# Event Logs

A question that typically comes up during and after a breach investigation is which event logs should be enabled, collected and monitored. The lists below are a cheat sheet of sorts, highlighting the common logs that contain forensic evidence and that can usually be ingested into a central point, such as a SIEM, to provide context for alerting.

## Windows Event Logging

Windows event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.

<table><thead><tr><th width="167.33333333333331">Log File</th><th>File Path</th><th>Description</th></tr></thead><tbody><tr><td>Security</td><td>%SystemRoot%\System32\Winevt\Logs\Security.evtx</td><td>Contains information about security-related events, such as successful and failed login attempts, access to sensitive resources, and changes to security settings.</td></tr><tr><td>Application</td><td>%SystemRoot%\System32\Winevt\Logs\Application.evtx</td><td>Contains information about events related to applications, such as errors and warnings.</td></tr><tr><td>System</td><td>%SystemRoot%\System32\Winevt\Logs\System.evtx</td><td>Contains information about events related to the operating system, such as hardware and software failures, resource utilization, and system updates.</td></tr><tr><td>DNS Server</td><td>%SystemRoot%\System32\Dns\Dns.log</td><td>Contains information about Domain Name System (DNS) activity, such as requests and responses.</td></tr><tr><td>File Replication Service</td><td>%SystemRoot%\debug\Frs\FrsDiag.log</td><td>Contains information about the File Replication Service (FRS), which is used to replicate files and folders between domain controllers.</td></tr><tr><td>Internet Information Services (IIS)</td><td>%SystemRoot%\System32\LogFiles\W3SVC1\</td><td>Contains information about web server activity, such as requests, responses, and errors. This folder contains multiple log files, including an exYYMMDD.log file for each day, a u_exYYMMDD.log file for each day that contains log data in a different format, and a W3SVC1 folder that contains additional log files.</td></tr><tr><td>PowerShell</td><td>%SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx</td><td>Contains information about PowerShell activity, such as script execution and cmdlet usage.</td></tr><tr><td>Windows PowerShell Operational</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx</td><td>Contains information about the operational state of PowerShell, such as start and stop events and errors.</td></tr><tr><td>Remote Desktop Services</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx</td><td>Contains information about Remote Desktop Services activity, including Remote Desktop Protocol (RDP) connections and disconnections.</td></tr><tr><td>Windows Management Instrumentation</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx</td><td>Contains information about WMI activity, including WMI queries and method calls.</td></tr><tr><td>Windows Management Instrumentation Provider Operations</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Operational.evtx</td><td>Contains information about the operational state of WMI providers, including start and stop events and errors.</td></tr><tr><td>Windows Defender log</td><td>C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx</td><td>Contains events related to the Windows Defender antivirus software.</td></tr></tbody></table>

## Unix/Linux Event Logging

Linux event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.

<table><thead><tr><th width="149">Log File</th><th>Location</th><th>Description</th></tr></thead><tbody><tr><td>Syslog<br>Messages</td><td><strong>Debian</strong><br><code>/var/log/syslog</code><br><strong>Redhat</strong><br><code>/var/log/messages</code></td><td>General messages and information regarding system operations. Predominantly an administration-focused log.</td></tr><tr><td>Auth.log<br>Secure</td><td><strong>Debian</strong><br><code>/var/log/auth.log</code><br><strong>Redhat</strong><br><code>/var/log/secure</code></td><td>Authentication logs containing successful and failed logins. sshd process logs are also written here.</td></tr><tr><td>Boot.log</td><td><strong>Debian</strong><br><code>/var/log/boot.log</code><br><strong>Redhat</strong><br><code>/var/log/messages</code></td><td>Contains information about the system's boot process, including details on system initialization tasks, service startup, hardware detection, and kernel messages.</td></tr></tbody></table>
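The Windows and Linux sections above both point at the same use of these logs: the Security log and auth.log/secure record logon outcomes, and once they are pulled into a central point they can feed one detection. The following is an added example, not code from this page, showing how that looks in practice: Windows Security events in the XML shape that `wevtutil qe Security /f:xml` exports (reduced to the fields read here) and sshd lines from auth.log are normalised into one record shape, then a single failed-logon-burst detection runs over the merged stream. All hosts, users, addresses and timestamps are constructed sample data, and the year supplied for the year-less syslog timestamps is an assumption.

```python
# Added example, not code from the page: normalise Windows Security events and
# Linux sshd auth.log lines into one record shape, then run one detection over
# both. Every host, user, address and timestamp below is constructed sample data.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WIN_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _win_event(event_id, when, user, src, logon_type="3"):
    # Constructed Security event in the XML shape `wevtutil qe Security /f:xml`
    # exports, reduced to the fields the parser reads.
    return (
        f'<Event xmlns="{WIN_NS["e"]}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
        '<Channel>Security</Channel><Computer>dc01.example.local</Computer></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{src}</Data></EventData></Event>'
    )


# Constructed: one benign logon, then three failures from one address with no success.
SAMPLE_WINDOWS = [
    _win_event(4624, "2024-03-01T09:58:00.000000Z", "alice", "10.0.0.5"),
    _win_event(4625, "2024-03-01T10:00:01.000000Z", "administrator", "198.51.100.7"),
    _win_event(4625, "2024-03-01T10:00:04.000000Z", "administrator", "198.51.100.7"),
    _win_event(4625, "2024-03-01T10:00:07.000000Z", "administrator", "198.51.100.7"),
]

# Constructed auth.log excerpt: three failures then a success from one address,
# a clean key-based login, and a non-sshd line the parser must ignore.
SAMPLE_AUTH_LOG = """\
Mar  1 10:05:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  1 10:05:03 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 51236 ssh2
Mar  1 10:05:05 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 51238 ssh2
Mar  1 10:05:09 web01 sshd[2207]: Accepted password for root from 203.0.113.9 port 51240 ssh2
Mar  1 10:06:00 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.12 port 40000 ssh2: ED25519 SHA256:AbC
Mar  1 10:07:00 web01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)"""

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<verdict>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_windows_event(xml_text):
    """Map a 4624 (success) or 4625 (failure) Security event to the common record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", WIN_NS)
    outcome = {4624: "success", 4625: "failure"}.get(int(system.find("e:EventID", WIN_NS).text))
    if outcome is None:
        return None  # other event IDs are not logon outcomes for this detection
    stamp = system.find("e:TimeCreated", WIN_NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.find("e:EventData", WIN_NS)}
    return {"ts": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
            "host": system.find("e:Computer", WIN_NS).text, "user": data.get("TargetUserName"),
            "src": data.get("IpAddress"), "outcome": outcome, "source": "windows:Security"}


def parse_sshd_line(line, year):
    """Map an sshd login line from auth.log/secure to the common record.
    Classic syslog stamps carry no year, so the caller supplies one (an assumption)."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # not an sshd login outcome (cron, sudo, ...)
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": stamp.replace(tzinfo=timezone.utc), "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": "success" if m["verdict"] == "Accepted" else "failure",
            "source": "linux:auth.log"}


def find_failed_logon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Alert on any source address with `threshold` failures inside `window`;
    a success from the same address within `window` of the burst raises severity."""
    by_src = defaultdict(list)
    for r in records:
        if r is not None and r["src"] not in (None, "-"):
            by_src[r["src"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["outcome"] == "failure"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last - first > window:
                continue
            later_ok = [r for r in recs if r["outcome"] == "success" and last < r["ts"] <= last + window]
            alerts.append({"src": src, "hosts": sorted({r["host"] for r in recs}),
                           "failures": len(fails), "users": sorted({r["user"] for r in recs}),
                           "severity": "high" if later_ok else "medium",
                           "success_user": later_ok[0]["user"] if later_ok else None})
            break  # one alert per source is enough for this pass
    return alerts


def run_demo(year=2024):
    """Merge both sources into one stream and return the alerts (year is assumed)."""
    records = [parse_windows_event(x) for x in SAMPLE_WINDOWS]
    records += [parse_sshd_line(line, year) for line in SAMPLE_AUTH_LOG.splitlines()]
    return find_failed_logon_bursts(records)
```

Calling `run_demo()` returns two alerts: a medium one for the Windows address that only failed, and a high one for the Linux address whose failures were followed by an accepted password for root. The point of the common record shape is that the detection never needs to know which log a record came from; adding the RDP or WMI logs from the Windows table means writing another small parser, not another detection.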

## MacOS Event Logging

MacOS event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.

<table><thead><tr><th width="207.33333333333331">Log File</th><th>File Path</th><th>Description</th></tr></thead><tbody><tr><td>System log</td><td>/private/var/log/system.log</td><td>Contains events related to system components such as drivers, the kernel, and the startup process.</td></tr><tr><td>Secure log</td><td>/private/var/log/secure.log</td><td>Contains events related to security-related activities such as login and logout events, as well as successful and failed attempts to access resources.</td></tr><tr><td>Application Firewall log</td><td>/private/var/log/appfirewall.log</td><td>Contains events related to applications and services running on the system, including events related to the macOS firewall.</td></tr><tr><td>Setup log</td><td>/private/var/log/install.log</td><td>Contains events related to the installation, removal, and update of software on the system.</td></tr><tr><td>Safari log</td><td>/private/var/log/safari/Safari.log</td><td>Contains events related to the Safari browser.</td></tr><tr><td>MacOS Server log</td><td>/Library/Logs/DiagnosticReports</td><td>Contains events related to MacOS Server.</td></tr></tbody></table>

## Resources

1. [Microsoft documentation on Windows event logs](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-logs-overview)
2. [SANS Institute's guide on using Windows event logs in incident response](https://www.sans.org/reading-room/whitepapers/incident/windows-event-logs-incident-response-34375)
3. [Digital Forensics Solutions' blog post on using Windows event logs in forensic investigations](https://www.digitalforensicssolutions.com/blog/windows-event-logs-in-forensic-investigations/)
4. [Tripwire's blog post on using Windows event logs to detect security breaches](https://www.tripwire.com/state-of-security/security-data-protection/using-windows-event-logs-to-detect-security-breaches/)
5. [TechNet's guide on using the Event Viewer utility in Windows](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/eventvwr)
6. [Digital Forensics Solutions' blog post on using Linux logs in forensic investigations](https://www.digitalforensicssolutions.com/blog/linux-logs-in-forensic-investigations/)
7. [SANS Institute's guide on using Linux logs in incident response](https://www.sans.org/reading-room/whitepapers/incident/using-linux-logs-incident-response-34382)
8. [Plesk - Linux Logs Explained](https://www.plesk.com/blog/featured/linux-logs-explained/)
9. [Forensic Focus - A Linux Forensics Starter Case Study](https://www.forensicfocus.com/articles/a-linux-forensics-starter-case-study/)
10. [Apple's documentation on MacOS logs](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPHelpDataProviderSpecification/Introduction/Introduction.html)
11. [TechRepublic's tutorial on using the Console application in MacOS](https://www.techrepublic.com/article/how-to-use-console-to-view-logs-on-a-mac/)
