WEBVTT

00:00.120 --> 00:07.980
Log files are everywhere within your infrastructure, and log files are the Phillips screwdriver of I.T.

00:07.980 --> 00:08.490
security.

00:08.490 --> 00:13.860
We use them all the time, and you're going to see a lot of questions on the exam that challenge you with

00:13.860 --> 00:15.080
log-type questions.

00:15.090 --> 00:18.090
Now logs have all kinds of different names.

00:18.150 --> 00:22.980
They can be called event logs or security logs or audit logs or device logs.

00:22.980 --> 00:25.390
I don't really care about that.

00:25.410 --> 00:29.840
Logs can exist anywhere in a system. Where do they exist exactly?

00:29.880 --> 00:30.710
I don't know.

00:30.960 --> 00:31.500
I don't care.

00:31.500 --> 00:37.860
I can poke around and find logs based on whatever issue I'm running into, but logs can exist anywhere,

00:37.860 --> 00:40.290
so if you're in Windows, use Event Viewer.

00:40.290 --> 00:43.510
If you're on a Mac, use Console. If you're on a Linux system,

00:43.830 --> 00:48.990
there are so many logs and so many tools you can't even wrap your head around what's all out there and available

00:48.990 --> 00:55.170
to you. What we're going to do in this episode, though, is take a broader outlook at what

00:55.290 --> 00:56.630
logs really are.

00:56.790 --> 01:03.930
We're going to use a term that I've coined called the generic log look, and to make this work we're going

01:03.930 --> 01:07.850
to break all of these different types of logs into two groups.

01:07.850 --> 01:11.370
I'm going to call them non-network and network logs.

01:11.370 --> 01:17.460
Let's take a look at both of those. Non-network events are events that take place on a host even if that

01:17.460 --> 01:24.690
host is unplugged from a network. A network event is something that takes place on a host that has

01:24.690 --> 01:31.170
to deal with the communication between that host and something on the network. Let's take a look at some

01:31.320 --> 01:32.460
non-network events.

01:32.460 --> 01:33.980
I like to break them into three groups.

01:34.020 --> 01:36.400
And in fact most operating systems do too.

01:36.450 --> 01:42.330
One group is one I'm going to call operating system. That's things like hosts starting, hosts shutting

01:42.330 --> 01:48.870
down, rebooting, stuff like that, maybe services starting, maybe services stopping, maybe even services failing,

01:49.680 --> 01:55.880
operating system updates. If I plug a thumb drive in with an update, it would log that type of information.

01:56.340 --> 01:57.900
Next are applications.

01:57.900 --> 02:01.080
So if an application is installed, I'd like to have that logged.

02:01.200 --> 02:05.530
If an application starts, or if an application stops, or if an application crashes,

02:05.670 --> 02:09.210
I want all that kind of information to be logged as individual events.

02:11.120 --> 02:12.460
Last is security.

02:12.500 --> 02:15.290
So for me, the big one under security is logons.

02:15.410 --> 02:19.070
I want to know if logons succeed or if logons fail.

02:19.070 --> 02:24.440
And that's usually set up by you depending on what kind of information you told the operating system

02:24.680 --> 02:25.550
to monitor.

02:25.700 --> 02:35.720
So a generic example of a non-network event would probably have a date, a time, some kind of process ID

02:35.720 --> 02:40.640
or a source or something that is generating this particular event.

02:40.670 --> 02:47.300
There may be an account associated with it, maybe a user account, maybe the system itself is doing this.

02:47.400 --> 02:49.250
Then there's some form of event number.

02:49.290 --> 02:54.600
Almost everybody has some kind of tracking of all the events that take place in a log file, and they'll

02:54.600 --> 03:01.470
usually give it some ID number. And last is an event description that actually describes what is going

03:01.470 --> 03:05.430
on and what we want to see in that particular event.

03:05.440 --> 03:12.450
Now network events are any events that take place between a host and something that's going on in the

03:12.450 --> 03:13.210
network.

03:13.230 --> 03:15.490
I like to break this down into two groups.

03:15.540 --> 03:21.990
The first one is events that take place at the operating system or system level of that device to something

03:21.990 --> 03:23.160
else on the network.

03:23.280 --> 03:29.310
And the other one, and probably the biggest one there is, is things that happen to the applications that

03:29.310 --> 03:31.890
I'm sharing on this particular device

03:31.980 --> 03:37.840
out to the network. So I think I need to warn you that these two groups can overlap a little bit.

03:37.980 --> 03:39.200
So they're a little fuzzy.

03:39.210 --> 03:44.430
But let's go ahead and look at both of these. Events to the operating system or the system itself from

03:44.430 --> 03:49.560
the network would consist of simple stuff like, for example, that somebody is trying to remotely log in,

03:49.560 --> 03:51.270
whether they fail or not.

03:51.270 --> 03:55.650
If I've got a switch out there and somebody is trying to log into it, I would like to have a log of that

03:55.650 --> 04:01.770
particular event. The other one is events that take place on shared applications or resources.

04:01.770 --> 04:05.940
Now this is the big one, and you're going to see a lot of stuff on the exam that hits on this type of

04:06.060 --> 04:07.120
situation.

04:07.140 --> 04:15.450
For example, if I've got a web server. Here's an example of one line, one event, from an Apache web server.

04:15.480 --> 04:22.380
Another one might be activity on a firewall. So here's my router with the firewall features blocking

04:22.380 --> 04:24.110
some incoming traffic.

04:24.420 --> 04:30.650
So in these particular types of events we're going to see, hopefully we'll see a date.

04:30.850 --> 04:38.830
We'll see a time. We'll see some source address. That could be a MAC address or an IP address, or it could

04:38.830 --> 04:41.710
be both depending on the application.

04:41.710 --> 04:48.000
We would have a destination. Now the destination is also going to be a MAC and an IP address.

04:48.040 --> 04:53.170
A lot of times the destination and source on that application are going to be the device itself, whatever

04:53.170 --> 04:54.840
its IP or MAC addresses are.

04:55.880 --> 04:59.320
Last, there's going to be some description of what is happening.

04:59.360 --> 05:04.220
This can vary dramatically depending on the application itself.

05:04.220 --> 05:10.040
So on any given network you're going to have all kinds of hosts lying all over the place generating

05:10.100 --> 05:11.520
all kinds of logs.

05:11.530 --> 05:15.620
Now you need to read these logs, you've got to monitor them, you've got to see what's happening.

05:15.620 --> 05:17.440
So how do we go about doing that?

05:17.450 --> 05:23.810
Well, by default, pretty much every device on your network is going to have its own little log or log

05:23.810 --> 05:28.670
files all over the place, and you're going to be standing at some computer, and you're going to have to

05:28.670 --> 05:34.180
go to this computer, then that computer, then that computer, and we call that decentralized. Decentralized

05:34.220 --> 05:39.690
works fine for smaller organizations, but we often want to do a more centralized situation.

05:39.770 --> 05:41.450
In that case you've got two choices.

05:41.450 --> 05:47.990
Number one, you can have situations where all your different devices are literally sending all their

05:47.990 --> 05:50.870
log traffic to a central repository.

05:50.870 --> 05:56.060
Now that can be a big problem sometimes, especially if you've got a lot of traffic, and it can slow down

05:56.060 --> 05:57.020
your network.

05:57.020 --> 06:04.970
What we tend to see more commonly is stuff like SNMP, where I have one system that goes out to all these

06:04.970 --> 06:10.070
different types of logs, looks for the information it needs, and then generates graphs, charts, and the

06:10.070 --> 06:11.600
information that I need.

06:11.600 --> 06:17.240
In fact, monitoring is so important when it comes to logs that it's very common for people to actually

06:17.240 --> 06:24.660
pay third parties to query all of their different devices and use these third parties to do the monitoring,

06:24.660 --> 06:31.360
and in fact there's a whole industry called Monitoring as a Service, so it can be pretty interesting.

06:32.680 --> 06:38.710
The exam itself has tons of questions that need you to read log files.

06:38.830 --> 06:44.890
If you stick with my generic log file conceptualization and separate non-network from network-type log

06:44.890 --> 06:48.800
files, and, well, you need to know your applications and your protocols,

06:48.880 --> 06:50.640
you can get through these pretty easily.

06:50.800 --> 06:54.880
So what I want to do is go through a few examples, and, I don't know,

06:55.000 --> 06:57.170
let's start with something fun like a web server.

06:57.250 --> 07:01.030
Here I have two computers, and in between them is a router.

07:01.030 --> 07:05.860
Now I'm going to go ahead and put some IP addresses in here so you've got an idea of how all this is

07:05.860 --> 07:11.360
laid out, and now what I'm going to do is show you a log from this device.

07:11.380 --> 07:16.620
Well, over here on the right, we're going to give you three events on this particular log.

07:16.620 --> 07:23.410
So it's a Cincinnati and an X. So we know this is a network event because we can see IP addresses, and

07:23.410 --> 07:24.980
we can see port numbers.

07:25.000 --> 07:26.810
Now I'm going to ask you some questions.

07:26.980 --> 07:29.590
Question number one: of those two computers,

07:29.770 --> 07:31.690
which one is a web server?

07:31.690 --> 07:33.900
Well, the answer is the one on the right.

07:33.910 --> 07:40.090
If we take a look, we can see from his log he is receiving port 80 traffic.

07:40.090 --> 07:47.300
So that shows us that that machine on the right is a web server. I have another question for you: is this

07:47.300 --> 07:50.130
router blocking HTTP traffic?

07:50.300 --> 07:54.820
Well, the answer is no, because it's coming from the other side of the system.

07:54.890 --> 07:55.660
It's coming in.

07:55.660 --> 07:59.010
So it is getting HTTP traffic.

07:59.090 --> 08:03.740
I've got another question: is this router doing NAT in this case?

08:03.740 --> 08:09.200
It absolutely has to be doing that, because if the traffic is coming from the machine on the left, it

08:09.200 --> 08:10.460
would have its IP address.

08:10.460 --> 08:16.610
But if you look very carefully, all we're seeing is the router's IP address coming to the system on the

08:16.610 --> 08:17.080
right.

08:17.940 --> 08:22.120
And one more question: is that router running DHCP?

08:22.140 --> 08:23.700
And the answer is, we don't know.

08:23.700 --> 08:27.230
There's nothing within this particular log to give us an answer.

08:27.300 --> 08:28.140
That was fun.

08:28.200 --> 08:29.220
Let's do it again.

08:29.220 --> 08:35.370
You've just got a call from somebody who said someone downloaded a critical video file and probably

08:35.370 --> 08:36.020
corrupted it.

08:36.020 --> 08:39.950
So you get this log file to try to figure out what's happening here.

08:40.110 --> 08:45.420
Now, in this particular situation we don't really know what protocol this is or anything, but it's not

08:45.420 --> 08:50.130
critical. We can still answer the question: who made the download here?

08:50.130 --> 08:55.920
So if we take a look, you'll see we've got two different users logging in, Bob and Jane.

08:55.920 --> 09:02.880
And then if you take a look at the time, both of those users were logged in at the time someone did a

09:02.880 --> 09:06.080
download of that particular MP4 file.

09:06.090 --> 09:13.370
So the problem is, in this particular situation you don't know, based on the time offset, who was the person.

09:13.380 --> 09:17.040
It may have been Bob or it may have been Jane; they were both logged in.

09:17.070 --> 09:19.370
That was fun. Let's do it again now.

09:19.470 --> 09:24.510
Here is a rather painful looking log that came from a particular system.

09:24.510 --> 09:31.610
Now, if we look at this, we have to come up with some idea of what would create this type of situation.

09:31.650 --> 09:33.720
So I'm going to give you some choices.

09:33.720 --> 09:36.920
Number one: do you think anti-malware would cause this?

09:36.960 --> 09:41.750
What we're looking at in this particular case, you see the word checksum. That's a big clue.

09:41.790 --> 09:48.840
So what it's telling us is that we have some virtual machine called web Maine that has been changed,

09:49.170 --> 09:54.050
and it stored a backup copy, so there's something about the files that is very important.

09:54.090 --> 09:58.190
So probably not anti-malware.

09:58.230 --> 10:02.030
What do you think it might be, patch management, in this particular case?

10:02.030 --> 10:05.920
Well, we're not really patching anything; we're just letting people know that the files changed.

10:06.110 --> 10:13.210
So if I had some file integrity application, that might be a great example of this application in action,

10:13.520 --> 10:19.550
and I have to run this confirmer executable to make that particular change absolutely permanent.

10:19.550 --> 10:23.270
Logs are absolutely critical for good I.T. security.

10:23.270 --> 10:28.940
You're going to see a lot of questions on the exam that have you dealing with logs. Don't worry about

10:28.940 --> 10:35.360
how the log looks exactly, don't worry about where it's coming from necessarily, but understand that if

10:35.360 --> 10:41.780
you can break all log files into two different types of events, either network or non-network events,

10:42.050 --> 10:44.270
that's going to make your life a lot easier.

10:44.270 --> 10:49.130
And then take the time, know your protocols, and you'll be able to answer every one of those questions,

10:49.250 --> 11:04.150
no problem.
