What Are Security Event Logs?
- Define “security event” and explain the difference between an event and an incident.
- List potential security event log sources.
- Describe how to access logs in the Windows and Linux operating systems.
- Describe the most common security events that appear in logs.
Effective event logging is critical to ensuring application and network health, performance, and security. This article will discuss security event logs and explain how organizations leverage them to secure their network, applications, and data.
Logs and Incidents and Events, Oh My!
First, let’s clear the confusion surrounding the definitions of “security log,” “security incident,” and “security event.” These terms see interchangeable use, which is incorrect. While closely related, they’re not synonyms.
- A log is simply a text record of an event or incident that happened at a particular time. For example, if a user signs into an enterprise application, that activity is logged, along with other relevant data, such as a timestamp and the user’s IP address.
- A security event is an observable occurrence that could impact an organization’s information security. Perhaps the user in our previous example is located in the U.S., but they attempted to log in from an IP in Australia. Maybe the user is visiting Australia -- or perhaps their login credentials have been stolen, and a cybercriminal is trying to use them.
- A security incident is a security event that has escalated to a compromise. Returning to our example, assume a cybercriminal has stolen the user’s login credentials and successfully used them to access the application.
It’s important to note that while all incidents are events, not all events are incidents. An attempted breach is a security event, but it’s not an incident unless the breach is successful.
The typical organizational data environment contains a dizzying array of applications, services, and endpoint devices, all generating logs at a rate that would be impossible for human staff to analyze manually. Instead, IT teams use security solutions, such as security information and event management (SIEM) systems to ingest logs and identify security events and incidents. SIEMs don’t investigate or mitigate security events or incidents. The SIEM’s job is to flag them and notify human security personnel.
Windows Security Event Logs
The Windows operating system logs activity on software or hardware components, which administrators can access directly through the Event Viewer application. Event Viewer uses six default categories to classify events.
- Application logs contain events logged by applications. Which events get logged is determined by the application developers.
- System logs contain events logged by the operating system, such as driver issues during startup.
- Security logs contain events related to security, such as login attempts, object access, and file deletion.Administrators determine which events to log, in accordance with their audit policy.
- Directory service logs are only available on domain controllers, These contain records of Active Directory operations, such as authentication and modification of privileges.
- DNS server logs contain DNS activity.
- File replication service logs contain domain controller replication.
While “security” is its own category, an event in any category could potentially impact organizational security. For example, the DNS server log could contain entries indicating a possible DNS attack.
Linux Security Event Logs
Linux operating system logs contain events related to the server, kernel, and running applications. Events fall into four categories: application logs, event logs, service logs, and system logs.
Linux administrators have several options for directly viewing logs:
- Read log files directly that are stored in /var/log and its subfolders. The command "tail -f" is often used to view updates to log files as they are written.
- Use dmesg to view messages from the kernel's ring buffer, which contains logs generated by hardware, device drivers, and kernel modules during the system's startup process.
Other Common Security Event Log Sources
In addition to operating system logs, organizations commonly monitor these log and information sources:
- Intrusion Detection & Prevention Systems (IDS/IPS)
- Endpoint Security (Antivirus, antimalware)
- Data Loss Prevention
- VPN Concentrators
- Web Filters
- Domain Controllers
- Wireless Access Points
- Application Servers
- Intranet Applications
- Network Maps
- Vulnerability Reports
- Software Inventory
Though not actual log data, many organizations export business-process mappings, points of contact, and partner information into their SIEMs.
What Does a Typical Security Event Log Contain?
Because compromised login credentials are involved in so many cyberattacks, events involving login credentials are very common entries in security event logs. In addition to a user connecting or attempting to connect to a system from an unusual IP address, security event logs may also show failed user login attempts, especially if repeated attempts or privileged or critical systems are involved. Changes in user privileges, especially increases in privileges, are another event that could indicate compromised credentials (or credential abuse by a company insider).
Other everyday security events include:
- Changes to application allow lists.
- Malware infection alerts from antivirus or endpoint protection software.
- Spam or malicious content contained within emails.
- Firewall alerts.
- Connection attempts through new, unknown, or insecure ports or protocols.