Host Operating System Logs
Operating system-specific security logs record event data related to access control and auditing.
- Audit events are classed as either:
  - success/accept
  - fail/deny
- Authentication events record:
  - when users try to sign in and out
  - when a user tries to obtain special or administrative privilege
- File system events:
  - record whether use of permissions to read or modify a file was allowed or denied
  - need to be explicitly configured
    - otherwise they would generate a huge amount of data
Windows Logs
- 3 main types of Windows event logs:
  - Application
    - events generated by application processes
  - Security
    - audit events
  - System
    - events generated by the operating system’s kernel processes and services
Linux Logs
- implemented differently for each distribution:
  - syslog
    - directs messages relating to a particular subsystem to a flat text file
  - journald
    - a unified logging system with a binary, rather than plaintext, file format
    - messages are read using the journalctl command
    - can be configured to export some messages to text files via syslog
- principal log files:
  - /var/log/messages or /var/log/syslog
    - stores all events generated by the system
    - some of these are copied to individual log files
  - /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RedHat/CentOS/Fedora)
    - records login attempts, use of sudo privileges, and other authentication and authorization data
  - faillog
    - specifically tracks failed login events
  - package manager log
    - stores information about what software has been installed and updated
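As an added example (not part of these notes), a small Python parser for the kind of entries auth.log / secure holds: it reads lines in the syslog text layout and summarises failed SSH logins per source, accepted logins, and sudo commands that were allowed or refused. The sample lines, hostnames and addresses are constructed, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog text layout used by /var/log/auth.log
# (Debian/Ubuntu) and /var/log/secure (RedHat family); hosts and IPs are made up.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 52214 ssh2
Mar  4 09:12:05 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 52216 ssh2
Mar  4 09:12:09 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 52220 ssh2
Mar  4 09:13:40 host1 sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 41022 ssh2
Mar  4 09:14:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar  4 09:15:11 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# "Mon DD HH:MM:SS host process[pid]: message" (the pid is optional, e.g. for sudo)
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : (?P<rest>.*COMMAND=(?P<cmd>.*))$")

def summarize_auth_log(text):
    """Return failed SSH logins per (source, user), accepted logins, and sudo use/denials."""
    failed = Counter()
    accepted, sudo_ok, sudo_denied = [], [], []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog-format line; skip rather than guess
        proc, msg = m["proc"], m["msg"]
        if proc == "sshd":
            f = FAILED_RE.search(msg)
            if f:
                failed[(f["src"], f["user"])] += 1
            elif msg.startswith("Accepted "):
                accepted.append(msg.split()[3])  # "Accepted <method> for <user> ..."
        elif proc == "sudo":
            s = SUDO_RE.match(msg)
            if s:  # sudo records both allowed and refused commands in the auth log
                entry = (s["user"], s["cmd"])
                (sudo_denied if "command not allowed" in s["rest"] else sudo_ok).append(entry)
    return {"failed": failed, "accepted": accepted, "sudo_ok": sudo_ok, "sudo_denied": sudo_denied}

def noisy_sources(summary, threshold=3):
    """Source addresses whose failed logins, summed over all usernames, reach the threshold."""
    per_src = Counter()
    for (src, _user), n in summary["failed"].items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)
```

On a real host the same function can be fed the output of `journalctl -o short` or the text file directly; the threshold for noisy_sources is a tuning knob, not a fixed rule.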
macOS Logs
- macOS uses a unified logging system
- can be accessed via:
  - Console app
  - log command
    - can be used with filters to review security-related events
    - e.g.,
      - login: com.apple.login
      - app installs: com.apple.install
      - system policy violations: com.apple.syspolicy.exec