Log Analysis for Beginners: Learning to Read Like a Defender

Logs are the diary of a system — a constant stream of events that record every login, every error, every request, and sometimes, every mistake. In cybersecurity, log analysis is the process of reviewing these events to detect, investigate, and respond to suspicious behavior.

This guide will help you get started with log analysis from scratch — no expensive tools or certifications required.


🧠 Why Log Analysis Matters

Attackers leave traces, even if they try to hide them. From login attempts and port scans to privilege escalation and data exfiltration, logs capture everything — if you know where to look.

Log analysis helps:

  • Detect brute-force login attempts

  • Identify lateral movement

  • Investigate insider threats

  • Monitor system health and performance

  • Fulfill compliance requirements (e.g., ISO, PCI, HIPAA)

🛡️ A SOC analyst spends most of their time analyzing logs — it’s how defenders see what’s really happening on the network.


📁 Types of Logs Every Beginner Should Know

Let’s go over common log types and what they reveal:


🟩 Authentication Logs

📌 Example files:

  • /var/log/auth.log (Linux)

  • Security.evtx (Windows Event Viewer)

These logs capture:

  • Successful and failed login attempts

  • SSH or RDP session creation

  • Privilege escalations (sudo, runas)

  • User lockouts

🔍 Suspicious sign: 15 failed login attempts in 30 seconds from a foreign IP? Brute-force likely.


🟨 System Logs

📌 Example files:

  • /var/log/syslog, /var/log/messages (Linux)

  • System.evtx (Windows)

These include:

  • Service startups and failures

  • Kernel errors

  • Resource issues (disk, CPU, memory)

🔍 Suspicious sign: A system service crashing and restarting repeatedly could be under attack.


🟧 Web Server Logs

📌 Example files:

  • access.log, error.log (Apache, Nginx)

They show:

  • IP addresses accessing the site

  • URLs and status codes

  • Timestamps and browser types

🔍 Suspicious sign: Dozens of requests for /admin, /wp-login.php, or SQL injection strings like ' OR 1=1 --.


🟥 Firewall & IDS/IPS Logs

📌 Tools like: pfSense, iptables, Suricata, Snort

Used to track:

  • Dropped/rejected traffic

  • Port scans

  • Exploit attempts (based on signatures)

🔍 Suspicious sign: Scans across many ports from one IP within seconds indicate reconnaissance.


🟦 Application Logs

📌 Examples:

  • Custom app logs (e.g., logs from a Django, Node, or Flask app)

  • Security tools like antivirus or endpoint agents

They record:

  • Application errors

  • User activity

  • API access attempts

🔍 Suspicious sign: High number of failed login attempts via an app’s API? Bot attack likely.


🧪 Real-World Suspicious Log Examples

Let’s look at a few real-ish log lines and explain what a defender sees:


1. Failed SSH Logins

Jun 20 14:05:22 server sshd[2891]: Failed password for invalid user admin from 89.43.21.100 port 51234 ssh2

🔍 What’s happening?
An IP from another country is trying common usernames via SSH. This is the start of a brute-force attempt.


2. Login Success After Many Fails

sshd[3153]: Accepted password for testuser from 192.168.0.88 port 51822 ssh2

If this came after many failures:

Failed password for testuser...
Failed password for testuser...

🔍 What’s happening?
Brute-force succeeded. This is now an active compromise.


3. Web Recon Attempt

"GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 501 "-" "Mozilla/5.0"

🔍 What’s happening?
An attacker is scanning for known vulnerable web panels (phpMyAdmin). If one is found, they might try an exploit.
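The brute-force pattern from example 1, the success-after-failures pattern from example 2, and the "many failures in a short window" rule of thumb from the Authentication Logs section, as an added Python detector that is not part of the original post. The sshd lines it reads are constructed samples; the thresholds, the assumed year (syslog timestamps carry none) and the function names are my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (not a real capture); syslog timestamps carry no year.
SAMPLE_LOG = """\
Jun 20 14:05:22 server sshd[2891]: Failed password for invalid user admin from 89.43.21.100 port 51234 ssh2
Jun 20 14:05:24 server sshd[2893]: Failed password for invalid user root from 89.43.21.100 port 51236 ssh2
Jun 20 14:05:27 server sshd[2895]: Failed password for testuser from 89.43.21.100 port 51240 ssh2
Jun 20 14:05:31 server sshd[2897]: Failed password for testuser from 89.43.21.100 port 51244 ssh2
Jun 20 14:05:35 server sshd[2899]: Accepted password for testuser from 89.43.21.100 port 51250 ssh2
Jun 20 14:06:10 server sshd[2910]: Failed password for alice from 192.168.0.88 port 51822 ssh2
Jun 20 14:06:40 server sshd[2912]: Accepted password for alice from 192.168.0.88 port 51823 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2024):
    # Returns (timestamp, 'Failed'|'Accepted', user, source_ip), or None for unrelated lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def analyze(log_text, max_failures=3, window_seconds=30):
    """Flag a burst of failures per source IP, and a success from an IP that already failed often."""
    alerts = []
    recent = defaultdict(deque)   # ip -> failure timestamps inside the sliding window
    total = defaultdict(int)      # ip -> all failures seen so far
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            total[ip] += 1
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures:
                alerts.append(("brute_force", ip, f"{len(q)} failures within {window_seconds}s"))
                q.clear()                                          # alert once per burst
        elif total[ip] >= max_failures:   # one typo then success is normal; a burst then success is not
            alerts.append(("success_after_failures", ip, f"{user} accepted after {total[ip]} failures"))
    return alerts
```

Run it against a copy of /var/log/auth.log by passing the file's contents to analyze(); raise max_failures toward the "15 in 30 seconds" threshold above once you know what normal typo rates look like on your hosts.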


⚙️ Basic Tools to Start Log Analysis

Here are some simple, free tools you can use right now:

Command Line (Linux):

  • grep, less, cat, tail -f, awk, sed

  • Example:

    grep "Failed password" /var/log/auth.log

Windows Event Viewer:

  • Go to Run > eventvwr.msc

  • Filter logs by “Security” for login-related events

GoAccess (web server logs):

ELK Stack (for advanced users):

  • Elasticsearch + Logstash + Kibana

  • Collect, analyze, and visualize logs at scale


🔐 Best Practices for Log Management

  • 🔄 Centralize logs (use a syslog server or SIEM tool)

  • 🧼 Rotate and clean old logs to save space

  • 🔒 Restrict access to log files — they’re sensitive

  • 📦 Back up logs in case of breach investigation

  • 🔔 Use alerts for repeated failed logins or suspicious patterns


💡 Learning Log Analysis by Doing

If you want to practice log analysis:

  • Download CTFs like BlueTeamLabs Online or DetectionLab VM

  • Simulate attacks on a VM and watch what gets logged (e.g., brute-force SSH)


🧠 Final Thoughts

Log analysis is a foundational cybersecurity skill. It teaches you to read the truth behind system behavior, spot attacks in real time, and build a strong defensive posture.

You don’t need fancy tools — just curiosity, attention to detail, and practice.
