Log Analysis Fundamentals

Introduction

In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and incident response. Logs provide timestamped records of system events, helping teams trace user actions, detect intrusions, troubleshoot issues, and meet compliance requirements.

From application crashes to failed login attempts, every significant event leaves behind a trail. Mastering logging fundamentals ensures organizations can analyze threats, hunt anomalies, and protect infrastructure effectively.

Why Logging Matters

Logging is not just about recording events, it is about making sense of system behavior. Proper log management enables:

• Forensics: Trace attacker activity by time, user, and system.
• Incident Response: Reconstruct attack paths and prioritize alerts.
• Threat Hunting: Detect anomalies and suspicious patterns in large datasets.
• Compliance: Maintain audit trails for standards like PCI-DSS, HIPAA, and GDPR.

Without logging, organizations lose visibility into what happens inside their networks and applications.

Types of Logs and Their Locations

Logs are generated across applications, operating systems, and network devices. Understanding log types is key to monitoring infrastructure.

Log Type	Contents	Common Locations
Application	Errors, transactions, user actions	Windows: C:\ProgramData\\logs Linux: /var/log/<app>.log
System	Driver loads, service start/stop, kernel	Windows: Event Viewer → System Linux: /var/log/syslog
Security	Authentication, authorization, policy changes	Windows: Event Viewer → Security Linux: /var/log/auth.log
Network	Firewall, router, switch traffic	/var/log/ufw.log, device archives
Audit	File/process/registry monitoring	Linux: /var/log/audit/audit.log Windows: Sysmon/Operational
Web	HTTP/S access, errors, proxy, API logs	Apache: /var/log/apache2/access.log Nginx: /var/log/nginx/access.log
DNS	Query resolution, failures, cache activity	BIND: /var/log/named.log Windows DNS Server: Event Viewer → DNS Server
Email	Mail transactions, delivery status, errors	Postfix: /var/log/maillog Exchange: Event Viewer → Application
Database	Queries, transactions, errors, authentication	MySQL: /var/log/mysql/error.log Postgres: /var/log/postgresql/postgresql.log
Cloud	API calls, authentication, resource usage	AWS CloudTrail: S3 buckets Azure Monitor, GCP Cloud Logging
IDS/IPS	Intrusion alerts, packet analysis	Snort: /var/log/snort/ Suricata: /var/log/suricata/
Container	Container runtime, orchestration events	Docker: /var/lib/docker/containers/<id>/json.log Kubernetes: kubectl logs <pod>

Breaking Down a Log Entry

2025-09-11T15:42:18.674Z host=AlphaServer.local level=ERROR component=auth-service message={"user":"emma_smith","action":"login","status":"failed","ip":"203.0.113.52"}

Windows Event Logs

Windows provides a robust Event Logging system that categorizes events into multiple channels.

Event Log Channels

• Application: Records application-specific events.
• Security: Tracks logon attempts, resource access, and policy changes.
• Setup: Captures application setup and Windows installation events.
• System: Logs events from system components such as drivers.
• Forwarded Events: Collects events from remote systems.

Accessing Windows Logs

• Event Viewer (GUI) → Easy visualization.
• Wevtutil.exe (CLI) → Command-line access.
• Get-WinEvent (PowerShell) → Flexible queries for automation.

Key Event Fields

• Log Name (e.g., Security)
• Source (e.g., Microsoft-Windows-Security-Auditing)
• Event ID (unique identifier like 4625 for failed login)
• Level (Information, Warning, Error, Critical)
• User, Computer, and Correlation IDs
• Event Data / Description

Top Windows Security Event IDs

Some Event IDs are critical for security monitoring and SIEM correlation rules.

Event ID	Description	Use Case
4624	Successful logon	Track valid authentication
4625	Failed logon	Detect brute-force attacks
4672	Privileged logon	Identify high-privilege activity
4720	User account creation	Spot unauthorized provisioning
4726	User account deletion	Detect account cover-up attempts
4688	Process creation	Trace malicious or suspicious processes
4697	Service installation	Detect persistence mechanisms
5140	Network share accessed	Monitor sensitive file access

Sysmon: Advanced Windows Logging

Sysmon (System Monitor) is part of Microsoft Sysinternals. It extends native logging with detailed process, network, and file operation events.

Why Sysmon Matters

• Captures process creation with full command lines.
• Logs network connections with IPs and ports.
• Tracks file creation, registry modifications, and drivers.
• Provides high-value data for threat hunting and forensics.

Key Sysmon Event IDs

• Event ID 1: Process creation (with command line).
• Event ID 3: Network connection (source/destination IP, ports).
• Event ID 7: Image loaded (DLLs, libraries).
• Event ID 11: File creation (tracks persistence mechanisms).

Sysmon is essential for advanced detection engineering and works seamlessly with SIEM platforms.

Conclusion

Logging fundamentals provide the foundation for visibility, detection, and compliance in cybersecurity. From basic system logs to advanced monitoring with Windows Event IDs and Sysmon, effective logging helps organizations stay ahead of attackers, strengthen incident response, and meet regulatory obligations.

In today’s threat landscape, logs are more than records, they are critical intelligence for security teams. By mastering logging fundamentals, enterprises can ensure resilience, accountability, and proactive defense.

Read More: Advanced Detection and Prevention of AD Enumeration