Event Logs
- Shone Pious
- May 22, 2024
- 3 min read
Updated: May 24, 2024

Why are logs important?
Events are observable occurrences on a network or device, providing visibility into the environment. Logs, which are records of these events, are crucial for security professionals to detect unusual or malicious activity. System activity is documented in log files, commonly referred to as logs.
Almost every device or system can generate logs, which contain entries detailing specific events. These logs are valuable to security analysts during incident investigations, as they record the date, time, location, actions taken, and the users or systems involved. This information is crucial for both troubleshooting system performance and security monitoring.
Logs enable analysts to create a narrative and timeline of events through log analysis, which involves examining logs to identify significant events. Due to the numerous sources of logs, a massive volume of log data can be generated.
Being selective about what to log enhances efficiency, as not all data generated, such as from web applications, is relevant to investigations and may slow down analysis. Excluding unnecessary data reduces search time. SIEM tools aid security professionals by providing an overview of network activity as they collect data from multiple sources, centralize it, and normalize diverse log formats. SIEM tools process large log volumes in real-time, enabling quick searches and effective log analysis for investigations.
How are logs collected?
Software known as log forwarders collect logs from various sources and automatically forward them to a centralized log repository for storage. Since different types of devices and systems can create logs, there are different log data sources in an environment.
These include network logs, which are generated by devices such as proxies, routers, switches, and firewalls, and system logs, which are generated by operating systems.
There are also application logs, which are logs related to software applications, security logs, which are generated by security tools like IDS or IPS, and lastly authentication logs, which record login attempts.
Examining Suricata logs
Suricata alerts and events are output in a format known as EVE JSON (Extensible Event Format JavaScript Object Notation).
JSON uses key-value pairs, which simplifies both searching and extracting text from log files.
Suricata generates two types of log data:
Alert logs – contain information that’s relevant to security investigations. Usually this is the output of signatures which have triggered an alert. For example, a signature that detects suspicious traffic across the network generates an alert log that captures details of that traffic.
Network Telemetry logs – contain information about network traffic flows. Network telemetry is not always security relevant; it's simply recording what's happening on a network, such as a connection being made to a specific port. Both log types provide information to build a story during an investigation.
Event log example:
This is an alert, as the event_type field says 'alert'.
The destination IP, source IP, protocol, and signature details such as the message and ID are all shown.
From the message, it looks like this event relates to the detection of malware.

Network Telemetry Log Example
The event type says it is an 'http request'.
Hostname shows the accessed website.
User agent is the name of the software that connects you to the website; in this case, it is the web browser Mozilla Firefox.
Content type shows the content that was requested by the HTTP request. In this case, it is HTML text.
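The two log examples above are read by eye, but the reason EVE JSON is convenient is that the same key-value pairs can be read by a script. The following is an added example (not code from the post or from the Suricata project) that parses a handful of constructed eve.json lines, separates alert events from network telemetry, normalizes every event onto one flat schema the way a SIEM would, filters to the event types an analyst cares about, and orders the result into a timeline. The sample lines, signature ID and addresses are made up for illustration; the field names (event_type, src_ip, dest_ip, alert.signature, http.hostname, http.http_user_agent, http.http_content_type) follow Suricata's EVE schema.

```python
import json
from datetime import datetime

# Constructed sample lines (not taken from the post), one JSON object per line as
# Suricata writes to eve.json. Field names follow the EVE schema; values are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-22T10:15:31.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2024-05-22T10:15:32.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/index.html","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0","http_content_type":"text/html","http_method":"GET","status":200}}',
    '{"timestamp":"2024-05-22T10:15:33.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED EXAMPLE Malware download detected","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2024-05-22T10:15:30.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":40123,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}',
]

# Event types the post treats as security-relevant; everything else is telemetry.
ALERT_TYPES = {"alert"}


def parse_eve(lines):
    """Parse EVE JSON lines, skipping malformed ones instead of aborting the analysis."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not stop the investigation
        if isinstance(event, dict) and "event_type" in event:
            events.append(event)
    return events


def parse_timestamp(ts):
    """Suricata timestamps look like 2024-05-22T10:15:31.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def summarize(event):
    """Pull out the key-value pairs an analyst reads first for each event type."""
    kind = event["event_type"]
    if kind == "alert":
        a = event.get("alert", {})
        return f'{a.get("signature")} (sid {a.get("signature_id")}, severity {a.get("severity")})'
    if kind == "http":
        h = event.get("http", {})
        return (f'{h.get("http_method")} {h.get("hostname")}{h.get("url")} '
                f'ua="{h.get("http_user_agent")}" content_type={h.get("http_content_type")}')
    if kind == "dns":
        d = event.get("dns", {})
        return f'{d.get("type")} {d.get("rrname")} {d.get("rrtype")}'
    return kind


def normalize(event):
    """Map any EVE event onto one flat schema, as a SIEM normalizes diverse sources."""
    return {
        "timestamp": parse_timestamp(event["timestamp"]),
        "event_type": event["event_type"],
        "is_alert": event["event_type"] in ALERT_TYPES,
        "src": f'{event.get("src_ip")}:{event.get("src_port")}',
        "dst": f'{event.get("dest_ip")}:{event.get("dest_port")}',
        "proto": event.get("proto"),
        "summary": summarize(event),
    }


def split_alerts_and_telemetry(events):
    """Separate the two log types the post describes."""
    alerts = [e for e in events if e["event_type"] in ALERT_TYPES]
    telemetry = [e for e in events if e["event_type"] not in ALERT_TYPES]
    return alerts, telemetry


def build_timeline(events, keep_types=None):
    """Normalize, keep only selected event types if asked, and order by time.

    keep_types is the 'be selective about what to log/search' step: passing
    {"alert", "http"} drops flow and dns noise before the timeline is built.
    """
    rows = [normalize(e) for e in events
            if keep_types is None or e["event_type"] in keep_types]
    return sorted(rows, key=lambda r: r["timestamp"])


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE_LINES)
    for row in build_timeline(evs):
        flag = "ALERT" if row["is_alert"] else "telem"
        print(f'{row["timestamp"].isoformat()} {flag} {row["event_type"]:5} '
              f'{row["src"]} -> {row["dst"]} {row["summary"]}')
```

Run against a real eve.json by replacing SAMPLE_EVE_LINES with `open("eve.json")`; the DNS query, the HTTP request for example.test and the alert on the response then fall into one ordered story, which is the narrative the post says log analysis is meant to build. The malformed-line handling matters in practice because a file being written by Suricata while it is read often ends in a partial line.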

Thank you for reading!