This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser.
Server and workstation operating system logs
Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.
Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats
| Event | Log message pattern |
|---|---|
| Successful user login | “Accepted password”, |
| Failed user login | “authentication failure”, |
| User log-off | “session closed” |
| User account change or deletion | “password changed”, |
| Sudo actions | “sudo: … COMMAND=…” |
| Service failure | “failed” or “failure” |
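As an added example (not part of the original cheat sheet), the following Python script applies the Linux patterns above to a few constructed auth.log-style lines and tallies the hits per category. The sample lines and category names are the editor's own; the extra sshd pattern “Failed password” is also an addition, since the table lists only “authentication failure” for failed logins. The generic “failed”/“failure” match is tested last so that it acts as a catch-all rather than swallowing the failed-login lines.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Linux /var/log/auth.log and syslog.
# Illustrative only; they are not taken from the original cheat sheet.
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 host1 sshd[2211]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
Mar  3 08:01:12 host1 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 08:02:40 host1 sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Mar  3 08:02:44 host1 sshd[2240]: Failed password for root from 198.51.100.7 port 40110 ssh2
Mar  3 08:05:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Mar  3 08:06:30 host1 passwd[2302]: pam_unix(passwd:chauthtok): password changed for bob
Mar  3 08:07:15 host1 sshd[2211]: pam_unix(sshd:session): session closed for user alice
Mar  3 08:09:00 host1 systemd[1]: nginx.service: Failed with result 'exit-code'.
"""

# Checklist categories and the message fragments to search for (case-insensitive regexes).
# Order matters: specific categories come first and the generic failed/failure match last,
# otherwise "Failed password" would be counted as a service failure.
# "Failed password" is an extra sshd pattern added here; the cheat sheet lists
# "authentication failure" for failed logins.
CATEGORIES = {
    "successful_login": [r"Accepted password"],
    "failed_login": [r"authentication failure", r"Failed password"],
    "logoff": [r"session closed"],
    "account_change": [r"password changed"],
    "sudo": [r"sudo: .*COMMAND="],
    "service_failure": [r"\bfailed\b", r"\bfailure\b"],
}


def classify_line(line):
    """Return the first matching checklist category for a log line, or None."""
    for category, patterns in CATEGORIES.items():
        if any(re.search(p, line, re.IGNORECASE) for p in patterns):
            return category
    return None


def summarize(log_text):
    """Count matched lines per category; lines matching nothing are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        category = classify_line(line)
        if category is not None:
            counts[category] += 1
    return dict(counts)


def lines_for(log_text, category):
    """Return the raw lines that fall into one category, for manual review."""
    return [line for line in log_text.splitlines() if classify_line(line) == category]


if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE_AUTH_LOG).items()):
        print(f"{category:18s} {count}")
    print("Failed logins:")
    for line in lines_for(SAMPLE_AUTH_LOG, "failed_login"):
        print("  " + line)
```

Point the script at a real file by reading it into `log_text`; the pattern table is the part to extend as you learn which messages your distribution and services actually emit.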
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event IDs, add 4096 to the event ID.
Most of the events below are in the Security log; many are only logged on the domain controller.

| Event | Event IDs |
|---|---|
| User logon/logoff events | Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc. |
| User account changes | Created 624; enabled 626; changed 642; disabled 629; deleted 630 |
| Password changes | To self: 628; to others: 627 |
| Service started or stopped | 7035, 7036, etc. |
| Object access denied (if auditing enabled) | 560, 567, etc. |
Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.

| Event | Log message pattern |
|---|---|
| Traffic allowed on firewall | “Built … connection”, “access-list … permitted” |
| Traffic blocked on firewall | “access-list … denied”, “Deny … by” |
| Bytes transferred (large files?) | “Teardown TCP connection … duration … bytes …” |
| Bandwidth and protocol usage | “limit … exceeded”, |
| Detected attack activity | “attack from” |
| User account changes | “user added”, “User priv level changed” |
| Administrator access | “AAA user …”, “User … locked out”, |
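As an added example (not part of the original cheat sheet), this Python script applies the firewall fragments above to constructed messages written in the style of Cisco ASA syslog output. It tallies allowed and blocked traffic, counts which source addresses are being denied, and parses the “Teardown TCP connection … duration … bytes …” message so that unusually large transfers can be listed. The sample messages, the 100 MiB “large transfer” threshold and the field names are the editor's assumptions.

```python
import re
from collections import Counter

# Constructed sample messages approximating Cisco ASA syslog output.
# Illustrative only; they are not taken from the original cheat sheet.
SAMPLE_ASA_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/52100 (203.0.113.5/52100) to inside:10.1.1.20/443 (198.51.100.20/443)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/52100 to inside:10.1.1.20/443 duration 0:00:12 bytes 4821 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1002 for outside:192.0.2.77/443 (192.0.2.77/443) to inside:10.1.1.30/49233 (198.51.100.20/49233)
%ASA-6-302014: Teardown TCP connection 1002 for outside:192.0.2.77/443 to inside:10.1.1.30/49233 duration 1:12:05 bytes 734003200 TCP FINs
%ASA-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.1.1.20/3389 by access-group "OUTSIDE_IN"
%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/203.0.113.9(51001) -> inside/10.1.1.20(22) hit-cnt 1 first hit
%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.5(52100) -> inside/10.1.1.20(443) hit-cnt 1 first hit
"""

# Assumed review threshold for "large files?": 100 MiB moved over a single connection.
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024

# The checklist's fragments, with "…" turned into ".*".
ALLOWED_PATTERNS = [r"Built .* connection", r"access-list .* permitted"]
BLOCKED_PATTERNS = [r"access-list .* denied", r"Deny .* by"]
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def classify(line):
    """Map a line to 'allowed', 'blocked', 'teardown' or None."""
    if any(re.search(p, line) for p in ALLOWED_PATTERNS):
        return "allowed"
    if any(re.search(p, line) for p in BLOCKED_PATTERNS):
        return "blocked"
    if TEARDOWN_RE.search(line):
        return "teardown"
    return None


def parse_teardown(line):
    """Extract connection id, endpoints, duration (seconds) and byte count from a teardown message."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"conn": m["conn"], "src": m["src"], "dst": m["dst"],
            "duration_s": duration, "bytes": int(m["bytes"])}


def review(log_text, large_bytes=LARGE_TRANSFER_BYTES):
    """Tally allowed/blocked traffic, list large transfers and count denied source addresses."""
    result = {"allowed": 0, "blocked": 0, "large_transfers": [], "denied_sources": Counter()}
    for line in log_text.splitlines():
        kind = classify(line)
        if kind == "allowed":
            result["allowed"] += 1
        elif kind == "blocked":
            result["blocked"] += 1
            ips = IPV4_RE.findall(line)
            if ips:
                # In both deny message forms the first address is the source.
                result["denied_sources"][ips[0]] += 1
        elif kind == "teardown":
            conn = parse_teardown(line)
            if conn["bytes"] >= large_bytes:
                result["large_transfers"].append(conn)
    result["denied_sources"] = dict(result["denied_sources"])
    return result


if __name__ == "__main__":
    r = review(SAMPLE_ASA_LOG)
    print(f"allowed={r['allowed']} blocked={r['blocked']}")
    print("denied sources:", r["denied_sources"])
    for conn in r["large_transfers"]:
        print(f"large transfer: {conn['src']} -> {conn['dst']} {conn['bytes']} bytes in {conn['duration_s']} s")
```

Teardown messages are the place to look for bulk data movement because the per-connection byte count is only known when the connection ends; pairing them with the matching “Built” message (same connection id) tells you when the transfer started.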
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours

| Event | Indicator |
|---|---|
| Failed user authentication | Error code 401, 403 |
| Invalid request | Error code 400 |
| Internal server error | Error code 500 |
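As an added example (not part of the original cheat sheet), the following Python script runs the web-server checklist items over constructed lines in Apache/NGINX combined access-log format: it counts the 400/401/403/500 responses, flags URLs that carry code once percent-encoding is undone, flags requests for file extensions the site does not implement, and reports clients that repeatedly request files that do not exist. The sample lines, the set of “implemented” extensions, the code-in-URL heuristics and the threshold of three missing-file requests are the editor's assumptions.

```python
import os
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/NGINX "combined" access log format.
# Illustrative only; they are not taken from the original cheat sheet.
SAMPLE_ACCESS_LOG = """\
203.0.113.4 - - [03/Mar/2013:08:10:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.4 - - [03/Mar/2013:08:10:02 +0000] "GET /admin.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.4 - - [03/Mar/2013:08:10:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.4 - - [03/Mar/2013:08:10:04 +0000] "GET /setup.asp HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.4 - - [03/Mar/2013:08:10:05 +0000] "GET /search.html?q=shoes%27%20UNION%20SELECT HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.8 - - [03/Mar/2013:08:11:00 +0000] "GET /comments.html?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2800 "-" "Mozilla/5.0"
198.51.100.8 - - [03/Mar/2013:08:11:05 +0000] "POST /login.html HTTP/1.1" 401 120 "-" "Mozilla/5.0"
198.51.100.8 - - [03/Mar/2013:08:11:09 +0000] "GET /report.html HTTP/1.1" 500 512 "-" "Mozilla/5.0"
192.0.2.55 - - [03/Mar/2013:08:12:00 +0000] "GET /about.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
192.0.2.55 - - [03/Mar/2013:08:12:01 +0000] "GET /x.cgi HTTP/1.1" 400 80 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption for the sample site: only these extensions are implemented; requests for
# anything else fall under "access to extensions you have not implemented".
IMPLEMENTED_EXTENSIONS = {".html", ".css", ".js", ".png", ".jpg"}

# Crude heuristics for "code seen as part of the URL": tag openers, UNION ... SELECT,
# quote characters and SQL comment markers. Tune to your application.
CODE_IN_URL_RE = re.compile(r"<\s*/?\s*[a-z]|\bunion\b.*\bselect\b|['\"]|--", re.IGNORECASE)

# Error codes the checklist calls out, and how many 404s from one client count as "excessive".
ERROR_CODES = ("400", "401", "403", "500")
MISSING_FILE_THRESHOLD = 3


def parse_line(line):
    """Parse one combined-format line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(log_text):
    """Run the web-server checklist items over a log and return the findings."""
    findings = {
        "error_counts": {code: 0 for code in ERROR_CODES},
        "code_in_url": [],
        "unimplemented_extensions": [],
        "excessive_404": {},
    }
    not_found = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] in findings["error_counts"]:
            findings["error_counts"][rec["status"]] += 1
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        # Decode percent-encoding first, otherwise %27 and %3C hide the quote and the tag.
        if CODE_IN_URL_RE.search(unquote(rec["url"])):
            findings["code_in_url"].append((rec["ip"], rec["url"]))
        path = rec["url"].partition("?")[0]
        ext = os.path.splitext(path)[1].lower()
        if ext and ext not in IMPLEMENTED_EXTENSIONS:
            findings["unimplemented_extensions"].append((rec["ip"], path))
    findings["excessive_404"] = {ip: n for ip, n in not_found.items() if n >= MISSING_FILE_THRESHOLD}
    return findings


if __name__ == "__main__":
    f = review(SAMPLE_ACCESS_LOG)
    print("error counts:", f["error_counts"])
    print("code in URL:", f["code_in_url"])
    print("unimplemented extensions:", f["unimplemented_extensions"])
    print("excessive 404s:", f["excessive_404"])
```

When the site sits behind a load balancer, concatenate the access logs from every server in the pool before running this, since a single client's probing is otherwise split across files and may stay under the threshold on each one.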
Special thanks to Anand Sastry for providing feedback on this cheat sheet. If you have suggestions for improving this cheat sheet, please let us know.
This cheat sheet is also hosted on Dr. Anton Chuvakin's website.
This cheat sheet is distributed according to the Creative Commons v3 "Attribution" License. File version 1.0.1.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved.