Intro to Logs: TryHackMe SOC Level 2

Yo, what's going on guys, welcome back. Today we are doing the Intro to Logs room in the SOC Tier 2, or Level 2, path. I did not expect them to come out with the SOC Level 2 path as fast as they did, so now we're going to have to do them side by side, because I was going to knock out SOC Level 1, but they came out with Level 2 weeks after Level 1. Anyway, let's go ahead and hop into it. If you guys like this content, please hit that sub button, it helps out a ton. We got to 5K this year, I'm so stoked, thank you guys so much. Also, if you guys want to see my notes and some of the walkthroughs and stuff, go ahead and hit that Patreon and join there; you'll get access to all the notes, and you'll also get access to one-on-ones and things like that with me. Keep in mind I'm still banned from Hack The Box, so I cannot upload walkthroughs or anything like that, so there is no Hack The Box stuff on there. I only mention it because people have asked me about it. So let's go ahead and get into it.

First things first: what is logging? Obviously everyone should know what logging is. I don't know why they're using this picture, because it's kind of confusing, but basically logging is a record of everything on your machine, everything that's happening or has happened. It's a history of your machine; it's keeping a record of your machine. Now, a comprehensive understanding of logs is crucial. This is true if you are a Level 2 SOC analyst or engineer, whatever it is. A lot of people ask me what's the difference between a Level 1 and a Level 2, because some companies won't say "okay, this is a Level 1, this is a Level 2." I get it. Really the only difference is experience and skill set. What I mean by that is a Level 1 might be a regular or junior-level person, while a Level 2 might be a senior-level person; they have a lot of experience and they're expected to dive into deeper problems and deeper incident response cases and things like that. They're not going to be handling surface-level stuff. Okay, so let's go ahead and dive into it.

Here's the machine that they have us looking at logs for, and they say here "the heart of the logs is..." I get it, they try to go with a log theme here. I think this could have been explained way differently. I don't really love the ring thing, because it gives you the impression that these all build on each other, which they kind of do, but you get them all at once: if you find the log, you get the timestamp and the source and all that stuff at the same time. It's not like you have to get the timestamp, then get the unique identifier, then get the source, and so on. So that's the only reason I'm not a huge fan of it. I understand what they're saying, because if you know the time, that's the first thing you need to track down. I get how they're building it out, I just think it could have been executed a little bit better. But you guys know me, I'm just very critical because I want the best content. I think TryHackMe does an amazing job of teaching people, so I actually really, really respect TryHackMe; it just feels like this one was kind of pushed out fast.

Okay, so this information is typically stored in a log file, which is correct. The biggest thing to take away here is the timestamp. You need the timestamp and it needs to be accurate. We're going to cover that a little bit more, but the reason is all of your different log sources. Let's say you do have an incident: all of your different log sources will be in different time formats. Hopefully they're never in different time zones, but they're in different time formats. That's important because you then have to convert them to the correct time format that you're going to use and make sure that they coincide at that time. So, for instance, somebody has an intrusion in my system. They came in through the firewall, whatever. I check the firewall logs, and the firewall logs in epoch time. Then I check the Windows event logs on the machine they took over, and that's in UTC time. Okay, well now we have two completely different time formats and we need to know what happened. So we have to convert them and then look and say, okay, at this time this happened. All right.

So, the true power: contextual correlation. This is an example of what happened, when did it happen, where did it happen. Suppose a student allegedly accessed inappropriate content on a university network; they got access to something they shouldn't have. By reviewing the logs the sysadmin could answer these questions. What happened? An adversary was confirmed to have accessed SwiftSpend Financial's GitLab instance. When did it happen? It started at 22:10 a.m. Where did it happen? It originated from this IP. Who's responsible? Upon examining the network, it was observed that the device identified as XYZ is responsible. Now keep in mind this is just looking at logs, but then you would correlate this and say, okay, who owns this IP? Because they said this one, for instance, was a student, they may have a student computer that is assigned this IP that you can then go back to and say this is the student, things like that. Were they successful? Yes, since an API key was found to be publicly exposed on the web proxy. So they were successful. What is the result of their action? The adversary achieved remote code execution. Okay, so that's pretty bad.

So the one thing I will say: this is saying a student allegedly accessed inappropriate content. This is something, unfortunately, in my experience, I see more often than I actually see a fully successful attack from the outside. What I mean is, I don't see insider threats all the time where people are literally trying to be malicious, like "let me get in there and let me blah." But I see all the time, most of the investigations I've done in my career are people that are accessing stuff they shouldn't, whether they're accessing financial information or whatever, and it's not even always bad, malicious people. It's people that are being snoopy; they want to see. They say, "oh, I can see this, let me get in there. Ooh, I can do this." Don't do it, because if you're at work, guess what, someone's going to investigate if they find out, and that's going to be me. And when I investigate, I've seen, unfortunately, more times than not, people lose their job because they were just nosy. So be careful.

Now here's another thing I wanted to cover. They have us open this note right here; let's see if it's already open, because this VM is so slow. Okay, it's already open: "Hey Damian, I figured you'd remote into this web server after the call with SecOps regarding the ticket, and I wanted to give you some additional context." Now, one thing I've seen a lot is people kind of hating on, not necessarily TryHackMe, but these types of things, where they say "I like it, I get it, but the problem is I would never actually get a note on a machine," blah blah. I will tell you, when I was a sysadmin this is exactly how we communicated with each other. Sounds silly, sounds dumb, but no regular user should be logging into a server, remoting into it; only the sysadmins would be doing that. So I would leave a note up like this. I wouldn't even have it on the dashboard or on the desktop like this, I would have it up like this, and I would write out to the next sysadmin that I know is going to come in here, and I would say, "hey, heads up, I did this, I did this," Zack, and I would go home. Then the next sysadmin might come in, and when he remotes in he says, "ah okay, I got you, I'm with you." It's a way that I wouldn't have to save it to the desktop; I can leave it running. So this is extremely common. This is common,
it is something that could happen, and I want you guys to be aware of that. So, what's the name of your colleague who left a note on your desktop? Perry. Perry is right there; he signed it for us. Awesome. He told us where the actual logs are that we need. Okay, so what is the full path of the suggested log file? Well, he suggested that we first start with this access log. Okay, cool, so we've now got a location.

So now, what types of logs are there? We've covered this in some of the previous boxes we've done, in the defensive boxes, but there are application logs. These are messages about specific applications, so this might be however the application is built, whatever logging it is bringing to the table, these are the logs; they can send them out that way. Then you have audit logs: activities related to operational procedures, crucial for regulatory compliance. Keep in mind also one thing I didn't say: logs are only as good as you make them. What I mean by that is some people turn off a lot of logging because it fills up so much information. You've got to store this information, it's got to be stored somewhere, so if you have all your logging enabled, which a lot of newer cybersecurity people say "hey, let me enable all logging," the problem is now you have terabytes of data that you have to store somewhere, and it's going to cost you lots of money to store. So you have to play that game; you have to say, "okay, I'm going to enable access logs but I'm not going to enable this," or "I'm going to enable this but I'm not going to enable this." You have to figure it out. This is kind of where your risk appetite comes in: how willing are you to risk certain things, what are your bigger risks, what does your threat modeling say, what is considered high risk for you. Okay, so now you go to application logs, you have audit logs, security logs. This is pretty much exactly what you'd expect: security logs are events such as logins, permission changes, firewall, so things that security should be doing. Server logs: various logs a server generates, including system events, errors, access logs. So this could be something simple: you had an IIS server and it didn't start up correctly, that could be in the server logs. But then again you might have access logs, because you might have that IIS server that has a login and it's going to tell you who's logging in, those types of things. System logs: kernel activities. This is based on your actual hardware. What I mean by that is you might have a Windows server and then an IIS server; the system logs are going to handle the Windows Server logs, but the IIS portion the server logs might handle. Now network logs, this is exactly what it sounds like: anything going on on the network, network traffic, connections, anything like that. Database logs, again, like I said, if you have a login or you have a SQL database, anything like that, and it's reaching back and forth to get information, this is where it's going to log that information. And then web server: this is actually what I was talking about with the server logs, but this is a specific type of server log, so requests processed by a web server, including URLs, response codes, etc. Pretty self-explanatory.

Now we have log formats. This is something you don't necessarily have to literally know the name of, meaning if you see this log I don't necessarily need to say it is a Windows Event Log, EVTX format. You could Google that in two seconds; you could even say "what are the log formats," get this, look at it and say okay, cool. Now I will tell you, you will see these formats a lot, but you don't have to memorize the names. So, semi-structured logs, that's these right here. They're semi-structured: you've got some structure here, but they're not super user-friendly to read. Now you might read this and say "yeah, that's not bad, that's pretty friendly," but the problem is if you have thousands of these all at the same time, it's just going to be line, line, line and you lose some of this, so that's why you kind of need to see it. Now Windows event logs, you can see, are pretty easy: time, ID, display name, message. Okay, cool. Semi-structured, not insanely structured, but semi-structured. Now you have structured logs. The reason they're called structured logs: you might say, "well, this one doesn't look as structured as this one." Yes, but the thing is these are structured in a way. These are comma-separated values; I can import these into other things. I can take the CSV and I can upload it, download it, import it, do whatever, and parse this data the way it is. The reason I can parse it is that it's structured, meaning every log is going to show me, okay, the time has its own time field. Yes, this one has TimeCreated, but it's not the same. So you can see these are structured in a way that I can parse the data easily; that's the whole purpose. Now JSON. JSON is super simple to read as well, so you can see this is just structured in a way that you can use it in JSON code if you need it. Again, parsing, that's the only thing they're doing. Then you have W3C Extended Log Format, same thing: World Wide Web Consortium, customized for web server logging. Again, this is IIS server logging, so structured parsing. That's what the whole point of a structured format is: a way for us to manipulate the data in a way that doesn't change the data but also gives us what we need. If I say "hey, I need all the dates," I can easily pull all the dates from this. Now unstructured, this is just exactly what it is; it's just a splurge of information and you have to go through and figure out what it is for yourself. Like you can see here, here's the IP, but if I don't know computers I don't know that that's an IP. Maybe that's a time format? Obviously the time format's right here, but okay, what's this GET request? Obviously I can break it down and look at it, but it doesn't say "time is this," "log information is this," "user agent is this." It doesn't say that, so I'm just having to look at raw data.

Okay, based on the list of log types in this task, what log type is used for the log file specified in the note in Task 2? If you remember, in the note in Task 2 we have this access log. Well, what format is that? That's what they're asking. So let's go ahead and open it up and take a look. We'll go ahead and go back, because we never did open it, but we'll open the file: we'll say cat /var/log/gitlab/nginx/access.log. So we cat it, I'm just going to stop it, and then we can look at the actual format. The format you can see is: IP, time, a POST request. That looks a lot like this one, right? IP, time, GET request, error code. That looks a lot like that to me. So we say, based on the list, what type of log file is it? It's a web server log, and we know that because we're looking right at it; it's a web server. Based on the list of log formats in this task, what log format is it? It's NCSA Combined Log Format, so "combined."

Okay, log collection. Let's go ahead and talk about log collection. This is probably one of the most important parts of logs. A lot of people see Event Viewer and stuff like that and they're like "oh, I can do this," but the problem is doing that at scale, meaning, okay, I have Event Viewer and I need to do an investigation, but I have 10,000 machines to go through and figure out which ones talked to this IP address. How do we do that? Log collection. So this is where they're talking about NTP, Network Time Protocol. Every machine has to be on the same time zone, or when I say time zone I just mean they all
have to sync up to the NTP server. The reason for this is that if your machine is on 5:00 p.m. and my machine's on 3:00 p.m. and an event happens, my time says 3, yours says 5. Okay, how do I know when it happened? What if I'm looking at 3 p.m.? I'll never see what happened over here. They have to be the same, so that when I'm looking I know the event occurred around 5:00 p.m.; when I'm looking at the logs, your logs at 5:00 p.m. and my logs at 5:00 p.m. are the same thing, they happened at the same time, and I know what's going on. So they're showing you here how to manually update that. I will tell you, most Windows machines, and I say most because there's probably a weird circumstance out there, but all Windows machines I've ever worked with have to be on the same time if they're on a domain. If they are off time, it won't work, they don't work. So just keep that in mind that most domain controllers will handle the time, or they'll have an NTP server somewhere that'll handle the time. Long story short, they should all be on the same time, but it is something you want to check, especially if you're bringing in a third party, or you have a one-off server or something that's not on the domain, it's just off by itself. Make sure that time syncs up, because I have seen that become an issue, especially with cloud-based, because you might have a cloud application and you have no idea what time zone it's in. You need to make sure you know what time zone that's in and be able to correlate those logs.

Okay, so now log management: storage, organization, backup and review. All right, perfect. So storage: where are we going to store these logs? We need a centralized system, so we're talking about centralization. Log storage: depending on what regulations, what auditing, and all these different things you may fall under, you may have to store these for a long, long, long, long, long time. For instance, in financial institutions most of the time they have to store them for the life of the customer. Well, what if you're a customer that has had business there for 20 years and you're 40? They may have to store them for 40 more years. So you need somewhere to store these, and you need it to be affordable, you need it to be reasonable, you need to be able to get the data back; you need all these different things you have to consider. So now, that's where organization comes in. If I'm storing all this stuff, I have to organize it in a way that if I need to grab it, I can, and it makes sense. Backup: this is exactly what you should do with everything. Regularly back up your logs to prevent data loss. So why do we do this, besides the fact that you could have some power outage or something and lose all your stuff? Well, what if an attacker comes into your system and actually changes those logs? He's been in your system, he's been messing around, tinkering, whatever, and then when he's done he goes and tries to delete all his stuff. He's like, "I'm getting rid of this." Well, you're regularly backing them up and sending them off to a SIEM or something; guess what, everything he's changing is logged before and it's backed up, so now you just say, "okay, well this log doesn't match this log, clearly he changed them." That's just one use case where this could happen. Now review: periodically review logs to ensure they are correctly stored and categorized. This means periodically review the logs, but also periodically review the processes you have in place and make sure that you can restore those backups, make sure that you can get data from them if you need to. I can tell you I've seen some logs that are needed where they come back and say, "hey, this happened 30 years ago and it's just now coming to light, we need those logs." I've seen that. So keep that stuff in mind, that you may need to pull these logs years and years down the road.

Okay, so choose a centralized system. Centralization is exactly what it sounds like: you're taking all the logs and putting them in one spot. This helps out tremendously, because again, like I said, if you just had single event logs on each machine and that's it, and then you had to go to each one to get them, it would be chaos. You'd never get them; it would be impossible, because what if I'm trying to review the entire network? I'm not going to be able to manually log into 10,000 machines and pull the event logs and look at them. It would just be impossible. Now, integrate sources: connect all your log sources to the centralized system. That's part of the system; you figure out the system you want to store them in, now you start pulling them in and aggregating them. Then you set up monitoring. This is where you say, "hey, if anybody runs a PowerShell script that reaches out and has a reverse shell, I want to be alerted on that right away," those types of things. If anybody at 2 a.m. is running this when our work hours are 8 to 5 and nobody should take their computer home, I need to know about that. Those are things you want to start monitoring. And then integration with incident management, pretty simple: you should be getting an alert from your logs, something occurred, who knows what it is, and then you automatically have an incident management plan; it's already going. So that's the whole point, that's what logs are for.

Now, practical activity: log collection with rsyslog. So we're going to do this practical activity. I'll tell you, this machine over here is super slow, so because it's so slow I've already done these, but I'm going to prove it and show you guys. So here, I mean, literally you follow the steps word for word: open the terminal, ensure rsyslog is installed, and then create a configuration file. So we're just going to cat it to show you: /etc/rsyslog... well, maybe rsyslog, why is it not... oh, there we go, that's why. Okay, and I'll move this over here because I know you guys can't hardly see it, but you can see how slow that is, how laggy it even is. Come on. All right, rsyslog, and then we have rsyslog.d,
and then we have 98-websrv-02-sshd.conf. If I cat it, you can see I've already put this in here, the file create mode and all that jazz, so it's already in here. Okay, so that's perfect. I'm also going to move my camera down over here so that you guys can see, and then I'll move it back so you can see. Okay, we've got it in there, that's perfect. So now what's it saying? Save and close the configuration, restart it, perfect. Verify the configuration: check the log file after a minute or two. Okay, so you can see we put in here to actually take the program sshd and log it to /var/log/websrv-02/rsyslog_sshd.log. So now we just need to look at the log, because it says check it in a few minutes, so we can say cat /var/log/websrv-02/rsyslog_sshd.log. We cat it and we look, and it says here: after configuring rsyslog, what username repeatedly appears in the sshd logs? Okay, it looks like "invalid user stansimmons," and I can make this wider so that makes more sense. So the name is stansimmons. We type in stansimmons and boom. So this stansimmons is continuously trying to guess a password; they're brute forcing. Well, if we thought somebody was doing this, we should have an alert already in place that says "hey, if somebody tries to log in more than three times, alert me." So this would then be part of your incident management plan. You'd look and you'd say, okay, first off, stansimmons is trying to log in from this IP. Well, while we investigate this, just block this IP real fast, and then let's start looking at it. That's where you'd start your incident management plan: you have a plan in place, we've got to start figuring it out. Now, okay, what's the IP address of SIEM-02 based on the rsyslog configuration? Okay, based on a different configuration, so we say cat /etc/rsyslog.d/99-websrv-02-cron.conf, and this is the cron configuration. So this is the logging for all the scheduled tasks, and you can see here it forwards logs to the SIEM, and there it is, 10.10.10.101, bingo. So you guys can kind of see those answers. There you go, 10.10.10.101. I guess it makes more sense for my camera to be right here.

Okay, now based on the generated logs in /var/log/websrv-02/rsyslog_cron.log, what command is being executed by the root user? Okay, so now it looks like there is a cron job, which is a scheduled task. Let's see what it's actually doing, so we say cat /var/log/websrv-02/rsyslog_cron.log, and we look at it. Okay, so these are logs. Now it's very odd that the root user is running basically a reverse shell. Now the question is, is it actually a real scheduled task? And I know that sounds crazy, because you're like "well, why would that ever be a scheduled task?" Maybe it is, maybe there's a reason for it. So before you just go and delete it, and I'm not saying don't block it or anything like that, you will have an incident management plan. That's your whole thing; you should have, at a company, an incident management plan. You should know, if I see something like this, here's how I'm going to respond. Now, this is the root user, so that's a little bit different, because that's not an actual user, it's not a person. But if that was a person that was doing that, you may want to go reach out to them right away and say, "hey, is this actually you or not?" If it's not you, we know something's up. If it's you, why are you doing this? Because there may be an admin that has to do this for something; it may be a quick thing. Now I'm not saying just trust him on his word, maybe go do some investigating, but at least you know for the time being you're not infiltrated from the outside. Now you can see this has an actual different IP, so if it was an outside IP then okay, yeah, I get it. But you should have an incident management plan here. So that's why logging is so important, because you can find stuff like this, and stuff that you didn't even know existed, just by setting up good logs.

Now, log retention. So here are reasons why you might need log retention. Now I'll tell you, it says the choice of log retention typically depends on multiple factors, which is true. So, security requirements: if you have some sort of regulatory compliance requirement right off the bat that says "hey, I have to store logs for 10 years," that's going to change how you store them for sure. And then you can say accessibility needs: how quickly do I need to pull them in? Storage capacity, cost considerations, compliance regulations, which is what I talked about with security regulations as well. Retention policies: what's your company's retention policy, how long do you have to keep them? And then DRPs, disaster recovery plans: where are we storing them based on our disaster recovery plan? Now I will tell you, the reason these considerations have to be considered very seriously from a business perspective is that the cost is going to change dramatically. So, for instance, it says here cost considerations and accessibility needs; those are two things you have to consider. Well, what if the logs you're storing have to be stored for multiple years? Things like AWS Glacier, if you've ever used it, are extremely cheap for storage, but you can only access it so many times a year. The reason for that is it's long-term storage, not regular storage. You might use something else for storage if you need it all the time; you might use a different AWS product, you might use a database, you might use whatever, but the point is cost comes into play, because they might say "here's your budget," and you go to AWS like "oh yeah, it's only this much money," and you're like "oh, that's way under budget, we're awesome," but then you look and you need to access the data all the time, and now your cost goes way up, because that's not what that storage is for. So keep that in mind.

So now you have hot storage: this is logs from the past 3 to 6 months. Hot storage is basically on-site; your storage is right there, you can just grab it any time you want, boom, boom, boom. Then you have warm storage, 6 months to 2 years. What this is, is basically "hey, we've got it sitting over there, we can get it if we need to, but we're not accessing it all the time." And then cold storage: these are compressed logs, meaning that some of the information is going to be gone, but you're still going to have the general idea, and you can restore them if you need to, but realistically you shouldn't be accessing these that often. Now, log deletion. Like it says right here, log deletion must be performed very carefully, because you might delete something that you don't realize is actually important. You don't want to do that. So this is where you need to really understand your environment and understand what logs you are pulling. Okay, so maintain a manageable size of logs for analysis; comply with privacy, this is the big one; comply with regulations, because you can get fined if you don't have logs that you say you were logging. Keep that stuff in mind. Also keep in mind that these logs start to grow tremendously, meaning if I enable something it could really start costing me a fortune, if I enable logging on something that I think is a good idea but then the cost is skyrocketing because I'm storing terabytes of data that have to be stored in a hot site. Those types of things, keep that in mind, because those are the things that the business and security as a whole need to work together on.

Now, practical activity: log management with logrotate. So I already set this up for you; we can go ahead and cat it if you don't believe me, so cat /etc/logrotate... And for those of you that might say "well, why'd you set them up for us? Because then we won't get to see you do it," you
are literally copying and pasting this. You don't need to see me copy and paste; you can see there it is, copy and paste. It gives you word-for-word instructions. So then you manually rotate the logs. If you don't know what log rotating is, it's taking those logs, compressing them (like this, they're using gzip to compress them), and then storing them so the storage is much, much smaller. You can see they have the size here for you, and you can see the size is 108 versus... and they don't have, oh, here's the hash, that's... they don't actually have the one. And then they have the hashes saved as well, so that way you can correlate. Now this is a good way to do this, but I will tell you, on a large scale you wouldn't do this on an individual machine, but you will have log rotation in place. So you can see, actually we'll just do the ls, because I'll show it to you guys, so we'll say ls -la /var/log/websrv-02, and you can see here we have the rsyslog cron log and the SSH logs, and you can see this one is compressed and this one is not. You can see how much bigger it is, so that's a huge difference. So you may have it set up to rotate however often you want. Here you can see they keep 30 rotations, meaning 30 backups, which may seem like a lot to you, but they take daily logs. So what this means is they're only keeping 30 days of logs; they're just keeping them rotated, meaning every day the logs go in, and at the end of the day they compress them. Keep in mind you could lose data, not important data, but you can lose some of the data when you really start compressing these logs. So you compress them, they're now stored in a much smaller format, and then the next day's logs start, then the next day they compress them, the next day's logs start. Now if I needed those logs from two, three, four days ago, I could unzip them, check them out, stuff like that, but they're not taking up all the storage in my system. This is super important.

Now, based on the logrotate... so now they have another file for us to look at: they have /etc/logrotate.d and then they have this one for 99-websrv-02. So they did this configuration file themselves, and they said, okay, based on this configuration file, how many versions of the old compressed files are they going to keep? And you can see right there, 24. And then how long, or what's the rotation frequency? Hourly. So what's that mean? They're going to keep 24 hours of logs, because they're going to rotate them every hour and they're keeping 24 of them. So pretty simple, pretty easy.

Okay, so now this one, they're just talking about the log analysis process. So they're talking about data sources. Data sources are where you're getting logs from. Parsing is taking this data and putting it into a manageable and understandable format so that you can actually read it and you don't have to just sit there and look at millions of lines of words and hope you find it. Normalization, this is standardizing that parsed data: you've taken the data you want and you're standardizing it so that you know what you're looking at. Then sorting. Sorting is pretty simple: if I want to say "hey, here's the accounting department, I want their logs over here," now you wouldn't actually sort this way, I'm just using it as an example, "here's your HR department, I want these logs over here." You're sorting them, you're getting them where you want them so that you know what to look for. Usually you would say, like, okay, web server logs over here, whatever, but it's just an example that people can understand. So classification: this depends on what data is in that log. You may need to keep that log encrypted, because that log might actually have passwords in it, or it might have something else in it, PII in it, that you need to make sure is hidden. So you would classify those logs and say, "hey, this is classified information, keep these logs safe." Enrichment: this adds context to logs, making them more meaningful, so it can involve adding information like geographical data. So taking these logs and saying "hey, these logs are from this site," that adds data, because what if you have five sites? Well, you've got five sites and now you're looking at all these logs like "oh crap, which goes where?" But if you add that information, say "hey, these logs are from this site, these logs are from this domain controller," blah blah blah, there you go, you're set. Now correlation, pretty simple: taking those logs and linking things together. So, "hey, I noticed the firewall was hit at this time, then this web server was attacked, then this machine was attacked." Correlate them. Okay, well, follow the path: did they come into the firewall and then go into the web server and then go here, or did they hit the web server and then pivot to the firewall? Those things, you need to correlate those logs and put the full picture of the event together. Visualization, this is exactly what it sounds like: taking charts, graphs, heat maps, whatever you want, and making it look good so that you can present it to people. Yes, it helps you, trust me, it will help you, but it also makes it really nice to present to people. And then reporting: summarize log data in structured formats. This is exactly what it sounds like. If you have an executive who needs to see "hey, how many events do we have this year?" Well, if you have a nice graph for it, reporting is much easier. That's why visualization comes right before reporting.

Okay, so now log analysis techniques. Pattern recognition, pretty easy: if you see a pattern, you see someone trying to log in over and over and over, that's odd, so that's where you're starting to look at that analysis. Anomaly: okay, someone logs in every day 8 to 5, they're working; one day they log in at 2 a.m.
and start working working right that's an anomaly correlation again we talked about it you correlate different logs together to say okay okay I see the full picture timeline pretty easy again if that happened at 2 a.m. I'm going to follow that timeline I'm going to start when of the first instance or when the first instance we saw was and follow that timeline um and then like it says here analyzing these over time helps understand Trends so if you've watched him and every day he's logged in 8 every day gets off at 5 that 2 a.m. is very weird then machine learning in AI you can have ai take these logs and say look for those patterns for you look for those correlations for you um and it's going to learn much faster keep in mind you want to do a mixture you don't ever want to rely 100% on AI um because it is wrong a lot so visualization exactly what it sounds like making it look good for you statistical analysis using statistical methods to analyze logs to provide quantitative Insight so we've not we've analyzed 5 million logs and we noticed 100,000 odd ones so the percentage of logs is that we have to actually analyze is much smaller d That's statistical analysis um so now working with L practical application so here again I'm not going to follow this step perfectly because all they're doing is taking the logs parsing them getting the data that they want and then presenting them to you now I will say this okay this looks really complicated to people that aren't familiar with a and said it's not there's a couple reasons I'll tell you it's not the main reason you only have to do this once right so you have plenty of time take your time get this exactly how you want it get that data and then do it once and then now you make this a scheduled task and it's going to just go through that you don't have to keep redoing this every day or memorize this command or anything like that you just make it a scheduled task and then it will give you the data and you can see this is 
just parsing the data and then optional use GP to filter specific entries so they're using GP then they sort them and then they get rid of unique or they get unique instances meaning they're getting rid of duplicate entry entries and then you can see we can go to this web server and you can see here's the web server and this is a poor example of a Sim but this is what a Sim basically would do it Aggregates all that information puts it in one spot for you so now you might have five or six logs instead of just one and they're all parsed so now you have the date the time or the um path of the log the actual Source here and then all that other stuff right so all of this is just an easy way to view the data now I'll tell you you want a better Sim than this but you can search that's huge that takes a lot of the time that you would have had to go through the command line and GP and all that stuff for so now upon accessing the F log viewer URL which we have what error does this log do so what they're saying here this one was confusing because I didn't really understand what they were saying but if you go right here and you add a log you you add the log this is what they want you to do they want you to add the log and you go back they want you to go to VAR and they're giving you it right here VAR log web server and like I said this one was confusing because it doesn't really tell you it says upon accessing the log viewer show um what error does that log show but that log is not in here so they didn't really specify that so you have to go through and figure out what what they had you do but okay so we are VAR log web server and then we have R CIS log Chrome log so you can see if we do this one right here and we open it and it reloads you'll see the one you'll get is maybe you'll get an error is what you get failed to read log no date field log cannot be merged so this is good you wouldn't want that because you couldn't correlate any of the logs so what do we get the air no 
date field now what is the process of standardizing parse data into a more easily readable in quable format normalization that's right up here they're going to talk about it normalization standardizing parse data we just talked about it what is the process of containing normalized doogs to enhance the analysis of activities related to specific enrichment you're you're enhancing the ability of the analysis meaning you're adding something that enriches the log so that's exactly it so now conclusion logs are important you got to log or else you're really not going to be you're going to be at a huge disadvantage so make sure you're logging stuff make sure you're understanding the logs and make sure that if you don't understand them you're taking some of these courses when I say that for instance they're showing Sims here spunks or Splunk Basics instant handling Splunk these are free tools a lot of Sims will give you free training on them make sure you're taking advantage of that now you want to know machine logs as well but keep in mind that you should be exporting them to a Sim or to some centralized database because you do not want to rely on the fact that you have to log into a machine after the fact and that logs intact so hopefully you guys like this content I know it takes a while to get through some of this stuff but I want you guys to get the best information and also understand what's going on so hopefully you guys like it if you do hit that like button hit that sub button and thank you guys hope you guys have a great day
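The parse, normalize, enrich and grep/sort/uniq steps described in the video, and the "no date field, log cannot be merged" error it runs into, as an added example that is not part of the video or of the TryHackMe room. It is a small Python pipeline over constructed sample lines: two log formats (syslog-style sshd lines and Apache combined-style access lines) are parsed into one schema with an ISO-8601 UTC timestamp, enriched with a site tag from a constructed host-to-site map, sorted by time, and counted per source IP. A line with no timestamp is rejected rather than silently merged, because without a common time field it cannot be correlated with anything else. The hostnames, IPs, the year assumed for syslog lines and the site map are all assumptions for this example.

```python
"""Added example (not from the video or the TryHackMe room): a small
parse -> normalise -> enrich -> sort/count pipeline over constructed log lines."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: two formats mixed together, plus one line with no
# date field (the kind of entry the log viewer in the video refused to merge).
SAMPLE_LINES = [
    'Jan 10 02:13:07 webserver02 sshd[1042]: Failed password for root from 203.0.113.7 port 51234 ssh2',
    'Jan 10 02:13:09 webserver02 sshd[1042]: Failed password for root from 203.0.113.7 port 51236 ssh2',
    '198.51.100.23 - - [10/Jan/2024:02:14:01 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Jan/2024:02:14:03 +0000] "POST /login HTTP/1.1" 401 88',
    'Jan 10 02:15:00 dc01 sshd[77]: Failed password for admin from 203.0.113.7 port 51300 ssh2',
    'kernel: eth0: link is up',   # no date field -> cannot be normalised
]

# Constructed enrichment data (assumption): which site each host belongs to.
HOST_TO_SITE = {"webserver02": "dmz-east", "dc01": "hq"}

SYSLOG_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')


class NoDateField(ValueError):
    """Raised when a line carries no timestamp and so cannot be merged."""


def parse(line, year=2024, host_for_apache="webserver02"):
    """Parse one raw line into a normalised record with an ISO-8601 UTC timestamp.
    Syslog lines carry no year, so one is assumed; Apache lines carry no
    hostname, so the collecting host is passed in (both are assumptions)."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        ip = IP_RE.search(m['msg'])
        return {"ts": ts.isoformat(), "host": m['host'], "source": m['prog'],
                "src_ip": ip.group(1) if ip else None, "msg": m['msg']}
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m['ts'], "%d/%b/%Y:%H:%M:%S %z")
        return {"ts": ts.astimezone(timezone.utc).isoformat(), "host": host_for_apache,
                "source": "httpd", "src_ip": m['ip'],
                "msg": f"{m['req']} -> {m['status']}"}
    raise NoDateField(f"no date field, log cannot be merged: {line!r}")


def enrich(record, host_to_site=HOST_TO_SITE):
    """Add the site the host belongs to (the 'which of my five sites' context)."""
    return {**record, "site": host_to_site.get(record["host"], "unknown")}


def normalise_all(lines):
    """Return (records sorted by time, rejected raw lines). Rejected lines are
    kept rather than silently dropped so nothing disappears from the trail."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(enrich(parse(line)))
        except NoDateField:
            rejected.append(line)
    records.sort(key=lambda r: r["ts"])   # ISO-8601 UTC strings sort chronologically
    return records, rejected


def count_by_src_ip(records, needle="Failed password"):
    """The grep | sort | uniq -c step: matching events per source IP."""
    return Counter(r["src_ip"] for r in records if needle in r["msg"])


if __name__ == "__main__":
    recs, bad = normalise_all(SAMPLE_LINES)
    for r in recs:
        print(r["ts"], r["site"], r["host"], r["source"], r["src_ip"], r["msg"])
    print("rejected (no date field):", bad)
    print("failed logins by source IP:", count_by_src_ip(recs).most_common())
```

Run it as a script to see the merged, time-ordered view; the kernel line is reported separately instead of being merged, which is the behaviour you want from a collector when a record has nothing to correlate on.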
Info
Channel: stuffy24
Views: 133
Keywords: hacking, tryhackme tutorial, tryhackme review, try hack me red team path, try hack me pentesting, hacker simulator, how to hack wifi password, pentesting for beginners, walkthrough, tryhackme, tryhackme vs hackthebox, tryhackme security engineer intro, intro, security, thm engineer, stuffy24, security analyst, analyst to engineer, soc, soc lvl 2, security operation center, level 2, tryhackme soc lvl 2, tryhackme soc, level 2 soc, thm soc level 2, thm soc lvl 2, lvl 2 soc
Id: LbDUvMO3TZ0
Length: 42min 15sec (2535 seconds)
Published: Thu Oct 05 2023