From performance information to fault and intrusion detection, logs can provide you a lot more things with regard to what is happening on your systems and network along with the timestamps and order of the events. Logs can be invaluable for resource management, instruction detection, and troubleshooting. More importantly, logs can provide an admissible evidence for forensic purposes in the aftermath of an incident. The following sections provide a deep dive into some use-cases of logs.
Logs comprise a plenty of hidden information. For instance, security professionals use Internet Control Message Protocol (ICMP) to ping the host for monitoring if a host is up or down. But doing so is not a reliable approach. The successful pinging must indicate that the host’s network interface has been configured properly. But, sometimes, a host can be crashed, yet an interface still responds as long as it is configured and has the power. In addition, logs also provide the entire information regarding the host and applications running on it and their activities. The information about both hardware and software failure is also stored in the logs and this information is extremely invaluable because it is available before the actual failure of the system. Using this information, the administrators can remove or repair the crashed component, either hardware or software, before they become the big nightmares.
Logs can be extremely useful for intrusion detection. See the example of the following log message:
OCT 18 08:00: 03 host.abc.com: sshd : Failed password for illegal user John from 192.168.2.110 port 44670 ssh2
The above log message indicates that the username—namely, John has taken the failed login attempt. The word ‘illegal user’ in the above example demonstrates that John is not included in the login accounts database and, therefore, is illegal. The attacker was using ‘ssh-scanner’ via SSH and utilizing the common usernames and passwords. The cyber pests often try thousands of common passwords with a very short amount of time to match the result with the original one. However, logs can help in detecting these malicious actors who want to compromise your system and network.
Generally, the purpose of troubleshooting is to find out the symptoms and root cause of the problems and incident for grabbing the attention of the administrator. More often, systems and applications provide a log data through alerts and log messages. For example, troubleshooting a USB device problem on a Windows operating system will ask an Event Viewer to investigate the system logs. Contrarily, application logs can provide the information about the issues related to the logging or fail to create the remote login session. Syslog is also designed for troubleshooting purposes.
Forensics is the investigation process that starts in the aftermath of an event or incident. In this situation, logs can have paramount importance as they can provide an admissible evidence in the courtroom. Once the logs are recorded, they cannot be altered or corrupted if the system in question is seized properly. Logs also have timestamps on each record. They show a chronological sequence of all events. It means that logs not only provide what happened but also tell when happened and in what order.
As a result, it has been realized that logs play a crucial role in resource management, intrusion detection, troubleshooting, and forensics purposes. However, these logs must be secured from alteration and corruption so that their credibility can be ensured. For more information about logging, you need to read two more articles that incorporate Why is the Logging Ecosystem So Important? and Why is Log Management More Important Than Ever?