Appendix B
Log Basics
When taking the CompTIA Security+ exam, you’ll be expected to read and understand log entries. It’s often trivial for administrators who look at logs every day to identify relevant elements in a log entry. However, for people who don’t look at logs regularly, this can be challenging.
Understanding Log Basics
CompTIA frequently refers to logs throughout the exam objectives. They are valuable tools when troubleshooting. Unfortunately, there isn’t a single way that logs are formatted making them sometimes hard to read, especially when randomly placed within a question. However, there are many common elements that you can usually identify in log entries.
Logs typically record what happened, when it happened, where it happened, and who did it. This allows someone, such as an administrator or security professional, to analyze the logs to gain details of events.
Many times, security administrators are searching the logs looking for event anomalies. As a simple example, attackers sometimes try to log on to accounts by guessing passwords. Security logs record these attempts as failed logons, which is an event anomaly. After investigating the failed logins, administrators can determine if the failed logins were part of normal operation or a security incident.
It’s tempting to set up logging to record every event and provide as much detail as possible—most logs support a verbose mode that will log additional details. However, a limiting factor is the amount of disk space available. Additionally, when logging is enabled, there is an implied responsibility to review the logs. The more you choose to log, the more you may have to review. The goal is to balance what is needed and the amount of available space for storage. The following sections cover some issues to consider when reviewing logs.
Reading Logs
It isn’t feasible to describe every possible log from every known vendor, at least if I want to keep the page count of this book less than 2,000 pages. However, there are common log attributes that you can look for to help you read them.
When It Happened
Every log entry has a timestamp to let you know when the event happened. Timestamps include both the date and time, but not always in an easily readable form.
For example, you may see something like the following:
22:02:2021 20:10:05 10.10.80.5:49154 > 192.168.1.15:21
22:02:2021 20:24:17 10.10.80.5:49154 > 192.168.1.15:20
22:02:2021 20:37:37 10.10.80.5:49154 > 192.168.1.15:25
22:02:2021 20:46:41 10.10.80.5:49154 > 192.168.1.15:23
With a little deductive reasoning, you can see that each entry includes 22:02:2021 (February 2nd, 2021), and that is the date. The next set of data is the time (using a 24-hour clock). It indicates the traffic occurred at 8:10 and 5 seconds (PM), 8:24 and 17 seconds (PM), 8:37 and 37 seconds (PM), and 8:46 and 41 seconds (PM), respectively. Many logs spell out the month because an entry such as 05:12:2021 is ambiguous. Is it May 12th or December 5th? It just isn’t clear.
Using a 24-hour clock saves space in a log but is confusing to some people. Hours less than 12 are in the morning (AM) and hours after 12 are in the afternoon and evening. An easy way to identify the time for any hours after 12 is by subtracting 12 from the hour. For example, with a time of 13:10:05, you’d subtract 12 from 13 (indicating 1 PM).
Where It Happened
Many log entries include a source and a destination. This is simply where the traffic originated and where it is going. There are several ways that a log entry may indicate the source and destination, such as:
A computer name (such as Server1)
An IPv4 address (such as 192.168.80.14)
A socket, which includes an IPv4 address and a port (such as 192.168.80.14:443)
An IPv6 address
A media access control (MAC) address such as 01:23:45:67:89:ab
Sometimes, the log entry may list the computer name (such as Server1), but more often, it uses the IPv4 address or the socket. A socket is an established connection and includes an IP address and a port number. You’ll see the IP address and port separated by a colon, such as 192.168.80.14:443.
When a socket is used, the IP address indicates the source or destination computer, and the port tells the computer what service to send the traffic to when it arrives. A destination port of 443 indicates the Hypertext Transfer Protocol Secure (HTTPS) service should receive and handle the traffic.
In some cases, you’ll find that one socket has a public IP address and another socket has a private IP address. If the log entry is recording traffic in an attack, the public IP address indicates the system sending the attack. The private IP address is the internal computer being attacked. Note that the public IP address may be a spoofed address or a compromised system controlled by an attacker.
Some logs use MAC addresses to identify computers. If you can recognize MAC addresses, this should be easy to identify. MAC addresses are typically represented as six pairs of hexadecimal characters (such as 12:ab:34:cd:56:ef).
What Happened
Some log entries require you to analyze them and identify what is the same and what is different. The following entries provide insight into what happened, but you need to understand sockets:
22:11:20 20:10:05 10.10.80.5:49154 > 192.168.1.15:21
22:11:20 20:24:17 10.10.80.5:49154 > 192.168.1.15:20
22:11:20 20:37:37 10.10.80.5:49154 > 192.168.1.15:25
22:11:20 20:46:41 10.10.80.5:49154 > 192.168.1.15:23
It’s not always apparent, but in these entries, the “>” character indicates the direction of the traffic. Traffic is going from 10.10.80.5 to 192.168.1.15. Notice that the source sockets are identical. They have the same IP address and the same port. In contrast, the ports in the destination socket are all different. This indicates that the attacker (10.10.80.5:49154) is performing a port scan on the destination computer (192.168.1.15). If the port is open, the system responds. If the port is closed, it doesn’t respond.
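The following Python script is an added example, not part of this appendix, showing how the "when", "where", and "what" questions above can be answered mechanically for entries in the date time src:port > dst:port form. It parses each entry, converts the 24-hour timestamp to 12-hour form, checks whether each address is private (RFC 1918), and groups entries by source socket to spot the many-destination-ports pattern that signals a port scan. The sample entries are constructed, and the day:month:year ordering is assumed as the text reads it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample entries in the "date time src:port > dst:port" form
# discussed above (not a real capture).
SAMPLE_LOG = """\
22:02:2021 20:10:05 10.10.80.5:49154 > 192.168.1.15:21
22:02:2021 20:24:17 10.10.80.5:49154 > 192.168.1.15:20
22:02:2021 20:37:37 10.10.80.5:49154 > 192.168.1.15:25
22:02:2021 20:46:41 10.10.80.5:49154 > 192.168.1.15:23
"""

# dd:mm:yyyy hh:mm:ss a.b.c.d:port > a.b.c.d:port
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{4}) (\d{2}:\d{2}:\d{2}) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) > (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$"
)

def parse_entry(line):
    """Split one entry into when/where parts; returns None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, src_ip, src_port, dst_ip, dst_port = m.groups()
    # Assumed day:month:year ordering (the text reads 22:02:2021 as February).
    when = datetime.strptime(f"{date} {time}", "%d:%m:%Y %H:%M:%S")
    return {
        "when": when,
        "when_12h": when.strftime("%I:%M:%S %p"),  # 24-hour clock to AM/PM
        "src": (src_ip, int(src_port)),
        "dst": (dst_ip, int(dst_port)),
    }

def is_private(ip):
    """RFC 1918 (and other non-routable) check using the standard library."""
    return ipaddress.ip_address(ip).is_private

def find_port_scans(log_text, min_ports=3):
    """Group entries by (source socket, destination host); one source socket
    touching many distinct destination ports on a host looks like a port scan."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e:
            targets[(e["src"], e["dst"][0])].add(e["dst"][1])
    return [{"src": src, "dst_ip": dst_ip, "ports": sorted(ports)}
            for (src, dst_ip), ports in targets.items() if len(ports) >= min_ports]
```

Running find_port_scans(SAMPLE_LOG) reports one source socket, 10.10.80.5:49154, touching ports 20, 21, 23 and 25 on 192.168.1.15, which is exactly the pattern the entries above describe.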
Who Did It
Some log entries include human-readable text. Take a look at the following partial log entries and see if you can identify what happened:
2/24/2021/02:01:05 Homer 192.168.1.10 action:login/success
2/24/2021/02:02:30 Homer 192.168.1.10 action:login/fail
2/24/2021/02:03:31 Homer 192.168.1.10 action:login/fail
2/24/2021/02:04:32 Homer 192.168.1.10 action:login/fail
The first entry indicates Homer logged in successfully. Afterward, it shows three login failures. This could suggest many things. However, notice that all four entries are within a minute of each other. Homer could have logged off accidentally and then forgot the credentials he just used a moment ago. It could also indicate a malicious actor who previously captured Homer’s credentials, logged on, changed Homer’s password, and then verified that the old credentials aren’t working.
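As an added example that is not part of this appendix, the Python below parses entries in the date user ip action:login/result form shown above and flags the exact sequence the text describes: a successful login followed, within a short window, by repeated failures for the same account. The sample entries are constructed, and the month/day/year timestamp ordering and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample entries in the "date user ip action:login/result"
# form shown above (not a real authentication log).
SAMPLE_AUTH_LOG = """\
2/24/2021/02:01:05 Homer 192.168.1.10 action:login/success
2/24/2021/02:02:30 Homer 192.168.1.10 action:login/fail
2/24/2021/02:03:31 Homer 192.168.1.10 action:login/fail
2/24/2021/02:04:32 Homer 192.168.1.10 action:login/fail
2/24/2021/09:15:00 Marge 192.168.1.11 action:login/success
"""

AUTH_RE = re.compile(
    r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) action:login/(success|fail)$"
)

def parse_auth_entry(line):
    """Return who/where/what for one entry, or None if it doesn't match."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    stamp, user, ip, result = m.groups()
    # Assumed month/day/year/time ordering for the constructed entries.
    return {"when": datetime.strptime(stamp, "%m/%d/%Y/%H:%M:%S"),
            "user": user, "ip": ip, "result": result}

def success_then_failures(log_text, min_fails=3, window=timedelta(minutes=5)):
    """Flag accounts where a successful login is followed within `window` by
    at least `min_fails` consecutive failures (the pattern discussed above)."""
    entries = [e for e in (parse_auth_entry(l) for l in log_text.splitlines()) if e]
    by_user = {}
    for e in sorted(entries, key=lambda e: e["when"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            fails = 0
            for f in evs[i + 1:]:  # count failures until the window closes
                if f["result"] == "success" or f["when"] - e["when"] > window:
                    break
                fails += 1
            if fails >= min_fails:
                findings.append({"user": user, "ip": e["ip"],
                                 "success_at": e["when"], "failures": fails})
    return findings
```

The finding only says the pattern occurred; deciding between a forgetful user and an attacker verifying a changed password still takes the investigation the text describes.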
Applying Critical Thinking Skills
You’ll often find that a CompTIA Security+ question will lack details, such as entire log entries. Other times, you may see questions with an excessive amount of details that have nothing to do with the question. In these circumstances, you’ll need to apply some critical thinking.
In short, critical thinking is the process of analyzing the facts you have to make a judgment. Admittedly, critical thinking is a complex topic. While the single-sentence description explains what you need for the CompTIA Security+ exam, there are several definitions. Here are a few:
“Disciplined thinking that is clear, rational, open-minded, and informed by evidence.” (dictionary.com)
“Critical thinking is the ability to think in an organized and rational manner in order to understand connections between ideas and/or facts.” (zety.com)
“Critical thinking is the intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning, or communication, as a guide to belief and action.” (criticalthinking.org)
Some of you may be wondering, “What does this have to do with logs and the CompTIA Security+ exam?”
When you see a question with sample log output, you’ll often be required to apply your knowledge to understand the question, even if the question doesn’t directly mention additional concepts. Consider these questions:
Does the log entry show IP addresses?
If so, are some private and some public? See RFC 1918 if you don’t know how to tell the difference.
Are any IP addresses the same?
Do you see any sockets? Are any of the sockets the same? Are any of the sockets different? This can help you determine the direction of the traffic.
Does the entry show any MAC addresses? Can you identify a MAC address if you see one?
Are there any timestamps? Do you recognize them?
Are there English words, such as account name or action results? You’ll rarely see full sentences in a log entry, but instead, you need to determine what the log entry is communicating with just a few words.
This appendix addresses each of these questions, but it doesn’t cover every possibility. Instead, my intention is to give you some basics you can apply when you see questions that include log entries.