📘 Manual


Created: 12.10.2020

One of the most useful artifacts, when properly configured and maintained, is log files. All devices keep some sort of logs, even mobile devices; however, their relevance to a specific case may differ.

Different logs might be collected depending on the case:

  1. Network hack: logs of all network devices on the route to the hacked device, the perimeter router (ISP) and firewall rules might be required.
  2. Unauthorised access: web server logs, application server logs, application logs, router or switch logs, firewall logs, database logs, IDS logs etc.
  3. Trojan/Virus/Worm: antivirus logs, event logs.

There are generally four main ways to analyse this wealth of data:

  • pivot tables in Excel
  • some dedicated framework
  • LogParser
  • Script

Import the CSV and choose your delimiter. If some columns are stuck together, use Data -> Text to Columns to split them on another delimiter.

💡 Generate pivot tables for each day over a month for statistical analysis. Later deviations from that baseline might highlight suspicious traffic.

❗ïļ Note the data that’s of low frequency.

Another good way to quickly filter logs is the fzf utility. It works on both macOS and Linux. I am not sure about Windows, but you could always use WSL there. Here is a video on how one can dive into this utility and use it to speed up searching. Thanks to my genius colleague Kieran for the command below and for his advice to use fzf! Below is an example of quickly filtering AWS logs.

aws logs filter-log-events --log-group-name /something/anything --profile prodserver | jq -c '.events[]' | fzf --multi --cycle --reverse --preview-window=right:80%:wrap --preview 'echo {} | jq .'

In the AWS CloudWatch console you can go to Logs -> Logs Insights and query the logs using its query language. To the right there are lots of useful examples under Query -> Sample queries.
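As an added example (not from the original page or AWS's sample queries), two Logs Insights queries in the same spirit as the pivot-table tip above: the first counts matching events per day to build a daily baseline, the second lists the log streams with the fewest events, i.e. the low-frequency sources worth a second look. The `ERROR` pattern is an assumed placeholder; replace it with whatever you are hunting for.

```text
fields @timestamp, @message
| filter @message like /ERROR/
| stats count(*) as hits by bin(1d)

stats count(*) as hits by @logStream
| sort hits asc
| limit 20
```

Run each query on its own in the Logs Insights editor; `bin(1d)` groups the results into daily buckets, so the first query is the per-day pivot table and the second the "low frequency" list.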