Interpretation Logs and management for CySA+, Network+, Penetration+

[admar]

Hi mates
I would like to suggest that CompTIA, as a neutral certificate provider, introduce more in-depth and detailed information on how to interpret event logs from different sources and manage them, for example: network devices, OS, Apps, among others.
Events Logs have their lifecycle. CompTIA, I suggest you put more details on the subject in the study guides and consequently in the exams.
This would provide a more solid foundation for network analysts and engineers.

There is a lot of misinterpretation of log messages by Analysts and Network Engineers and this misinterpretation can result in delay in accurate collection of information or poor incident response

I had never seen a book or guide that went into depth about interpreting and detailing message logs.
example: How does a log message present itself when it is a brute force in windows authentication, in FTP, SSH protocols? or even on a Cisco Router, Switch?
another example: privilege escalation on linux account. how look like? mensage log



Guys what your view point about?

 

[admar]

Estou me referindo ao log de mensagens.

 

[Jarrel]

Hi mates
I would like to suggest that CompTIA, as a neutral certificate provider, introduce more in-depth and detailed information on how to interpret event logs from different sources and manage them, for example: network devices, OS, Apps, among others.
Events Logs have their lifecycle. CompTIA, I suggest you put more details on the subject in the study guides and consequently in the exams.
This would provide a more solid foundation for network analysts and engineers.

There is a lot of misinterpretation of log messages by Analysts and Network Engineers and this misinterpretation can result in delay in accurate collection of information or poor incident response

I had never seen a book or guide that went into depth about interpreting and detailing message logs.
example: How does a log message present itself when it is a brute force in windows authentication, in FTP, SSH protocols? or even on a Cisco Router, Switch?
another example: privilege escalation on linux account. how look like? mensage log



Guys what your view point about?

While I agree that there's a lot of misinterpretation of log messages at work, I reckon that it is more because of the lack of skill and experience of whosoever is reading the logs, than the lack of content - or it could also be with the trainer, perhaps?

see material on A+, for logs related to ticketing
see material on Network+, for syslog and traffic logs
see material on CySA+, if you are referring to security logs.
... etc

There are so many products out there, and each one has a different view of logs.
CompTIA material has content on widely-accepted logs i.e. syslog, event viewer, etc.

For product-specific ones, I'd suggest looking at the said product's learning content, i.e. Cisco.

Is there a specific type of logs that you need a material for?

 

[Rick Butler]

I'm not sure there is a definitive way to do this - to teach about log analysis. I think it's a function of two things that make one be able to analyze using logs. First, knowing what each log is for and what information is contained therein. An analyst will have poured over and studied each log for the kinds of messages that are contained in it, from simple information, to errors and warnings. Second, is deductive reasoning, which is more of a natural talent. Sure one can learn techniques that can help them reason better, but in the end, either one's brain is wired that way, or it is not.

I think Jarrell is right about it requiring skill and experience with specific logs. I think it's also understanding what and why things are written to those logs. There's no easy way to do it - it's something you learn through experience.

The best reference for learning how to read a log is the log itself.

/r

 

[Brian Ford]

Hi mates
I would like to suggest that CompTIA, as a neutral certificate provider, introduce more in-depth and detailed information on how to interpret event logs from different sources and manage them, for example: network devices, OS, Apps, among others.
Events Logs have their lifecycle. CompTIA, I suggest you put more details on the subject in the study guides and consequently in the exams.
This would provide a more solid foundation for network analysts and engineers.

There is a lot of misinterpretation of log messages by Analysts and Network Engineers and this misinterpretation can result in delay in accurate collection of information or poor incident response

I had never seen a book or guide that went into depth about interpreting and detailing message logs.
example: How does a log message present itself when it is a brute force in windows authentication, in FTP, SSH protocols? or even on a Cisco Router, Switch?
another example: privilege escalation on linux account. how look like? mensage log



Guys what your view point about?

I completely agree. CySA would be a good place to include more content on interpreting message logs.

I participated in the Data+ TTT and in my course development I'm specifically looking at using log data from Windows and Linux.

Cisco and most network equipment vendors and many Linux distros use the Syslog standard (IETF RFCs 3164 and 5424). I think Syslog is particularly interesting due to the need to often parse the description field for context.

I'm planning on including Windows logs because they're there. The vast majority of students I work with have access to a computer running Windows.

 

[Brian Ford]

Two minutes after I posted my last message I read about a colleague working through log data to investigate and respond to a DoS that morphed to a DDoS attack. IMO this would be a perfect CySA (and also a perfect Data+) exercise.

 

[Rick Butler]

Two minutes after I posted my last message I read about a colleague working through log data to investigate and respond to a DoS that morphed to a DDoS attack. IMO this would be a perfect CySA (and also a perfect Data+) exercise.

Wooooooo! I like that! I don't know why my brain didn't link the two - probably because I've been thinking about everything else these days. But that would be super useful. /r

 

[admar]

Two minutes after I posted my last message I read about a colleague working through log data to investigate and respond to a DoS that morphed to a DDoS attack. IMO this would be a perfect CySA (and also a perfect Data+) exercise.

I would like to see it

 

[admar]

Logs interpretation must fit for Cybersecurity analyst (blueteam ) because without it there is no Analise. we work with SIEM and SOAR they receive logs from diferents sources

 

[Luca MC]

Hello everybody,

In regards,
Have you heard about the LogHub by LogPai?

To give a good picture of what a log looks like and their different forms across multiple platforms and programs, I use this resource here:https://github.com/logpai/loghub
Logpai maintains a collection of system logs, which are freely accessible for research purposes.
Some of the logs are production data released from previous studies, while some others are collected from real systems in their lab environment. Wherever possible, the logs are NOT sanitized, anonymized or modified in any way.
All these logs amount to over 77GB in total!!

Plenty to dive in!

perhaps this could be added into the lovely BlackFedora's Cyber Cache? @Rick Butler ?

 

[Rick Butler]

I think I just might do that when I get a quick second. /r

 

[admar]

Hello everybody,

In regards,
Have you heard about the LogHub by LogPai?

To give a good picture of what a log looks like and their different forms across multiple platforms and programs, I use this resource here:https://github.com/logpai/loghubView attachment 773
Logpai maintains a collection of system logs, which are freely accessible for research purposes.
Some of the logs are production data released from previous studies, while some others are collected from real systems in their lab environment. Wherever possible, the logs are NOT sanitized, anonymized or modified in any way.
All these logs amount to over 77GB in total!!

Plenty to dive in!

perhaps this could be added into the lovely BlackFedora's Cyber Cache? @Rick Butler ?

thank u so much. useful

 

[admar]

Hello everybody,

In regards,
Have you heard about the LogHub by LogPai?

To give a good picture of what a log looks like and their different forms across multiple platforms and programs, I use this resource here:https://github.com/logpai/loghubView attachment 773
Logpai maintains a collection of system logs, which are freely accessible for research purposes.
Some of the logs are production data released from previous studies, while some others are collected from real systems in their lab environment. Wherever possible, the logs are NOT sanitized, anonymized or modified in any way.
All these logs amount to over 77GB in total!!

Plenty to dive in!

perhaps this could be added into the lovely BlackFedora's Cyber Cache? @Rick Butler ?

so many infomation