The most challenging task in network security is network log analysis. This work process identifies *** or *** attempts by closely monitoring and analyzing various log files. This process also includes normalized log security events for correlation analysis. There are many different types of network log files that need to be checked, but devices (including switches, firewalls, routers, etc.).
Although analyzing log files is a tedious and tiring work, the techniques and interesting cases given in the book "Unix/Linux Network Log Analysis and Traffic Monitoring" can help you recover from Gain a lot of valuable experience in the log file.
This log analysis book starts from the role and characteristics of log files and gradually penetrates into the basis of log file analysis. It especially mentions the log format of various system services. The purpose is to automate the log analysis process as much as possible.
1. The importance of web logs
In the complicated daily operation and maintenance work, system administrators tend to ignore all kinds of network log files. Everyone is often busy solving problems, and there is no time and energy to collect and check log files. Often the black bear breaks the corn and throws it with one hand. Or pick up sesame seeds and lose watermelon. Before the failure, I hadn't paid attention to these files until the log was deleted or emptied, and then tried to retrieve it, and then hurriedly searched, trying to find out what happened, it was too late.
Usually, this kind of search work includes checking the log files. The checking of the log files is often performed by the system administrator, but the administrator is not familiar with the format of the log file, or is not familiar with the steps of log file analysis. Even the administrator discovered that the detailed log was not enabled, so there was no record of the event. Log files can provide you with a lot of valuable information. Maybe you still don't know their functions, so I will introduce them in detail in this book of network log analysis.
2 Understand the characteristics of logs
There are many different types of log files in Unix/Linux/Windows systems, and there are many sources for generating these log files. For us, the most concern is the analysis of network log files; in order to understand the events that occur on the network, we hope to focus on the log files that record network events (such as successful and failed connections) or database access . This information can be used to correlate with network activities. Usually the format of these logs is completely different. The book will introduce some of the most commonly encountered log formats. Although the differences in these log formats are important, it is more important to understand that different devices and applications may record very different information.
Beginners just start, network log analysis can make people feel a little scared, mainly because the format of the log is complicated and the log records a lot of information. Below we briefly analyze the information that needs to be searched in the network log file. Most systems that use network log files record several core parts of the information. These information and the content that the system thinks should be paid attention to are as follows;
Timestamp, which typically includes the date and time in s or ms.
Basic IP features, such as source address, destination address and IP protocol (TCP, UDP, ICMP, etc.).
In addition, most logs give some reason for why the event was recorded. However, there are differences in different log formats:
- Descriptive text information.
- The rule number of the matching traffic.
- The action performed, such as receiving, discarding, or rejecting the connection.
-
The only small amount of data can be used to analyze and identify the abnormal behavior of port scans, host scans, or other failed connection attempts.
In addition, there are many information recorded in web logs that do not only include critical data. Other types of data that may appear include: other IP characteristics, especially IP identification number and time to live (TTL). Other TCP-specific features, such as flags (SYN, ACK, etc.), TCP window size and TCP sequence number, payload content. From the perspective of log analysis, these additional fields can provide survival time and TCP window size, which can be used to perform operating system fingerprinting, so that you can roughly analyze the operating system that the hacker may use.
3. Comprehensive fault diagnosis
The most important role of network log files is comprehensive troubleshooting. For example, suppose a user complains that an application cannot download data from an external server. By obtaining the IP address of the user's machine, and then finding out when he used the application, you can quickly search the firewall log to find the attempt to establish the required connection that was rejected. If the firewall also logs all allowed connections, and you can find valid connections to this remote site from the log, then it can be seen from this event that the problem is most likely to be related to the remote server or that program. For the case, we still refer to the book of network log analysis. If you want to learn network log analysis, there is no shortcut, you still have to learn more, practice and read more! The following recommends a best-selling book on log analysis collected by 985 university libraries nationwide.