System Event Log Audit Guide

TL;DR

This guide shows you how to check your system’s event logs for important security information and potential problems. We’ll cover finding the logs, filtering them, and what to look for.

1. Accessing Event Logs (Windows)

1. Open Event Viewer: Search for “Event Viewer” in the Start menu and open it.
2. Navigate the Logs: The main logs you’ll use are:
   • Windows Logs > Security: Records login attempts, account changes, policy audits.
   • Applications and Services Logs > Microsoft > Windows > System: Records system events like driver loading, service errors.
   • Applications and Services Logs > Applications: Records events from installed applications.

2. Accessing Event Logs (Linux)

1. Journalctl: Most modern Linux systems use journalctl.

   sudo journalctl -xe

   This shows recent logs with explanations.

2. Syslog: Older systems might use syslog files, typically in /var/log/syslog or /var/log/messages.

   cat /var/log/syslog | less

3. Filtering Event Logs

Finding specific events is crucial. Here’s how:

Windows

1. Filter Current Log: Right-click a log (e.g., Security) and select “Filter Current Log…”.
2. Event IDs: Use Event IDs to narrow down results.
   • Successful Login: 4624
   • Failed Login: 4625
   • Account Created: 4720
   • Account Modified: 4722
3. Event Sources: Filter by the source of the event (e.g., Microsoft-Windows-Security-Auditing).
4. Time Range: Specify a date and time range to focus your search.

Linux

1. Filtering with journalctl:
   • By Time:

     sudo journalctl --since "2023-10-26" --until "2023-10-27"

   • By Priority (Severity):

     sudo journalctl -p err

     (shows errors)

   • By Unit:

     sudo journalctl -u sshd

     (shows logs for the SSH daemon)

2. Using grep with syslog:

   cat /var/log/syslog | grep "failed password"

4. What to Look For

These events often indicate problems:

• Repeated Failed Logins: Could be a brute-force attack.
• Account Creation/Modification at Unusual Times: Investigate unexpected changes.
• Unexpected Service Errors: May point to system instability or malicious activity.
• Clearance of Event Logs: Someone might be trying to hide their tracks (though legitimate tools also clear logs).
• Login from Unknown Locations/IP Addresses: Check for unauthorized access.

5. Exporting Logs

Save logs for later analysis or reporting.

Windows

1. Right-click the log > Save As… Choose a suitable format (e.g., EVTX, CSV).

Linux

1. journalctl:

   sudo journalctl --export > my_log_file.txt

2. Copy syslog files:

   cp /var/log/syslog /path/to/backup/syslog_backup.txt

6. Further Resources

For more detailed information on Event IDs and log analysis, consult Microsoft’s documentation or your Linux distribution’s resources.