1
00:00:00,900 --> 00:00:08,070
Logging is one of the most important functions of security. We should have detailed logs of everything

2
00:00:08,070 --> 00:00:12,240
on the network for security auditing and troubleshooting.

3
00:00:12,930 --> 00:00:19,860
If your network is attacked, you would want to be able to point to logs to identify the who, what, where,

4
00:00:19,860 --> 00:00:23,130
when and why something happened.

5
00:00:23,370 --> 00:00:30,810
Each operating system has its own logging system. Windows logging information can be displayed from

6
00:00:30,810 --> 00:00:39,460
the Event Viewer. These logs consist of data like user logins, logoffs and system events.

7
00:00:40,290 --> 00:00:46,990
Let's hop back into the lab and I'll show you a live Event Viewer log from a Microsoft server.

8
00:00:47,420 --> 00:00:53,790
Here I have a remote desktop solution to a Windows server, and to get to the Event Viewer logs I'm just

9
00:00:53,790 --> 00:00:59,430
going to go to the Start Menu and I can either click right on the viewer here, since it's in my past

10
00:00:59,430 --> 00:01:12,690
applications, or like anything else I could just search for it in my search bar and click on it to launch.

11
00:01:12,700 --> 00:01:19,690
So here's the Event Viewer dashboard. If you do the dropdown for custom views, since this is an Active

12
00:01:19,690 --> 00:01:22,380
Directory server with multiple roles,

13
00:01:22,390 --> 00:01:27,970
I could actually look at specific logs for each service running on the server.

14
00:01:27,970 --> 00:01:35,770
So if I want to look at DHCP server logs I can click on the DHCP server option and filter the logs for

15
00:01:35,770 --> 00:01:39,620
that role in relation to security.

16
00:01:39,850 --> 00:01:46,450
If you go to Windows Logs and Security it's going to filter to security events.

17
00:01:46,540 --> 00:01:53,530
These are very useful logs for investigating a security incident, to see exactly when someone logged

18
00:01:53,530 --> 00:01:54,960
on and off the network.

19
00:01:57,800 --> 00:02:04,580
In addition to system logs, operating systems have specific logging information for different applications

20
00:02:04,670 --> 00:02:06,550
like web services.

21
00:02:06,590 --> 00:02:07,350
IIS

22
00:02:07,350 --> 00:02:12,690
is the Windows-based web server application and, like Apache web servers,

23
00:02:13,250 --> 00:02:16,850
it has access logs to record server activity.

24
00:02:19,690 --> 00:02:23,170
Linux also has its own version of system logs.

25
00:02:24,600 --> 00:02:32,610
If you use the command cd, for change directory, and then /var/log, that takes you

26
00:02:32,610 --> 00:02:35,880
to the Linux log directory.

27
00:02:35,960 --> 00:02:42,530
So that's the main path to get to all of the different system logs you'll find in Linux.

28
00:02:42,730 --> 00:02:47,680
And if you use the ls command like you see here you can see all of the different logs that are stored.

29
00:02:49,680 --> 00:02:51,360
To see log output,

30
00:02:51,360 --> 00:02:55,970
you can use the command more and then the name of the log file.

31
00:02:56,160 --> 00:03:02,730
And as you can see here you could scroll through logs. Or if you were troubleshooting something or doing

32
00:03:02,730 --> 00:03:11,330
an investigation, one really good log to know about when it comes to security and Linux is the authentication

33
00:03:11,330 --> 00:03:16,290
log, which is located in the auth.log file.

34
00:03:17,660 --> 00:03:23,060
As you can see here, this log can be used to audit user logins to the system.

35
00:03:23,060 --> 00:03:28,730
So if I was investigating a security breach and I wanted to see what user accounts logged into a compromised

36
00:03:28,730 --> 00:03:31,830
system, I could look at the auth.log file.

37
00:03:34,630 --> 00:03:39,580
Apache web servers are open source Linux-based systems.

38
00:03:39,580 --> 00:03:47,740
Apache access logs are used to monitor events on Apache web servers. These logs record and store information

39
00:03:48,160 --> 00:03:52,720
like source user IP addresses and the pages that they access.