Log Analysis
In Chapter 14, Investigating an Incident, you learned about the investigation process, and some techniques for finding the right information while investigating an issue. However, to investigate a security issue, it is often necessary to review multiple logs from different vendors and different devices. Although each vendor might have some custom fields in the log, the reality is that once you learn how to read logs, it becomes easier to switch vendors and just focus on deltas for that vendor. While there are many tools that will automate log aggregation, such as a SIEM solution, there will be scenarios in which you need to manually analyze a log in order to figure out the root cause.
In this chapter, we are going to cover the following topics:
- Data correlation
- Operating system logs
- Firewall logs
- Web server logs
- Amazon Web Services (AWS) logs
- Azure Activity logs
- Google Cloud Platform (GCP) logs
Let’s start...