Hello, everyone, and welcome back to the course, Identifying Web Attacks Through Logs.
In the last video we talked about HTTP and TCP/IP.
In this video, we'll start talking about Web server logs.
The learning objectives of this video are to understand the importance of logs,
understand the information a web server log contains,
review the Apache, NGINX and IIS log structures, and perform some initial log analysis.
This is, of course, a course about logs. But
what are logs, and why are logs so important?
One of the definitions of a log is a piece of wood, but that definition doesn't really make sense in our context.
In this course we will use the second definition, which says that a log is a full written record of an event.
The web server will be in charge of generating this log.
Now we know the definition of a log, but we still need to know why they're so important.
Suppose you're a SOC analyst and you receive a call from a user saying that their computer is acting weird.
If you don't have logs, you need to go to the user's computer and check it manually, and it might be too late.
But if you have the logs, you will be able to tell the user that everything is okay because you've checked the logs, and they say that the anti-malware has removed the malicious software.
In some cases, the web access log itself could tell you that the user visited a malicious website and has been infected.
The more logs you have, the more information you'll have.
That's why logs are so important.
Logs will also help you understand your infrastructure and applications so you can monitor them.
They will also help you with things like troubleshooting.
Logs are so important that the OWASP Top 10 project included insufficient logging and monitoring as a vulnerability in the 2017 version.
If you don't know what OWASP is, don't worry. We'll talk about it later.
Logs can help you a lot
if you work or are planning to work as a SOC analyst.
It's also important to know what you need to protect, because you can't protect what you don't know you have.
Since the log is a record, we need to store it.
There are two basic ways to do this:
locally and remotely.
Locally speaking, you save all the logs in the same place they were generated.
Remote storage is used when you need to send the log to another place, maybe because you can't store it locally or you just want another copy. A remote copy also survives if the server itself is compromised and the attacker deletes the local logs.
Remote logging is useful because you can have other logs in the same place.
If you have many servers, it helps to have all their logs in one place.
Now let's start talking about web application, or web server, logs.
Most of the time, we can split the information by answering a couple of questions:
when was the action performed, and what was the action?
Most attacks will be detected here.
This is a really simple web server log.
We can easily find in the log what happened:
the IP address and user name are the who,
date and time are the when, and the request is the what.
It's important to know that empty fields aren't allowed.
Instead, it's normal to see a hyphen.
The hyphen means there is no information for that field.
Let's analyze our log example.
First we have the client's IP address.
The next field is related to RFC 1413, the Identification Protocol (identd),
but this field isn't really common in logs.
It depends on the web server and the web application.
The next field is the user ID, followed by the date and time.
The date and time format depends on the configuration of the web server logging.
The next field contains the main information: the HTTP method used by the client,
the file requested by the client, and the HTTP version.
After that we have the status code, the size in bytes of the answer,
the referer and the user agent.
Just to note, this was an Apache web server log example, in Apache's "combined" log format.
Now that we know the log fields,
what can we do with them?
We always need to answer the three questions: who, when and what.
The log will help us with this.
Let's check what information each field can tell us.
Source IP and user ID say who,
date and time say when, and all the others explain what happened.
Just to clarify, here is the information for each field.
Logs are used to rebuild the user's behavior or actions.
This log would tell us that the user with IP 10.3.89.4 was on the login web page and accessed another web page (app any.html).
The user sent a GET using Mozilla Firefox in June, close to 7 p.m., and the web server answered with a 200.
RFC 1413 would tell us which user made the request: the server asks the client host for help identifying who did the action, and when it's used it really looks like user ID information.
But it's hard to find a web server that uses this field.
Here are some more examples.
Take some time and analyze these web server logs.
First we have the source IP address,
then we have the date and time,
followed by the user's request.
You can see in this last line that almost all the log fields are important and useful during the analysis.
The only thing missing is the answer to the questions.
Here we have the who:
we only have the information about the client's IP address.
The date is the answer to the when question,
and all the other information is the answer to the what question.
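To put the field walk-through and the who/when/what questions into practice, here is an added example (not part of the course material) that parses lines in Apache's combined log format, treats a hyphen as a missing field, maps the fields onto who, when and what, and rebuilds each client's timeline. The log lines are constructed for this example; the log format, the field names and the traversal check are assumptions, not something the course defines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed: Apache "combined" LogFormat, i.e.
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \" escapes, so the pattern allows them.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)

# Constructed sample lines for this example (not from a real server).
SAMPLE_LOG = [
    '10.3.89.4 - alice [12/Jun/2023:18:58:07 +0000] "GET /login.html HTTP/1.1" 200 1043 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '10.3.89.4 - alice [12/Jun/2023:18:58:21 +0000] "GET /app/main.html HTTP/1.1" 200 5120 '
    '"http://example.test/login.html" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '203.0.113.7 - - [12/Jun/2023:19:02:44 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 - '
    '"-" "curl/8.1.2"',
    'garbage line that does not match the format',
]


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    f = m.groupdict()
    # A hyphen means "no information for that field", so store it as None.
    for key in ("ident", "user", "size", "referer", "agent"):
        if f[key] == "-":
            f[key] = None
    f["status"] = int(f["status"])
    f["size"] = int(f["size"]) if f["size"] is not None else 0
    # The time format depends on the server configuration; this is Apache's default %t.
    f["time"] = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z")
    # "%r" is "METHOD PATH PROTOCOL"; a malformed request may not split into three parts.
    parts = f["request"].split(" ")
    if len(parts) == 3:
        f["method"], f["path"], f["version"] = parts
    else:
        f["method"], f["path"], f["version"] = None, f["request"], None
    return f


def who_when_what(f):
    """Map the parsed fields onto the three analyst questions."""
    return {
        "who": f["user"] if f["user"] else f["ip"],   # user ID if present, else source IP
        "when": f["time"].isoformat(),
        "what": f"{f['method']} {f['path']} -> {f['status']} ({f['size']} bytes)",
    }


def rebuild_timeline(lines):
    """Group requests per client IP in time order to rebuild what each client did.
    Returns {ip: [(time, method, path, status), ...]}; unparseable lines are skipped."""
    timeline = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        timeline[f["ip"]].append((f["time"], f["method"], f["path"], f["status"]))
    for ip in timeline:
        timeline[ip].sort(key=lambda row: row[0])
    return dict(timeline)


def traversal_attempts(lines):
    """Assumed heuristic: return parsed entries whose requested path contains '..'."""
    return [f for f in map(parse_line, lines) if f is not None and ".." in f["path"]]


if __name__ == "__main__":
    for ip, rows in rebuild_timeline(SAMPLE_LOG).items():
        print(ip)
        for when, method, path, status in rows:
            print(f"  {when:%d/%b %H:%M:%S} {method} {path} -> {status}")
    for f in traversal_attempts(SAMPLE_LOG):
        print("suspicious:", who_when_what(f))
```

Note that the unparseable fourth line is skipped rather than aborting the run, and that the "who" answer falls back to the source IP when the user ID field is a hyphen, which is the situation the second set of examples shows.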
This slide shows a review of the important log fields and their descriptions.
It's important to understand the log fields because they will help you analyze web server logs.
Spend some time and take notes if you want.
A good place to get more information is the Apache website.
This lesson continues in the next video.