Web Server Logs Review Part 2


Time: 2 hours 5 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Transcription
00:00
Now that we know about Web server logs, we can talk about Web server software.
00:05
The first Web server we will review will be Apache.
00:08
Apache is an open source Web server software that's maintained by the Apache Foundation.
00:12
The different locations of logs on Linux and Windows can be seen here.
00:17
httpd.conf is the file where you can set the log configuration, including the log format.
00:24
This right here is the default log format.
00:26
You can find more details on the Apache Web page.
00:31
Now let's try and understand the log fields of the Apache Web server log.
00:35
Here we have all the key fields: client IP, RFC 1413, user ID, date, time, method and so on.
00:43
It's the same format as the previous example, but with different values on the fields.
00:48
Remember,
00:49
the hyphen means no information for that field.
00:53
Now
00:54
let's analyze these next two log lines
00:57
to answer our questions of who, when and what. We'll use this table to help us identify the key fields.
01:03
Here are the results for the first line:
01:06
all the key fields are present.
01:07
Now let me show you the results for the second line.
01:11
We now have the answer for who, when and what. And in addition, we have the referer and the user agent.
01:21
After reviewing the Apache Web server, let's talk about NGINX logs.
01:25
NGINX is very similar to Apache.
01:29
Here is the default location of its logs.
01:30
Also, the default configuration for NGINX includes logging.
01:36
NGINX contains the log configuration for both Linux and Windows, including the log format.
01:42
Now let's try and understand this next NGINX log line.
01:48
A good thing is NGINX logs look a lot like the Apache logs.
01:53
Basically, we have the same fields: client IP, RFC 1413, user ID, date, time, method, requested file, HTTP version and so on.
02:02
However, despite the two looking similar, it's always better to just practice. So let's analyze the two lines of log from NGINX.
02:13
Here, the result of the first line is followed by the referer and user agent.
02:16
Remember,
02:17
the hyphen means no information for that field. So in this line, we don't have the referer.
02:23
Here is the result for the second line with the referer and user agent.
02:28
Now we can answer the who, when and what.
02:35
Our next Web server will be Microsoft IIS.
02:38
Microsoft IIS is a little different from the other two, but this won't be a problem.
02:43
Here is the default log location.
02:46
Other Web server configurations, including logging, are made in the IIS Manager, a graphical user interface.
02:52
Just to note, the log options for IIS will look like this.
02:57
Even if the log looks a little different, it should contain all the needed log fields.
03:00
Let's try to understand the IIS logs.
03:04
Here we have an example of an IIS log.
03:07
First, we have the date and time.
03:08
Next is the Web server IP address, followed by the HTTP method.
03:13
We have the requested file, followed by a specific space for the URI query.
03:19
The server port is 80, so it should be an HTTP request.
03:23
Remember, 80 is common to HTTP and 443 is common to HTTPS.
03:30
Next, the user name, which is the same as user ID.
03:36
Client IP address, user agent,
03:38
referer, status code,
03:40
sub status code,
03:42
a Windows-related field, and the time taken to answer the request.
03:46
We have many fields, right? But more importantly, we have all the needed fields.
03:52
Now let's analyze two lines of log from IIS.
03:55
We need to change our table just a little bit.
03:59
Building on the table, we see the result
04:00
is not so different from Apache and NGINX.
04:03
The second line.
04:04
If you want to try, pause the video and answer.
04:10
Here are the results of the second line.
04:12
One of the differences is the server port.
04:15
It is possible to add this field in Apache and NGINX. It's also possible to have two different log lines, one for TCP port 80 and another for TCP port 443.
04:28
Now, I'd like to point out that access log files are not the only log files that could be used to analyze the Web server. There are other log files.
04:35
One good example is the error log file.
04:39
It's like debugging information.
04:42
All Web server software contains an error log file.
04:45
Here are some examples of locations for NGINX, Apache and IIS.
04:49
Check the Web server page to look for more information about error logs.
04:55
Here is the address for the error log in Apache.
05:00
To make things clearer, here are two logs from the Web server.
05:02
The first is an error log and the second is the related access log.
05:06
Both logs were generated by the same request.
05:10
The access log line will have the client request, and the error log line will have the debug information for the request.
05:16
You can find similar information in both logs, like client IP address, the requested file and the method.
05:24
If you don't have enough information from the access log, you can always look for the error log.
05:28
And it could be really helpful when doing analysis.
05:33
For the first post-assessment question:
05:35
Which fields below are examples of key information provided by Web server logs?
05:41
You can pause the video if you'd like.
05:45
The answer is A, C, E and G.
05:48
Here are the descriptions of each option.
05:53
The next question. Extract the key information from the logs below and fill in the table.
05:58
Here you have the answer, and you can see our questions.
06:00
Who, when and what?
06:03
In addition, it's important to identify which Web server generated these logs.
06:09
The first log is from IIS.
06:12
The second one looks like a log from Apache or NGINX.
06:15
To solve this question, it's better to ask the server admin.
06:19
In this case, the log is from an NGINX server.
06:24
It's common for a company to have many different types of Web servers.
06:28
In the same company you can find Apache, NGINX and IIS.
06:32
That's why it's important to know many Web server options,
06:35
Even if the software is different, you're looking for the same information.
06:41
Video summary.
06:43
In this video, we started defining what logs are and why they're important.
06:46
Afterwards, we explained the fields for the Web application or Web server log.
06:51
Finally, we went through Apache, NGINX and IIS logs to learn how to get the key information in the log fields.
06:59
And finally we discussed error logs and how they can help us with log analysis.
07:05
In the next video,
07:06
you'll see some considerations about log analysis. We'll talk about fake requests, the differences between NOC and SOC analysis, and we'll discuss the mistakes that can occur during Web log analysis.

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.
