Everything you need to know about log data
An introduction to log data
Log data is the record of all the events occurring in a system, in an application, or on a network device. When logging is enabled, logs are automatically generated by the system and timestamped. Log data gives detailed information, such as who was part of the event, when it occurred, where, and how. Therefore, it serves as crucial evidence for troubleshooting operational issues and detecting security threats.
Types of log data
Every network component generates logs in different formats. Here are a few types of log data that are crucial for IT security and operations.
Perimeter device logs
Perimeter devices are used to monitor and regulate network traffic. A few examples of perimeter devices are VPNs, firewalls, and intrusion detection systems. Logs from perimeter devices include information on the protocols used, the IP addresses, and the port numbers of the sources and destinations. These logs contain a substantial amount of data and play a crucial role in detecting network intrusions and other security events.
2022-05-05 11:15:26 ALLOW TCP 10.40.4.182 10.40.1.11 63064 135 0 - - SEND
In the log entry above, the timestamp of the event is followed by the action. In this case, the entry shows the date and time at which the firewall permitted the traffic.
Windows event logs
Windows event logs hold records of all the activities that occur in a Windows system. Any event occurring on Windows machines, such as a user login, a new process starting, or a permission change, gets logged in the system and can be viewed using the built-in Event Viewer tool. By monitoring these logs, you can detect attacks in the early stages and gain better insights into the functioning of critical resources. Windows event logs get classified into different types, namely:
- Application logs: These are generated by the applications in the Windows operating system to record events such as errors that force an application to close.
- Security logs: Security logs record events that can affect the system's security, such as multiple login attempts or failed authentication.
- System logs: These are generated by the operating system to record events such as the successful loading of processes and drivers.
- Directory service logs: These are generated by Active Directory to record events such as the authentication of privileges.
- DNS server logs: These logs are available for the DNS servers only and contain client IP addresses, the domains queried, and the records requested.
- File replication service logs: These logs are available for domain controllers only and hold events of domain controller replication.
Warning 5/11/2022 1:12:07 PM WLAN-AutoConfig 4003 None
The above example is from the WLAN AutoConfig service, which is a connection management application that allows users to dynamically connect to a WLAN. The first section of the log indicates the severity and is followed by the date and time of the event.
Endpoint logs
Endpoints are devices or nodes that are connected to each other across a network. A few examples of these devices are printers, desktops, and laptops. By monitoring endpoint logs, you can prevent attempts at data exfiltration, system compromise, identity fraud, malware infections, and more. Endpoint logs also help security and system administrators detect policy violations.
Error 6/20/2019 5:00:45 PM Terminal Services- Printers 1111 None
The error source and the event ID (1111) indicate that an error has occurred with the Terminal Services Easy Print driver. When a user has problems printing a file, the logs can be analyzed to determine the exact cause of the problem and how to fix it.
Application logs
These logs are generated by business-critical applications, such as SQL database servers, Oracle Database servers, DHCP applications, SaaS applications like Salesforce, IIS web server applications, and Apache web server applications. Application logs contain information about the ongoing activities within an application. They record everything from errors to informational events. Monitoring application logs helps with detecting and troubleshooting an application's issues.
02-AUG-2013 17:38:48 * (CONNECT_DATA=(SERVICE_NAME=dev12c)
(CID=(PROGRAM=sqlplus)(HOST=oralinux1)(USER=oracle))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.121)(PORT=21165))
* establish * dev12c * 0
The log above records the time and date when the database server received the request. It also includes information on the user and the host computer from which the request came as well as the IP address and port number.
Proxy logs
These logs are generated by network proxies, which are responsible for managing network access and providing privacy. By monitoring proxy logs, you can detect any suspicious activity because these logs contain vital data such as usage statistics.
4/8/2020 2:20:55 PM User-001 192.168.10.10 GET https://encyclopedia.com/
The log above shows that on the date and time specified, User-001 requested pages from encyclopedia.com.
IoT logs
IoT is a large network with connected devices that collect and exchange data. IoT logs are generated by the devices that form an IoT system.
Why should you enable logging?
Every day, thousands of log entries are generated by an IT system. The purpose of logging is to keep an ongoing record of all the events that occur in the system. IT administrators must enable logging because:
- Log files can be used to review any events that occur within the system, including failures, and they also record requests, such as SIP requests.
- It allows users to see where errors were made, which in turn helps them gain a better understanding of a product or software.
- It gives them detailed information about users’ activities, such as what they were doing, when, and how, making security threat detection easier.
- It detects issues that may arise during the setup process of a product or software.
- It helps them troubleshoot by recording issues with application performance and security, facilitating detection and rectification.
Don't stop with just logging—Start monitoring logs
Just enabling logging isn't enough to manage your network. To ensure smooth operations and network security, IT admins should monitor these logs. Log monitoring starts with collecting all the logs that get generated within a network and storing them on a central server. Then the admins analyze these logs for specific information. Often, to meet compliance mandates, organizations must retain the logs of certain critical infrastructure for a specific time period.
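The central analysis step described above depends on bringing differently formatted logs into one shape. The following Python sketch is an added example, not part of the original guide or of EventLog Analyzer: it normalizes the firewall, Windows event, and proxy sample lines shown earlier on this page into records with a common timestamp field. The field names, the `normalize` function, and the month/day/year reading of the slash-separated dates are assumptions of this example.

```python
import re
from datetime import datetime

# Sample lines copied from this page; the field names below are assumptions.
SAMPLES = [
    "2022-05-05 11:15:26 ALLOW TCP 10.40.4.182 10.40.1.11 63064 135 0 - - SEND",
    "Warning 5/11/2022 1:12:07 PM WLAN-AutoConfig 4003 None",
    "4/8/2020 2:20:55 PM User-001 192.168.10.10 GET https://encyclopedia.com/",
]

US_TS = r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
# (log type, strptime format, pattern). Firewall fields after the destination
# port are left unparsed because the page does not describe them.
PATTERNS = [
    ("firewall", "%Y-%m-%d %H:%M:%S", re.compile(
        r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\S+) (?P<protocol>\S+) "
        r"(?P<src_ip>\S+) (?P<dst_ip>\S+) (?P<src_port>\d+) (?P<dst_port>\d+)")),
    ("windows_event", "%m/%d/%Y %I:%M:%S %p", re.compile(
        r"(?P<level>\w+) " + US_TS + r" (?P<source>.+) (?P<event_id>\d+) (?P<task>\S+)$")),
    ("proxy", "%m/%d/%Y %I:%M:%S %p", re.compile(
        US_TS + r" (?P<user>\S+) (?P<src_ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")),
]

def normalize(line):
    """Return a record with 'log_type' and ISO 'timestamp', or None if no format matches."""
    for log_type, ts_format, pattern in PATTERNS:
        m = pattern.match(line.strip())
        if not m:
            continue
        record = m.groupdict()
        # The samples carry no time zone, so the timestamp stays naive local time.
        ts = datetime.strptime(record.pop("ts"), ts_format)
        for key in ("src_port", "dst_port", "event_id"):
            if key in record:
                record[key] = int(record[key])
        return {"log_type": log_type, "timestamp": ts.isoformat(), **record}
    return None  # caller should keep unparsed lines for review, not drop them

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```

Because none of the sample timestamps includes a time zone, a real collector would also need to record each source's zone before events from different devices can be ordered against each other.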
Technicians can swiftly drill down to application-related issues with the help of log management tools. For example, they can identify regions of dysfunctional performance using log data. However, managing logs is not an easy task. That's where EventLog Analyzer comes into play. EventLog Analyzer is a powerful tool that covers end-to-end log management. With several notable features, such as application auditing, security analytics, and log management, it is the solution for all your log management needs.
Check out the free, 30-day trial of EventLog Analyzer to see all its features in action.