This section briefly covers examples of audit logfiles. We discuss Unix logs, and then Windows.
The increasing popularity of commercial and free Unix systems makes Unix log analysis skills a growing priority. Unix and Linux installations produce a flood of messages (via a syslog or "system logger" daemon), mostly in plain text, in the following simple format:
<date / time> <host> <message source> <message>
Oct 10 23:13:02 ns1 named: sysquery: findns error (NXDOMAIN) on ns2.example.edu?
Oct 10 23:17:14 ns1 PAM_unix: (system-auth) session opened for user anton by (uid=0)
Oct 10 22:17:33 ns1 named: denied update from [10.11.12.13].62052 for "example.edu"
Oct 10 23:24:40 ns1 sshd: Accepted password for anton from 10.11.12.13 port 2882 ssh2
This example will be familiar to anyone who has administered a Unix system for at least a day. The format contains the following fields:
The system time (date and time, to the second) of either the log-producing machine (in the case of local logging) or the log-receiving machine (in the case of remote log transfer); which of the two you see for forwarded messages depends on the syslog daemon and its configuration, since some daemons preserve the sender's timestamp and others overwrite it with the time of receipt. Note that this classic format carries neither the year nor the time zone, both of which an analyst must reconstruct from context before correlating logs across machines.
The hostname may be either the fully qualified domain name (FQDN), such as ns1.example.edu, or just a computer name, such as ns1 in the example above.
The source can be system software (sshd or named in the above examples) or a component (such as PAM_unix) that produced the log message. Many daemons append their process ID in square brackets after the source name, as in sshd[1234], which helps tie related messages to one process.
The log message might have different ...
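The following parser for the syslog format described above is an added example, not code from the book or from any syslog implementation. It splits each line into the fields just discussed (timestamp, host, source with an optional bracketed PID, and message), supplies the year the format omits (the year used here is an assumption), falls back gracefully for lines that carry no "source:" tag, and runs two checks a practitioner wants on a fresh log: a per-source message count and a scan for timestamps that run backwards. The four sample lines are the page's own; the "-- MARK --" heartbeat line is constructed to exercise the untagged case.

```python
"""Parser for BSD-style syslog lines of the form
    <date / time> <host> <message source> <message>
Added example; not code from the book or from any syslog daemon.
Assumes the classic layout above, with an optional [pid] after the
source name, as in sshd[1234].
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Four lines from the page's example plus one constructed "-- MARK --"
# line (the periodic heartbeat some syslog daemons write) to show a line
# that has no "source:" tag at all.
SAMPLE_LOG = """\
Oct 10 23:13:02 ns1 named: sysquery: findns error (NXDOMAIN) on ns2.example.edu?
Oct 10 23:17:14 ns1 PAM_unix: (system-auth) session opened for user anton by (uid=0)
Oct 10 22:17:33 ns1 named: denied update from [10.11.12.13].62052 for "example.edu"
Oct 10 23:24:40 ns1 sshd: Accepted password for anton from 10.11.12.13 port 2882 ssh2
Oct 10 23:30:00 ns1 -- MARK --
"""

# Assumed year of collection: the classic timestamp does not carry one.
ASSUMED_YEAR = 2003

# Timestamp and host are common to both line shapes. Single-digit days
# are padded with a second space ("Oct  5"), hence " +".
_HEADER = (r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
           r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
# Normal line: "source: message" or "source[pid]: message".
TAGGED = re.compile(_HEADER +
                    r"(?P<source>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<message>.*)$")
# Fallback for lines with no "source:" tag (e.g. "-- MARK --").
UNTAGGED = re.compile(_HEADER + r"(?P<message>.*)$")


def parse_syslog_line(line: str, year: int = ASSUMED_YEAR) -> Optional[Dict]:
    """Split one line into its fields; return None if it is not syslog-shaped."""
    m = TAGGED.match(line) or UNTAGGED.match(line)
    if m is None:
        return None
    f = m.groupdict()
    # The format has no year and no time zone; the caller supplies the year
    # and the resulting datetime is naive (local time of whichever machine
    # stamped the line).
    stamp = datetime.strptime(f"{year} {f['month']} {f['day']} {f['time']}",
                              "%Y %b %d %H:%M:%S")
    return {
        "timestamp": stamp,
        "host": f["host"],
        "source": f.get("source"),                 # None for untagged lines
        "pid": int(f["pid"]) if f.get("pid") else None,
        "message": f["message"],
    }


def parse_syslog(text: str, year: int = ASSUMED_YEAR) -> List[Dict]:
    """Parse a whole log, silently skipping lines that do not fit the format."""
    parsed = (parse_syslog_line(ln, year) for ln in text.splitlines())
    return [rec for rec in parsed if rec is not None]


def out_of_order(records: List[Dict]) -> List[int]:
    """Indexes of records stamped earlier than the record before them.

    Syslog files are written in arrival order, so a backwards step points
    to a clock change, a late-forwarded message, or an edited file; each
    is worth a closer look during an investigation.
    """
    return [i for i in range(1, len(records))
            if records[i]["timestamp"] < records[i - 1]["timestamp"]]


def count_by_source(records: List[Dict]) -> Dict[Tuple[str, str], int]:
    """Message count per (host, source); untagged lines count as '<untagged>'."""
    counts: Dict[Tuple[str, str], int] = {}
    for rec in records:
        key = (rec["host"], rec["source"] or "<untagged>")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_LOG)
    for rec in recs:
        print(rec["timestamp"], rec["host"], rec["source"], rec["pid"], rec["message"])
    print("timestamps run backwards at index:", out_of_order(recs))
    print("messages per source:", count_by_source(recs))
```

Run on the sample, the scan reports index 2: the third line is stamped 22:17:33 but sits between 23:17:14 and 23:24:40, exactly the kind of anomaly that a naive sort by timestamp would hide and that deserves a question before the file is trusted as a timeline.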