9 Common Log Sources

1 Sysmon

System Monitor (Sysmon) is a Windows system service that monitors and logs system activity to the Windows event log.

It records detailed information on process creation, network connections, and changes to file creation times.

By collecting the events it generates with Windows Event Collection or SIEM agents and analyzing them, you can spot malicious or unusual activity and understand how attackers and malware operate on your network. This also supports digital forensics investigations when tracking incidents.
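As an added illustration (not from the original page), the snippet below parses a few constructed Sysmon-style event records in the XML shape the Windows event log exports, correlates process-creation events (Event ID 1) with network-connection events (Event ID 3) by ProcessGuid, and applies one simple analyst rule; the sample events, GUIDs and addresses are made up.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event log XML; Sysmon events live under it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, data):
    """Build a constructed Sysmon-style event record (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample events: two process creations, one network connection.
SAMPLE_EVENTS = [
    _event(1, {"ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\notepad.exe",
               "ParentImage": "C:\\Windows\\explorer.exe"}),
    _event(1, {"ProcessGuid": "{B2}", "Image": "C:\\Users\\u\\Downloads\\invoice.exe",
               "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}),
    _event(3, {"ProcessGuid": "{B2}", "DestinationIp": "203.0.113.7",
               "DestinationPort": "443"}),
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def correlate(events):
    """Map each ProcessGuid to its creation record plus any network connections."""
    procs = {}
    for raw in events:
        event_id, data = parse_event(raw)
        guid = data["ProcessGuid"]
        if event_id == 1:  # process create
            procs[guid] = {"image": data["Image"], "parent": data["ParentImage"], "conns": []}
        elif event_id == 3 and guid in procs:  # network connection by a known process
            procs[guid]["conns"].append((data["DestinationIp"], int(data["DestinationPort"])))
    return procs

def office_children_with_network(procs):
    """Illustrative rule: processes spawned by an Office app that then opened a connection."""
    return [g for g, p in procs.items() if "Microsoft Office" in p["parent"] and p["conns"]]

if __name__ == "__main__":
    for guid in office_children_with_network(correlate(SAMPLE_EVENTS)):
        print("review:", guid)
```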

2 Windows Security Logs

This log contains authentication activity and other events for which auditing has been enabled. Administrators use the Security Log as one of their main tools for detecting and investigating attempted and successful unauthorized activity, as well as for troubleshooting. In particular, this log can help investigate unauthorized logins.

3 Windows System Logs

The System log, viewed through Event Viewer, is a Windows event log that contains a record of system notifications and events; administrators use it to diagnose system problems or security issues.

Application installations, security management, system setup during initial startup, and errors or failures are all tracked in the Windows operating system's log files.

4 Netflow log

NetFlow, developed by Cisco, is a network protocol for collecting records of IP network traffic as it travels in and out of an interface.

The NetFlow data is then analyzed to show network traffic flow and volume.

The resulting data can be fed into a SIEM platform to support event monitoring and analysis.

5 PCAP logs

Packet capture is a networking technique that intercepts data packets as they transit a network.

IT teams can save the captured packets for later investigation.

They examine these packets to identify and resolve network faults that affect daily operations.

Network packets can be obtained using tools like Wireshark or tcpdump.

6 Firewall Logs

Logs generated by firewall devices such as FortiGate, Cisco ASA, Juniper, and others are known as firewall logs.

The logs may contain system login attempts, sites visited, and other security events, depending on the policies in place.

7 Proxy logs

Requests that users and applications on your network send to your proxy server are logged.

This includes not only the most common case, user requests for websites, but also requests made by applications or services to the internet, such as software updates.

8 Browser History Logs

All web browsers contain a history feature that keeps track of every website visited within the browser, along with the date and time.

Browser history logs can be very helpful in forensic investigations because they show where a user has been.

9 DNS Logs

DNS logs are comparable to packet captures from tools like Wireshark in that they provide extensive information about all DNS queries and responses sent and received by the DNS server.