Logging Fundamentals

Forensics: Trace actions by time, user, and system.
Incident Response: Reconstruct attacker activity and prioritize alerts.
Threat Hunting: Identify anomalies and patterns in large datasets.
Compliance: Maintain audit trails for regulations like PCI‑DSS and GDPR.

Logging records timestamped events across applications, operating systems, network devices, and cloud services.

Why It Matters

Log Types & Locations

Type	Contents	Common Locations
Application	Errors, transactions, user actions	Windows: `C:\\ProgramData\\<App>\\logs` Linux: `/var/log/<app>.log`
System	Driver loads, service start/stops, kernel	Windows Event Viewer → System Linux: `/var/log/syslog`
Security	Authentication, authorization, policy changes	Windows Event Viewer → Security Linux: `/var/log/auth.log`
Network	Firewall, router, switch traffic	`/var/log/ufw.log`, device archives
Audit	File/process/registry monitoring	Linux: `/var/log/audit/audit.log` Windows: Sysmon/Operational
Web	HTTP/S access, errors, proxy, API logs	Apache: `/var/log/apache2/access.log` Nginx: `/var/log/nginx/access.log`

Every structured log entry includes these core fields:

Timestamp
- Purpose: Correlate events across systems—ensure NTP sync.
- (e.g., 2025‑08‑05T10:23:47.128Z)
Source
- Identifier: Hostname, IP, or service tag (e.g., host=Omar.local)
- Purpose: Locate origin—include region/AZ in cloud setups.
Level
- Values: DEBUG, INFO, WARN, ERROR, CRITICAL
- Purpose: Prioritize issues.
Component
- Identifier: Application or module name (e.g., component=nginx)
- Purpose: Pinpoints the exact software module.
Message
- Payload: Free text or structured JSON/KV pairs (e.g., {"user":"alice","action":"login","status":"failed"})
- Contains event details.

Example

2025-08-05T10:23:47.128Z host=Omar.local level=ERROR component=payment-processor message={"txn_id":"12345","error":"timeout"}