Digital Forensics: Analyzing Logs
This time I'll try a little tutorial about analyzing the log messages. The files can be downloaded here.
The first step is to look at the contents and permissions of the files and extract them.
Let's have a look at one log entry. We pipe the output of cat to the command
head -n1 so that we only get the first line:
To see the whole file, use the command:
cat messages* | less
If we want to see only the date of each entry, we can type:
tac messages* | awk '{print $1" "$2}' | less
awk is a text-processing language available on Linux; here it prints the first two fields of every line (month and day), so the output is one date per line. Because tac reads the file from the end, the newest entries come first.
Type the following script to collapse the repeated dates:
tac messages* | awk '{print $1" "$2}' | uniq | less
All the dates stored in the log will appear, each one once (uniq drops adjacent duplicates, which works because the log is in chronological order).
To browse the entries of one date, we can use the command:
tac messages* | grep "Nov 4"
This command displays the messages from the 4th of November.
As we look through the log files, we may come across entries that appear
suspect. Perhaps we need to gather all the entries containing the
string "Did not receive identification string from <IP>" that we see, for further analysis:
tac messages* | grep 'identification string' | less
To pull out the IP we can simply use the variable "$NF". NF means "number of fields", so $NF is the last field on the line. Since
the IP is the last field, its field number is equal to the number of fields:
tac messages* | grep 'identification string' | awk '{print $1" "$2" "$3" "$NF}' | less
This can all be redirected to an analysis log or text file for easy addition
to a report (note that "> report.txt" creates the report file, ">> report.txt"
appends to it). The following commands are typed on one line each:
echo "Localhost123: Log entries from /var/log/messages" > report.txt
echo "\"Did not receive identification string\":" >> report.txt
tac messages* | grep "identification string" | awk '{print $1" "$2"\t"$3"\t"$NF}' >> report.txt
echo "Unique IP addresses:" >> report.txt
tac messages* | grep "identification string" | awk '{print $NF}' | sort -u >> report.txt
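The whole procedure above, from listing dates to writing the report, as one self-contained run. This is an added example, not part of the original tutorial: it builds a small constructed messages file (placeholder hostname, documentation-range IP addresses) in a temporary directory so nothing under /var/log is read or written, and it wraps each pipeline in a shell function so the results can be checked.

```shell
#!/bin/sh
# Added example (not from the original post): the tac/grep/awk/sort pipelines
# run over a constructed syslog-style file in a temporary directory.

WORK="$(mktemp -d)"
LOGFILE="$WORK/messages"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log: month, day, time, host, program, message.
# Note the two spaces in "Nov  4": syslog pads one-digit days to width 2.
# The IPs are RFC 5737 documentation addresses, not real hosts.
cat > "$LOGFILE" <<'EOF'
Nov  3 22:10:01 localhost123 sshd[2011]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Nov  4 01:14:33 localhost123 sshd[2044]: Did not receive identification string from 198.51.100.7
Nov  4 01:14:40 localhost123 sshd[2045]: Did not receive identification string from 198.51.100.7
Nov  4 03:20:15 localhost123 sshd[2101]: Did not receive identification string from 203.0.113.42
Nov  4 09:00:00 localhost123 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
Nov  5 02:45:12 localhost123 sshd[2310]: Did not receive identification string from 198.51.100.7
EOF

# Count lines on stdin without the leading blanks some wc builds emit.
count() { awk 'END{print NR}'; }

# Distinct dates, newest first: tac reverses the file, awk keeps month and day,
# uniq collapses the adjacent repeats (the log is chronological).
log_dates() {
    tac "$LOGFILE" | awk '{print $1" "$2}' | uniq
}

# Entries for one day, e.g. entries_on Nov 4. Comparing fields instead of
# grep "Nov 4" also matches the padded form "Nov  4".
entries_on() {
    tac "$LOGFILE" | awk -v m="$1" -v d="$2" '$1 == m && $2 == d'
}

# The suspect entries reduced to date, time and $NF. NF is the number of
# fields, so $NF is the last field, which in this message is the source IP.
ident_failures() {
    tac "$LOGFILE" | grep 'identification string' | awk '{print $1" "$2"\t"$3"\t"$NF}'
}

# Each source IP with its hit count, most frequent first.
ident_sources() {
    tac "$LOGFILE" | grep 'identification string' | awk '{print $NF}' | sort | uniq -c | sort -rn
}

# Assemble the report exactly as the post does: ">" creates, ">>" appends.
write_report() {
    echo "Localhost123: Log entries from /var/log/messages" > "$1"
    printf '"Did not receive identification string":\n' >> "$1"
    ident_failures >> "$1"
    echo "Unique IP addresses:" >> "$1"
    tac "$LOGFILE" | grep 'identification string' | awk '{print $NF}' | sort -u >> "$1"
    echo "$1"
}

REPORT="$(write_report "$WORK/report.txt")"
cat "$REPORT"
```

Two points the functions make explicit: grep "Nov 4" silently misses syslog's padded "Nov  4" form, so filtering on awk fields is safer for one-digit days; and $NF is only the IP because this particular message ends with it, so check the message format before trusting a "last field" extraction.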
That's it. Hopefully there are no mistakes in this tutorial; if there is something to add, please do :)