Security Log Management: Identifying Patterns in the Chaos

Investigating intrusions is usually a difficult and tedious task. Faced with megabytes and sometimes gigabytes of log file data, it is easy to overlook some of the most critical evidence. Often it is difficult to determine that a security incident has even occurred.
But Log Parser changes that. Log Parser can combine, sort, and parse through log files to give you a unique perspective of your data. With the right queries, important evidence tends to float into view. Our goal in this chapter is to build a toolbox of queries that we will have ready to use as needed. Here you will learn powerful features and capabilities of Log Parser that will help you track down almost any intrusion.
To locate intruders, you must first detect the intrusion. Fortunately, most attacks leave some kind of trail. The trick is in knowing how to find these intrusions among thousands of normal log entries. The secret is to start with high-level queries then work your way down to more and more specific conditions in your WHERE clause. In this chapter, we will focus on the most common and the most obvious threats.
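As an added illustration of the high-level-to-specific approach (these queries are written here as an example and are not taken from the chapter's own toolbox), the three Log Parser queries below drill down through IIS W3C extended logs. They assume the logs are in the current directory as ex*.log with the default W3C fields (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status), and the client address 192.0.2.10 is a constructed placeholder standing in for whatever address the second query surfaces. Each query is run separately, for example `logparser -i:IISW3C "SELECT ..."`.

```sql
-- Step 1 (high level): how are responses distributed by HTTP status code?
-- A sudden swell of 4xx or 5xx responses is the first hint that something is off.
SELECT sc-status, COUNT(*) AS Hits
FROM ex*.log
GROUP BY sc-status
ORDER BY Hits DESC

-- Step 2 (narrower): which clients generate the most error responses?
-- The WHERE clause now restricts the rows to status codes of 400 and above,
-- and HAVING drops clients whose error count is ordinary. The threshold
-- of 100 is a constructed starting point to tune against your own baseline.
SELECT c-ip, COUNT(*) AS Errors
FROM ex*.log
WHERE sc-status >= 400
GROUP BY c-ip
HAVING COUNT(*) > 100
ORDER BY Errors DESC

-- Step 3 (specific): reconstruct what one suspicious client actually requested,
-- in time order, so the sequence of failed requests can be read as a story.
-- 192.0.2.10 is a placeholder; substitute an address returned by step 2.
SELECT TO_TIMESTAMP(date, time) AS EventTime, cs-method, cs-uri-stem, cs-uri-query, sc-status
FROM ex*.log
WHERE c-ip = '192.0.2.10' AND sc-status >= 400
ORDER BY EventTime
```

Each step keeps the SELECT list small and adds one more condition to the WHERE clause, which is what keeps the result set readable as the evidence narrows. Run the queries against copies of the log files rather than the originals.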
Tip: If you anticipate prosecuting an intruder with the information you gather, you should take careful steps to preserve the original evidence, and only run these queries on copies of log data. If you expect legal proceedings, you should always consult a forensics expert on how to best preserve evidence for use in court.
Suspicious behavior is...