Learn how to collect operating system data. Jungwoo uses Windows and Linux operating systems to demonstrate what type of network security-relevant data can be retrieved from an operating system.
- One of the primary sources of operating system data is its logging subsystem, and the mechanism varies with the operating system you are scrutinizing. Windows records events in the Windows Event Log, which you browse with the Event Viewer application (the Application, Security and System logs are the ones you will consult most); Linux writes its logs as plain-text flat files. The classic Windows taxonomy has five event types: Error, Warning, Information, Success Audit and Failure Audit.
Of the three general types, Error is the most severe, Warning is less severe, and Information is the least serious. Success Audit and Failure Audit events are the ones most pertinent to security, because they record successful and failed security access attempts (a logon, a privilege use, an object access) and are written to the Security log. On Linux the log files live in the /var/log directory, which holds several different kinds of log messages. To name a few: /var/log/messages contains general system events, /var/log/auth.log records authentication attempts, and /var/log/maillog stores the mail server's messages.
The exact file names depend on the distribution: Debian and Ubuntu use /var/log/auth.log and /var/log/mail.log, while Red Hat-derived systems use /var/log/secure and /var/log/maillog, and hosts running systemd also keep a binary journal that you query with journalctl rather than a text editor. There are many more files in /var/log, and it is up to you to decide which ones matter for your network security analysis. Whether they are generated by Windows or Linux, log messages of any type can be forwarded to a centralized log server such as one running syslog-ng; Linux does this through its local syslog daemon, while Windows needs a forwarding agent or Windows Event Forwarding, since it does not emit syslog natively.
Therefore, collecting operating system data usually involves log management systems forwarding their operating system's event data to another data collection system.
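As an added example (not code from the course), the following Python script shows what the collection step looks like in practice on the Linux side: it parses sshd entries from an auth.log, labels each one as a Success Audit or Failure Audit in the sense used for the Windows event types above, counts failed attempts per source address, and renders each event as an RFC 5424 syslog message of the kind a central collector such as syslog-ng accepts. The log lines are constructed for illustration; the mapping of the five Windows event types onto syslog severity codes is the author's own choice, while the facility and severity numbers themselves come from RFC 5424.

```python
"""Added example: parse sshd entries from a Linux auth.log, classify them as
Success Audit / Failure Audit, and wrap them as RFC 5424 syslog messages for a
central collector such as syslog-ng. Not course code; sample lines are constructed."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (Debian/Ubuntu) or /var/log/secure (Red Hat). Illustrative, not captured data.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Mar  4 10:15:09 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 40102 ssh2
Mar  4 10:15:11 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 40108 ssh2
Mar  4 10:15:14 web01 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Mar  4 10:15:20 web01 sshd[2240]: Accepted password for alice from 10.0.0.9 port 51300 ssh2
Mar  4 10:16:00 web01 CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Assumed mapping of the five Windows event types onto RFC 5424 severity codes
# (3 = err, 4 = warning, 6 = informational) so events from both platforms can
# be ranked on one scale once they reach the collector.
EVENT_TYPE_SEVERITY = {
    "Error": 3, "Warning": 4, "Information": 6,
    "Success Audit": 6, "Failure Audit": 4,
}
FACILITY_AUTHPRIV = 10  # RFC 5424 facility for security/authorization messages

# Traditional syslog line layout: "Mar  4 10:15:09 web01 sshd[2231]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd logon outcome: "Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2"
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return a dict for an sshd logon attempt, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    s = SSH_RE.match(m.group("msg"))
    if not s:
        return None
    audit = "Success Audit" if s.group("result") == "Accepted" else "Failure Audit"
    return {
        "host": m.group("host"), "user": s.group("user"), "ip": s.group("ip"),
        "method": s.group("method"), "invalid_user": s.group("invalid") is not None,
        "audit": audit, "raw": m.group("msg"),
    }


def parse_auth_log(text):
    """Parse every line; non-sshd lines (cron sessions and the like) are dropped."""
    return [e for e in (parse_auth_line(ln) for ln in text.splitlines()) if e]


def failed_logins_by_source(events, threshold=3):
    """Source IPs with at least `threshold` Failure Audit events: a basic
    password-guessing signal worth raising once the logs are centralized."""
    counts = Counter(e["ip"] for e in events if e["audit"] == "Failure Audit")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def to_syslog(event, ts=None):
    """Render an RFC 5424 message: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    PRI = facility * 8 + severity; `ts` is an RFC 3339 string (default: now, UTC)."""
    pri = FACILITY_AUTHPRIV * 8 + EVENT_TYPE_SEVERITY[event["audit"]]
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {event['host']} sshd - - - {event['raw']}"


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ev in evs:
        print(to_syslog(ev))
    print("suspicious sources:", failed_logins_by_source(evs))
```

Run as a script it prints one syslog-formatted line per logon attempt and flags 203.0.113.7, which accounts for three failures within a few seconds. The messages are only rendered here, not transmitted; in a real deployment the local syslog daemon ships them to the collector, and the same severity scale lets Windows Failure Audit events forwarded by an agent sort alongside the Linux ones.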
- Network security concepts
- The basic functions of a firewall
- Intrusion detection and prevention systems
- Using network data to improve security
- Using log servers to collect data
- Collecting application data
- Collecting OS data
- Network forensics
- Network security visualization