WEBVTT

1
00:00:00.090 --> 00:00:01.350
In this lesson,

2
00:00:01.350 --> 00:00:05.070
we will learn about system log sources.

3
00:00:05.070 --> 00:00:08.400
System log sources are the logs generated

4
00:00:08.400 --> 00:00:12.810
by the network infrastructure and enterprise devices.

5
00:00:12.810 --> 00:00:15.870
System log sources provide detailed records

6
00:00:15.870 --> 00:00:18.000
of activities and events

7
00:00:18.000 --> 00:00:21.030
and include infrastructure device logs,

8
00:00:21.030 --> 00:00:24.120
endpoint logs, application logs,

9
00:00:24.120 --> 00:00:29.120
and cloud security posture management, or CSPM, tools.

10
00:00:29.310 --> 00:00:32.340
Infrastructure device logs capture data

11
00:00:32.340 --> 00:00:35.340
from routers, firewalls, and switches,

12
00:00:35.340 --> 00:00:39.900
helping to identify network anomalies and malicious traffic.

13
00:00:39.900 --> 00:00:44.900
Next, endpoint logs track activities on individual devices

14
00:00:45.090 --> 00:00:47.910
like computers or mobile devices.

15
00:00:47.910 --> 00:00:51.180
Then application logs document events

16
00:00:51.180 --> 00:00:53.760
within software applications

17
00:00:53.760 --> 00:00:56.640
aiding in the detection of software issues

18
00:00:56.640 --> 00:00:58.860
or unauthorized access.

19
00:00:58.860 --> 00:01:02.010
Finally, cloud security posture management,

20
00:01:02.010 --> 00:01:06.150
or CSPM tools, monitor cloud environments

21
00:01:06.150 --> 00:01:10.800
to identify misconfigurations or security risks.

22
00:01:10.800 --> 00:01:14.550
Let's learn more about infrastructure device logs,

23
00:01:14.550 --> 00:01:17.340
endpoint logs, application logs,

24
00:01:17.340 --> 00:01:20.550
and security posture management tools.

25
00:01:20.550 --> 00:01:24.570
First, we have infrastructure device logs.

26
00:01:24.570 --> 00:01:27.240
Infrastructure device logs are records

27
00:01:27.240 --> 00:01:29.880
of the activities and operations

28
00:01:29.880 --> 00:01:32.730
of network hardware such as routers,

29
00:01:32.730 --> 00:01:35.070
firewalls, and switches.

30
00:01:35.070 --> 00:01:38.970
These logs provide insight into network traffic,

31
00:01:38.970 --> 00:01:42.720
performance and potential security issues.

32
00:01:42.720 --> 00:01:46.800
However, it's important to note that not all devices,

33
00:01:46.800 --> 00:01:50.100
whether on-premises or in cloud environments,

34
00:01:50.100 --> 00:01:54.540
are configured by default to capture all relevant logs.

35
00:01:54.540 --> 00:01:57.690
For instance, network devices may,

36
00:01:57.690 --> 00:01:59.594
in a default configuration,

37
00:01:59.594 --> 00:02:03.210
omit detailed logging of dropped packets

38
00:02:03.210 --> 00:02:06.690
or certain types of user access logs.

39
00:02:06.690 --> 00:02:09.210
This makes it important for enterprises

40
00:02:09.210 --> 00:02:11.640
to implement a log policy

41
00:02:11.640 --> 00:02:14.130
to ensure that all necessary data

42
00:02:14.130 --> 00:02:16.380
is captured for analysis.

43
00:02:16.380 --> 00:02:18.540
In an enterprise environment,

44
00:02:18.540 --> 00:02:20.700
infrastructure device logs

45
00:02:20.700 --> 00:02:23.700
can be utilized to monitor network health

46
00:02:23.700 --> 00:02:25.530
and detect anomalies

47
00:02:25.530 --> 00:02:28.140
such as unusual traffic patterns

48
00:02:28.140 --> 00:02:31.200
or unauthorized access attempts.

49
00:02:31.200 --> 00:02:34.980
By analyzing logs from routers and firewalls,

50
00:02:34.980 --> 00:02:37.770
IT teams can identify and address

51
00:02:37.770 --> 00:02:41.850
potential security incidents before they escalate.

52
00:02:41.850 --> 00:02:45.270
For example, firewall logs may reveal

53
00:02:45.270 --> 00:02:48.870
repeated attempts to access a restricted area

54
00:02:48.870 --> 00:02:52.530
of the network from suspicious IP addresses,

55
00:02:52.530 --> 00:02:55.260
signaling a potential attack.

56
00:02:55.260 --> 00:02:58.230
So, an enterprise log policy

57
00:02:58.230 --> 00:03:02.250
should cover both on-premises and cloud infrastructure

58
00:03:02.250 --> 00:03:06.510
to ensure a comprehensive view of network activity.

59
00:03:06.510 --> 00:03:11.340
For example, cloud networks like AWS or Azure

60
00:03:11.340 --> 00:03:14.070
may have basic logging enabled,

61
00:03:14.070 --> 00:03:16.260
but features like traffic monitoring

62
00:03:16.260 --> 00:03:18.300
or advanced threat detection

63
00:03:18.300 --> 00:03:21.660
may require additional configurations.

64
00:03:21.660 --> 00:03:25.350
In the end, a well-defined log policy

65
00:03:25.350 --> 00:03:28.290
ensures that all devices and networks,

66
00:03:28.290 --> 00:03:30.780
whether physical or virtual,

67
00:03:30.780 --> 00:03:33.990
provide detailed and useful logs.

68
00:03:33.990 --> 00:03:37.140
Second, we have endpoint logs.

69
00:03:37.140 --> 00:03:39.150
In enterprise environments,

70
00:03:39.150 --> 00:03:42.210
endpoint logs are used to detect issues

71
00:03:42.210 --> 00:03:45.300
at the user level or device level,

72
00:03:45.300 --> 00:03:49.050
with each log serving a specific function.

73
00:03:49.050 --> 00:03:52.650
On Windows systems, there are five logs of note.

74
00:03:52.650 --> 00:03:56.910
security, application, system, setup,

75
00:03:56.910 --> 00:03:59.250
and forwarded events logs.

76
00:03:59.250 --> 00:04:03.150
The security log tracks user authentication events,

77
00:04:03.150 --> 00:04:06.840
recording successful and failed login attempts,

78
00:04:06.840 --> 00:04:11.840
which helps IT teams detect potential unauthorized access

79
00:04:12.030 --> 00:04:14.640
or failed password attempts.

80
00:04:14.640 --> 00:04:18.120
Next, the application log captures events

81
00:04:18.120 --> 00:04:21.840
related to applications running on the system,

82
00:04:21.840 --> 00:04:24.090
such as errors, warnings,

83
00:04:24.090 --> 00:04:28.470
or informational messages about application behavior.

84
00:04:28.470 --> 00:04:31.560
Next, the system log records events

85
00:04:31.560 --> 00:04:34.950
related to the system's hardware and software,

86
00:04:34.950 --> 00:04:38.220
tracking system failures, driver errors,

87
00:04:38.220 --> 00:04:41.610
and other critical infrastructure events.

88
00:04:41.610 --> 00:04:45.200
Next, the setup log contains information on events

89
00:04:45.200 --> 00:04:48.390
generated during the installation

90
00:04:48.390 --> 00:04:50.760
of the operating system.

91
00:04:50.760 --> 00:04:53.880
And finally, the forwarded events log

92
00:04:53.880 --> 00:04:56.580
aggregates logs from remote machines

93
00:04:56.580 --> 00:04:59.640
if centralized logging is enabled.

94
00:04:59.640 --> 00:05:02.640
Together, these logs collectively provide

95
00:05:02.640 --> 00:05:05.910
valuable insight into system behavior,

96
00:05:05.910 --> 00:05:10.910
performance issues and security risks on Windows devices.

97
00:05:11.220 --> 00:05:14.730
On Linux systems, logs are stored primarily

98
00:05:14.730 --> 00:05:17.970
in the /var/log directory

99
00:05:17.970 --> 00:05:21.450
with each file dedicated to different aspects

100
00:05:21.450 --> 00:05:23.310
of system operations.

101
00:05:23.310 --> 00:05:27.150
The auth.log captures authentication events

102
00:05:27.150 --> 00:05:32.040
such as login attempts and authentication method usage,

103
00:05:32.040 --> 00:05:35.340
similar to the security log in Windows.

104
00:05:35.340 --> 00:05:40.340
Next, system logs are stored in /var/log/messages

105
00:05:41.580 --> 00:05:44.100
and record system-wide events

106
00:05:44.100 --> 00:05:47.790
like daemon activity and service startups,

107
00:05:47.790 --> 00:05:51.210
offering a broad view of system health.

108
00:05:51.210 --> 00:05:55.080
Application logs are used for specific services

109
00:05:55.080 --> 00:05:58.260
such as mail servers or web servers,

110
00:05:58.260 --> 00:06:01.950
and are usually stored in their own subdirectories

111
00:06:01.950 --> 00:06:04.923
or individual files under /var/log.

112
00:06:06.750 --> 00:06:11.750
For example, /var/log/httpd for Apache.

113
00:06:13.980 --> 00:06:17.580
Finally, logs related to background processes

114
00:06:17.580 --> 00:06:22.440
such as scheduled tasks, which are called cron jobs in Linux,

115
00:06:22.440 --> 00:06:26.970
are captured in daemon.log and cron.log,

116
00:06:26.970 --> 00:06:31.380
allowing administrators to monitor automated tasks.

117
00:06:31.380 --> 00:06:35.610
Additionally, Linux maintains package manager logs,

118
00:06:35.610 --> 00:06:40.020
which track software installations, updates, and removals.

119
00:06:40.020 --> 00:06:45.020
These are stored in logs like /var/log/dpkg.log

120
00:06:47.670 --> 00:06:49.950
for Debian-based systems

121
00:06:49.950 --> 00:06:54.950
and /var/log/yum.log for Red Hat-based systems.

122
00:06:57.630 --> 00:07:00.450
Monitoring these logs helps keep track

123
00:07:00.450 --> 00:07:02.730
of software version changes

124
00:07:02.730 --> 00:07:04.650
and ensure that patch management

125
00:07:04.650 --> 00:07:07.230
is functioning as expected.

126
00:07:07.230 --> 00:07:11.040
Together, these logs provide IT teams

127
00:07:11.040 --> 00:07:15.000
with dedicated visibility into system operations,

128
00:07:15.000 --> 00:07:18.720
security events, and software performance,

129
00:07:18.720 --> 00:07:22.770
enabling proactive maintenance and security monitoring

130
00:07:22.770 --> 00:07:25.200
in enterprise environments.

131
00:07:25.200 --> 00:07:28.950
So, collecting and analyzing endpoint logs

132
00:07:28.950 --> 00:07:32.310
across all devices within an organization

133
00:07:32.310 --> 00:07:36.450
helps maintain security and ensure compliance.

134
00:07:36.450 --> 00:07:39.780
Third, we have application logs.

135
00:07:39.780 --> 00:07:42.270
Application logs capture events

136
00:07:42.270 --> 00:07:45.330
that occur within software applications,

137
00:07:45.330 --> 00:07:48.360
providing insights into the functioning

138
00:07:48.360 --> 00:07:51.480
and performance of these applications.

139
00:07:51.480 --> 00:07:54.810
On Windows systems, application logs

140
00:07:54.810 --> 00:07:57.240
are stored in the Event Viewer

141
00:07:57.240 --> 00:07:59.850
and are organized by severity,

142
00:07:59.850 --> 00:08:02.880
ranging from information to warning,

143
00:08:02.880 --> 00:08:05.580
error, and critical events.

144
00:08:05.580 --> 00:08:08.850
These logs help administrators identify

145
00:08:08.850 --> 00:08:10.560
and troubleshoot issues

146
00:08:10.560 --> 00:08:15.420
such as an application crashing due to a memory leak,

147
00:08:15.420 --> 00:08:17.130
or failing to start

148
00:08:17.130 --> 00:08:19.710
due to a missing dependency.

149
00:08:19.710 --> 00:08:22.710
On Linux systems, application logs

150
00:08:22.710 --> 00:08:27.450
are typically stored in the /var/log directory,

151
00:08:27.450 --> 00:08:29.970
but individual application logs

152
00:08:29.970 --> 00:08:33.060
such as web server or database logs

153
00:08:33.060 --> 00:08:36.480
are stored in specific files or subdirectories,

154
00:08:36.480 --> 00:08:41.480
such as /var/log/httpd for Apache web server logs.

155
00:08:44.370 --> 00:08:46.230
In enterprise environments,

156
00:08:46.230 --> 00:08:49.500
application logs are critical for monitoring

157
00:08:49.500 --> 00:08:51.480
the performance and security

158
00:08:51.480 --> 00:08:54.090
of business critical applications.

159
00:08:54.090 --> 00:08:57.390
For example, an enterprise might rely

160
00:08:57.390 --> 00:09:01.980
on web server logs to track HTTP requests,

161
00:09:01.980 --> 00:09:04.260
detect potential vulnerabilities

162
00:09:04.260 --> 00:09:06.600
like SQL injection attempts

163
00:09:06.600 --> 00:09:10.320
or identify excessive page load times.

164
00:09:10.320 --> 00:09:13.350
Finally, analyzing application logs

165
00:09:13.350 --> 00:09:17.580
for security events such as failed login attempts

166
00:09:17.580 --> 00:09:19.980
or suspicious user behavior

167
00:09:19.980 --> 00:09:24.420
within an application can detect malicious activity.

168
00:09:24.420 --> 00:09:26.280
And by setting up alerts

169
00:09:26.280 --> 00:09:29.910
based on the severity levels of these logs,

170
00:09:29.910 --> 00:09:33.060
enterprises can prioritize responses

171
00:09:33.060 --> 00:09:35.400
to critical application errors

172
00:09:35.400 --> 00:09:38.310
that could impact service availability

173
00:09:38.310 --> 00:09:40.890
or pose security risks.

174
00:09:40.890 --> 00:09:45.750
Fourth and last, we have Cloud Security Posture Management,

175
00:09:45.750 --> 00:09:48.510
or CSPM tools.

176
00:09:48.510 --> 00:09:52.140
CSPM tools help enterprises monitor

177
00:09:52.140 --> 00:09:56.010
and maintain security within cloud environments

178
00:09:56.010 --> 00:10:00.480
by identifying misconfigurations, vulnerabilities

179
00:10:00.480 --> 00:10:02.910
and compliance violations.

180
00:10:02.910 --> 00:10:06.000
These tools ensure that cloud resources

181
00:10:06.000 --> 00:10:10.350
are configured correctly according to industry standards

182
00:10:10.350 --> 00:10:13.020
and security best practices.

183
00:10:13.020 --> 00:10:16.410
One of the most prevalent CSPM tools

184
00:10:16.410 --> 00:10:19.110
is AWS Security Hub,

185
00:10:19.110 --> 00:10:23.220
which integrates data from various AWS services

186
00:10:23.220 --> 00:10:25.560
to provide a unified view

187
00:10:25.560 --> 00:10:28.980
of an organization's security posture.

188
00:10:28.980 --> 00:10:33.480
In enterprise environments, CSPM tools are essential

189
00:10:33.480 --> 00:10:35.610
for maintaining visibility

190
00:10:35.610 --> 00:10:38.040
into the cloud infrastructure

191
00:10:38.040 --> 00:10:42.420
where misconfigurations, such as open S3 buckets

192
00:10:42.420 --> 00:10:46.740
or overly permissive identity and access management roles

193
00:10:46.740 --> 00:10:50.430
can lead to significant security breaches.

194
00:10:50.430 --> 00:10:54.690
Cloud security posture management, or CSPM tools,

195
00:10:54.690 --> 00:10:57.690
continuously monitor cloud environments

196
00:10:57.690 --> 00:10:59.550
and provide recommendations

197
00:10:59.550 --> 00:11:03.210
for remediation based on detected risks.

198
00:11:03.210 --> 00:11:07.526
For example, AWS Security Hub can automatically

199
00:11:07.526 --> 00:11:12.526
detect misconfigurations in Amazon S3 bucket permissions

200
00:11:13.170 --> 00:11:17.250
and notify administrators who can then correct the issue

201
00:11:17.250 --> 00:11:20.220
to prevent unauthorized access.

202
00:11:20.220 --> 00:11:23.520
So with cloud adoption on the rise,

203
00:11:23.520 --> 00:11:27.900
CSPM tools are becoming increasingly important

204
00:11:27.900 --> 00:11:30.960
in enterprise security strategies.

205
00:11:30.960 --> 00:11:34.860
These tools not only help with real-time monitoring,

206
00:11:34.860 --> 00:11:37.320
but also support compliance efforts

207
00:11:37.320 --> 00:11:39.450
by generating audit reports

208
00:11:39.450 --> 00:11:41.760
that ensure cloud configurations

209
00:11:41.760 --> 00:11:44.010
meet regulatory requirements

210
00:11:44.010 --> 00:11:49.010
such as the General Data Protection Regulation, or GDPR,

211
00:11:49.080 --> 00:11:52.950
or the Health Insurance Portability and Accountability Act,

212
00:11:52.950 --> 00:11:54.690
known as HIPAA.

213
00:11:54.690 --> 00:11:57.090
Enterprises can use these tools

214
00:11:57.090 --> 00:11:59.910
to create a safer cloud environment,

215
00:11:59.910 --> 00:12:02.550
reducing the risk of data breaches

216
00:12:02.550 --> 00:12:06.300
and maintaining secure cloud operations.

217
00:12:06.300 --> 00:12:11.040
So remember, system log sources are critical

218
00:12:11.040 --> 00:12:14.370
for monitoring and managing network infrastructure

219
00:12:14.370 --> 00:12:16.590
and enterprise devices.

220
00:12:16.590 --> 00:12:21.480
They include infrastructure device logs, endpoint logs,

221
00:12:21.480 --> 00:12:25.560
application logs, and cloud security posture management,

222
00:12:25.560 --> 00:12:27.810
or CSPM tools,

223
00:12:27.810 --> 00:12:31.680
each providing insight into specific aspects

224
00:12:31.680 --> 00:12:36.150
of the network health, security, and performance.

225
00:12:36.150 --> 00:12:40.320
First, infrastructure device logs capture information

226
00:12:40.320 --> 00:12:43.440
from routers, firewalls, and switches

227
00:12:43.440 --> 00:12:46.620
to help identify network anomalies.

228
00:12:46.620 --> 00:12:51.620
Next, endpoint logs track activities on individual devices

229
00:12:51.930 --> 00:12:56.310
helping detect issues at the user or device level.

230
00:12:56.310 --> 00:12:59.610
Then application logs provide details

231
00:12:59.610 --> 00:13:03.780
about events occurring within software applications,

232
00:13:03.780 --> 00:13:06.690
offering insights into software performance

233
00:13:06.690 --> 00:13:08.730
and security risks.

234
00:13:08.730 --> 00:13:13.730
And finally, CSPM tools monitor cloud environments,

235
00:13:13.890 --> 00:13:18.120
identifying misconfigurations and vulnerabilities

236
00:13:18.120 --> 00:13:20.970
that could lead to security breaches.

237
00:13:20.970 --> 00:13:25.020
Together, these logs offer a comprehensive view

238
00:13:25.020 --> 00:13:28.620
of enterprise operations and security,

239
00:13:28.620 --> 00:13:33.620
aiding in proactive issue detection and remediation.

