TryHackMe Log Universe Writeup

Motasem Hamdan
4 min read · Sep 5, 2024


In this article, we solve the room named “TryHackMe Log Universe”. It's very important that you open the VM in the room to be able to follow along with the answers given in this post.

If you don’t have access to TryHackMe, then watch the video below for more context.

  • Learn how to identify and use different log sources.
  • Understand what to expect from different log types.
  • Gain hands-on experience in data carving from the log files.

Please watch the video at the bottom for full detailed explanation of the walkthrough.

Definition of Logs in Cybersecurity & IT

Following security best practices, it is typical for a modern environment to employ log forwarding. Log forwarding means that the SOC will move or “forward” logs from the host machine to a central server or indexer. Even if an attacker can delete logs from the host machine, they could already be off of the device and secured.

Log entries are often given a severity level to categorize and communicate their relative importance or impact. These severity levels help prioritize responses, investigations, and actions based on the criticality of the events. Different systems might use slightly different severity levels, but commonly, you can expect to find the following increasing severity levels: Informational, Warning, Error, and Critical.

What are Log Files?

Log files are records of events committed to a file in a list format. They can include all sorts of information about events that happened at a particular time. Every device on the network creates log files, thus giving you a history of what’s been happening.
Log entries typically contain five headed areas (fields). They are:

  • Timestamp — the time of the event.
  • Log level — how severe or important the event is.
  • Username — who caused the event.
  • Service or application — what caused the event.
  • Event description — what has happened.

Log Management

Log management includes securely storing logs, providing enough storage capacity and ensuring swift retrieval of logs when needed. Also make sure to conform to the retention period, back up your logs regularly and conduct a periodic review.

Log Retention & Archival
Define log retention policies and implement them. Don’t forget to create backups of stored log data as well.

Definition of Log Analysis in IT & Cybersecurity

Log analysis examines and interprets log event data generated by various data sources (devices, applications, and systems) to monitor metrics and identify security incidents.
Log analysis involves several steps that start with collecting, parsing, and processing log files to turn raw data into actionable findings. Analysts then correlate log data to find links and connections between events and build a timeline of what happened.

Windows Event Logs

Windows event logs provide in-depth footprint information on the system, security, and applications installed on a Windows operating system. Windows provides a generous amount of logs, and you will need to activate them according to your visibility needs and capacity. Remember, the logging scope is fully configurable, and the default settings are not enough for the current state of the threats. Being comfortable with logs is a vital skill, but it is also important to have the general characteristics before deep diving into each log source’s details.

Windows Categorization of Event Messages

  • Information: Describes the successful operation of a driver, application or service. Basically, a service is calling home.
  • Warning: Describes an event that may not be a present issue but can cause problems in the future.
  • Error: Describes a significant problem with a service or application.
  • Success Audit: Outlines that an audited security access operation was successful. For example, a user’s successful login to the system.
  • Failure Audit: Outlines that an audited security access operation failed. For example, a failed access to a network drive by a user.

Linux Logs

Like Windows event logs, Linux logs provide in-depth footprint information on the system, security, and applications installed. Again, the logging scope is fully configurable, and the default settings are not enough for the current state of the threats. Examples of Linux logs can be found below:

  • /var/log/syslog — the syslog file stores all system activity, including startup activity. Note that this is not the syslog protocol used to collect log entries from other systems.
  • /var/log/messages — this log contains a wide variety of general system messages. It includes some messages logged during startup, some messages related to mail, the kernel, and messages related to authentication.
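As an added example (not code from the room or from the post), here is the parse-then-correlate flow from the log analysis section applied to lines in the /var/log/syslog layout just described, splitting each line into the five areas listed under “What are Log Files?”. The sample lines, hostname, usernames and IP addresses are constructed for illustration; the level and username rules are assumptions, since a plain syslog text file carries no explicit level field.

```python
import re
from collections import Counter

# Constructed sample lines in the classic /var/log/syslog layout (not taken from the room's VM).
SAMPLE_SYSLOG = """\
Sep  5 10:14:01 webhost sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Sep  5 10:14:03 webhost sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51424 ssh2
Sep  5 10:14:09 webhost sshd[2207]: Accepted password for alice from 198.51.100.4 port 40021 ssh2
Sep  5 10:15:00 webhost CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Sep  5 10:15:30 webhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# One syslog line: "<Mon dd HH:MM:SS> <host> <service>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<service>[^\s\[:]+)(?:\[\d+\])?:\s*(?P<description>.*)$"
)
# Assumed rule: derive the level from message wording, since the file has no level column.
LEVEL_RULES = [("failed", "Warning"), ("error", "Error"), ("accepted", "Informational")]
# Assumed rule: where the username appears depends on the service; these cover the sample services.
USER_RES = [
    re.compile(r"for (?:invalid user )?(\w+) from"),  # sshd
    re.compile(r"^\((\w+)\) CMD"),                    # CRON
    re.compile(r"^(\w+) : TTY="),                     # sudo
]

def parse_line(line):
    """Split one line into the five areas: timestamp, level, username, service, description."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    desc = m.group("description")
    level = next((lvl for key, lvl in LEVEL_RULES if key in desc.lower()), "Informational")
    user = next((u.search(desc).group(1) for u in USER_RES if u.search(desc)), None)
    return {"timestamp": m.group("timestamp"), "level": level, "username": user,
            "service": m.group("service"), "description": desc}

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def failed_logins_per_user(entries):
    """Correlation step: count sshd failures per username across all parsed entries."""
    return Counter(e["username"] for e in entries
                   if e["service"] == "sshd" and e["level"] == "Warning")

if __name__ == "__main__":
    entries = parse_log(SAMPLE_SYSLOG)
    print(failed_logins_per_user(entries))
```

Running the block prints `Counter({'admin': 2})`, the kind of per-user failure count an analyst would compare against the retention window and the other hosts' forwarded logs.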

Room Answers | TryHackMe Log Universe

Room answers can be found here.


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
