So we're taking a look at some of the logs on our Windows systems. Then what? What are some of the logs that we can take a look at, especially in our Event Viewer? Well, we have our general logs, which are going to be some of the generic system-related logs that we can view, and in our Event Viewer we can view by default our application, security, and system logs.
Now, our application logs are going to be just what they sound like: they're going to be logs that log events, errors, and information related to applications or programs installed on our system. So any additional applications and additional software that we get errors, prompts, warnings, or information for will log in our application log.
Next, we have our security log. Our security log is going to log security-related events that we set in our security policy to audit. So if we audit a certain event, that means we want to include that event in our log when it happens. Say we want to audit when users unsuccessfully log in, because we want to know if someone's trying to log into an account if they don't have the password for it; then we would want to audit that event and have it show up in our security log. We may want to audit if a user gets locked out, or someone changes their password, or someone modifies a file. Those may all be included in our security logs.
Next, we have our system logs. Our system logs are going to show us errors, warnings, and information related to issues not with our applications, not with security, but with our actual system itself. So if there are system-related issues, maybe Microsoft has a certain error, it tried to run a certain service and it failed, or a service had to be restarted because of an issue, that is going to log those system-related events in our system logs.
Again, our Event Viewer is going to show information in our application or system logs as information, warnings, or errors. Information is just informational. The log is just letting us know: hey, this is not necessarily good or bad, it's just information. We have warnings, which are something that we should take a look at and be concerned about, but nothing that's of immediate cause for concern. And then errors, which are things that go wrong, that we may want to take a closer look at than our warnings or information. Our security events, the events in our security log, will just be security events that we audit on; they just let us know of different security-related events.
Next, we have our history logs. Now, our history logs will indicate a history of something happening, not necessarily information, warnings, or errors, just a history of changes or a history of what something has done. The most prominent example of this would be our Internet browsers. Our Internet browsers typically keep a history, and will let us know where someone has gone on the Internet on this device.
Now, history logs aren't just limited to tracking Internet browsing history. We can configure additional history logs to do things such as track file changes. We can do things such as tracking user account changes, Active Directory changes, and different events that we may want to keep a history of in order to view and see if someone has modified this file, or has logged in, or modified system events. We can keep track of history logs even though they may not necessarily be information or warnings or errors. They may be something that we may need to revert back to, or we may need to take a look at for accountability purposes. If we have something that wasn't done right, or something that was done maliciously, and we want to take a look at some history logs, we may be able to see who along the line did something that tipped that off.
And then last, we have our traffic analysis and we have our protocol analyzer. Traffic analysis is the act of taking and looking at our network traffic and analyzing it for issues, essentially just looking at our traffic data and then using that data in order to make assumptions, analyses, or insights into our network and our network as a whole.
We can analyze our network traffic through things such as Microsoft protocol analyzers. We can use Wireshark, which is a very powerful protocol analyzer. We can use netstat, which we talked about in our previous module, and how we can see the current connections that we have to a particular computer. We can check firewall or IDS logs (intrusion detection system logs) and use that information, as well as our network packet captures and our netstat information, and get an analysis of the network traffic that's going on.
By using this network traffic, we can take that information and view certain events that have happened. We can view certain traffic that's been moved around, and we can make conjectures about our network. We can say, okay, we got a lot of different scans against our firewall for certain ports. It looks like someone's trying to do some port scans on us. Or our Wireshark capture picked up a lot of ARP requests, just arbitrary ARPs for everything from 192.168.0.0 through 192.168.255.255. That's a lot of ARP requests looking for IP addresses that might be out there. That is definitely an indicator of something or someone looking on our network to try to find devices.
So we need to be aware of what different network data means. The more we know about different protocols, the more we know about normal network traffic and what protocols and different requests are for, the more we're able to use that knowledge and apply it to our own captures, and we're able to apply it to abnormal captures and know what certain information is doing.
And always have a baseline. We need something that we can compare abnormal traffic to, because if you're having an issue with your network and that's the first time you capture your data, you might be seeing things, and you might be making assumptions on data when your network was just always like that.
Maybe you have several different devices that are pinging for something. You say, okay, I have five different devices that are performing an ARP request for this one particular IP address. Maybe there was a problem with connecting to this IP address. Maybe I have a certain device that's down. Well, maybe it's just that those five devices are older devices that you have on there, and those devices are looking for an old network printer that was taken offline years ago. Those devices just occasionally look out and see if they can find that printer. That may just be normal network traffic for you, and that may not be what's causing your problem. So you need to have a baseline. You need to have something that you can open up and refer to in order to compare that against normal traffic, or else you may just be stabbing in the dark. You may be following rabbit holes that don't really lead anywhere. So have that baseline, have something that you can compare it to, and you'll be able to narrow down and find abnormal network traffic a lot more easily.
And then last, we have our protocol analyzer. We've talked about protocol analyzers a couple of times, but we'll just go over it really quickly one more time.
A protocol analyzer is essentially just software that allows us to capture network traffic and analyze that traffic in order to provide us with insight. We can capture the data and the packets going along our networks, maybe set up a SPAN port on our switch, plug in a laptop with some protocol analyzer software on it, and just capture the flood of data. We'll be able to see things such as sending and destination IP addresses, destination and sending ports, protocols, even the actual packet data that's transmitting over the network.
This is one of the reasons why we want to make sure that we log in to websites with HTTPS rather than HTTP, because HTTPS is going to actually encrypt our data. If we logged into a website with HTTP and someone's running a protocol analyzer, they can very easily open up one of those packets and say, oh, here's the username, here's the password. They're very pointedly defined fields that can be easily searched for within a protocol analyzer. You just search for those fields, search for that data type, and then it'll pop up with the actual packet, and if you click on that packet and you know where to look, you'll be able to see the usernames and passwords, which is why we have that data encrypted over HTTPS. But nonetheless, protocol analyzers provide great insight into our network. They allow us to see that traffic and allow us to see what's going on.
Again, you'll need some knowledge of what certain protocols do. You'll need knowledge of what certain ports go to and what normal network traffic looks like. You'll need to have a baseline in order to compare these captures against, so that you'll say, okay, this is abnormal. I don't normally see this many ARP requests. I don't normally see this many attempted sessions initiated to this particular device, or these multiple different types of protocol connections. All of these different well-known ports, and I have this one single device that's trying to connect to them in a list-like pattern. That's very, very suspicious.
So be aware of that. Play around with a protocol analyzer. Download Wireshark and use it on your own. Just run it and view some of the traffic that you're getting on your own network. The more you do that, and the more you view and see what normal network traffic is, the better you'll be able to very quickly notice something that's out of the ordinary, very quickly notice something that's abnormal.
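Added example, not part of the original lecture: a small Python sketch of the baseline comparison described above, flagging any source whose ARP lookups or connection attempts reach far more distinct targets than the baseline capture ever showed. The record layout, the sample addresses, and the `factor` and `floor` thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from a real capture): (source, kind, target).
# kind "arp"     -> target is the IP address being asked for
# kind "tcp_syn" -> target is "dst_ip:port" of an attempted session
BASELINE = [
    ("192.168.0.21", "arp", "192.168.0.1"),
    ("192.168.0.21", "arp", "192.168.0.50"),  # old printer lookup, known and normal
    ("192.168.0.22", "arp", "192.168.0.50"),
    ("192.168.0.22", "tcp_syn", "192.168.0.10:443"),
]
CAPTURE = BASELINE + (
    [("192.168.0.77", "arp", f"192.168.0.{n}") for n in range(1, 41)]
    + [("192.168.0.88", "tcp_syn", f"192.168.0.10:{p}") for p in range(20, 45)]
)

def distinct_targets(records):
    """Map (source, kind) -> set of distinct targets that source reached for."""
    seen = defaultdict(set)
    for src, kind, target in records:
        seen[(src, kind)].add(target)
    return seen

def find_abnormal(baseline, capture, factor=3, floor=10):
    """Flag (source, kind) pairs whose distinct-target count exceeds both
    `floor` and `factor` times the busiest baseline source of the same kind."""
    normal_max = defaultdict(int)
    for (_src, kind), targets in distinct_targets(baseline).items():
        normal_max[kind] = max(normal_max[kind], len(targets))
    alerts = []
    for (src, kind), targets in sorted(distinct_targets(capture).items()):
        threshold = max(floor, factor * normal_max[kind])
        if len(targets) > threshold:
            alerts.append((src, kind, len(targets)))
    return alerts

if __name__ == "__main__":
    for src, kind, count in find_abnormal(BASELINE, CAPTURE):
        print(f"{src}: {count} distinct {kind} targets, well above baseline")
```

The devices that only look for the old printer stay under the threshold because the baseline already contains them; only the two sources walking through addresses or ports in a list-like pattern are reported.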
So thank you for joining us here today on Cybrary.IT. Today we talked about several different types of monitoring tools that we can use in order to analyze our network traffic. We talked about a lot of the different logs that we can use, some of our general logs, syslog, and Event Viewer, in order to view events that happen on the different devices on our network.
We talked about SNMP, which is a protocol that allows us to actually configure a management agent and a client agent, which will collect information from devices such as printers, switches, and servers and then send it back to be viewed without having to manually go to every single one of those devices. We just receive those alerts.
And we talked about things such as our protocol analyzers, and how traffic analysis on our network actually helps us to narrow down issues and helps us to see things that may be abnormal on our network.
So hopefully this was informative. Hopefully this provided you a little bit of insight as to what the potential of these different network management tools is, so that you can go forward, set up your own network management tools, and use them to keep an eye on your network, keep track of and monitor those errors and warnings, so that before a major catastrophe happens, you'll be able to sort of cut it off before it occurs. So again, thank you for watching, and we hope to see you here next time on Cybrary.