
User talk:Jbuchanan 1

From Wikipedia, the free encyclopedia

Welcome

Hello, Jbuchanan 1, and Welcome to Wikipedia!

Thank you for your contributions to this free encyclopedia. If you decide that you need help, check out Getting Help below, ask at the help desk, or place {{Help me}} on your talk page and ask your question there. Please remember to sign your name on talk pages by clicking or by typing four tildes (~~~~); this will automatically produce your username and the date. Also, please do your best to always fill in the edit summary field. Below are some useful links to help you get started. Happy editing! ~Oshwah~(talk) (contribs) 16:27, 19 May 2021 (UTC)[reply]

Welcome!

Hello, Jbuchanan 1, and welcome to Wikipedia! My name is Ian and I work with Wiki Education; I help support students who are editing as part of a class assignment.

I hope you enjoy editing here. If you haven't already done so, please check out the student training library, which introduces you to editing and Wikipedia's core principles. You may also want to check out the Teahouse, a community of Wikipedia editors dedicated to helping new users. Below are some resources to help you get started editing.

Handouts
Additional Resources
  • You can find answers to many student questions in our FAQ.

If you have any questions, please don't hesitate to contact me on my talk page. Ian (Wiki Ed) (talk) 04:31, 15 July 2021 (UTC)[reply]

Your additions to the above article include passages copied verbatim or nearly verbatim from a non-free source. This was detected by automatic plagiarism detection software. For copyright reasons, your contribution was deleted. Please review the Plagiarism and Copyright training module before proceeding further. Thanks. — Diannaa (talk) 14:01, 29 July 2021 (UTC)[reply]

NIST references are free for public use and distribution. Microsoft functionality such as logging functions, including a number and explanation, is core functionality and is a matter of fact for operational use - any interpretation removes any scientific rigor from the discussion. This is also free for use and distribution from their website. Additionally, Linux directory and file structures, again, are a matter of fact. So yes, your software may have picked up syntax that is 1:1, but it has no context to the actual subject or topic. Additionally, you have deleted completely original included in your scan. Please advise Diannaa. Jbuchanan 1 (talk) 14:16, 29 July 2021 (UTC)[reply]

The source document is released under a Creative Commons Attribution-Non Commercial License, which is not a compatible license, because it does not allow commercial use, and our license does. So it's not okay to copy it here. I can help you restore any paragraphs of original prose written by yourself that are properly sourced, if you would be so kind as to identify which they were.— Diannaa (talk) 21:35, 29 July 2021 (UTC)[reply]

Diannaa (talk) Thank you for your help and clarification! This is my first experience with Wikipedia and this is still a learning curve. The following sections were written based on my own knowledge. Any help with restoring the below would be a great help - I am trying to make this a usable reference source. The granular Windows log numbers and descriptions from their website I will re-write in some other format.

https://www.microsoft.com/en-us/legal/copyright/permissions https://www.linuxfoundation.org/the-linux-mark/

Operating System Event Logs

Critical to the operation and functionality of any SIEM tool is the collection and aggregation of events in the form of logs from all assets on a network. It is important to note that different operating systems generate different types of logs in different ways. A SIEM solution often has the capability to index and parse structured and unstructured data. One can classify the records by log type: Windows Event Logs, in the Windows event log format; Linux, which uses the syslog or rsyslog format; and networking or security appliances that use syslog or proprietary log formats in varying ways.

Windows Logging and SIEM

The Windows Operating System has four categories of logs, as shown in the structure above. Application logs pertain to applications on the operating system in conjunction with system and security logs. Security logs pertain to security-relevant accounts, objects, registry, critical system security elements, and general security functionality. System logs pertain to the operating system itself and not necessarily the applications that run outside of core functionality. The fourth category is CustomLog, which engineers or administrators can tailor for logging that may extend or combine the other three types.

Within a SIEM solution, through data normalization and structuring of Windows event logs, it is possible to create traceability points with key log events and actions throughout the log structure over periods of time. For example, using the output of the logs in the SIEM, it is possible to trace an account's logon attempts through to file access failure or success and then move through the operating system to attempts to access network assets. Development of these use cases takes significant time and maturity of operational capability. There are solutions from SIEM tools such as Splunk, Elastic, IBM QRadar (and many others) that can expedite the parsing and visualization of these event logs into actionable security operations tasks. While initially these logs are thought of as a cybersecurity incident response and alerting mechanism, organizations can maximize the value of the SIEM to fulfill continuous monitoring initiatives for any Risk Management Framework, covering many security controls with one tool.

Linux Logging and SIEM

Linux and any variation of the Unix operating system is fundamentally architected differently than the Windows operating system. This includes the logging functionality, how the system performs auditing and logging, and thus how these logs can be used in a SIEM tool. The categories of logs on Linux operating systems are Event Logs, Service Logs, Application Logs, and Application Logs.

Linux permits highly explicit monitoring of directories, files, or folders, with variable levels of alerting within the settings of the logs themselves. Any directory and file in the Linux operating system can be monitored with auditd functionality; there are often many other directories of value for SIEM use. Auditd is the daemon that enables writing of logs to disk and is controlled with the audit.ctl and audit.rules files. Within the /var/log/ structure there are many directories that would be of interest depending on the specific Linux or Unix operating system deployed. These independent directories contain logs pertinent to their operation; the log file is written in a syslog format that is parsed using regular expressions (REGEX) on the SIEM tool to enable human readability or ease of information extraction from the syslog itself. There are variations of syslog operated by rsyslog functionality that extend beyond this article.

Common Linux log files and functions (log directory and description):

  • /var/log/alternatives.log: Information from update-alternatives is logged into this file. On Ubuntu, update-alternatives maintains symbolic links determining default commands.
  • /var/log/anaconda.log: Installation-related logs
  • /var/log/apt/: Apt/apt-get command history and logs directory
  • /var/log/audit/audit.log: General system and security logs pertaining to anything on the system; highly customizable
  • /var/log/auth.log: System authorization information, including user logins and the authentication mechanisms that were used.
  • /var/log/boot.log: Logs from the boot process
  • /var/log/btmp: This file contains information about failed login attempts. Use the last command to view the btmp file, for example "last -f /var/log/btmp | more".
  • /var/log/cron: Cron daemon related logs
  • /var/log/cups: Print related logs
  • /var/log/daemon.log: Background daemon logs
  • /var/log/dmesg: Kernel ring buffer logs
  • /var/log/dpkg.log: Package installation and removal logs
  • /var/log/faillog: Login failure attempt logs
  • /var/log/httpd/: Apache logs
  • /var/log/kern.log: Kernel logs
  • /var/log/lastlog: Recent login information
  • /var/log/lighttpd/: Lighttpd access and error logs
  • /var/log/maillog: Mail server logs
  • /var/log/mail.log: Mail server logs
  • /var/log/messages: Global system message logs related to various actions: mail, cron, daemon, kern, auth, etc.
  • /var/log/mysqld.log: MySQL logs
  • /var/log/nginx/: Nginx logs
  • /var/log/secure: Authentication and authorization privilege logging, including failed logon attempts and sshd logs.
  • /var/log/syslog: General system logs
  • /var/log/user.log: Contains information about all user-level logs
  • /var/log/utmp or /var/log/wtmp: Login records
  • /var/log/wtmp or /var/log/utmp: Login records
  • /var/log/yum.log: Contains information that is logged when a package is installed using yum

Jbuchanan 1 (talk) 23:29, 29 July 2021 (UTC) Thanks Diannaa(talk)[reply]
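The draft above describes two things a SIEM does with operating system logs: parsing syslog-format lines from /var/log/auth.log with regular expressions, and normalizing Windows event records so that logon attempts can be traced across hosts. The following script is an added illustration of both steps; it is not part of the talk page draft and is not code from Splunk, Elastic, IBM QRadar or any other product. Every log line and event record in it is constructed for the example, the year prepended to syslog timestamps (SYSLOG_YEAR) is an assumption because the RFC 3164 format carries none, and the correlation threshold and window are arbitrary tuning values. The Windows event IDs 4624, 4625 and 4634 are the standard Security log IDs for successful logon, failed logon and logoff.

```python
"""Normalize Linux auth.log (syslog) and Windows Security events into one schema,
then correlate logon failures with a later success from the same source IP.

Added example for the SIEM discussion on this page, not the draft's or any
vendor's code. All sample log lines and event records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log in RFC 3164 syslog layout. The format
# has no year, so SYSLOG_YEAR is an assumption applied while parsing.
SYSLOG_YEAR = 2021
AUTH_LOG = """\
Jul 29 13:58:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jul 29 13:58:09 web01 sshd[2214]: Failed password for root from 203.0.113.5 port 41030 ssh2
Jul 29 13:58:15 web01 sshd[2219]: Accepted password for root from 203.0.113.5 port 41044 ssh2
Jul 29 14:02:30 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
Jul 29 14:03:00 web01 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Constructed Windows Security events, already structured as a collection agent
# would deliver them. 4625 = failed logon, 4624 = successful logon, 4634 = logoff.
WINDOWS_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2021-07-29T13:57:40Z", "Computer": "WKS01",
     "TargetUserName": "bob", "IpAddress": "203.0.113.5"},
    {"EventID": 4624, "TimeCreated": "2021-07-29T14:20:00Z", "Computer": "WKS01",
     "TargetUserName": "bob", "IpAddress": "10.0.0.8"},
    {"EventID": 4634, "TimeCreated": "2021-07-29T14:21:00Z", "Computer": "WKS01",
     "TargetUserName": "bob", "IpAddress": "10.0.0.8"},
]
WINDOWS_ACTIONS = {4624: "logon_success", 4625: "logon_failure"}

# REGEX parsing of the syslog envelope, then of the sshd message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_syslog_line(line):
    """Return a normalized event for an sshd logon line; None for lines that
    carry no logon outcome (a real SIEM would keep those as raw records)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    s = SSHD_RE.match(m["msg"]) if m["proc"] == "sshd" else None
    if not s:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "source": "syslog", "user": s["user"],
            "src_ip": s["ip"],
            "action": "logon_success" if s["result"] == "Accepted" else "logon_failure"}


def normalize_windows_event(rec):
    """Map a structured Windows Security record onto the same schema."""
    action = WINDOWS_ACTIONS.get(rec["EventID"])
    if action is None:
        return None
    ts = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": rec["Computer"], "source": "windows",
            "user": rec["TargetUserName"], "src_ip": rec["IpAddress"], "action": action}


def normalize_all(auth_log=AUTH_LOG, win_events=WINDOWS_EVENTS):
    """Both log types in one time-ordered list: the normalization step."""
    events = [parse_syslog_line(line) for line in auth_log.splitlines()]
    events += [normalize_windows_event(rec) for rec in win_events]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def find_failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Traceability use case: a logon success preceded, within `window`, by at
    least `threshold` failures from the same source IP, across hosts and OSes."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for e in evs:
            if e["action"] != "logon_success":
                continue
            failures = [f for f in evs if f["action"] == "logon_failure"
                        and e["ts"] - window <= f["ts"] < e["ts"]]
            if len(failures) >= threshold:
                alerts.append({"src_ip": ip, "user": e["user"], "host": e["host"],
                               "ts": e["ts"], "failures": len(failures),
                               "sources": sorted({f["source"] for f in failures} | {e["source"]})})
    return alerts


if __name__ == "__main__":
    for alert in find_failures_then_success(normalize_all()):
        print(alert)
```

On the constructed input the one alert ties a Windows 4625 on WKS01 to two sshd failures and a success on web01, all from the same source address, which is the cross-host trace the draft describes; the CRON line and the 4634 logoff are dropped at normalization because they carry no logon outcome.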

You can't add that without supporting citations. Please see Wikipedia:Reliable sources for identifying acceptable reliable sources for Wikipedia editing. — Diannaa (talk) 00:24, 30 July 2021 (UTC)[reply]