
There are a lot of excellent resources to sharpen your pentesting skills (like Hackthebox, Vulnhub, Juiceshop, Burp Suite Academy and so on), but I couldn't find something similar for forensics, especially log file analysis.

I thought about setting up my own system (e.g., WordPress with an intentionally vulnerable plugin), attacking it and then checking the logs, but in this case I would pretty much know what to look for.

So is there a more realistic way of learning and practicing log file analysis?

nobody

1 Answer


Logs are artifacts of a system to give you a record of what the system did or processed. This means the focus is the system, not the logs.

So, "learning log analysis" is not what you need to do. You need to learn the system. And, yes, knowing what different attacks look like in different systems' logs can be useful.

Aside from that, the general analysis skills you might need to know are general data analysis, statistical analysis, and hypothesis testing. To focus your learning, I would sign up for courses offered by log aggregation tools or SIEMs. Splunk is a major player in this space (I am not affiliated) and they have free courses and a version of their product is free.

schroeder
    This is good advice even for other types of analysis. Learning what a normal, healthy system looks like is the first step to learning to detect attacks on that system, no matter what data you are analyzing to look for attacks. – Austin Hemmelgarn Jun 18 '21 at 13:45
  • Extending @schroeder's comment, you may identify deviant patterns in your logs through regular expressions, i.e., imagine that a successful authentication line contains `AAAA-MM-DD HH:MM:SS user 'userName' successfully authenticated` and a failed one is `AAAA-MM-DD HH:MM:SS user 'userName' failed authentication`. Then if you search for `^\d+-\d+-\d+.*user.*authenticat(ed|ion).*$` you can easily get a glimpse if someone is brute-forcing their way into your system or not and which user names are being tested. – mjoao Jun 18 '21 at 18:10
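Taking the regex idea from the last comment one step further, the following is an added example and not part of the original question, answer or comments. It runs detection logic over a handful of constructed log lines in the hypothetical format the comment describes: a named-group version of the regex pulls out timestamp, user name and outcome, a baseline count shows what the file looks like overall (the "know what normal looks like" point from the first comment), and two checks flag the classic deviations: one user name failing many times in a short window (brute force) and many distinct user names each failing once in a short window (password spraying). The log format, the sample lines, the user names, the window and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in the hypothetical format described in the comment.
# The "kernel:" line stands in for the unrelated traffic a real log file carries.
SAMPLE_LOG = """\
2021-06-18 13:40:01 user 'alice' successfully authenticated
2021-06-18 13:40:05 user 'bob' failed authentication
2021-06-18 13:40:09 user 'bob' successfully authenticated
2021-06-18 13:41:00 kernel: unrelated noise line
2021-06-18 13:42:10 user 'admin' failed authentication
2021-06-18 13:42:11 user 'admin' failed authentication
2021-06-18 13:42:12 user 'admin' failed authentication
2021-06-18 13:42:13 user 'admin' failed authentication
2021-06-18 13:42:14 user 'admin' failed authentication
2021-06-18 13:42:15 user 'admin' failed authentication
2021-06-18 13:50:00 user 'carol' failed authentication
2021-06-18 13:50:01 user 'dave' failed authentication
2021-06-18 13:50:02 user 'erin' failed authentication
2021-06-18 13:50:03 user 'frank' failed authentication
2021-06-18 13:55:00 user 'alice' successfully authenticated
"""

# Named-group version of the comment's regex: the same lines match, but the
# timestamp, user name and outcome are captured instead of only the whole line.
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user '(?P<user>[^']+)' "
    r"(?P<outcome>successfully authenticated|failed authentication)$"
)


def parse_auth_events(text):
    """Return (timestamp, user, succeeded) tuples; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["outcome"] == "successfully authenticated"))
    return events


def outcome_counts(events):
    """Baseline view of the whole file: how many successes versus failures it contains."""
    return Counter("ok" if ok else "failed" for _, _, ok in events)


def failed_auth_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Brute-force check: per user, the most failures inside any sliding `window`.

    Returns only users whose peak reaches `threshold`, mapped to that peak.
    A single failure followed by success (a mistyped password) is not flagged.
    """
    failures = {}
    for ts, user, ok in events:
        if not ok:
            failures.setdefault(user, []).append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def spray_candidates(events, min_users=3, window=timedelta(minutes=1)):
    """Password-spraying check: distinct user names that failed within one `window`.

    Returns the user set of the densest window if it holds at least `min_users`,
    otherwise an empty set. Each user may fail only once, so a per-user threshold
    would never trigger; counting distinct names per window catches it.
    """
    times = sorted((ts, user) for ts, user, ok in events if not ok)
    best = set()
    for i, (start_ts, _) in enumerate(times):
        users = {u for ts, u in times[i:] if ts - start_ts <= window}
        if len(users) > len(best):
            best = users
    return best if len(best) >= min_users else set()


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    print("baseline:", dict(outcome_counts(evs)))
    print("brute force:", failed_auth_bursts(evs))
    print("spraying:", spray_candidates(evs))
```

On the constructed input the baseline alone already says something is off (far more failures than successes), the burst check singles out `admin`, and the spray check groups `carol`, `dave`, `erin` and `frank` while leaving `bob`'s single typo alone. The comment's looser pattern `^\d+-\d+-\d+.*user.*authenticat(ed|ion).*$` selects the same lines; the stricter regex here only adds the capture groups needed to count by user and time. Adjust the format, window and thresholds to whatever system you are actually studying, which is the answer's point: the regex is the easy part, knowing the system's normal is the skill.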