ELI5: What is Log Management?
Every time someone walks through a door in a building, a security camera records it. Logs are like those recordings, but for computers — they write down who did what and when. Log management means collecting all those recordings from every door in every building, putting them in one place, and keeping them organized so that if something goes wrong, you can rewind and figure out exactly what happened.
Overview
Log management is the practice of collecting, centralizing, storing, and analyzing log data generated by operating systems, applications, network devices, and security tools. Proper log management is essential for incident detection, forensic investigation, compliance, and operational troubleshooting. Without centralized logging, security events across the environment remain fragmented and difficult to correlate.
Key Concepts
- Log sources: OS event logs, firewall logs, IDS/IPS alerts, authentication logs, application logs, DNS query logs, proxy logs
- Syslog: Standard message format (RFC 5424) and transport for shipping log records to a central collector; carried over UDP 514 (no delivery guarantee, no encryption), TCP 514, or TLS on TCP 6514 (RFC 5425), the only one of the three that protects records in transit
- Centralized logging: Aggregating logs from all sources into a single repository for unified analysis
- Log forwarding agents: Software installed on endpoints to collect and send logs to central systems
- NTP synchronization: All systems must sync to the same trusted time source, and timestamps should carry an explicit UTC offset (or be logged in UTC) — accurate, comparable timestamps are critical for event correlation
- Log retention policies: Defining how long logs are stored based on regulatory and organizational requirements
- Log integrity: Protecting logs from tampering using write-once storage, hashing, or digital signatures
- Windows Event Log: Security, System, and Application logs; Event IDs like 4625 (failed login) and 4624 (successful login)
- journald: Linux systemd journal for structured logging
- rsyslog: Enhanced syslog daemon with TCP support, filtering, and database output
- syslog-ng: Advanced syslog with content-based filtering, flexible configuration, and TLS encryption
- journalctl: Queries systemd journal; filters by unit, priority, or time range
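The following is an added example, not code from the original page, that walks the pipeline described in the list above end to end in Python: it builds RFC 5424 messages with UTC timestamps, frames them with RFC 6587 octet counting the way a TCP/TLS forwarding agent would, parses them back on the collector, and stores the received copies in a SHA-256 hash chain so that an edited or deleted line is detectable (one form of the hashing-based integrity control listed above; a real deployment would also anchor the chain head on a system the log host cannot write to). The hostname, addresses, process ids and message text are constructed sample data.

```python
"""Syslog pipeline end to end: build RFC 5424 messages, frame them for TCP/TLS
with RFC 6587 octet counting, parse them on the collector, and keep the stored
copies in a SHA-256 hash chain so that edits, reorders and deletions show up.
Added example, not from the original page; every event below is constructed."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_message(facility, severity, ts, host, app, msg, procid="-", msgid="-"):
    """One RFC 5424 line; timestamp normalised to UTC so the collector never
    has to guess a source's local offset when correlating."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {stamp} {host} {app} {procid} {msgid} - {msg}"

def frame(messages):
    """Forwarder side: RFC 6587 octet counting ('MSG-LEN SP SYSLOG-MSG'), which
    unlike newline delimiting survives message bodies that contain newlines."""
    out = bytearray()
    for m in messages:
        data = m.encode("utf-8")
        out += f"{len(data)} ".encode("ascii") + data
    return bytes(out)

def deframe(stream):
    """Collector side: split an octet-counted byte stream back into messages."""
    msgs, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        msgs.append(stream[sp + 1:sp + 1 + n].decode("utf-8"))
        i = sp + 1 + n
    return msgs

HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) "
                    r"(-|(?:\[[^\]]*\])+)(?: (.*))?$", re.S)

def parse(line):
    """Decode PRI and header fields; the timestamp becomes an aware UTC datetime."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line)
    pri = int(m.group(1))
    ts = datetime.fromisoformat(m.group(2).replace("Z", "+00:00"))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": ts.astimezone(timezone.utc), "host": m.group(3),
            "app": m.group(4), "procid": m.group(5), "msgid": m.group(6),
            "sd": m.group(7), "msg": m.group(8) or ""}

# Chain head for an empty store. Keep it, and the latest digest, somewhere the
# log host itself cannot rewrite (a separate system or a signed record).
GENESIS = "0" * 64

def hash_chain(messages, prev=GENESIS):
    """Store each line with a digest that also commits to the previous digest."""
    entries = []
    for m in messages:
        prev = hashlib.sha256((prev + "\n" + m).encode("utf-8")).hexdigest()
        entries.append((m, prev))
    return entries

def verify_chain(entries, prev=GENESIS):
    """Return the index of the first entry whose digest does not match, or -1."""
    for i, (m, digest) in enumerate(entries):
        prev = hashlib.sha256((prev + "\n" + m).encode("utf-8")).hexdigest()
        if prev != digest:
            return i
    return -1

# Constructed sample events from a host whose local clock runs at UTC+02:00.
CEST = timezone(timedelta(hours=2))
SAMPLE = [
    build_message("authpriv", "notice", datetime(2024, 5, 1, 14, 0, 0, tzinfo=CEST),
                  "web01", "sshd", "Failed password for invalid user admin "
                  "from 203.0.113.5 port 51022 ssh2", procid="2211"),
    build_message("local0", "warning", datetime(2024, 5, 1, 14, 1, 30, tzinfo=CEST),
                  "web01", "app", "multi-line\nmessage body survives framing"),
]

def demo():
    """Forward SAMPLE over a simulated TCP stream, parse it, then show that an
    edited line and a deleted line are both caught by the chain check."""
    received = deframe(frame(SAMPLE))
    entries = hash_chain(received)
    edited = list(entries)
    edited[0] = (edited[0][0].replace("203.0.113.5", "10.0.0.1"), edited[0][1])
    return {"roundtrip_ok": received == SAMPLE,
            "first_ts_utc": parse(received[0])["timestamp"].isoformat(),
            "first_severity": parse(received[0])["severity"],
            "intact": verify_chain(entries),          # -1
            "edited_at": verify_chain(edited),        # 0
            "deleted_at": verify_chain(entries[1:])}  # 0: gap before entry 1

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 14:00 local event arrives at the collector stamped 12:00:00Z, which is the whole point of the NTP/UTC item: two sources in different zones can be laid on one timeline without guesswork. The chain check catches both the edited address and the missing first line; what it cannot catch is truncation of the tail, which is why the newest digest has to live off the log host.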
Exam Tips
Remember
Time synchronization (NTP) is CRITICAL — without consistent timestamps, you cannot correlate events across systems. Key Windows Event IDs: 4624 = logon success, 4625 = logon failure, 4648 = explicit credential use.
- Logs should be stored on a separate, secured system — attackers often wipe local logs
- Regulatory requirements (HIPAA, PCI-DSS, SOX) dictate minimum retention periods
- Ensure logs cannot be modified — integrity is essential for forensic and legal use
Connections
- Primary data source for SIEM platforms to perform correlation and alerting
- Essential evidence source for digital forensics investigations and timeline reconstruction
- Incident response depends on complete and accurate logs for the detection and analysis phases
- Supports compliance by providing the audit trails required by regulations
Practice Questions
Q-Bank: Log Management (4 Questions)
Q1. A forensic investigator is trying to correlate events across a web server, a firewall, and an authentication server. The timestamps in the logs from each system differ by several minutes, making it impossible to establish an accurate timeline. What is the MOST likely cause?
A. The log files have been tampered with by an attacker
B. The systems are not synchronized to a common NTP time source
C. The log retention policies differ across the systems
D. The systems are using different log formats
Answer: B. The systems are not synchronized to a common NTP time source
NTP synchronization is critical for log correlation — without consistent timestamps across all systems, event correlation becomes unreliable. Option A is possible but less likely than a configuration oversight. Option C affects how long logs are kept, not timestamp accuracy. Option D affects log parsing but not timestamp consistency.
Q2. A security team discovers that an attacker gained access to a server and deleted all local security logs to cover their tracks. Which control would BEST prevent this from impacting the investigation?
A. Increasing the local log file size limit
B. Forwarding logs in real time to a centralized, secured logging server
C. Encrypting the local log files on the server
D. Configuring more verbose logging on the server
Answer: B. Forwarding logs in real time to a centralized, secured logging server
Centralized logging with real-time log forwarding ensures that copies of all logs exist on a separate, secured system that attackers cannot easily access. Even if local logs are deleted, the forwarded copies remain intact. Option A only delays the problem — larger files can still be deleted. Option C prevents reading but not deletion. Option D generates more detail but is equally vulnerable to local deletion.
Q3. A compliance officer asks the security team how long firewall logs are retained. The team discovers there is no formal policy and logs are automatically overwritten after 30 days. The organization is subject to PCI-DSS requirements. What is the PRIMARY concern?
A. The firewall logs are using too much storage space
B. The organization may fail compliance audits due to insufficient log retention
C. The firewall is generating too many log entries
D. The log format is not compatible with the SIEM platform
Answer: B. The organization may fail compliance audits due to insufficient log retention
Log retention policies must align with regulatory requirements. PCI-DSS (Requirement 10) requires at least one year of log retention with three months immediately available. Without formal policies, the organization risks compliance violations. Option A is an operational concern, not a compliance risk. Option C relates to log volume, not retention. Option D relates to integration, not regulatory compliance.
Q4. A Windows domain controller shows Event ID 4625 occurring 500 times within five minutes from a single source IP, followed by a single Event ID 4624 from the same IP. What does this pattern MOST likely indicate?
A. A scheduled service restarting and re-authenticating normally
B. A successful brute-force password attack after many failed attempts
C. A misconfigured NTP synchronization setting
D. Normal Active Directory replication traffic
Answer: B. A successful brute-force password attack after many failed attempts
Event ID 4625 indicates failed logon attempts and Event ID 4624 indicates a successful logon. Five hundred failures followed by a success from the same IP is the classic signature of a brute-force attack. Option A would not generate hundreds of failures from one IP. Option C relates to time synchronization, not authentication events. Option D involves machine accounts, not repeated failures from a single source.
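The 4625-burst-then-4624 pattern from Q4 (using the Event IDs from the Remember box) written as detection logic, an added example in Python that is not part of the original page. Events are represented as dicts whose keys mirror the Security log fields (EventID, TimeCreated, IpAddress, TargetUserName, LogonType); the 500-failure brute force, a password spray that never succeeds, and a benign retrying service account are all constructed sample data with invented addresses and account names.

```python
"""Detect the Q4 pattern in Windows Security events: a burst of Event ID 4625
(failed logon) from one source address inside a sliding window, followed by a
4624 (successful logon) from the same address. Added example, not from the
original page; the events are constructed and the addresses/accounts invented.
Field names mirror the Security log (EventID, TimeCreated, IpAddress,
TargetUserName, LogonType), as exported by Get-WinEvent or a SIEM."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 20   # failed logons from one source inside WINDOW before we care

def detect_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return (alerts, open_bursts). A source that reaches `threshold` failures
    inside `window` is a burst; if a 4624 from it follows within `window` of
    the last failure it becomes an alert, otherwise it stays in open_bursts
    (ip -> peak failure count): a spray or brute force that has not succeeded."""
    recent = defaultdict(deque)   # ip -> timestamps of 4625s inside the window
    targets = defaultdict(set)    # ip -> account names tried
    bursts, last_fail, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ip, t = ev["IpAddress"], ev["TimeCreated"]
        q = recent[ip]
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["EventID"] == 4625:
            q.append(t)
            last_fail[ip] = t
            targets[ip].add(ev["TargetUserName"])
            if len(q) >= threshold:
                bursts[ip] = max(len(q), bursts.get(ip, 0))
        elif (ev["EventID"] == 4624 and ip in bursts
              and t - last_fail[ip] <= window):
            alerts.append({"source": ip, "failures": bursts.pop(ip),
                           "accounts_tried": len(targets[ip]),
                           "account": ev["TargetUserName"],
                           "logon_type": ev.get("LogonType"), "success_at": t})
            q.clear(); targets[ip].clear()   # one alert per burst
    return alerts, bursts

def _event(eid, t, ip, user, logon_type=3):
    return {"EventID": eid, "TimeCreated": t, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}

T0 = datetime(2024, 5, 1, 12, 0, 0)

def sample_events():
    """Constructed Security-log extract: the Q4 brute force, a password spray
    with no success, and a benign service account that retries after a restart."""
    evs = []
    for i in range(500):   # 500 failures in five minutes, one account, then success
        evs.append(_event(4625, T0 + timedelta(milliseconds=600 * i),
                          "203.0.113.5", "administrator"))
    evs.append(_event(4624, T0 + timedelta(seconds=301), "203.0.113.5",
                      "administrator", 10))
    for i in range(40):    # spray: 40 accounts, one try each, 10 s apart, no success
        evs.append(_event(4625, T0 + timedelta(seconds=10 * i),
                          "198.51.100.9", f"user{i:02d}"))
    for i in range(3):     # benign: three retries then success, far below threshold
        evs.append(_event(4625, T0 + timedelta(seconds=i), "10.0.0.8", "svc-backup", 5))
    evs.append(_event(4624, T0 + timedelta(seconds=4), "10.0.0.8", "svc-backup", 5))
    return evs

if __name__ == "__main__":
    alerts, open_bursts = detect_bruteforce(sample_events())
    for a in alerts:
        print(f"ALERT {a['source']}: {a['failures']} failures across "
              f"{a['accounts_tried']} account(s), then logon as {a['account']} "
              f"(type {a['logon_type']}) at {a['success_at']:%H:%M:%S}")
    for ip, n in open_bursts.items():
        print(f"burst without success from {ip}: peak {n} failures in {WINDOW}")
```

The spray source never produces an alert because it never logs on, but it does show up in open_bursts with one account per attempt, which is the signature that separates spraying from the single-account brute force in Q4; the service account's three retries stay under the threshold and generate nothing. Two practical caveats: the threshold and window are assumptions to tune per environment, and on a domain controller only NTLM and local failures arrive as 4625, while failed Kerberos pre-authentication is logged as 4771, so a DC-side rule should watch both.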
Scenario
See case-log-management for a practical DevOps scenario applying these concepts.