Log Analysis

Log analysis is the systematic examination of log files to identify security incidents, unauthorized access, system anomalies, and attack patterns

The 5 W's of Log Analysis

• Who: Which user, service, or system generated the event?

• What: What action or event occurred?

• When: At what date and time did it happen?

• Where: On which system, service, or component?

• Why: What was the context or trigger for the event?

Analysis Approach

1. Baseline Normal: Understand what normal looks like

2. Identify Anomalies: Detect deviations from baseline

3. Correlate Events: Connect related activities across logs

4. Build Timeline: Reconstruct sequence of events

5. Validate Findings: Confirm suspicions with multiple sources

Essential Log Analysis Commands

Basic Log Viewing

View with pagination

less /var/log/logfile
more /var/log/logfile

View a specific number of line

tail -n 50 /var/log/logfile
head -n 50 /var/log/logfile

Follow mode (live updates)

tail -f /var/log/logfile

View specific line range

sed -n '100,200p' /var/log/logfile
awk 'NR>=100 && NR<=200' /var/log/logfile

Pattern Searching

Basic case-sensitive search

grep "pattern" /var/log/logfile

Case-insensitive search (-i is crucial for log analysis)

grep -i "pattern" /var/log/logfile

Multiple patterns (OR logic)

grep -i "pattern1\|pattern2\|pattern3" /var/log/logfile
grep -iE "pattern1|pattern2|pattern3" /var/log/logfile    # Extended regex

grep -i -A 5 "pattern" /var/log/logfile    # 5 lines After match
grep -i -B 5 "pattern" /var/log/logfile    # 5 lines Before match
grep -i -C 5 "pattern" /var/log/logfile    # 5 lines of Context (both)

Invert match (exclude pattern)

grep -v "pattern" /var/log/logfile
grep -iv "INFO\|DEBUG" /var/log/logfile

Count matching lines

grep -i "pattern" /var/log/logfile | wc -l

Show only filenames with matches

grep -l "pattern" /var/log/*.log

Show line numbers

grep -n "pattern" /var/log/logfile

Recursive search in directory

grep -r "pattern" /var/log/ 2>/dev/null
grep -ri "pattern" /var/log/ 2>/dev/null

Advanced Filtering

Print specific columns (space-delimited)

awk '{print $1, $2, $3}' /var/log/logfile

Print specific columns (custom delimiter)

awk -F':' '{print $1, $3}' /var/log/logfile
awk -F',' '{print $2, $5}' /var/log/logfile

Filter by column value

awk '$3 == "FAILED"' /var/log/logfile
awk '$1 ~ /192.168/ {print $0}' /var/log/logfile   # Pattern match in column 1

Filter by numeric comparison

awk '$5 > 100' /var/log/logfile                # Column 5 greater than 100
awk '$2 >= 500 && $2 < 600' /var/log/logfile   # Status codes 500-599

Combine awk with grep

grep "pattern" /var/log/logfile | awk '{print $1, $7}'

Count occurrences by field

awk '{print $1}' /var/log/logfile | sort | uniq -c | sort -rn

# Date/time filtering

awk '$1 == "2025-12-29" && $2 >= "05:00:00" && $2 <= "06:00:00"' /var/log/logfile

Sorting and Uniqueness

Sort alphabetically

sort /var/log/logfile

Sort numerically

sort -n /var/log/logfile

Reverse sort

sort -r /var/log/logfile

Sort by specific column

sort -k 3 /var/log/logfile              # Sort by 3rd column
sort -t',' -k2 /var/log/logfile         # Sort by 2nd column, comma delimiter

Remove duplicate lines

sort /var/log/logfile | uniq

Count and sort duplicates

sort /var/log/logfile | uniq -c | sort -rn

Show only unique lines

sort /var/log/logfile | uniq -u

Show only duplicate lines

sort /var/log/logfile | uniq -d

Counting and Statistics

Count total lines

wc -l /var/log/logfile

Count words

wc -w /var/log/logfile

Count characters

wc -c /var/log/logfile

Count occurrences of pattern

grep -c "pattern" /var/log/logfile
grep -i "pattern" /var/log/logfile | wc -l   # Alternative

Frequency analysis

cut -d' ' -f1 /var/log/logfile | sort | uniq -c | sort -rn | head -20

Authentication Log Analysis

Common Authentication Events

Successful SSH logins

grep -i "Accepted password\|Accepted publickey" /var/log/auth.log

Failed SSH login attempts

grep -i "Failed password" /var/log/auth.log

Invalid user attempts

grep -i "Invalid user" /var/log/auth.log

Root login attempts

grep -i "Failed password for root" /var/log/auth.log

Session events

grep -i "session opened\|session closed" /var/log/auth.log

Sudo usage

grep -i "sudo.*COMMAND" /var/log/auth.log
grep -i "sudo.*root" /var/log/auth.log

User switching

grep -i "su\[" /var/log/auth.log

Session Analysis

Extract specific session by PID

grep "sshd\[12345\]" /var/log/auth.log

Pattern: Find session PIDs for specific IP

grep "192.168.1.100" /var/log/auth.log | grep "Accepted" | awk '{print $NF}' | grep -oP 'sshd\[\K[0-9]+' | sort -u

Analyze complete session activity

SESSION_PID="12345"
grep "sshd\[$SESSION_PID\]" /var/log/auth.log

Calculate session duration

grep "sshd\[12345\]" /var/log/auth.log | grep "session opened"
grep "sshd\[12345\]" /var/log/auth.log | grep "session closed"

Automated vs Manual Detection

Automated attack indicators

Rapid succession of attempts (seconds apart)
Successful login immediately followed by logout
Session duration of < 10 seconds
Dictionary attack pattern (sequential common usernames)

Manual attack indicators

Session duration of minutes/hours
Commands executed during session
Multiple failed attempts with breaks in between
Successful login with sustained connection

• Check Brute Force Analysisfor more details.

Application Log Analysis

Identify the Service and Version

Look for startup messages

grep -i "starting\|started\|version\|build" /var/log/application.log | head -20

Common version identifiers

grep -i "buildinfo\|build info\|version" /var/log/application.log

grep -i "init\|initialized" /var/log/application.log

Identify log levels

grep -oE "ERROR|WARN|INFO|DEBUG|FATAL" /var/log/application.log | sort | uniq -c

High-Frequency Activity

Connections per minute (adjust field numbers based on your log format)

awk '{print $1, $2}' /var/log/application.log | cut -d':' -f1-2 | uniq -c | sort -rn | head -20

Events from specific IP

grep "192.168.1.100" /var/log/application.log | wc -l

Compare Normal hour vs suspicious hour

awk '$1 == "2025-12-29" && $2 >= "04:00:00" && $2 <= "05:00:00"' /var/log/application.log | wc -l
awk '$1 == "2025-12-29" && $2 >= "05:00:00" && $2 <= "06:00:00"' /var/log/application.log | wc -l

Error Pattern Analysis

Types of errors

grep -i "ERROR\|EXCEPTION\|FAILED\|FATAL" /var/log/application.log | awk '{print $4, $5, $6}' | sort | uniq -c | sort -rn

Error burst detection (many errors in short time)

grep -i "ERROR" /var/log/application.log | awk '{print $1, $2}' | cut -d':' -f1-2 | uniq -c | sort -rn

Specific error tracking

grep -i "ConnectionRefused\|Timeout\|Unauthorized" /var/log/application.log

Geographic/Network Anomalies

Extract all IP addresses

grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/application.log | sort | uniq -c | sort -rn

Connections from private IP ranges

grep -E '10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.' /var/log/application.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u

Unusual ports

grep -oE ':[0-9]{1,5}' /var/log/application.log | sort | uniq -c | sort -rn

Web Server Log Analysis

Access Log Analysis

# Top requesting IPs
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

# Top requested URLs
awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

# HTTP status code distribution
awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -rn

# Requests by status code
grep '" 404 ' /var/log/nginx/access.log | wc -l      # Not found
grep '" 500 ' /var/log/nginx/access.log | wc -l      # Server errors
grep '" 403 ' /var/log/nginx/access.log | wc -l      # Forbidden

# User agents
awk -F'"' '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

# Large responses (potential data exfiltration)
awk '$10 > 1000000 {print $1, $7, $10}' /var/log/nginx/access.log

# POST requests (often used for uploading web shells)
grep '"POST ' /var/log/nginx/access.log