Log Analysis

Log analysis is the systematic examination of log files to identify security incidents, unauthorized access, system anomalies, and attack patterns

The 5 W's of Log Analysis

• Who: Which user, service, or system generated the event?

• What: What action or event occurred?

• When: At what date and time did it happen?

• Where: On which system, service, or component?

• Why: What was the context or trigger for the event?

Log Analysis Checklist

Initial Assessment

• Identify all relevant log sources

• Verify log timestamps and timezone

• Check for log rotation and missing periods

• Understand log format and structure

Pattern Identification

• Establish baseline for normal activity

• Calculate event frequencies (per minute/hour/day)

• Identify unique IPs, users, or identifiers

• Look for error messages and anomalies

Anomaly Detection

• Search for high-frequency events

• Identify unexpected error patterns

• Detect unusual timing (off-hours activity)

• Find geographic anomalies

Attack Indicators

• Check for brute force attempts

• Look for exploitation signatures

• Identify reconnaissance activity

• Search for persistence mechanisms

Correlation & Timeline

• Build comprehensive timeline

• Correlate events across multiple logs

• Track specific entities (IPs, users, sessions)

• Reconstruct attack chain

Documentation

• Record all commands used

• Document findings with evidence

• Note timestamps and sources

• Preserve relevant log excerpts

Essential Log Analysis Commands

Basic Log Viewing

View with pagination

less /var/log/logfile
more /var/log/logfile

View a specific number of line

tail -n 50 /var/log/logfile
head -n 50 /var/log/logfile

Follow mode (live updates)

tail -f /var/log/logfile

View specific line range

sed -n '100,200p' /var/log/logfile
awk 'NR>=100 && NR<=200' /var/log/logfile

Pattern Searching

Basic case-sensitive search

grep "pattern" /var/log/logfile

Case-insensitive search (-i is crucial for log analysis)

grep -i "pattern" /var/log/logfile

Multiple patterns (OR logic)

grep -i "pattern1\|pattern2\|pattern3" /var/log/logfile
grep -iE "pattern1|pattern2|pattern3" /var/log/logfile    # Extended regex

Search with context

grep -i -A 5 "pattern" /var/log/logfile    # 5 lines After match
grep -i -B 5 "pattern" /var/log/logfile    # 5 lines Before match
grep -i -C 5 "pattern" /var/log/logfile    # 5 lines of Context (both)

Invert match (exclude pattern)

grep -v "pattern" /var/log/logfile
grep -iv "INFO\|DEBUG" /var/log/logfile

Count matching lines

grep -i "pattern" /var/log/logfile | wc -l

Show only filenames with matches

grep -l "pattern" /var/log/*.log

Show line numbers

grep -n "pattern" /var/log/logfile

Recursive search in directory

grep -r "pattern" /var/log/ 2>/dev/null
grep -ri "pattern" /var/log/ 2>/dev/null

Advanced Filtering

Print specific columns (space-delimited)

awk '{print $1, $2, $3}' /var/log/logfile

Print specific columns (custom delimiter)

awk -F':' '{print $1, $3}' /var/log/logfile
awk -F',' '{print $2, $5}' /var/log/logfile

Filter by column value

awk '$3 == "FAILED"' /var/log/logfile
awk '$1 ~ /192.168/ {print $0}' /var/log/logfile   # Pattern match in column 1

Filter by numeric comparison

awk '$5 > 100' /var/log/logfile                # Column 5 greater than 100
awk '$2 >= 500 && $2 < 600' /var/log/logfile   # Status codes 500-599

Combine awk with grep

grep "pattern" /var/log/logfile | awk '{print $1, $7}'

Count occurrences by field

awk '{print $1}' /var/log/logfile | sort | uniq -c | sort -rn

# Date/time filtering

awk '$1 == "2025-12-29" && $2 >= "05:00:00" && $2 <= "06:00:00"' /var/log/logfile

Sorting and Uniqueness

Sort alphabetically

sort /var/log/logfile

Sort numerically

sort -n /var/log/logfile

Reverse sort

sort -r /var/log/logfile

Sort by specific column

sort -k 3 /var/log/logfile              # Sort by 3rd column
sort -t',' -k2 /var/log/logfile         # Sort by 2nd column, comma delimiter

Remove duplicate lines

sort /var/log/logfile | uniq

Count and sort duplicates

sort /var/log/logfile | uniq -c | sort -rn

Show only unique lines

sort /var/log/logfile | uniq -u

Show only duplicate lines

sort /var/log/logfile | uniq -d

Exclude common false positives

grep -v "healthcheck\|monitor\|probe" /var/log/application.log

Counting and Statistics

Count total lines

wc -l /var/log/logfile

Count words

wc -w /var/log/logfile

Count characters

wc -c /var/log/logfile

Count occurrences of pattern

grep -c "pattern" /var/log/logfile
grep -i "pattern" /var/log/logfile | wc -l   # Alternative

Frequency analysis

cut -d' ' -f1 /var/log/logfile | sort | uniq -c | sort -rn | head -20

Count unique IPs

grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/logfile | sort -u | wc -l

Authentication Log Analysis

Common Authentication Events

Successful SSH logins

grep -i "Accepted password\|Accepted publickey" /var/log/auth.log

Failed SSH login attempts

grep -i "Failed password" /var/log/auth.log

Failed logins by username

grep "Failed password" /var/log/auth.log | awk '{print $(NF-5)}' | sort | uniq -c | sort -rn

Invalid user attempts

grep -i "Invalid user" /var/log/auth.log

Root login attempts

grep -i "Failed password for root" /var/log/auth.log

Session events

grep -i "session opened\|session closed" /var/log/auth.log

Sudo usage

grep -i "sudo.*COMMAND" /var/log/auth.log
grep -i "sudo.*root" /var/log/auth.log

User switching

grep -i "su\[" /var/log/auth.log

Session Analysis

Extract specific session by PID

grep "sshd\[12345\]" /var/log/auth.log

Pattern: Find session PIDs for specific IP

grep "192.168.1.100" /var/log/auth.log | grep "Accepted" | awk '{print $NF}' | grep -oP 'sshd\[\K[0-9]+' | sort -u

Analyze complete session activity

SESSION_PID="12345"
grep "sshd\[$SESSION_PID\]" /var/log/auth.log

Calculate session duration

grep "sshd\[12345\]" /var/log/auth.log | grep "session opened"
grep "sshd\[12345\]" /var/log/auth.log | grep "session closed"

Find long-running sessions

grep "session opened" /var/log/auth.log | awk '{print $1, $2, $3, $11}' > /tmp/opened.txt
grep "session closed" /var/log/auth.log | awk '{print $1, $2, $3, $11}' > /tmp/closed.txt

Automated vs Manual Detection

Automated attack indicators

Rapid succession of attempts (seconds apart)
Successful login immediately followed by logout
Session duration of < 10 seconds
Dictionary attack pattern (sequential common usernames)

Manual attack indicators

Session duration of minutes/hours
Commands executed during session
Multiple failed attempts with breaks in between
Successful login with sustained connection

• Check Brute Force Analysisfor more details.

Application Log Analysis

Identify the Service and Version

Look for startup messages

grep -i "starting\|started\|version\|build" /var/log/application.log | head -20

Common version identifiers

grep -i "buildinfo\|build info\|version" /var/log/application.log

Service initialization

grep -i "init\|initialized" /var/log/application.log

Identify log levels

grep -oE "ERROR|WARN|INFO|DEBUG|FATAL" /var/log/application.log | sort | uniq -c

High-Frequency Activity

Connections per minute (adjust field numbers based on your log format)

awk '{print $1, $2}' /var/log/application.log | cut -d':' -f1-2 | uniq -c | sort -rn | head -20

Events from specific IP

grep "192.168.1.100" /var/log/application.log | wc -l

Compare Normal hour vs suspicious hour

awk '$1 == "2025-12-29" && $2 >= "04:00:00" && $2 <= "05:00:00"' /var/log/application.log | wc -l
awk '$1 == "2025-12-29" && $2 >= "05:00:00" && $2 <= "06:00:00"' /var/log/application.log | wc -l

Error Pattern Analysis

Types of errors

grep -i "ERROR\|EXCEPTION\|FAILED\|FATAL" /var/log/application.log | awk '{print $4, $5, $6}' | sort | uniq -c | sort -rn

Error burst detection (many errors in short time)

grep -i "ERROR" /var/log/application.log | awk '{print $1, $2}' | cut -d':' -f1-2 | uniq -c | sort -rn

Specific error tracking

grep -i "ConnectionRefused\|Timeout\|Unauthorized" /var/log/application.log

Geographic/Network Anomalies

Extract all IP addresses

grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/application.log | sort | uniq -c | sort -rn

Connections from private IP ranges

grep -E '10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.' /var/log/application.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u

Unusual ports

grep -oE ':[0-9]{1,5}' /var/log/application.log | sort | uniq -c | sort -rn

Web Server Log Analysis

Access Log Analysis

Top requesting IPs

awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

Top requested URLs

awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

HTTP status code distribution

awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -rn

Requests by status code

grep '" 404 ' /var/log/nginx/access.log | wc -l      # Not found
grep '" 500 ' /var/log/nginx/access.log | wc -l      # Server errors
grep '" 403 ' /var/log/nginx/access.log | wc -l      # Forbidden

Requests by hour

awk '{print substr($4,2,14)}' access.log | cut -d':' -f1-2 | uniq -c

User agents

awk -F'"' '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

Large responses

awk '$10 > 1000000 {print $1, $7, $10}' /var/log/nginx/access.log

POST requests

grep '"POST ' /var/log/nginx/access.log

SQL Injection Attempts

grep -i "union.*select\|concat.*char\|exec.*sp_\|' or '1'='1" /var/log/nginx/access.log

URL-encoded SQLi patterns

grep -i "%27\|%20or%20\|%20union%20" /var/log/nginx/access.log

Command Injection

grep -i "|.*sh\|;.*sh\|&&.*ls\|../.*etc/passwd" /var/log/nginx/access.log

Path Traversal

grep -E '\.\./|\.\\\' /var/log/nginx/access.log

grep "%2e%2e%2f\|%2e%2e%5c" /var/log/nginx/access.log

Web Shell Access

grep -i "\.php?.*cmd=\|\.php?.*exec=\|shell\.php\|c99\.php" /var/log/nginx/access.log

Vulnerability Scanning

Nikto, SQLmap, Nmap NSE scripts

awk -F'"' '{print $6}' /var/log/nginx/access.log | grep -i "nikto\|sqlmap\|nmap\|acunetix\|burp"

Rapid sequential requests (scanning pattern)

awk '{print $1, $4}' /var/log/nginx/access.log | cut -d'[' -f2 | cut -d':' -f1-3 | uniq -c | sort -rn | head -20

Database Log Analysis

Connection Analysis

Total connections

grep -i "connection\|connect" /var/log/database.log | wc -l

Connections by IP

grep -i "connection.*from" /var/log/database.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn

Failed authentication

grep -i "authentication failed\|access denied\|login failed" /var/log/database.log

Connection rate

grep -i "connection" /var/log/database.log | awk '{print $1, $2}' | cut -d':' -f1-2 | uniq -c | sort -rn

Query Analysis

Slow queries (if logged)

grep -i "slow query\|execution time" /var/log/database.log

Suspicious query patterns

grep -i "drop table\|delete from\|truncate\|create user" /var/log/database.log

Data access patterns

grep -i "select.*from\|insert.*into\|update.*set" /var/log/database.log | wc -l

Error Analysis

All errors

grep -i "ERROR\|FATAL\|CRITICAL" /var/log/database.log

Specific error types

grep -i "deadlock\|timeout\|crash\|corrupt" /var/log/database.log

Timeline Reconstruction

Single Source Timeline

Extract timestamp and key event

awk '{print $1, $2, "->", $5, $6, $7}' /var/log/logfile | less

Extract all timestamps

awk '{print $1, $2}' /var/log/logfile | sort -u

Events within timeframe

awk '$1 == "2025-12-29" && $2 >= "05:00:00" && $2 <= "06:00:00"' /var/log/logfile

Events per hour distribution

awk '{print $1" "$2}' /var/log/syslog | cut -d':' -f1 | uniq -c

Events per minute

awk '{print $1" "$2}' /var/log/logfile | cut -d':' -f1-2 | uniq -c | sort -rn | head -20

Find logs in date range

awk '$1 >= "2025-12-29" && $1 <= "2025-12-31"' /var/log/logfile

Multi-Source Timeline

Combine multiple logs (ensure consistent timestamp format)

cat /var/log/auth.log | awk '{print $1, $2, $3, "AUTH:", $0}' > /tmp/timeline.txt
cat /var/log/syslog | awk '{print $1, $2, $3, "SYS:", $0}' >> /tmp/timeline.txt
sort /tmp/timeline.txt > /tmp/sorted_timeline.txt

Track Activity by Identifier

Follow specific IP across logs

IP="192.168.1.100"
grep "$IP" /var/log/auth.log > /tmp/ip_activity.txt
grep "$IP" /var/log/nginx/access.log >> /tmp/ip_activity.txt
grep "$IP" /var/log/application.log >> /tmp/ip_activity.txt
sort /tmp/ip_activity.txt

Session-Based Correlation

Track session from login to logout

SESSION_ID="sshd[12345]"
grep "$SESSION_ID" /var/log/auth.log

• Cross-reference with command execution (if available)

• Correlate timestamp from auth log with bash history timestamp