*Data Collection Techniques for Forensic Investigation in Cloud*

**Table 1.** *Different types of logs, attacks, and the log analysis tool.*

| Type of log | Attacks | Tools for log analysis |
|---|---|---|
| DMesg log | This is not a log file as such, but it is used for determining anomalous activity from recent boots. | — |
| Debugging log | Stack tracing to determine the nature of application- and service-based attacks. | — |
| System log | Determines whether someone is attempting or has executed a buffer overflow. | Syslog-ng, Log & Event Manager |
| Network log | Determining Web-based attacks and DDoS attacks. | Splunk, Log4j2 |
| Authentication log | Auditing of attacks on credentials and determining unauthorized access. | |
| Audit log | Determining unauthorized user access to the system and network. Includes destination addresses, user login information, and timestamp. | WP Security Audit Log, auditpol.exe |
| VM log | Determining hypervisor-related attacks. | Virtual Machine Log Auditor, JVM controller |
| Database log | Determining database-related attacks. | Splunk, Nihuo Web Log Analyzer |
| Firewall log | Direct method for auditing the firewall. | Event Log Analyzer, event logging and monitoring services |
| Web server access log | Determining Web-based attacks (XSS, XSRF, SQLI), remote file inclusion, local file inclusion and flooding attacks. | Nihuo Web Log Analyzer |
| Web server error log | Determining Web-based attacks. | Nihuo Web Log Analyzer |

• *Sample Network Log Entry*

[\*\*] [1:1407:9] SNMP trap udp [\*\*] [Classification: Attempted Information Leak] [Priority: 2] 03/12-15:14:09.082119 192.168.1.167:1052 -> 172.30.128.27:162 UDP TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:87

• *Sample Firewall Log Entry*

03/12/2015 8:14:07 AM,"Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)).","Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)). Inbound TCP connection. Local address,service is (KENT(172.30.128.27),netbios-ssn(139)). Remote address,service is (192.168.1.54,39922). Process name is ""System""."

03/12/2015 9:04:04 AM,Firewall configuration updated: 398 rules.,Firewall configuration updated: 398 rules.

• *Sample Syslog Entries*

Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2

Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2

Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!

Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2

Mar 1 07:28:33 server1 su: BAD SU kkent to root on /dev/ttyp2

Mar 1 07:28:41 server1 su: kkent to root on /dev/ttyp2

*DOI: http://dx.doi.org/10.5772/intechopen.82013*
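The authentication and system log rows of Table 1 describe what an investigator looks for in entries like the syslog samples above. As an added example (not code from the chapter), the following Python parses those six sample lines into structured records, classifies the sshd and su events, and correlates a failed su with a successful su to the same target by the same user shortly afterwards; the field names and the 60-second window are assumptions chosen for the illustration.

```python
import re
# Constructed input: the six syslog entries shown on this page, one per line.
SAMPLE_SYSLOG = """\
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar 1 07:28:33 server1 su: BAD SU kkent to root on /dev/ttyp2
Mar 1 07:28:41 server1 su: kkent to root on /dev/ttyp2
"""
# BSD syslog header "Mon D HH:MM:SS host program[pid]: message"; note there is no year field.
HEADER = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
SU = re.compile(r"^(BAD SU )?(\S+) to (\S+) on (\S+)")

def parse_line(line):
    """Parse one syslog line into a dict with a classified 'event'; None if it is not syslog-shaped."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    _mon, _day, hh, mm, ss, host, prog, pid, msg = m.groups()
    rec = {"host": host, "prog": prog, "pid": pid, "msg": msg, "event": "other",
           "secs": int(hh) * 3600 + int(mm) * 60 + int(ss)}   # seconds since midnight, for correlation
    if prog == "sshd":
        a = ACCEPTED.match(msg)
        if a:
            rec.update(zip(("method", "user", "src", "port"), a.groups()))
            rec["event"] = "ssh_login"
        elif "POSSIBLE BREAKIN ATTEMPT" in msg:
            rec["event"] = "reverse_dns_mismatch"   # sshd's wording; a DNS inconsistency, not proof of attack
    elif prog == "su" and (s := SU.match(msg)):
        bad, rec["user"], rec["target"], rec["tty"] = s.groups()
        rec["event"] = "su_failed" if bad else "su_ok"
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def su_success_after_failure(records, window=60):
    """(user, target, gap_seconds) for each successful su following a failed su by the same user within `window` s."""
    hits = []
    for i, r in enumerate(records):
        if r["event"] != "su_failed":
            continue
        for later in records[i + 1:]:
            gap = later["secs"] - r["secs"]
            if later["event"] == "su_ok" and later["user"] == r["user"] \
                    and later["target"] == r["target"] and 0 <= gap <= window:
                hits.append((r["user"], r["target"], gap))
    return hits
```

On the sample data the correlation returns one hit, kkent reaching root 8 seconds after a failed attempt, which is the kind of sequence an investigator would review against the authentication log rather than treat as conclusive on its own.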