Log Files

There are multiple types of transactions performed by PCs and servers. Every transaction leaves a trace inside one of so-called log files, clearly specifying the event and time of its occurrence. From the beginning of operating system installation process and throughout the computer lifecycle, log files keep tracks of all types of system and users’ activities. Most of computer applications maintain log files, providing the possibility to identify and analyze every operational detail. Usually, log files are associated withevery particular application. Most important are operating system’s log files where all system-level events are stored. Such log files facilitate the troubleshooting process, identifying specific errors and reasons for programs’ malfunction. From the security perspective, log files help discovering threats and investigating attempts to break into the system. Log files are essential in analysis of any particular state of computer’s hardware and software, systematically reconstructing the course of events.

Log files in Windows operating system are distributes through a number of folders, depending on type and role of the associated applications. The importance of log files also varies in accordance with the application or system process’s importance. Identical log files on a desktop PC and on server may present a different value, as roles of these computers are rather diverse. According to Gibson (2010), “many of the available logs are much more valuable on a server than they are on a desktop computer” (p. 225). Usually, system administrators pay attention to System, Application, and Security log files, as they are most important and informative in the Windows environment. The System log stores all events that concern Windows system components, such as services, Windows processes, and drivers. The Application log records events that occur with different applications as they interact with the operating system. Finally, all types of events associated with access rights, security violation attempts, and authorization failures are stored in the Security log file. Physically, these files are located in \Windows\System32\winevt\Logs folder. However, it is rather difficult to open a log file directly from that folder using any text editor application. Log files are reasonably well protected against accidental damage and malicious alterations. Instead, a system application called Event Viewer is used to access the contents of log files.

The ideology of Linux logging is similar to that of Windows in an essence. However, the categorization of system log files is more precise. Global system events, boot-time events, kernel events, and the entire set of other components’ messages are stored separately, though in the same directory. According to Nemeth et.al (2007), “Linux packages send their logging information to files in the /var/log directory” (p. 204). There is one file called /var/log/messages, where the runtime information about all system components is aggregated. In addition, those components record their respective events in separate files, allowing “by subject” logs exploration. All boot-time events concerning hardware and drivers are stored in the /var/log/dmesg file. The log file called /var/log/auth.log contains the system authorization information, user login attempts, and authentication failures. All system-level applications, or daemons, reflect their activities in the /var/log/daemon.log file. The log files’ maintenance is centralized in the Linux environment. “Most programs these days actually send their log entries to a central clearing system called syslog” (Nemeth et.al, 2007, p. 204). The role of syslog is not limited to log files’ filling, categorization, rotation, and archiving. In complex environments, syslog can be responsible also for the logging on behalf of remote network devices. This activity is handled by means of specific daemon syslogd, which allows remote connections to the host’s syslog mechanism. Consequently, remote devices send all events within the predefined range to the Linux host running syslogd, providing single point of logging for the whole IT environment.