Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.9.1. Log Data Sources

💡 First Principle: Logs are the primary evidence source for security investigations. Each log type records different aspects of system and user activity. A complete investigation correlates multiple log sources to reconstruct the full attack timeline — no single log type tells the whole story.

Firewall logs — connection attempts (allowed/denied), source/destination IPs, ports, protocols. Answer: who tried to communicate with what? Firewall logs reveal reconnaissance (port scans), blocked attacks, and exfiltration attempts. They're the first place to look when investigating network-based incidents.

Application logs — application-specific events: user logins, transactions, errors, access attempts. Answer: what did users do within the application? Application logs capture business context that infrastructure logs miss — which records were viewed, what transactions were processed, and which queries were executed.

IDS/IPS logs — detected threats, alert details, triggered signatures, traffic patterns. Answer: what attacks were detected and what was their nature? IDS/IPS logs provide attack classification and severity that raw network logs lack.

OS logs — system events, authentication attempts, service starts/stops, privilege usage. Windows Event Log (Security, System, Application channels), Linux syslog/journald. Answer: what happened on this system? OS logs capture local authentication events, privilege escalation, and system configuration changes. Note that file and object access shows up in OS logs only when auditing is configured for it (on Windows, Event ID 4663 requires the Audit File System policy plus a SACL on the object; on Linux, auditd watch rules), so do not assume file modifications are in the OS log unless that auditing was turned on beforehand.

Endpoint logs — EDR telemetry: process execution, file modifications, network connections, registry changes. Answer: what did this endpoint do? EDR logs provide the most granular view of endpoint activity and are critical for malware investigation and lateral movement detection.

Network logs — NetFlow/sFlow data, DNS queries, DHCP leases, proxy logs. Answer: who communicated with whom and when? Network logs provide flow-level metadata (endpoints, ports, timing, byte counts) without the storage overhead of full packet capture; DHCP lease records are also what let you tie an IP address in a firewall or flow record back to a specific host at a specific time.

Metadata — data about data: email headers (routing path, sender authentication results), file properties (creation date, author, modification history), document metadata. Often reveals more than the content itself — email headers expose spoofing attempts, and file metadata reveals origin and handling.
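As an added example of the email-header metadata point above (this is not code from the page; it is written for this section), the following Python uses the standard library's email module to pull the SPF/DKIM/DMARC verdicts out of an Authentication-Results header, reconstruct the Received chain in transit order, and list the header-level spoofing indicators before anyone reads the body. The message, hostnames, IPs and addresses are constructed for the example.

```python
"""Pull routing and sender-authentication metadata out of a constructed email.
Added example; the message, hostnames and addresses are made up for illustration."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed message: the From claims corp.example, but the envelope sender, the
# SPF/DMARC results, the Reply-To and the originating hop all point elsewhere.
RAW_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [198.51.100.25])
    by mx.corp.example (Postfix) with ESMTPS id ABC123
    for <cfo@corp.example>; Tue, 05 Mar 2024 09:20:11 +0000
Received: from [10.44.0.3] (unknown [203.0.113.77])
    by mail.example.net (Postfix) with ESMTPA id DEF456;
    Tue, 05 Mar 2024 09:20:05 +0000
Authentication-Results: mx.corp.example;
    spf=fail smtp.mailfrom=mail.example.net;
    dkim=none;
    dmarc=fail header.from=corp.example
From: "CEO" <ceo@corp.example>
Reply-To: ceo.corp.example@free-mail.example
To: cfo@corp.example
Subject: Urgent wire transfer
Message-ID: <x1@mail.example.net>

Please process the attached invoice today.
"""


def load_message(raw: str) -> Message:
    return message_from_string(raw)


def parse_auth_results(msg: Message) -> Dict[str, str]:
    """Verdicts from Authentication-Results (RFC 8601) headers, e.g. {'spf': 'fail'}."""
    results: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            results[mech] = verdict
    return results


def received_chain(msg: Message) -> List[Dict[str, str]]:
    """Hops in transit order. Each relay prepends its own Received header, so the
    top header is the last hop; reverse them to read from origin to destination."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", hdr, re.S)
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2) or "", "by": m.group(3)})
    return list(reversed(hops))


def domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spoof_indicators(msg: Message) -> List[str]:
    """Header-level findings a triage analyst pulls before trusting the content."""
    findings = []
    auth = parse_auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    from_dom = domain(msg.get("From", ""))
    # Envelope sender and Reply-To that disagree with the visible From are classic spoof signs.
    for header in ("Return-Path", "Reply-To"):
        other = domain(msg.get(header, ""))
        if other and other != from_dom:
            findings.append(f"{header} domain {other} != From domain {from_dom}")
    hops = received_chain(msg)
    if hops and "unknown" in hops[0]["from_info"]:
        findings.append(f"origin hop has no reverse DNS: {hops[0]['from_info']}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(load_message(RAW_MESSAGE)):
        print(finding)
```

Run it and the six findings appear in order: the three failed/missing authentication checks, the two domain mismatches, and the unresolvable originating relay. None of them required opening the body, which is the point of treating headers as evidence in their own right.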

āš ļø Exam Trap: Different logs answer different questions. If the exam asks "which log source would reveal unauthorized file modifications?" — endpoint/OS logs. "Which log source shows blocked connection attempts?" — firewall logs. Match the log source to the question being asked.

Written by Alvin Varughese, Founder, 15 professional certifications