Logging of security events in SIEM

02.10.2020 Read

Effective logging of events and activities in an organization’s technical infrastructure exponentially boosts the capabilities of its SIEM solution. In this article, we explore how logs are leveraged in a SIEM solution. First off, log entries can be helpful for multiple purposes such as security, performance analysis, troubleshooting, etc. Considering the size of a modern enterprise’s IT technical infrastructure, monitoring the network alone is not a favorable approach. With a growing number of applications, endpoint devices, and services, event logs must be collected from all such applications, endpoints, and services.


An event log is a file or a log entry that consists of information related to operations and usage of an application, device, or operating system. Operating systems, devices, applications – all of them generate their own logs and record them in their respective log files. We have observed that systems in a technical infrastructure generate more logs than they can process. After gathering log files from different sources, they can be utilized for identifying suspicious activity, detecting vulnerabilities, and tracking users on a corporate network. Organizations use event and log management tools like SIEM to analyze logs, monitor important events, and leverage this information in the identification and investigation of security incidents.

Log v. Event v. Incident

A log is an entry or a file that contains raw data stored by a device or an application about an action or activity. An event is a set of entries that can be extracted from log data, and it relates to something that has occurred somewhere on a computer network or a system. An incident is an event that is identified as a potential security breach.

Logs from Endpoint Devices

Successful exploitation of vulnerabilities in endpoint devices such as laptops, mobile phones, and computer systems allows the attackers to penetrate your network. Thereof, logs from endpoint devices (or endpoint logs) are essential in collecting data and identifying malicious activity.

1. Windows Event Logs

Windows OS logs activities on software and hardware components connected to a laptop or computer system. It uses six default categories to classify logs: Application Log, System Log, Security Log, Directory Service Log, DNS Server Log, and File Replication Server Log.

On a system running Windows operating system, a security expert can use Event Viewer to access event logs for all the categories mentioned above. Event Viewer shows information about an event, including username, computer, source, type, date, and time.

SIEM event logs

Figure 1: Event Viewer on Windows

For a SIEM solution like Logsign, all events are relevant prima facie; however, security logs hold a special significance. Window records entries for security events such as login attempts, successful login, etc. It logs events such as Directory Service Access, System Events, Object Access, Policy Change, Privilege Use, Process Tracking, Logon Events, Account Management, and Account Logon Events.

2. Linux Event Logs

For systems running on the Linux operating system, we can find a timeline of events related to the kernel, server, and applications. Logs are recorded across four major categories: Event Logs, Service Logs, Application Logs, and System Logs. You can view the logs in this directory: cd/var/log, or if you wish to access specific log types such as System Logs, you can access var/log/syslog.

Our experts commonly refer to the following log files from Linux systems during their investigations:

  1. /var/log/syslog (General system activity logs)
  2. /var/log/auth.log (Authentication/authorization logs)
  3. /var/log/kern.log (Kernel activity logs)
  4. /var/log/faillog (Failed login attempts)
  5. /var/log/maillog (Mail server logs)

As a minimum requirement, a SIEM solution must have the following information for a Linux system: user ID, login attempts, configuration changes, system utilities, security-related events, and any attempt to access data, applications, files, or networks.

3. iOS Event Logs

Whether your organization requires iOS/Android logs or not depends upon your mobile device policy. If your organization does not allow mobile devices, you may not require logs from iOS/Android devices.

iOS, as an operating system, does not log events; but it does log crash reports for application. For versions 10 and later, we can use an API to log application events. On top of this, iOS devices have their own security features. Using logging API, a SIEM solution can access the following types of data generated by inbuilt security features: Application Security, Network Security, Internet Services, Data Encryption, User Password Management, Device Controls, and Privacy Controls.

4. Android Logs

As compared to iOS, Android offers a dedicated platform for providing access to system and application logs, including kernel logs, and C/C++/Java logs. This dedicated logging platform provides functionalities for filtering and viewing messages. The android operating system provides logs across three categories: Application Log, Event Log, and System Log.

Important Log Sources for SIEM

Apart from the sources mentioned above, there is a wide range of sources in your technical infrastructure that generate logs that are useful for a SIEM solution. Considering that most organizations have limited human resources for cyber security, your SIEM solution must prioritize logs. Our experts have listed the following sources as integral for a SIEM solution:

  1. Security Controls: IDS, Anti-virus/anti-malware solutions, data loss prevention, VPN connections web filters, honeypots, firewalls, etc.
  2. Network Logs: Routers, Switches, Domain controllers, WAPs, application servers, intranet applications, databases, etc.
  3. Infrastructure: Configuration, software inventory, vulnerability reports, network maps, owners, locations, etc.
  4. Business: Mapping of business processes, partner information, point of contact