While taking the SY0-501 exam, you may come across some questions that require you to read logs. This confuses some people because logs aren't written in plain English. However, if you understand the objectives of the exam, you should be able to dissect the log to get the relevant information.
As an example, see if you can answer this question:
Q. You are examining logs on a server in your DMZ and come across the following log output:
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
Which of the following is an appropriate response after seeing this entry?
A. Nothing. This is a normal entry.
B. Disable SSH
C. Disable telnet on the server
D. Disable the user account
Just as important, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Reading Log Entries
Admittedly, some of the log entry looks like code. However, the relevant information is in simple text.
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
Do you see it?
If you have a basic understanding of ports and protocols, this part of the entry should attract your attention: [localport: 23].
Telnet uses port 23 and is no longer recommended for use because it sends credentials across a network in clear text. Secure Shell (SSH) is generally used as a replacement and it uses port 22.
Cisco IOS Log Entries
The entry came from a Cisco IOS device. While you don't need to know this to answer the question, it may be useful to understand the format of the log entry. (On a real IOS device the facility-severity-mnemonic field is prefixed with a percent sign rather than a hash, as in %SEC_LOGIN-5-LOGIN_SUCCESS; the structure is otherwise the same.)
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
The first part of the entry is simply a time stamp. It indicates a time of 12:34 and 56 seconds and 789 milliseconds. UTC indicates the time zone of coordinated universal time but could be any valid time zone. You won't always see the milliseconds or the time zone in a log entry but you can count on a time stamp.
Next, you see #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson]. Not all entries are so clear, but this indicates that user hsimpson successfully logged on. The three parts of the code are the facility (SEC_LOGIN, the login subsystem), the severity (5), and the mnemonic (LOGIN_SUCCESS). Cisco IOS uses severity levels 0 (emergencies) through 7 (debugging); 5 is a notification. Notifications aren't always logged, because a device only records messages at or above the severity its logging level is configured for.
The last part of the entry is [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019. The source indicates the IP address (192.168.15.78) of the user's system and the localport entry indicates the logical port (23) on the device that accepted the connection. Last, it indicates the time and date when the user logged on.
Remember, just as you don’t need to know the exact composition of a log pile to know that it has wood in it, you don’t need to know everything about a log entry to dissect it. Most log entries have some commonality. Don’t allow yourself to get thrown if you see an unfamiliar format. Just look for the common parts of the entry, and the cleartext parts of the entry.
Reading Log Entries Question and Answer
Q. You are examining logs on a server in your DMZ and come across the following log output:
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
Which of the following is an appropriate response after seeing this entry?
A. Nothing. This is a normal entry.
B. Disable SSH
C. Disable telnet on the server
D. Disable the user account
C is correct. The entry indicates a user is logging onto a server in the demilitarized zone (DMZ) using Telnet, but Telnet sends credentials across a network in clear text and has been deprecated. As a best practice Telnet should be disabled. If remote access is desired, Secure Shell (SSH) should be enabled instead.
It’s useful to break down the log entries. The time is shown as 12:34 and 56 seconds and 789 milliseconds. The date is given as Sat May 11 2019 in the UTC (coordinated universal time) time zone. The SEC_LOGIN-5-LOGIN_SUCCESS entry is a notification (severity 5) indicating a successful login by a user with username hsimpson. The [Source: 192.168.15.78] shows the source IP address. [localport: 23] indicates it is using port 23, the default port for Telnet, which is a key piece of information.
Seeing that someone is logging onto a server in the DMZ using Telnet is not a normal entry because Telnet should be disabled.
SSH sends encrypted traffic to port 22, but port 22 isn't shown in the log entry. It would be appropriate to enable SSH if remote access is desired, not to disable it.
The user account (hsimpson) may be valid, so it isn't appropriate to disable this account with the information given in the scenario. (Because the password crossed the network in clear text, having the user change it is a reasonable precaution, but that is separate from disabling the account.)
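To make the dissection concrete, here is a small parser and triage routine that applies the breakdown from the Cisco IOS Log Entries section above and the reasoning in this answer. It is added here as an example and is not code from the original post or from Cisco. The sample log lines are constructed for the example (the page's entry plus two invented ones in the same format); the severity names are Cisco IOS's standard 0 to 7 scale; the CLEARTEXT_PORTS table and the function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines for this example: the page's entry plus two invented
# ones in the same Cisco IOS SEC_LOGIN format (a successful SSH login and a failed
# Telnet login). Real IOS prefixes the facility field with % rather than #; the
# parser accepts either.
SAMPLE_LOG = """\
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
12:35:10.001 UTC %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mburns] [Source: 192.168.15.90] [localport: 22] at 12:35:10.001 UTC Sat May 11 2019
12:36:02.555 UTC %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed] at 12:36:02.555 UTC Sat May 11 2019
"""

# Cisco IOS syslog severity scale (0 = most severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Ports whose protocols carry credentials in clear text. Telnet is the page's case;
# FTP is added as a generalization. This table is the example's own choice.
CLEARTEXT_PORTS = {23: "Telnet", 21: "FTP"}

# <time> <tz> [#%]<FACILITY>-<SEVERITY>-<MNEMONIC>: <message> at <date>
ENTRY_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<tz>\S+)\s+"
    r"[#%](?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*"
    r"(?P<message>.*?)\s+at\s+(?P<when>.+)$"
)
# Bracketed key/value pairs such as [user: hsimpson] or [localport: 23].
FIELD_RE = re.compile(r"\[(?P<key>[^:\]]+):\s*(?P<value>[^\]]*)\]")


@dataclass
class LogEntry:
    time: str
    tz: str
    facility: str
    severity: int
    mnemonic: str
    fields: Dict[str, str]   # bracketed fields, keys lower-cased
    when: str                # the trailing "at ..." date stamp

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES.get(self.severity, "unknown")

    @property
    def user(self) -> Optional[str]:
        return self.fields.get("user")

    @property
    def source(self) -> Optional[str]:
        return self.fields.get("source")

    @property
    def localport(self) -> Optional[int]:
        port = self.fields.get("localport")
        return int(port) if port and port.isdigit() else None


def parse_line(line: str) -> Optional[LogEntry]:
    """Dissect one log line; return None if it is not in the expected format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = {f.group("key").strip().lower(): f.group("value").strip()
              for f in FIELD_RE.finditer(m.group("message"))}
    return LogEntry(time=m.group("time"), tz=m.group("tz"), facility=m.group("facility"),
                    severity=int(m.group("severity")), mnemonic=m.group("mnemonic"),
                    fields=fields, when=m.group("when"))


def triage(entry: LogEntry) -> str:
    """Apply the page's reasoning: a login over a cleartext protocol is not a normal
    entry, and the fix is to disable that protocol (use SSH), not the account."""
    proto = CLEARTEXT_PORTS.get(entry.localport)
    if proto is not None:
        return (f"disable {proto} (cleartext credentials on port {entry.localport}); "
                f"use SSH for remote access")
    return "normal entry"


def scan(text: str) -> List[Tuple[LogEntry, str]]:
    """Parse every recognizable line and pair it with a recommended response."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append((entry, triage(entry)))
    return results


if __name__ == "__main__":
    for entry, action in scan(SAMPLE_LOG):
        print(f"{entry.when} {entry.mnemonic} ({entry.severity_name}) user={entry.user} "
              f"source={entry.source} localport={entry.localport} -> {action}")
```

Running the script prints one line per entry; the page's entry is flagged for Telnet on port 23, the SSH login on port 22 is reported as normal, and the failed Telnet login is flagged as well (with its [Reason: ...] field available in fields["reason"]). The regular expression deliberately keys on the common parts the post describes (time stamp, facility-severity-mnemonic, bracketed fields, trailing date) so unfamiliar mnemonics still parse.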
Chapter 8 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide covers telnet including its default port and chapter 3 covers SSH.
SY0-501 objective 2.6 Given a scenario, implement secure protocols.
You might also like to look at these blogs.
Identifying Ports in Log Entries