While taking the SY0-501 exam, you may come across some questions that require you to read logs. This confuses some people because logs aren’t written in plain English. However, if you understand the objectives of the exam, you should be able dissect the log to get the relevant information.
As an example, see if you can answer this question:
Q. You are examining logs on a server in your DMZ and come across the following log output:
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
Which of the following is an appropriate response after seeing this entry?
A. Nothing. This is a normal entry.
B. Disable SSH
C. Disable telnet on the server
D. Disable the user account
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Reading Log Entries
Admittedly, some of the log entry looks like a code. However, the relevant information in simple text.
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
Do you see it?
If you have a basic understanding of ports and protocols, this part of the entry should attract your attention: [localport: 23].
Telnet uses port 23 and is no longer recommended for use because it sends credentials across a network in clear text. Secure Shell (SSH) is generally used as a replacement and it uses port 22.
Cisco IOS Log Entries
The entry cane from a Cisco IOS device. While you don’t need to know this to answer the question, it may be useful to understand the format of the log entry.
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
The first part of the entry is simply a time stamp. It indicates a time of s 12:34 and 56 seconds and 789 milliseconds. UTC indicates the time zone of coordinated universal time but could be any valid time zone. You won’t always see the milliseconds or the time zone in a log entry but you can count on a time stamp.
Next, you see #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson]. Not all entries are so clear, but this indicates that user hsimpson successfully logged on. The code 5 indicates the severity level of a notification. Notifications aren’t always logged.
The last part of the entry is [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019. The source indicates the IP address (192.168.15.78) of the user’s system and the localport entry indicates the logical port (23) accessed to log on. Last, it indicates the time and date when the user logged on.
Remember, just as you don’t need to know the exact composition of a log pile to know that it has wood in it, you don’t need to know everything about a log entry to dissect it. Most log entries have some commonality. Don’t allow yourself to get thrown if you see an unfamiliar format. Just look for the common parts of the entry, and the cleartext parts of the entry.
Photo by Pär Pärsson on Unsplash
Reading Log Entries Question and Answer
Q. You are examining logs on a server in your DMZ and come across the following log output:
12:34:56.789 UTC #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: hsimpson] [Source: 192.168.15.78] [localport: 23] at 12:34:56.789 UTC Sat May 11 2019
Which of the following is an appropriate response after seeing this entry?
A. Nothing. This is a normal entry.
B. Disable SSH
C. Disable telnet on the server
D. Disable the user account
C is correct. The entry indicates a user is logging onto a server in the demilitarized zone (DMZ) using Telnet but Telnet sends credentials across a network in clear text and has been deprecated. As a best practice Telnet should be disabled. If remote access is desirer, Secure Shell (SSH) should be enabled instead.
It’s useful to break down the log entries. The time is shown as 12:34 and 56 seconds and 789 milliseconds. The date is given as Sat May 11 2019 in the UTC (coordinated universal time) time zone. The SEC_LOGIN-5-LOGIN_SUCCESS entry is a notification (severity 5) indicating a successful login by a user with username hsimpson. The [Source: 192.168.15.78] shows the source IP address. [localport: 23] indicates it is using port 23, the default port for Telnet, which is a key piece of information.
Seeing that someone is logging onto a server in the DMZ using Telnet is not a normal entry because Telnet should be disabled.
SSH sends encrypted traffic to port 22, but port 22 isn’t shown in the log entry. It would be appropriate to enable SSH is remote access is desired.
The user account (hsimpson) may be valid so it isn’t appropriate to disable this account with the information given in the scenario.
Chapter 8 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide covers telnet including its default port and chapter 3 covers SSH.
SY0-501 objective 2.6 Given a scenario, implement secure protocols.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
You might also like to look at these blogs.
Identifying Ports in Log Entries
