KHOI | Blog

Windows logs vs Linux logs & how they help with Vulnerability Scanning

Mon, Oct 02, 2023 · 7 min read

Windows vs Linux

Here’s a pretty simple table showing the differences:

Windows                | Linux
-----------------------|----------------------
Proprietary            | Free and open source
Graphical              | Can be terminal only

Windows Event Log

The Windows Event Log is an in-depth record of system, security, and application events stored on a Windows operating system.

Event logs can be used to track system and some application issues and forecast future problems.

Event logs ensure our servers stay available and our files remain untampered with.

Main elements of Windows Event Log

Log Name: Name of the event log to which events from different logging components will be written. Events are commonly logged for system, security, and applications.

Event Date/Time: Includes the date and time when the event occurred.

Task Category: Identifies the type of recorded event log. Application developers can also define task categories to serve as extra information about the event.

Event ID: This Windows identification number helps network administrators uniquely identify a specific logged event.

Source: Name of the program or software causing the event log.

Level: Event level represents the severity of the recorded event log. These include information, error, verbose, warning, and critical.

User: Name of the user who logged onto the Windows computer when the event occurred.

Computer: Name of the computer logging the event.

Types of Windows Logs

Application: events related to a software/application.

Security: related to the safety of the system, e.g. failed logins, file deletions, etc.

Setup: events that occur during installation of the Windows OS. On domain controllers, this log records events related to Active Directory.

Domain controller — a server that responds to security authentication requests within a network domain.

Active Directory — think of it as team grouping.

System: related to the system & its components, e.g. failure to load a boot-start driver.

Linux Event Logs

The kernel is the brain of the computer.

To view logs in Linux, here are quite a few locations:

  • /var/log/syslog or /var/log/messages
    • Red Hat-based systems store this info in the messages file, while Debian-based systems use the syslog file.
  • /var/log/auth.log or /var/log/secure — authentication & authorization logs
  • /var/log/kern.log — kernel activity logs, including custom kernels.
  • /var/log/faillog — failed login attempts
  • /var/log/maillog or /var/log/mail.log — track issues like spam emails, suspicious use of postfix or smtpd.
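
To show how the authentication log above turns into something a defender can act on, here is an added Python example (not from the original post) that parses constructed auth.log-style sshd lines, counts failed logins per source address, and flags sources that cross a review threshold. The sample lines, host name, addresses, and the threshold of 3 are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/auth.log (Debian family)
# or /var/log/secure (Red Hat family). Not taken from a real host.
SAMPLE_AUTH_LOG = """\
Oct  2 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct  2 09:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct  2 09:14:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct  2 09:15:10 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.5 port 40112 ssh2
Oct  2 09:16:42 web01 sshd[2255]: Failed password for deploy from 198.51.100.5 port 40120 ssh2
Oct  2 09:17:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Matches the sshd "Failed password" line: timestamp, host, the user name
# (with an optional "invalid user" marker) and the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_failed_logins(text):
    """Return one dict per failed SSH login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "timestamp": m.group("ts"),
                "host": m.group("host"),
                "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "src": m.group("src"),
            })
    return events

def failures_by_source(events):
    """Count failed logins per source IP address."""
    return Counter(e["src"] for e in events)

def noisy_sources(events, threshold=3):
    """Sources at or above the threshold deserve a closer look."""
    counts = failures_by_source(events)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    for src, n in failures_by_source(evs).most_common():
        print(f"{src}: {n} failed login(s)")
    print("review:", noisy_sources(evs))
```

The same idea carries over to /var/log/faillog and to the Windows Security log, which record the same class of event in their own formats.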

Vulnerability Scanning

  • Enables organizations to monitor their networks, systems, and applications for security vulnerabilities.
  • Vulnerabilities can include (but aren’t limited to):
    • Open ports
    • Unpatched machines
    • Out of date software
    • SSL certificate anomalies
    • Malware on a device

Remember to close unused ports for security!

Vulnerability Scanning & CVEs

A vulnerability scan may include CVE numbers in its results.

  • CVE: Common Vulnerabilities and Exposures — refers to publicly known system vulnerabilities.

In the world of vulnerability scanning, there are two main types of system.

Host-based Intrusion Detection System (HIDS)

This system is completely passive.

It analyzes traffic that passes through the network. If it sees something abnormal, it sends an alert.

Host-based Intrusion Prevention System (HIPS)

This system is active.

It monitors a single host for suspicious activity by analyzing events occurring within that host.

HIPS aims to stop malware by monitoring the behavior of code.