System Logs
Linux
System Logs
View /var/log and dmesg
grep -F "1.2.3.4" /var/log/syslog
dmesg | grep -iE "error|fail|warn|problem|denied|deny|forbid"
(-F makes grep treat the IP as a literal string; without it each dot matches any character, so "1.2.3.4" also matches 192.3.4. egrep is the deprecated spelling of grep -E.)
Linux has several default logs to check; the exact names depend on the distribution and syslog configuration, but they will look something like:
/var/log/messages (general system log on RHEL/CentOS; /var/log/syslog on Debian/Ubuntu)
/var/log/auth.log (authentication, sudo and ssh on Debian/Ubuntu)
/var/log/secure (the same on RHEL/CentOS)
/var/log/boot.log
/var/log/dmesg
/var/log/kern.log
/var/log/faillog (binary; read it with the faillog command)
/var/log/cron
/var/log/mail.log
/var/log/httpd/access.log & error.log (/var/log/apache2/ on Debian/Ubuntu)
/var/log/mysql[d].log
I use grep -E (egrep is the deprecated spelling) to search through these logs and their rotations:
sudo grep -iE "warn|fail|err|problem|down|critical" /var/log/messages* (and any other terms you're looking for; the glob picks up messages.1 but plain grep cannot read the .gz rotations)
zgrep
You can also search compressed logs using zgrep, if it is installed; it takes the same options as grep and reads .gz and plain files alike, so one command covers the live log and every rotation:
sudo zgrep -iE "bleh|blah" /var/log/messages*
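As an added example (not part of the original notes), here is the same "search the log and its rotations" idea in Python, so that the result can be counted rather than eyeballed: it walks auth.log and its rotated copies, opens the .gz ones transparently the way zgrep does, counts OpenSSH "Failed password" lines per source IP, and flags sources at or above a threshold. The sample lines it writes to a temporary directory are constructed; the sshd line format is the one OpenSSH logs to auth.log (or /var/log/secure on RHEL); the threshold of 5 is an arbitrary choice.

```python
import gzip
import re
import tempfile
from pathlib import Path

# OpenSSH's auth.log line for a rejected password, e.g.
# "... sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def open_log(path):
    """Open a plain or gzip-compressed log as text, which is what zgrep does for you."""
    path = Path(path)
    if path.suffix == ".gz":
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "rt", encoding="utf-8", errors="replace")


def rotated_logs(logdir, base="auth.log"):
    """auth.log, auth.log.1, auth.log.2.gz, ... ordered newest first (logrotate numbering)."""
    files = [p for p in Path(logdir).iterdir()
             if p.name == base or p.name.startswith(base + ".")]

    def rotation_index(p):
        first = p.name[len(base):].lstrip(".").split(".")[0]
        return int(first) if first.isdigit() else 0

    return sorted(files, key=rotation_index)


def failed_logins(paths):
    """Per source IP: number of failed password attempts and the set of usernames tried."""
    stats = {}
    for path in paths:
        with open_log(path) as fh:
            for line in fh:
                m = FAILED_RE.search(line)
                if not m:
                    continue
                entry = stats.setdefault(m["ip"], {"attempts": 0, "users": set()})
                entry["attempts"] += 1
                entry["users"].add(m["user"])
    return stats


def bruteforce_sources(stats, threshold=5):
    """Source IPs at or above the threshold (arbitrary default of 5), busiest first."""
    hits = [ip for ip, s in stats.items() if s["attempts"] >= threshold]
    return sorted(hits, key=lambda ip: -stats[ip]["attempts"])


# Constructed sample data (not real logs): two failures plus a clean key logon in the
# live log, and three more failures from the same source in a gzip-rotated copy.
SAMPLE_CURRENT = """\
May  9 15:16:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May  9 15:16:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
May  9 15:17:10 host sshd[1240]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2: RSA SHA256:x
May  9 15:18:42 host sshd[1251]: Failed password for deploy from 198.51.100.4 port 40002 ssh2
"""
SAMPLE_ROTATED = """\
May  8 02:11:00 host sshd[990]: Failed password for invalid user oracle from 203.0.113.7 port 50001 ssh2
May  8 02:11:01 host sshd[990]: Failed password for invalid user test from 203.0.113.7 port 50002 ssh2
May  8 02:11:02 host sshd[990]: Failed password for invalid user guest from 203.0.113.7 port 50003 ssh2
"""


def write_sample_logs(logdir):
    """Write the constructed sample as auth.log plus a gzipped auth.log.2.gz rotation."""
    logdir = Path(logdir)
    (logdir / "auth.log").write_text(SAMPLE_CURRENT)
    with gzip.open(logdir / "auth.log.2.gz", "wt") as fh:
        fh.write(SAMPLE_ROTATED)
    return logdir


def demo(threshold=5):
    """Run the scan over the constructed sample; returns (stats, flagged_ips)."""
    with tempfile.TemporaryDirectory() as d:
        stats = failed_logins(rotated_logs(write_sample_logs(d)))
    return stats, bruteforce_sources(stats, threshold)


if __name__ == "__main__":
    stats, flagged = demo()
    for ip in flagged:
        print(f"{ip}: {stats[ip]['attempts']} failed logins, "
              f"users tried: {sorted(stats[ip]['users'])}")
```

Point rotated_logs() at a real /var/log (run as root) and drop the sample writer to use it for real; the count across rotations is what makes the difference between "a few typos" and "someone working through a wordlist".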
journalctl
On systemd systems the journal is binary, so query it with journalctl rather than grep; a time window, an executable path or a unit name narrows it down:
journalctl --since "2015-01-10" --until "2015-01-11 03:00"
journalctl --since yesterday
journalctl /usr/bin/bash (only entries logged by processes running that executable)
service --status-all (not journalctl, but a quick way to find service names to query)
journalctl -u apache2.service --no-pager | grep -iE "error|fail|warn|problem|denied|deny|forbid"
PowerShell
Search/Monitor File
gc -Tail 10 .\fake_data.csv (gc = Get-Content; add -Wait to keep following the file like tail -f)
gc fake_data.csv | select -first 10 (select = Select-Object)
Windows
Windows keeps Application, Security and System logs plus a large set of per-component "Applications and Services" logs, and, like Linux, specific applications also keep their own. The OS logs can be viewed through PowerShell, eventvwr.msc, wevtutil and other tools, and are stored as .evtx files in %SystemRoot%\System32\winevt\Logs.
EventLog Basic Logs
Get-EventLog only sees the classic logs (Application, System, Security and a few others) and exists only in Windows PowerShell (up to 5.1); it was removed from PowerShell 6 and later, where Get-WinEvent is the replacement and also reads the newer Applications and Services logs.
Get-Eventlog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
20,480 0 OverwriteAsNeeded 27,213 Application
20,480 0 OverwriteAsNeeded 0 HardwareEvents
512 7 OverwriteOlder 0 IntelAudioServiceLog
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
512 7 OverwriteOlder 3,408 OneApp_IGCC
5,056 7 OverwriteOlder 1 PRTG Network Monitor
20,480 0 OverwriteAsNeeded 25,931 Security
20,480 0 OverwriteAsNeeded 40,933 System
15,360 0 OverwriteAsNeeded 14,173 Windows PowerShell
EventLog “Available Logs”
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | where {$_.RecordCount -gt 0}
(-ErrorAction SilentlyContinue hides the access-denied errors for logs a non-elevated prompt cannot open; run elevated to see all of them, including Security.)
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
Circular 15728640 14173 Windows PowerShell
Circular 20971520 40933 System
Circular 20971520 25931 Security
Circular 5177344 1 PRTG Network Monitor
Circular 1052672 3408 OneApp_IGCC
Circular 20971520 27213 Application
Circular 1052672 598 SGX/Diagnostic
Circular 1052672 779 SGX/Admin
Circular 1052672 360 Setup
Circular 1052672 92 Microsoft-Windows-WPD-MTPClassDriver/Operational
Circular 1052672 1853 Microsoft-Windows-WMI-Activity/Operational
Circular 1052672 468 Microsoft-Windows-WLAN-AutoConfig/Operational
Circular 1052672 1598 Microsoft-Windows-WinRM/Operational
Circular 1052672 2561 Microsoft-Windows-Winlogon/Operational
EventLog “Errors”
Get-EventLog -Logname Application -Newest 5 -EntryType Error
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
80121 May 15 08:27 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
80120 May 15 08:27 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
80119 May 15 08:27 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
78816 May 09 15:24 Error Microsoft-Windows... 1023 Windows cannot load the extensible counter DLL "C:\W...
78805 May 09 15:22 Error DPTF 17 The description for Event ID '17' in Source 'DPTF' c...
Get-EventLog -Logname System -Newest 5 -EntryType Error
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
79669 May 09 15:16 Error DCOM 10010 The description for Event ID '10010' in Source 'DCOM...
78902 Apr 27 11:20 Error Microsoft-Windows... 20 Installation Failure: Windows failed to install the ...
78805 Apr 25 18:03 Error Microsoft-Windows... 20 Installation Failure: Windows failed to install the ...
78574 Apr 24 13:39 Error Service Control M... 3221232506 The Docker Desktop Service service terminated unexpe...
78260 Apr 21 12:33 Error Microsoft-Windows... 20 Installation Failure: Windows failed to install the ...
EventLog Errors by Date
Get-EventLog -LogName System -After ([datetime]'2023-05-09 10:00') -Before ([datetime]'2023-05-10 10:00') -Newest 5 -EntryType Error
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
79669 May 09 15:16 Error DCOM 10010 The description for Event ID '10010' in Source 'DCOM...
Using Select-Object to cherry-pick only the properties you need:
Get-EventLog -LogName System -After ([datetime]'2023-05-09 10:00') -Before ([datetime]'2023-05-10 10:00') -Newest 5 -EntryType Error | Select-Object EntryType, InstanceId
EntryType InstanceId
--------- ----------
Error 10010
EventLog by ID
The EntryType filter is optional; this is how to search for a known event ID. Note that InstanceId is the raw 32-bit value the provider wrote, which can differ from the ID Event Viewer shows: the Service Control Manager entry above has InstanceId 3221232506 (0xC0001B7A), whose low 16 bits are Event ID 7034. Filter on $_.EventID if you want the displayed number.
Get-EventLog -LogName Application -Newest 5 -EntryType Error -InstanceId 1552
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
80121 May 15 08:27 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
80120 May 15 08:27 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
80119 May 15 08:27 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
70588 Mar 17 08:05 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
70587 Mar 17 08:05 Error Microsoft-Windows... 1552 User hive is loaded by another process (Registry Loc...
EventLog Logon Events
Searching the last 20 days of the System log for Winlogon's 7001 (user logon notification) events; 7002 is the matching logoff notification. These only tell you that a session started or ended; the authoritative audit record is the Security log, events 4624 (successful logon), 4625 (failed logon) and 4634 (logoff), which needs an elevated prompt to read.
Get-EventLog system -After (Get-Date).AddDays(-20) | where {$_.InstanceId -eq 7001}
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
79783 May 09 15:22 Information Microsoft-Windows... 7001 User Logon Notification for Customer Experience Impr...
78723 Apr 25 17:55 Information Microsoft-Windows... 7001 User Logon Notification for Customer Experience Impr...
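As an added example (not part of the original notes), here is what I would actually do with the Security log's 4624/4625 events once they are exported, rather than scrolling them: a Python script that takes the event XML an export produces (for instance wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:xml, or Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | ForEach-Object { $_.ToXml() } from an elevated prompt), pulls TargetUserName, IpAddress and LogonType out of each event, and flags password-spray sources as well as any success that followed failures from the same IP. The events embedded below are constructed, keep only the fields the script reads, and the 3-failure / 2-account thresholds are arbitrary.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace every <Event> carries in wevtutil / EventLogRecord.ToXml() output.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625


def parse_events(xml_text):
    """Parse a stream of <Event> elements (exports have no root element) into flat dicts."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", EVT_NS):
        system = ev.find("e:System", EVT_NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        events.append({
            "id": int(system.findtext("e:EventID", namespaces=EVT_NS)),
            "time": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
            "user": data.get("TargetUserName", ""),
            "ip": data.get("IpAddress", "-"),          # "-" for local/console logons
            "logon_type": data.get("LogonType", ""),   # 2 interactive, 3 network, 10 RDP
        })
    return events


def logon_summary(events):
    """Per source IP: failed and successful logons and the distinct accounts involved."""
    summary = defaultdict(lambda: {"failures": 0, "successes": 0, "users": set()})
    for ev in events:
        if ev["id"] not in (LOGON_SUCCESS, LOGON_FAILURE):
            continue
        s = summary[ev["ip"]]
        s["users"].add(ev["user"])
        s["failures" if ev["id"] == LOGON_FAILURE else "successes"] += 1
    return dict(summary)


def spray_sources(summary, min_failures=3, min_users=2):
    """IPs with many failures across several accounts (password spray), busiest first.
    The thresholds are arbitrary defaults for the example."""
    hits = [ip for ip, s in summary.items()
            if s["failures"] >= min_failures and len(s["users"]) >= min_users]
    return sorted(hits, key=lambda ip: -summary[ip]["failures"])


def success_after_failures(events):
    """4624s from an IP that already produced 4625s: the guess-until-it-works pattern."""
    failed_from = set()
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):   # SystemTime is ISO 8601, sorts as text
        if ev["id"] == LOGON_FAILURE:
            failed_from.add(ev["ip"])
        elif ev["id"] == LOGON_SUCCESS and ev["ip"] in failed_from:
            hits.append((ev["time"], ev["ip"], ev["user"], ev["logon_type"]))
    return hits


def _event(event_id, time, user, ip, logon_type):
    """Build one constructed Security event in the shape wevtutil emits (fields trimmed)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
        '<Channel>Security</Channel><Computer>host.example.local</Computer></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data><Data Name="IpAddress">{ip}</Data>'
        '</EventData></Event>\n'
    )


# Constructed sample (not a real export): three guesses against different accounts from
# one IP, then a success for the last of them; a single typo from another IP; a service logon.
SAMPLE_XML = "".join([
    _event(4625, "2023-05-09T15:16:00.000Z", "admin",         "203.0.113.7",  3),
    _event(4625, "2023-05-09T15:16:02.000Z", "administrator", "203.0.113.7",  3),
    _event(4625, "2023-05-09T15:16:04.000Z", "svc_backup",    "203.0.113.7",  3),
    _event(4625, "2023-05-09T15:16:20.000Z", "jdoe",          "198.51.100.4", 3),
    _event(4624, "2023-05-09T15:16:09.000Z", "svc_backup",    "203.0.113.7",  3),
    _event(4624, "2023-05-09T15:17:00.000Z", "SYSTEM",        "-",            5),
])


def analyse(xml_text=SAMPLE_XML):
    """Returns (summary, spray_ips, success_after_failure_hits) for an export."""
    events = parse_events(xml_text)
    summary = logon_summary(events)
    return summary, spray_sources(summary), success_after_failures(events)


if __name__ == "__main__":
    summary, sprays, wins = analyse()
    for ip in sprays:
        print(f"spray from {ip}: {summary[ip]['failures']} failures across "
              f"{sorted(summary[ip]['users'])}")
    for time, ip, user, ltype in wins:
        print(f"{time} {ip} logged on as {user} (type {ltype}) after earlier failures")
```

Reading the named Data elements instead of indexing EventLogRecord.Properties by position is deliberate: the positional layout of 4624 and 4625 differs (IpAddress is index 18 in one and 19 in the other), and the names are stable.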