Day 3 – Understanding Logs, Log Types & Why Logs Are Important.


🧾 What Are Logs? (Explained in Simple Language)

Logs are records of activities happening in a system, network, application, or device.

Simple Example:

A log is like a CCTV recording, but instead of video, it records digital activities.

💡 Think of logs as:

  • A diary that records every action
  • A vehicle’s GPS history
  • A shop’s visitor register
  • A call history in your mobile

Logs tell us “what happened, when it happened, and who did it.”


🔍 Why Are Logs Important? (For SOC Analysts)

Logs help SOC Analysts:

  • Detect attacks
  • Investigate suspicious activity
  • Understand what the hacker did
  • Trace the attacker’s path
  • Prepare incident reports

Real Example:

If someone tries to log in to your account 20 times, logs will show:

  • Time of logins
  • IP address
  • Success/failure
  • Device used

Without logs → SOC cannot detect attacks.


🗂️ Types of Logs (Explained Very Simply)

1️⃣ Authentication Logs

These show login activity.

Examples:

  • Successful login
  • Failed password attempt
  • New device login

Real Example:
You receive: “New login from Chrome on Windows.”
This comes from authentication logs.


2️⃣ System Logs

These logs come from the operating system (Windows, Linux).

Examples:

  • System boot/shutdown
  • Errors/crashes
  • User creation/deletion
  • Permission changes

Real Example:
When your laptop shows “Windows restarted after a crash,”
→ this came from system logs.


3️⃣ Application Logs

Generated by software and apps.

Examples:

  • Web server logs (Apache, Nginx)
  • Database logs
  • App error logs

Real Example:
An e-commerce app fails to show “Add to Cart”
→ the developer checks the application logs.


4️⃣ Security Logs

Logs produced by security tools, recording attacks and attempted threats.

Examples:

  • Firewall logs
  • Antivirus logs
  • EDR logs
  • VPN logs

Real Example:
VPN alert: “Login from unusual country.”
→ comes from security logs.


5️⃣ Network Logs

Traffic and communication logs.

Examples:

  • Incoming/outgoing connections
  • Port scanning
  • Packet flows

Real Example:
The firewall blocks an unknown IP that tries to connect at 2 AM.


🧰 Tools Used to View Logs (Basic Introduction)

SOC Analysts commonly use:

  • Windows Event Viewer
  • Linux Syslog (/var/log/)
  • SIEM Tools (Splunk, QRadar, ELK)
  • Firewall Consoles
  • EDR dashboards (CrowdStrike, Defender)

🧪 Simple Hands-On Demo You Can Show Your Students

1. Windows Example:

Open Event Viewer → Windows Logs → Security
Show login success / login failure events.

2. Linux Example:

Run:

sudo cat /var/log/auth.log

3. SIEM Example (If possible):

Upload sample logs into Splunk and show search results.


🧠 Real-Time Scenarios (For Understanding)

Scenario 1 – Password Guessing Attack

Logs show:

  • 15 failed login attempts
  • From same IP
  • Within 2 minutes

SOC Analyst conclusion: Brute force attack attempt.
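The Linux demo above (sudo cat /var/log/auth.log) and this scenario fit together: the same file that students read by hand can be searched by a script for exactly the pattern described (many failures, one IP, within two minutes). The block below is an added example written for this post, not code from the original; the auth.log lines in it are constructed, and they follow the syslog layout OpenSSH uses on Debian/Ubuntu (on RHEL-family systems the same lines live in /var/log/secure). The threshold and window values are assumptions chosen to mirror the scenario.

```python
"""Parse sshd 'Failed password' lines from auth.log and flag bursts.

Added example for this training post (not code from the original).
The sample lines are constructed; they follow the syslog layout that
OpenSSH writes into /var/log/auth.log on Debian/Ubuntu.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed noise: two failures then a success for a real user, plus one key login.
NOISE = [
    "Mar  3 01:30:12 web01 sshd[1100]: Failed password for deploy from 192.0.2.9 port 40210 ssh2",
    "Mar  3 01:30:20 web01 sshd[1100]: Failed password for deploy from 192.0.2.9 port 40210 ssh2",
    "Mar  3 01:30:31 web01 sshd[1100]: Accepted password for deploy from 192.0.2.9 port 40210 ssh2",
    "Mar  3 02:05:44 web01 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2",
]

# Constructed burst: 15 failures from one IP, 7 seconds apart (02:00:01 to 02:01:39),
# alternating between a non-existent 'admin' account and 'root'.
BURST = [
    f"Mar  3 02:{(1 + 7 * k) // 60:02d}:{(1 + 7 * k) % 60:02d} web01 sshd[{1201 + k}]: "
    f"Failed password for {'invalid user admin' if k % 2 == 0 else 'root'} "
    f"from 203.0.113.45 port {51000 + k} ssh2"
    for k in range(15)
]

SAMPLE_AUTH_LOG = "\n".join(NOISE + BURST)

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successes and unrelated daemons are ignored here
        # syslog lines carry no year; strptime defaults to 1900, which is fine
        # for measuring gaps inside one file
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce(events, threshold=10, window_seconds=120):
    """Flag any source IP with >= threshold failures inside a sliding window.

    Returns {ip: {"count", "first", "last", "users"}} for the densest window
    seen per IP. The defaults (assumed values) mirror the scenario: many
    failures, one IP, within two minutes.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("count", 0):
                alerts[ip] = {
                    "count": count,
                    "first": times[start],
                    "last": times[end],
                    "users": sorted({u for _, u in items[start:end + 1]}),
                }
    return alerts


if __name__ == "__main__":
    for ip, a in find_bruteforce(parse_failed_logins(SAMPLE_AUTH_LOG)).items():
        print(f"ALERT brute force from {ip}: {a['count']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, users={a['users']}")
```

Point out to students that the two failures from 192.0.2.9 followed by a success are what a real person mistyping a password looks like, and the rule does not fire on them; the rule is about density (count per window), not the mere presence of failures.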


Scenario 2 – Malware Infection

Logs show:

  • Unknown .exe file executed
  • Anti-virus detected threat
  • Outbound connection to foreign IP

SOC Analyst conclusion: Malware trying to contact attacker.


Scenario 3 – Unauthorized Login

Logs show:

  • Employee logged in at 3 AM
  • From a new country
  • Using unknown device

SOC Analyst conclusion: Account compromised.
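Scenario 3 is different from Scenario 1: no single login record is wrong on its own, the conclusion comes from comparing the login with what is normal for that user. The block below is an added example, not code from the original post; the login records are constructed, and the field names (user, time, country, device) are assumed placeholders that would map onto whatever a VPN or SSO tool actually exports.

```python
"""Score a successful login against a user's own history (Scenario 3).

Added example, not part of the original post. The login records are
constructed; the field names (user, time, country, device) are assumed
and would map onto whatever your VPN/SSO tool actually exports.
"""
from datetime import datetime

# Constructed history: jsmith logs in from India, on one laptop, during office hours.
HISTORY = [
    {"user": "jsmith", "time": "2025-02-03T09:05:10", "country": "IN", "device": "LAPTOP-JS01"},
    {"user": "jsmith", "time": "2025-02-04T09:41:33", "country": "IN", "device": "LAPTOP-JS01"},
    {"user": "jsmith", "time": "2025-02-05T10:02:05", "country": "IN", "device": "LAPTOP-JS01"},
    {"user": "jsmith", "time": "2025-02-06T13:15:48", "country": "IN", "device": "LAPTOP-JS01"},
    {"user": "jsmith", "time": "2025-02-07T17:58:20", "country": "IN", "device": "LAPTOP-JS01"},
]

# Constructed events to score: a normal one and the 3 AM / new country / unknown device case.
NORMAL_LOGIN = {"user": "jsmith", "time": "2025-03-03T09:12:00", "country": "IN", "device": "LAPTOP-JS01"}
SUSPECT_LOGIN = {"user": "jsmith", "time": "2025-03-03T03:07:42", "country": "RO", "device": "android-unknown"}


def build_profile(history, hour_margin=1):
    """Summarise what 'normal' looks like per user: countries, devices, login hours."""
    profiles = {}
    for ev in history:
        p = profiles.setdefault(ev["user"], {"countries": set(), "devices": set(), "hours": set()})
        p["countries"].add(ev["country"])
        p["devices"].add(ev["device"])
        p["hours"].add(datetime.fromisoformat(ev["time"]).hour)
    # widen the hour range slightly so an 08:55 login is not flagged as abnormal
    for p in profiles.values():
        lo, hi = min(p["hours"]), max(p["hours"])
        p["hours"] = set(range(max(0, lo - hour_margin), min(23, hi + hour_margin) + 1))
    return profiles


def score_login(profiles, ev):
    """Return the list of reasons a login deviates from the user's profile.

    A user with no history is itself a reason: there is nothing to compare to.
    """
    p = profiles.get(ev["user"])
    if p is None:
        return ["no_history_for_user"]
    reasons = []
    if ev["country"] not in p["countries"]:
        reasons.append("new_country")
    if ev["device"] not in p["devices"]:
        reasons.append("unknown_device")
    if datetime.fromisoformat(ev["time"]).hour not in p["hours"]:
        reasons.append("off_hours")
    return reasons


def verdict(reasons):
    """Map the reasons to the analyst's call: two or more independent oddities at once is a compromise signal."""
    if not reasons:
        return "normal"
    return "account_compromise_suspected" if len(reasons) >= 2 else "review"


if __name__ == "__main__":
    profiles = build_profile(HISTORY)
    for ev in (NORMAL_LOGIN, SUSPECT_LOGIN):
        r = score_login(profiles, ev)
        print(ev["time"], ev["country"], ev["device"], "->", verdict(r), r)
```

The teaching point is in verdict(): a single oddity (one new device, because the employee bought a phone) is a "review", while the three oddities together, each unlikely on its own, are what justify the "account compromised" conclusion in the scenario.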


📝 Day 3 Activity for Students

Give them a small exercise:

“Find 5 log entries from your Windows or Linux system and note what they mean.”


🏠 Day 3 Homework

Search on Google:
“What is Sysmon?”

Write:

  • What Sysmon does
  • Why SOC Analysts use it

🎤 Trainer Script for Day 3

You can read this in class:

“Logs are the digital CCTV of an organization.
They record every action inside a system.

As SOC Analysts, logs are your most important tool for detecting and understanding attacks.

Today you learned types of logs, why logs matter, and how real attacks look in logs.”

