Incident Response – Web Logs
Knowing where to look is a really important piece of the incident response puzzle. With a large number of incidents involving web servers, I figured it was a good idea to talk about some of the common log files, their locations and some gotchas. We are going to dive into some tech 101, then follow up with how this ties into the Incident Response process (so hopefully this helps if you’re more PowerPoint than Bash).
Why do we care about where the default paths are? Well, hopefully if you have planned ahead and got a security monitoring solution you won’t have to. But all things start from acorns. A good way to start to understand how logs and incident response tie together is to understand what is needed under the hood. This isn’t a deep dive but more a glimpse. When we visit a web page, the web server should be configured to capture the access logs. These logs are really helpful in an incident involving web services, so where can we find them?