How to Search Log Files
How to Search Log Files
Section titled “How to Search Log Files”How to Check and Make Sense of Logs on Different Operating Systems
Section titled “How to Check and Make Sense of Logs on Different Operating Systems”If you need to go back to the guide, click * Cyber Incident Response Guide*
Mobile: iOS
Section titled “Mobile: iOS”Use Analytics & Improvements
Section titled “Use Analytics & Improvements”Go to Settings > Privacy > Analytics & Improvements.
Section titled “Go to Settings > Privacy > Analytics & Improvements.”Select Analytics Data to view system and app logs.
Section titled “Select Analytics Data to view system and app logs.”Identify Suspicious Activity
Section titled “Identify Suspicious Activity”Look for entries such as sysdiagnose or stacks+appName, indicating app crashes or system issues.
Section titled “Look for entries such as sysdiagnose or stacks+appName, indicating app crashes or system issues.”Search for terms like privacy, location, or permission to find logs related to privacy settings changes.
Section titled “Search for terms like privacy, location, or permission to find logs related to privacy settings changes.”Check for any entries with daemon or process indicating background activities.
Section titled “Check for any entries with daemon or process indicating background activities.”Mobile: Android
Section titled “Mobile: Android”Enable Developer Options
Section titled “Enable Developer Options”Go to Settings > About phone.
Section titled “Go to Settings > About phone.”Tap Build number seven times to enable Developer Options.
Section titled “Tap Build number seven times to enable Developer Options.”Access Logs through Developer Options
Section titled “Access Logs through Developer Options”Go to Settings > System > Developer options.
Section titled “Go to Settings > System > Developer options.”Scroll to Debugging and select Take bug report or Log viewer.
Section titled “Scroll to Debugging and select Take bug report or Log viewer.”Check for Suspicious Activity
Section titled “Check for Suspicious Activity”Look for frequent app crashes or unexpected system behavior in the logs.
Section titled “Look for frequent app crashes or unexpected system behavior in the logs.”Identify any unusual network activities or connection attempts.
Section titled “Identify any unusual network activities or connection attempts.”Check for logs indicating changes in security settings or permissions granted to unfamiliar apps.
Section titled “Check for logs indicating changes in security settings or permissions granted to unfamiliar apps.”Look for repeated attempts to access secure features or data without authorization.
Section titled “Look for repeated attempts to access secure features or data without authorization.”Windows
Section titled “Windows”Open the Event Viewer
Section titled “Open the Event Viewer”Press the Windows key + R to open the Run dialog box.
Section titled “Press the Windows key + R to open the Run dialog box.”Type eventvwr.msc and press Enter.
Section titled “Type eventvwr.msc and press Enter.”The Event Viewer will open.
Section titled “The Event Viewer will open.”Look for Error or Warning Logs Related to Security
Section titled “Look for Error or Warning Logs Related to Security”Navigate to Windows Logs > Security.
Section titled “Navigate to Windows Logs > Security.”Sort the logs by Event ID, Level, or Source.
Section titled “Sort the logs by Event ID, Level, or Source.”Look for Event IDs:
Section titled “Look for Event IDs:”4624(successful logon),4625(failed logon),4648(explicit login).
Search for Suspicious Activity
Section titled “Search for Suspicious Activity”Look for repeated failed login attempts from the same source IP.
Section titled “Look for repeated failed login attempts from the same source IP.”Look for logon attempts from unfamiliar locations or at unusual times.
Section titled “Look for logon attempts from unfamiliar locations or at unusual times.”Look for logs indicating changes to security settings or software.
Section titled “Look for logs indicating changes to security settings or software.”Look for logs indicating new software installations or changes to existing software.
Section titled “Look for logs indicating new software installations or changes to existing software.”Open Console
Section titled “Open Console”Launch the Console application from the Utilities folder within the Applications folder.
Section titled “Launch the Console application from the Utilities folder within the Applications folder.”Look for Error or Warning Logs Related to Security
Section titled “Look for Error or Warning Logs Related to Security”Check logs related to security software such as antivirus or firewall.
Section titled “Check logs related to security software such as antivirus or firewall.”Search for logs with keywords like error or warning.
Section titled “Search for logs with keywords like error or warning.”Search for Suspicious Activity
Section titled “Search for Suspicious Activity”Look for repeated failed logon attempts from the same source IP.
Section titled “Look for repeated failed logon attempts from the same source IP.”Look for logon attempts from unfamiliar locations or at unusual times.
Section titled “Look for logon attempts from unfamiliar locations or at unusual times.”Check logs indicating changes to security settings or software.
Section titled “Check logs indicating changes to security settings or software.”Look for logs indicating new software installations or changes to existing software.
Section titled “Look for logs indicating new software installations or changes to existing software.”Open Terminal
Section titled “Open Terminal”Launch the Terminal application.
Section titled “Launch the Terminal application.”Look for Error or Warning Logs Related to Security
Section titled “Look for Error or Warning Logs Related to Security”Use the command:
Section titled “Use the command:”sudo grep -E 'error|warning' /var/log/auth.log
to view security logs.
Check Users
Section titled “Check Users”Use the command:
Section titled “Use the command:”sudo getent passwd | grep '/home' | cut -d: -f1
to see all users with a home directory.
Use the command:
Section titled “Use the command:”sudo getent passwd | cut -d: -f1
to see all users, even those without a home directory.