
Analyzing Router Logs in Network Forensic Investigation

When analyzing router logs in a network forensic investigation, the investigator collects the logs of a router to examine and determine details such as the IP addresses and the protocols involved. On a Cisco IOS router, redirection of the logs to a syslog server is done in the following manner (192.168.1.1 is the syslog server address used in this example):

Router# configure terminal
Router(config)# logging 192.168.1.1

In any network intrusion or unauthorized-access scenario, the logs pertaining to the attack will be stored on the affected devices, which may be the router or switch, the database, the IDS, the ISP router, or the application server. Almost all professional network devices allow logging of events; however, due to memory constraints, these devices cannot store the logs for long durations. Therefore, administrators collect and store these logs on a regular basis.

From the collected logs, one has to identify, collect, and save the suspicious logs along with the firewall protocols for investigation purposes. Log analysis can be completed either manually or with the help of log-analyzing tools. After analyzing the logs, filters are applied to eliminate unnecessary data.


Analyzing Router Logs (Cont’d)

Routers follow different standards for storing logs in a network; it is not necessary that every router follows the same standard. For example, in the above screenshot, the log file contains details such as the date, time, source IP address, source port, URL accessed, the URL's IP address, and the port used. These details may be helpful to investigators during an investigation. The syntax of a log file from another router may differ.

Analyzing Router Logs: Cisco

Cisco IOS is the networking software used in Cisco routers. IOS integrates business-critical services and hardware platform support. The IOS security technologies act as a shield for business processes against attack and disruption, protect privacy, and support policy and regulatory compliance controls.

Transit network devices generate syslog messages that provide insight into, and brief context for, a security incident. This insight aids in determining the validity and extent of an incident. Within the context of a security incident, administrators can use syslog messages to understand communication relationships, timing, and, in some cases, the attacker's motives and/or tools. These events should be considered complementary and used in conjunction with other forms of network monitoring that may already be in place.

There are eight severity levels for classifying syslog messages on Cisco IOS routers. Each severity level has a number and a corresponding name for identification. The lower the number, the greater the severity of the message, as shown in the following table.

Cisco ASA provides log messages that are useful in Cisco IOS software. Router log messages do not contain numerical identifiers that assist in identifying the messages. Mentioned below is a list of router log messages, with detailed descriptions, that are most likely to be useful when analyzing security-related incidents. However, many organizations do not make extensive use of logging on routers, because router logging is somewhat limited and NetFlow is often a more effective means of analysis.

In the above slide, there is a screenshot containing logs with details such as the event ID, date, time, identifier, protocol applied, source IP address, and destination IP address. Based on the identifier, which is (4) in the log sheet, the severity of the log is determined when analyzing security-related incidents.
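As an added example (not part of the original article), the following Python code parses the standard Cisco IOS syslog message format, %FACILITY-SEVERITY-MNEMONIC: text, extracts the severity number and its name from the identifier, pulls the source and destination addresses out of access-list log messages, and filters a log for messages at or above a chosen severity. The sample log lines are constructed, not captured from a real device.

```python
import re
from typing import Optional

# Cisco IOS syslog severity levels: a lower number means a more severe message.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# The %FACILITY-SEVERITY-MNEMONIC: text identifier used by Cisco IOS messages.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# The "src(port) -> dst(port)" pair found in IPACCESSLOG messages.
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")


def parse_cisco_line(line: str) -> Optional[dict]:
    """Return the fields of one IOS syslog line, or None if it is not in IOS format."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    rec = {
        # Everything before the identifier is the timestamp (leading '*' = clock not NTP-synced).
        "timestamp": line[: m.start()].strip().lstrip("*").rstrip(":").strip(),
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }
    a = ADDR_RE.search(rec["text"])
    if a:  # only access-list log messages carry an address pair
        rec.update(src_ip=a.group(1), src_port=int(a.group(2)),
                   dst_ip=a.group(3), dst_port=int(a.group(4)))
    return rec


def filter_by_severity(lines, max_level: int = 4) -> list:
    """Keep only messages at severity max_level or more severe (a lower number)."""
    recs = (parse_cisco_line(ln) for ln in lines)
    return [r for r in recs if r and r["severity"] <= max_level]


# Constructed sample log lines for demonstration (not from a real router).
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(41234) -> 192.168.1.10(23), 1 packet",
    "*Mar  1 00:12:40.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)",
    "*Mar  1 00:13:02.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]
```

Running filter_by_severity over SAMPLE_LOG with the default threshold keeps only the level-3 LINK-3-UPDOWN message, while the denied-telnet access-list entry is parsed with its source and destination addresses for further correlation.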


Analyzing Router Logs: Juniper

JUNOS is an operating system that runs on the Juniper networking devices. The operating system provides two functionalities:

  • System logging

System logging generates syslog messages that record the events in a router pertaining to logins, login failures, unexpected termination of the peer process, and router shutdowns in case of excess heat.

  • Tracing

Tracing is mainly concerned with routing protocols. It records all the information pertaining to their operation, such as the exchange of packets when a process starts or when scheduled updates are transferred.

Both functions save their log messages to files. By default, the logs of a Juniper router are saved in the file named messages. On M-, MX-, and T-series routers the log files are stored under /var/log/; on J-series routers they are stored under /cf/var/log.

To view the logs, the following command can be used from the operational-mode prompt:

user@my-device> show log messages

In the above slide, there is a screenshot of a Juniper log file. The log file contains the date and time, router name and ID, status, and message. In the case of a security breach, investigators can use these details during log analysis.

Questions related to this topic

  1. How do I view Cisco router logs?
  2. How do I enable logs on Cisco router?
  3. How do I check my router logs?
  4. How do I clear the logs on my Cisco router?
  5. What is Analyzing Router Logs in Network Forensic Investigation?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
