Developer and Fusion Middleware 1 _ Kevin Powe _ Log files - a wealth of forensic evidence.pdf

  1. Log files: A wealth of forensic evidence. Kevin Powe, Integral Technology Solutions. The most comprehensive Oracle applications & technology content under one roof
  2. More info at http://bit.ly/kapowelogs
  3. Agenda: Forensic process, Log files, Case files, Tools
  4. The Forensic Process
  5. Step One: Secure The Scene
  6. Operating System Evidence
     netstat for network issues
     top, or Windows Task Manager, for CPU issues
     iostat or vmstat for I/O issues
  7. Rolling Log Files
  8. Timeline figure: Cause at 2-4PM, Symptoms at 4-6PM
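Step one as a runnable collection script. This is an added example and not code from the deck or from Integral Technology Solutions: it captures the volatile OS evidence the slide names (netstat, top, iostat/vmstat) where those commands exist, then copies every generation of the named log files, rotated ones included, into a timestamped evidence directory with a checksum manifest, because the log covering the 2-4PM cause may roll over while the 4-6PM symptoms are still being looked at. The evidence directory layout, the file names COLLECTED_AT/MANIFEST/LOG_COUNT and the 20-second per-command cap are this example's own choices; the log files in the usage at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original deck): "secure the scene" before
# rotated log files disappear and volatile OS state is lost.

# snapshot_volatile DEST: run each evidence command from the slide that is
# installed on this host, save its output to DEST/<command>.txt and print how
# many were captured. A tool that hangs must not stall the collection, so each
# one is capped at 20 s when `timeout` is available (an assumption, not WLS).
snapshot_volatile() {
    dest=$1
    captured=0
    for cmd in "netstat -an" "top -b -n 1" "iostat" "vmstat 1 2" "ps -ef"; do
        name=${cmd%% *}
        command -v "$name" >/dev/null 2>&1 || continue
        if command -v timeout >/dev/null 2>&1; then
            timeout 20 $cmd > "$dest/$name.txt" 2>&1 || true
        else
            $cmd > "$dest/$name.txt" 2>&1 || true
        fi
        captured=$((captured + 1))
    done
    echo "$captured"
}

# preserve_logs DEST LOGDIR PATTERN...: copy every file matching any PATTERN
# (so access.log* also picks up access.log00001, access.log00002, ...),
# keeping the original mtime, and append a checksum per copy to DEST/MANIFEST
# so the copies can later be shown to be unaltered. Prints the copy count.
preserve_logs() {
    dest=$1; logdir=$2; shift 2
    mkdir -p "$dest/logs"
    count=0
    for pattern in "$@"; do
        for f in "$logdir"/$pattern; do
            [ -f "$f" ] || continue
            cp -p "$f" "$dest/logs/"
            # sha256sum where present, otherwise the POSIX cksum
            if command -v sha256sum >/dev/null 2>&1; then
                (cd "$dest/logs" && sha256sum "$(basename "$f")") >> "$dest/MANIFEST"
            else
                (cd "$dest/logs" && cksum "$(basename "$f")") >> "$dest/MANIFEST"
            fi
            count=$((count + 1))
        done
    done
    echo "$count"
}

# secure_scene LOGDIR PATTERN...: create a timestamped evidence directory,
# record when and where it was collected, snapshot volatile state, preserve
# the logs, and print the directory path.
secure_scene() {
    logdir=$1; shift
    evid="${TMPDIR:-/tmp}/evidence-$(date -u +%Y%m%dT%H%M%SZ)-$$"
    mkdir -p "$evid"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$evid/COLLECTED_AT"
    hostname > "$evid/HOSTNAME" 2>/dev/null || true
    snapshot_volatile "$evid" > "$evid/VOLATILE_COUNT"
    preserve_logs "$evid" "$logdir" "$@" > "$evid/LOG_COUNT"
    echo "$evid"
}

# Usage on a constructed log directory (three files, one of them a rolled
# generation), printing where the evidence went:
#   secure_scene /path/to/domain/servers/AdminServer/logs 'access.log*' '*.log*'
```

Run it as the user that owns the WebLogic process so the rolled generations are readable, and keep the evidence directory on a different filesystem from the one that is filling up if disk pressure is part of the incident.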
  9. Step Two: Investigate The Scene
  10. Don't. Search. The. Log. Files.
  11. 'Error' versus 'Warning'; 'Failing' versus 'Failed'
  12. Step Three: Gather And Correlate Evidence
  13. Step Four: Build A Hypothesis
  14. 1) Secure the scene 2) Investigate the scene 3) Gather and correlate evidence 4) Build a hypothesis
  15. Forensic process, Log files, Case files, Tools
  16. Figure: a WebLogic Server domain, shown as the AdminServer, managedServer1 and managedServer2 Java processes
  17. HTTP Access Logs
  18. Two access log entries:
      192.168.5.6 - - [19/Nov/2010:13:34:49 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487
      192.168.5.6 - - [19/Nov/2010:13:34:49 +0800] "POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1" 200 1167
      Fields of the second entry:
      Remote host: 192.168.5.6
      rfc931: -
      authuser: -
      date: [19/Nov/2010:13:34:49 +0800]
      request: "POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1"
      status: 200
      bytes: 1167
  19. ELF = Extended Logging Format
  20. Extended Logging Format Fields
      Common format fields: date, time, bytes, sc-status
      Request fields: cs-method, cs-uri, cs-uri-stem, cs-uri-query
      Network fields: c-ip, s-ip, c-dns, s-dns
      The Good Stuff: cs-comment, time-taken, custom
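Slides 18 and 20 together make one practical point: the common-format fields tell you what happened, but time-taken is where slow requests show up, and the only reliable way to find a column in an ELF log is to read the #Fields: header rather than count columns by eye. The script below is an added example, not code from the deck or from Oracle: it locates fields from the header, lists the slowest requests and counts responses per status. The sample log is constructed for this example (its field list, host addresses and durations are invented); time-taken is assumed to be logged in seconds, as WebLogic writes it, and the functions fail loudly when a log was not configured to record it.

```shell
#!/bin/sh
# Added example (not from the original deck): work with a W3C Extended Log
# Format access log by field name instead of hard-coded column numbers.

# Constructed sample; ELF times are GMT, so 13:34:49 +0800 becomes 05:34:49.
SAMPLE_ELF=$(cat <<'EOF'
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status bytes time-taken
2010-11-19 05:34:49 192.168.5.6 POST /AccountServices/ProxyServices/AccountServices 200 29487 0.312
2010-11-19 05:34:49 192.168.5.6 POST /WarehousingServices/ProxyServices/RequestOrderDetails 200 1167 0.045
2010-11-19 05:35:02 192.168.5.9 POST /AccountServices/ProxyServices/AccountServices 500 412 12.871
2010-11-19 05:35:10 192.168.5.6 GET /console/console.portal 200 9021 0.118
2010-11-19 05:35:31 192.168.5.9 POST /AccountServices/ProxyServices/AccountServices 200 29487 9.504
EOF
)

# elf_field_index FILE NAME: print the 1-based column of NAME as declared by
# the "#Fields:" header. Exits non-zero when the log has no such field, which
# is exactly what happens when time-taken was never enabled on the server.
elf_field_index() {
    awk -v want="$2" '
        /^#Fields:/ {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print i - 1; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# elf_slowest FILE N: the N slowest requests as "time-taken status uri".
elf_slowest() {
    tt=$(elf_field_index "$1" time-taken) || {
        echo "time-taken is not in the #Fields: header; enable it on the server" >&2
        return 1
    }
    st=$(elf_field_index "$1" sc-status)
    uri=$(elf_field_index "$1" cs-uri-stem)
    # Directive lines start with "#" and are not requests.
    awk -v tt="$tt" -v st="$st" -v uri="$uri" '!/^#/ { print $tt, $st, $uri }' "$1" \
        | sort -k1,1 -rn | head -n "$2"
}

# elf_status_counts FILE: requests per sc-status, one "status count" per line,
# useful for spotting when a burst of 5xx responses began.
elf_status_counts() {
    st=$(elf_field_index "$1" sc-status)
    awk -v st="$st" '!/^#/ { c[$st]++ } END { for (s in c) print s, c[s] }' "$1" | sort
}

# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_ELF" > /tmp/access.log
#   elf_slowest /tmp/access.log 3
#   elf_status_counts /tmp/access.log
```

Because the column is resolved per file, the same functions work across rotated generations written before and after a field was added to the server's ELF configuration.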
  21. Server log files
  23. Two server log records:
      ####<2/08/2011 12:49:35 AM EST> <Notice> <Server> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: 0 for queue: weblogic.kernel.Default (self-tuning)> <<WLS Kernel>> <> <> <1312210175933> <BEA-002613> <Channel "Default" is now listening on 10.0.2.15:7001 for protocols iiop, t3, ldap, snmp, http.>
      ####<2/08/2011 12:49:35 AM EST> <Notice> <WebLogicServer> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: 0 for queue: weblogic.kernel.Default (self-tuning)> <<WLS Kernel>> <> <> <1312210175933> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "example1030Domain" running in Development Mode>
      Fields of a record:
      Timestamp: <2/08/2011 12:49:35 AM EST>
      Severity: <Notice>
      Subsystem: <WebLogicServer>
      Machine: <brother-eye>
      Server: <AdminServer>
      Thread ID: <[ACTIVE] ExecuteThread: 0 for queue: weblogic.kernel.Default (self-tuning)>
      User: <<WLS Kernel>>
      Txn ID: <>
      Diagn. (context ID): <>
      Time (msecs): <1312210175933>
      Message ID: <BEA-002613>
      Text: <Channel "Default" is ...>
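The record layout above is regular enough to split with awk, which is what makes slide 11's distinction usable in practice: rank severities instead of grepping for the word 'Error', and sort on the raw millisecond field (Time (msecs)) rather than the local timestamp, because the millisecond value is the same clock on every server no matter which zone the human-readable stamp is printed in, so records from several servers interleave correctly. The script below is an added example and not code from the deck or from Oracle. The first two sample records are the deck's own; the Warning and Error records (including the message IDs, the "ExampleDS" pool and the stack trace) are constructed for this example. It assumes the text field never contains the sequence "> <" except inside the message body, where the split is re-joined.

```shell
#!/bin/sh
# Added example (not from the original deck): field-split WebLogic server log
# records, count by severity, and pull out everything at or above a level.

# Constructed sample: two records from the deck plus a Warning and a multi-line
# Error record whose stack-trace continuation lines do not begin with "####<".
SAMPLE_WLS=$(cat <<'EOF'
####<2/08/2011 12:49:35 AM EST> <Notice> <Server> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: 0 for queue: weblogic.kernel.Default (self-tuning)> <<WLS Kernel>> <> <> <1312210175933> <BEA-002613> <Channel "Default" is now listening on 10.0.2.15:7001 for protocols iiop, t3, ldap, snmp, http.>
####<2/08/2011 12:49:35 AM EST> <Notice> <WebLogicServer> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: 0 for queue: weblogic.kernel.Default (self-tuning)> <<WLS Kernel>> <> <> <1312210175933> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "example1030Domain" running in Development Mode>
####<2/08/2011 12:51:02 AM EST> <Warning> <JDBC> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: 3 for queue: weblogic.kernel.Default (self-tuning)> <<anonymous>> <> <> <1312210262118> <BEA-001129> <Received exception while creating connection for pool "ExampleDS": Connection refused>
####<2/08/2011 12:51:09 AM EST> <Error> <HTTP> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: 3 for queue: weblogic.kernel.Default (self-tuning)> <<anonymous>> <> <> <1312210269452> <BEA-101020> <[ServletContext@12345[app:example module:example.war path:/example spec-version:2.5]] Servlet failed with Exception
java.lang.IllegalStateException: connection pool ExampleDS not available
	at example.AccountServlet.doPost(AccountServlet.java:42)
>
EOF
)

# wls_records FILE: one line per record as
#   millis|timestamp|severity|subsystem|machine|msgid|text
# Splitting on "> <" turns the slide's 12 bracketed fields into $1..$12; the
# user field keeps one pair of brackets and empty Txn/Diag fields come out as
# empty columns. Continuation lines (stack traces) are skipped.
wls_records() {
    awk -F'> <' '
        /^####</ {
            ts = $1; sub(/^####</, "", ts)
            text = $12
            for (i = 13; i <= NF; i++) text = text "> <" $i   # "> <" inside the message
            sub(/>$/, "", text)
            print $10 "|" ts "|" $2 "|" $3 "|" $4 "|" $11 "|" text
        }' "$1"
}

# wls_severity_counts FILE: "severity count" per line, sorted by name.
wls_severity_counts() {
    wls_records "$1" | awk -F'|' '{ c[$3]++ } END { for (s in c) print s, c[s] }' | sort
}

# wls_at_least FILE MIN: records at severity MIN or worse, ordered by the raw
# millisecond clock so output from several servers can be merged with `sort -n`.
wls_at_least() {
    wls_records "$1" | awk -F'|' -v min="$2" '
        BEGIN {
            n = split("Trace Debug Info Notice Warning Error Critical Alert Emergency", s, " ")
            for (i = 1; i <= n; i++) rank[s[i]] = i
        }
        rank[$3] >= rank[min] { print $1, $3, $4, $5, $6 }' | sort -n
}

# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_WLS" > /tmp/AdminServer.log
#   wls_severity_counts /tmp/AdminServer.log
#   wls_at_least /tmp/AdminServer.log Warning
```

To correlate across a cluster, run wls_at_least on each managed server's log, concatenate the results and `sort -n` them again; the first column is the common clock.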
  24. Debug flags
  25. HTTP: weblogic.servlet.DebugHttp
      SSL: default.DebugSSL
      JDBC: weblogic.jdbc.sql.DebugJDBCSQL
  26. Bare stdout lines among server log records, and the same output once it appears as <Stdout> <BEA-000000> records:
      <4/08/2011 07:47:35 PM EST> <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is /console/console.portal?_nfpb=true&_pageLabel=HomePage1.>
      Loaded index.jsp page
      Loaded index.jsp page
      Loaded index.jsp page
      <4/08/2011 23:20:34 PM EST> <Info> <Health> <brother-eye> <AdminServer> <weblogic.GCMonitor> <<anonymous>> <> <> <1311830434630> <BEA-310002> <86% of the total memory in the server is free>
      TO
      <4/08/2011 07:53:38 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
      <4/08/2011 07:53:38 PM EST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
      <4/08/2011 07:53:49 PM EST> <Notice> <Stdout> <BEA-000000> <Loaded index.jsp page>
      <4/08/2011 07:53:50 PM EST> <Notice> <Stdout> <BEA-000000> <Loaded index.jsp page>
      <4/08/2011 07:53:51 PM EST> <Notice> <Stdout> <BEA-000000> <Loaded index.jsp page>
      <4/08/2011 08:20:34 PM EST> <Info> <Health> <brother-eye> <AdminServer> <weblogic.GCMonitor> <<anonymous>> <> <> <1311830434630> <BEA-310002> <86% of the total memory in the server is free>
  27. Oracle Service Bus tracing
  28. JMS Message Logs
  29. SOA Suite Diagnostic Logs
  30. Forensic process, Log files, Case files, Tools
  31. Case File #1: An Unbalanced Load
  32. Architecture figure: a load balancer in front of two Sun Reverse Proxy instances, each forwarding to its own WebLogic Server
  33. cat access.log* | awk '{ print $x }' | sort | uniq
      (where x = position of the cookie in the log file)
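The deck's one-liner lists the distinct cookie values; to see an unbalanced load you also want how many requests each backend took. The script below is an added example, not code from the deck or from Integral Technology Solutions. It assumes the access log carries the session cookie in a known column (passed in as x, exactly as on the slide) and that the JSESSIONID value ends in WebLogic's "!primary!secondary" server-hash suffix, so the primary hash identifies the instance that owns the session; requests without a session cookie are bucketed separately. The sample log, its session IDs and server hashes are constructed.

```shell
#!/bin/sh
# Added example (not from the original deck) for Case File #1: requests per
# WebLogic instance, derived from the session cookie's server-hash suffix.

# Constructed sample: common log fields followed by the cookie in column 11.
# "-" marks a first request that carried no session yet.
SAMPLE_ACCESS=$(cat <<'EOF'
192.168.5.6 - - [19/Nov/2010:13:34:49 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487 -
192.168.5.6 - - [19/Nov/2010:13:34:50 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487 JSESSIONID=7Lq0RHk2vQ!1056786423!-1
192.168.5.7 - - [19/Nov/2010:13:34:52 +0800] "POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1" 200 1167 JSESSIONID=pN3xW9aZ1c!1056786423!-1
192.168.5.8 - - [19/Nov/2010:13:35:01 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487 JSESSIONID=Qr88tYbb0m!2007891322!-1
192.168.5.6 - - [19/Nov/2010:13:35:04 +0800] "GET /console/console.portal HTTP/1.1" 200 9021 JSESSIONID=7Lq0RHk2vQ!1056786423!-1
192.168.5.9 - - [19/Nov/2010:13:35:10 +0800] "POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1" 200 1167 JSESSIONID=d2KfL0sV7h!1056786423!-1
192.168.5.7 - - [19/Nov/2010:13:35:15 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487 JSESSIONID=pN3xW9aZ1c!1056786423!-1
192.168.5.10 - - [19/Nov/2010:13:35:22 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487 JSESSIONID=x4YtT2nnP0!2007891322!-1
192.168.5.6 - - [19/Nov/2010:13:35:30 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487 JSESSIONID=7Lq0RHk2vQ!1056786423!-1
192.168.5.9 - - [19/Nov/2010:13:35:41 +0800] "POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1" 200 1167 JSESSIONID=d2KfL0sV7h!1056786423!-1
EOF
)

# backend_distribution FILE COL: "primary-hash count share%" per backend,
# busiest first. COL is the cookie column (the slide's x). Requests whose
# cookie has no "!" suffix are counted under "no-affinity".
backend_distribution() {
    awk -v col="$2" '
        {
            # JSESSIONID=<id>!<primary>!<secondary>  ->  p[2] is the primary hash
            n = split($col, p, "!")
            key = (n >= 2) ? p[2] : "no-affinity"
            c[key]++; total++
        }
        END { for (k in c) printf "%s %d %.0f%%\n", k, c[k], 100 * c[k] / total }' "$1" \
        | sort -k2,2 -rn
}

# imbalance_ratio FILE COL: busiest backend's requests divided by the least
# busy backend's (1.0 means an even split); the no-affinity bucket is ignored.
imbalance_ratio() {
    backend_distribution "$1" "$2" | awk '
        $1 != "no-affinity" { if (max == "") max = $2; min = $2 }
        END { if (min > 0) printf "%.1f\n", max / min; else print "n/a" }'
}

# Usage against the constructed sample (cookie is column 11 there):
#   printf '%s\n' "$SAMPLE_ACCESS" > /tmp/access.log
#   backend_distribution /tmp/access.log 11
#   imbalance_ratio /tmp/access.log 11
```

Because the count is per request rather than per session, a handful of chatty sessions pinned to one instance shows up here even when the number of distinct sessions per backend looks even.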
  34. Case File #2: Fear Of Commitment
  35. Figure: Oracle Service Bus calling Tuxedo
  36. Forensic process, Log files, Case files, Tools
  37. Tools
      Editors: vi
      Querying data: find, grep, sed, awk, tail
      Analysis: Excel, R, Splunk
      The Gun: (pictured)
  38. Contact: @kapowe, kevinpowe, kapowe