Chapter 28: Appropriate Data Sources for Investigation
Vulnerability Scan Output
SIEM Dashboards
Sensor
Sensitivity
Trends
Alerts
Correlation
SIEM: Security Information and Event Management (not "Security Incident Event Management"; the point is that it combines log information from many sources with event handling)
Aggregation
Correlation
Automated Alerts and Triggers
Time synchronization
Deduplication
Log analysis
Log files
Network
System
Application
Security
Web
DNS
Authentication
Dump files
VoIP and call managers
Session Initiation Protocol (SIP) traffic
syslog/rsyslog/syslog-ng
The de-facto standard for shipping logs. Every Unix, Linux and macOS host and nearly every network device can send syslog natively, in the old RFC 3164 "BSD" format or the newer RFC 5424 format; rsyslog and syslog-ng are the two usual server/collector implementations. Windows does not speak syslog out of the box: its Event Log needs an agent (NXLog, below, is one) to forward events to a syslog collector. Two caveats for investigations: classic syslog over UDP/514 is unauthenticated and silently drops messages, so forward over TCP with TLS (RFC 5425, port 6514) where you can; and RFC 3164 timestamps carry neither the year nor a time zone, so keep senders and collectors on NTP and normalize to UTC before correlating.
https://en.wikipedia.org/wiki/Syslog
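Added example (not from the original notes or any product): a small Python log analyzer that does what the SIEM bullets above describe (aggregation, time synchronization, deduplication, correlation, automated alert) on syslog lines. It parses both RFC 3164 and RFC 5424 lines, normalizes every timestamp to UTC, drops exact duplicates (the same event forwarded twice), and raises an alert when one source IP produces three or more failed SSH logins inside 60 seconds. The sample lines, the host name, the IPs, the assumed year 2024 and the assumption that RFC 3164 senders run on UTC are all constructed for the example.

```python
"""Parse syslog lines (RFC 3164 and RFC 5424), normalize to UTC, dedupe,
and correlate failed SSH logins per source IP. Added example, not page code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ASSUMED_YEAR = 2024               # assumption: RFC 3164 stamps carry no year
ASSUMED_SENDER_TZ = timezone.utc  # assumption: ...and no zone; senders run on UTC
THRESHOLD = 3                     # failures from one IP...
WINDOW = timedelta(seconds=60)    # ...inside this window raise an alert

RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$")
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample: one brute-force source (203.0.113.7) seen through two
# different forwarders (5424 with a +01:00 offset, 3164 with none), one line
# delivered twice, and one legitimate user with a single failure.
SAMPLE_LOG = """\
<38>1 2024-03-10T02:14:03.000+01:00 bastion sshd 2210 - - Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
<38>Mar 10 01:14:05 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51013 ssh2
<38>Mar 10 01:14:05 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51013 ssh2
<38>1 2024-03-10T01:14:09.000Z bastion sshd 2210 - - Failed password for root from 203.0.113.7 port 51014 ssh2
<38>Mar 10 01:14:40 bastion sshd[2211]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
<38>1 2024-03-10T01:15:00.000Z bastion sshd 2212 - - Failed password for root from 198.51.100.20 port 40023 ssh2
"""


def parse_line(line):
    """Return a normalized event dict, or None if the line is not syslog."""
    m = RFC5424.match(line)
    if m:
        ts = m.group("ts").replace("Z", "+00:00")  # fromisoformat() before 3.11 rejects 'Z'
        when = datetime.fromisoformat(ts)
    else:
        m = RFC3164.match(line)
        if not m:
            return None
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(
            year=ASSUMED_YEAR, tzinfo=ASSUMED_SENDER_TZ)
    pri = int(m.group("pri"))
    return {"time": when.astimezone(timezone.utc),  # one clock for every source
            "facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "app": m.group("app"), "msg": m.group("msg")}


def analyze(log_text):
    """Aggregate, dedupe, sort by UTC time, then correlate failures per source IP."""
    events, seen, dup = [], set(), 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["time"], ev["host"], ev["app"], ev["msg"])
        if key in seen:  # identical event received twice (relay and origin both forwarded it)
            dup += 1
            continue
        seen.add(key)
        events.append(ev)
    events.sort(key=lambda e: e["time"])

    failures = defaultdict(list)
    for ev in events:
        f = FAILED.search(ev["msg"])
        if f:
            failures[f.group("ip")].append(ev["time"])

    alerts = []
    for ip, times in failures.items():
        for i in range(len(times)):  # sliding window over the sorted failure times
            burst = [t for t in times[i:] if t - times[i] <= WINDOW]
            if len(burst) >= THRESHOLD:
                alerts.append({"ip": ip, "count": len(burst),
                               "first": burst[0].isoformat(), "last": burst[-1].isoformat()})
                break
    return {"events": len(events), "duplicates_dropped": dup, "alerts": alerts}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Without the UTC normalization the first line (02:14 local, +01:00) would sort after the others and the three failures would not land in one window; without the deduplication the duplicate line would inflate the count. Both are the kind of error that makes SIEM correlation rules fire wrongly or not at all.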
journalctl
Here’s a quick and easy how-to:
https://www.geeksforgeeks.org/journalctl-command-in-linux-with-examples/
NXLog
Has a free Community Edition alongside the commercial Enterprise Edition. In practice it is the usual way to get the Windows Event Log (and flat-file application logs) into a syslog collector or SIEM; agents exist for Windows, Linux and macOS.
Bandwidth monitors
Metadata
Mobile
Web
File
NetFlow/sFlow
NetFlow
https://en.wikipedia.org/wiki/NetFlow
sFlow
https://en.wikipedia.org/wiki/SFlow
https://www.paessler.com/netflow_monitoring
IPFIX
https://en.wikipedia.org/wiki/IP_Flow_Information_Export
https://www.pcwdld.com/what-is-ipfix
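Added example (not from the original notes or any vendor): a Python decoder for a NetFlow v5 export datagram, followed by two checks that flow metadata supports without any packet payload: a source sending SYN-only flows to many destination ports (a port scan) and a large transfer from an internal host to an external one (a candidate exfiltration). The record layout is the documented fixed 24-byte header plus 48-byte records. The sample datagram, the addresses, the 10.0.0.0/8 "internal" range and the two thresholds are constructed assumptions for the example; NetFlow v5 is IPv4-only and is exported over unauthenticated UDP, and if the exporter samples 1:N the byte and packet counters must be scaled before any threshold is applied.

```python
"""Decode a NetFlow v5 datagram and flag scans and large outbound transfers.
Added example, not page code."""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 export layout: fixed-size, big-endian, IPv4 only.
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored address space
SCAN_PORTS = 10                                # SYN-only flows to >= this many ports -> scan
EXFIL_BYTES = 50 * 1024 * 1024                 # >= this many bytes to one external host -> flag


def build_record(src, dst, sport, dport, proto, pkts, octets, flags=0x18):
    """Pack one v5 record; used here only to construct the sample datagram."""
    return RECORD.pack(ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                       bytes(4), 1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_datagram(records):
    """Header fields: version, count, sysuptime, unix secs, unix nsecs, sequence,
    engine type, engine id, sampling interval."""
    return HEADER.pack(5, len(records), 123456, 1710032400, 0, 0, 0, 0, 0) + b"".join(records)


def parse_datagram(data):
    """Return a list of flow dicts from one v5 datagram."""
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, sampling = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    # Low 14 bits of `sampling` hold the 1:N interval when sampling is on (not used below).
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.ip_address(f[0])), "dst": str(ipaddress.ip_address(f[1])),
                      "pkts": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13]})
    return flows


def analyze(flows):
    """Two metadata-only detections: port sweeps and large internal->external transfers."""
    ports_by_src = defaultdict(set)
    bytes_out = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if f["proto"] == 6 and f["tcp_flags"] == 0x02:  # SYN only: no handshake completed
            ports_by_src[f["src"]].add(f["dport"])
        if src in INTERNAL and dst not in INTERNAL:
            bytes_out[(f["src"], f["dst"])] += f["octets"]
    return {"scanners": sorted(s for s, p in ports_by_src.items() if len(p) >= SCAN_PORTS),
            "large_outbound": sorted(k for k, b in bytes_out.items() if b >= EXFIL_BYTES)}


# Constructed sample: a normal HTTPS flow, an 80 MB upload to an external host,
# and one internal host probing twelve ports on a neighbour with bare SYNs.
SAMPLE_DATAGRAM = build_datagram(
    [build_record("10.0.0.5", "198.51.100.10", 51234, 443, 6, 200, 150_000),
     build_record("10.0.0.9", "203.0.113.50", 40001, 443, 6, 60_000, 80_000_000)]
    + [build_record("10.0.0.77", "10.0.1.20", 43000 + i, p, 6, 1, 60, flags=0x02)
       for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080))])

if __name__ == "__main__":
    print(analyze(parse_datagram(SAMPLE_DATAGRAM)))
```

The same two checks work unchanged on sFlow or IPFIX once the records are decoded, since all three carry the same 5-tuple plus counters; what none of them carry is the payload, which is why the protocol analyzer output in the next item is the next step when a flow looks wrong.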
Protocol analyzer output
https://wiki.wireshark.org/SampleCaptures
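Added example (not from the original notes or from Wireshark): a Python reader for the classic libpcap file format, the format most of the captures at the link above use, that walks Ethernet/IPv4/TCP frames and inspects the one thing flow records never hold, the payload. It flags HTTP requests that send credentials in a cleartext Authorization: Basic header and reports the user name (never the password). The sample capture, the addresses and the credential are constructed for the example; the reader handles both pcap byte orders but not pcapng, and ignores anything that is not Ethernet/IPv4/TCP.

```python
"""Read a classic pcap file and find cleartext HTTP Basic credentials.
Added example, not page code."""
import base64
import re
import struct

LINKTYPE_ETHERNET = 1
BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M)


def read_pcap(data):
    """Return [(ts_sec, ts_frac, frame_bytes), ...] from a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian file (usec / nsec stamps)
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian file
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, frames = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, _orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frames.append((ts_sec, ts_frac, data[off:off + incl]))
        off += incl
    return frames


def decode_tcp(frame):
    """Ethernet/IPv4/TCP only; anything else returns None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                    # IPv4, protocol TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[doff:]}


def find_basic_auth(pcap_bytes):
    """Report (time, 5-tuple, user) for every segment carrying Basic credentials."""
    findings = []
    for ts, _, frame in read_pcap(pcap_bytes):
        seg = decode_tcp(frame)
        if not seg:
            continue
        m = BASIC.search(seg["payload"])
        if not m:
            continue
        try:
            user = base64.b64decode(m.group(1), validate=True).split(b":", 1)[0].decode()
        except (ValueError, UnicodeDecodeError):
            continue                                      # not really base64 user:pass
        findings.append({"ts": ts, "src": seg["src"], "dst": seg["dst"],
                         "sport": seg["sport"], "dport": seg["dport"], "user": user})
    return findings


def _frame(src, dst, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame for the sample (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    """Construct a little-endian classic pcap file around the given frames."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1710032400 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return head + body


# Constructed sample: one cleartext HTTP request with Basic auth, one TLS record.
SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "198.51.100.10", 51234, 80,
           b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
           + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    _frame("10.0.0.5", "198.51.100.10", 51235, 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    print(find_basic_auth(SAMPLE_PCAP))
```

For real captures (Wireshark's SampleCaptures page, or a file from tcpdump -w) the same read_pcap/decode_tcp pair gives you the 5-tuple and payload of every TCP segment; the Basic-auth check is just one detector to hang off it. A full capture is also the only one of these data sources from which you can rebuild what was actually sent, which is why it is the evidence of choice once logs or flows have narrowed the investigation to a host and a time window.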