Monitoring System Logs: In addition to network monitoring, you must monitor the event logs. Event logs are system logs that record the various events that occur on a host.
Event logs comprise a broad category that includes some logs that are not relevant to security issues. Within that broad category, however, are security and access logs that are clearly pertinent to security. Windows has several logs.
The two most important logs for security purposes are the following:
Application Log: This log contains various events logged by applications or programs. Many applications will record their errors in this log.
This log is particularly useful on a server that has database server software such as SQL Server installed.
Examining this log can provide clues that someone has been attempting to compromise the database.
Security Log: The most important things that you will find in the security log are successful and unsuccessful logon attempts.
This log also records events related to resource use, such as creating, opening, or deleting files or other objects.
Administrators can specify what events are recorded in the security log. Logon auditing can be turned off, but it never should be.
In Windows, the security log is the access log. Linux provides separate logs for successful and failed login attempts.
By default, Windows does not log both successes and failures, but for security reasons this should be changed.
Although the Windows operating system does not create logs called "audit logs" by name, the logs it creates are useful in auditing.
If you add SharePoint, SQL, or other services, they will often call the application logs they create audit logs, and you will want to monitor them carefully for security-related events.
Linux also has logs that are important to security:
/var/log/faillog: This log file contains failed user logins. You will find this log useful when tracking attempts to break into your system.
/var/log/apport.log: This log records application crashes. Sometimes these can reveal attempts to compromise the system or the presence of a virus or spyware.
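The Windows security log (successful and unsuccessful logon attempts) and the Linux failed-login records described above are the two sources a defender most often correlates. The following is an added example, not code from the original text: it normalizes a constructed sample of Windows Security-log records (using the standard event IDs 4624 for a successful logon and 4625 for a failed logon) and a constructed sample shaped like the columns of the `faillog -a` command's output (the /var/log/faillog file itself is binary and is read with that command), then flags any account whose failed logons reach an assumed threshold. The field names, sample values, addresses and the threshold of 3 are all assumptions chosen for illustration.

```python
"""Flag accounts with repeated failed logons across Windows and Linux records.

Added example (not from the original text). Assumes Windows Security-log
records are available as dicts with the fields shown, and that Linux failures
are available as text shaped like the columns of `faillog -a` output.
"""
from collections import defaultdict

WIN_LOGON_SUCCESS = 4624  # Windows Security log: an account was successfully logged on
WIN_LOGON_FAILURE = 4625  # Windows Security log: an account failed to log on
THRESHOLD = 3             # failures per account before an alert (assumed policy value)

# Constructed sample of Windows Security-log records (not real captures).
WINDOWS_EVENTS = [
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
]

# Constructed sample shaped like `faillog -a` output: header, then one row per
# account with login, failure count, maximum, latest timestamp and origin ("On").
FAILLOG_OUTPUT = """\
Login       Failures Maximum Latest                   On
root               5       0 04/12/24 02:13:41 +0000  203.0.113.7
alice              1       0 04/12/24 09:01:02 +0000  10.0.0.9
bob                0       0
"""


def summarize_windows(events):
    """Count successful and failed logons per account from Security-log records."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "sources": set()})
    for ev in events:
        acct = ev["TargetUserName"]
        if ev["EventID"] == WIN_LOGON_SUCCESS:
            summary[acct]["success"] += 1
        elif ev["EventID"] == WIN_LOGON_FAILURE:
            summary[acct]["failure"] += 1
            summary[acct]["sources"].add(ev.get("IpAddress", "?"))
    return dict(summary)


def parse_faillog(text):
    """Parse faillog-style columns into {account: (failure_count, last_origin)}.

    Accounts with no recorded failure have no timestamp/origin columns, so the
    row is shorter; the origin is only present when all seven columns appear.
    """
    result = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        tokens = line.split()
        if len(tokens) < 3:
            continue
        account, failures = tokens[0], int(tokens[1])
        origin = tokens[6] if len(tokens) >= 7 else ""
        result[account] = (failures, origin)
    return result


def flag_accounts(win_summary, fail_summary, threshold=THRESHOLD):
    """Return (system, account, failures, origins) for accounts at/over the threshold."""
    alerts = []
    for acct, s in sorted(win_summary.items()):
        if s["failure"] >= threshold:
            alerts.append(("windows", acct, s["failure"], sorted(s["sources"])))
    for acct, (failures, origin) in sorted(fail_summary.items()):
        if failures >= threshold:
            alerts.append(("linux", acct, failures, [origin] if origin else []))
    return alerts


if __name__ == "__main__":
    win = summarize_windows(WINDOWS_EVENTS)
    lin = parse_faillog(FAILLOG_OUTPUT)
    for system, acct, failures, origins in flag_accounts(win, lin):
        print(f"[{system}] {acct}: {failures} failed logons from {origins or 'unknown'}")
```

With the constructed samples, only the Windows `admin` account and the Linux `root` account cross the threshold; `jdoe`'s single failure between two successes is reported in the summary but not alerted, which is the kind of distinction that keeps a logon-failure rule from paging on ordinary typos.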