← Back to Eye House
HOUSE OF THE EYE

The Art of Observation

Master the essential skill of log analysis - the foundation of troubleshooting, security monitoring, and system understanding. Learn to see patterns where others see noise.

Why Logs Matter

Common Log Types

Click each card to learn more about different log types:

System Logs

Operating system events including boot sequences, shutdown procedures, kernel messages, hardware events, and system-level errors. Found in /var/log/syslog (Linux) or Event Viewer (Windows).

Application Logs

Software-specific events, errors, warnings, and debug information. Each application typically maintains its own log format and location, recording application lifecycle and business logic events.

Security Logs

Authentication attempts (successful and failed), authorization decisions, access control changes, privilege escalations, and security-related system changes. Critical for detecting breaches.

Network Logs

Firewall rules triggered, network traffic patterns, connection attempts, blocked requests, routing changes, and bandwidth usage. Essential for network security and troubleshooting.

Web Server Logs

HTTP requests (access logs), response codes, client IPs, user agents, request methods, URLs accessed, and server errors. Invaluable for web application debugging and analytics.

Anatomy of a Log Entry

Understanding the structure of log entries is crucial. Hover over each component to learn more:

2025-12-18 14:32:15.482 [ERROR] AuthService - Failed login attempt for user 'admin' from IP 192.168.1.105 - Invalid password (attempt 3/5)
Timestamp
2025-12-18 14:32:15.482
Precise moment the event occurred. Critical for timeline reconstruction and correlation. Often includes milliseconds for high-precision timing.
Severity Level
[ERROR]
Indicates importance: DEBUG (verbose), INFO (normal), WARN (potential issue), ERROR (problem occurred), CRITICAL (system failure).
Source/Component
AuthService
The system component or service that generated the log. Helps identify which part of the application is experiencing issues.
Message
Failed login attempt for user 'admin'...
Descriptive text explaining what happened. Should be clear, concise, and actionable.
Additional Context
IP: 192.168.1.105, User: admin, Attempt: 3/5
Supplementary information like IP addresses, usernames, session IDs, request IDs, or other relevant metadata for investigation.

Key Skills for Log Analysis

Pattern Recognition
Identify recurring events, anomalies, and trends in log data. Spot the unusual among the routine.
Filtering & Searching
Master grep, regex, and log query languages to quickly find relevant entries among millions of lines. Example: grep "ERROR" /var/log/app.log
Correlation
Connect related events across different logs and systems to build a complete picture of incidents.
Timeline Reconstruction
Piece together event sequences chronologically to understand causation and the flow of problems.

Practical Analysis: What Happened Here?

Examine these log entries and identify the issue:

2025-12-18 03:15:23 [INFO] AuthService - Login attempt for user 'admin' from 203.0.113.45
2025-12-18 03:15:24 [WARN] AuthService - Failed login for 'admin' from 203.0.113.45 - Invalid password
2025-12-18 03:15:26 [WARN] AuthService - Failed login for 'admin' from 203.0.113.45 - Invalid password
2025-12-18 03:15:28 [WARN] AuthService - Failed login for 'admin' from 203.0.113.45 - Invalid password
2025-12-18 03:15:31 [ERROR] AuthService - Account 'admin' locked due to excessive failed attempts from 203.0.113.45
2025-12-18 03:15:33 [WARN] SecurityMonitor - Potential brute force attack detected from IP 203.0.113.45
What security event is occurring?
A: Server experiencing performance issues due to high load
B: Network connectivity problems causing authentication failures
C: Brute force attack attempting to guess the admin password
D: Legitimate user forgot their password

Additional Scenarios to Watch For:

2025-12-18 10:42:18 [WARN] WebServer - HTTP 404 /admin/config.php from 198.51.100.23
2025-12-18 10:42:19 [WARN] WebServer - HTTP 404 /wp-admin/install.php from 198.51.100.23
2025-12-18 10:42:20 [WARN] WebServer - HTTP 404 /.env from 198.51.100.23

Pattern: Multiple 404 errors for sensitive files suggests reconnaissance or vulnerability scanning.

2025-12-18 15:22:45 [WARN] DiskMonitor - Disk usage at 85% on /dev/sda1
2025-12-18 16:18:32 [ERROR] DiskMonitor - Disk usage at 92% on /dev/sda1
2025-12-18 16:45:01 [CRITICAL] DiskMonitor - Disk usage at 98% on /dev/sda1 - Immediate action required

Pattern: Progressive disk space exhaustion indicates capacity planning issue or runaway process.

Red Flags to Watch For

These patterns should immediately trigger deeper investigation:

Multiple Failed Logins
Repeated authentication failures, especially for privileged accounts, suggest credential stuffing or brute force attacks. Check if attempts are distributed or from single source.
Activity at Unusual Hours
Legitimate system access patterns are predictable. Activity during off-hours (3 AM) or from unexpected geographic locations warrants investigation.
Privilege Escalation
User accounts gaining elevated permissions (especially to root/admin) should be rare and documented. Unexpected escalations may indicate compromise.
Unusual File Access
Access to sensitive files (passwords, configs, databases) outside normal patterns, bulk downloads, or access to many files rapidly suggests data exfiltration.
Repeated Error Spikes
Sudden increases in error rates, especially for specific services or endpoints, indicate system degradation, attacks, or misconfigurations.
Log Gaps or Tampering
Missing time periods, corrupted log files, or disabled logging are major red flags. Attackers often cover their tracks by manipulating logs.

Ready to Test Your Skills?

Think you've mastered the basics? Challenge yourself with real-world log analysis scenarios.

Finished Reviewing?

Mark this module as complete to track your progress and unlock achievements.