ogmini - Exploration of DFIR

Having fun while learning about and pivoting into the world of DFIR.


About Blog Research CTF/Challenge GitHub RSS
28 January 2025

CISA IR Training - Introduction to Log Management (IR210)

by ogmini

Just attended Introduction to Log Management(IR210) offered by CISA. I talked about these in a previous post and would encourage those eligible to register.

In the course we were given:

  • An overview of logs and their importance
  • How to manage logs along with tools and best practices
  • Introduction to tools along with their setup and usage in Labs

The labs had us configure rsyslog with a client and server. We also configured the logs to be sent using TLS by generating certificates and applying them. Finally, we configured and utilized wazuh. and opensource XDR and SIEM.

Thoughts

This was a useful class for reminding participants about the importance of robust, secure logging and how it assists in detecting IOCs and responding to incidents. I’m a little on the fence about how useful the labs were as many of the steps to setup logging would be very specific to the environment. Always fun to play with new software though.

It was nice to hear about CISA’s Logging Made Easy as a free option for small/medium sized organizations to handle centralized log collection and SIEM. Budget for security can be a big problem for smaller organizations.

There was also a good conversation about log retention and how that decision can be impacted by legal requirements and storage space.

tags: training