Web Server Access & Error Logs

Linux, Execution Evidence, Disk Image, SIEM / Log Aggregator

Location

/var/log/apache2/access.log, /var/log/nginx/access.log, /var/log/httpd/access_log (and corresponding error logs)

Description

HTTP server access logs recording every request with client IP, timestamp, HTTP method, URI path, query parameters, response code, bytes transferred, referrer, and user agent. Error logs capture application errors, CGI failures, and module warnings.

Forensic Value

Web server logs are the primary artifact for web application compromise investigations. SQL injection, path traversal, webshell uploads, and RCE attempts are recorded with the full request URI and parameters. Successful webshell access appears as POST requests to unusual file paths (e.g., /uploads/cmd.php) from attacker IPs. Error logs reveal failed exploitation attempts and the specific vulnerabilities targeted. Response codes and byte sizes distinguish successful attacks from failed attempts.

Tools Required

grep, awk, GoAccess, SIEM (Splunk, Elastic), Apache Scalp

Collection Commands

tar

tar czf /forensics/output/web_logs.tar.gz /var/log/apache2/ /var/log/nginx/ /var/log/httpd/

grep

grep -E "POST.*\.(php|jsp|asp)|cmd=|exec=|/etc/passwd|\.\./" /var/log/apache2/access.log > /forensics/output/web_suspicious.log

awk

awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn > /forensics/output/web_top_ips.txt

grep

grep -i "error\|warn\|fatal" /var/log/apache2/error.log > /forensics/output/web_errors.log
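As an added example (not part of the original page), a Python triage script that parses Apache/nginx combined-format access log lines, applies the indicators from the grep command above to the percent-decoded URI (so encoded traversal such as %2e%2e%2f is not missed), counts requests per source IP, and marks whether each flagged request likely succeeded from its status code and byte count. The sample lines are constructed, and the success heuristic is an assumption, not a rule from the page.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [ts] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators modelled on the grep command above, checked against the percent-decoded URI
INDICATORS = {
    "post_to_script": lambda r: r["method"] == "POST" and re.search(r"\.(php|jsp|asp)$", r["path"]),
    "command_param": lambda r: re.search(r"[?&](cmd|exec)=", r["uri"]),
    "passwd_read": lambda r: "/etc/passwd" in r["uri"],
    "path_traversal": lambda r: "../" in r["uri"],
}

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["uri"] = unquote(rec["uri"])            # so %2e%2e%2f is seen as ../
    rec["path"] = rec["uri"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def triage(lines):
    ips, hits = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                             # skip malformed or non-combined lines
        ips[rec["ip"]] += 1
        tags = [name for name, test in INDICATORS.items() if test(rec)]
        if tags:
            # Heuristic (assumption): a 2xx with a body means a handler answered; 4xx/5xx or no body means it likely failed
            succeeded = 200 <= rec["status"] < 300 and rec["bytes"] > 0
            hits.append({"ip": rec["ip"], "uri": rec["uri"], "status": rec["status"], "tags": tags, "succeeded": succeeded})
    return {"top_ips": ips.most_common(), "hits": hits}

# Constructed sample lines for illustration, not from a real incident
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "POST /uploads/cmd.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.31"',
]
```

Run it against a copied access.log with `triage(open(path))` and review the hits ordered by source IP alongside the error log for the same time window.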

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

T1190, T1505.003, T1071.001, T1059.004

Related Blockers

M365/Azure Logs Past Retention Period

Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.

Unknown Scope of Credential Compromise

One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.

Attacker Using VPN/Tor -- Cannot Determine True Origin

The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.

Suspected Insider Still Has Access -- Investigation Must Be Covert

The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.

Exploitation of Unknown or Unpatched Vulnerability

The initial access vector appears to be a zero-day or otherwise unpatched vulnerability with no public advisory, CVE, or patch available. Signature-based detection misses the exploit; response must pivot to behavioral hunting, exploit-chain hypothesis, and vendor/CERT coordination to accelerate disclosure and mitigation.