
Database logs

We just saw how to process basic application server logs. Let's now see how to grab database logs and make the most of them in a forensic investigation. Database servers such as MySQL and MS SQL keep log files whose entries let an investigator reconstruct the chain of events far more precisely. The general query log in MySQL records every statement the server received during the attack window, together with the connection (thread) ID and time stamp of each entry:

We can see that the general query log lets us view the attacker's failed attempts to log in to the MySQL server (these appear as Access denied entries on the Connect command). However, it also shows two successful connections. Let's investigate those further:

We can see that, after the failed attempts, the attacker logged in and ran the queries recorded under that connection's ID. Because the general query log tags each entry with the connection ID, queries should be attributed to a session by that ID rather than by time stamp alone. Query log files are convenient for pinpointing the attacker's actual intent. In the upcoming chapters, we will look at numerous case study examples on various databases.
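The triage described above (separate the failed logins from the successful ones, then read the queries run inside each successful session), as an added example that is not code from the original book. It parses a constructed excerpt in the MySQL 5.7/8.0 general log file format, rebuilds sessions by connection ID, handles statements that span several lines, and applies a small set of assumed heuristics (INTO OUTFILE, LOAD_FILE, mysql.user, information_schema) to flag queries worth a closer look; the sample lines, hosts, and heuristics are all assumptions for illustration.

```python
"""
Triage a MySQL general query log: rebuild per-connection sessions, separate
failed logins (Access denied) from successful ones, and flag queries whose
shape suggests credential theft or file-system access.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample in the MySQL 5.7/8.0 general log file format; not a real
# capture. The first three lines are the header mysqld writes when it opens the
# log. Columns are: time, tab, connection id, space, command, tab, argument.
SAMPLE_LOG = """\
/usr/sbin/mysqld, Version: 8.0.32 (MySQL Community Server - GPL). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument
2023-05-01T10:15:01.123456Z\t   12 Connect\troot@192.0.2.10 on  using TCP/IP
2023-05-01T10:15:01.123789Z\t   12 Connect\tAccess denied for user 'root'@'192.0.2.10' (using password: YES)
2023-05-01T10:15:05.000000Z\t   13 Connect\troot@192.0.2.10 on  using TCP/IP
2023-05-01T10:15:05.000200Z\t   13 Connect\tAccess denied for user 'root'@'192.0.2.10' (using password: YES)
2023-05-01T10:15:12.000000Z\t   14 Connect\troot@192.0.2.10 on shop using TCP/IP
2023-05-01T10:15:12.500000Z\t   14 Query\tSELECT user, authentication_string FROM mysql.user
2023-05-01T10:15:20.000000Z\t   14 Query\tSELECT id, email, card_number
FROM customers
WHERE country = 'US'
2023-05-01T10:15:25.000000Z\t   14 Query\tSELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/cmd.php'
2023-05-01T10:15:30.000000Z\t   14 Quit\t
2023-05-01T10:16:00.000000Z\t   15 Connect\tshop_app@localhost on shop using Socket
2023-05-01T10:16:00.100000Z\t   15 Query\tSELECT name, price FROM products WHERE id = 42
2023-05-01T10:16:00.200000Z\t   15 Quit\t
"""

# Assumes the ISO-8601 time stamps of MySQL 5.7+/8.0; older 5.6-style logs
# ("170221 12:05:13") would need a different time pattern.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\t\s*(?P<id>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$"
)
HEADER_PREFIXES = ("Tcp port:", "Time ")


@dataclass
class Event:
    time: str
    conn_id: int
    command: str
    argument: str


def parse_general_log(text):
    """Parse log text into Events, gluing multi-line statements onto the
    event they belong to (continuation lines carry no time stamp)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(Event(m["time"], int(m["id"]), m["cmd"], m["arg"]))
        elif events and raw.strip() and not raw.startswith(HEADER_PREFIXES) \
                and not raw.endswith("started with:"):
            events[-1].argument += "\n" + raw
    return events


def sessions(events):
    """Group events by connection id (the Id column), in first-seen order."""
    by_id = OrderedDict()
    for ev in events:
        by_id.setdefault(ev.conn_id, []).append(ev)
    return by_id


# Query shapes worth a second look during triage (assumed heuristics, not an
# exhaustive list): writing files to disk, reading files, credential or schema
# enumeration.
SUSPICIOUS = [
    (re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I), "file write via INTO OUTFILE/DUMPFILE"),
    (re.compile(r"\bLOAD_FILE\s*\(", re.I), "file read via LOAD_FILE()"),
    (re.compile(r"\bmysql\.user\b", re.I), "credential table access"),
    (re.compile(r"\binformation_schema\b", re.I), "schema enumeration"),
]


def flag_queries(queries):
    """Return (reason, query) pairs for queries matching a SUSPICIOUS pattern."""
    hits = []
    for q in queries:
        for pattern, reason in SUSPICIOUS:
            if pattern.search(q):
                hits.append((reason, q))
                break
    return hits


def triage(text):
    """Split connections into failed logins and successful sessions, and
    attach the queries (plus any flagged ones) run inside each success."""
    failed, success = [], {}
    for conn_id, evs in sessions(parse_general_log(text)).items():
        denied = [e for e in evs
                  if e.command == "Connect" and e.argument.startswith("Access denied")]
        if denied:
            failed.append((conn_id, denied[0].time, denied[0].argument))
        elif any(e.command == "Connect" for e in evs):
            queries = [e.argument for e in evs if e.command == "Query"]
            success[conn_id] = {
                "user": next(e.argument for e in evs if e.command == "Connect"),
                "queries": queries,
                "flagged": flag_queries(queries),
            }
    return {"failed": failed, "success": success}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for conn_id, when, why in result["failed"]:
        print(f"[failed]  id={conn_id} {when} {why}")
    for conn_id, info in result["success"].items():
        print(f"[session] id={conn_id} {info['user']}: {len(info['queries'])} queries")
        for reason, query in info["flagged"]:
            print(f"          flagged ({reason}): {query.splitlines()[0]}")
```

Grouping by the Id column is what makes the attribution reliable: the brute-force attempts and the successful session may share an IP and come within seconds of each other, but each connection gets its own ID, so the queries belong to session 14 regardless of what else was interleaved in time.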

On XAMPP (as on any MySQL or MariaDB server, given the SUPER or SYSTEM_VARIABLES_ADMIN privilege), the general query log can be enabled at runtime with the following statement:

SET global general_log = 1;  -- writes to the default general_log_file under the data directory

A more complete way is to choose the destination and the file path first, then switch the log on:

SET global general_log_file = '/tmp/mysql.log';  -- path must be writable by the mysqld process
SET global log_output = 'FILE';                   -- 'TABLE' would write to mysql.general_log instead
SET global general_log = 'ON';

Two caveats apply. These SET GLOBAL changes take effect immediately but are lost when the server restarts; to make them persistent, place general_log, general_log_file, and log_output under the [mysqld] section of my.cnf (my.ini on Windows, which is where XAMPP keeps it, and where a Unix path such as /tmp will not exist). Secondly, enabling the log only captures activity from that moment on, so evidence of an attack that has already happened has to come from logging that was in place beforehand. The general log also grows quickly on a busy server and records every statement, so watch the disk and restrict access to the file.