by Dr. Anton Chuvakin (site, blog, publications)
Started: 06/23/2009
Updated: 08/11/2010
Description: this site contains free, shareable log samples from a range of systems, security and network devices, applications, etc. The logs are collected from real systems; some contain evidence of compromise and other malicious activity. Wherever possible, the logs are NOT sanitized, anonymized or modified in any way (they are just as they came from the logging system).
License / permission to use: public; use for whatever you want. Acknowledging the source (this site and chuvakin.org) would be very nice; Beerware license is even better.
Size: 100.58MB compressed; about 1GB uncompressed.
Date collected: 2006
Source system: Linux Redhat / Fedora
Format: tar gzipped
Type: Linux logs /var/log/messages, /var/log/secure, process accounting records /var/log/pacct, other Linux logs, Apache web server logs /var/log/httpd/access_log, /var/log/httpd/error-log, /var/log/httpd/referer-log and /var/log/httpd/audit_log, Sendmail /var/log/mailog, Squid /var/log/squid/access_log, /var/log/squid/store_log, /var/log/squid/cache_log, etc.
Sanitization: No sanitization or anonymization is performed; no modification of any kind. No additional sanitization is required before use for research.
Size: 3.3MB compressed; about 67.8MB uncompressed.
Date collected: 2004
Source system: Linux Redhat Fedora
Format: gzipped
Type: Linux iptables firewall logs
Sanitization: No sanitization or anonymization is performed; no modification of any kind. No additional sanitization is required before use for research.
Note: some information about what is contained in these logs is here
Size: 3.0MB compressed; about 52.7MB uncompressed.
Date collected: 2005
Source system: Linux RedHat Fedora
Format: tar gzipped
Type: correlated Linux /var/log/messages, Apache /var/log/httpd/access_log, /var/log/httpd/error_log, /var/log/httpd/ssl_error, iptables firewall log and Snort NIDS logs /var/log/snortsyslog
Sanitization: No sanitization or anonymization is performed; no modification of any kind. No additional sanitization is required before use for research.
Note: some information about what is contained in these logs is here
Size: 9.9MB compressed; about 100MB uncompressed.
Date collected: June - August 2005
Source system: Linux Redhat / Fedora
Format: tar bzip2'ed
Type: Linux logs /var/log/messages, /var/log/secure, process accounting records /var/log/pacct, other Linux logs, Apache web server logs /var/log/httpd/access_log, /var/log/httpd/error-log, /var/log/httpd/referer-log and /var/log/httpd/audit_log, Sendmail /var/log/mailog, Squid /var/log/squid/access_log, /var/log/squid/store_log, /var/log/squid/cache_log, etc.
Sanitization: No sanitization or anonymization is performed; no modification of any kind. No additional sanitization is required before use for research.
Note: evidence of at least one system compromise by attackers is present in these logs. Attack method: username/password brute-forcing.
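A password brute-force that ends in a compromise leaves a characteristic trace in /var/log/secure: a run of sshd "Failed password" lines from one address, then an "Accepted password" from the same address. The script below is an added example (not code from this page or from the dataset) that scans lines in that layout and reports source addresses whose failure streak reached a threshold before a successful login. The sample lines, hostname and addresses are constructed; the parser assumes the "Failed/Accepted <method> for [invalid user] <name> from <ip> port <n>" message form that sshd writes, so other lines in the real file (pam_unix "authentication failure" records, for instance) are simply skipped.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/secure syslog layout that sshd writes
# (not lines from the dataset). Hostname and addresses are placeholders.
SAMPLE_SECURE = """\
Jul 12 03:14:01 honeypot sshd[2012]: Failed password for invalid user admin from 10.9.8.7 port 51123 ssh2
Jul 12 03:14:03 honeypot sshd[2014]: Failed password for invalid user test from 10.9.8.7 port 51124 ssh2
Jul 12 03:14:05 honeypot sshd[2016]: Failed password for root from 10.9.8.7 port 51125 ssh2
Jul 12 03:14:07 honeypot sshd[2018]: Failed password for root from 10.9.8.7 port 51126 ssh2
Jul 12 03:14:09 honeypot sshd[2020]: Accepted password for root from 10.9.8.7 port 51127 ssh2
Jul 12 09:30:12 honeypot sshd[2300]: Failed password for jdoe from 192.168.1.20 port 40001 ssh2
Jul 12 09:30:20 honeypot sshd[2302]: Accepted password for jdoe from 192.168.1.20 port 40002 ssh2
Jul 12 11:00:00 honeypot sshd[2400]: Failed password for invalid user oracle from 172.16.5.5 port 33000 ssh2
Jul 12 11:00:02 honeypot sshd[2401]: Failed password for invalid user oracle from 172.16.5.5 port 33001 ssh2
Jul 12 11:00:04 honeypot sshd[2402]: Failed password for invalid user oracle from 172.16.5.5 port 33002 ssh2
Jul 12 11:00:06 honeypot sshd[2403]: Did not receive identification string from 172.16.5.5
"""

# Only the Accepted/Failed authentication lines; everything else is ignored.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd(lines):
    """Yield one dict per Accepted/Failed sshd authentication line."""
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            yield m.groupdict()


def failure_counts(lines):
    """Failed authentication attempts per source IP."""
    counts = defaultdict(int)
    for ev in parse_sshd(lines):
        if ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return dict(counts)


def find_bruteforce_logins(lines, threshold=3):
    """Source IPs that accumulated at least `threshold` failures and then logged in.

    A successful login resets the failure streak for that IP, so the first
    compromise per IP is what gets reported; a legitimate user's single typo
    followed by success stays below the threshold.
    """
    streak = defaultdict(list)   # ip -> usernames tried since the last success
    hits = {}
    for ev in parse_sshd(lines):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            streak[ip].append(ev["user"])
            continue
        if len(streak[ip]) >= threshold and ip not in hits:
            hits[ip] = {
                "failures_before_success": len(streak[ip]),
                "users_tried": sorted(set(streak[ip])),
                "success_user": ev["user"],
                "success_method": ev["method"],
                "success_ts": ev["ts"],
            }
        streak[ip].clear()
    return hits


if __name__ == "__main__":
    lines = SAMPLE_SECURE.splitlines()
    print("failures per IP:", failure_counts(lines))
    for ip, info in find_bruteforce_logins(lines).items():
        print(f"{ip}: {info['failures_before_success']} failures, then "
              f"'{info['success_user']}' accepted at {info['success_ts']}")
```

On the real file, pass `open("/var/log/secure")` (or the decompressed file from the archive) in place of the sample lines. The threshold is a tuning knob: the scanner in the sample is reported at the default of 3, the user who mistyped once is not, and the third address never succeeds, which is the usual noise this check has to ignore.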
Size: 129MB compressed; about 1.5GB uncompressed.
Date collected: Sep - Dec 2006
Source system: Linux Redhat / Fedora, Snort NIDS, iptables firewall
Format: bzip2 tar'ed
Type: /var/log/allow is an ugly mess of a log file produced by configuring the syslog daemon to log "*.*" to a single file. The main logging components of interest here are Snort NIDS in inline mode watching a honeynet of Linux systems, and the iptables firewall for the same honeynet. You can ignore the actual Linux syslog messages if you like, since they are not the victim hosts' logs but the sensor's (unless you are into analyzing the system health of honeypot sensors, that is :-))
Sanitization: No sanitization or anonymization is performed; no modification of any kind. No additional sanitization is required before use for research.
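Because a "*.*" file mixes every facility into one stream, the first step is to split it by the syslog program name and hand the two interesting sources to their own parsers: iptables LOG lines (kernel: <prefix> IN= OUT= SRC= DST= ... PROTO= SPT= DPT= plus bare flag tokens such as SYN) and Snort's syslog alert output ([gid:sid:rev] signature [Classification: ...] [Priority: n] {proto} src:port -> dst:port). The script below is an added example, not code from this page or from the dataset; the sample lines, hostnames, addresses, the iptables log prefix and the Snort rule names and SIDs (chosen from the local-rule range) are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a catch-all "*.*" syslog file (not lines from the
# dataset): iptables kernel logs, Snort alerts in syslog output mode and
# ordinary sensor housekeeping, interleaved.
SAMPLE_ALLOW = """\
Nov  3 10:15:22 sensor kernel: INBOUND TCP: IN=br0 OUT=br0 SRC=203.0.113.5 DST=10.0.0.12 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 10:15:22 sensor snort[1122]: [1:1000001:1] LOCAL inbound SSH probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:43211 -> 10.0.0.12:22
Nov  3 10:15:24 sensor sshd[200]: Accepted publickey for analyst from 10.0.0.1 port 5000 ssh2
Nov  3 10:15:25 sensor kernel: INBOUND TCP: IN=br0 OUT=br0 SRC=198.51.100.7 DST=10.0.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9001 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 10:15:25 sensor kernel: INBOUND TCP: IN=br0 OUT=br0 SRC=198.51.100.7 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=9002 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=17520 RES=0x00 ACK URGP=0
Nov  3 10:15:26 sensor snort[1122]: [1:1000002:3] LOCAL SMB exploit attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:1025 -> 10.0.0.12:445
Nov  3 10:15:27 sensor kernel: INBOUND UDP: IN=br0 OUT=br0 SRC=192.0.2.9 DST=10.0.0.12 LEN=404 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Nov  3 10:16:01 sensor crond[300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<sig>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_iptables(msg):
    """Turn the body of an iptables LOG line into a dict; the --log-prefix, if any, goes under 'prefix'."""
    pos = msg.find("IN=")
    if pos < 0 or "SRC=" not in msg:
        return None                      # some other kernel message
    rec = {"prefix": msg[:pos].strip().rstrip(":").strip()}
    for key, val in KV_RE.findall(msg[pos:]):
        rec.setdefault(key, val)         # first LEN= is the IP length; UDP/ICMP repeat LEN= later
    # bare tokens (DF, SYN, ACK, ...) are flags without a value
    rec["flags"] = [t for t in msg[pos:].split() if "=" not in t]
    return rec


def parse_snort(msg):
    m = SNORT_RE.match(msg)
    return m.groupdict() if m else None


def demux(lines):
    """Split a '*.*' syslog file into iptables records, Snort alerts and a count of everything else."""
    out = {"iptables": [], "snort": [], "other": Counter(), "unparsed": 0}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            out["unparsed"] += 1
            continue
        ev = m.groupdict()
        rec, bucket = None, None
        if ev["prog"] == "kernel":
            rec, bucket = parse_iptables(ev["msg"]), "iptables"
        elif ev["prog"] == "snort":
            rec, bucket = parse_snort(ev["msg"]), "snort"
        if rec is None:
            out["other"][ev["prog"]] += 1
            continue
        rec["ts"] = ev["ts"]
        out[bucket].append(rec)
    return out


def correlate(demuxed):
    """For each Snort alert, count the firewall-logged packets from the same source to the same destination socket."""
    by_socket = defaultdict(int)
    for p in demuxed["iptables"]:
        by_socket[(p.get("SRC"), p.get("DST"), p.get("DPT"))] += 1
    return [
        {"sid": a["sid"], "sig": a["sig"], "src": a["src"], "dst": a["dst"], "dport": a["dport"],
         "packets_seen": by_socket.get((a["src"], a["dst"], a["dport"]), 0)}
        for a in demuxed["snort"]
    ]


if __name__ == "__main__":
    d = demux(SAMPLE_ALLOW.splitlines())
    print(len(d["iptables"]), "iptables records,", len(d["snort"]), "snort alerts, other:", dict(d["other"]))
    for c in correlate(d):
        print(f"sid {c['sid']} {c['sig']!r}: {c['src']} -> {c['dst']}:{c['dport']} ({c['packets_seen']} packets logged)")
```

The correlation step is where the mixed file earns its keep: an alert with zero matching firewall records (or a firewall burst with no alert) is the discrepancy worth chasing, and the "other" counter tells you how much of the file is sensor housekeeping you can drop.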
Size: 21.6MB compressed; about 1GB uncompressed.
Date collected: 2006-2007, logs for 590 days of continuous operation(!)
Source system: Enterasys Dragon NIDS v4.x
Format: bzip2 tar'ed
Type: standard Dragon NIDS alert logs, all signatures enabled. Automatic signature update enabled.
Sanitization: No sanitization or anonymization is performed. No additional sanitization is required before use for research.
Size: 43.3MB compressed; about 1GB uncompressed.
Date collected: 2004
Source system: Linux Redhat 7.1 system deployed in the honeynet
Format: tar bzip2'ed
Type: Linux logs /var/log/messages, /var/log/secure, process accounting records /var/log/pacct, other Linux logs, Apache web server logs /var/log/httpd/access_log and /var/log/httpd/error-log, Sendmail /var/log/mailog, Squid /var/log/squid/access_log, /var/log/squid/store_log, /var/log/squid/cache_log, etc. (fun Squid proxy logs during honeynet operation as an open proxy)
Sanitization: No sanitization or anonymization is performed; no modification of any kind. No additional sanitization is required before use for research.
Size: 280MB compressed; about 2.6GB uncompressed.
Date collected: 2005
Source system: BlueCoat web proxy, unknown version
Format: zip
Type: Standard web proxy log in W3C format (header, tab separated) from a BlueCoat web proxy appliance. These logs were collected on a lab network; simulated traffic might be mixed with production traffic.
Sanitization: No sanitization or anonymization was performed; no modification of any kind. No additional sanitization is required before use for research.
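A W3C Extended Log Format file is self-describing: "#" directive lines carry metadata, the "#Fields:" directive names the columns, each record is one line of values in that order, and "-" marks an empty value. Blue Coat appliances write a fresh directive block on rotation or format change, so a parser has to re-key on every "#Fields:" it meets rather than only the first. The script below is an added example (not code from this page or from the dataset) that parses such a file, handles both the tab-separated layout described above and the space-separated, quoted variant, and runs a few first-pass checks over the result. The field list, addresses, hosts and rows are constructed; the field names assumed are Blue Coat's usual ones (c-ip, cs-method, sc-filter-result, cs-uri-port, and so on).

```python
import csv
from collections import Counter, defaultdict

# Constructed sample in W3C ELF as a Blue Coat ProxySG writes it: directive
# lines, then tab-separated records named by the #Fields directive. Not lines
# from the dataset; every host, address and user is a placeholder.
_HEADER = [
    "#Software: SGOS (constructed sample)",
    "#Version: 1.0",
    "#Date: 2005-06-01 00:00:00",
    "#Fields: date time time-taken c-ip cs-username sc-filter-result sc-status s-action "
    "cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query sc-bytes cs-bytes cs(User-Agent)",
]
_ROWS = [
    ["2005-06-01", "08:00:01", "120", "10.1.1.50", "jdoe", "OBSERVED", "200", "TCP_HIT",
     "GET", "http", "www.example.com", "80", "/index.html", "-", "5120", "412", "Mozilla/4.0 (compatible; MSIE 6.0)"],
    ["2005-06-01", "08:00:05", "900", "10.1.1.51", "asmith", "OBSERVED", "200", "TCP_MISS",
     "GET", "http", "update.example.org", "80", "/patch.exe", "-", "1048576", "380", "Mozilla/4.0 (compatible; MSIE 6.0)"],
    ["2005-06-01", "08:01:10", "30000", "10.1.1.50", "jdoe", "OBSERVED", "200", "TCP_TUNNELED",
     "CONNECT", "tcp", "mail.example.net", "443", "-", "-", "20480", "9100", "-"],
    ["2005-06-01", "08:02:00", "5", "10.1.1.52", "-", "DENIED", "403", "TCP_DENIED",
     "GET", "http", "badsite.example", "80", "/", "-", "1200", "300", "Mozilla/5.0"],
    ["2005-06-01", "08:02:30", "120000", "10.1.1.52", "-", "OBSERVED", "200", "TCP_TUNNELED",
     "CONNECT", "tcp", "203.0.113.9", "22", "-", "-", "90000", "70000", "-"],
    ["2005-06-01", "08:03:00", "10", "10.1.1.50", "jdoe", "OBSERVED", "304", "TCP_HIT",
     "GET", "http", "www.example.com", "80", "/img.png", "-", "0", "350", "Mozilla/4.0 (compatible; MSIE 6.0)"],
]
SAMPLE_BLUECOAT = "\n".join(_HEADER + ["\t".join(r) for r in _ROWS]) + "\n"

# The same format with single-space separators and quoted values, which some
# ProxySG log formats use instead of tabs (also constructed).
SAMPLE_SPACED = "\n".join(_HEADER + [
    '2005-06-01 08:04:00 50 10.1.1.53 bjones OBSERVED 200 TCP_MISS GET http www.example.com 80 '
    '"/a b.html" - 700 400 "Mozilla/4.0 (compatible; MSIE 6.0)"'
]) + "\n"


def _split_values(line):
    """Tab-separated records split on tabs (stripping optional quotes); otherwise treat as space-separated with quoting."""
    if "\t" in line:
        vals = line.split("\t")
        return [v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v for v in vals]
    return next(csv.reader([line], delimiter=" ", quotechar='"'))


def parse_w3c(text):
    """Parse W3C ELF text into dicts keyed by the #Fields names; '-' becomes None."""
    fields = None
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()   # re-key on every directive block
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = _split_values(raw)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def summarize(records):
    """First-pass checks: policy results, bytes per client, and CONNECT tunnels to non-443 ports."""
    by_result = Counter(r["sc-filter-result"] for r in records)
    bytes_by_client = defaultdict(int)
    for r in records:
        bytes_by_client[r["c-ip"]] += int(r["sc-bytes"] or 0)
    # CONNECT to anything other than 443 is a tunnel worth a second look (SSH, IRC, a proxy behind the proxy)
    odd_tunnels = Counter(
        (r["cs-host"], r["cs-uri-port"]) for r in records
        if r["cs-method"] == "CONNECT" and r["cs-uri-port"] != "443"
    )
    return {"by_result": by_result, "bytes_by_client": dict(bytes_by_client), "odd_tunnels": odd_tunnels}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_BLUECOAT)
    print(len(recs), "records;", summarize(recs))
```

The strict column-count check is deliberate: a record with the wrong number of values usually means the field list changed without a new directive, or a value containing the separator was not quoted, and either is better surfaced than silently misaligned.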
Size: 25MB compressed; about 300MB uncompressed.
Date collected: 2004
Source system: Apache web server deployed as an open proxy, run by the Honeynet Project for research purposes. Not production environment.
Format: tar gzipped
Type: all types of Apache web server logs (access_log, error_log, audit_log, various ssl logs, etc.)
Sanitization: IP address sanitization for the proxy address is performed. No additional sanitization is required before use for research.
Additional information: