Security Operations · SY0-701 · Task 4.9

Log data sources — SY0-701

Master log data sources for Security+: learn which source to consult for each investigative question and avoid the syslog/SIEM trap.

WHAT IT IS

A log is "a record of the events occurring within an organization's systems and networks" (NIST SP 800-92). A log data source is any system or component that generates those records — firewalls, operating systems, applications, intrusion detection systems, and others. Each source contributes a distinct category of evidence about what happened, where, and when.

Log management — "the process for generating, transmitting, storing, analyzing, and disposing of log data" (NIST SP 800-92) — depends on knowing which sources exist and what evidence each one holds.


Mental model

Think of a building with multiple types of recording devices: door-badge readers, security cameras, phone-call registers, and inventory scanners. Each captures a different slice of activity. No single device tells the whole story. Log data sources work the same way: you match the question you need to answer to the source that recorded that layer of activity.


When to use it

The exam routinely asks which source an analyst should consult given a specific investigative question. Use this table to map the question to the source:

| Source | What it records | Representative investigative question |
| --- | --- | --- |
| Firewall log | Traffic allowed or blocked at a network gateway — "a gateway that limits access between networks in accordance with local security policy" (CNSSI 4009-2015) | Did traffic to this external IP get permitted or blocked? |
| Intrusion detection system (IDS) log | "Attempts to access system resources in an unauthorized manner" observed on the network or host (NIST SP 800-82r3) | Were any known-attack signatures triggered? |
| Operating system log / audit log | "A chronological record of system activities. Includes records of system accesses and operations performed in a given period." (CNSSI 4009-2015) | Which user account logged in at this time, and what processes ran? |
| Application log | Events emitted by individual software applications about their own behavior | Did this web application return an error to that request? |
| Network traffic / PCAP | "Computer network communications that are carried over wired or wireless networks between hosts" (NIST SP 800-86) | What were the exact bytes exchanged between these two hosts? |
| Syslog | Records transmitted using "a protocol that specifies a general log entry format and a log entry transport mechanism" (NIST SP 800-92) — a transport format, not a source category | How do we centralize records from diverse devices in a common format? |

A SIEM — "a program that provides centralized logging capabilities for a variety of log types" (NIST SP 800-92) — aggregates records from these sources; it is not itself the originating source.


COMMON MISCONCEPTION

The misconception: "syslog is a source of events, not just a transport format." Candidates often conflate "the system sent syslog" with "syslog is the data source." NIST defines syslog as a protocol specifying a log entry format and transport mechanism (NIST SP 800-92). The originating source is still the firewall, operating system, or application that emitted the event; syslog is simply the channel and format used to carry individual log entries ("an individual record within a log," NIST SP 800-92) to a central collector.

Similarly, a SIEM is not a data source; it is a system that receives, correlates, and stores records that originated elsewhere.
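The table above and the misconception just described both come down to one habit: when a record arrives over syslog, attribute it to the device or application that emitted it, never to "syslog" itself. The following Python script is an added example written for this page (it is not CutScore's code or any vendor's tooling). It parses a handful of constructed RFC 5424-style lines as a central collector would receive them, tags each record with its originating source category using an assumed app-name mapping (`pf`, `suricata`, `sshd`, `nginx` are stand-ins the analyst would maintain for their own environment), and then answers an investigative question by pulling only the records from the source the table points to. Note that "syslog" never appears as a source category in the output.

```python
"""Attribute syslog-transported records to their originating source (added example)."""
import re
from collections import Counter

# Constructed sample: RFC 5424-style lines as a collector might receive them over
# syslog. Hostnames, app names, signature id and addresses are invented.
SAMPLE_SYSLOG = """\
<134>1 2024-05-01T10:00:01Z fw-edge-01 pf - - - action=block src=10.0.5.7 dst=203.0.113.9 dport=443
<134>1 2024-05-01T10:00:02Z fw-edge-01 pf - - - action=pass src=10.0.5.7 dst=198.51.100.4 dport=443
<140>1 2024-05-01T10:00:03Z ids-01 suricata - - - alert sid=9999999 msg="constructed test signature" src=10.0.5.7
<86>1 2024-05-01T10:00:04Z ws-042 sshd - - - Accepted password for jdoe from 10.0.5.7 port 51234
<14>1 2024-05-01T10:00:05Z web-01 nginx - - - GET /login -> 500 from 10.0.5.7
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)

# Assumed mapping from emitting app-name to the originating source category.
# An analyst maintains this for their environment; "syslog" is never a value here.
APP_TO_SOURCE = {
    "pf": "firewall",
    "suricata": "ids",
    "sshd": "os_audit",
    "nginx": "application",
}

# The page's table, reduced to question category -> source to consult.
QUESTION_TO_SOURCE = {
    "blocked_connection": "firewall",
    "signature_hit": "ids",
    "account_login": "os_audit",
    "app_error": "application",
}


def parse_syslog(line):
    """Parse one RFC 5424 line into a dict; return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,  # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "msg": m.group("msg"),
        # The source is the emitting device/app, not the syslog channel.
        "source_type": APP_TO_SOURCE.get(m.group("app"), "unknown"),
    }


def ingest(text):
    """Parse every non-empty line, silently skipping malformed ones."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_syslog(line)
        if parsed is not None:
            entries.append(parsed)
    return entries


def source_summary(entries):
    """Count records per originating source category."""
    return dict(Counter(e["source_type"] for e in entries))


def evidence_for(question, entries):
    """Return the records an analyst should examine for a question category."""
    source = QUESTION_TO_SOURCE[question]
    return [e for e in entries if e["source_type"] == source]


if __name__ == "__main__":
    records = ingest(SAMPLE_SYSLOG)
    print(source_summary(records))
    for e in evidence_for("blocked_connection", records):
        print(e["host"], e["app"], e["msg"])
```

Records whose app-name is not in the mapping come back as `unknown` rather than being dropped, so a new device showing up in the collector is visible as a gap in the mapping instead of silently disappearing from every investigative view.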


How it shows up on the exam

The cognitive target is application — not recall of definitions but the ability to select the appropriate source given a described scenario. A scenario may present an analyst who needs to answer a specific operational question (unauthorized login, lateral movement, data exfiltration, blocked connection) and ask which log or combination of logs would provide the relevant evidence.

Candidates who have memorized that "firewalls generate logs" but have not internalized what evidence each source type holds tend to confuse firewall logs (network-boundary decisions) with IDS logs (signature-based detections) or OS audit logs (user-account and process activity). An event is "something that occurs within a system or network" (NIST SP 800-92); the exam tests whether you can identify which system or network component records a given category of event.

Watch for scenarios that name a central collector (SIEM) or transport (syslog) as if they were the originating source — that framing is a common trap.


Related concepts

  • Packet captures — full network traffic recordings that complement log summaries with raw payload data
  • Dashboards and reports — the visualization layer that consumes aggregated log data from a SIEM or similar platform
  • Secure baselines — the reference configurations against which OS and application log data is compared to detect drift

Sources

Every claim on this page traces to the public exam blueprint and official documentation.
