📊 How to Perform Log Analysis in Cybersecurity
Log analysis is the practice of reviewing and interpreting log data to detect threats, troubleshoot issues, and support investigations. Logs are the digital breadcrumbs of systems, applications, and users — and a key component of any modern cybersecurity strategy.
🔎 Why Log Analysis Is Important
| 🔍 Use Case | ✅ Benefit |
|---|---|
| Threat Detection | Identify brute force attacks, lateral movement, C2 traffic, etc. |
| Incident Response | Reconstruct attacker actions across systems. |
| Compliance | Meet requirements (e.g. ISO 27001, PCI-DSS, SOX) for audit logging. |
| Troubleshooting | Diagnose system issues, misconfigurations, or failed processes. |
🧰 Key Log Sources in Cybersecurity
| Source | What to Look For |
|---|---|
| Windows Event Logs | Logon attempts, privilege use, process creation (IDs 4624, 4688, etc.) |
| Syslog (Linux/Network) | SSH access, sudo use, daemon activity, network service logs |
| Firewall Logs | Allowed/denied connections, source/destination IPs, ports |
| Web Server Logs | URL access, status codes, user agents (for injection attempts) |
| DNS Logs | Unexpected lookups to DGA/C2 domains |
| EDR/XDR Logs | Process trees, file changes, detections |
| Cloud Logs (AWS/Azure) | IAM activity, API calls, failed logins, resource changes |
| Authentication Logs | VPN usage, failed logins, MFA attempts |
📋 Common Tools for Log Analysis
| Tool | Description |
|---|---|
| Splunk | Enterprise-grade SIEM with query language (SPL) |
| ELK Stack (Elasticsearch, Logstash, Kibana) | Open-source log aggregation, search, and visualisation |
| Graylog | Centralised logging with correlation and alerting |
| Logwatch / journalctl | Linux built-in log review tools |
| CloudTrail / Azure Monitor | Cloud-native audit log platforms |
🔧 Step-by-Step Guide to Log Analysis
🧲 1. Collect Logs
- Use a SIEM, syslog server, or agent-based collector.
- Ensure logs are centralised, time-synchronised (NTP), and retained (30–365 days depending on policy).
🧹 2. Normalise & Parse
- Use Logstash or custom scripts to:
  - Parse timestamps
  - Extract fields (e.g. `src_ip`, `user`, `command`)
  - Convert logs to a searchable format (JSON, CSV)
🔍 3. Apply Filters & Queries
Example queries (Splunk SPL syntax):
- Failed login attempts: `index=auth "Failed password" OR event_id=4625`
- Suspicious PowerShell usage: `index=windows EventCode=4104 | search script_block_text=*Invoke-WebRequest*`
- Geolocation anomalies: `index=vpn | stats count by user, src_ip | lookup geoip src_ip`
🚩 4. Look for Indicators of Compromise (IOCs)
- Suspicious IPs or hashes (use threat intel feeds)
- Account logins from new geographies or unusual hours
- Repeated failed logins followed by success
- Privilege escalation events
🕵️ 5. Correlate Events
- Map user activity across systems (e.g. login → access file share → run script)
- Use MITRE ATT&CK to understand the adversary’s tactics: Initial Access → Execution → Persistence → Exfiltration
🧾 6. Generate Reports or Alerts
- Create dashboards and email alerts for:
- Multiple failed logins
- New admin accounts
- Large outbound file transfers
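Steps 2 to 6 above, carried through end to end in one place, as an added example that is not code from the original article: it parses constructed sshd and sudo lines in classic BSD syslog format into normalised JSON-ready events, filters them by field, applies the "repeated failed logins followed by success" indicator from step 4, and renders the result as alert lines. Everything in it is an assumption for illustration: the sample log, the RFC 5737 documentation addresses, the three-failure threshold and the ten-minute window.

```python
"""Minimal log-analysis pipeline: parse -> normalise -> query -> detect -> alert.

Added example, not code from the original article. It assumes OpenSSH sshd and
sudo messages in classic BSD syslog format; the sample lines below are
constructed for this example, not a real capture.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in /var/log/auth.log style (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
Mar  3 02:58:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:58:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:58:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:58:07 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:58:09 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:58:20 web01 sshd[2220]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar  3 03:10:44 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Mar  3 03:11:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<port>\d+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<command>.*)$")

def parse_line(line, year=2024):
    """Step 2: one raw syslog line -> normalised dict (BSD timestamps lack a year)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"timestamp": ts.isoformat(), "host": m["host"], "program": m["prog"]}
    sshd, sudo = SSHD_RE.match(m["msg"]), SUDO_RE.match(m["msg"])
    if m["prog"] == "sshd" and sshd:
        event.update(event_type="auth", outcome=sshd["outcome"].lower(),
                     user=sshd["user"], src_ip=sshd["src_ip"], method=sshd["method"])
    elif m["prog"] == "sudo" and sudo:
        event.update(event_type="sudo", user=sudo["user"], command=sudo["command"])
    else:
        event.update(event_type="other", message=m["msg"])
    return event

def parse_log(text):
    """Parse every line of a log, dropping lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def to_json_lines(events):
    """Searchable output: one JSON object per line, as a SIEM would ingest."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

def query(events, **filters):
    """Step 3: exact field=value filter, in the spirit of `index=auth outcome=failed`."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]

def detect_bruteforce_success(events, threshold=3, window_s=600):
    """Step 4: IOC 'repeated failed logins followed by success'. For each accepted
    login, count failures from the same src_ip within the preceding window_s."""
    by_ip = defaultdict(list)
    for e in sorted(query(events, event_type="auth"), key=lambda e: e["timestamp"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "accepted":
                continue
            t_ok = datetime.fromisoformat(e["timestamp"])
            fails = [f for f in evs[:i] if f["outcome"] == "failed" and
                     (t_ok - datetime.fromisoformat(f["timestamp"])).total_seconds() <= window_s]
            if len(fails) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                               "src_ip": ip, "host": e["host"], "user": e["user"],
                               "failed_attempts": len(fails), "time": e["timestamp"],
                               "targeted_users": sorted({f["user"] for f in fails})})
    return alerts

def render_alerts(alerts):
    """Step 6: one-line summaries suitable for an email alert or dashboard row."""
    return [f"[{a['severity'].upper()}] {a['time']} {a['rule']}: {a['failed_attempts']} "
            f"failures from {a['src_ip']}, then success as {a['user']} on {a['host']}"
            for a in alerts]
```

Running `render_alerts(detect_bruteforce_success(parse_log(SAMPLE_LOG)))` yields a single high-severity alert for 203.0.113.7 (five failures against `admin` and `root`, then a successful `root` password login), while the later key-based `deploy` login produces nothing. The unparsed-line branch and the per-source-IP window are the two places a real pipeline most often goes wrong: lines silently dropped by a regex are invisible gaps, and counting failures across all IPs rather than per source turns every busy server into a false positive.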
🧪 Real-World Example
Scenario: Security alert triggered for suspicious behaviour on a finance server
Steps:
- Correlated login events to see the user logged in at 3 AM
- Event ID 4688 showed execution of `powershell.exe`
- DNS logs showed contact with a suspicious domain
- File access logs revealed CSV downloads of payroll data
→ Result: Account compromise confirmed, immediate IR launched.
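The correlation in this scenario, written as a rule rather than a manual review, as an added example that is not the article's own code: already-normalised events from Windows Security (4624 logon, 4688 process creation), DNS and file-audit logs are placed on a per-user timeline, each matched observation is mapped to an ATT&CK tactic, and an account whose observations span several tactics inside a short window is flagged. Every value is constructed for illustration: the host and user names, the addresses, the watchlist domain `suspicious.example`, the "payroll" path hint, the 30-minute window and the 00:00-05:59 off-hours range.

```python
"""Cross-source correlation for the finance-server scenario.

Added example, not from the original article. Input events are already
normalised dicts, as a SIEM would hold them after parsing; every value below
(hosts, users, IPs, the watchlist domain, the file paths) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from four sources, deliberately not in time order.
EVENTS = [
    {"ts": "2024-03-03T03:02:15", "source": "windows", "event_id": 4688, "host": "fin-srv01",
     "user": "j.doe", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-03-03T03:01:40", "source": "windows", "event_id": 4624, "host": "fin-srv01",
     "user": "j.doe", "logon_type": 10, "src_ip": "203.0.113.50"},
    {"ts": "2024-03-03T03:02:31", "source": "dns", "host": "fin-srv01",
     "user": "j.doe", "query": "update.suspicious.example"},
    {"ts": "2024-03-03T03:04:10", "source": "fileaudit", "host": "fin-srv01",
     "user": "j.doe", "action": "read", "path": r"\\fin-srv01\finance\payroll_2024.csv"},
    {"ts": "2024-03-03T09:15:00", "source": "windows", "event_id": 4624, "host": "fin-srv01",
     "user": "a.smith", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2024-03-03T09:20:12", "source": "fileaudit", "host": "fin-srv01",
     "user": "a.smith", "action": "read", "path": r"\\fin-srv01\finance\budget.xlsx"},
]

# Constructed enrichment data; in production these come from threat-intel feeds
# and a data-classification inventory.
WATCHLIST_DOMAINS = {"suspicious.example"}
SENSITIVE_PATH_HINTS = ("payroll", "salary")
OFF_HOURS = range(0, 6)  # 00:00-05:59 counts as "unusual hours" in this example

def classify(event):
    """Map one event to an ATT&CK tactic if it matches a rule, else None."""
    src, eid = event["source"], event.get("event_id")
    if src == "windows" and eid == 4624:
        hour = datetime.fromisoformat(event["ts"]).hour
        if hour in OFF_HOURS:
            return ("Initial Access", f"off-hours logon from {event['src_ip']} ({hour:02d}h)")
    elif src == "windows" and eid == 4688:
        if event["process"].lower().endswith("powershell.exe"):
            return ("Execution", "powershell.exe launched (Event ID 4688)")
    elif src == "dns":
        q = event["query"].lower()
        if any(q == d or q.endswith("." + d) for d in WATCHLIST_DOMAINS):
            return ("Command and Control", f"lookup of watchlisted domain {event['query']}")
    elif src == "fileaudit":
        if any(h in event["path"].lower() for h in SENSITIVE_PATH_HINTS):
            return ("Exfiltration", f"sensitive file accessed: {event['path']}")
    return None

def correlate(events, window=timedelta(minutes=30)):
    """Step 5: per-user/host timeline; flag chains spanning >= 3 tactics within `window`."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # chronological order first
        hit = classify(e)
        if hit:
            per_user[(e["user"], e["host"])].append((e["ts"], *hit))
    findings = []
    for (user, host), hits in per_user.items():
        span = datetime.fromisoformat(hits[-1][0]) - datetime.fromisoformat(hits[0][0])
        tactics = list(dict.fromkeys(t for _, t, _ in hits))  # dedupe, keep order
        if span <= window and len(tactics) >= 3:
            findings.append({"user": user, "host": host, "severity": "high",
                             "chain": " -> ".join(tactics),
                             "timeline": [f"{ts} [{t}] {d}" for ts, t, d in hits]})
    return findings
```

`correlate(EVENTS)` returns one finding for `j.doe` with the chain Initial Access -> Execution -> Command and Control -> Exfiltration and a four-line timeline, while `a.smith`'s daytime logon and non-sensitive file read match no rule. Sorting before classifying matters: the constructed input lists the PowerShell launch before the logon, and the chain order only means something once events are chronological. The three-tactic minimum is what keeps a lone off-hours logon from paging anyone; each of these observations on its own is routine, and it is the combination inside the window that carries the signal.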
📚 Best Practices
- Enable logging everywhere: a control that blocks an attack but logs nothing leaves you blind to what it prevented.
- Use log enrichment (e.g. geolocation, hostnames).
- Regularly audit your log retention policy.
- Secure your logs — attackers often try to delete them post-breach.
- Automate alerting but include manual reviews for anomalies.