Log Analysis
What is Log Analysis?
Log AnalysisThe systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.
Log analysis examines event records produced by operating systems, network devices, applications, and security tools — including Windows EVTX, Linux syslog/journald, web-server access logs, firewall flows, EDR telemetry, and cloud audit trails such as AWS CloudTrail or Microsoft 365 Unified Audit Log. Analysts parse, normalize, and correlate these sources, typically through a SIEM, to identify authentication anomalies, command execution, lateral movement, and data exfiltration. Common tools include Splunk, Elastic, Chainsaw, Hayabusa, EvtxECmd, and Sigma rules. Effective log analysis depends on accurate time synchronization, sufficient log retention, and an inventory of normal activity to recognize deviations.
● Examples
- 01
Hunting for Kerberoasting by analyzing Windows Event ID 4769 entries in Splunk.
- 02
Correlating AWS CloudTrail ConsoleLogin failures with successful logins from a new IP.
● Frequently asked questions
What is Log Analysis?
The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events. It belongs to the Forensics & IR category of cybersecurity.
What does Log Analysis mean?
The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.
How do you defend against Log Analysis?
Defences for Log Analysis typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Log Analysis?
Common alternative names include: Event log analysis, Security log review.