
Strengthening cybersecurity with log forensic analysis

Any system connected to the Internet is exposed to malicious attacks and breaches. Nowadays, everyone from Fortune 500 companies to small mom-and-pop shops is a target. To protect your most valuable assets, you need solid security measures, a skilled security team, robust investigation tools, and reliable prevention and mitigation strategies. Forensic analysis is one of the most reliable of these approaches for maintaining a strong cybersecurity posture, and it becomes more rigorous when coupled with security best practices and a centralized log management solution with alerting, such as Graylog Enterprise.

When you need to trace a potentially threatening anomaly to its root cause in real time, the first step is to start parsing your logs.

Events and logs are a precious resource during your forensic analysis efforts. They are the first place you should drill into when looking for the cause of an issue or detecting a potential vulnerability. Log analysis gives your investigators much-needed knowledge of your system status and your network's landscape, and logs are always the starting point for any root cause investigation.


To better understand what forensic analysis is, think about how a crime investigation is conducted on CSI. From crime scene analysts to detectives and coroners, everyone involved in the forensic process collects and analyzes evidence that is used to reconstruct the events surrounding the crime. In a nutshell, each bit of information is a data point that gives the analysts a better overview of the series of events that caused the breach.

The purpose of digital forensic models is to understand what happened before, during, and after the hack. Instead of looking for the bullets around a dead body, cybersecurity experts investigate the cybercrime scene to spot digital evidence. By defining how a cyberattack was carried out, the digital forensic investigator learns where the attack originated, the method used to breach your defenses, and the weak spots in the security perimeter. The goal is to understand how the malicious actor got access to the network, which vulnerabilities were exploited, the extent of the damage caused, and whether there is still some lingering code left behind.


To improve your cybersecurity and mitigate threats with log forensic analysis, you need to examine the evidence and search for relevant information about the attack, the damage it caused, and the malicious actor's access points. Logs are the repository of this evidence, as well as the basic resource you will later use to feed your security information and event management (SIEM) solution. All the event information collected from logs must be parsed and analyzed so it can be integrated into SIEM and SOAR solutions and used to prevent the same thing from happening again.

Graylog's centralized log management solution can process petabytes of structured machine data daily. Once you have amassed a large volume of logs, you want to get to the high-value alerts quickly to see what is happening in your environment. Graylog Enterprise makes this easy with the Correlation Engine. The Correlation Engine takes these high-value events and alerts and stores them in Elasticsearch, allowing further filtering, aggregation, or compound correlation rules, so you can build very powerful alerts from your data in support of a proactive defense strategy.


When analyzing an incident, you must take care not to destroy or alter your evidence. Just as at a police crime scene, no one should touch anything. Here are some best practices to follow so that you collect the right logs at the right time:

• Always collect the logs before formatting or even just rebooting the system.

• Do not carry out any system-wide activity, such as installing a new tool on the infected machine, before the forensic analysis is complete.

• Windows operating system logs: save the Application, Security, and System logs from the Event Viewer.

• Linux operating system logs: save boot.log, auth.log, kern.log, messages, utmp, and wtmp from the /var/log/ directory.

• Save the antivirus logs in case of a malware attack.

• If you are dealing with unauthorized access, collect all app server logs, application logs, web server logs, database logs, firewall logs, switch or router logs, and any other logs that record authorization events.

• In case of a network hack, collect the logs of all the other devices on the route to the hacked one. ISP router logs are also useful.
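The checklist above comes down to one procedure for a Linux host: copy the named files out of /var/log without modifying them, and record their hashes so the copies can later be shown to be unaltered. The script below is an added example written for this article, not Graylog's code or a Graylog tool; the function names, the source and destination directories, and the sample log contents used in the demo are constructed for illustration. It preserves file timestamps with cp -p, skips files that are absent on the host, writes a SHA-256 manifest, and offers a verify step that fails if any copied file has since changed.

```shell
#!/bin/sh
# Added example (not Graylog code): collect the Linux log files named in the
# checklist into an evidence directory and record a SHA-256 manifest.

# Files from the article's checklist, normally found under /var/log/.
# utmp and wtmp are binary login records; cp handles them unchanged.
LINUX_LOGS="boot.log auth.log kern.log messages utmp wtmp"

# collect_logs SRC_DIR DEST_DIR
# Copies each checklist file that exists in SRC_DIR into DEST_DIR, keeping
# mtime and ownership (cp -p), and appends its SHA-256 to DEST_DIR/MANIFEST.sha256.
# Prints the number of files collected. The source files are only read.
collect_logs() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    : > "$dest/MANIFEST.sha256"
    count=0
    for name in $LINUX_LOGS; do
        if [ -f "$src/$name" ]; then
            cp -p "$src/$name" "$dest/$name"
            # Hash the copy from inside DEST_DIR so the manifest holds bare names.
            (cd "$dest" && sha256sum "$name" >> MANIFEST.sha256)
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# verify_manifest DEST_DIR
# Recomputes every hash in the manifest; exit status 0 only if all still match.
verify_manifest() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null 2>&1)
}

# demo: runs the collection against constructed sample logs in a temp dir
# (hypothetical helper; on a real host you would pass /var/log as SRC_DIR).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/var_log"
    # Constructed sample contents, not real log data.
    printf 'Jan 10 03:14:07 host sshd[812]: Accepted publickey for alice\n' > "$work/var_log/auth.log"
    printf 'Jan 10 03:14:09 host kernel: usb 1-1: new device\n' > "$work/var_log/kern.log"
    n=$(collect_logs "$work/var_log" "$work/evidence")
    echo "collected $n file(s) into $work/evidence"
    if verify_manifest "$work/evidence"; then
        echo "manifest verified"
    else
        echo "manifest verification FAILED"
    fi
    cat "$work/evidence/MANIFEST.sha256"
}

demo
```

Run it as root on the host being examined with the source directory set to /var/log and the destination on removable or remote storage, then keep the manifest with the case notes; re-running verify_manifest on the evidence directory at any later point confirms nothing has been altered since collection.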


Mitigating threats requires a multi-layer cybersecurity approach that starts with watertight prevention strategies and ends with robust digital forensic models. A security breach requires the fastest and most comprehensive resolution possible. Graylog offers the most flexible and comprehensive approach to detecting, responding to, and hunting security breaches fast. As cyberattacks will likely strike your enterprise at some point, drawing information from event logs will be instrumental in your cybersecurity strategy, both to mitigate them and to restore your systems to normal operation.
