This repository documents my beginner-level understanding of log analysis as part of my journey toward a cybersecurity and SOC analyst role. The purpose of this project is to show how a security analyst reads and interprets logs to identify normal activity and potential security issues.
Logs are records created by systems, applications, and network devices that capture events happening over time. These events can include logins, errors, connections, and system actions.
Logs help security analysts answer questions such as:
- What happened?
- When did it happen?
- Who or what was involved?
Log analysis allows analysts to:
- Detect suspicious or malicious activity
- Investigate security incidents
- Monitor system behavior
- Support incident response decisions
Most security incidents are discovered by reviewing logs rather than by direct user reports.
Common log types include:

Authentication logs:
- Record login attempts and access events
- Useful for identifying brute-force attacks or unauthorized access

System logs:
- Track system events such as startups, shutdowns, and errors
- Help identify abnormal system behavior

Network logs:
- Capture network connections and traffic
- Useful for identifying suspicious communication patterns
The following examples are fictional and used for learning purposes.
```text
2026-01-30 10:15:42 INFO User login successful User: jdoe | IP: 192.168.1.10
2026-01-30 10:18:03 WARN Failed login attempt User: admin | IP: 203.0.113.45
2026-01-30 10:18:10 WARN Failed login attempt User: admin | IP: 203.0.113.45
```
A successful login event is usually normal behavior. However, a security analyst still considers context before deciding whether the activity is safe.
An analyst may check:
- Whether the login came from a known or expected IP address
- Whether the login time matches normal user behavior
- Whether there were multiple failed attempts before the successful login
- Whether the account has elevated privileges
A successful login following repeated failures may indicate a compromised account or brute-force attack.
Security analysts look for patterns rather than single events, such as:
- Multiple failed login attempts from the same IP
- Login attempts targeting privileged accounts
- Activity occurring outside normal working hours
- Access attempts from unfamiliar locations
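The context checks and patterns listed above can be turned into simple detection logic. The script below is an added example written for this README, not code from the original project: it parses lines in the same format as the sample entries and flags repeated failures from one IP, attempts against privileged accounts, a successful login following failures, and logins outside working hours. The log lines are constructed, and the privileged-account list, failure threshold and working-hours window are assumed policy values, not facts from the text.

```python
"""Added example: flag the suspicious authentication patterns described above.
The sample log, privileged-account list, threshold and working-hours window are
assumptions made for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the same format as the README's fictional examples.
SAMPLE_LOG = """\
2026-01-30 10:15:42 INFO User login successful User: jdoe | IP: 192.168.1.10
2026-01-30 10:18:03 WARN Failed login attempt User: admin | IP: 203.0.113.45
2026-01-30 10:18:10 WARN Failed login attempt User: admin | IP: 203.0.113.45
2026-01-30 10:18:17 WARN Failed login attempt User: admin | IP: 203.0.113.45
2026-01-30 10:18:25 INFO User login successful User: admin | IP: 203.0.113.45
2026-01-30 02:40:01 INFO User login successful User: jdoe | IP: 192.168.1.10
"""

# One regex for the "<timestamp> <level> <message> User: <user> | IP: <ip>" layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<msg>.+?) User: (?P<user>\S+) \| IP: (?P<ip>\S+)$"
)

# Assumed policy values (adjust to the environment being monitored).
PRIVILEGED_ACCOUNTS = {"admin", "root"}
FAIL_THRESHOLD = 3          # failures from one IP before it is reported
WORK_HOURS = range(8, 19)   # 08:00-18:59 is treated as normal working hours


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["success"] = "successful" in ev["msg"].lower()
        events.append(ev)
    return events


def analyze(events):
    """Return findings keyed by pattern name, each a list of matching events."""
    findings = defaultdict(list)
    fails_by_ip = Counter()
    consecutive_fails = defaultdict(int)   # (user, ip) -> failures since last success

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        # Any attempt (failed or successful) against a privileged account is worth a look.
        if ev["user"] in PRIVILEGED_ACCOUNTS:
            findings["privileged_target"].append(ev)
        if not ev["success"]:
            fails_by_ip[ev["ip"]] += 1
            consecutive_fails[key] += 1
            continue
        # Successful login: check what preceded it and when it happened.
        if consecutive_fails[key] > 0:
            findings["success_after_failures"].append(ev)
        consecutive_fails[key] = 0
        if ev["ts"].hour not in WORK_HOURS:
            findings["off_hours_login"].append(ev)

    for ip, n in fails_by_ip.items():
        if n >= FAIL_THRESHOLD:
            findings["repeated_failures_from_ip"].append({"ip": ip, "count": n})
    return dict(findings)


if __name__ == "__main__":
    for name, hits in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Run as written, the script reports the three failures from 203.0.113.45, the four attempts against `admin`, the successful `admin` login that followed the failures, and the 02:40 login for `jdoe`; the 10:15 `jdoe` login produces no finding, which matches the point that a single successful login is usually normal.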
When suspicious activity is identified, an analyst may:
- Review related authentication and system logs
- Identify the source IP address and user account
- Check whether other systems were targeted
- Determine if the activity matches known attack behavior
- Decide whether escalation or response is required
Depending on the severity, response actions may include:
- Blocking or monitoring the suspicious IP address
- Resetting affected user credentials
- Notifying the security or IT team
- Increasing monitoring for similar activity
Security analysts often use Linux commands to review and filter logs.
- grep: Search for specific keywords inside logs
- cat: Display log file contents
- less: Scroll through large log files
Example (the `-i` flag makes the search case-insensitive, so it also matches the capitalized "Failed" in the sample entries):

```bash
grep -i "failed" auth.log
```
Analysts may use SQL to search log data stored in databases.
Example query to identify failed login attempts:

```sql
SELECT * FROM logs WHERE status = 'failed_login';
```
Log analysis is a core responsibility of Security Operations Center (SOC) analysts. Even at an entry level, analysts must understand how to read logs, identify abnormal patterns, and respond appropriately.
This project demonstrates foundational log analysis and analyst thinking skills.

Next steps:
- Continue developing SOC analyst skills
- Practice hands-on log review
- Learn how SIEM tools analyze logs