Blog
Log Analysis

Log Anatomy 101: Divining Meaning From User and Systems Activity

Turngate Team
October 29, 2025
8
min read

Every cybersecurity incident tells a story, and that narrative is written in the logs. Whether you’re investigating suspicious logins, tracing lateral movement across your environment, or reconstructing a malware drop, event logs are the main source of forensic breadcrumbs. Despite their usefulness, however, logs can be intimidating to the untrained eye. They’re cryptic, noisy, and difficult to grok. If you've ever opened a syslog file or a security event viewer and thought, “Oof. What’s all this?” you're not alone.

Security pros need to get comfortable with logs. Even if you’re using Turngate to view bunches of event data all in one tool, it’s important to understand the basic anatomy of logs: what they are, how they’re generated, what they contain, and most importantly, how to use them in your cybersecurity incident response.

What’s a Log?

A log is a record of events taking place within a digital system. Log entries originate with operating systems, applications, endpoints, peripherals, cloud platforms, and more. These event records capture granular details about activities like user logins, application access, transactions, errors, system crashes, network activity, configuration changes and, notably, potential threats and intrusions. Whether they’re generated via operating system logs from Windows or Linux, application logs from SaaS apps and web servers, or security logs from firewalls and identity providers, understanding logs is a must for gaining visibility into what goes on across all of your IT infrastructure.

That data gets transmitted in different methods and can be formatted in three basic ways: structured, semi-structured or unstructured.

Where Do Logs Come From?

For the most part, logs are generated automatically by apps and systems when specific events occur. A user login, a file access, a network connection, etc. Assuming proper configuration, most every action triggers some manner of recorded log entry.

These logs can originate from assets such as:

  • Endpoints
  • Web services
  • Containers
  • Apps
  • IOT devices
  • Networks
  • Firewalls
  • Servers
  • Databases

Some logs are formatted as simple, human-readable plaintext lines. Others are structured more formally as comma-separated values (CSV) or in JSON or XML markup.

Common log types include:

  • Event log: a detailed, chronological record of events or activities that occur within a system, application, or network, such as login attempts, failed password attempts, and application events. Event logs include a timestamp, event type, event source, event ID, and user account.
  • System log (syslog): a record of operating system events. It includes startup messages, system changes, unexpected shutdowns, errors and warnings, and other important processes. Windows, Linux, and macOS all generate syslogs.
  • Threat logs (alerts): record potential security threats or suspicious activities within a system, network, or application. Generated by firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), antivirus software, or other monitoring solutions, threat logs are crucial for identifying, analyzing, and responding to security incidents.
  • Authorization logs and access logs: include a list of people or bots accessing certain applications or files.
  • Change logs: include a chronological list of changes made to an application or file.
  • Availability logs: track system performance, uptime, and availability.
  • Resource logs: track the usage and status of system resources, such as CPU, memory, disk space, network bandwidth, and other hardware or software components. These logs are generated by operating systems, apps, or monitoring tools to help admins understand connectivity issues and capacity limits.

To make use of logs, organizations collect them using tools like the Syslog protocol for Unix-based systems, agents such as Fluentd or NXLog, or native cloud tools like AWS CloudWatch or Azure Monitor. Often, logs from multiple sources are aggregated and normalized using either a traditional SIEM (Security Information and Event Management) platform — or a lightweight, SaaS-focused SIEM like Turngate — which allows analysts to quickly search and correlate events across an entire environment both on-prem and in the cloud.

Keep in mind that there can be significant formatting difference between systems of the same function. For example, Office 365 and Google Workspaces logs both track user activity within a system but look completely different. If you start with understanding the log source equipment and function, that will help clarify the nuanced differences between logs.

Anatomy of a Log Entry

Getting arms around log-based investigations starts with a strong understanding of the constituents of log entries. Each entry is assembled from different fields of grouped data; learning to look for the various field groupings will help you parse what you’re seeing.

Keep in mind those data field groupings can vary significantly between devices. To make things even more confusing, logs often have different fields, the data may be formatted differently between various log types, and the fields are frequently in separate locations. Let’s start at the beginning and step through the parts of a typical event.

Log Field Separators: Log fields have to have some indicator of the different areas. Common separators are tabs, commas, colons, dashes, and semicolons.

Log Timestamps: When something happened is often as important as what happened. Different logs use different timestamp formats and analysts need to be comfortable with all of them. They also vary in time zone and 12- vs. 24-hour format. Some examples:

  • Jun 24 2004 09:54:32
  • Sun, 2004-06-24 09:54:32
  • 06/Jun/2004:09:54:32

Or you may find timestamps without dates, like this entry from an IIS log:

  • 12:01:06 127.0.0.1 GET /images/sponsered.gif 304

Then there’s the even more opaque Linux Epoch timestamps, which are just strings of numbers like “1431041867.” You’ll need to run these through an epoch timestamp converter to get a human-readable output. Your version of -nix environment might allow you to do this at the command line. On Linux, you can typically use: “date -d @<epochtimestamp>”. On BSD/macOS, use: “date -r <epochtimestamp>”.

User info: This might be as simple as a user’s name, but in reality, a lot can be nested under the “user info” umbrella, including things like:

  • username or user
    • Description: The name or ID of the user
    • Example: jane, jsmith, Administrator, root
  • userID or uid
    • Description: Numeric or alphanumeric unique identifier for the user
    • Example: 1001, AIDAZ6Q5T4U5, S-1-5-21-...
  • domain or accountDomain
    • Description: The domain/workgroup the user belongs to
    • Example: CORP, CONTOSO, WORKGROUP
  • userPrincipalName (UPN)
    • Description: Email-like identity for federated/authenticated users
    • Example: jane@turngate.io
  • sessionID
    • Description: Identifier for a login session
    • Example: SID:0x3e7
  • sourceIPAddress
    • Description: IP address of the user's device
    • Example: 192.168.1.45, 10.0.0.3
  • userAgent
    • Description: Application/browser agent string (esp. in cloud/web logs)
    • Example: Mozilla/5.0, curl/7.64.1
  • authenticationMethod
    • Description: Method used to authenticate
    • Example: Password, Kerberos, MFA
  • MFAUsed
    • Description: Whether Multi-Factor Authentication was used
    • Example: Yes, No
  • role
    • Description: IAM or system role assumed by user
    • Example: Admin, EC2InstanceRole
  • impersonatedUser
  • Description: If acting on behalf of another identity
  • Example: svc_account acting as user@turngate.io

Event type: These details describe what happened, where, and how, all crucial for security analysts during an investigation. Examples include:

  • eventType or eventName
    • Description: The specific action or event that occurred
    • Example: ConsoleLogin, FileAccess, ProcessStart, user.session.start
  • eventTime or timestamp
    • Description: The exact date and time when the event occurred
    • Example: 2025-09-22T11:03:00Z, Sep 22 08:23:01
  • eventSource or source
    • Description: The service, system, or application that generated the event
    • Example: signin.amazonaws.com, sshd, winlogon, Okta, Microsoft-Windows-Security-Auditing
  • eventID or eventCode
    • Description: A unique identifier or numeric code for the event type
    • Example: 4624 (Windows logon success), 1000 (App crash), a4a4a4a4-... (UUID in AWS)
  • resource or object
    • Description: The resource affected by the action (file, system, API, etc.)
    • Example: /etc/passwd, bucket_name, vpn_gateway, EC2 instance
  • actionTaken or result
    • Description: Whether the event succeeded or failed, and what was done
    • Example: Success, Failure, AccessDenied, Process Terminated, Allowed
  • sourceIPAddress or origin
    • Description: IP address from where the request or action originated
    • Example: 203.0.113.5, 10.0.0.8, 192.168.1.45
  • destination or targetEndpoint
    • Description: The IP or hostname that was targeted
    • Example: web01.internal.local, 172.31.15.33
  • processName or commandLine
    • Description: Name of the process or command that was executed
    • Example: powershell.exe, sudo apt update, cmd.exe /c whoami
  • logonType or authenticationType
    • Description: Method used to access the system (especially in login events)
    • Example: 10 (RDP), 3 (network), Password, Kerberos, Federated SSO
  • sessionID or connectionID
    • Description: Unique identifier for the session or connection
    • Example: 0x3e7, SID-1234-XYZ, ConnID:64519
  • privilegesUsed or elevation
    • Description: Whether elevated privileges (admin/root) were involved
    • Example: Administrator, SUDO, AssumeRole, NT AUTHORITY\SYSTEM

Now that we understand where log data is coming from and what it’s made of, let’s look at how to make good use of logs.

Effective Log Reading

The key to reading logs effectively boils down to understanding them in context and in sequence. Start by organizing logs chronologically to reconstruct timelines. This helps analysts identify not only what might have led to an event, but what happened afterward as well. The cause and the effect are equally important to the skilled cybersecurity investigator.

Use the data at your disposal to look for suspicious behaviors like multiple failed login attempts, activities from unusual geolocations, or account privilege changes. Parsing tools like `grep`, `awk`, and `sed` can help extract relevant patterns from large log files, while `jq` is useful for querying JSON logs.

Modern SIEM platforms automate much of this by indexing logs and enabling custom queries, correlations, and alerting rules. Still, knowing how to manually interpret raw logs remains a foundational skill for any analyst.

Use Case: Why Logs Matter In Security

Logs are a fundamental part of good security operations. They help detect suspicious behavior, trace incidents to their root cause, document compliance, and inform post-incident reporting. For example, log entries can unmask brute-force attacks by showing a pattern of failed authentications from the same IP address over time. Let’s look at a fictitious example from Google Workspace log data:

[
  {
	"id": {
		"time": "2025-07-23T20:24:42.810Z",
		"customerId": "abc123",
		"applicationName": "login",
		"uniqueQualifier": "-5302849670739749758"
	},
	"etag": "\"DACXm7jsATuh9FxZMWuZ372Q1A9FadfUIDqfecpK3QDU/4Tj2PABepNX-OpWiYkkCRy6KADI\"",
	"kind": "admin#reports#activity",
	"actor": {
		"email": "admin@turngate.io",
		"profileId": "11—--------------"
	},
	"events": [
		{
			"name": "login_failure",
			"type": "login",
			"parameters": [
				{
					"name": "login_type",
					"value": "google_password"
				},
				{
					"name": "login_challenge_method",
					"multiValue": [
						"none"
					]
				}
			]
		}
	],
	"ipAddress": "2600:8802:3b07:0:b2a9:f823:209d:1984",
	"networkInfo": {
		"ipAsn": [21873],
		"regionCode": "US",
		"subdivisionCode": "US-CA"
	}
}
{
	"id": {
		"time": "2025-07-23T20:25:42.612Z",
		"customerId": "abc123",
		"applicationName": "login",
		"uniqueQualifier": "-5302849670739749758"
	},
	"etag": "\"DACXm7jsATuh9FxZMWuZ372Q1A9FadfUIDqfecpK3QDU/4Tj2PABepNX-OpWiYkkCRy6KADI\"",
	"kind": "admin#reports#activity",
	"actor": {
		"email": "admin@turngate.io",
		"profileId": "11—--------------"
	},
	"events": [
		{
			"name": "login_failure",
			"type": "login",
			"parameters": [
				{
					"name": "login_type",
					"value": "google_password"
				},
				{
					"name": "login_challenge_method",
					"multiValue": [
						"none"
					]
				}
			]
		}
	],
	"ipAddress": "2600:8802:3b07:0:b2a9:f823:209d:1984",
	"networkInfo": {
		"ipAsn": [21873],
		"regionCode": "US",
		"subdivisionCode": "US-CA"
	}
}
{
	"id": {
		"time": "2025-07-23T20:26:43.115Z",
		"customerId": "abc123",
		"applicationName": "login",
		"uniqueQualifier": "-5302849670739749758"
	},
	"etag": "\"DACXm7jsATuh9FxZMWuZ372Q1A9FadfUIDqfecpK3QDU/4Tj2PABepNX-OpWiYkkCRy6KADI\"",
	"kind": "admin#reports#activity",
	"actor": {
		"email": "admin@turngate.io",
		"profileId": "11—--------------"
	},
	"events": [
		{
			"name": "login_success",
			"type": "login",
			"parameters": [
				{
					"name": "login_type",
					"value": "google_password"
				},
				{
					"name": "login_challenge_method",
					"multiValue": [
						"none"
					]
				}
			]
		}
	],
	"ipAddress": "2600:8802:3b07:0:b2a9:f823:209d:1984",
	"networkInfo": {
		"ipAsn": [21873],
		"regionCode": "US",
		"subdivisionCode": "US-CA"
	}
}


]

From this log snippet, we see a pattern that combines repeated failed logins (multiple "login.login.failure"), a rapid succession of attempts all at one-minute intervals from the same IP address and no attempt to use MFA.

Ultimately, there is a successful login, which is a strong indicator of compromise of the organization’s “admin” account. In a real-word scenario, such an attack may have been thwarted by Google’s security controls, but slow and low attempts can get through if the attacker is dedicated enough.

Understanding this and similar examples across a variety of log types (Windows, Okta, etc.) prepares security analysts to recognize patterns of behavior, both legitimate and malicious, throughout the environment.

Log Parsing Challenges

Working with logs isn’t always so straightforward. The volume of logs generated in even a modest-sized network can be overwhelming. Without synchronization, system clocks can drift, complicating correlation across devices. Logs can also be misconfigured, capturing too little detail or missing critical events. Each vendor’s log format is slightly different, which adds complexity to parsing and normalization. And, if retention policies are too short, valuable historical data may be lost before it’s reviewed during an investigation.

Making The Most Of Your Logs

To get the most value out of logs, security teams can adopt a few tried-and-true best practices. Logs should be centralized using a SIEM or log aggregation platform. For SaaS logs, Turngate provides SaaS specific contextualization. This aids in correlation and analysis across multiple sources, something organizations of any size will need to deal with.

Squelching the verbosity of available logs is also important. This is often achieved after some trial and error. The bottom line is that you want to be collecting enough information to make investigations effective, but logs shouldn’t be so noisy that they risk obscuring critical events with meaningless clutter. Alerts should be configured for high-risk events such as administrative access or configuration changes.

Finally, teams should periodically review logging configurations and confirm that log data remains available (and well protected by encryption) during the required retention period.

Conclusion: Logs Tell the Tale

Logs are the best, most authoritative record of what’s gone on in any digital  environment, but even seasoned security practitioners don’t always understand the depth and breadth of information contained within the raw log anatomy.

Knowing how to read a log and tease actionable insights from seemingly opaque event data is an incredibly valuable skill, and the cornerstone of a thorough security investigation. For any infosec pro, log literacy is essential for incident response and threat hunting.

The uninitiated can start by exploring whatever logs are available in the environment. Experiment with command-line tools to parse and filter them. Study sample logs from cloud services, identity providers, and endpoint protection platforms. With practice, you'll be able to extract meaning from the noise and respond to security events with more speed and increased clarity.

Share this post

More blog posts

Get higher confidence in your investigations with articles from the Turngate Team.

Enterprise Defense

Insider Risk 101: Build a Program Without Breaking the Bank

A defender’s guide to insider risk. What it is, how it differs from insider threat Spot problems early without turning security into a beat cop.
Bruce Potter
Sep 30, 2025
5
min read
Enterprise Defense

Seven Steps to Set Up a SOC Without a Traditional SIEM

Good security investigations are about strategy, not spectacle. Here’s a budget- and user-friendly approach to making the most of your log data
Turngate Team
Sep 23, 2025
6
min read
Turngate

Introducing Turngate's Early Access Program

Learn more about how Turngate can help you monitor your SaaS logs and sign up with our Free Early Access offering.
Bruce Potter
Dec 17, 2024
3
min read
View all posts