Automatic log parser to support forensic analysis

Hudan Studiawan, Ferdous Sohel, Christian Payne

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

15 Citations (Scopus)


Event log parsing is a process to split and label each field in a log entry. Existing approaches commonly use regular expressions or parsing rules to extract the fields. However, such techniques are time-consuming as a forensic investigator needs to define a new rule for each log file type. In this paper, we present a tool, namely nerlogparser, to parse the log entries automatically, where log parsing is modeled as a named entity recognition problem. We use a deep machine learning technique, specifically the bidirectional long short-term memory networks, as the underlying architecture for this purpose. Unlike existing tools, nerlogparser is a fully automatic tool as the investigators do not need to define any parsing rules and it is generic as there is only one model to parse various types of log files. Experimental results show that nerlogparser achieves superior performance compared with other traditional machine learning methods.

Original languageEnglish
Title of host publicationAustralian Digital Forensics Conference, ADF 2018
EditorsCraig Valli
PublisherSRI Security Research Institute, Edith Cowan University
Number of pages10
ISBN (Electronic)9780648444404
Publication statusPublished - 2018
Externally publishedYes
Event16th Australian Digital Forensics Conference, ADF 2018 - Perth, Australia
Duration: 4 Dec 2018 → …

Publication series

NameAustralian Digital Forensics Conference, ADF 2018


Conference16th Australian Digital Forensics Conference, ADF 2018
Period4/12/18 → …


  • Log forensics
  • Log parser
  • Long short-term memory
  • Named entity recognition


Dive into the research topics of 'Automatic log parser to support forensic analysis'. Together they form a unique fingerprint.

Cite this