Log File Forensics Analyzer

Paste or drag-drop a log file. Extracts IP addresses, emails, URLs, file paths, timestamps, and MAC addresses — grouped, counted, and highlighted. 100% client-side.

How to Use the Log Forensics Analyzer

  1. Paste or upload — paste log content directly into the text area, drag-and-drop a file onto the area, or click "Upload File" to browse for a .log or .txt file.
  2. Choose extraction mode — "Extract All" finds every pattern; the mode chips let you focus on IPs, emails, or URLs.
  3. Click Analyze — the tool scans the log with regex patterns, groups unique values, and shows counts.
  4. Review findings — each category (IPv4, IPv6, emails, URLs, paths, timestamps, MACs) is shown in a sorted table with occurrence counts.
  5. Highlight in source — the tool renders your log with color-coded highlights so you can see each artifact in context.
  6. Export as CSV — download all findings grouped by category for further analysis in Excel, Python, or other tools.

What This Tool Extracts

IP Addresses (IPv4 and IPv6)

The tool extracts IPv4 addresses in dotted-decimal notation (e.g. 192.168.1.1, 10.0.0.255) and IPv6 addresses in colon-hex notation including compressed forms (e.g. 2001:db8::1, fe80::1). In security log analysis, IP addresses are often the primary identifier for clients, attackers, or internal hosts. The tool groups IPs by unique address and shows how many times each appeared, making it easy to spot high-frequency IPs that may indicate scanning, brute-force attacks, or crawlers.

Email Addresses

Email addresses are extracted via RFC-compliant pattern matching that covers the vast majority of real-world addresses, including subdomains and plus-addressing (e.g. user+tag@sub.example.com). Email addresses in logs typically come from authentication attempts, contact form submissions, API payloads logged in debug mode, or SMTP server logs. Finding unexpected email domains can reveal phishing attempts, spam submissions, or misconfigured systems.

URLs

The tool extracts full URLs starting with http://, https://, or ftp:// including query strings and fragments. Web server access logs, reverse proxy logs, and application logs often contain the full request URL. Analyzing URL frequency can reveal scrapers targeting specific paths, vulnerability scanners testing known exploit paths (e.g. /wp-admin, /.env, /etc/passwd), or broken links causing 404 storms.

File Paths

Both Unix paths starting with / (e.g. /var/log/syslog, /home/user/) and Windows UNC/drive paths (e.g. C:\Windows\System32, \\server\share) are extracted. File paths in logs often appear in stack traces, error messages, audit logs, and file integrity monitoring (FIM) output. Unexpected system paths can indicate path traversal attacks or unauthorized file access.

Timestamps

Common timestamp formats are recognized: ISO 8601 (2024-03-15T14:23:01Z), Apache/nginx combined log format (15/Mar/2024:14:23:01 +0000), syslog format (Mar 15 14:23:01), and Unix epoch-like numeric timestamps. Timestamps are valuable for correlating events across multiple log sources and for establishing timelines in incident response. The tool extracts and groups unique timestamps so you can identify burst periods with unusual activity.
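As an added example (not the tool's own code), the following normalises the three timestamp formats named above to Unix epoch seconds and counts events per minute so burst periods stand out; the sample log lines are constructed, and because syslog stamps carry neither year nor zone, a reference year and UTC are assumptions made here.

```javascript
// Added example, not the tool's own code: normalise the page's three timestamp formats
// (ISO 8601, Apache/nginx CLF, syslog) to epoch seconds and count events per minute.
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "+0530", "-07:00", "Z" or undefined -> seconds east of UTC.
function offsetSeconds(z) {
  if (!z || z === 'Z') return 0;
  const d = z.slice(1).replace(':', '');
  return (z[0] === '-' ? -1 : 1) * (Number(d.slice(0, 2)) * 3600 + Number(d.slice(2)) * 60);
}

// Epoch seconds (UTC) for the first recognised timestamp in a line, or null.
function parseTimestamp(line, assumedYear = 2024) {
  let m;
  if ((m = /(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?(Z|[+-]\d{2}:?\d{2})?/.exec(line))) {
    const [, y, mo, d, h, mi, s, z] = m;
    return Date.UTC(+y, +mo - 1, +d, +h, +mi, +s) / 1000 - offsetSeconds(z);
  }
  if ((m = /(\d{2})\/([A-Z][a-z]{2})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{4})/.exec(line))) {
    const [, d, mon, y, h, mi, s, z] = m;
    return Date.UTC(+y, MONTHS[mon], +d, +h, +mi, +s) / 1000 - offsetSeconds(z);
  }
  if ((m = /\b([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2})\b/.exec(line))) {
    const [, mon, d, h, mi, s] = m;
    return Date.UTC(assumedYear, MONTHS[mon], +d, +h, +mi, +s) / 1000; // assumed year, assumed UTC
  }
  return null;
}

// Events per one-minute bucket; returns the buckets whose count exceeds `threshold`.
function findBursts(log, threshold) {
  const perMinute = new Map();
  for (const line of log.split('\n')) {
    const t = parseTimestamp(line);
    if (t === null) continue;
    const bucket = Math.floor(t / 60) * 60;
    perMinute.set(bucket, (perMinute.get(bucket) || 0) + 1);
  }
  return [...perMinute].filter(([, n]) => n > threshold).map(([b, n]) => ({ minute: new Date(b * 1000).toISOString(), count: n }));
}

// Constructed sample: three scattered events, then twelve in the 14:23 UTC minute, in mixed formats.
const SAMPLE = [
  '2024-03-15T13:00:05Z app started',
  'Mar 15 13:30:00 host sshd[1]: Accepted publickey for alice',
  '2024-03-15T16:23:10+02:00 backup done', // 14:23:10 UTC once the +02:00 offset is removed
  ...Array.from({ length: 11 }, (_, i) => `203.0.113.7 - - [15/Mar/2024:14:23:${String(i).padStart(2, '0')} +0000] "GET / HTTP/1.1" 200 0`),
].join('\n');

console.log(findBursts(SAMPLE, 5)); // -> [{ minute: '2024-03-15T14:23:00.000Z', count: 12 }]
```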

MAC Addresses

Media Access Control (MAC) addresses are extracted in common formats including colon-separated (00:1B:44:11:3A:B7), hyphen-separated (00-1B-44-11-3A-B7), and dot-separated Cisco notation (001b.4411.3ab7). MAC addresses appear in DHCP server logs, ARP tables, wireless controller logs, and network switch logs. Seeing unexpected MAC addresses can indicate unauthorized devices on your network.
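The extract, group, count and CSV-export steps from "How to Use" above, applied to the categories just described, as an added JavaScript example that is not the tool's own code; the regexes are simplified illustrations rather than the tool's exact patterns, and the log lines are constructed from documentation IP ranges and example domains.

```javascript
// Added example, not the tool's own code: regex extraction of the page's artifact
// categories, grouped and counted per unique value, plus a CSV export.
// The patterns are simplified illustrations, not the tool's exact regexes.
const PATTERNS = {
  ipv4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
  // full 8-group form, or a compressed form containing "::" (so hh:mm:ss times and MACs do not match)
  ipv6: /(?<![\w:])(?:(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){1,6}:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})(?![\w:])/gi,
  email: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g,
  url: /\b(?:https?|ftp):\/\/[^\s"'<>]+/gi,
  // Unix absolute paths (but not the "/" inside URLs or dd/Mon/yyyy dates), then drive and UNC paths
  path: /(?<![\w:\/])\/(?:[\w.-]+\/)*[\w.-]+\/?|\b[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*|\\\\[^\\\s]+(?:\\[^\\\s]+)+/g,
  // ISO 8601, Apache/nginx combined log format, syslog
  timestamp: /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?|\d{2}\/[A-Z][a-z]{2}\/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}|\b[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}\b/g,
  mac: /\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b/gi,
};

// Returns { category: [[value, count], ...] }, sorted by count (desc) then value.
function extract(text) {
  const findings = {};
  for (const [category, re] of Object.entries(PATTERNS)) {
    const counts = new Map();
    for (const m of text.matchAll(re)) counts.set(m[0], (counts.get(m[0]) || 0) + 1);
    findings[category] = [...counts].sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1));
  }
  return findings;
}

// CSV export grouped by category; values are quoted so commas or quotes in URLs survive.
function toCsv(findings) {
  const rows = ['category,value,count'];
  for (const [category, entries] of Object.entries(findings))
    for (const [value, count] of entries) rows.push(`${category},"${value.replace(/"/g, '""')}",${count}`);
  return rows.join('\n');
}

// Constructed sample log (documentation IP ranges, example.com) mixing the formats above.
const SAMPLE_LOG = [
  '203.0.113.7 - - [15/Mar/2024:14:23:01 +0000] "GET /wp-admin HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [15/Mar/2024:14:23:02 +0000] "GET /.env HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [15/Mar/2024:14:23:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://example.com/" "curl/8.0"',
  'Mar 15 14:23:09 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2',
  '2024-03-15T14:23:10Z dhcpd: DHCPACK on 10.0.0.55 to 00:1b:44:11:3a:b7 via eth0',
  '2024-03-15T14:23:11Z app ERROR cannot open /var/log/app/secret.txt, notifying ops@example.com',
  '2024-03-15T14:23:12Z radvd: fe80::1 sent router advertisement for 2001:db8::1',
  '2024-03-15T14:23:13Z fim: C:\\Windows\\System32\\drivers\\etc\\hosts modified',
].join('\n');

console.log(toCsv(extract(SAMPLE_LOG)));
```

Each category is matched independently over the whole text, so an IP that also appears inside a URL is counted in both categories, which mirrors the per-category tables the tool shows.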

Log Forensics Use Cases

  • Incident response — quickly extract all attacker IPs from a compromised server's access log
  • Brute-force detection — count authentication attempts per IP to identify password spray attacks
  • Data exfiltration review — find unusual URLs or file paths in outbound proxy logs
  • SIEM pre-processing — extract structured data from raw logs before ingesting into Splunk, ELK, or similar
  • Email spam analysis — extract sender addresses from mail server logs to build blocklists
  • Compliance auditing — verify that PII (emails, IPs) in logs is limited to what your policy allows

Privacy Note

Log files often contain sensitive personal data: IP addresses, email addresses, usernames, and URLs that encode user sessions. This tool processes everything locally in your browser. Your log data is never uploaded, transmitted, or stored anywhere. You can use this tool safely on production log data without any risk of data leakage. The only network requests this page makes are to load its own CSS/JS assets from thisdevtool.com.

Frequently Asked Questions

No. The forensics analyzer runs entirely in your browser using JavaScript. Your log data never leaves your machine. All regex extraction happens locally — there is no upload, no server processing, and no data collection.

The tool extracts: IPv4 addresses (e.g. 192.168.1.1), IPv6 addresses, email addresses, HTTP/HTTPS/FTP URLs, Unix and Windows file paths, ISO 8601 and common log timestamps (Apache/nginx CLF, syslog), and MAC addresses in common formats.

Since processing runs in the browser, practical limits depend on your device's RAM. The tool handles files up to approximately 10 MB comfortably. For very large log files (100 MB+), consider using command-line tools like grep or awk, then paste the relevant sections here.

Yes. Drag any plain-text log file from your desktop or file manager directly onto the input area. The file contents will be loaded automatically. The tool accepts .log, .txt, .csv, and any other plain-text format. Binary files are not supported.

When you click Analyze, the tool renders your source text with color-coded highlighting so you can see each IP, email, URL, or other artifact in its original context. Each category gets a distinct color. This is useful for reading log lines with multiple artifacts at once.