I. Introduction
System log analysis is an essential step in investigating a compromised system. It helps the investigator understand data breaches, unauthorized access and other security-related incidents, and it makes it possible to build a forensic timeline of the events that led up to a computer security violation. Log files are a valuable source of information in any investigation: they record the events that the system and its services are configured to log, each with a timestamp, the system (host) name, process data (process name and usually its PID) and a detailed event description. For this reason they are regarded as key evidence in forensic investigation [1]. Because the files reside on the compromised host itself, an attacker with sufficient privileges can alter or delete them, so their integrity should be checked (for example against copies forwarded to a remote log server) before they are relied on. Logging is usually performed by the operating system or by application software. On Linux-based systems, the system logs are found in the directory /var/log/ [2]. The authorization log (auth.log, which records authentication and privilege-use events such as SSH logins and sudo invocations), the debug log (debug), the kernel log (kern.log), the system log (syslog) and the daemon log (daemon.log) are the system logs of the Ubuntu operating system (a Linux-based OS) [3].
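The following is an added example, not code from the original paper, showing how the log fields listed above (timestamp, host name, process data, event description) can be parsed from Ubuntu-style auth.log lines and ordered into a forensic timeline. The sample lines are constructed for illustration; the classic rsyslog line format it assumes ("Mon DD HH:MM:SS host process[pid]: message") carries no year, so the caller must supply one, and a timeline spanning a New Year boundary must be split accordingly.

```python
"""Parse Ubuntu-style auth.log lines into a chronologically sorted forensic timeline.

Assumptions (added example, not from the original text):
- lines follow the classic rsyslog format "Mon DD HH:MM:SS host process[pid]: message"
- that format has no year, so the caller passes the year the log was written in
"""
import re
from collections import Counter
from datetime import datetime

# Generic syslog line: timestamp, host, process (optional [pid]), message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Message patterns for the events an investigator typically extracts first.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Constructed sample lines (not real logs), deliberately out of order and with one junk line.
SAMPLE_AUTH_LOG = """\
Mar  3 09:15:02 webhost sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:58 webhost sshd[2209]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 09:16:40 webhost sshd[2230]: Accepted password for deploy from 198.51.100.12 port 40110 ssh2
Mar  3 09:17:05 webhost sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:30 webhost sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
garbage line that should be skipped
"""


def classify(proc, msg):
    """Map a process name and raw message to an event kind plus structured detail."""
    if proc == "sshd":
        m = FAILED_RE.search(msg)
        if m:
            return "auth_failure", {"user": m["user"], "ip": m["ip"]}
        m = ACCEPTED_RE.search(msg)
        if m:
            return "auth_success", {"user": m["user"], "ip": m["ip"]}
    if proc == "sudo":
        m = SUDO_RE.match(msg)
        if m:
            return "sudo", {"user": m["user"], "cmd": m["cmd"].strip()}
    return "other", {}


def parse_line(line, year):
    """Return one timeline event dict for a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Collapse the double space in "Mar  3" before handing it to strptime.
    ts_text = " ".join(m["ts"].split())
    when = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    kind, detail = classify(m["proc"], m["msg"])
    return {
        "time": when,
        "host": m["host"],
        "proc": m["proc"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "kind": kind,
        "detail": detail,
        "raw": line,
    }


def build_timeline(log_text, year):
    """Parse every line, drop unparseable ones, and sort chronologically (stable sort
    keeps original file order for identical timestamps)."""
    events = [parse_line(l, year) for l in log_text.splitlines() if l.strip()]
    return sorted((e for e in events if e is not None), key=lambda e: e["time"])


def failed_logins_by_source(timeline):
    """Count authentication failures per source IP, a first indicator of brute forcing."""
    return Counter(e["detail"]["ip"] for e in timeline if e["kind"] == "auth_failure")


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_AUTH_LOG, 2024)
    for e in tl:
        print(e["time"].isoformat(), e["host"], e["proc"], e["kind"], e["detail"])
    print("failed logins per source:", dict(failed_logins_by_source(tl)))
```

On the sample data the three failures from 203.0.113.7 precede the accepted login and the sudo-to-root, which is exactly the kind of sequence a timeline is meant to surface; on a real system the same functions would be run over the full auth.log (and its rotated copies) with the year taken from the file's modification time or the rotation schedule.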