Documentation
How to use this tool, practical use cases, and technical notes.
The Log Parser is designed to deliver value in under five minutes. Here is a complete walkthrough of every feature, with guidance on getting the most out of each one.
Step 1 — Open the Tool and Understand the Layout
The workspace is divided into two main panels and a stats bar at the top:
Stats Bar (top):
Counter | What It Shows |
|---|---|
Total lines | Total number of lines in your pasted log input |
Matching filter | Number of lines that match your current active filter |
Errors | Total lines detected as error-level events |
Warnings | Total lines detected as warning-level events |
These four numbers update in real time as you type or paste — giving you an immediate summary before you've read a single line.
Left Panel — Log Input: Where you paste your raw log data.
Right Panel — Parsed Output: Filtered results that update live as you change filters.
Step 2 — Load Your Log Data
You have two options for getting data into the tool:
Option A: Paste raw logs Copy log content from your terminal, log viewer, or file and paste it directly into the "Log input" panel. The tool accepts any volume of line-delimited text.
Common ways to copy logs to clipboard:
Source | Command to Copy Log Content |
|---|---|
Linux auth log (last 200 lines) |
|
Nginx error log |
|
Journald (systemd) |
|
Docker container log |
|
AWS CloudWatch (via CLI) |
|
macOS (pbcopy) |
|
Option B: Load a sample log Click one of the three sample log buttons at the bottom of the workspace to instantly load a representative dataset:
Sample | What It Contains | Best For Learning |
|---|---|---|
Auth failures | Simulated | SSH attack patterns, auth log reading |
Nginx access | Mixed HTTP traffic with 200, 301, 403, 404, and 500 responses | HTTP log analysis, detecting error spikes |
App JSON logs | Structured JSON log lines with ERROR, WARN, and INFO levels | Application log parsing, level detection |
Step 3 — Apply a Filter
The filter bar sits between the stats counters and the parsed output panel. You can filter two ways:
Method A: Use a preset filter button
Preset Filter | What It Matches | Typical Use |
|---|---|---|
All lines | No filter — shows complete log | Initial overview before narrowing |
Failed / error | Lines containing error keywords ( | Finding crashes, authentication failures |
SSH / auth | Lines from sshd, PAM, or containing auth-related keywords | Investigating login attempts, privilege events |
HTTP 4xx/5xx | Lines with HTTP status codes 400–599 | Finding client errors, server errors in web logs |
WARN level | Lines containing | Surfacing degraded-but-not-broken conditions |
Method B: Type a custom keyword in the filter box
The filter keyword input accepts any plain-text string and matches it case-insensitively against every log line. Useful patterns:
You Want To Find | Type in Filter Box |
|---|---|
A specific IP address |
|
Events from a specific service |
|
A specific username |
|
A specific HTTP endpoint |
|
A specific error message |
|
A time window |
|
A specific PID or process |
|
A status code |
|
Step 4 — Analyze the Parsed Output
The parsed output panel shows only the lines matching your active filter, with color coding applied based on detected log level:
Line Appearance | Meaning |
|---|---|
Red / error highlighting | Line detected as error or failure |
Yellow / warning highlight | Line detected as warning |
Normal text | Info or unknown level |
Read the matching line count in the stats bar to understand the scale of what you're seeing — "47 matching filter" during an SSH filter tells you there were 47 auth-related events in your log sample.
Step 5 — Switch Filters to Compare
A powerful technique is switching between filters in sequence to build a mental picture of the log:
Start on All lines — understand the total volume and time range
Switch to Failed / error — see how many errors occurred
Switch to SSH / auth — if applicable, see the authentication activity volume
Switch to HTTP 4xx/5xx — identify client/server error rate
Use the custom keyword filter to drill into specific IPs, endpoints, or services
Step 6 — Live Mode vs. Static Mode
The "Live" toggle in the Log Input panel header indicates that output updates in real time as you edit the input. This is the default and recommended mode for interactive analysis. Toggle it off if you want to paste a large log without triggering filter updates on every keystroke.
Step 7 — Interpret and Act
Once you've filtered to the relevant lines, your next steps typically depend on what you found:
Finding | Recommended Next Step |
|---|---|
High volume of SSH | Check source IPs; consider IP blocking, fail2ban, or disabling root SSH login |
| Username enumeration attack in progress; review firewall rules |
HTTP 500 errors spiking at a specific time | Check application logs for stack traces at that timestamp |
| Web scanning / credential stuffing attempt; review WAF rules |
| Resource exhaustion risk; review database connection limits |
Successful SSH login from unexpected IP | Potential unauthorized access; correlate with other event logs immediately |
The Log Parser is designed to deliver value in under five minutes. Here is a complete walkthrough of every feature, with guidance on getting the most out of each one.
Step 1 — Open the Tool and Understand the Layout
The workspace is divided into two main panels and a stats bar at the top:
Stats Bar (top):
Counter | What It Shows |
|---|---|
Total lines | Total number of lines in your pasted log input |
Matching filter | Number of lines that match your current active filter |
Errors | Total lines detected as error-level events |
Warnings | Total lines detected as warning-level events |
These four numbers update in real time as you type or paste — giving you an immediate summary before you've read a single line.
Left Panel — Log Input: Where you paste your raw log data.
Right Panel — Parsed Output: Filtered results that update live as you change filters.
Step 2 — Load Your Log Data
You have two options for getting data into the tool:
Option A: Paste raw logs Copy log content from your terminal, log viewer, or file and paste it directly into the "Log input" panel. The tool accepts any volume of line-delimited text.
Common ways to copy logs to clipboard:
Source | Command to Copy Log Content |
|---|---|
Linux auth log (last 200 lines) |
|
Nginx error log |
|
Journald (systemd) |
|
Docker container log |
|
AWS CloudWatch (via CLI) |
|
macOS (pbcopy) |
|
Option B: Load a sample log Click one of the three sample log buttons at the bottom of the workspace to instantly load a representative dataset:
Sample | What It Contains | Best For Learning |
|---|---|---|
Auth failures | Simulated | SSH attack patterns, auth log reading |
Nginx access | Mixed HTTP traffic with 200, 301, 403, 404, and 500 responses | HTTP log analysis, detecting error spikes |
App JSON logs | Structured JSON log lines with ERROR, WARN, and INFO levels | Application log parsing, level detection |
Step 3 — Apply a Filter
The filter bar sits between the stats counters and the parsed output panel. You can filter two ways:
Method A: Use a preset filter button
Preset Filter | What It Matches | Typical Use |
|---|---|---|
All lines | No filter — shows complete log | Initial overview before narrowing |
Failed / error | Lines containing error keywords ( | Finding crashes, authentication failures |
SSH / auth | Lines from sshd, PAM, or containing auth-related keywords | Investigating login attempts, privilege events |
HTTP 4xx/5xx | Lines with HTTP status codes 400–599 | Finding client errors, server errors in web logs |
WARN level | Lines containing | Surfacing degraded-but-not-broken conditions |
Method B: Type a custom keyword in the filter box
The filter keyword input accepts any plain-text string and matches it case-insensitively against every log line. Useful patterns:
You Want To Find | Type in Filter Box |
|---|---|
A specific IP address |
|
Events from a specific service |
|
A specific username |
|
A specific HTTP endpoint |
|
A specific error message |
|
A time window |
|
A specific PID or process |
|
A status code |
|
Step 4 — Analyze the Parsed Output
The parsed output panel shows only the lines matching your active filter, with color coding applied based on detected log level:
Line Appearance | Meaning |
|---|---|
Red / error highlighting | Line detected as error or failure |
Yellow / warning highlight | Line detected as warning |
Normal text | Info or unknown level |
Read the matching line count in the stats bar to understand the scale of what you're seeing — "47 matching filter" during an SSH filter tells you there were 47 auth-related events in your log sample.
Step 5 — Switch Filters to Compare
A powerful technique is switching between filters in sequence to build a mental picture of the log:
Start on All lines — understand the total volume and time range
Switch to Failed / error — see how many errors occurred
Switch to SSH / auth — if applicable, see the authentication activity volume
Switch to HTTP 4xx/5xx — identify client/server error rate
Use the custom keyword filter to drill into specific IPs, endpoints, or services
Step 6 — Live Mode vs. Static Mode
The "Live" toggle in the Log Input panel header indicates that output updates in real time as you edit the input. This is the default and recommended mode for interactive analysis. Toggle it off if you want to paste a large log without triggering filter updates on every keystroke.
Step 7 — Interpret and Act
Once you've filtered to the relevant lines, your next steps typically depend on what you found:
Finding | Recommended Next Step |
|---|---|
High volume of SSH | Check source IPs; consider IP blocking, fail2ban, or disabling root SSH login |
| Username enumeration attack in progress; review firewall rules |
HTTP 500 errors spiking at a specific time | Check application logs for stack traces at that timestamp |
| Web scanning / credential stuffing attempt; review WAF rules |
| Resource exhaustion risk; review database connection limits |
Successful SSH login from unexpected IP | Potential unauthorized access; correlate with other event logs immediately |