Finding the needles in a log file haystack

15.02.2011

Lastly, Mandiant has a free tool called Highlighter that looks promising.

OK, now to get down to business. Here are some guidelines:

* Determine the business purpose of the system. You have your facts on the case, and you have some files handed over to you. But do you know what the system does for the business? Is it a mail server? A file server? Web server? Application server?

* Review the entire file. While this sounds counterproductive, it can be a helpful way to start. Do you need to do a line-by-line review of everything? No. But if you can page through most of the file (or a large chunk of it), you will get a sense of what is normal and what isn't. For example, if you are reviewing a mail log and see mostly the same entry over and over:

Aug 3 03:39:49 goodguy.com sendmail[532]: [ID 702911 mail.notice] rejecting connections on daemon MTA-v6: load average: 17
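One way to get that "sense of what is normal" mechanically, rather than by paging through the whole file, is to collapse each syslog message into a template (numbers, addresses and queue IDs replaced by placeholders) and count how often each template occurs; the repetitive "rejecting connections" entry floats to the top and the handful of one-off lines are what is left to read. The script below is an added example written for this post, not code from the post or from Mandiant's Highlighter. The sample log is constructed: the first line is the one quoted above, the other seven are made up in the same sendmail/syslog shape, and the normalisation rules (the 14-character sendmail queue ID heuristic in particular) are assumptions that would need tuning for other daemons.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the entry quoted in the post; the rest are
# invented for this example in the same Solaris sendmail/syslog format.
SAMPLE_LOG = """\
Aug 3 03:39:49 goodguy.com sendmail[532]: [ID 702911 mail.notice] rejecting connections on daemon MTA-v6: load average: 17
Aug 3 03:40:19 goodguy.com sendmail[532]: [ID 702911 mail.notice] rejecting connections on daemon MTA-v6: load average: 18
Aug 3 03:40:49 goodguy.com sendmail[532]: [ID 702911 mail.notice] rejecting connections on daemon MTA-v6: load average: 16
Aug 3 03:41:19 goodguy.com sendmail[532]: [ID 702911 mail.notice] rejecting connections on daemon MTA-v6: load average: 17
Aug 3 03:41:22 goodguy.com sendmail[9123]: [ID 801593 mail.info] p73Bf2ab009123: from=<root@goodguy.com>, size=512, class=0, nrcpts=1
Aug 3 03:41:23 goodguy.com sendmail[9124]: [ID 801593 mail.info] p73Bf2ab009123: to=<ceo@goodguy.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30512, dsn=2.0.0, stat=Sent
Aug 3 03:41:49 goodguy.com sendmail[532]: [ID 702911 mail.notice] rejecting connections on daemon MTA-v6: load average: 19
Aug 3 03:42:19 goodguy.com sendmail[532]: [ID 702911 mail.notice] rejecting connections on daemon MTA-v6: load average: 20
"""

# Classic BSD syslog line: "Mon D HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def template(msg):
    """Replace the variable parts of a message so that lines that differ only
    in counters, addresses or queue IDs collapse onto one template."""
    t = re.sub(r"<[^>]*>", "<ADDR>", msg)       # <user@host> envelope addresses
    t = re.sub(r"\b\w{14}:", "QID:", t)          # assumed sendmail queue ID (14 chars + colon)
    t = re.sub(r"\d+", "N", t)                   # any remaining number
    return t


def rank_templates(log_text):
    """Count how often each (program, template) pair occurs and keep the first
    raw line seen for each so the analyst can look at a concrete instance."""
    counts = Counter()
    examples = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = ("?", "<unparsed>") if rec is None else (rec["prog"], template(rec["msg"]))
        counts[key] += 1
        examples.setdefault(key, line)
    return counts, examples


def most_common_template(log_text):
    """The background noise: the template with the highest count."""
    counts, _ = rank_templates(log_text)
    return counts.most_common(1)[0]


def rare_entries(log_text, max_count=1):
    """The needles: templates seen at most max_count times, with an example line."""
    counts, examples = rank_templates(log_text)
    return [(key, n, examples[key]) for key, n in counts.items() if n <= max_count]


if __name__ == "__main__":
    counts, examples = rank_templates(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n:6d}  {key[0]}  {key[1]}")
    print("\nRare lines worth reading:")
    for _key, n, line in rare_entries(SAMPLE_LOG):
        print(f"  ({n}x) {line}")
```

On the constructed sample this reports the "rejecting connections" template six times and leaves the two delivery lines as the only entries seen once. Run against a real file, the same ranking tells you quickly which messages are the system's steady state and which deserve a close look; the `<unparsed>` bucket is worth checking too, since lines that do not fit the expected format are sometimes the interesting ones.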