Using logs for forensics after a data breach

08.11.2010

Now you are in an ideal situation to perform forensics: you are working from a clear stream of data, with fresh, unaltered information at your fingertips, and in case of misbehavior you hold every piece of information needed to trace the culprit.

If you have ever been under attack, you can certainly understand the pressure to react fast. The first step is to understand what happened, who did it, how, which systems were affected, and what must be done to stop the damage and prevent it from happening again.

Logs are a gold mine for this task if you know how to leverage them and have the proper tools to do so. You know the proof of the misbehavior is in there somewhere, mixed with billions of other log entries and buried in terabytes or even petabytes of data.

The process of performing forensics on a log management solution is similar to using an Internet search engine. Sometimes you know exactly what you're looking for; other times it's a trial-and-error process. Start with keywords and refine or modify them to zoom in on the log or logs that explain what happened.
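As an added example (not from the original post), here is the keyword-then-refine search the paragraph describes, run over constructed sshd/sudo log lines: a broad keyword match, a per-source summary to pick a pivot, then pivots on that address and on the account it succeeded with to recover what happened next. The log lines and the field patterns are assumptions chosen to match standard syslog output.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post): routine noise plus
# a short password-guessing run from one external address that ends in a success.
SAMPLE_LOGS = """\
2010-11-08T09:12:01 srv1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50211 ssh2
2010-11-08T09:13:44 srv1 sshd[2204]: Failed password for root from 203.0.113.9 port 41022 ssh2
2010-11-08T09:13:46 srv1 sshd[2204]: Failed password for root from 203.0.113.9 port 41022 ssh2
2010-11-08T09:13:49 srv1 sshd[2206]: Failed password for admin from 203.0.113.9 port 41030 ssh2
2010-11-08T09:14:02 srv1 sshd[2208]: Failed password for bob from 10.0.0.7 port 51000 ssh2
2010-11-08T09:14:15 srv1 sshd[2210]: Accepted password for admin from 203.0.113.9 port 41044 ssh2
2010-11-08T09:14:30 srv1 sudo: admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/mysql
2010-11-08T09:15:10 srv1 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)""".splitlines()

IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
USER_RE = re.compile(r"\b(?:Accepted|Failed) \w+ for (\w+) from\b")

def search(lines, *keywords):
    """First pass: keep every line that contains all keywords (case-insensitive)."""
    kws = [k.lower() for k in keywords]
    return [line for line in lines if all(k in line.lower() for k in kws)]

def top_sources(lines):
    """Summarise hits per source address so the analyst can choose a pivot."""
    return Counter(m.group(1) for line in lines if (m := IP_RE.search(line)))

def users_in(lines):
    """Account names appearing in sshd authentication lines (the next pivot)."""
    return sorted({m.group(1) for line in lines if (m := USER_RE.search(line))})

def investigate(lines):
    """Chain the refinements: keyword -> pivot on source address -> pivot on account."""
    failed = search(lines, "failed password")           # broad: all failed logins
    ip, _ = top_sources(failed).most_common(1)[0]       # noisiest source is the pivot
    from_ip = search(lines, ip)                         # everything from that address
    compromised = users_in(search(from_ip, "accepted")) # accounts it finally got into
    trail = []                                          # what those accounts did afterwards
    for user in compromised:
        trail += [line for line in search(lines, user) if line not in from_ip]
    return {
        "pivot_ip": ip,
        "attempts": len(search(failed, ip)),
        "compromised": compromised,
        "trail": trail,
    }

if __name__ == "__main__":
    print(investigate(SAMPLE_LOGS))
```

On the sample data the chain narrows four failed logins to one source, one account, and the single sudo line that shows what that account did after getting in.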