Others have just a horrible text interface but can analyze different kind of logs from many applications. Today I wanna point out LIRE, one of my favorite log Analyzer.This tool permits the creation of several reporting formats, including html, pdf, xml, .. ... .. ect. ect.. It also permits to analyze many log file formats, which include MySQL, Iptables, BIND, Apache, Qmail, Postfix, Syslog and more. It has been deveploped in Perl and I recommend you to install all the dependence modules with CPAN (type "perl -M CPAN -e shell" on the command line as root).
I just wanna remember that every log found inside the compromised machine cannot be asserted as safe, because the attacker may change each entry of the log file. For this reason I suggest to implement a remote log system as SysLog. It's native (on Linux System) easy to implement and really fast. Set up on the machine IP1 syslog (probably you will find it under /etc/init.d/syslog start or just syslog -r). Then edit the /etc/syslog.conf on the monitored machine IP2 as follow:
auth.*; authpriv.* @ip1
Last but not least remember the machine which logs must be able to receive message from the LAN, so if you've set up some iptables, look out.
