🤖 AI Summary
This work addresses the challenge of achieving both high-accuracy detection and legally compliant interpretability in forensic analysis of web server logs—a balance that traditional methods struggle to attain. The authors propose CEF-Log, a novel approach that integrates a structured five-step reasoning template into few-shot prompts for large language models, thereby embedding expert knowledge to guide the model toward traceable, multi-step inference rather than reliance on memorized patterns. To evaluate performance in realistic attack scenarios, they introduce a new dataset, ForenWebLog. On the CSIC 2010 benchmark, CEF-Log achieves an F1 score of 0.99 using only four examples, demonstrating a tenfold improvement in sample efficiency over existing prompting methods. The generated explanations are both forensically traceable and suitable for inclusion in legal documentation.
📝 Abstract
Forensic analysis of web server logs demands both accurate detection and human-readable explanations that can satisfy legal requirements. We present CEF-Log, a context-enhanced few-shot chain-of-thought prompting strategy for Large Language Models that addresses this dual requirement. CEF-Log embeds expert investigative methodology through a structured five-step reasoning template, enabling the model to learn how to analyze logs rather than what patterns to memorize. Experimental evaluation demonstrates that CEF-Log achieves an F1-score of 0.99 on the CSIC 2010 dataset using only four examples while providing a 10× improvement in sample efficiency compared to other prompting-based methods. We also introduce ForenWebLog, a new dataset that incorporates real-world attacks and multi-step attack sequences for comprehensive evaluation. Qualitative analysis confirms that CEF-Log generates traceable, accurate explanations suitable for forensic documentation, addressing the critical "black-box" limitation of traditional machine learning approaches.
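The abstract describes the mechanism (a fixed multi-step reasoning template, a handful of worked examples, and an explanation that has to be traceable back to the log entry) without showing what such a prompt or its output looks like. The sketch below is an added Python illustration, not the paper's code and not taken from CSIC 2010 or ForenWebLog: the page states that the template has five steps but does not list them, so the step wording is a placeholder assumption, and the request lines, rationales and "model responses" are constructed. It goes one step beyond the text by checking that every evidence fragment a response quotes actually occurs in the log entry (raw or URL-decoded), which is the minimal grounding check a reviewer would want before an explanation is filed as forensic documentation.

```python
"""Few-shot chain-of-thought prompt assembly and response checking for
web server log classification, in the spirit of the CEF-Log abstract.

Added illustration, not the paper's code. The page says the template has
five steps but does not list them, so the step wording below is a
placeholder (assumption). The log lines, rationales and simulated model
responses are constructed sample data, not drawn from any dataset.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus

# Placeholder five-step template (assumption: the page gives the count only).
REASONING_STEPS = [
    "Step 1: Parse the method, path, parameters and client fields.",
    "Step 2: URL-decode and normalise the parameter values.",
    "Step 3: Quote, in double quotes, the exact substrings that are anomalous (or write none).",
    "Step 4: Name the attack class the evidence supports, or explain why it is benign.",
    "Step 5: Give the verdict, MALICIOUS or BENIGN.",
]


@dataclass(frozen=True)
class Shot:
    """One labelled demonstration: a log entry and its worked five-step rationale."""
    entry: str
    rationale: str
    verdict: str


# Four constructed CSIC-2010-style request lines (sample data, not the dataset).
SHOTS = [
    Shot("GET /tienda1/publico/anadir.jsp?id=2&nombre=Vino&precio=100 HTTP/1.1",
         "Step 1: GET anadir.jsp with id=2, nombre=Vino, precio=100.\n"
         "Step 2: No encoded characters; values are plain alphanumerics.\n"
         "Step 3: Evidence: none.\n"
         "Step 4: Ordinary add-to-cart request for the shop application.\n"
         "Step 5: BENIGN", "BENIGN"),
    Shot("GET /tienda1/publico/vaciar.jsp?B2=Vaciar+carrito HTTP/1.1",
         "Step 1: GET vaciar.jsp with B2=Vaciar+carrito.\n"
         "Step 2: The plus sign decodes to a space; the value is a button label.\n"
         "Step 3: Evidence: none.\n"
         "Step 4: Empty-cart action, consistent with normal use.\n"
         "Step 5: BENIGN", "BENIGN"),
    Shot("GET /tienda1/publico/anadir.jsp?id=2%27+OR+%271%27%3D%271&precio=100 HTTP/1.1",
         "Step 1: GET anadir.jsp; the id parameter is unusually long for a numeric field.\n"
         "Step 2: id decodes to 2' OR '1'='1.\n"
         "Step 3: Evidence: \"' OR '1'='1\".\n"
         "Step 4: Quote-terminated tautology in a numeric field: SQL injection attempt.\n"
         "Step 5: MALICIOUS", "MALICIOUS"),
    Shot("GET /tienda1/imagenes/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",
         "Step 1: GET under /imagenes/ with no query parameters.\n"
         "Step 2: %2F decodes to a slash, giving ../../../etc/passwd.\n"
         "Step 3: Evidence: \"../../../etc/passwd\".\n"
         "Step 4: Repeated parent-directory segments escaping the image folder: path traversal.\n"
         "Step 5: MALICIOUS", "MALICIOUS"),
]


def build_prompt(shots: List[Shot], target: str) -> str:
    """Assemble the prompt: the reasoning template, k worked shots, then the query entry."""
    header = ("Analyse each web server log entry with exactly these steps:\n"
              + "\n".join(REASONING_STEPS))
    demos = "\n\n".join(f"Entry: {s.entry}\nAnalysis:\n{s.rationale}" for s in shots)
    return f"{header}\n\n{demos}\n\nEntry: {target}\nAnalysis:\n"


VERDICT_RE = re.compile(r"Step 5:\s*(MALICIOUS|BENIGN)\b")
EVIDENCE_LINE_RE = re.compile(r"Step 3:(.*)")   # single line: '.' does not cross newlines
QUOTED_RE = re.compile(r'"([^"]+)"')


@dataclass
class Analysis:
    verdict: Optional[str]
    evidence: List[str]
    grounded: bool  # True when every quoted fragment occurs in the raw or decoded entry


def parse_response(entry: str, response: str) -> Analysis:
    """Extract the verdict and the quoted evidence from a model response, and check
    that each quoted fragment really occurs in the entry (raw or URL-decoded).

    A verdict whose quoted evidence cannot be found in the log line is flagged
    as ungrounded rather than trusted; that is the minimum before an explanation
    can be filed as forensic documentation. A Step 3 of "none" has nothing to
    check and is trivially grounded."""
    m = VERDICT_RE.search(response)
    verdict = m.group(1) if m else None
    fragments: List[str] = []
    line = EVIDENCE_LINE_RE.search(response)
    if line:
        fragments = QUOTED_RE.findall(line.group(1))
    decoded = unquote_plus(entry)
    grounded = all(f in entry or f in decoded for f in fragments)
    return Analysis(verdict, fragments, grounded)


# Constructed target entry and two simulated model responses (not real LLM output).
TARGET = "POST /tienda1/publico/autenticar.jsp?modo=entrar&login=admin%27--&pwd=x HTTP/1.1"
GOOD_RESPONSE = (
    "Step 1: POST autenticar.jsp with modo=entrar, login=admin%27--, pwd=x.\n"
    "Step 2: login decodes to admin'--.\n"
    "Step 3: Evidence: \"'--\" in the login field.\n"
    "Step 4: Quote followed by a comment marker in a login field: SQL injection attempt.\n"
    "Step 5: MALICIOUS"
)
# Same verdict, but the quoted evidence does not occur in the entry: must be flagged.
UNGROUNDED_RESPONSE = GOOD_RESPONSE.replace("\"'--\"", "\"UNION SELECT\"")

if __name__ == "__main__":
    print(build_prompt(SHOTS, TARGET))
    for resp in (GOOD_RESPONSE, UNGROUNDED_RESPONSE):
        a = parse_response(TARGET, resp)
        print(a.verdict, a.evidence, "grounded" if a.grounded else "NOT grounded")
```

The grounding check is deliberately strict and mechanical: it does not judge whether the attack class named in Step 4 is right, only whether the quoted fragments exist in the entry, so a reviewer can tell a traceable explanation from a plausible-sounding one before reading further.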