The article proposes a method based on the analysis of the event logs of the Linux operating system, which allows you to automatically detect information security events. The method consists of sequentially implemented steps: reading event logs into single data arrays, clustering and classifying event log entries by available attributes based on regular expressions. Based on the results of the classification of records, histograms of the distribution of information security events by day are formed, which allow us to assess the need for advanced data analysis on the carrier (on the device) where the incident occurred. In addition, the analysis of the existing basic clustering algorithms on the affected topic was carried out, their quantitative and qualitative assessment was given. Separately, emphasis is placed on the use of the ELK Stack (Elasticsearch, Logstash, and Kibana) framework as a set of components that provide convenient centralized logging from different servers and data centers.