The use of log analysis of the outlier was proposed, on the log data preprocessing to establish the appropriate mining size, with depicting a normal mode. The improved method can be used for the large-scale anomalous detection of data sets, reducing the false alarm rate, while greatly improving the detection rate to achieve the desired time efficiency. The system can be with the regular analysis of the user logs, to automatically find the suspect from the log, in a timely manner to prevent or deal with the illegal operation, in order to make the detection system more intelligent, accurate and efficient.