Security logs exhibit diverse and semi-structured formats, making traditional parsing approaches heavily reliant on extensive engineering effort, while direct querying struggles to capture complex temporal patterns and cross-event semantics. This work proposes a natural language–to–log query code generation method that eliminates the need for custom parsers by leveraging lightweight, automatically extracted log format context to guide large language models in translating natural language security questions into executable query code. The approach requires only a single model invocation followed by deterministic execution. Evaluated across five log types and 133 security queries, the method reduces error rates by more than threefold compared to handcrafted scripts, demonstrating particularly significant improvements in critical tasks involving multi-line event correlations.

Security analysts routinely query system logs to detect threats and investigate incidents, but each log source uses its own semi-structured format: logs are cheap to produce, but expensive to use. The standard approach, building per-source parsers to normalize logs into structured schemas, is powerful but requires continuous engineering effort for each new format. Querying raw logs directly with tools like grep avoids this cost, but requires analysts to know each source's message variants and cannot express the multi-line temporal queries that security investigations demand. We present Sieve, a system that generates executable query code from natural-language security questions by grounding a large language model with lightweight, automatically extracted log-format context, requiring only one LLM call per query followed by deterministic execution. Evaluating 133 security queries across 5 log types, we find that Sieve achieves over a 3x reduction in error rate on complex temporal and cross-event queries compared to manual analyst scripting, with the largest gains on the multi-line correlation tasks most critical to active investigations. Our results and benchmark provide evidence that LLM-generated code can bridge the gap between the expressiveness of structured log querying and the immediacy of working directly with raw files.