Honeypot forensics for system and network SIEM design - HAL open archive
Book chapter, Year: 2013

Honeypot forensics for system and network SIEM design

Abstract

This chapter presents forensic investigations of cyber attackers' activities on a large-scale honeypot and shows how these methodologies can be integrated into a SIEM. The chapter describes our high-interaction honeypot and analyzes the illegal activities performed by attackers on the basis of the data collected over two years of attacks: logged sessions, intrusion detection system alerts, and mandatory access control system alerts. The empirical study of these illegal activities has allowed us to understand the global motivations of the attackers, their technical skills, and the geographical location of both the attackers and their targets. A generic method is presented that has enabled us to rebuild the illegal activities using correlation techniques operating on system and network events. Monitoring the network and the operations occurring on each system has provided a precise, high-level characterization of the attacks. Finally, the chapter explains how network and system forensic methods can be integrated into a SIEM in order to monitor the security of a pool of hosts more accurately.
File not deposited

Dates and versions

hal-00677340 , version 1 (08-03-2012)

Identifiers

  • HAL Id: hal-00677340, version 1

Cite

Jérémy Briffaut, Patrice Clemente, Jean-François Lalande, Jonathan Rouzaud-Cornabas. Honeypot forensics for system and network SIEM design. Guillermo Suárez de Tangil and Esther Palomar. Advances in Security Information Management: Perceptions and Outcomes, Nova Science Publishers, pp.181-216, 2013, Computer Science, Technology and Applications, Computer Networks, 978-1-62417-221-2. ⟨hal-00677340⟩
301 Views
0 Downloads