Abstract:
Before the final attack happens, clandestine attackers conduct sequenced stages in order to remain stealthy and elusive. These stages can leave clues in several different log files. However, existing approaches can only detect anomalies using a single type of log and fail to reveal all of the attack steps through log integration and correlation. Such methods can hardly detect the relationships among events or prevent the attack in advance. Additionally, traditional machine learning or data mining in log analysis has a high computational overhead, which makes it impractical to apply in a real product or system. To address these problems, we present AClog, a multiple-log correlated analysis system that constructs the attack chain. Inspired by penetration testing and social network analysis, we recast attack provenance as an event-relationship discovery problem. We use different logs to form the steps of the system and regard them as the event sequences preceding the attack. Then, we leverage Fast Linear SVM and Longest Common Subsequences to find the regular steps before the attack. Finally, we spot the corresponding log sequences to identify the pre-attack steps proactively. We apply our approach to attack prediction on a cloud computing platform and a university network. The results show that the proposed method can effectively and precisely construct the attack steps and identify the corresponding syslogs.
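As an added illustration (not code from the AClog paper), the Longest Common Subsequence step sketched above, run over constructed per-incident event sequences to extract the regular pre-attack steps and then measure how far a fresh event stream has progressed along them; the event names, the sequences and the `matched_prefix` progress check are assumptions, and the SVM pre-filter is omitted.

```python
# Constructed event sequences that preceded a known attack in three incidents,
# one sequence per incident (names are invented, not AClog's data).
PRE_ATTACK_SEQUENCES = [
    ["ssh_login_fail", "ssh_login_fail", "ssh_login_ok", "sudo_su", "new_cron", "outbound_conn"],
    ["port_scan", "ssh_login_fail", "ssh_login_ok", "sudo_su", "outbound_conn"],
    ["ssh_login_fail", "ssh_login_ok", "pkg_install", "sudo_su", "new_cron", "outbound_conn"],
]


def lcs(a, b):
    """Longest common subsequence of two event sequences (classic DP with backtrack)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if a[i] == b[j]:
                dp[i + 1][j + 1] = dp[i][j] + 1
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = [], n, m
    while i and j:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]


def common_attack_steps(sequences):
    """Fold LCS over all incidents to obtain the steps they share, in order."""
    steps = sequences[0]
    for s in sequences[1:]:
        steps = lcs(steps, s)
    return steps


def matched_prefix(events, steps):
    """Count how many regular steps appear, in order, in an observed event stream.
    A high count before the final step is the cue to act proactively."""
    k = 0
    for e in events:
        if k < len(steps) and e == steps[k]:
            k += 1
    return k


STEPS = common_attack_steps(PRE_ATTACK_SEQUENCES)
OBSERVED = ["ssh_login_fail", "ssh_login_ok", "sudo_su"]          # constructed live stream
BENIGN = ["ssh_login_fail", "pkg_install", "logout"]              # constructed live stream
```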
Published in: 2019 IEEE Global Communications Conference (GLOBECOM)
Date of Conference: 09-13 December 2019
Date Added to IEEE Xplore: 27 February 2020