In this work, we will illustrate our attempt to exploit log files that are recorded locally on each node in a distributed system or a wired/wireless network. In order to improve the efficiency of retrieving data, we propose the idea of building a global view of the system with a clustered log-collecting scheme; this would help the monitoring node gain a whole view of the system by building up and maintaining high-level log files. We also introduce an efficient, tamper-evident scheme to detect whether a local flow-net has been deliberately compromised. We provide both simulation results and implementation of the proposed scheme on Emulab, a network testbed. Copyright © 2011 John Wiley & Sons, Ltd.