Devices, methods, and systems for security log mining are described herein. One method includes combining, using a data fusion unit of an access control system, features of structured and non-structured data associated with system access events for a number of users into a combined data set, generating, using an anomaly detection engine of the access control system, a model of behavior for the number of users based on the combined data set, and comparing, using the anomaly detection engine of the access control system, real time behavior for the number of users to the model for the number of users to determine whether the real time behavior for the number of users is anomalous behavior for the number of users.