LUK: Empowering Log Understanding with Expert Knowledge from Large Language Models
Lipeng Ma, Weidong Yang, Sihang Jiang, Ben Fei, Mingjie Zhou, Shuhao Li, Mingyu Zhao, Bo Xu, Yanghua Xiao
TL;DR
LUK addresses the impracticality of deploying large language models directly for log understanding by distilling expert knowledge from LLMs into smaller pre-trained language models through a multi-expert collaboration (MEC) framework. It introduces two novel pre-training tasks—word-level Token Prediction with a Knowledge Perception Module and Semantic Alignment—to incorporate external expert knowledge into log representations, followed by fine-tuning on six log-analysis tasks. The approach is explicitly evaluated against multiple baselines, including KnowLog, and demonstrates strong performance, especially in low-resource and unseen-log scenarios, while offering substantial efficiency gains over direct LLM reasoning. By comparing various LLM sources (ChatGPT, GPT-4o, Llama-3) and emphasizing knowledge quality via contrastive evaluation and iterative refinement, LUK provides a practical, scalable pathway for robust log understanding in real-world settings.
Abstract
Logs play a critical role in providing essential information for system monitoring and troubleshooting. Recently, with the success of pre-trained language models (PLMs) and large language models (LLMs) in natural language processing (NLP), smaller PLMs (such as BERT) and LLMs (like GPT-4) have become the current mainstream approaches for log analysis. Despite the remarkable capabilities of LLMs, their higher cost and inefficient inference present significant challenges in leveraging the full potential of LLMs to analyze logs. In contrast, smaller PLMs can be fine-tuned for specific tasks even with limited computational resources, making them more practical. However, these smaller PLMs face challenges in understanding logs comprehensively due to their limited expert knowledge. To address the lack of expert knowledge and enhance log understanding for smaller PLMs, this paper introduces a novel and practical knowledge enhancement framework, called LUK, which acquires expert knowledge from LLMs automatically and then enhances the smaller PLM for log analysis with these expert knowledge. LUK can take full advantage of both types of models. Specifically, we design a multi-expert collaboration framework based on LLMs with different roles to acquire expert knowledge. In addition, we propose two novel pre-training tasks to enhance the log pre-training with expert knowledge. LUK achieves state-of-the-art results on different log analysis tasks and extensive experiments demonstrate expert knowledge from LLMs can be utilized more effectively to understand logs. Our source code and detailed experimental data are available at https://github.com/LeaperOvO/LUK.