LogLLM: Log-based Anomaly Detection Using Large Language Models

Wei Guan, Jian Cao, Shiyou Qian, Jianqi Gao, Chun Ouyang

TL;DR

LogLLM tackles log-based anomaly detection by integrating a transformer encoder (BERT) for per-message semantics with a decoder (Llama) for sequence-level classification, bridged by a projector to align embedding spaces. A regex-based preprocessing pipeline avoids brittle log parsers, and a three-stage training procedure (stage 1: Llama templates, stage 2: embedder, stage 3: full fine-tuning) coupled with memory-efficient QLoRA enables effective deployment on large-scale data. Evaluations on four public datasets show LogLLM achieving superior F1 scores and robust performance under variable log quality and class imbalance, with detailed ablations confirming the necessity of each training stage and the benefits of embedding alignment. The approach advances practical log anomaly detection by leveraging both encoder and decoder LLM capabilities while addressing memory and data-imbalance challenges, offering a scalable solution for real-world systems.

Abstract

Software systems often record important runtime information in logs to help with troubleshooting. Log-based anomaly detection has become a key research area that aims to identify system issues through log data, ultimately enhancing the reliability of software systems. Traditional deep learning methods often struggle to capture the semantic information embedded in log data, which is typically organized in natural language. In this paper, we propose LogLLM, a log-based anomaly detection framework that leverages large language models (LLMs). LogLLM employs BERT for extracting semantic vectors from log messages, while utilizing Llama, a transformer decoder-based model, for classifying log sequences. Additionally, we introduce a projector to align the vector representation spaces of BERT and Llama, ensuring a cohesive understanding of log semantics. Unlike conventional methods that require log parsers to extract templates, LogLLM preprocesses log messages with regular expressions, streamlining the entire process. Our framework is trained through a novel three-stage procedure designed to enhance performance and adaptability. Experimental results across four public datasets demonstrate that LogLLM outperforms state-of-the-art methods. Even when handling unstable logs, it effectively captures the semantic meaning of log messages and detects anomalies accurately.
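The parser-free preprocessing described above can be sketched as follows. This is an added example, not code from the paper or its authors: the masking rules, the `<*>` placeholder, the block-ID session key and the sample log lines are all assumptions constructed for illustration.

```python
import re

MASK = "<*>"  # assumed placeholder token for variable fields
BLOCK_ID = re.compile(r"blk_-?\d+")

# Assumed masking rules, ordered most-specific first so that a general
# rule (bare integers) cannot split a structured value (IP:port, block ID).
RULES = [
    BLOCK_ID,                                            # HDFS-style block IDs
    re.compile(r"/?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?"),   # IPv4, optional port
    re.compile(r"\b0x[0-9a-fA-F]+\b"),                   # hex literals
    re.compile(r"(?<![\w.])\d+(?![\w.])"),               # standalone integers
]

# Constructed sample input in the style of HDFS DataNode logs.
SAMPLE = [
    "Receiving block blk_-1608999687919862906 src: /10.250.19.102:54106 dest: /10.250.19.102:50010",
    "Receiving block blk_7503483334202473044 src: /10.251.215.16:55695 dest: /10.251.215.16:50010",
    "PacketResponder 1 for block blk_-1608999687919862906 terminating",
    "Exception in receiveBlock for block blk_7503483334202473044 java.io.IOException: Connection reset by peer",
]


def normalize(message):
    """Mask variable fields so only the natural-language content remains."""
    for rule in RULES:
        message = rule.sub(MASK, message)
    return " ".join(message.split())  # collapse runs of whitespace


def to_sessions(lines):
    """Group normalized messages into sequences keyed by raw block ID.

    The key is read before masking; each resulting list is the kind of
    message sequence a sequence-level classifier would receive.
    """
    sessions = {}
    for line in lines:
        match = BLOCK_ID.search(line)
        key = match.group(0) if match else "no-session"
        sessions.setdefault(key, []).append(normalize(line))
    return sessions


if __name__ == "__main__":
    for key, messages in to_sessions(SAMPLE).items():
        print(key)
        for text in messages:
            print("   ", text)
```

No template dictionary is built here: a message with previously unseen wording still passes through `normalize` unchanged apart from its masked fields, which is what lets a semantic embedder handle unstable logs without a parser update.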

Paper Structure

This paper contains 28 sections, 4 equations, 4 figures, 6 tables.

Figures (4)

  • Figure 1: An example of a system log.
  • Figure 2: Illustrative examples of log message partitioning.
  • Figure 3: The framework of LogLLM. Notably, the model includes a single instance of BERT and the projector.
  • Figure 4: Impact of minority class oversampling.