LogLLaMA: Transformer-based log anomaly detection with LLaMA

Zhuoyi Yang, Ian G. Harris

TL;DR

LogLLaMA tackles log anomaly detection by adapting a transformer-based foundation model (LLaMA2) to system logs. It preprocesses logs with the Drain parser into log keys, fine-tunes on normal sequences, and applies reinforcement learning with Top-K sampling and entropy bonuses to detect anomalies. Across BGL, Thunderbird, and HDFS, it achieves state-of-the-art F1 scores, with ablation confirming the RL component strengthens performance. The approach demonstrates the value of tailoring LLMs to structured log data and integrating policy-gradient RL for robust, scalable anomaly detection in large-scale systems.

Abstract

Log anomaly detection is the task of distinguishing anomalous log messages from normal log messages. Transformer-based large language models (LLMs) are becoming popular for log anomaly detection because of their superb ability to understand complex and long language patterns. In this paper, we propose LogLLaMA, a novel framework that leverages LLaMA2. LogLLaMA is first finetuned on normal log messages from three large-scale datasets to learn their patterns. After finetuning, the model is capable of generating successive log messages given previous log messages. Our generative model is further trained to identify anomalous log messages using reinforcement learning (RL). The experimental results show that LogLLaMA outperforms the state-of-the-art approaches for anomaly detection on BGL, Thunderbird, and HDFS datasets.

Paper Structure

This paper contains 11 sections, 7 equations, 5 figures, 1 table.

Figures (5)

  • Figure 1: Module 1: Log message preprocessing
  • Figure 2: Module 2: Model finetuning
  • Figure 3: Module 3: Anomaly detection with RL
  • Figure 4: An example of log messages, log templates, and log keys on BGL dataset. The variants are stripped off by the log parser
  • Figure 5: Top-K Selection
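
The pipeline summarized in the abstract and in Figures 4 and 5 (messages reduced to log keys, a model trained only on normal sequences, Top-K selection over predicted next keys) can be sketched as follows. This is an added example, not code from the paper: regex masking stands in for the Drain parser, a count-based next-key predictor stands in for the finetuned LLaMA2 and its RL stage, and the Top-K rule shown (flag a key that is not among the K most likely successors) is an assumption about how the selection is applied. All names and the sample messages are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Variable fields to mask: IPv4[:port], HDFS-style block ids, bare integers.
MASKS = [r"\b\d+\.\d+\.\d+\.\d+(:\d+)?\b", r"\bblk_-?\d+\b", r"\b\d+\b"]

def to_template(message):
    """Regex masking as a simplified stand-in for the Drain parser."""
    for pattern in MASKS:
        message = re.sub(pattern, "<*>", message)
    return message

class TopKDetector:
    """Count-based next-key predictor standing in for the finetuned LLaMA2."""
    def __init__(self, window=2, k=2):
        self.window, self.k = window, k
        self.keys = {}                           # template -> integer log key
        self.following = defaultdict(Counter)    # context keys -> next-key counts

    def key_of(self, message, learn=False):
        template = to_template(message)
        if learn:
            self.keys.setdefault(template, len(self.keys))
        return self.keys.get(template, -1)       # -1: template unseen in training

    def fit(self, normal_sessions):
        for session in normal_sessions:
            keys = [self.key_of(m, learn=True) for m in session]
            for i in range(self.window, len(keys)):
                self.following[tuple(keys[i - self.window:i])][keys[i]] += 1
        return self

    def anomalies(self, session):
        """Indices whose log key is unseen or outside the Top-K for its context."""
        keys = [self.key_of(m) for m in session]
        flagged = [i for i in range(min(self.window, len(keys))) if keys[i] == -1]
        for i in range(self.window, len(keys)):
            counts = self.following.get(tuple(keys[i - self.window:i]), Counter())
            if keys[i] not in [key for key, _ in counts.most_common(self.k)]:
                flagged.append(i)
        return flagged

# Constructed HDFS-style messages (not taken from the paper's datasets).
RECV = "Receiving block blk_{b} src: /10.0.0.{b}:5000 dest: /10.0.0.9:50010"
DONE = "Received block blk_{b} of size 67108864 from /10.0.0.{b}"
TERM = "PacketResponder 1 for block blk_{b} terminating"
DEL = "Deleting block blk_{b} file /data/blk_{b}"
def make(blk, *steps):
    return [s.format(b=blk) for s in steps]

NORMAL = [make(b, RECV, DONE, TERM) for b in (1, 2, 3)] + [make(4, RECV, DONE, DEL)]
```

With `k=1` the rare but normal `DEL` continuation is flagged, while `k=2` accepts it: K trades false positives against missed anomalies.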