On the Effectiveness of Log Representation for Log-based Anomaly Detection

TL;DR

This paper systematically compares six log representation techniques across multiple datasets and machine learning models to determine their impact on log-based anomaly detection performance, providing practical guidelines for selecting optimal methods.

Contribution

It offers a comprehensive evaluation of log representation techniques and their effects on anomaly detection, filling a gap in understanding their relative effectiveness.

Findings

Certain log representation techniques outperform others in specific datasets.

Log parsing and feature aggregation significantly influence detection accuracy.

Guidelines are provided for choosing suitable log representations in practice.

Abstract

Logs are an essential source of information for people to understand the running status of a software system. Due to the evolving modern software architecture and maintenance methods, more research efforts have been devoted to automated log analysis. In particular, machine learning (ML) has been widely used in log analysis tasks. In ML-based log analysis tasks, converting textual log data into numerical feature vectors is a critical and indispensable step. However, the impact of using different log representation techniques on the performance of the downstream models is not clear, which limits researchers and practitioners' opportunities of choosing the optimal log representation techniques in their automated log analysis workflows. Therefore, this work investigates and compares the commonly adopted log representation techniques from previous log analysis research. Particularly, we select six log representation techniques and evaluate them with seven ML models and four public log datasets (i.e., HDFS, BGL, Spirit and Thunderbird) in the context of log-based anomaly detection. We also examine the impacts of the log parsing process and the different feature aggregation approaches when they are employed with log representation techniques. From the experiments, we provide some heuristic guidelines for future researchers and developers to follow when designing an automated log analysis workflow. We believe our comprehensive comparison of log representation techniques can help researchers and practitioners better understand the characteristics of different log representation techniques and provide them with guidance for selecting the most suitable ones for their ML-based log analysis workflow.