AutoLog: A Log Sequence Synthesis Framework for Anomaly Detection

TL;DR

AutoLog is an automated framework that synthesizes high-quality, diverse log sequences for anomaly detection, overcoming data scarcity and scalability issues in existing log datasets, thereby aiding research and industry applications.

Contribution

AutoLog introduces the first automated method for generating realistic log sequences without system execution, enhancing dataset quality and scalability for anomaly detection research.

Findings

AutoLog produces 9x-58x more log events than existing datasets.

AutoLog generates logs 15x faster than passive collection methods.

AutoLog effectively supports benchmarking and development of log analysis techniques.

Abstract

The rapid progress of modern computing systems has led to a growing interest in informative run-time logs. Various log-based anomaly detection techniques have been proposed to ensure software reliability. However, their implementation in the industry has been limited due to the lack of high-quality public log resources as training datasets. While some log datasets are available for anomaly detection, they suffer from limitations in (1) comprehensiveness of log events; (2) scalability over diverse systems; and (3) flexibility of log utility. To address these limitations, we propose AutoLog, the first automated log generation methodology for anomaly detection. AutoLog uses program analysis to generate run-time log sequences without actually running the system. AutoLog starts with probing comprehensive logging statements associated with the call graphs of an application. Then, it constructs execution graphs for each method after pruning the call graphs to find log-related execution paths in a scalable manner. Finally, AutoLog propagates the anomaly label to each acquired execution path based on human knowledge. It generates flexible log sequences by walking along the log execution paths with controllable parameters. Experiments on 50 popular Java projects show that AutoLog acquires significantly more (9x-58x) log events than existing log datasets from the same system, and generates log messages much faster (15x) with a single machine than existing passive data collection approaches. We hope AutoLog can facilitate the benchmarking and adoption of automated log analysis techniques.