LogLLM: Log-based Anomaly Detection Using Large Language Models

TL;DR

LogLLM introduces a novel framework leveraging large language models to improve log-based anomaly detection by capturing semantic information more effectively than traditional methods.

Contribution

The paper presents LogLLM, a new approach combining BERT and Llama models with a vector space alignment technique for improved anomaly detection in logs.

Findings

Outperforms state-of-the-art methods on four datasets.

Effectively detects anomalies in unstable logs.

Captures semantic meaning of log messages accurately.

Abstract

Software systems often record important runtime information in logs to help with troubleshooting. Log-based anomaly detection has become a key research area that aims to identify system issues through log data, ultimately enhancing the reliability of software systems. Traditional deep learning methods often struggle to capture the semantic information embedded in log data, which is typically organized in natural language. In this paper, we propose LogLLM, a log-based anomaly detection framework that leverages large language models (LLMs). LogLLM employs BERT for extracting semantic vectors from log messages, while utilizing Llama, a transformer decoder-based model, for classifying log sequences. Additionally, we introduce a projector to align the vector representation spaces of BERT and Llama, ensuring a cohesive understanding of log semantics. Unlike conventional methods that require log parsers to extract templates, LogLLM preprocesses log messages with regular expressions, streamlining the entire process. Our framework is trained through a novel three-stage procedure designed to enhance performance and adaptability. Experimental results across four public datasets demonstrate that LogLLM outperforms state-of-the-art methods. Even when handling unstable logs, it effectively captures the semantic meaning of log messages and detects anomalies accurately.