LLMLogAnalyzer: A Clustering-Based Log Analysis Chatbot using Large Language Models
Peng Cai, Reza Ryan, and Nickson M. Karie

TL;DR
LLMLogAnalyzer is a novel clustering-based chatbot that enhances log analysis by leveraging large language models and machine learning, significantly improving accuracy, robustness, and usability across diverse cybersecurity log tasks.
Contribution
This paper introduces a modular framework combining LLMs and ML algorithms to address log analysis challenges, outperforming existing chatbots in accuracy and robustness.
Findings
Achieves 39-68% performance improvements over state-of-the-art chatbots
Reduces result variability by 93% in ROUGE-1 scores
Effective across four domain-specific log datasets
Abstract
System logs are a cornerstone of cybersecurity, supporting proactive breach prevention and post-incident investigations. However, analyzing vast amounts of diverse log data remains significantly challenging, as high costs, lack of in-house expertise, and time constraints make even basic analysis difficult for many organizations. This study introduces LLMLogAnalyzer, a clustering-based log analysis chatbot that leverages Large Language Models (LLMs) and Machine Learning (ML) algorithms to simplify and streamline log analysis processes. This innovative approach addresses key LLM limitations, including context window constraints and poor structured text handling capabilities, enabling more effective summarization, pattern extraction, and anomaly detection tasks. LLMLogAnalyzer is evaluated across four distinct domain logs and various tasks. Results demonstrate significant performance…
