A Theoretical Framework for Understanding the Relationship Between Log Parsing and Anomaly Detection

Donghwan Shin, Zanis Ali Khan, Domenico Bianculli, Lionel Briand

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Log-based anomaly detection identifies systems’ anomalous behaviors by analyzing system runtime information recorded in logs. While many approaches have been proposed, all of them have in common an essential pre-processing step called log parsing. This step is needed because automated log analysis requires structured input logs, whereas original logs contain semi-structured text printed by logging statements. Log parsing bridges this gap by converting the original logs into structured input logs fit for anomaly detection. Despite the intrinsic dependency between log parsing and anomaly detection, no existing work has investigated the impact of the “quality” of log parsing results on anomaly detection. In particular, the concept of “ideal” log parsing results with respect to anomaly detection has not been formalized yet. This makes it difficult to determine, upon obtaining inaccurate results from anomaly detection, if (and why) the root cause for such results lies in the log parsing step. In this short paper, we lay the theoretical foundations for defining the concept of “ideal” log parsing results for anomaly detection. Based on these foundations, we discuss practical implications regarding the identification and localization of root causes, when dealing with inaccurate anomaly detection, and the identification of irrelevant log messages.

Original language: English
Title of host publication: Runtime Verification - 21st International Conference, RV 2021, Proceedings
Editors: Lu Feng, Dana Fisman
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 277-287
Number of pages: 11
ISBN (Print): 9783030884932
Publication status: Published - 2021
Externally published: Yes
Event: 21st International Conference on Runtime Verification, RV 2021 - Virtual, Online
Duration: 11 Oct 2021 → 14 Oct 2021

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 12974 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 21st International Conference on Runtime Verification, RV 2021
City: Virtual, Online
Period: 11/10/21 → 14/10/21

Keywords

  • Anomaly detection
  • Log analysis
  • Log parsing
