ECLIPSE: Semantic Entropy-LCS for Cross-Lingual Industrial Log Parsing

A lot of work has been proposed in the field of log parsing in recent years. In general, log parsing can be classified into four categories: frequent pattern mining, clustering, heuristics rules, and deep learning methods. 1) Frequent pattern mining: This category assumes that constants generally occur more frequently in log messages than variables. SLCT (Vaarandi, 2003) and LogCluster (Vaarandi and Pihelgas, 2015) mainly group logs into several clusters based on the frequency term of each log. Logram (Dai et al., 2020) uses frequent n-grams to separate constants and variables. 2) Clustering: This category usually clustering logs, then extracts templates from each cluster. LogMine (Hamooni et al., 2016) and SHISO (Mizutani, 2013) use hierarchical clustering to cluster logs and update the template. LKE (Fu et al., 2009) employs edit distance and k-means to cluster logs. LenMa (Shima, 2016) helps cluster logs based on length vector. LPV (** relation. Spell(Du and Li, 2016) regards log parsing as the LCS problem. Drain(He et al., 2017) utilizes length and prefix tokens to partition logs. Recently, Prefix-Graph(Chu et al., 2021) proposes that generate log templates form a prefix graph. 4) Deep Learning methods: In recent years, deep learning-based log parsing algorithms have emerged. For example, Nulog (Nedelkoski et al., 2021) uses a Transformer-based encoder layer to train a log parsing network. Uniparser (Liu et al., 2022) designs three modules and uses contrastive learning for log parsing. LogAP(Rand and Miranskyy, 2021) employs Machine Translation (MT) to perform parsing tasks. However, deep learning algorithms are usually inefficient and costly for training and inference. Therefore, it is still challenging to apply these methods in real scenarios.

With the rapid advances in language modeling (Guo et al., 2023b; Vaswani et al., 2017; Yang et al., 2020a; Shen et al., 2023; Zhang et al., 2024b; Wang et al., 2022; Bai et al., 2023; Yao et al., 2023; Shinn et al., 2023; Chi et al., 2020), and particularly the emergence of LLMs with Transformer-based architectures such as GPT-3.5, GPT-4 (OpenAI, 2023) and PaLM (Anil et al., 2023), Its excellent language understanding, generation, generalization, and reasoning capabilities greatly promote the integration of Natural Language Processor (NLP) and AIOps tasks. The integration of LLM with external databases and APIs further enhances its functionality(Chai et al., 2024; Guo et al., 2023b; Kojima et al., 2022; Wang et al., 2022), so that domain-specific knowledge can be more effectively integrated and continuously updated, especially when applied to the semantic analysis of logs, which greatly improves the accuracy of log parsing and anomaly detection (Rozière et al., 2023; Zhang et al., 2024a; Guo et al., 2023a). In addition, Retrieval Augmented Generation technology enables LLM to have the ability to access external knowledge sources, even when faced with more complex and knowledge-intensive tasks, generating answers that are more factual, specific, and diverse(Lewis et al., 2021; Bai et al., 2023; Yao et al., 2023). In our work, Using LLM to reorder the representation vector of log keywords to highlight the most relevant results, and then with the powerful background knowledge of LLM, the most credible template matching length is selected for the result sequence, which effectively reduces the number of templates that need to be matched in the current input log and realizes the dual purpose of information retrieval enhancer and filter. Provide refined inputs for more accurate log parsing algorithms.

The quantity level of industrial logs exceeds that of public data by one order of magnitude, and the resulting number of log templates is also relatively large. Illustrated in Table 1, we analyzed the official website and source code of open-source software and found that the number of log templates exceeded 6000. At the same time, the reason for the small number of log templates in the public dataset Loghub is that it comes from sampling, and in non-sampling situations, its log templates will also be equally large.

The time complexity of a cluster-based algorithm is typically represented as $O(mn)$ or $O(mlog(n))$, where $m$ denotes the data size and $n$ denotes the number of clusters. In log parsing, the number of clusters is the number of templates. Therefore, it is essential to consider the impact of the number of log templates for log parsing.

Many algorithms assume that logs belonging to the same template must have the same length, but this is not always the case in complex industrial logs, especially those with complex nested objects like JSON, XML, etc (Yang et al., 2019, 2020c, 2020b). Illustrated in Figure 2, $Log1$ and $Log2$ are printed by the same code, in other words, they belong to the same template. However, their lengths vary a lot due to the significant differences in the field named ”BUSI_INFO” of JSON objects. This happens very frequently, but most algorithms don’t have the ability to handle this issue because they regard the same log length as a prerequisite for logs to belong to the same template, like Drain(He et al., 2017), IPLOM(Makanju et al., 2009), Lenma(Shima, 2016), and so on.

We are glad to see Drain+(Fu et al., 2022) has also realized this issue, and to address it, Drain+ first uses Drain(He et al., 2017) to generate a series of templates and then merges them by comparing their Jaccard Similarity. However, the flaw of this approach is that Jaccard similarity only considers the number of identical tokens between two logs but ignores the order and position of identical tokens. So templates with similar tokens but different orders of tokens may be merged by it, just as illustrated in Figure 3. The two templates both have tokens ”backup”, ”not” and ”found”, but their orders are totally different, which may cause a big problem in extracting parameters from the log. This type of problem appears more in more non-standard logs and more in Chinese, Japanese, Korean, or other languages with more flexible syntax than English.

In addition to these two main issues that may significantly impact log parsing, most algorithms also often neglect the semantic differences between logs with similar characters. Logs reflect system behavior, and some events in the system are closely related. Therefore, developers often write similar-looking logs to maintain consistency. To illustrate this point, we take MySQL error logs as an example. We found three log templates that look very similar on the official website. In Figure 4, these three templates describe three totally different operations performed on the Unix socket lock file. However, in the data-driven algorithm, they are likely to be considered as one template. Similar situations can also occur when describing the same operations on different objects and so on. We analyzed the templates of MySQL error logs with error numbers MY-010000 to MY-010100 and found that around one-fifth of the templates have similar counterparts, which shows this is also a widespread problem.

Fig 5 illustrates how ECLIPSE uses a dynamic dictionary structure to store templates of previously seen logs. This structure takes log semantic keywords as keys and each key maps to a value containing a list of templates and a Faiss index. Our algorithm operates and starts with an empty dictionary. When a new log is coming, ECLIPSE takes five steps to identify the most suitable template: 1) Preprocess the log. 2) Extract the semantic keywords from the log, and take the log semantic keywords as the key to retrieve log templates and a Faiss index in the dynamic dictionary. 3) Utilize the corresponding Faiss index to recall k-nearest-neighbor templates. 4) Using Entropy-LCS to match the log to k-nearest-neighbor templates to choose the most suitable candidate. 5) Update the corresponding log templates and Faiss index.

When a new log $l_{i}$ arrives, ECLIPSE preprocesses it before template searching. Previous work has proved that preprocessing can effectively improve parsing accuracy. So in our algorithm, we also use some simple regex rules to replace some special objects with tags before template searching. Special objects include IP, URL, time, and so on. For example, in Fig 5, we replace ”198.1.1.1” with tag ”$<$ip$>$”. After replacing, ECLIPSE adopts some simple delimiters like space and colon to split logs into a token sequence $s_{i}$.

As mentioned previously, most algorithms have ignored the semantic differences between similar logs, we also gave an example in Fig 4 to explain. However, almost all semantic-based semantic algorithms have efficiency problems, and they may not be able to solve the problem shown in Fig 4.

To balance efficiency and effect, we adopt a compromise plan. Firstly, we use LLM to process our collected logs and identify the most commonly used and important words and expressions through a keyword extraction mission. In Figure 5, when the keyword library contains ”access”, ”denied” ”open” and ”close”, ECLIPSE will extract the keywords ”Access denied” from the log ”Access denied for user ‘root’. IP: $<$ip$>$” as its log abstract. Then, we construct a special dynamic dictionary by using semantic keywords as keys and the corresponding log templates as values.

Faiss is an open-source tool to retrieve the most similar neighbor vector efficiently from Meta, which is competent in handling efficiency issues for a huge volume of templates in industrial logs. We need to embed logs into vectors first.

However, logs are hard to be embedded as there are too many unseen tokens in logs like tokens containing digits (e.g., ”GIF534_234”), Camel-Case words (e.g., ”LogAnomalyDetection”), or some other special symbols (e.g., ”\etc\wfs\”), which cause out-of-vocabulary (OOV) problem easily. Based on investigation, we found that logs of the same template tend to have similar punctuation distribution, while logs of different templates tend to have different punctuation distribution. So we decide to utilize char-level embedding to encode logs into punctuation vectors. As shown in Fig 6, the vector has a dimension of m+1, where m denotes the number of selected punctuation features. The size of the first m dimensions of the vector reflects the number of occurrences of the corresponding punctuation in the log, while the last dimension of the vector represents the length of the log string. In ECLIPSE, we select the 39 most commonly used punctuation as punctuation features.

Before calling Faiss, we use LLM to generate punctuation vectors, and by setting prompt statements, LLM determines the number $K$ of candidate templates for Faiss in advance according to massive background knowledge and generates a ranking of candidate templates according to the semantic similarity of vector contexts. After LLM encodes log $l_{i}$ into a punctuation vector $v_{i}$, the vectors are normalized to have a mean of 0 and variance of 1. This ensures that the importance of each dimension is measured on the same scale. Next, ECLIPSE uses Faiss to recall the $k$-nearest-neighbor templates for log vector $v_{i}$. Only these templates need to be considered for future similarity calculations.

Only one of the $k$-nearest-neighbor templates will be a candidate in the recall process. We chose Entropy-LCS, an information entropy-improved LCS to choose the most suitable template as the candidate. We calculate the longest common subsequence $\gamma$ in $k$-nearest-neighbor templates $T$, which may either be non-empty or empty. Subsequently, For each $t$ in $T$, we compare it with the LCS $\gamma$ and record the location of the token that is not the same. Then, we calculate the information entropy by $E(x)=-\sum_{i}p(x_{i})\log p(x_{i})$ for these position in $t^{\prime}$. Following this, an exhaustive analysis is conducted over the positions of all divergent tokens, during which the information entropy and the list of tokens at these positions are calculated for all logs. The process of finding variables is the following:

where $V$ donates variation point determination, The calculation of entropy $H$ is based on the distribution of tokens occurring at a specific position. $T$ is the set of tokens at a specific position. $f(t)$ is the frequency of token $t$ in all logs. $N$ is the total number of logs. $\theta$ is the threshold value. The decision for variables is $Yes$ if the calculated entropy exceeds the threshold $\theta$, otherwise $No$.

If the most suitable template is returned by section 4.5, ECLIPSE will update the corresponding template in the template list. Tokens that are not present in the Entropy-LCS will be replaced by a special symbol (e.g., “$<$*$>$”) in the updated template.

In case section 4.5 does not return a suitable template, ECLIPSE will consider the log as a new template and save it in the dynamic dictionary with the log abstract extracted from section 4.3 as an index. Additionally, the vector obtained from section 4.4 will be added to the Faiss index associated with this new template.

To verify the effectiveness and efficiency of ECLIPSE, we conduct extensive experiments on both loghub and ECLIPSE-Bench, aiming to answer the following questions:

RQ1: How effective is ECLIPSE on public Loghub and our ECLIPSE-Bench?

RQ2: How efficient Is ECLIPSE with the change of log and template volume?

RQ3: How does ECLIPSE perform without LLM and Faiss to retrieve and recall by constructing the special dynamic dictionary?

RQ4: How do we set suitable hyperparameters in recall and E-LCS process affect the performance of ECLIPSE?

In our experiments, we set up a Virtual Machine (VM) with 64 Intel Core I5 CPU @ 2.0GHz processors and 16GB RAM. The operating system is Ubuntu-20.04. For strong keyword representation, cross-linguistic understanding, and cross-semantic comprehension of LLM, we choose ChatGPT-4 as the base of ECLIPSE. There are three hyperparameters provided for adjustment in ECLIPSE-Bench: the number of the nearest neighbor templates $k$ is set to $5$, the recall threshold $\tau$ is set to $0.5$, and the matching threshold $\theta$ is set to $4.5$. These default values remain consistent in most experiments. Using these default parameters, ECLIPSE achieves high accuracy and reliability across various datasets.

ECLIPSE is evaluated on the public LogHub and the industrial dataset ECLIPSE-Bench collected by us. LogHub contains 16 public datasets. The data from LogHub are collected from common open-source components, such as Spark, Zookeeper, and Apache. For each log source, 2000 logs are sampled and labeled manually. As for ECLIPSE-Bench, the data was collected from actual business scenarios in the fields of finance, communication, and manufacturing, spanning over 30 days, with over 300000 logs per domain, ranging from mixed logs across languages to single language logs. We have presented a summary of our industrial datasets ECLIPSE-Bench and public Loghub datasets in Table 3 and Table 2, respectively.

As for baselines, We choose Drain(He et al., 2017), IPLOM(Makanju et al., 2009), and Spell(Du and Li, 2016) as our baselines. They work well on the LogHub. To quantify the effectiveness of ECLIPSE, we leverage F-measure and Group Accuracy (GA) consistent with prior studies(He et al., 2017; Makanju et al., 2009; Du and Li, 2016). F-measure is a template-level metric that focuses on the ratio of correctly grouped templates and GA is computed as the ratio of correctly grouped log messages to the total count of log messages. Specifically, We also measure the execution time in seconds and compare ECLIPSE with other parsers in terms of efficiency.

To measure the efficiency of our proposed approach, we compare the execution time of ECLIPSE with the baselines as the number of logs and templates varies. Since LogHub does not have a large scale of templates, the data for the experiment are randomly sampled from the LogHub and ECLIPSE-Bench. For fairness, we utilize only a single executor and run each log parser five times for the average execution time.

For the execution time comparison on the number of logs, we measure the execution time of each parser under the different scales $\{3000,30000,300000\}$ of log data in Figure 8. Results demonstrate that ECLIPSE achieves the lowest time consumption regardless of the log volume. Besides, as logs grow, ECLIPSE becomes more efficient compared to baselines. Especially when the number of logs reaches $300000$, ECLIPSE takes almost half the execution time of Spell. In Figure 7, the number of logs remains unchanged $(100000)$. Thus we conduct experiments under the different numbers $\{3,30,300,3000\}$ of log templates. When the number of templates is small, ECLIPSE is not as efficient as baselines. However, as the number of templates rises to a specific order of magnitude, ECLIPSE shows a significant advantage in efficiency. Both experiments demonstrate that ECLIPSE is far more efficient in industrial scenarios, especially when more log templates and larger log volumes.

In this section, we conduct an ablation experiment to investigate the effectiveness and efficiency of LLM and Faiss in ECLIPSE. To verify this, we compare ECLIPSE with three variants of ECLIPSE: 1) ECLIPSE w/o LF (ECLIPSE without LLM and Faiss); 2) ECLIPSE w/o L (ECLIPSE without LLM); 3) ECLIPSE w/o F (ECLIPSE without Faiss).

In this section, we discuss the effect of three parameters: the number of the nearest neighbor templates $k$, the recall threshold $\tau$, and the matching threshold $\theta$. All experiments are conducted on Manufacturing, which is the subset of ECLIPSE-Bench.

For the validation of parameter $k$, we set three variables $\{5,10,15\}$ and keep the other parameters constant. The results in Table 6 show that the performance is less affected by the changes of $k$. As the parameter values become larger, the performance decreases a little, which demonstrates the robustness of the model.

For the validation of $\tau$, we set three variables $\{0.1,0.5,0.9\}$ and keep the other parameters constant. The results prove that the model is more sensitive to $\tau$. As the value of $\tau$ becomes larger, the performance is first superior and then inferior. Our optimal experimental setting is 0.5 for $\tau$. For $\theta$, we set five variables $\{3.5,4.0,4.5,5.0,\\ 5.5\}$ and keep the other parameters constant. The results show that the model is less influenced by the $\theta$. As the $\theta$ becomes larger, the performance increases and then decreases. Our best setting is 0.6 for $\theta$.