Demystifying the Logs

Bernard Chan
RaceCapital
Published in
4 min readSep 22, 2023
(prompt: A magician demystifying a bunch of small raw byte, transactional log data (json, xml,csv format) in front of a computer)

Log analysis is crucial for maintaining robust systems and troubleshooting purposes, particularly in the context of cloud computing and big data systems. However, as software scales, the volume of logs generated increases exponentially. These logs are indispensable for aiding developers and site reliability engineers in comprehending their system’s behavior and carrying out diagnostic tasks like failure prediction and diagnosis more effectively.

Nevertheless, manual analysis can be exceedingly challenging and time-consuming, given that log data can vary in structure, depending on how it is generated by the logging system, application, or device.

Some of the different characteristics of log data:

Although log data is not as structured as traditional relational data, it does have a recognizable format. Log parsing is often an important initial step in converting free-text raw log messages into a stream of structured events. Different techniques, such as clustering and frequent pattern mining, have been used to automatically distinguish the constant and variable parts of log messages.

Large Language Models (LLMs) like GPT-4 and BERT have demonstrated exceptional learning capabilities, enabling them to generate high-quality summaries and long-form text, even when trained with limited labeled data.

These powerful models have the capacity to revolutionize log data analysis by automatically extracting valuable insights and patterns from the often unstructured and voluminous log files generated by complex systems. With their ability to understand context, discern anomalies, and identify recurring issues, LLMs can significantly streamline the process of troubleshooting and system monitoring.

We are extremely enthusiastic about the potential of harnessing LLMs to demystify log data.

Some ideas we are excited about:

LLMs for Log parsing

Large Language Models (LLMs), including existing models like GPT-3 and GPT-4, can play a vital role in the log parsing process. They achieve this by abstracting dynamic variables within logs, utilizing clever prompting techniques in few-shot scenarios. Research conducted by the University of Newcastle, Australia, has demonstrated promising results using this approach.

(example Prompt template for a few-shot example from University of Newcastle’s research)

However, the study revealed that when dealing with log-specific information generated during runtime (such as domain URLs or API endpoint addresses), certain challenges persist in the log parsing process. We anticipate further research and development efforts aimed at addressing these difficulties, particularly in the realm of handling log-specific runtime data and achieving semantic-aware log parsing ( identification of variable categories based on semantic context) (Source)

Pretrained Log LLM Models

Models, whether trained from scratch or through the tuning of pre-existing language models using large volumes of diverse log data, have the potential to serve as a solid foundational infrastructure for other observability and monitoring applications to incorporate into their core product offerings. One noteworthy example is BERTOps, an early pioneering research initiative undertaken by IBM. BERTOps leverages Bert-Base as its foundational model (for domain-specific tokens and formats) and subsequently fine-tunes it with log analysis tasks, such as log format detection and fault category prediction. (Source)

However, such training can be impractical and costly due to the scarcity in computing resources and labeled data. We hope to continue to see more open-source attempts with public training datasets available so startups/scaleups can fine-tune to their specific needs with their proprietary log data.

Self healing systems

Imagine a self-healing system that automatically infers actions and makes changes based on alerts and logs without requiring additional code changes or human intervention.

Self-diagnosis and reporting is carried out when an issue is detected, and automatically notifies the developers and generates a diagnostic report.

Beyond just monitoring the activity of resource utilization (with the likes of AWS Cloudtrail), all of the log files retrieved from an autoscaling API (i.e. which requests were made, the source IP addresses where the requests came from, who made the request, when the request was made) and can be used to automatically adjust capacity: adding or removing instances or moving to a new instance type to optimize for cost and improve the performance of workloads.

Furthermore, health checks on third party APIs or services should also be monitored regularly. In the event of failures and unresponsiveness, automated retries will be implemented without human intervention.If all else fails, it would failover to an alternative solution. (The self healing system idea is inspired by a Github post from mwestwood further elaborated here)

To implement an effective self-healing system, log analysis tools will play a crucial role. This might require a monumental and ambitious effort of redesigning the end to end monitoring and observability platform from scratch (continuous monitoring systems, automation scripts, testing and orchestration tools, deep integrations with cloud services for resource management) with log analysis and management at its core.

Current Log Management landscape

(*non exhaustive list of current log management software)

Please reach out to deals@race.capital if you are building something in this area and would also like to be included in the log management market map.

--

--