LogPrompt: A Log-based Anomaly Detection
Framework Using Prompts
Ting Zhang1 , Xin Huang2,∗ , Wen Zhao3 , Shaohuang Bian4 , Peng Du1
1
School of Software and Microelectronics, Peking University, Beijing, China
2
School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China
3
National Engineering Research Center for Software Engineering, Peking University, Beijing, China
4
College of Information and Electrical Engineering, China Agricultural University, Beijing, China
{zhangting2019, zhaowen, pdu}@pku.edu.cn,
[email protected]
,
[email protected]
Abstract—Log data are widely used in anomaly detection tasks
of software system. At present, log anomaly detection methods
2023 International Joint Conference on Neural Networks (IJCNN) | 978-1-6654-8867-9/23/$31.00 ©2023 IEEE | DOI: 10.1109/IJCNN54540.2023.10191948
based on deep learning have greatly progressed. However, the
existing methods have the following limitations: (1) Logs are at
large scale but labeled logs are rare, so training a detection
model that requires a number of labeled log data from scratch is
costly and impractical; (2) Log anomaly detection tasks usually
need to comprehensively consider the semantic and sequential
information in logs, but most of the current log anomaly detection
frameworks only build models from either aspect; (3) Normal
and abnormal logs are imbalanced in real world, which seriously
reduces the detection recalls. This paper proposes a log anomaly
detection framework called LogPrompt to solve the problems
mentioned above. LogPrompt leverages prompts to guide the
pretrained language model (PLM) to better learn the semantic
and sequential information of logs, and avoids training a model
from scratch. Even with few training data, the model achieves
good detection performance. Moreover, it uses focal loss instead of
cross entropy loss to guide the model optimization during training
stage, for alleviating the class imbalance problem. Experiments
show that LogPrompt can detect log anomalies more effectively
and efficiently by prompts, and it can significantly improve the
recalls and F1 scores.
Index Terms—anomaly detection, pre-trained language model,
prompt tuning
I. I NTRODUCTION
The development of modern networks have increased the re-
quirement for the real-time property and accuracy of anomaly
detection technology. Log data are closely related to network
security and big data. Software systems usually record op-
eration and status information by printing console logs. A
complex software system may generate many logs. When
anomaly occurs, log data can help operation and maintenance
(O&M) personnel discover system failure in time. Therefore,
log data are widely used in log anomaly detection task.
Traditional log data analysis and anomaly detection are
performed manually by O&M personnel on the basis of
their professional knowledge. However, manual log analysis
cannot meet current requirements because of massive and
unstructured system log data. Therefore, log anomaly detection
based on deep learning has become an important research
trend. However, log anomaly detection tasks need to consider
the following issues:
* Corresponding author.
Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.
(1) Learning from the whole labeled log data requires
tremendous resources because of its large amount [1]. There-
fore, a model suitable for training with few data is needed.
(2) Log anomaly detection task usually needs to compre-
hensively consider the semantic and sequence information that
reflect the point and conditional anomalies of logs, respectively
[1]. However, most of the current log anomaly detection
frameworks only build models from either aspect.
(3) Normal and abnormal logs are imbalanced [1], that is,
normal logs are often the majority, while abnormal logs are the
minority. Unbalanced data distribution makes model training
biased to most classes (i.e., normal logs), which negatively
affects the model.
To address the aforementioned problems, this paper pro-
poses a log anomaly detection framework called LogPrompt
based on prompt tuning. It aims to solve the current problems
of log anomaly detection task. LogPrompt mainly consists of
five stages: (1) log preprocessing, including log parsing and
grouping; (2) prompt and verbalizer construction; (3) semantic,
sequential, and prompt embeddings; (4) prompt-based tuning
on PLM, and using focal loss to alleviate log imbalance
problem; (5) log anomaly detection based on prompt-tuned
PLM.
The contributions of this paper are as follows:
• We propose a novel anomaly detection framework named
LogPrompt, which leverages prompts to enable the PLM
to learn more about the representations of logs. Com-
pared with training a model from scratch, PLM provides
good parameter initialization, which can reduce resource
consumption. Even with few training data, LogPrompt
achieves good detection performance.
• Semantic and sequential tokens are comprehensively
considered and embedded to help PLM effectively and
efficiently detect point and conditional anomalies.
• Focal loss is used to replace cross entropy loss, which
alleviates the class imbalance of real-world log data.
Thus, the evaluation metrics are improved.
II. R ELATED W ORK
A. Deep Learning-based Log Anomaly Detection
Du et al. [2] proposed DeepLog, which leverages long short-
term memory (LSTM) to capture the execution sequence of
normal logs in training stage, then determine whether the log
sequences are abnormal in anomaly detection stage.
Weibin Meng et al. [3] proposed LogAnomaly, which also
uses LSTM model. They also proposed a word embedding
method called Template2Vec that considers synonym and
antonym information. They aimed to learn semantic similarity
between log keywords and templates, and to solve the online
learning problem of new templates.
Xu Zhang et al. [4] proposed LogRobust, which extracts
the semantic information of log events and represents it as
a semantic vector. They use an attention-based bidirectional
LSTM (Bi-LSTM) model to capture contextual information in
log sequences and automatically learn the representations of
different log events. Thus, LogRobust can identify and handle
unstable log events and sequences.
At present, large-scale language models are widely used in
the field of natural language processing (NLP), and they show
good performance in various NLP tasks. Jacob Devlin et al.
[5] proposed BERT in 2017, which is based on bidirectional
Transformer encoder for pre-training. Inspired by BERT, Haix-
uan Guo et al [6] proposed LogBERT based on BERT, which
captures the sequential information by learning from normal
log sequences.
B. Pre-trained Language Model
Pre-trained language model learns from some general tasks
and changes the weights of some parameters in the model, and
then transfers the model to other downstream tasks for further
learning, so that it can further adapt to downstream tasks.
A great number of studies have shown that language mod-
els pre-trained on large corpora can learn general language
representations and provide better model initialization of pa-
rameters, which not only improves the generalization ability
of models, but also speeds up the convergence of target task.
In addition, pre-training saves a lot of resources by avoiding
training a new model from scratch.
BERT [5] is a widely used pre-trained language model, it
utilizes the mask language model (MLM), which predicts the
masked tokens in a sentence based on Transformer encoder.
RoBERTa [7] and ALBERT [8] are the improvements of
BERT. RoBERTa mainly changes static mask to dynamic
mask. ALBERT compresses the model size and reduces the
number of parameters through cross-layer parameter sharing
and factorized embedding parameterization.
C. Prompt Tuning
PLMs are usually pre-trained on large corpora, but the se-
mantics in logs may differ greatly from those in the pre-trained
tasks because of their diverse training objectives. Prompt
tuning [9] is a method to adapt downstream tasks to the PLM.
The PLM can better understand the log anomaly detection task
through prompt tuning. Moreover, prompt tuning is suitable for
few-shot learning which can significantly improve the learning
capabilities for machine intelligence and practical adaptive
applications by accessing only a small number of labeled
examples [10].
Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.
Prompt tuning mainly includes three processes: prompt
engineering, answer searching and answer mapping. Template
engineering refers to the process of designing prompt tem-
plates, which can help PLMs ”recall” what they ”learned”
during pre-training. It is a technical approach to activate the
knowledge of PLMs. Prompt templates mainly include discrete
templates (e.g., PET [11]) and continuous templates (e.g., P-
tuning [12]), both of which contain a [M SK] token. Answer
searching refers to searching the token that involves in the
vocabularies of PLM with the highest probability of corre-
sponding [M SK] in the prompt template; answer mapping
maps the prediction of [M SK] into label, which is normal or
anomaly in log anomaly detection task. The mapping function
is also called verbalizer. Thus, the process of answer mapping
is also called verbalizing.
III. D EFINITIONS AND TASK D ESCRIPTION
A. Definitions
1) Log: A log is also called a log entry, which is typically
printed to a console or file by log print statements in programs.
Most logs contain information such as timestamp, log level,
and log content. Log content consists of constants and vari-
ables. The content printed by the same print statement is the
same. The variable is also called parameter, and it reflects the
variable information of the running system. Under different
states or activities, the variable may be different. In general,
log content is simply referred to as log. If the log content is
segmented by certain delimiters (e.g., blank space), then each
element obtained is called a token. The log length usually
refers to the number of tokens. We can represent a log as:
L = {t1 , t2 , . . . , tm } (1)
where L represents a log, ti represents the i-th token, and m
represents the log length.
2) Log sequence: A log sequence is usually composed of
logs in chronological order. The length of a log sequence
usually refers to the number of log entries contained in a log
sequence. Therefore, we can represent a log sequence as:
SL = {L1 , L2 , . . . , Ln } (2)
where SL represents a log sequence, Li represents the i-th
log, and n represents the length of the log sequence.
B. Task Description
Given a log sequence SL = {L1 , L2 , . . . , Ln }, we hope to
detect whether the log sequence reflects point anomalies or
conditional anomalies that occur in the system. Specifically, a
point anomaly refers to existing Li ∈ L, and Li can indicate
that the system occurs an anomaly. A conditional anomaly
refers to existing SL′ = {Li , Li+1 , . . . } ⊆ SL , and SL′ can
indicate that the system occurs an anomaly. The objective
of log anomaly detection task is to detect whether anomalies
occurs in the running system by analyzing logs.
 Verbalizer
(5) Log anomaly
(4) Prompt-based test detection
tuning on PLM size
Normal Normal
running
Focal Loss error Anomaly
Verbalizing
failure

(2) Verbalizer construction

Pre-trained Language Model (e.g., BERT, RoBERTa, ALBERT) test

Semantic Embedding
Sequential Embedding
Template Embedding [CLS] semantic Receiving ... allocateBlock sequential bbb51b95 3d91fa85 it is [MSK]

(3) Semantic, sequential,

and prompt embeddings
Log Semantic Tokens Prompt
Log Sequential Tokens
{"Receiving", "block", "src", "dest", {"semantic", <SEM>, "sequential",
{"bbb51b95", "3d91fa85"}
"NameSystem", "allocateBlock"} <SEQ>, "it", "is", [MSK]}

(2) Prompt construction Choose ①

Prompt Repository
Tokenizer Templates
① semantic <SEM> sequential <SEQ> it is [MSK]
② <SEM> <SEQ> it is [MSK]
③ <SEM> <SEQ> normal or anomaly ? [MSK]
④ <SEM> <SEQ> h[PRO] h[PRO] [MSK]
(1) Log preprocessing Structured Label words
Logs Anomaly: error, failure
Normal: test, size

Fig. 1. Workflow of LogPrompt

IV. L OG P ROMPT 1) Template: A template can be represented as:

In this section, we propose a log anomaly detection frame-
work called LogPrompt based on prompt tuning. The pipeline
of LogPrompt includes five steps: (1) log preprocessing; (2)
prompt and verbalizer construction; (3) semantic, sequential
and prompt embeddings; (4) tuning PLM based on prompts;
(5) log anomaly detection. The workflow of LogPrompt is
shown in Fig.1.
A. Log Preprocessing
In log preprocessing stage, raw logs are sent to a log
parser (e.g., Spell and Drain) to obtain structured logs. Log-
Prompt integrates Spell [13] and Drain [14] log parsers, which
parse logs through longest common subsequence and FT-Tree,
respectively. In structured logs, variables are replaced with
”< ∗ >”. Variables and special symbols (e.g., ”/” and ”$”) can
be ignored in log semantic sequences, so they are removed
from the semantic sequences. LogPrompt also deduplicates
tokens in semantic sequences because of the excessive long log
sequences. When a token is repeated for several times, only
the token that appears for the first time is retained, which also
ensures that the order of semantic sequences is appropriate. In
the case of log execution sequences, the complete execution
sequences are retained without any processing.
B. Prompt and Verbalizer Construction
Prompts are used for tuning PLM. Thus, the construction
of prompts is critical. A typical prompt consists of two parts:
a template and a set of label words.
T = {[P RO]1 , ..., <SEM >, [P RO]i ,
(3)
..., <SEQ>, [P RO]j , ..., [M SK]}
where T represents a template, [P RO]i represents the i-th
token of the template, <SEM > and <SEQ> represent the
semantic sequence and event execution sequence, respectively.
[M SK] represents the mask in the template.
However, manually constructing templates is suboptimal
because we usually have no prior knowledge of constructing
good templates. For this reason, continuous templates are
designed to enable the model to automatically ”learn” the
templates suitable for log anomaly detection task. The original
token [P RO]i is replaced with a learnable token h[P RO]i , and
thus, we obtain:
T = {h[P RO]1 , ..., <SEM >, h[P RO]i ,
(4)
..., <SEQ>, h[P RO]j , ..., [M SK]}
where h[P RO]i represents the i-th continuous token, which
is a trainable tensor. In addition, some tokens can be set to be
continuous and the other tokens remain discrete.
LogPrompt provides a model for training continuous tem-
plates, the model contains a Bi-LSTM head that uses ReLU as
the activation function and an MLP head. The training process
is represented as:
h[P RO]i ← M LP (Bi-LST M (h[P RO]i )) (5)

Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.
 2) Label Words and Verbalizer: Label words Vlabel are
constructed manually, and they can represent normal and
abnormal meanings. The selected label words should be in the
vocabulary V of PLM L. Then, a mapping called verbalizer
that maps the label words to the class Y = {0, 1} (0 represents
normal, 1 represents anomaly) can be manually constructed.
Formally, the verbalizer can be represented as:
M :v→y
where v represents the word in the label words, that is, v ∈ V ,
and y represents the category of log anomaly detection task,
that is, normal or anomaly. For example, label words such
as ”error” and ”failure” can be used to indicate anomalies,
and the other words unrelated to anomalies such as ”test” and
”size” can be used to indicate normal instances.
C. Embeddings
Logs are unstructured text data. Thus, many works use
word embeddings to represent the semantic information of
logs. Word2Vec [15] is a non-contextual embedding method
and mainly includes skip-gram and continuous bag of words.
It has two main limitations. The first limitation is that the
embeddings are static, which means the embeddings for a
word is always the same regardless of its context. Thus, it
fails to model polysemous words. For example, the word
”block” may refer to the data block in HDFS, or refer to
preventing something from happening. However, Word2Vec
fails to distinguish between them. The second is the out-
of-vocabulary problem, which means it cannot represent the
words that do not appear in the vocabulary.
Language models, such as ELMo [16], GPT [17] and BERT
[5] are proposed to address the limitations of non-contextual
embeddings. They use contextual embedding to capture the
semantic information of words in different contexts. Moreover,
they can effectively alleviate the out-of-vocabulary problem by
pre-training on a large-scale corpus.
The contextual embeddings by PLMs are powerful. Thus,
we leverage BERT-based models to generate log semantic
and sequential embeddings by inputting the log texts and
log event execution sequences respectively. The main reason
for modeling the two kinds of embeddings is that system
anomalies can be mainly divided into point and conditional
anomalies [18]. Point anomalies are usually detected at the
semantic level of log texts, while conditional anomalies are
usually detected at the log event execution sequences. We
combine them to improve the robustness of LogPrompt.
D. Prompt Tuning
Prompt-based tuning enables the PLM to better understand
log anomaly detection task, learn the representations of normal
and abnormal logs, and distinguish them.
First, the semantic sequence xsem and execution sequence
xseq are filled into the placeholders <SEM > and <SEQ>
Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.
of prompt template T , respectively. Then, the prompt sequence
xin is obtained:
xin = {[P RO]1 , ..., xsem , [P RO]i ,
(7)
..., xseq , [P RO]j , ..., [M SK]}
Then, the PLM L predicts the [M SK] in xin , that is,
P ([M SK] = v|xin ) is calculated to indicate which word v
in Vlabel is the best substitute for [M SK]. Finally, the word
(6) v with the highest probability is selected, and the result y is
obtained according to the mapping M :
y = M (arg max P ([M SK] = v|xin ) (8)
v∈V
For example, a log semantic sequence and an
execution sequence are represented as xsem =
{Receiving, block, src, dest, N ameSystem, allocateBlock}
and xseq = {bbb51b95, 3d91f a85}, and they
are filled into the given prompt template T =
{semantic, <SEM >, sequential, <SEQ>, it, is, [M SK]}
then obtain xin = {semantic, xsem , sequential, xseq ,
it, is, [M SK]}. PLM L will embed xin and
predict the [M SK] token. We define verbalizer as
M = {{error, f ailure} → 1, {test, size} → 0}. If
the prediction of [M SK] is ”error”, then the verbalizer maps
it to anomaly label. If the prediction of [M SK] is ”test”,
then it is normal. This case study is shown in Fig.2.
E. Loss Function
In the training stage, PLM learns the words represented as
normal or anomaly through prompts and performs anomaly
detection. For supervised training, loss function is used for
evaluating the performance of model and guiding model for
update. The target of log anomaly detection task is to detect
whether an anomaly occurs in the system through a log entry
or a log execution sequence. In essence, log anomaly detection
task is a binary classification task. Thus, most deep learning-
based models for log anomaly detection use cross entropy loss
as loss function. For log anomaly detection task, cross entropy
loss function is defined as follows:
LCE = −ylog(p) − (1 − y)log(1 − p)

−log(p), if y = 1 (9)
=
−log(1 − p), if y = 0
where y represents the ground true label of a single log entry
or a log event execution sequence, y = 1 represents the log is
abnormal, y = 0 represents the log is normal, and p represents
the probability that the log is predicted as an abnormal log.
However, abnormal logs are rarer than normal logs in real
world. Thus, capturing the semantic words representing system
anomalies is more difficult. To alleviate the impact of class
imbalance, a weight factor α is added to cross entropy loss
function to obtain the balance cross entropy loss function,
which is defined as follows:
LBCE = −yαlog(p) − (1 − y)(1 − α)log(1 − p)

−αlog(p), if y = 1 (10)
=
−(1 − α)log(1 − p), if y = 0
 1. Raw logs 3. Prompts

081109 203519 143 INFO dfs.DataNode Prompt Repository

$DataXceiver: Receiving block Templates
blk_-1608999687919862906 src: / ① semantic <SEM> sequential <SEQ> it is [MSK]
10.250.10.6:40524 dest: /10.250.10.6:50010 ② <SEM> <SEQ> it is [MSK]
③ <SEM> <SEQ> normal or anomaly ? [MSK]
081109 203520 26 INFO dfs.FSNamesystem: ④ <SEM> <SEQ> h[PRO] h[PRO] [MSK]
BLOCK* NameSystem.allocateBlock: /mnt/hadoop/ Label words
mapred/system/job_200811092030_0001/job.split. Anomaly: error, failure
blk_-1608999687919862906 Normal: test, size

2. Structured logs Log parsing 4. Prompt sequence

Date Time ... Event ID Event Template semantic Receiving block src
dest NameSystem allocateBlock
Receiving block <*> sequential bbb51b9 3d91fa85
08/11/09 20:35:19 ... bbb51b9 it is [MSK]
src: /<*> dest: /<*>

BLOCK*
08/11/09 20:35:20 ... 3d91fa85 NameSystem.allocateBl Anomaly Detection
ock: <*> <*> by PLM & Verbalizer

Fig. 2. Case study

where y and p are represented as above, α is a weight factor
and α ∈ [0, 1], which is used to adjust the imbalance between
normal logs and abnormal logs.
We hope that the model can pay more attention to the logs
that are difficult to be classified, to improve the accuracy of
classification. Focal loss [19] further improves balance cross
entropy loss by adding modulating factors (1 − p) and p, and
a focusing parameter γ, which not only alleviate the log class
imbalance problem, but also make the model focus more on
the hard-to-classify logs during training. Focal loss is defined
as follows:
LF = −yα(1 − p)γ log(p) − (1 − y)(1 − α)pγ log(1 − p)
−α(1 − p)γ log(p),

if y = 1
= frameworks.
−(1 − α)pγ log(1 − p), if y = 0
(11)
where y, p and α are represented as above, γ is the adjustable
focusing parameter.
V. E XPERIMENTS
A. Datasets
Loghub [20] is an open-source platform that collects many
real-world log datasets, including supercomputer, distributed
and operating system logs. HDFS and BGL datasets are
selected as experimental datasets in this paper.
• HDFS dataset is generated by MapReduce jobs (such
as distributed sorting and text scanning) running on 203
Amazon EC2 nodes. It includes 11,197,954 log entries,
about 2.9% of which are abnormal logs. Based on the
identifier block id in HDFS dataset, it can be grouped
into 575,060 log sequences. Since the anomalies in HDFS
dataset are labeled based on block id, it is necessary to
consider point anomalies and conditional anomalies that
may be included in the log event execution sequences of
the corresponding block id. In general, point anomalies
can be detected by the semantic information of log
texts, and conditional anomalies are detected by the log
execution sequences.
• BGL dataset is an open dataset of logs collected from
the BlueGene/L supercomputer system at Lawrence Liv-
ermore National Labs (LLNL). It contains fine-grained
labels, so it is widely used for log anomaly detection
task. Compared with HDFS dataset, BGL dataset does
not have identifiers.
Logs are randomly sampled for each kind of datasets to
build training sets that contains 10,000 log sequences for few-
shot learning since the whole datasets are so much larger.
The whole datasets are used to evaluate the performance of
LogPrompt and compare it with other log anomaly detection
TABLE I
D ETAILED STATISTICAL INFORMATION OF THE DATASETS USED IN THE
EXPERIMENTS
Dataset # Training set (ano.) # Testing set (ano.)
HDFS 10,000 (298) 575,060 (16,838)
BGL 10,000 (759) 4,747,963 (348,460)
B. Experimental Design and Results
The performance of log anomaly detection is usually evalu-
ated by four metrics: precision, recall, F1 score and accuracy.
We conduct contrastive experiments to explore the influence
of different parameter settings and to compare with previous
work, and conduct ablation study to prove the effectiveness of
leveraging semantic and sequential information in LogPrompt.
We put forward research questions (RQs) and answer these
RQs through experiments.
RQ1: What are the advantages of LogPrompt compared
with other log anomaly detection frameworks?
To evaluate the performance of LogPrompt, we compared
it with four other log anomaly detection frameworks based

Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.
 TABLE II
P ERFORMANCE OF L OG P ROMPT AND FOUR OTHER LOG ANOMALY DETECTION FRAMEWORKS

HDFS BGL
Framework
Precision↑ Recall↑ F1 score↑ Precision↑ Recall↑ F1 score↑
DeepLog 0.8844 0.6949 0.7734 0.8974 0.8278 0.8612
LogAnomaly 0.9415 0.4047 0.5619 0.7312 0.7609 0.7408
LogRobust 0.9830 0.9480 0.9460 0.8970 0.7920 0.8410
LogBERT 0.8702 0.7810 0.8232 0.8940 0.9232 0.9083
LogPrompt (SEM) 0.9832 0.7436 0.8459 0.9841 0.8741 0.9219
LogPrompt (SEQ) 0.6819 0.5783 0.5202 0.8842 0.8963 0.8902
LogPrompt (SEM + SEQ) 0.9965 0.9474 0.9713 0.9848 0.9753 0.9799

TABLE III
P ERFORMANCE EFFECT OF DIFFERENT PLM S ON L OG P ROMPT

HDFS BGL
PLM
Precision↑ Recall↑ F1 score↑ Accuracy↑ Precision↑ Recall↑ F1 score↑ Accuracy↑
BERT-base-uncased 0.9964 0.8911 0.9406 0.9949 0.9861 0.9367 0.9607 0.9941
BERT-large-uncased 0.9981 0.5909 0.7065 0.9813 1.0000 0.7542 0.8599 0.9817
RoBERTa-base 0.9975 0.8938 0.9426 0.9951 0.9843 0.9363 0.9597 0.9939
RoBERTa-large 0.9811 0.6982 0.8092 0.9857 0.9649 0.8555 0.9030 0.9867
ALBERT-base-v1 0.9968 0.8938 0.9419 0.9951 0.9872 0.9607 0.9737 0.9961
ALBERT-base-v2 0.9965 0.9474 0.9713 0.9963 0.9848 0.9753 0.9799 0.9970

on deep learning, namely, DeepLog, LogAnomaly, LogRobust information of the logs, most metrics are worse than those
and LogBERT. Tabel II shows the performance of these using both the semantic and sequential information of the logs.
different log anomaly detection frameworks evaluated on two RQ2: What is the effect of using different PLMs on the
log datasets. performance of log anomaly detection?
We compare six different BERT, RoBERTa and ALBERT
TABLE IV models to explore the impact of using different PLMs on the
D ESIGN OF PROMPTS performance. Table III shows their performances on two log
Prompt Template Label words
datasets.
Anomaly:”error” The performance of different PLMs on different datasets
Bi-LSTM <SEM > <SEQ> h[P RO] h[P RO] [M SK]
Normal:”normal” may be different. For example, RoBERTa-large has good
Anomaly:”error”
Manual-0 <SEM > <SEQ> it is [M SK]
Normal:”normal” performance on BGL dataset, but is has poor performance
Anomaly:”normal” on HDFS dataset. We also find that light models are better
Manual-1 <SEM > <SEQ> it is [M SK]
Normal:”error”
Anomaly:”yes” than large models. For example, BERT-base-uncased and
Manual-2 <SEM > <SEQ> anomaly ? [M SK]
Normal:”no” RoBERTa-base get better recalls than BERT-large-uncased
Anomaly:”error”
None <SEM > <SEQ> [M SK] and RoBERTa-large, respectively. Moreover, ALBERT-base-
Normal:”normal”
v1 and ALBERT-base-v2 have better performance than BERT
The experimental results of LogPrompt are under the op- and RoBERTa models, one possible reason is that they com-
timal parameter combination. ALBERT-based-v2 is used as press the model size and reduce the number of parameters
the PLM, the prompt encoder type is Bi-LSTM, and other through cross-layer parameter sharing and factorized embed-
parameters are set to the default value of ALBERT-based-v2. ding parameterization.
In the experiment, three different random seeds are set and RQ3: What is the effect of using different kinds of
three models are trained respectively, and each model evaluates prompts on the performance of log anomaly detection?
the testing set after training. Table II shows the mean value We use PLM ALBERT-base-v2 for experiments. On the
of metrics that LogPrompt evaluates on the testing sets of the one hand, continuous template is constructed automatically
three models. based on Bi-LSTM. On the other hand, discrete templates
Table II shows that LogPrompt exceeds most baseline mod- are constructed manually. Prompts are designed and shown
els on HDFS dataset. It is only slightly lower than LogRobust in Table IV and the experiment results are shown in Table V.
in recall. It outperforms all baseline models on BGL dataset. The experimental results show that the precision, F1 score
In addition, through ablation experiments, it is found that and accuracy of constructing continuous template automati-
if LogPrompt only uses one of the semantic or sequential cally based on Bi-LSTM are higher than that of constructing

Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.
 TABLE V
P ERFORMANCE OF USING DIFFERENT KINDS OF PROMPTS

HDFS BGL
Prompt
Precision↑ Recall↑ F1 score↑ Accuracy↑ Precision↑ Recall↑ F1 score↑ Accuracy↑
Bi-LSTM 0.9965 0.9474 0.9713 0.9963 0.9848 0.9753 0.9799 0.9970
Manual-0 0.8982 0.9849 0.9112 0.9947 0.9680 0.9734 0.9702 0.9955
Manual-1 0.9863 0.8219 0.8960 0.9857 0.9863 0.8219 0.8960 0.9857
Manual-2 0.9759 0.9420 0.9586 0.9961 0.9733 0.9795 0.9764 0.9964
None 0.3440 0.8456 0.4891 0.9196 0.6320 0.0178 0.0346 0.9253

TABLE VI
P ERFORMANCE OF USING DIFFERENT KINDS OF LOSS FUNCTIONS

Metrics
Dataset Loss function
Precision↑ Recall↑ F1 score↑ Accuracy↑
Cross entropy loss 0.8982 0.9849 0.9112 0.9947
HDFS
Focal loss 0.9965 0.9474 0.9713 0.9963
Cross entropy loss 0.9966 0.8861 0.9359 0.9912
BGL
Focal loss 0.9848 0.9753 0.9799 0.9970

(a) Predictions of using cross entropy (b) Truths of using cross entropy loss (c) Predictions of using focal loss (d) Truths of using focal loss
loss

Fig. 3. Visualization of logits

discrete templates manually (Manual-0,1,2) on HDFS dataset.
On BGL dataset, automatically constructing continuous tem-
plates outperforms manually constructing discrete templates in
F1 score and accuracy. In conclusion, constructing continuous
templates automatically is feasible and effective, and the
tedious procedures of manually constructing templates are
avoided.
Compared with Manual-0 and Manual-1, recalls and F1
scores decrease when the label word mapping is exchanged.
Therefore, the model misunderstands the semantic information
of the logs when the label words are used with the opposite
meanings of the ground true labels. For example, the label
word ”error” might be interpreted as having a positive meaning
and classified as normal instance.
If [M SK] is predicted without other prompt tokens (None),
then all metrics decrease significantly, which implies that
prompt construction is crucial to log anomaly detection task.
RQ4: Does focal loss alleviate log class imbalance prob-
lem compared with cross entropy loss?
We construct continuous template automatically based on
Bi-LSTM, using cross entropy loss and focal loss on PLM
ALBERT-base-v2 to conduct anomaly detection experiments.
The experimental results are showed in Table VI.
For HDFS dataset, precision, F1 score and accuracy are
higher when using focal loss than when using cross entropy
loss, but recall is lower. For BGL dataset, although using
cross entropy loss has a higher precision than focal loss, it
is lower than using focal loss on recall and F1 score. Overall,
using focal loss can alleviate log class imbalance problem to a
certain extent and improve the overall performance of anomaly
detection.
We visualize the outputted logits when evaluating on the
testing set of BGL dataset, as shown in Fig.3.
Fig.3(a) shows the predictions of ALBERT-base-v2 trained
with cross entropy loss. The upper left part of the line y = x
is classified as anomaly, and the lower right part is classified
as normal. Fig.3(b) shows the ground true labels of the logs.
We can observe that many anomalies are classified as normal.
Fig.3(c) shows the predictions of ALBERT-base-v2 trained
with focal loss. The upper left part of the line y = x is
classified as anomaly, and the lower right part is classified
as normal. Fig.3(d) shows the ground true labels of the logs.
Compared with cross entropy loss, logs of misclassification
are greatly reduced.

Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.
 In conclusion, compared with using cross entropy loss, us-
ing focal loss can detect anomalies more accurately. Moreover,
the intra-class distance between normal and anomaly class
clusters is smaller and the inter-class distance is larger, which
greatly reduces the possibility of predicting anomalous logs as
normal logs.
VI. C ONCLUSION
This paper proposes LogPrompt, which is a prompt-based
log anomaly detection framework. It constructs prompts to
guide the PLM to learn semantic and sequential information
in the logs, improving the evaluation metrics of log anomaly
detection task. Focal loss is used instead of cross entropy
loss to guide model optimization during model training, for
alleviating the imbalance of normal and abnormal log samples.
Experiments show that LogPrompt can detect anomalies more
effectively and efficiently by learning semantic and sequential
information from prompts, even training with few log data.
[15] T. Mikolov, I. Sutskever, K. Chen, G. S. Corrado, and J. Dean,
“Distributed representations of words and phrases and their composi-
tionality,” Advances in neural information processing systems, vol. 26,
2013.
[16] M. E. Peters, M. Neumann, M. Iyyer, M. Gardner, C. Clark, K. Lee,
and L. Zettlemoyer, “Deep contextualized word representations,” in
Proceedings of NAACL-HLT, 2018, pp. 2227–2237.
[17] A. Radford, J. Wu, R. Child, D. Luan, D. Amodei, I. Sutskever et al.,
“Language models are unsupervised multitask learners,” OpenAI blog,
vol. 1, no. 8, p. 9, 2019.
[18] R. Chalapathy and S. Chawla, “Deep learning for anomaly detection: A
survey,” arXiv preprint arXiv:1901.03407, 2019.
[19] T.-Y. Lin, P. Goyal, R. Girshick, K. He, and P. Dollár, “Focal loss
for dense object detection,” in Proceedings of the IEEE international
conference on computer vision, 2017, pp. 2980–2988.
[20] S. He, J. Zhu, P. He, and M. R. Lyu, “Loghub: a large collection of
system log datasets towards automated log analytics,” arXiv preprint
arXiv:2008.06448, 2020.

R EFERENCES
[1] G. Pang, C. Shen, L. Cao, and A. V. D. Hengel, “Deep learning for
anomaly detection: A review,” ACM Computing Surveys (CSUR), vol. 54,
no. 2, pp. 1–38, 2021.
[2] M. Du, F. Li, G. Zheng, and V. Srikumar, “Deeplog: Anomaly detection
and diagnosis from system logs through deep learning,” in Proceedings
of the 2017 ACM SIGSAC conference on computer and communications
security, 2017, pp. 1285–1298.
[3] W. Meng, Y. Liu, Y. Zhu, S. Zhang, D. Pei, Y. Liu, Y. Chen, R. Zhang,
S. Tao, P. Sun et al., “Loganomaly: Unsupervised detection of sequential
and quantitative anomalies in unstructured logs.” in IJCAI, vol. 19, no. 7,
2019, pp. 4739–4745.
[4] X. Zhang, Y. Xu, Q. Lin, B. Qiao, H. Zhang, Y. Dang, C. Xie, X. Yang,
Q. Cheng, Z. Li et al., “Robust log-based anomaly detection on unstable
log data,” in Proceedings of the 2019 27th ACM Joint Meeting on
European Software Engineering Conference and Symposium on the
Foundations of Software Engineering, 2019, pp. 807–817.
[5] J. Devlin, M.-W. Chang, K. Lee, and K. Toutanova, “Bert: Pre-training
of deep bidirectional transformers for language understanding,” arXiv
preprint arXiv:1810.04805, 2018.
[6] H. Guo, S. Yuan, and X. Wu, “Logbert: Log anomaly detection via bert,”
in 2021 International Joint Conference on Neural Networks (IJCNN).
IEEE, 2021, pp. 1–8.
[7] Y. Liu, M. Ott, N. Goyal, J. Du, M. Joshi, D. Chen, O. Levy, M. Lewis,
L. Zettlemoyer, and V. Stoyanov, “Roberta: A robustly optimized bert
pretraining approach,” arXiv preprint arXiv:1907.11692, 2019.
[8] Z. Lan, M. Chen, S. Goodman, K. Gimpel, P. Sharma, and R. Soricut,
“Albert: A lite bert for self-supervised learning of language representa-
tions,” arXiv preprint arXiv:1909.11942, 2019.
[9] P. Liu, W. Yuan, J. Fu, Z. Jiang, H. Hayashi, and G. Neubig, “Pre-
train, prompt, and predict: A systematic survey of prompting methods
in natural language processing,” arXiv preprint arXiv:2107.13586, 2021.
[10] N. Zhang, S. Deng, Z. Sun, J. Chen, W. Zhang, and H. Chen, “Relation
adversarial network for low resource knowledge graph completion,” in
Proceedings of The Web Conference 2020, 2020, pp. 1–12.
[11] T. Schick and H. Schütze, “Few-shot text generation with natural lan-
guage instructions,” in Proceedings of the 2021 Conference on Empirical
Methods in Natural Language Processing, 2021, pp. 390–402.
[12] X. Liu, Y. Zheng, Z. Du, M. Ding, Y. Qian, Z. Yang, and J. Tang, “Gpt
understands, too,” arXiv preprint arXiv:2103.10385, 2021.
[13] M. Du and F. Li, “Spell: Streaming parsing of system event logs,” in
2016 IEEE 16th International Conference on Data Mining (ICDM).
IEEE, 2016, pp. 859–864.
[14] P. He, J. Zhu, Z. Zheng, and M. R. Lyu, “Drain: An online log parsing
approach with fixed depth tree,” in 2017 IEEE international conference
on web services (ICWS). IEEE, 2017, pp. 33–40.

Authorized licensed use limited to: Zhejiang University. Downloaded on June 15,2024 at 15:29:21 UTC from IEEE Xplore. Restrictions apply.