论文《自动日志解析的工具和基准》翻译

Tools and Benchmarks for Automated Log Parsing

自动日志解析的工具和基准

Abstract—Logs are imperative in the development and maintenance process of many

software systems. They record detailed runtime information that allows developers and

support engineers to monitor their systems and dissect anomalous behaviors and errors.

The increasing scale and complexity of modern software systems, however, make the

volume of logs explodes. In many cases, the traditional way of manual log inspection

becomes impractical. Many recent studies, as well as industrial tools, resort to powerful

text search and machine learning-based analytics solutions. Due to the unstructured nature

spanning distributed systems, supercomputers, operating systems, mobile systems, server

applications, and standalone software. We report the benchmarking results in terms of

accuracy, robustness, and efficiency, which are of practical importance when deploying

automated log parsing in production. We also share the success stories and lessons learned

in an industrial application at Huawei. We believe that our work could serve as the basis

and provide valuable guidance to future research and deployment of automated log parsing.

摘要—日志在许多软件系统的开发和维护中是必不可少的。他们记录详细的运行信

息，是开发人员和支持工程师能够监视他们的系统，并分析异常行为和错误。然而，

现代软件系统不断增长的规模和复杂性使得日志的数量爆炸式增长。在许多案例中，

传统的手工日志检查方法变得不具有实用性。最近的许多研究，以及工业工具，都

移动系统、服务器应用和脱机软件上的日志数据集）评估了 13 个日志解析器。我们

根据准确率、鲁棒性和效率方面报道了基准测试结果，准确率、鲁棒性和效率对于

在产品中部署自动日志解析是非常重要的。我们还分享了在企业应用（如华为）中

分享成功故事和经验教训。我们相信，我们的工作可以作为基础。同时为未来的研

究和自动日志解析的部署提供有价值的指导。

Index Terms—Log management, log parsing, log analysis, anomaly detection, AIOps

关键词—日志管理，日志解析，日志分析，异常检测，AIOps（Artificial Intelligence for

IT Operations）

1. INTRODUCTION

1. 引言

diagnosing errors and crashes [5], [6].

日志在软件系统的开发和维护中起着重要作用。将详细的系统运行时信息记录

到日志中是一种通用的做法，这使开发者和支持工程师能够理解系统行为并追踪可

能出现的问题。丰富的信息和广泛的日志能够支持各种各样的系统管理和诊断任务，

例如使用统计进行分析，确保应用程序安全性，识别性能异常，以及诊断错误和崩

Despite the tremendous value buried in logs, how to analyze them effectively is still a great

challenge [7]. First, modern software systems routinely generate tons of logs (e.g., about

gigabytes of data per hour for a commercial cloud application [8]). The huge volume of

logs makes it impractical to manually inspect log messages for key diagnostic information,

even provided with search and grep utilities. Second, log messages are inherently

of structured events.

尽管日志中隐藏着巨大的价值，如何有效地分析他们仍然是一个巨大的挑战。

首先，现代软件系统通常会生成大量的日志（例如，对于商业云应用程序每个小时

都能生成 GB 级别的数据）。大量的日志数据使得手动检查关键诊断信息的日志消息

变得不切实际，即使提供了搜索和正则表达式工具。第二，日志消息的本质是无结

构的，因为开发者通常使用方便和灵活的自由文本来记录系统事件。这进一步增加

了自动分析日志数据的困难。许多最近的研究，以及工业的解决方案（例如

Splunk， ELK， Logentrics），已经发展到提供强大的文本搜索和基于机器学习的

分析能力。

为了能够使用这样的日志分析，第一步也是最重要的一步就是日志解析，这是一种

a composition of constant strings and variable values. The constant part reveals the event

template of a log message and remains the same for every event occurrence. The variable part

carries dynamic runtime information (i.e., parameters) of interest, which may vary among

different event occurrences. The goal of log parsing is to convert each log message into a

specific event template (e.g., “Received block <*> of size <*> from /<*>”) associated with key

parameters (e.g., [“blk_-562725280853087685”, “67108864”, “10.251.91.84”]). Here, “<*>”

denotes the position of each parameter.

如图 1 所示，每个日志消息由一条日志语句数据，并记录一个具体地带消息头

和消息内容的系统事件。消息头是由日志框架决定的，因此可以相对容易地提取，

比如时间戳、详细级别(例如，错误/信息/调试)和组件。相反，通常很难结构化开发

The traditional way of log parsing relies on handcrafted regular expressions or grok

patterns [16] to extract event templates and key parameters. Although straightforward,

manually writing ad-hoc rules to parse a huge volume of logs is really a time-consuming

and error-prone pain (e.g., over 76K templates in our Android dataset). Especially, logging

code in modern software systems usually update frequently (up to thousands of log

statements every month [17]), leading to the inevitable cost of regularly revising these

handcrafted parsing rules. To reduce the manual efforts in log parsing, some studies [18],

[19] have explored the static analysis techniques to extract event templates from source

code directly. While it is a viable approach in some cases, source code is not always

accessible in practice (e.g., when using third-party components). Meanwhile, non-trivial

efforts are required to build such a static analysis tool for software systems developed

To achieve the goal of automated log parsing, many data-driven approaches have been

proposed from both academia and industry, including frequent pattern mining (SLCT [20],

and its extension LogCluster [21]), iterative partitioning (IPLoM [22]), hierarchical

clustering (LKE [23]), longest common subsequence computation (Spell [24]), parsing tree

(Drain [25]), etc. In contrast to handcrafted rules and source code-based parsing, these

approaches are capable of learning patterns from log data and automatically generating

common event templates. In our previous work [9], we have conducted an evaluation study

of four representative log parsers and made the first step towards reproducible research and