Event logs are widely used to record the status of high-tech systems, making log anomaly detection important for monitoring those systems. Most existing log anomaly detection methods take a log event count matrix or log event sequences as input, exploiting quantitative and/or sequential relationships between log events to detect anomalies. Unfortunately, only considering quantitative or sequential relationships may result in low detection accuracy. To alleviate this problem, we propose a graph-based method for unsupervised log anomaly detection, dubbed Logs2Graphs, which first converts event logs into attributed, directed, and weighted graphs, and then leverages graph neural networks to perform graph-level anomaly detection. Specifically, we introduce One-Class Digraph Inception Convolutional Networks, abbreviated as OCDiGCN, a novel graph neural network model for detecting graph-level anomalies in a collection of attributed, directed, and weighted graphs. By coupling the graph representation and anomaly detection steps, OCDiGCN can learn a representation that is especially suited for anomaly detection, resulting in a high detection accuracy. Importantly, for each identified anomaly, we additionally provide a small subset of nodes that play a crucial role in OCDiGCN's prediction as explanations, which can offer valuable cues for subsequent root cause diagnosis. Experiments on five benchmark datasets show that Logs2Graphs performs at least on par with state-of-the-art log anomaly detection methods on simple datasets while largely outperforming state-of-the-art log anomaly detection methods on complicated datasets.
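The log-to-graph conversion described above, as an added illustration that is not the paper's code: each session of parsed event-template ids becomes an attributed, directed, weighted graph (node attribute = occurrence count, edge weight = transition count), and a simple unseen-element ratio over constructed sample sessions stands in for the learned OCDiGCN scorer and its node-level explanation. The attribute choice, the scoring rule and the sample data are assumptions.

```python
from collections import Counter

# Constructed sample data: each session is a sequence of parsed event-template ids
# (e.g. from a log parser); the training sessions are assumed to be normal.
TRAIN_SESSIONS = [
    ["E1", "E2", "E3", "E2", "E3", "E4"],
    ["E1", "E2", "E3", "E4"],
    ["E1", "E2", "E3", "E2", "E3", "E2", "E3", "E4"],
]
# Test session containing a template (E5) and transitions never seen in training.
TEST_SESSION = ["E1", "E2", "E5", "E3", "E4"]


def session_to_graph(events):
    """Convert one log session into an attributed, directed, weighted graph.
    Nodes: distinct event templates, attribute = occurrence count in the session.
    Edges: consecutive event transitions u -> v, weight = transition count."""
    node_attr = Counter(events)
    edge_weight = Counter(zip(events, events[1:]))
    return dict(node_attr), dict(edge_weight)


def reference_from_sessions(sessions):
    """Union of nodes and directed edges observed across normal sessions."""
    nodes, edges = set(), set()
    for session in sessions:
        n, e = session_to_graph(session)
        nodes |= n.keys()
        edges |= e.keys()
    return nodes, edges


def anomaly_score(session, ref_nodes, ref_edges):
    """Weighted fraction of the session graph (node counts + edge weights) that
    is unseen in the reference graphs; 0.0 means fully explained by normal data."""
    n, e = session_to_graph(session)
    total = sum(n.values()) + sum(e.values())
    unseen = sum(c for k, c in n.items() if k not in ref_nodes)
    unseen += sum(c for k, c in e.items() if k not in ref_edges)
    return unseen / total if total else 0.0


def explain(session, ref_nodes, ref_edges):
    """Small node subset touching unseen nodes/edges: a cue for root cause analysis."""
    n, e = session_to_graph(session)
    culprits = {k for k in n if k not in ref_nodes}
    for u, v in e:
        if (u, v) not in ref_edges:
            culprits |= {u, v}
    return sorted(culprits)
```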