Your microservices system generates gigabytes of logs per minute. Manual anomaly search in Kibana no longer suffices — incidents are missed, and response time grows. Developing an AI system that automatically parses logs, finds unusual patterns, and sends alerts becomes critical. We created a solution that reduces detection time by 10x (from hours to minutes) and cuts monitoring costs by up to 40% through automation.
In large projects with hundreds of microservices, manual log analysis is impossible. Engineers spend hours on dashboards but miss anomalies in long call chains. Our system automatically identifies abnormal situations and prioritizes them.
How Log Parsing Works
Unstructured logs are transformed into typed events. We use the stream parser Drain3 (algorithm from Drain3: Log Parsing) — it processes 100,000 lines per second, which is 10x faster than an LLM approach with GPT-4. After parsing, each log is reduced to a template with parameters (timestamp, level, service, request ID).
| Method |
Speed (lines/s) |
Accuracy |
Setup Complexity |
| Drain3 |
100,000 |
95% |
Low |
| Spell |
80,000 |
90% |
Low |
| LLM (GPT-4) |
1,000 |
99% |
High (prompts, cost) |
In practice, Drain3 covers 95% of cases. For non-standard formats (e.g., custom protocols), we connect LLM parsing on a small sample.
Why Three Levels of Detection?
One method does not cover all anomaly types. We use three complementary approaches for reliable detection.
| Detection Method |
Anomaly Type |
Accuracy |
Latency |
| Frequency-based |
Error spikes |
High |
Low (minutes) |
| Semantic |
Rare, unusual messages |
Medium |
Medium (minutes) |
| Sequence-based |
Non-standard chains |
High |
Low (real-time) |
Frequency Anomaly (count-based). We monitor the frequency of each template in a time window. If an ERROR-level template's frequency increases 5x relative to baseline, it's an anomaly. This catches error spikes.
import pandas as pd
from collections import deque
import numpy as np
class TemplateFrequencyMonitor:
def __init__(self, window_minutes=10, baseline_minutes=60):
self.baseline_window = deque(maxlen=baseline_minutes)
self.current_window = deque(maxlen=window_minutes)
def update(self, template_counts_per_minute):
self.baseline_window.append(template_counts_per_minute)
self.current_window.append(template_counts_per_minute)
if len(self.current_window) < self.current_window.maxlen:
return {}
anomalies = {}
current = pd.DataFrame(list(self.current_window)).mean()
baseline = pd.DataFrame(list(self.baseline_window)).mean()
for template_id in current.index:
base_rate = baseline.get(template_id, 1)
curr_rate = current[template_id]
spike_ratio = curr_rate / (base_rate + 0.1)
if spike_ratio > 5 and curr_rate > 10:
anomalies[template_id] = {
'spike_ratio': spike_ratio,
'current_rate': curr_rate,
'baseline_rate': base_rate
}
return anomalies
Semantic Anomaly (embedding-based). The frequency method misses rare but critical messages. We obtain log embeddings via Sentence-Transformer and apply Isolation Forest. The model finds semantically unusual messages even if their frequency is normal.
Sequence Anomaly (sequence-based). Some event chains are typical (e.g., Auth → DB query → Response). If the system goes Auth → Error → Wait, that's an anomaly. We build an n-gram model of normal sequences and detect non-standard transitions.
Each method covers its own anomaly class. In total, false positives are under 5%, and incident misses are under 1%. This allows the system to pay for itself within 3–6 months by reducing downtime.
ML Severity Classification
We fine-tune BERT (on client-labeled logs) to classify severity: informational, warning, error, critical. The classifier looks at semantics, not just the log level (ERROR may be non-critical). Example: a message "Connection timeout after 30000ms" gets a critical label if confidence is above 85%.
Practical Implementation: ELK + ML Layer
Architecture: Elasticsearch (storage), Logstash/Fluent Bit (collection), Kibana (visualization), Python FastAPI (ML layer with Drain3, detection, and classifier), Kafka (log streaming — prevents data loss). Large project: we integrated the system for a platform with 200+ microservices processing 5 TB of logs per day. Anomaly detection time dropped from 30 minutes to 2 minutes, and false alerts fell from 20 to 2 per day.
Implementation includes these steps:
- Audit current logging stack and gather requirements.
- Configure log collection (Fluent Bit, Filebeat) and Kafka.
- Develop and calibrate models (Drain3, detection, classifier).
- Integrate with existing monitoring systems (PagerDuty, OpsGenie).
- Documentation and team training.
- Three months of post-launch support.
To evaluate your scenario, contact us — we will conduct a free log audit and provide a preliminary estimate.
Why Choose Us
We are an AI/ML engineering team with 5 years of experience in NLP and MLOps. We have completed over 50 projects in log analysis and monitoring. Certified AWS and GCP specialists ensure solution reliability. We don't sell a box — we adapt the system to your data.
Timelines and Cost
Basic version (Drain3 + frequency anomaly + Elasticsearch) — from 3 to 4 weeks. Extended version (with semantic anomaly and correlation) — from 2 to 3 months. Cost is calculated individually based on log volume and number of services. Total monitoring cost (TCO) reduction is 30-50% depending on volume. Order a consultation — we will send an estimate within 2 business days.
Anomaly Detection: Autoencoders, Isolation Forest, PyOD
Server monitoring shows CPU 85%, memory 91% — is this the start of an attack or normal peak load? A classifier won’t help: anomalies are by definition rare, diverse, and not pre-labeled. Supervised learning requires examples of anomalies in the training set — so it fails on what you haven’t seen yet. Without an unsupervised approach, detection turns into guesswork.
Why Does Anomaly Detection Require an Unsupervised Approach?
The main problem: no labels and extreme class imbalance. Fraud transactions account for 0.01–0.1% of total volume, production defects 0.5–3%. With such ratios, a naive “all normal” classifier gives 99.9% accuracy but recall for the anomalous class near zero. Supervised models are powerless.
Second: “normality” is always contextual. A login at 3 AM may be normal for a night‑shift user but suspicious for a day‑worker. Bearing vibration at 2.3 mm/s depends on operating mode and machine age. So we embed context via feature engineering and time windows.
Third: quality assessment without ground truth. No standard test set — AUC‑ROC is possible only if a few labeled examples exist. For fully unlabeled data, only domain expert validation and indirect metrics work.
How to Distinguish an Anomaly from Noise in Real Time?
With adaptive thresholds and continuous monitoring of model statistics. In the case section we show how.
| Method |
Data Type |
Training Speed |
Typical Application |
| Isolation Forest |
Tabular, categorical |
High |
Baseline for initial hypotheses |
| Autoencoder |
Images, time series, logs |
Medium |
Unstructured data |
| LSTM-AE |
Multivariate time series |
Low |
Industrial telemetry |
| PyOD (ensemble) |
Tabular |
High |
Quick comparison of 40+ methods |
Isolation Forest is the standard baseline for tabular data. Idea: anomalies are isolated faster by random partitioning of the feature space. Works well at contamination=0.01–0.1, robust to feature scale, no normalization required. Implementation in sklearn.ensemble.IsolationForest.
Typical mistake: setting contamination='auto' without understanding the data. Auto mode assumes a threshold of -0.5, which may not match the actual anomaly proportion. Better: estimate expected anomaly percentage through domain knowledge and set it explicitly. We guarantee contamination tuning for your case.
PyOD (Python Outlier Detection) is a library with 40+ algorithms under a unified API — OCSVM, LOF, COPOD, ECOD, DeepSVDD, AutoEncoder. Useful for quickly comparing methods on the same data.
Autoencoders are the main method for unstructured data (time series, images, logs). Train the network to reconstruct normal data; anomalies yield high reconstruction error. Anomaly threshold is the 95th or 99th percentile of error on a validation set of normal data.
Practical problem with autoencoders: overfitting on “normal” patterns that are still rare. If the training set contains even a few anomalies, the model may learn to reconstruct them well. Solution: thorough cleaning of training data or using a Variational Autoencoder (VAE), which generalizes better.
LSTM‑AE for time series captures temporal dependencies better than a regular AE. Especially effective for multivariate time series (10+ sensors simultaneously). Implementation via PyTorch, training with MSELoss on sliding windows.
In Detail: Anomaly Detection in Industrial Time Series
Problem: vibration sensors on 12 pumps at a chemical plant, 6 sensors per pump, frequency 100 Hz. Need to warn of impending failure 4–24 hours in advance.
Solution architecture: raw data → feature extraction (RMS, kurtosis, peak factor, FFT amplitudes at resonant frequencies) → normalization by 24‑hour sliding window → LSTM‑AE → reconstruction error → threshold logic + alerting.
LSTM window size: 60 seconds (6000 points at 100 Hz). Too small a window misses slow patterns, too large loses sensitivity to rapid changes.
Anomaly threshold: not fixed, but adaptive. threshold = mean(errors_last_7d) + 3 * std(errors_last_7d). As normal state drifts (planned wear), the threshold adapts, avoiding false positives.
Result over a 6‑month pilot: detected 4 out of 5 real pre‑failure conditions (recall 0.8), with 2 false alarms over 6 months (precision 0.67). Before implementation: 3 unplanned shutdowns. After implementation: cost savings verified in the pilot report.
What Specifics Does Fraud Detection Face?
Financial transactions have several features that complicate detection:
- Concept drift: fraud patterns change faster than normal behavior. A model trained six months ago becomes obsolete.
- Adversarial adaptation: advanced fraudsters adapt — making transactions resemble normal ones.
- Temporal dependency: a series of normal transactions followed by one unusual transfer is a sequence anomaly, not a single point.
Practical stack for fraud detection: LightGBM with SMOTE oversampling for the supervised part (known fraud cases) + Isolation Forest for unsupervised (new patterns). Both signals combined in an ensemble; final decision via thresholds tuned for acceptable FPR (0.1–1% of transactions sent to manual review).
How to Evaluate Quality Without Labels?
When ground truth is absent, we evaluate using:
- Synthetic anomaly injection: add artificial anomalies (spike, level shift, point outlier) and check if the model detects them.
- Expert validation: random sample of top‑K anomalies → expert review → precision.
- Business metric: did the number of missed incidents / false alarms decrease after deployment?
Technical detail: the adaptive threshold is computed as mean(errors) + k * std(errors) on a 7‑day sliding window. Coefficient k is tuned on a validation set with synthetic anomalies to achieve FPR < 0.1%. When features drift, the window automatically shifts.
Process
- Interview with domain experts — understand what “normality” means and what incidents have occurred.
- EDA and data preparation — cleaning, feature creation, time windows.
- Baseline (Isolation Forest) — fast validation on known incidents.
- Model selection and customization — Autoencoder / LSTM‑AE / ensemble.
- Training, validation with synthetic anomalies.
- Deployment to production — pipeline on Kafka + Flink / Airflow, alerting to Telegram/Slack, drift monitoring.
- Post‑deployment support — monitor model metrics, update thresholds.
What's Included
- Audit of current data and processes
- Development and training of models (Isolation Forest / Autoencoder / LSTM‑AE / ensemble)
- Configuration of adaptive thresholds and alerting
- Anomaly monitoring dashboard (Grafana / Streamlit)
- Model card and pipeline documentation
- Training for your team (2–3 sessions)
- 3‑month warranty support
Timeline: baseline system with one method — 2–4 weeks. Production system with adaptive thresholds, alerting, and monitoring — 2–5 months. Pricing is calculated individually for your case.
Our team has 8+ years of experience in industrial analytics and 15+ successful projects in anomaly detection for telemetry, finance, and IT monitoring. Get a consultation — we’ll tell you how to solve your problem. Contact us to discuss your data and receive a preliminary architecture proposal.