This work addresses the challenge of distinguishing anomalous from normal log messages in log-based anomaly detection. Methodologically, we propose the first end-to-end generative framework built upon LLaMA2: (1) self-supervised autoregressive pretraining on large-scale normal logs to capture sequential log patterns; and (2) fine-tuning via Proximal Policy Optimization (PPO) reinforcement learning, where an anomaly discriminator provides reward signals to enhance anomaly identification capability. Our key contribution is the pioneering integration of an open-source large language model (LLaMA2) into log anomaly detection, synergistically combining generative modeling with discriminative reinforcement learning—eliminating reliance on handcrafted rules or rigid templates. Evaluated on three standard benchmarks—BGL, Thunderbird, and HDFS—our approach achieves new state-of-the-art performance, improving average F1-score by 3.2–5.8 percentage points over prior methods, demonstrating superior generalization and robustness.

Log anomaly detection refers to the task that distinguishes the anomalous log messages from normal log messages. Transformer-based large language models (LLMs) are becoming popular for log anomaly detection because of their superb ability to understand complex and long language patterns. In this paper, we propose LogLLaMA, a novel framework that leverages LLaMA2. LogLLaMA is first finetuned on normal log messages from three large-scale datasets to learn their patterns. After finetuning, the model is capable of generating successive log messages given previous log messages. Our generative model is further trained to identify anomalous log messages using reinforcement learning (RL). The experimental results show that LogLLaMA outperforms the state-of-the-art approaches for anomaly detection on BGL, Thunderbird, and HDFS datasets.