🤖 AI Summary
This work addresses the challenge of inefficient anomaly diagnosis due to the unstructured and semantically impoverished nature of traditional system logs. The authors propose a hierarchical log abstraction method that parses raw logs into a three-layer semantic structure—entities, actions, and statuses—and introduce a modular collaborative detection framework that performs anomaly detection at each semantic level. By integrating large language models (LLMs) with a human-in-the-loop interactive visualization system, the approach enables precise identification, localization, and interpretable analysis of anomalies. Evaluated on the HDFS benchmark dataset, the method demonstrates effectiveness while supporting hierarchical log browsing, highlighting of anomalous segments, and user-guided review and correction of LLM-generated explanations. The source code and an online demo platform have been publicly released.
📝 Abstract
Logs are ubiquitous in modern systems. Unfortunately, their unstructured nature in flat sequences limits understanding of execution behaviors, hindering effective anomaly diagnosis. To address this, Krone introduces a novel hierarchical log abstraction that transforms flat log sequences into semantically coherent units across entity, action, and status levels. Building on this abstraction, Krone introduces a hierarchical orchestration framework that decomposes flat log sequences into hierarchical execution units and performs modular detection over them. It executes and optimizes the modular detection tasks across levels, enabling precise anomaly detection, localization, and explanation with selective invocation of LLM-based reasoning. In this work, we present Krone-viz, an interactive visualization system based on Krone, which makes hierarchical log analysis interpretable and actionable for software engineers and system operators. Demonstrated on the widely used HDFS benchmark dataset, Krone-viz supports: 1) examining hierarchical decompositions of flat log sequences, 2) inspecting detection results and abnormal segments identified by Krone with LLM-generated explanations, and 3) reusing, reviewing, and revising knowledge generated by LLMs with human-in-the-loop guardrails. The code of Krone-viz is available at https://github.com/LeiMa0324/KRONE_Demo_official, and we deploy a live demo at https://leima0324.github.io/KRONE_Demo_official.