Detecting anomalies from logs

Anomalies are rare patterns or abnormalities that indicate a deviation from the normal behavior. BMC Helix Log Analytics provides automated analysis with machine learning (ML)-based anomaly detection of abnormal or rare log patterns. You can analyze anomalous logs to debug application errors and ensure optimum performance. You can proactively find concerns or errors before they become a problem.

Related topics

Deriving-insights-from-logs

Generating-alerts-from-logs

Example

Sarah is an administrator in Apex Global, which uses BMC Helix Log Analytics for log collection and analysis. Sarah wants to be alerted if there are any deviations from the normal behavior in the system. She knows that small deviations often lead to bigger failures, and she wants to debug these deviations before they become problems. How can Sarah receive such alerts?

Sarah configures alert policies to receive anomaly notifications. When an anomaly is detected, notifications are generated in the form of events. These events are generated in BMC Helix Operations Management. Sarah can also view these events in BMC Helix AIOps and BMC Helix Dashboards.

Anomaly detection_updated.png

The following procedure is used by BMC Helix Log Analytics to detect anomalous logs:

  1. Processing the ingested logs.
    An administrator configures alert policies to identify anomalies in the logs. These logs are processed to remove dates, special characters, and unnecessary keywords. The cleaning process uses regular expressions to remove dates and filter characters.
  2. Detecting anomalies.
    BMC Helix Log Analytics uses hierarchical clustering and cross-similarity techniques to detect anomalies in logs. Anomalies are detected by using the following method:

    1. The hierarchical clustering identifies anomalies from the first batch of logs.
      BMC Helix Log Analytics starts detecting anomalies after a default initial learning time of 15 minutes. The learning time is used to determine false positives.
      To change the learning time, contact BMC Support.

      Important

      Logs are ingested as a single file for any policy. If there are multiple log files matching the selection criteria defined in the policy, the logs from all files are combined in a single file.

    2. The identified anomalies are stored in a tags table in the binary format for further analysis.
    3. For every subsequent batch, the system performs a cross-similarity check between newly identified anomalies and the data stored in the tags binary.
    1. Any newly identified anomalies that differ from the previous data are considered new anomalies.
      An interval between the detection of anomalies is two hours. That means, if an anomaly is detected, and the anomaly reappears within two hours, the behavior is not considered anomalous. However, if an anomaly is detected, and the anomaly reappears after two hours, the behavior is flagged as anomalous.
      To change the interval duration, contact BMC Support.
      The complete list of anomalies includes both new and existing anomalies in tags.
    2. When the tag count reaches the maximum limit, 20% of the oldest tags are removed. 5000 is the tag count limit.
      To change the percentage of the oldest tags to be removed and the tag count limit,       contact BMC Support.

    3. The anomalies use the context extraction technique for quick insights, where the top three keywords are extracted from the anomalies.

      Important

      Logs that contain the INFO, DEBUG, and TRACE keywords are not considered for anomaly detection. The keywords are not case-sensitive.

  2. Analyzing anomalous logs.
    Use the Explorer tab to analyze log anomalies.
    Because of the anomaly detection alert policies, log anomaly events are generated in     BMC Helix Operations Management. Use the Events page in BMC Helix Operations Management to analyze the log anomaly events.
    For more information, see Analyzing anomalous logs and anomaly events.

Anamolous log record examples

Example of anomalous Apache logs

Non-anomalous logs

[Fri Mar 24 04:47:44 2023] [notice] workerEnv.init() ok /etc/httpd/conf/workers2.properties

[Fri Mar 24 04:51:08 2023] [notice] jk2_init() Found child 6725 in scoreboard slot 10

Anomalous logs

[Fri Mar 24 01:04:31 2023] [error] [client 218.62.18.218] Directory index forbidden by rule: /var/www/html/

[Fri Mar 24 20:47:17 2023] [error] jk2_init() Can't find child 2087 in scoreboard
Example of anomalous Linux logs

Non-anomalous logs

Mar 24 06:06:21 combo kernel: usbcore: registered new driver hub

Mar 24 06:06:23 combo kernel: ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx

Mar 24 06:06:28 combo kernel: PCI: Found IRQ 11 for device 0000:00:1f.2

Mar 24 06:06:29 combo kernel: uhci_hcd 0000:00:1f.2: new USB bus registered, assigned bus number 1

Anomalous Records

Mar 24 06:06:29 combo kernel: audit(1138278101.749:164014): avcdenied  { ioctl } for  pid=594 exe=/usr/lib/vte/gnome-pty-helper path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devpts_t tclass=chr_file

Mar 24 06:06:29 combo kernel: audit(1138278101.766:164029): avcdenied  { setattr } for  pid=594 exe=/usr/lib/vte/gnome-pty-helper name=0 dev= ino=2 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Example of anomalous Windows logs

Non-anomalous logs

2022-07-28 04:30:31, Info  CBS  SQM: Initializing online with Windows opt-in: False

2022-07-28 04:30:31, Info  CBS  SQM: Cleaning up report files older than 10 days.

2022-07-28 04:30:31, Info  CBS  SQM: Requesting upload of all unsent reports.

2022-07-29 00:00:46, Info  CBS  Startup processing thread terminated normally

Anomalous logs

2022-07-28 04:30:31, Warn CBS No startup processing required, TrustedInstaller service was not set as autostart, or else a reboot is still pending.

2022-07-29 00:00:47, Error CBS Failed to create backup log cab. [HRESULT = 0x80070001 - ERROR_INVALID_FUNCTION]


Configuring anomaly detection

As an administrator, create alert policies in BMC Helix Log Analytics to receive anomaly notifications. After you enable an alert policy, you can use the Explorer tab to analyze anomalous logs.

Best practice
You can configure a single anomaly detection alert policy for logs that belong to the same service or application. However, we recommend that you configure separate alert policies for logs that belong to different services or applications.

For instructions about creating an alert policy, see Generating-alerts-from-logs.


Analyzing anomalous logs and anomaly events

Use BMC Helix Log Analytics to analyze  anomalous logs. Use BMC Helix Operations Management to analyze the related anomaly events.

To analyze anomalous logs

  1. In BMC Helix Log Analytics, on the Explorer tab, select the logml-* index pattern to view all the anomalous log messages.
  2. Analyze the anomaly score of the logs to understand the anomaly strength.
    Each anomalous record contains the Anomaly and Anomaly_Score fields. The value of the Anomaly field is set to 1.0. The Anomaly_Score field represents the anomaly strength and has a value between 0 and 1. If the score is higher, the anomaly strength of the record is high.
    image-2024-6-7_18-36-6.png

BMC Helix Log Analytics automatically assigns severity to anomalous log messages depending on the keywords that the message contains.For example, if a message contains the words error or critical, the anomaly is assigned the High severity.The following table displays the severity level and its associated keywords:

To analyze log anomaly events

In BMC Helix Operations Management, use the Events page to analyze log anomaly events. Click the event to view the event details and analyze it.

The following procedure explains how you can go to BMC Helix Log Analytics from BMC Helix Operations Management.

  1. On the Events page in BMC Helix Operations Management, click an anomaly event to view the event details.
    Log anomaly events are generated with the Log Event class. You can hover over Class Event class icon.png to see the class of the event.

    Tip: Filter log anomaly events to quickly analyze them

    To filter all events of the Log Event class, use advanced filter in BMC Helix Operations Management. For more information about advanced filters, see Filtering events.

  2. Click the Others tab.
  3. In the Search Parameters field, click the Review Logs link to open the Explorer tab in BMC Helix Log Analytics.

search_para_link.png

The Explorer tab opens in BMC Helix Log Analytics and the logs that generated the event are displayed. The anomalous logs are shown in the index pattern that begins with logml.
The anomalous log events are further processed for creating situations. For more information about situations, see Monitoring and investigating situations in the BMC Helix AIOps documentation.


Visualizing log anomaly events in BMC Helix Dashboards

Use the Self Monitoring dashboard in BMC Helix Dashboards to visualize anomalous log data.

The following image displays the Self Monitoring dashboard:

self_monitoring_dashboard_emphasised.png

Use the Search parameter column to open the Explorer tab in BMC Helix Log Analytics.

Use the Event Details column to open the Event Details page in BMC Helix Operations Management.

For more information about the Self Monitoring dashboard, see Self-monitoring dashboard in the BMC Helix Dashboards documentation.







 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*