CR | AI | May 7

Fine-Tuning Small Language Models for Solution-Oriented Windows Event Log Analysis

arXiv:2605.06330
AI Analysis

For IT security practitioners needing local, efficient event log analysis with actionable solutions, this work demonstrates that fine-tuned SLMs can be a practical alternative to LLMs.

The authors created a synthetic Windows event log dataset with remediation actions and fine-tuned small language models (SLMs) using LoRA. The fine-tuned SLMs outperformed large language models (LLMs) in identifying issues and providing relevant remediation while requiring fewer computational resources.

Large language models (LLMs) have shown promise for event log analysis, but their high computational requirements, reliance on cloud infrastructure, and security concerns limit practical deployment. In addition, most existing approaches focus only on the identification of the problem and do not provide actionable remediation. Small language models (SLMs) present a lightweight alternative that can be fine-tuned for a specific purpose and hosted locally. This paper investigates whether SLMs, when fine-tuned for a specific task, can serve as a practical alternative for event log analysis while also generating solutions. We first create a large-scale synthetic Windows event log dataset that contains remediation actions using a high-performing LLM. We then fine-tune multiple SLMs and LLMs using the LoRA parameter-efficient fine-tuning technique and evaluate their performance by comparing with expert assessment. The results show that the dataset accurately reflects real-world scenarios and that fine-tuned SLMs consistently outperform LLMs in identifying issues and providing relevant remediation, while requiring fewer computational resources.
