Author: Hewagama, C.A.
Dates: 2026-02-10; 2025-12
Handle: https://rda.sliit.lk/handle/123456789/4592
Title: Threat Detection Based on Log Analysis for Automating Security Information and Event Management (SIEM) Functionality
Type: Thesis
Language: en
Keywords: Threat detection based; log analysis; automating Security; Security information; event management; (SIEM) functionality

Abstract: The reliance of modern organizations on information systems continues to increase, making these infrastructures frequent targets for malicious activity. System logs represent a primary source of forensic evidence, yet the volume generated by large-scale environments renders manual inspection infeasible. Security Information and Event Management (SIEM) platforms automate log collection and correlation but remain limited in detecting evolving or previously unseen threats. As a result, there is growing interest in augmenting SIEM functionality through Natural Language Processing (NLP) and machine learning. This study investigates lightweight Transformer models as candidates for log-based anomaly detection in SIEM contexts. Two compressed architectures, DistilBERT and TinyBERT, are evaluated under parameter-efficient adaptation strategies: frozen encoders with linear classification heads and Low-Rank Adaptation (LoRA). Log templates are extracted using the Drain algorithm to normalize unstructured log data, and experiments are conducted on two benchmark datasets, BGL and HDFS. A classical baseline using TF-IDF with Logistic Regression is also included for comparison. Evaluation covers both detection metrics (precision, recall, F1-score, PR-AUC, ROC-AUC) and efficiency metrics (latency, throughput, memory usage). The scope of this research is limited to training and evaluation rather than live SIEM deployment. Its contribution lies in assessing the trade-offs between detection accuracy and computational efficiency across lightweight adaptation strategies, providing guidance on configurations most viable for integration into real-time SIEM pipelines.
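The template-extraction step the abstract attributes to Drain is the part of such a pipeline a SIEM engineer most often has to reason about, since every downstream classifier (TF-IDF, frozen encoder, LoRA) sees only the normalized templates. The following is an added illustration, not code from the thesis or the reference Drain implementation: a simplified fixed-depth Drain-style parser run over constructed HDFS-style messages, with the masking regexes and the 0.5 similarity threshold chosen here as assumptions.

```python
import re
from collections import defaultdict
SAMPLE_LOGS = [  # constructed HDFS-style messages, not lines from the HDFS benchmark
    "Receiving block blk_-1608999687919862906 src: /10.250.19.102:54106 dest: /10.250.19.102:50010",
    "Receiving block blk_7503483334202473044 src: /10.251.215.16:55695 dest: /10.251.215.16:50010",
    "PacketResponder 1 for block blk_-1608999687919862906 terminating",
    "PacketResponder 0 for block blk_7503483334202473044 terminating",
    "Exception in receiveBlock for block blk_-1608999687919862906 java.io.IOException: Connection reset by peer",
]

# Domain masks applied before tree lookup (Drain's preprocessing step); patterns are assumed.
MASKS = [
    (re.compile(r"blk_-?\d+"), "<*>"),                      # HDFS block ids
    (re.compile(r"/?\d+\.\d+\.\d+\.\d+(?::\d+)?"), "<*>"),  # IPv4 with optional port
    (re.compile(r"^\d+$"), "<*>"),                          # purely numeric tokens
]

def preprocess(message):
    tokens = []
    for tok in message.split():
        for pattern, wildcard in MASKS:
            tok = pattern.sub(wildcard, tok)
        tokens.append(tok)
    return tokens

class DrainLite:
    """Fixed-depth Drain variant: bucket by token count and first token, then similarity."""
    def __init__(self, sim_threshold=0.5):
        self.st = sim_threshold
        self.groups = defaultdict(list)  # (length, first token) -> list of clusters

    def add(self, message):
        tokens = preprocess(message)
        key = (len(tokens), "*" if tokens[0] == "<*>" else tokens[0])
        best, best_sim = None, -1.0
        for cluster in self.groups[key]:
            sim = sum(a == b for a, b in zip(cluster["template"], tokens)) / len(tokens)
            if sim > best_sim:
                best, best_sim = cluster, sim
        if best is None or best_sim < self.st:
            best = {"template": tokens, "count": 0}  # no close match: start a new template
            self.groups[key].append(best)
        else:  # merge: positions that disagree become wildcards
            best["template"] = [a if a == b else "<*>" for a, b in zip(best["template"], tokens)]
        best["count"] += 1
        return " ".join(best["template"])

def mine_templates(messages, sim_threshold=0.5):
    # Returns the template per message plus the parser; the template sequence is the classifier input.
    parser = DrainLite(sim_threshold)
    return [parser.add(m) for m in messages], parser
```

A message whose tokens mostly disagree with an existing template in the same bucket falls below the threshold and opens a new cluster, which is how rare event types (the anomaly candidates) stay distinguishable from frequent ones.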