Secbert to detect anomalous log entries

Hi, I am using the secbert model to build a SIEM application that detects normal and anomalous log entries. I trained the secbert model using CSIC (web) log entries. During inferencing i am finding that the model is detecting even normal entries as anomalous entries. To keep the training time reasonable to start with i am using 2000 rows (log entries) to train the model. I am using a set of 4 diagnostic log entries for inferencing - 2 normal and 2 anomalous. the model is detecting all the 4 log entries as anomalous. while looking at the raw logits for the 4 entries, there seems to be a small difference in the raw logits, the risk scores are around the same value. How to go about determing what is happenning ? Has anyone used secbert for a similar purpose ? Thanks, Vijay