The large number of smart devices in the intelligent IoT can break down because of malicious attacks and system failures. Workflows mined from system logs are a nonintrusive way to help administrators locate and diagnose anomalies quickly. System logs are usually interleaved, since large-scale IoT devices run many concurrent and asynchronous operations and executions. Consequently, it is challenging to construct an adaptive workflow from these logs and to achieve real-time anomaly detection. To meet this challenge, in this paper we propose a two-stage workflow construction approach named Sysnif, which comprises offline construction and online adjustment. First, a window-based dependence computing method is employed to obtain the context of execution paths. Second, a weight-greedy algorithm is designed to denoise the interleaved system logs effectively. Third, to keep up with variations in system mechanisms, an online micro-iteration adjusting algorithm is presented to update the workflow model. Experimental results show that Sysnif outperforms state-of-the-art methods, such as Logsed, on a dataset of OpenStack logs by 22.4% on recall, while maintaining roughly the same precision. Sysnif achieves an average precision and recall of 93.8% and 94.7%, respectively.