JP2008041041A - Log notification condition definition support apparatus, log monitoring system, program, and log notification condition definition support method - Google Patents

Abstract

It is an object of the present invention to reduce the man-hours required to create a “condition” necessary for detecting a new event including a failure and detecting an update of a known event in a monitored system.
A log notification condition definition support device 7000 is provided that creates candidates for “conditions” that an event detection device 3000 refers to in event detection processing. The log notification condition definition support device 7000 stores and manages the log information output from the monitoring target system 2000 as a database (accumulated log) 4000. The condition candidate creation function 7100 reads the log information and divides it into specific time units. In the time zone, the number of occurrences of the same log information included in the message is counted, and the count value is defined as the condition for the number of occurrences of the log information. A candidate is created and displayed on the GUI screen, and the condition candidate is stored in the database (condition DB) 5000 as a new condition in response to an instruction operation by the administrator 1000.
[Selection] Figure 1

Description

  The present invention relates to a technique for analyzing log information output from application software executed by a computer based on pre-defined conditions and detecting a specific event such as a failure, and is used particularly in analysis. The present invention relates to a technology that efficiently supports definition work and correction work of conditions to be performed.

  In a system using a conventional computer, middleware software such as DBMS (DataBase Management System) can be used to combine various application software, share data, and execute processing simultaneously. is there.

  In these computer systems, various types of information relating to each application software, middleware software, OS (Operating System), network, etc. used are output in a log format or the like.

  There are many monitoring techniques for analyzing such log information by a programmed computer and notifying a system administrator or application software of a failure and various events based on the analysis result.

  For example, in Patent Document 1, information in a log format output from a computer such as a server is analyzed based on the conditions of keywords, the number of times of expression within a specific time zone, the expression interval of each information, and the time of expression. A technique related to a log diagnosis apparatus that outputs and notifies the result when there is information that matches a condition is described.

  The conditions here are for the purpose of specifying the events that have occurred in the server or the like. In the technique described in Patent Document 1, the conditions are appropriately set in advance before analysis. There is a need.

  However, when the system subject to analysis changes, for example, when some application software upgrades, OS upgrades, and network environment changes occur, some of the conditions are changed. May need to be done.

  In that case, it is also necessary to manually investigate how the conditions should be changed. The log information output from each system is enormous, and even a slight change in the environment requires a lot of log information to be created in order to create conditions used to identify the change in the event.

  In addition, when an event that you want to detect newly occurs, for example, for a new failure with a high degree of importance, such as a monitored system being stopped, or for a newly introduced monitored system failure, It becomes necessary to investigate the conditions for detection.

  To create a condition for identifying such a new event, the log information output from each monitored system is accumulated so far, and the log information is output in what pattern when the event occurs. It is necessary to investigate whether there is.

  For example, in Patent Document 2, when a reference value of the operation status is calculated from various internal information output by a server or the like, internal information exceeding the reference value is used as a condition, and internal information that matches the condition is acquired. Describes a technique for determining that a failure has been detected, creating a Web page for notifying the failure, and notifying the administrator.

  However, even in this technology, when there is a change in the configuration of the system to be monitored, or when a new system for monitoring operations is added, the standard value used as a condition is defined from the internal information. In addition, the definition operator must read the internal information output from each server.

  In this way, when changing conditions or creating new conditions, it is necessary to manually investigate the conditions under which the event can be detected based on log information output from each application, etc., and define useful conditions You will spend a lot of time.

JP 2003-91434 A JP 2004-295314 A

  The problem to be solved is that, in the conventional technology, the definition work and the correction work used in the analysis process when detecting a specific event such as a failure from the log information output from the application software, etc. are performed manually. This is a point that requires investigation and takes time to define useful conditions.

  An object of the present invention is to solve these problems of the prior art, analyze log information output from a computer system, and monitor a new event including a failure of the system by a programmed computer. It is possible to improve the efficiency of definition work and correction work of conditions used for processing.

  In order to achieve the above object, the present invention collects and analyzes log information output from application software, an operation system, and the like, and based on a comparison between the analysis result and a condition stored in advance in a storage device. The above conditions in a log monitoring system that detects the occurrence of a specific event such as a failure or various events and notifies the system administrator or application software, etc. are automatically generated by a programmed computer, for example, as follows: . Store the collected log information in the storage device, read out the stored log information and divide it into specific time units, classify the contents of the messages included in the log information in each divided time zone, and the same message The number of occurrences of log information having the above is counted, and the count value is defined as a condition for the number of occurrences of the log information.

  According to the present invention, a system that analyzes log information output from a computer system and monitors a new event including a failure of the system reduces the man-hours and load required for creating conditions used for log analysis processing. Is possible.

  The best mode for carrying out the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of a log monitoring system according to the present invention, in which 3000 is an event detection device (described as “device for detecting an event of a monitored system” in the figure). Based on this, a detection process of an event occurring in the monitored system is performed, and 7000 is a log notification condition definition support device (described as “condition definition support device” in the figure) according to the present invention, and the event detection device 3000 performs the detection process. Generate the conditions to be used.

  Each of the event detection device 3000 and the log notification condition definition support device 7000 constituting the log monitoring system in FIG. 1 has a computer configuration including a CPU (Central Processing Unit), a main memory, a display device, an input device, an external storage device, and the like. After installing a program or data recorded in a storage medium such as a CD-ROM via an optical disk drive or the like into the external storage device, the program is read from the external storage device into the main memory and processed by the CPU. The function of each processing unit is executed.

  First, a conventional monitoring operation by the event detection device 3000 will be described. The event detection device 3000 has application software (1) 2100, (2) 2200, which are components of the monitoring target system 2000, and a database (denoted as “DB (1)” in the figure) by the system operation status log collection function 3100. 2300, network 2400, etc., information related to the system operation status is collected in a log format, log information output from the system operation status log collection function 3100 is received by the log reception function 3200, and the log information received by the event detection function 3300 is received. To detect the event.

  In other words, the event detection function 3300 receives the log information received from the log reception function 3200, and the conditions stored in the storage device as a database (described as “condition DB” in FIG. Used to determine whether or not it is a target), and whether or not the log information matches the conditions, and if the log information meets the conditions, the output is “Event detected” I do.

  In this manner, when an event is detected and identified by log analysis in the event detection function 3300, the event data creation function 3400 creates data for displaying the identified event in a GUI (Graphical User Interface) operation environment. The created event data is displayed on the screen of the display device in the GUI environment by the display function 3500.

  The administrator 1000 of the monitoring target system 2000 confirms the event data displayed on the screen by the display function 3500 in the event detection device 3000, and implements some measures corresponding to the event on the monitoring target system 2000.

  Next, the operation of the log notification condition definition support device 7000 according to the present invention will be described. The log notification condition definition support device 7000 creates candidate conditions stored in a storage device as a database (condition DB) 5000 used by the event detection device 3000 for analysis.

  The log notification condition definition support device 7000 stores log information passed from the log reception function 3200 to the event detection function 3300 as a database (described as “accumulated log DB” in the figure) 4000 and manages the log information.

  Then, the log notification condition definition support device 7000 uses the condition candidate creation function 7100 to use the database (accumulation log DB) 4000 and the database (condition DB) 5000 used by the event detection device 3000 for event detection. (Condition DB) A candidate for a condition to be newly added to 5000 or an update candidate for an existing condition is generated.

  That is, the condition candidate creation function 7100 analyzes the log information stored in the database (accumulation log DB) 4000 using the conditions read from the database (condition DB) 5000, and log information that cannot be captured under the read conditions. Is present, a candidate condition related to the log information is created and stored in a storage device as a database (described as “condition candidate DB” in the figure) 6000 and managed.

  In addition, when a condition for capturing the log information is stored in the database (condition DB) 5000, the condition candidate creation function 7100 analyzes the log information under the condition and does not match the condition (the condition is captured). When a log element is detected, a new condition candidate for capturing the log element is created. For example, an existing condition is copied to create a condition candidate that is modified so that a log element that cannot be captured can be captured.

  In this example, the condition candidate creation function 7100 reads the log information stored in the database (accumulation log DB) 4000 and divides it by a predetermined specific time zone, and sets the log set of time zone (1), time zone ( 2) Log set, ... recognized as a log set of time zone (n), extracting the output pattern of the log information for each time zone (1) to (n), and candidate condition from the extracted output pattern Create

  For example, as an output pattern of log information, the number of times that the log information occurs in each time zone (1) to (n) is obtained, and the obtained number of times is the maximum number of times the log information is expressed in the time zone (Candidate) is created and stored in the database (condition candidate DB) 6000 in association with the log information.

  Further, the log notification condition definition support device 7000 displays the information stored in the database (condition candidate DB) 6000, the database (accumulation log DB) 4000, and the database (condition DB) 5000 by the display log data creation function 7200, respectively. Read and create log data for display that correlates them.

  For example, the display log data creation function 7200 is captured by any condition or condition candidate among the condition candidates stored in the database (condition candidate DB) 6000 and the conditions stored in the database (condition DB) 5000. Create log data for display that remembers

  In addition, the display log data creation function 7200 analyzes the log information stored in the database (accumulation log DB) 4000 using the condition candidates stored in the database (condition candidate DB) 6000 and matches them. Display log data including information on candidate conditions is created.

  Then, the log notification condition definition support device 7000 displays the display log data created by the display log data creation function 7200 in the GUI environment on the screen of the display device by the condition candidate display / edit function 7300.

  The administrator 1000 of the monitoring target system 2000 browses the condition candidates displayed on the screen by the condition candidate display / edit function 7300 in the log notification condition definition support device 7000, and edits the condition candidates by an operation in the GUI environment. .

  The log notification condition definition support device 7000 reflects the editing result from the administrator 1000 in the database (condition candidate DB) 6000 and the database (condition DB) 5000 by the condition candidate display / edit function 7300. For example, the condition candidate display / edit function 7300 stores / updates the condition candidates that the administrator 1000 has decided to adopt as conditions in the database (condition DB) 5000.

  The condition candidate display / edit function 7300 has a function of displaying the display log data created by the display log data creation function 7200 in the form of a distribution chart as shown in FIGS. When the administrator 1000 selects log information using the display log data, each condition candidate that matches the log information is displayed. Further, the administrator 1000 displays some of the condition candidates. When the selection is made, the condition candidate and the contents of the log information matching the condition are displayed.

  In the condition candidate display / edit function 7300, the administrator 1000 selects certain log information from the displayed display log data and relates the log information to a condition candidate different from the currently captured condition candidate. The change is reflected in the database (condition DB) 5000 according to the attached operation.

  The condition candidate creation processing operation by the condition candidate creation function 7100 will be described with reference to FIGS. 2 to 8 using a specific example.

  FIG. 2 is an explanatory diagram illustrating example condition items created by the condition candidate creation function 7100 in FIG. 1 and the condition definition items stored in the storage device as the database (condition DB) 5000.

  In FIG. 2, in the log-unit definition item 100 in the No. 1 record, for each log (A, B, C), message contents (A-1, B-1, C-1) indicating the message contents , The minimum number of expression (A-2, B-2, C-2) indicating how many times the message content is output and the maximum number of expression (A-3, B-) indicating how many times the message content is output 3, C-3) is defined for each log.

  For example, in the uppermost log xxx (A), the value “The System is operating normally” is set as the log message content (A-1), and a log having that value as a message is at least 15 times and at most 20 times. Defines a condition that occurs.

  According to this definition, even if the log information has the same message content (The System is operating normally), this condition is met if it occurs less than 15 times or 21 times or more. It is considered not to.

  For example, the log-unit definition item 100 in the No. 1 record is different for each system, and as a condition, the order of log expression, the expression interval between logs, and the like are added. Also good. In addition, regarding the minimum and maximum number of expression, it may be possible to set 0 or more times to infinity.

  In the record No. 2 flag “whether a failure or normality is met when the condition is met” 200, the administrator 1000 indicates that the event has been detected when the event detection device 3000 meets the condition defined in this item. Notify, but define whether the event type at that time is fault or normal.

  Here, when a failure is selected, the event detection device 3000 notifies the administrator 1000 that the failure event has been detected, for example, by displaying it on the display device. The detection device 3000 notifies the administrator 1000 that a normal event has been detected. In the case of a normal event, the administrator 1000 may not be notified.

  The specific time zone in record No3 means the time zone in which the log is captured and analyzed using the relevant conditions. Here, from 9 am to 6 pm (09:00:00-18:00:00 ). Logs generated outside this time zone are not subject to detection / notification even if there is a set of logs that meet this condition. The specific time period may be designated by the administrator 1000 or a default value may be prepared.

  Further, when adding a condition to the database (condition DB) 5000 and when adding a condition candidate to the database (condition candidate DB) 6000, an identifier (condition ID) that can uniquely identify each is added.

  The contents of condition candidate creation processing in the condition candidate creation function 7100 will be described with reference to FIG. FIG. 3 is a flowchart showing a first processing operation example according to the present invention of the condition candidate creation function in FIG. 1, and the process shown here creates condition candidate data having the condition definition items shown in FIG. The purpose is that.

  In the branch processing in step 7110, it is determined whether or not a condition is stored in the database (condition DB) 5000. If no condition exists, a new condition candidate is created for all log information read from the database (accumulation log DB) 4000. If more than one condition exists, The condition is read to check whether all logs can be captured. If there is a log that cannot be captured, a condition candidate indicating a condition correction proposal is created. The latter process will be described later with reference to FIG. 4, and the former process will be described below.

  The condition candidate creation function 7100 divides log information read from the database (accumulation log DB) 4000 for each specific time zone, and analyzes the output pattern for each time zone. The specific time zone here can be arbitrarily set by the user, and may be set freely, for example, in units of 1 second, units of 1 minute, or units of 1 hour. Also, it may be different, such as 5 minutes when it is 3 hours at some time. Here, it is assumed that 24 hours is one cycle, and the total of all the set time zones is 24 hours.

  If no condition exists in the database (condition DB) 5000, the following processing is performed for each set specific time zone to extract a log output pattern.

  In the iterative process in step 7120, the iterative process is performed for the number of specific time zones. That is, first, log information within a specific time period is read from the database (accumulation log DB) 4000 (step 7120a), and the occurrence frequency (number of occurrences) of log information having the same message string as the message string of each read log information ) Is recorded and stored in the storage device (step 7120b), and the process proceeds to the next log data reading process within the specific time period (step 7120c).

  In addition, when the frequency | count of log information generation | occurrence | production which generate | occur | produces in one time slot | zone changes with days, several pattern data are produced in the time slot | zone. For example, when the number of occurrences of log information in a certain time zone of a certain day is 10 times, but in the same time zone of the next day, the number of times of occurrence of log information is 20 times, in that time zone The pattern data with the number of times of expression of 10 and the pattern data with the number of times of expression of 20 are created.

  In the process of step 7130, all the pattern data created in the process of step 7120 is read (step 7130a), and each pattern data is classified and grouped for each time zone (A, B, C) (step 7130b).

  After the processing in step 7130, the iterative processing in step 7140 is repeated by the number of specific time zones (A, B, C) (step 7135). In the processing of step 7140, the processing in steps 7141 and 7142 is repeated for the number of pattern data in the specific time zone (A, B, or C), and the conditions in that time zone (A, B, C) are determined. Create candidate data.

  The process of step 7141 is a process when the first pattern data is handled, and the process of step 7142 is a process when the second and subsequent pattern data is handled (step 7140a).

  In the process of step 7141, the message content in each log information is read from the pattern data, condition candidate data is created with the configuration of the condition definition items shown in FIG. 2 (step 7141a), and the number of occurrences of the pattern data is set as a condition. By setting the minimum number of times of expression and the maximum number of times of expression of the candidate data (step 7141b) and setting a specific time zone (step 7141c), the message content of the log handled by the pattern data, the number of times of expression of each log, and Condition candidate data consisting of a specific time zone is newly created and temporarily stored in the storage device. Thus, in the case of the first pattern data, the same value (the same value as the number of expression of pattern data) is set for both the minimum expression count and the maximum expression count.

  The processing in the case of handling pattern data for the second and subsequent times in step 7142 is to improve the accuracy by correcting the condition candidate data created with the first pattern data in the processing of step 7141.

  First, it is determined whether or not a log message of the pattern data exists in the condition candidate data (step 7142a). If not, the log message is added to the condition candidate data and the number of occurrences is recorded ( Step 7142b).

  At this time, the number of times this log message is expressed is set to the maximum number of times and 0 is set to the minimum number of times. The reason why the minimum number of times of expression is set to 0 is that there is a case where the output is 0 times because the log is not output in the first pattern data.

  If the log message of the pattern data also exists in the condition candidate data as a result of the determination processing in step 7142a, the number of expression in the condition candidate data of the log message is compared with the number of expression in the pattern data, and the number of expression in the pattern data Whether or not the maximum number of times of expression in the condition candidate data is exceeded (step 7142c). If so, the maximum number of times of expression in the condition candidate data is updated with the number of times of expression in the pattern data (step 7142d). ).

  If the number of occurrences in the pattern data of the log message does not exceed the maximum number of occurrences in the condition candidate data as a result of the determination processing in step 7142c, then the number of occurrences in the pattern data of the log message is It is determined whether or not the minimum expression count in the data is reached (step 7142e). If the minimum expression count is not reached, the minimum expression count in the condition candidate data is updated with the expression count in the pattern data (step 7142f). ).

  In this way, the condition candidate data created by the iterative process in step 7140 and temporarily stored in the storage device is stored in the database (condition candidate DB) 6000 by the process in step 7150 (step 7150a).

  Next, the processing operation in the case where one or more conditions exist in the database (condition DB) 5000 in the branch process in step 7110 will be described with reference to FIG.

  FIG. 4 is a flowchart showing a second processing operation example according to the present invention of the condition candidate creation function in FIG. 1, and the processing flow shown here is a log that cannot be captured under the conditions having the condition definition items shown in FIG. When information is generated, a new condition candidate that captures the log information is created, and a condition candidate that is modified the existing condition so that the log information can be captured under the existing condition It is an object.

  In the process of step 7160, the process of steps 7160a to 7160g is repeated as many times as the number of specific time zones as follows to create log pattern data that cannot be supplemented. First, log information is read from the database (accumulation log DB) 4000 for each specific time zone (step 7160a), and conditions set in the same time zone are read from the database (condition DB) 500 (step 7160b).

  Next, each log information is analyzed under each read condition, and the log information captured under the condition is recorded in the storage device (steps 7160c to 7160e), and is not captured in the analysis under all conditions. It is determined whether or not a log exists (step 7160f). If there is a log that cannot be captured, pattern data of the log is created and stored in the storage device (step 7160g).

  After the processing of step 7160, the processing of steps 7130 and 7140 described in FIG. 3 is performed, and then the processing of step 7170 is executed.

  The process of step 7170 is a process of creating a “revision candidate” in particular for the conditions. Steps 7170c to 7170h are as many as the number of conditions defined in the specific time zone and the number of pattern data for each specific time zone. The process is repeated (steps 7170a and 7170b), and a condition “correction candidate (condition candidate data)” is created.

  First, it is determined whether there is a log that does not exist in the condition in the pattern data (step 7170c). If a log that does not exist in the condition exists in the pattern data, condition candidate data obtained by copying the condition is stored. Is created, a log that exists only in the pattern data is added, the number of times of expression in the pattern data is set as the maximum number of times of expression, and 0 is set as the minimum number of times of expression (step 7170d).

  If the log in the pattern data exists in the condition as a result of the determination processing in step 7170c, whether or not the number of times of expression of the pattern data exceeds the maximum number of times of expression in the condition (step 7170e), Alternatively, it is determined whether or not the number of times of expression is less than the minimum number (step 7170g).

  If the number of expression times of the pattern data exceeds the maximum number of expression times in the condition, condition candidate data in which the maximum number of expression times in the condition is updated with the number of expression times in the pattern data is created and stored in the storage device (step 7170f). If the number of expression times of the pattern data is less than the minimum number of expression times in the condition, condition candidate data in which the minimum expression number of times in the condition is updated with the number of expression times of the pattern data is created and stored in the storage device (step 7170h). .

  In this manner, the condition candidate data created by the processing in step 7140 and the processing in step 7170 and stored in the storage device is stored in the database (condition candidate DB) 6000 by the processing in step 7150 (step 7150a).

  Next, a processing operation example of the display log data creation function 7200 in FIG. 1 will be described with reference to FIG. The display log data creation function 7200 in FIG. 1 analyzes the log data read from the database (accumulation log DB) 4000 using the conditions of the database (condition DB) 5000 and the condition candidates of the database (condition candidate DB) 6000. The log data for display in which the condition that matches the log data and the condition ID of the condition candidate is additionally created is created.

  FIG. 5 shows an example of the log data 51 and the display log data 52. In the display log data 52 created from the log data 51 by the display log data creation function 7200, The matched condition and the condition ID of the condition candidate are added.

  In the display log data 52 shown in FIG. 5, a condition ID starting with “Cdd” represents a condition candidate, and a condition ID starting with “Cdt” represents a condition. Note that the display log data 52 has a No. As shown in FIG. 2, there may be logs in which a plurality of conditions and condition candidates match.

  Next, the processing operation of the condition candidate display / editing function 7300 in FIG. 1 will be described with reference to FIGS. FIG. 6 is an explanatory diagram showing a first processing operation example according to the present invention of the condition candidate display / editing function in FIG. 1, and FIG. 7 shows a first example of the condition candidate displaying / editing function according to the present invention in FIG. FIG. 8 is an explanatory diagram showing a third processing operation example according to the present invention of the condition candidate display / editing function in FIG.

  The condition candidate display / edit function 7300 in FIG. 1 first generates display data 61 having the contents shown in FIG. 6 by using the display log data 52 created by the display log data creation function 7200, and displays the screen of the display device. Display above.

  The display data 61 is first displayed on the screen after the administrator 1000 logs in. Here, the display data 61 indicates the presence / absence of a condition candidate for each time period (A to G).

  In the display data 61, when the administrator 1000 selects the time zone (A) in which the condition candidate is “present”, the condition candidate display / edit function 7300 displays the display log data 52 illustrated in FIG. All the condition candidates in the time zone A are read from the above, and the information of the contents exemplified in the condition candidate list 71 in FIG. 7 is generated and displayed on the screen of the display device.

  The condition candidate display / edit function 7300 reads log messages in all time zones (B to G) including the time zone A from the display log data 52 of FIG. A log distribution diagram 72 divided into time zones (A to G) is generated and displayed on the display device as a GUI screen together with the condition candidate list 71.

  In the condition candidate list 71 in FIG. 7, there is an item “new / update”, “new” is a newly created condition candidate, and “update” is created based on an existing condition for condition correction. It shows that it is a condition candidate. In addition, the conditions for each log message are displayed.

  Using the GUI screen including the condition candidate list 71 and the log distribution chart 72 as described above, the administrator 1000 selects condition candidates to be adopted as conditions. FIG. 8 shows a screen display example when the administrator 1000 performs a selection operation on the GUI screen in FIG.

  For example, in FIG. When the new condition candidate ID “Cdd-00334” 2 is selected and the “OK” button is pressed, the condition candidate display / editing function 7300 reflects the condition candidate data in the database (condition DB) 5000.

  When the administrator 1000 selects a condition candidate on the display screen shown in FIG. 8, the condition candidate display / edit function 7300 displays the log captured by the condition candidate in the log distribution chart 82 in a different color. To do.

  In addition, the condition candidate display / edit function 7300 associates the selected log message with the selected existing condition and other condition candidates in response to the selection operation on the display screen in FIGS. To do.

  As described above with reference to FIGS. 1 to 8, in this example, the event detection device 3000 executes computer processing based on a program, and monitors the monitoring target system 2000 (monitoring target system 2000) such as application software and an operation system. Log information output from a computer system) is collected and analyzed, and based on a comparison between the analysis result and notification condition information stored in advance as a database (condition DB) 5000 in a storage device, a failure, various events, etc. The occurrence of a specific event is detected and notified to the administrator 1000 of the monitoring target system 2000.

  For example, the number of occurrences of a log message included in log information output from the monitoring target system 2000 in a predetermined unit time is one piece of notification condition information stored as a database (condition DB) 5000 in the storage device in advance. If the expression number condition stored in correspondence with the log information is met, the log information is notified.

  In addition, the log notification condition definition support device 7000 executes computer processing based on a program and stores notification condition information stored and managed via a storage device as a database (condition DB) 5000 referred to by the event detection device 3000. Generate as follows.

  Log information is stored in a storage device, the stored log information is read out and divided into specific time units, the contents of the messages included in the log information are classified in each divided time zone, and have the same message The number of occurrences of log information is counted, and the count value is defined as a condition for the number of occurrences of the log information.

  Then, the created condition candidates are displayed, and the selected condition candidates are stored in the database (condition DB) 5000 as new conditions according to the selection instruction operation of the administrator 1000.

  More specifically, the log notification condition definition support device 7000 stores the log information collected from the monitoring target system 2000 by the system operation status log collection function 3100 as a database (accumulation log DB) 4000 in a storage device. Candidate creation function 7100 reads each log information from this database (accumulated log DB) 4000, classifies each log information into preset time zone units based on the log onset time included in each log information, and the same time The message included in each log information in the belt is compared and the number of log information including the same message is counted, and this count value is set as the expression frequency condition, and the log information including the expression frequency condition and the time zone is Notification condition information candidates are generated and stored as a database (condition candidate DB) 6000 in the storage device.

  In addition, the condition candidate creation function 7100 is configured so that the log information read from the database (accumulation log DB) 4000 includes each condition including the expression frequency condition that constitutes the notification condition information stored in the storage device as the database (condition DB) 5000 in advance. If it is captured by any of the elements and not captured by any of the elements, a new notification condition information candidate is generated by modifying the notification condition information so that the uncaptured condition element is captured, and a database (condition candidate DB) 6000 is generated. Is stored in the storage device.

  Then, the log notification condition definition support device 7000 reads and displays the notification condition information candidates stored in the storage device as the database (condition candidate DB) 6000 by the display log data creation function 7200 and the condition candidate display / edit function 7300. When the reflection instruction information from the administrator 1000 is input to the notification condition information candidate displayed on the display device screen in this way via the input device, the condition candidate display / editing is performed. The function 7300 stores the notification condition information candidate in the database (condition DB) 5000 as notification condition information referred to by the event detection device 3000.

  Further, the log notification condition definition support device 7000 uses the display log data creation function 7200 and the condition candidate display / edit function 7300 to notify each log information collected and stored in the storage device as a database (accumulated log DB) 4000. Information indicating which of the condition information and the notification condition information candidate is captured is generated and displayed on the screen of the display device.

  In addition, the log notification condition definition support device 7000 is an editing instruction that instructs the administrator 1000 to correct each condition element including the expression frequency condition constituting the notification condition information for the notification condition information candidate displayed on the screen of the display device. When the information is input via the input device, the condition candidate display / editing function 7300 corrects the notification condition information candidate according to the editing instruction information, and then stores it in the database (condition DB) 5000.

  In this way, in this example, in order to reduce the creation of conditions, the log output from each application, etc. is read, the condition candidates that can be expected to be used as useful conditions are created, and the created condition candidates Are presented in a form that is easy for the administrator 1000 to edit.

  This makes it possible to reduce the man-hours required to create conditions necessary for detecting a new event including a failure and detecting an update of a known event. Moreover, since the administrator 1000 can visually confirm the effectiveness of the condition, the maintainability of the condition is also improved.

  In addition, this invention is not limited to the example demonstrated using each figure, In the range which does not deviate from the summary, various changes are possible. For example, in this example, when the event detection device 3000 detects the occurrence of a specific event such as a failure or various events, the event detection device 3000 notifies the administrator 1000 of the monitored system 2000, but notifies the detection result to application software or the like. You can do it.

  Also, in this example, when the number of log information occurrences occurring in a certain time zone varies from day to day, a plurality of pattern data is created in that time zone. When the number of times of expression of log information is larger than the number of times of expression defined in the conditions managed in the database (condition DB) 5000, the maximum number of times of expression of the condition is updated, If the number of occurrences is less than the number of occurrences defined in the condition, a condition correction candidate is created when there is a log that cannot be captured under previously created conditions, such as updating the minimum number of occurrences of the condition. You can do it.

  Further, regarding the computer configuration example of the event detection device 3000 and the log notification condition definition support device 7000, in this example, each is configured by an individual computer, but the event detection device 3000 and the log notification condition definition in the same computer. It is good also as a structure which provided the function of the assistance apparatus 7000. FIG.

  In this example, log information accumulated in the database (accumulation log DB) 4000 is collected by using the system operation status log collection function 3100 in the event detection device 3000. This system operation status log collection function 3100 A separate collection function may be provided in the condition definition support apparatus 7000.

  In this example, an FD (Flexible Disk) or the like may be used as the recording medium in addition to the optical disk. As for the program installation, the program may be downloaded and installed via a network via a communication device.

It is a block diagram which shows the structural example of the log monitoring system which concerns on this invention. It is explanatory drawing which shows each definition item example of the conditions memorize | stored in the memory | storage device as a condition candidate and database (condition DB) which the condition candidate creation function in FIG. 1 produces. 3 is a flowchart showing a first processing operation example according to the present invention of a condition candidate creation function in FIG. 1. It is a flowchart which shows the 2nd processing operation example which concerns on this invention of the condition candidate creation function in FIG. FIG. 2 is an explanatory diagram illustrating a configuration example of display log data created by a display log data creation function in FIG. 1. It is explanatory drawing which shows the 1st processing operation example which concerns on this invention of the condition candidate display / edit function in FIG. It is explanatory drawing which shows the 2nd processing operation example which concerns on this invention of the condition candidate display / edit function in FIG. It is explanatory drawing which shows the 3rd processing operation example which concerns on this invention of the condition candidate display / edit function in FIG.

Explanation of symbols

  51: Log data, 52: Display log data, 61: Display data, 71, 81: Condition candidate list, 72, 82: Log distribution chart, 100: Definition item of log unit, 200: Flag (when the condition is met) 300: specific time zone, 1000: administrator, 2000: monitored system, 2100, 2200: application (1), (2), 2300: database (DB) ( 1) 2400: Network, 3000: Event detection device (device for detecting an event of the monitored system), 3100: System operation status log collection function, 3200: Log reception function, 3300: Event detection function, 3400: Event data creation Function, 3500: Event data display function, 4000: Database (accumulation log DB), 5000: Database ( Matter DB), 6000: database (condition candidate DB), 7000: log notification conditions definition support apparatus, 7100: condition candidate creation function, 7200: display log data creation function, 7300: condition candidate display and editing functions.

Claims (12)

The number of occurrences of the log message included in the log information output from the computer system to be monitored in a predetermined unit time is stored in advance in the storage device as one piece of notification condition information corresponding to the log information. A log notification condition definition support device that generates a candidate for the notification condition information referred to by the event detection device that performs the notification processing of the log information if the expression number condition is met,
Means for collecting log information output from the monitored computer system and storing it in a storage device;
Means for reading out the log information from the storage device and classifying each log information into preset time zone units based on the log onset time included in each log information;
Compare the messages included in each log information within the same time zone, count the number of log information containing the same message, the count value as the expression frequency condition, including the expression frequency condition and the time zone, A log notification condition definition support device, characterized by comprising means for generating notification condition information candidates for log information and storing them in a storage device. The log notification condition definition support device according to claim 1,
When log information read from the storage device is captured by any of the condition elements including the expression frequency condition constituting the notification condition information stored in the storage device in advance, and is not captured by any of the condition elements, the log information is not captured A log notification condition definition support device comprising means for generating a new notification condition information candidate in which the notification condition information is corrected so as to capture a condition element and storing the candidate in the storage device. The log notification condition definition support device according to claim 1 or 2,
Means for reading the notification condition information candidate from the storage device and displaying it on the screen of the display device;
Means for storing the notification condition information candidate in the storage device as the notification condition information referred to by the event detection device when the reflection instruction information for the notification condition information candidate displayed on the screen of the display device is input from the input device; A log notification condition definition support device. The log notification condition definition support device according to claim 3,
The log information collected and stored in the storage device includes means for generating information indicating whether the log information is captured by the notification condition information or the notification condition information candidate and displaying the information on the screen of the display device. A log notification condition definition support device as a feature. The log notification condition definition support device according to any one of claims 1 to 4,
When editing instruction information for instructing correction of each condition element including the expression frequency condition constituting the notification condition information for the notification condition information candidate displayed on the screen of the display device is input from the input device, the editing instruction information A log notification condition definition support device comprising means for storing in a storage device as notification condition information referred to by the event detection device after correcting the notification condition information candidate according to the above. If a log message included in log information output from the computer system to be monitored is stored in advance as one of the notification condition information in the storage device, an event detection device that performs notification processing of the log information;
A log monitoring system comprising the log notification condition definition support device according to any one of claims 1 to 5.   The program for functioning a computer as each means in the log notification condition definition assistance apparatus in any one of Claims 1-5. The number of occurrences of the log message included in the log information output from the computer system to be monitored in a predetermined unit time is stored in advance in the storage device as one piece of notification condition information corresponding to the log information. A log notification condition definition support method for generating a candidate for the notification condition information referred to by the event detection device that performs the notification process of the log information if the expression number condition is met,
Collecting log information output from the monitored computer system and storing it in a storage device;
A procedure for reading the log information from the storage device and classifying each log information into preset time zone units based on the log onset time included in each log information;
Compare the messages included in each log information within the same time zone, count the number of log information containing the same message, the count value as the expression frequency condition, including the expression frequency condition and the time zone, A log notification condition definition support method comprising: generating a notification condition information candidate for the log information and storing the candidate notification condition information in a storage device. The log notification condition definition support method according to claim 8,
When log information read from the storage device is captured by any of the condition elements including the expression frequency condition constituting the notification condition information stored in the storage device in advance, and is not captured by any of the condition elements, the log information is not captured A log notification condition definition support method comprising a procedure of generating a new notification condition information candidate in which the notification condition information is corrected so as to capture a condition element and storing the candidate in the storage device. A log notification condition definition support method according to any one of claims 8 and 9,
A procedure for reading the notification condition information candidate from the storage device and displaying it on the screen of the display device;
When reflecting instruction information for the notification condition information candidate displayed on the screen of the display device is input from the input device, the notification condition information candidate is stored in the storage device as the notification condition information referred to by the event detection device; A log notification condition definition support method characterized by comprising: The log notification condition definition support method according to claim 10,
Each log information collected and stored in the storage device has a procedure for generating information indicating whether the log information is captured by the notification condition information or the notification condition information candidate and displaying the information on the screen of the display device. A characteristic log notification condition definition support method. A log notification condition definition support method according to any one of claims 8 to 11,
When editing instruction information for instructing correction of each condition element including the expression frequency condition constituting the notification condition information for the notification condition information candidate displayed on the screen of the display device is input from the input device, the editing instruction information A log notification condition definition support method, comprising: a step of storing the notification condition information candidate in accordance with the information stored in the storage device as notification condition information referred to by the event detection device.

Images