JP2021069009A - Information processing system, information processing system control method, information processing device, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize monitoring of a state of a monitoring target using a plurality of monitoring means in a more preferable manner. An information processing system according to the present invention includes an acquisition means for acquiring a message according to a result of the monitoring from each of a plurality of monitoring means for monitoring a state based on different monitoring conditions, and the plurality of monitoring means. According to the generation means for generating event data based on the message acquired from at least one of the monitoring means, the extraction means for extracting the event data based on the predetermined extraction conditions, and the extraction result of the event data. An output control means for controlling the output of output information is provided. [Selection diagram] Fig. 1

Description

The present disclosure relates to an information processing system, a control method of the information processing system, an information processing device, and a program.

Various monitoring tools may be used to monitor the status of systems and computers. Such a monitoring tool monitors the status of a monitoring target such as a server, network, application, etc., and when it detects the occurrence of an event presumed to be abnormal, it outputs a message or the like to a user (for example, an administrator or the like). ) Is notified of information. As a result, the user can recognize the occurrence of the abnormality and quickly respond to the abnormality. For example, Patent Document 1 discloses an example of a technique for monitoring the state of a system or a computer.

In particular, in recent years, there have been cases where a system larger than the conventional one, such as a so-called cloud system, has been introduced, and a technology that further reduces the burden on the user related to system management by using a monitoring tool. Is attracting attention.

JP-A-2002-252614

By the way, in recent years, various monitoring tools have been proposed, and among these, monitoring tools having different monitoring targets (for example, servers, networks, applications, etc.) and monitoring methods are also included. Therefore, for each monitoring tool, the function and performance related to monitoring the state of the monitored target may differ depending on the type of monitored target, the conditions related to monitoring (for example, restrictions), and the like.

In particular, in a large-scale system, there are cases where more servers, networks, applications, and the like operate in cooperation with each other to affect each other. Under such circumstances, the effects of functional differences and performance differences for each monitoring tool according to the type of monitoring target and the conditions related to monitoring may become more noticeable. Against this background, there is a demand for the realization of a technique that enables monitoring of the state of a monitored object using a plurality of monitoring means (for example, a monitoring tool).

Therefore, the present disclosure proposes a technique that makes it possible to monitor the state of a monitored object using a plurality of monitoring means in a more preferable manner.

The information processing system according to the present invention includes an acquisition means for acquiring a message according to the result of the monitoring from each of a plurality of monitoring means for monitoring the state based on different monitoring conditions, and at least one of the plurality of monitoring means. A generation means that generates event data based on the message acquired from the above monitoring means, an extraction means that extracts the event data based on predetermined extraction conditions, and output of output information according to the extraction result of the event data. It is provided with an output control means for controlling the above.

It is possible to monitor the state of the monitored object using a plurality of monitoring means in a more preferable manner.

FIG. 1 is a block diagram showing an example of the functional configuration of the monitoring system. FIG. 2 is a diagram showing an example of the hardware configuration of the information processing device. FIG. 3 is a flowchart showing an example of processing of the monitoring system. FIG. 4 is a diagram showing an example of a message output for each monitoring tool. FIG. 5 is a diagram showing an example of a method of defining the conditions for determining the state by the filter.

Preferred embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. In the present specification and the drawings, components having substantially the same functional configuration are designated by the same reference numerals, so that duplicate description will be omitted.

<Overview>
First, the outline of the monitoring system according to the present embodiment will be described. In the following description, the monitoring system according to the present embodiment will be referred to as "monitoring system 100" for convenience in order to distinguish it from other systems. The monitoring system 100 monitors the state of the system to be monitored by using a plurality of monitoring units (for example, a monitoring tool), and outputs information according to the result of the monitoring to a predetermined output destination. In the present disclosure, the system to be monitored may be a system realized by a plurality of devices, or may be a system realized by one device.

The plurality of monitoring units used by the monitoring system 100 may include two or more monitoring units that monitor the state of a desired monitoring target based on different monitoring conditions. As a specific example, the monitoring system 100 may monitor the state of a desired monitoring target by using two or more monitoring units having different types of monitoring targets and monitoring methods.
Further, an existing monitoring unit may be used. As a specific example, the monitoring system 100 may use a monitoring tool published as OSS (Open Source Software) as at least a part of the plurality of monitoring units.

The monitoring system 100 can also estimate the state of the system to be monitored by combining the monitoring results of each of the plurality of monitoring units. This makes it possible to estimate a state that is difficult to estimate only from the monitoring results of individual monitoring units.

As a specific example, it is assumed that the monitoring unit A outputs a message indicating that the load of the CPU (Central Processing Unit) has exceeded the threshold value according to the monitoring result. From this monitoring result alone, it may be presumed that the load on the CPU is increasing due to the occurrence of some abnormality in the system. On the other hand, some of the normal processes scheduled to be executed, such as backup jobs, have a relatively large load associated with the execution. Therefore, for example, it is assumed that immediately before the monitoring unit A outputs the above message, another monitoring unit B outputs a message indicating that an event for starting a backup job has been detected according to the monitoring result. In this case, the load on the CPU increases with the execution of the backup job based on the messages output from each of the monitoring unit A and the monitoring unit B, so that the monitoring result of the monitoring unit A is due to normal operation. It becomes possible to recognize that there is.

Further, as another example, it is assumed that the monitoring unit A outputs a message indicating that the process of the Web server has stopped according to the monitoring result. From this monitoring result alone, it may be presumed that the process of the Web server has stopped due to some abnormality occurring in the system. On the other hand, for example, immediately before the monitoring unit A outputs the above message, another monitoring unit B sends an event indicating that the scale-in of the Web server has been executed by the cloud provider according to the monitoring result. It is assumed that a message indicating that the detection has been output has been output. The scale-in of the Web server occurs irregularly according to the increase or decrease in the number of requests, but at that time, the process of the Web server may be stopped. Therefore, in this case, based on the messages output from each of the monitoring unit A and the monitoring unit B, the process of the Web server is stopped due to the scale-in of the Web server, so that the monitoring result of the monitoring unit A is normal. It becomes possible to recognize that it is due to the operation.

As illustrated above, the monitoring system 100 specifies information (messages) output from each of the plurality of monitoring units according to the monitoring results in a predetermined format, and is an event for each event targeted for state detection. Generate data.
The message indicates, among the information output by each monitoring unit according to the monitoring result, the information expressed in character information in particular. Further, the event data is data generated by the monitoring system 100 in association with at least a part of the information included in the message output from each monitoring unit in association with the event corresponding to the desired event.
The monitoring system 100 may generate one event data by associating a plurality of information (messages) when generating the event data. Further, the monitoring system 100 may extract a plurality of pieces of information from one message and generate event data for each piece of information. As described above, in the monitoring system 100, event data is generated for each detection unit related to the state detection.

Then, the monitoring system 100 divides the generated series of event data into event data indicating a normal state and event data indicating an abnormal state based on a filter according to the format related to the generation of the event data. .. As a result, a series of event data can be distributed based on desired conditions without depending on a rule unique to each monitoring unit (for example, a rule related to the regulation of the filter).
Further, the monitoring system 100 may determine either normal or abnormal based on a combination of two or more event data extracted based on a predetermined condition. With such a configuration, it is possible to carry out monitoring that makes use of the functional differences and performance differences of each monitoring tool according to the type of monitoring target and the conditions related to monitoring, and to grasp the status of the monitoring target more accurately. Is possible.

Therefore, the monitoring system 100 according to the present embodiment will be described in more detail below, paying particular attention to the functional configuration and processing for realizing the above-mentioned features.

<Functional configuration>
An example of the functional configuration of the system 1 including the monitoring system 100 according to the present embodiment will be described with reference to FIG. FIG. 1 is a block diagram showing an example of the functional configuration of the system 1. The system 1 includes one or more monitoring targets 190 and a monitoring system 100. The monitoring system 100 corresponds to a configuration for realizing monitoring of the state of each of one or more monitoring targets 190 in the system 1. The monitoring target 190 schematically shows a monitoring target for condition monitoring by the monitoring system 100. In addition, at least the part corresponding to the monitoring system 100 in the system 1 corresponds to an example of the "information processing system" according to the present embodiment.

In the present embodiment, the monitoring target 190 targeted by the monitoring system 100 for status monitoring may have a hardware configuration or a software configuration. An example of the monitoring target 190 as a hardware configuration includes hardware such as a server, a network switch, and a storage. Further, as an example of the monitoring target 190 as a software configuration, an OS (Operating System), a hypervisor, middleware, a database, an application, a container, and the like can be mentioned. The so-called network can also be included in the monitoring target 190. In this case, both the physical network and the logical network defined to include one or more physical networks may be included in the monitored object 190.
Further, even when an information processing device such as a server is to be monitored, the information processing device may be realized by software by using a so-called virtual machine. In this case, both the information processing device as hardware for operating the virtual machine and the information processing device for software operation on the virtual machine can be included in the monitoring target 190. Further, under such a situation, for example, it can be assumed that a plurality of hardware-like information processing devices are operated as if they are software-like one information processing device. Even in such a case, each of the plurality of hardware-like information processing devices and the information processing device operated by software can be included in the monitoring target 190.
Further, each of the plurality of monitoring targets 190 shown in FIG. 1 may be monitoring targets of different types.

The monitoring system 100 includes a plurality of monitoring units 110, an event generation unit 121, a message storage unit 122, an event extraction unit 123, a rule storage unit 124, an event storage unit 125, an output control unit 126, and an output unit. Includes 127 and. In the example shown in FIG. 1, it is assumed that the monitoring units 110a and 110b having different characteristics are included as the plurality of monitoring units 110.

The monitoring unit 110 monitors the status of one or more monitoring targets 190 based on predetermined monitoring conditions. The monitoring units 110a and 110b may monitor the status of one or more monitoring targets 190 based on different monitoring conditions. Further, each of the monitoring units 110a and 110b may monitor the states of different monitoring targets 190 (for example, different types of monitoring targets 190).

As a specific example, at least a part of the monitoring unit 110 may monitor the state of the monitored object 190, particularly the state related to the performance of the monitored object 190. Examples of performance-related states include CPU usage rate, working area usage rate such as RAM (Random Access Memory), usage rate of areas for storing various data such as auxiliary storage devices, and network communication speed. And so on.
Further, as another example, at least a part of the monitoring units 110 may monitor the state of the monitored target 190 by monitoring the history sequentially recorded in the file of the predetermined storage area in the monitored target 190. .. In this case, for example, when the monitoring unit 110 detects that a history of a predetermined type has been recorded in the monitoring target 190, the monitoring unit 110 determines the state of the monitoring target 190 according to the detection result of the history. May be good.
Of course, the above is only an example, and does not necessarily limit the monitoring conditions related to the monitoring of the state of the monitored object 190 by the monitoring unit 110. For example, the monitoring conditions may be determined depending on which type of monitoring target 190, such as an application, a container, a hypervisor, an OS, hardware, or a network, is to be monitored. In addition, monitoring conditions may be determined according to the monitoring tool used as the monitoring unit 110.
Further, the monitoring method of the monitoring target 190 by the monitoring unit 110 may be appropriately changed according to the type of the monitoring target 190. For example, when monitoring another device, the monitoring unit 110 may monitor the device based on the information by collecting various information from the device via the network.

The monitoring unit 110 outputs information according to the monitoring result of the state of the monitoring target 190 to a predetermined output destination. In the following, in order to make the features of the monitoring system 100 according to the present embodiment easier to understand, the monitoring unit 110 specifies a message in which information corresponding to the monitoring result of the state of the monitoring target 190 is indicated by character information. It shall be output to the output destination of.
The message output from the monitoring unit 110 is used by the event generation unit 121, which will be described later. Therefore, for example, the monitoring unit 110 may directly output a message according to the monitoring result to the event generation unit 121. Further, as another example, the monitoring unit 110 may store a message according to the monitoring result in a predetermined storage area. The message storage unit 122 indicates a storage area for storing a message output from the monitoring unit 110. In this case, the event generation unit 121 may extract and use the message stored in the message storage unit 122.

Of the plurality of monitoring units 110, the conditions related to the monitoring of the state of the monitored target 190 by some of the monitoring units 110 correspond to an example of the "first monitoring condition", and some of the other monitoring units 110. The condition relating to the monitoring of the state of the monitoring target 190 by the above corresponds to an example of the "second monitoring condition". Further, the message output from the monitoring unit 110 corresponding to the monitoring result based on the first monitoring condition corresponds to an example of the "first message". Similarly, the message output from the monitoring unit 110 corresponding to the monitoring result based on the second monitoring condition corresponds to an example of the "second message".
As a more specific example, among the conditions relating to the monitoring of the state of the monitoring target 190, the monitoring condition relating to the performance of the monitoring target 190 corresponds to an example of the "first monitoring condition". Further, among the conditions relating to the monitoring of the state of the monitoring target 190, the monitoring condition relating to the history sequentially recorded in the monitoring target 190 corresponds to an example of the "second monitoring condition".
The monitoring unit 110 that monitors the state of the monitoring target 190 based on the first monitoring condition may be referred to as a "first monitoring means" for convenience. Similarly, the monitoring unit 110 that monitors the state of the monitored object 190 based on the second monitoring condition may be referred to as a "second monitoring means" for convenience.

The event generation unit 121 generates event data for each event that the monitoring system 100 targets for state detection, based on a message output by the monitoring unit 110 according to the monitoring result of the state of the monitoring target 190. For example, the event generation unit 121 may generate event data for each message output by each monitoring unit 110. Further, as another example, the event generation unit 121 may generate one event data based on a plurality of messages. Further, the event generation unit 121 may extract a plurality of information included in one message and generate event data for each of the information.

The event generation unit 121 uses a common format when generating event data, regardless of the monitoring unit 110 that is the output source of the message.
On the other hand, the messages output from each of the plurality of monitoring units 110 may be described in different formats for each monitoring unit 110 that is the output source. Therefore, the event generation unit 121 extracts the information in the message by analyzing the message output from each of the plurality of monitoring units 110 based on the format associated with the monitoring unit 110, and based on the extracted information. Event data may be generated.
In addition, one message may contain information about a plurality of events. In such a case, the event generation unit 121 analyzes the target message based on the format associated with the monitoring unit 110 that is the output source of the message, thereby providing information corresponding to each of the plurality of events. Can be extracted individually. In this case, as described above, the event generation unit 121 may generate event data for each of the extracted information.
Further, when the event generation unit 121 estimates or recognizes that the plurality of messages are related based on the information extracted from each of the plurality of messages, the event generation unit 121 associates the plurality of messages with one event data. May be generated.
Information about the format associated with each monitoring unit 110 may be stored in a storage area (for example, a rule storage unit 124 described later) that can be referred to by the event generation unit 121. Further, the format associated with the monitoring unit 110 (that is, the format unique to each monitoring unit 110) corresponds to an example of the "first format".

Further, the event generation unit 121 may extract a part of the series of messages output from each of the plurality of monitoring units 110 and use them for event generation. In other words, the event generation unit 121 does not necessarily have to generate event data for all the series of messages output from each of the plurality of monitoring units 110. In this case, the event generation unit 121 may extract the message to be used for event generation by filtering a series of messages output from each of the plurality of monitoring units 110 based on a predetermined condition. The conditions for extracting the message may be appropriately set according to the type of the monitoring unit 110 that uses the message for generating the event and the event for which the event is to be generated.

The details of the process related to the event generation by the event generation unit 121 will be described later together with a specific example. Then, the event generation unit 121 outputs the generated event to the event extraction unit 123.

The event extraction unit 123 acquires the event data generated from the event generation unit 121. The event extraction unit 123 extracts at least a part of the event data by filtering the acquired series of event data based on a predetermined extraction condition. As a specific example, the event extraction unit 123 may extract event data including a predetermined character string from the generated series of event data. The information indicating the extraction conditions related to the extraction of the event data may be stored in advance in a predetermined storage area that can be referred to by the event extraction unit 123. For example, the rule storage unit 124 may store information indicating extraction conditions related to the above-mentioned extraction of event data. The rule storage unit 124 is a storage area for storing various information and data used by the event generation unit 121 and the event extraction unit 123.

Further, the event extraction unit 123 may correlate and extract two or more event data that are presumed to have relevance based on a predetermined extraction condition.
As a specific example, the event extraction unit 123 may associate event data indicating an increase in CPU load with event data related to a backup job start event, as described above as an outline. As a result, even in a situation where it is determined that the monitored target 190 is in an abnormal state based on individual event data alone, the monitored target 190 is in a normal state based on a plurality of event data associated with each other. It is also possible to determine that.

The details of the process related to the extraction of event data by the event extraction unit 123 will be described later together with a specific example. Then, the event extraction unit 123 stores the extracted event data in the event storage unit 125. For example, the event storage unit 125 is a storage area for storing the extracted event data.

The output control unit 126 reads the event data stored in the event storage unit 125 (that is, the event data extracted by the event extraction unit 123), and outputs the information corresponding to the event data to a predetermined output destination. For example, the output control unit 126 may notify the user of the information by outputting the information corresponding to the read event data to a predetermined output unit (for example, the output unit 127 described later). Further, as another example, the output control unit 126 may transfer the read event data to another device via the network. As a result, the other device can execute various processes using the acquired event data.
Further, the output control unit 126 may read at least a part of the event data according to a predetermined condition when reading the event data stored in the event storage unit 125. As a specific example, the output control unit 126 may read event data indicating "abnormality" as the state of the monitoring target 190 from the event storage unit 125 in order to display a screen prompting the user to respond.
Further, the output control unit 126 may read out a plurality of event data associated with each other. In this case, the output control unit 126 may output information according to the combination of the plurality of event data to a predetermined output unit. As a specific example, the output control unit 126 may output information according to the state (for example, normal or abnormal) of the monitoring target 190 based on the combination of the plurality of event data to a predetermined output unit.

The output unit 127 has a configuration for outputting various information, and is used for presenting various information to the user. As a specific example, the output unit 127 may be realized by a display device such as a display. In this case, the output unit 127 presents the information to the user by displaying various display information.
Further, as another example, the output unit 127 may be realized by an acoustic output device such as a speaker that outputs an acoustic sound such as a voice or an electronic sound. In this case, the output unit 127 presents information to the user by outputting sound such as voice or telegraph.
As described above, the device applied as the output unit 127 may be appropriately changed depending on the medium used for presenting the information to the user.

The functional configuration shown in FIG. 1 is merely an example, and does not necessarily limit the functional configuration of the system 1 (particularly, the monitoring system 100). For example, each functional configuration of the monitoring system 100 may be realized by one device. In this case, the one device corresponds to an example of the "information processing device" according to the present embodiment.
Further, each functional configuration of the monitoring system 100 may be realized by coordinating a plurality of devices. In this case, for example, even if the processing of at least a part of the functional configurations of the monitoring system 100 is executed by the plurality of devices, the load related to the processing is distributed to the plurality of devices. Good. Further, as another example, some of the functional configurations of the monitoring system 100 and other functional configurations may be realized by different devices connected via a network. As a specific example, the functional configuration corresponding to the event generation unit 121 and the event extraction unit 123 and the functional configuration corresponding to the output control unit 126 may be realized by different devices.

Further, some of the functional configurations of the monitoring system 100 may be provided outside the monitoring system 100. As a specific example, at least a part of the monitoring units 110 among the plurality of monitoring units 110 may be provided outside the monitoring system 100 and connected to the monitoring system 100 via a network.

<Hardware configuration>
FIG. 2 is a diagram showing an example of the hardware configuration of the information processing apparatus 200 used to realize the monitoring system 100 according to the present embodiment. As shown in FIG. 2, the information processing device 200 according to the present embodiment includes a CPU (Central Processing Unit) 210, a ROM (Read Only Memory) 220, and a RAM (Random Access Memory) 230. The information processing device 200 includes an auxiliary storage device 240, an output device 250, an input device 260, and a network I / F 270. The CPU 210, ROM 220, RAM 230, auxiliary storage device 240, output device 250, input device 260, and network I / F 270 are connected to each other via a bus 280.

The CPU 210 is a central processing unit that controls various operations of the information processing device 200. For example, the CPU 210 may control the operation of the entire information processing device 200. The ROM 220 stores a control program, a boot program, and the like that can be executed by the CPU 210. The RAM 230 is the main storage memory of the CPU 210, and is used as a work area or a temporary storage area for developing various programs.

The auxiliary storage device 240 stores various data and various programs. The auxiliary storage device 240 is realized by a storage device that can temporarily or continuously store various data such as an HDD (Hard Disk Drive) and a non-volatile memory typified by an SSD (Solid State Drive). ..

The output device 250 is a device that outputs various types of information, and is used for presenting various types of information to the user. In the present embodiment, the output device 250 is realized by a display device such as a display. The output device 250 presents information to the user by displaying various display information. However, as another example, the output device 250 may be realized by an acoustic output device that outputs sounds such as voice and electronic sounds. In this case, the output device 250 presents information to the user by outputting sounds such as voice and telegraph. Further, the device applied as the output device 250 may be appropriately changed depending on the medium used for presenting information to the user. The output device 250 corresponds to an example of an "output unit" used for presenting various types of information.

The input device 260 is used for receiving various instructions from the user. In the present embodiment, the input device 260 includes an input device such as a mouse, a keyboard, and a touch panel. However, as another example, the input device 260 may include a sound collecting device such as a microphone and collect sound spoken by the user. In this case, the collected voice is subjected to various analysis processes such as acoustic analysis and natural language processing, so that the content indicated by the voice is recognized as an instruction from the user. Further, the device applied as the input device 260 may be appropriately changed depending on the method of recognizing the instruction from the user. Further, a plurality of types of devices may be applied as the input device 260.

The network I / F270 is used for communication with an external device via a network. The device applied as the network I / F270 may be appropriately changed according to the type of communication path and the applicable communication method.

The CPU 210 expands the program stored in the ROM 220 or the auxiliary storage device 240 into the RAM 230, and by executing this program, the functional configuration of the monitoring system 100 shown in FIG. 1 and the processing shown in the flowchart shown in FIG. Is realized.

<Processing>
An example of processing of the monitoring system 100 will be described with reference to FIG. FIG. 3 is a flowchart showing an example of processing of the monitoring system 100 according to the present embodiment.

In S101, the event generation unit 121 acquires messages from each of the plurality of monitoring units 110 according to the monitoring result of the state of the monitoring target 190.

In S102, the event generation unit 121 generates event data for each event for which the monitoring system 100 targets state detection, based on the message acquired from each monitoring unit 110.

In S103, the event extraction unit 123 extracts at least a part of the event data by filtering a series of event data generated by the event generation unit 121 based on a predetermined extraction condition. As a specific example, the event extraction unit 123 may extract event data including a predetermined character string from the generated series of event data. Further, the event extraction unit 123 may correlate and extract two or more event data that are presumed to have relevance based on a predetermined extraction condition.

In S104, the output control unit 126 controls so that the information corresponding to the event data extracted by the event extraction unit 123 is output to a predetermined output destination. For example, the output control unit 126 may notify the user of information by causing the output unit 127 to output the event extracted by the event extraction unit 123. Further, as another example, the output control unit 126 may transfer the read event data to another device via the network.
Further, the output control unit 126 may read out a plurality of event data associated with each other. In this case, the output control unit 126 may output information according to the combination of the plurality of event data to a predetermined output destination.

The monitoring system 100 executes a series of processes shown in FIG. 3 at predetermined triggers. As a specific example, the monitoring system 100 may execute a series of processes shown in FIG. 3 periodically at predetermined intervals. Further, as another example, the monitoring system 100 may execute a series of processes shown in FIG. 3 in conjunction with a predetermined trigger.

<Example>
Subsequently, as an embodiment of the monitoring system 100, an example of processing related to generation and extraction of event data based on a message output from the monitoring unit 110 will be described with specific examples. In this embodiment, an example will be described in which an OSS (Open Source Software) monitoring tool called Zabbix and an OSS monitoring tool called Prometheus are used as the plurality of monitoring units 110. To do.

In the monitoring system 100, event data is generated based on the messages output from each of the plurality of monitoring units 110, and the state of the monitored target 190 is monitored based on the event data. Specifically, in the monitoring system 100, when detecting an abnormal operation of a desired monitoring target 190, it is possible to extract event data corresponding to a desired event based on the format according to the above-mentioned event data regulation. Is. Therefore, according to the monitoring system 100, it is possible to extract event data corresponding to a desired event without depending on the format of the message output by each monitoring unit 110.

(Generation of event data)
Here, a specific example of a process related to the generation of the event data in order to enable the extraction of the event data corresponding to the desired event without depending on the format of the message output by each monitoring unit 110 is specified. An example will be given.

In Zabbix, for example, when extracting a message indicating the restart of the server, the conditional expression related to the extraction is expressed as follows.

Further, in Prometheus, for example, when extracting a message indicating that the CPU usage rate exceeds 90%, the conditional expression related to the extraction is expressed as follows.

In these monitoring tools, in order to suppress the output of a message as if it is not abnormal when a specific condition is satisfied, for example, after understanding the description method of the conditional expression for each monitoring tool shown above, Scripts related to control will be described or modified. That is, for each monitoring tool, the user is required to understand the item names and syntax used in the monitoring tool. Therefore, in a situation where a plurality of monitoring tools are used, the user is required to understand the item name and syntax used for each monitoring tool, which may increase the burden on the user.

On the other hand, when a filter is used separately from the monitoring tool group, it is possible to add a condition for status determination by the filter to the message output by the monitoring tool. In this case, the condition can be described by the message structure and the syntax of the filter tool. At this time, it is required to understand the syntax of the conditional expression in the monitoring tool that is the output source of the message. Absent.

For example, FIG. 4 is a diagram showing an example of a message output for each monitoring tool.
Specifically, FIG. 4A shows an example of a message output by Zabbix when the server is restarted. “Date” is a time stamp indicating the date and time when the message was output. “Host” indicates the host name of the server to be monitored. “Subject” indicates the type of message. "Message" indicates the body of the message. "Severity" indicates an index of importance or urgency.
Further, FIG. 4B shows an example of a message output by Prometheus when the CPU usage rate exceeds 90%. “Date” is a time stamp indicating the date and time when the message was output. “Node” indicates the host name of the server to be monitored. "Summary" indicates the type of message. “Status” indicates the status of the monitoring target. "Severity" indicates an index of importance or urgency.

Further, FIG. 5 is a diagram showing an example of a script in which a condition for determining a state is added by a filter to a message output by a monitoring tool. Specifically, the example shown in FIG. 5 presupposes the output of the message illustrated in FIG. 4, and if the time when each message is output is between 23:00 and 24:00, the condition for determining normal operation is set. An example of the specified script is shown. Note that FIG. 5 is just an example, and at least a part of the description method may be appropriately changed depending on the syntax of the filter tool to be used.

Specifically, in the example shown in FIG. 5, the host name of the server to be monitored is acquired from the items (“host” and “node”, respectively) indicating the host name in each tool. In addition, information (character string) indicating the type of the message is acquired from the items (“subject” and “summary”, respectively) indicating the type of the message in each tool. When the information acquired as described above satisfies a predetermined condition, information indicating the date and time when the message was output is further acquired from the item indicating the date and time (both are "date"). Then, either normal or abnormal is determined depending on whether or not the time when the message is output is between 23:00 and 24:00.
As can be seen by referring to FIG. 5, the item name and the content of the message may differ depending on the monitoring tool, but the conditional expression for determining the condition should be described without depending on each monitoring tool. Is possible.

In the monitoring system 100 according to the present embodiment, by utilizing the above-mentioned characteristics, the information output by each monitoring tool according to the monitoring result can be set to a common rule without depending on the rules unique to each monitoring tool. It will be possible to manage centrally based on.

Specifically, the event generation unit 121 extracts desired information from the message output from each monitoring unit 110 by using the above-mentioned characteristics, and uses the information extracted based on a predetermined format to perform an event. Generate data. The format according to the definition of event data corresponds to an example of the "second format".

An example of event data is listed below for each type shown as (A) to (D).
(A) A message related to history indicating that something has happened-A backup job has started-A specific error has occurred in the software-The port of the network device has been disconnected-The server has restarted-The cloud Storage resource added (B) History message indicating that the user has performed some operation-The administrator has remotely logged in to the server-The administrator has executed the user account creation operation-The user is in the cloud -The user executed the server deletion operation on the cloud. (C) The message regarding the performance and status indicates that the conditions defined in advance were met.-The CPU usage rate exceeds 90%.・ Connection to the Web server failed 3 times in a row ・ Backup job execution continues even after 3 hours ・ Process changed from running state to stopped state (D) Message about performance and status Represents the current state-The server is currently stopped-The process is currently stopped-The current CPU usage is 20% -The backup job is running

In addition, the event extraction unit 123 extracts at least a part of the event data from the generated series of event data based on the predetermined extraction conditions according to the format related to the generation of the event data.
As described above, the event extraction unit 123 may correlate and extract two or more event data that are presumed to have relevance based on predetermined extraction conditions. By associating a plurality of event data in this way, it is possible to more accurately determine the state of the monitored target 190 based on the plurality of event data.

Below, for an example (in other words, an application example of a filter) of the conditions related to the extraction of event data and the determination of the state of the monitored object 190 according to the extraction result, in particular, two or more event data are used in combination. A specific example will be given to explain by focusing on the case. In the example shown below, an example of a method for determining the state of the corresponding monitoring target 190 will be described focusing on the case where two or more event data out of the above-mentioned event data (A) to (D) are combined. ..

-Filter application example 1
Even when the event data shown as (A) shows an "abnormal" state, it may be determined that the event data is in the "normal" state according to the combination with the event data shown as (B).
As a specific example, the event data corresponding to the event indicating that "the port of the network device has been disconnected" indicates that the monitored target 190 is in an "abnormal" state by itself. On the other hand, if event data corresponding to the event indicating that "the user has performed a network deletion operation in the cloud" has been generated within the past 3 minutes, the connection of the network device port is caused by the operation. It is possible to presume that has expired. That is, in this case, it is possible to determine that the monitored object 190 is in the "normal" state.

-Filter application example 2
Even when the event data shown as (C) shows an "abnormal" state, it may be determined that the event data is in the "normal" state according to the combination with the event data shown as (A).
As a specific example, the event data corresponding to the event indicating that "the CPU usage rate of the server has exceeded 90%" indicates that the monitored target 190 is in an "abnormal" state by itself. On the other hand, if event data corresponding to the event indicating "the server has been restarted" has been generated within the past 10 minutes, the CPU usage rate of the server will be 90% due to the restart. It is possible to presume that it has exceeded. That is, in this case, it is possible to determine that the monitored object 190 is in the "normal" state.

-Filter application example 3
Even when the event data shown as (A) shows a "normal" state, it may be determined that the event data is in an "abnormal" state depending on the combination with the event data shown as (D).
As a specific example, the event data corresponding to the event indicating that "a specific error has occurred on the server" is determined to be in the "normal" state if the error does not have an immediate effect. Is possible. On the other hand, if event data corresponding to the event indicating "the server is stopped" is generated for the other server on which the server depends, the above error affects the entire system. May affect. That is, in this case, it may be determined that the monitored object 190 is in an "abnormal" state.

-Filter application example 4
Even when the event data shown as (C) shows an "abnormal" state, it may be determined that the event data is in the "normal" state according to the combination with the event data shown as (B).
As a specific example, the event data corresponding to the event indicating that "the process has changed from the started state to the stopped state" indicates that the monitored target 190 is in the "abnormal" state by itself. On the other hand, if event data corresponding to the event indicating that "the user has performed the server addition operation" is generated within the past 3 minutes, the process is started from the started state due to the server addition operation. It is possible to presume that the state has changed to a stopped state. That is, in this case, it is possible to determine that the monitored object 190 is in the "normal" state.

-Filter application example 5
Even when the event data shown as (B) shows an "abnormal" state, it may be determined that the event data is in the "normal" state according to the combination with the event data shown as (D).
As a specific example, the event data corresponding to the event indicating that "the administrator has remotely logged in to the DB server" is monitored by itself when remote login to the DB server is prohibited by the operation rules. It indicates that 190 is in an "abnormal" state. On the other hand, in the case where "the work server is stopped" most recently, remote login to the DB server may be permitted as an exception according to the operation rules. In such a case, if the event data corresponding to the event indicating that "the work server is stopped" is generated most recently, it is determined that the monitored target 190 is in the "normal" state. It is possible to do.

-Filter application example 6
Even when the event data shown as (C) shows an "abnormal" state, it may be determined that the event data is in the "normal" state according to the combination with the event data shown as (D).
As a specific example, the event data corresponding to the event indicating that "the memory usage rate of the server exceeds 80%" indicates that the monitored target 190 is in an "abnormal" state by itself. On the other hand, if event data corresponding to the event indicating that "the backup job is being executed" has been generated most recently, the memory usage rate of the server will be 80% due to the execution of the backup job. It is possible to presume that it has exceeded. That is, in this case, it is possible to determine that the monitored object 190 is in the "normal" state.

In addition, when a certain event occurs, an example of the condition for associating the event data corresponding to another event that occurred in the past with the event data corresponding to the event for condition determination is shown below. ..
-Search for the presence or absence of a predetermined type of event that occurred within a certain period in the past based on the event occurrence timing-For a predetermined type of event that occurred within a certain period thereafter based on the event occurrence timing Monitor the presence / absence ・ Hold the latest event data indicating that the state is shown in (D) ・ Hold the latest event data indicating that the state has changed to the state shown in (C) , The above is only an example, and does not necessarily limit the method of associating the event data corresponding to another event that has occurred in the past with the event data corresponding to the desired event.

<Supplement>
The above-mentioned example as an embodiment is merely an example, and does not necessarily limit the configuration for realizing the monitoring system 100 and the processing of the monitoring system 100. That is, a part of the configuration and processing of the monitoring system 100 may be appropriately changed without departing from the above-mentioned technical idea.

For example, in the above-described example as the embodiment, a message (character information) is mainly assumed as the information output from the monitoring unit 110, event data is generated based on the message, and the monitoring target 190 is based on the event data. The explanation focused on the case of determining the state.
On the other hand, if the state of the monitoring target 190 can be determined according to the information output by the monitoring unit 110, the type of the information is not particularly limited, and event data is generated based on the information to be monitored. It can be used to determine the state of 190.

As a specific example, various sensors may be applied as the monitoring unit 110. In this case, the event generation unit 121 may generate event data based on, for example, a signal output from the monitoring unit 110 (sensor) according to the detection result of a predetermined state. As a more specific example, when the level or phase of the signal output from the monitoring unit 110 changes according to the state of the monitoring target 190, the event generation unit 121 indicates the monitoring indicated by the level or phase of the signal. Event data may be generated according to the state of the target 190.

Further, as another example, the monitoring unit 110 may output a code corresponding to the monitoring result of the state of the monitoring target 190 as information according to the monitoring result. Even in such a case, the event generation unit 121 generates event data by specifying the monitoring result by the monitoring unit 110 based on the above code, for example, if it is known which state each code corresponds to. It is possible to do.

Further, as another example, the monitoring unit 110 may output data in which the monitoring result of the state of the monitoring target 190 is encoded as information according to the monitoring result. Even in such a case, for example, if the information coding method is known, the event generation unit 121 identifies the monitoring result by the monitoring unit 110 and generates event data based on the coded data. It is possible.
As a specific example, if the list of information acquired as the monitoring result of the state of the monitoring target 190 is known, the event generation unit 121 obtains data in which each of the information is encoded based on a known coding method. It may be held in advance. Then, the event generation unit 121 collates the encoded data output from the monitoring unit 110 according to the monitoring result with each of the encoded data held in advance, whereby the state of the monitoring target 190 is set. May be specified.
Further, as another example, the event generation unit 121 decodes the encoded data output from the monitoring unit 110 according to the monitoring result by a decoding method corresponding to a known encoding method, and the decoded information. The state of the monitoring target 190 may be specified based on the above.
As a result, the event generation unit 121 can generate event data according to the monitoring result even when the encoded data is acquired from the monitoring unit 110 as information according to the monitoring result.

Further, in the example shown in FIG. 1, the state of the monitored object 190 is monitored by each of the plurality of monitoring units 110 according to different monitoring conditions. On the other hand, one device may play the role of a plurality of monitoring units 110. In this case, the apparatus may output information according to the monitoring result of the state of the monitored object 190 based on the different monitoring conditions.

Further, it is possible to create a computer program for realizing each functional configuration of the monitoring system 100 described above and implement it on a personal computer or the like. It is also possible to provide a computer-readable recording medium in which such a computer program is stored. Examples of the recording medium include magnetic disks, optical disks, magneto-optical disks, flash memories, and the like. Further, the above computer program may be distributed via, for example, a network without using a recording medium. Further, the number of computers for executing the above computer program is not particularly limited. For example, the computer program may be executed by a plurality of computers (for example, a plurality of servers) in cooperation with each other. Further, as another example, when the computer includes a plurality of processors, the computer program may be executed by the plurality of processors in cooperation with each other.

<Conclusion>
As described above, the information processing system (for example, the monitoring system 100) according to the present embodiment acquires a message according to the result of the monitoring from each of a plurality of monitoring means for monitoring the state based on different monitoring conditions. To do. In addition, the information processing system generates event data based on the message acquired from at least one of the plurality of monitoring means. In addition, the information processing system extracts the event data based on predetermined extraction conditions. Then, the information processing system controls the output of output information according to the extraction result of the event data.

With the above configuration, it is possible to centrally manage the information output by each monitoring means according to the monitoring result based on the common rules without depending on the rules unique to each monitoring means. As a result, the state of the monitoring target based on the information output by each monitoring means according to the monitoring result can be determined based on the conditions (in other words, the filter) defined by the common rule. That is, according to the information processing system according to the present embodiment, it is possible to realize monitoring of the state of the monitored object using a plurality of monitoring means in a more preferable manner.

Further, from the above-mentioned characteristics, in the information processing system according to the present embodiment, it is possible to determine the state of the monitoring target by combining the monitoring results by a plurality of different monitoring means based on a common rule. As a result, the state of the monitoring target can be accurately determined in a more operational manner as compared with the case where only the monitoring results by the individual monitoring means are used.

100 Monitoring system 110 Monitoring unit 121 Event generation unit 122 Message storage unit 123 Event extraction unit 124 Rule storage unit 125 Event storage unit 126 Output control unit 127 Output unit 190 Monitoring target

Claims (11)

An acquisition means for acquiring a message according to the result of the monitoring from each of a plurality of monitoring means for monitoring the status based on different monitoring conditions, and an acquisition means.
A generation means that generates event data based on the message acquired from at least one of the plurality of monitoring means, and a generation means.
An extraction means that extracts the event data based on predetermined extraction conditions, and
An output control means that controls the output of output information according to the extraction result of the event data, and
Information processing system equipped with. The predetermined extraction conditions include extraction conditions corresponding to two or more monitoring conditions that are different from each other.
The extraction means associates two or more event data extracted based on the extraction conditions corresponding to the two or more monitoring conditions, respectively.
The output control means controls the output of the output information according to two or more associated event data.
The information processing system according to claim 1. The first monitoring means among the plurality of monitoring means monitors the state based on the first monitoring condition regarding the performance of the monitored target.
The acquisition means acquires the first message according to the result of monitoring based on the first monitoring condition.
The information processing system according to claim 1 or 2. The second monitoring means among the plurality of monitoring means monitors the state based on the second monitoring condition regarding the history sequentially recorded in the monitoring target.
The acquisition means acquires a second message according to the result of monitoring based on the second monitoring condition.
The information processing system according to any one of claims 1 to 3. The generation means extracts information of a predetermined type from the message acquired from the monitoring means based on the first format associated with the monitoring means, and obtains the event data based on the extracted information. The information processing system according to any one of claims 1 to 4, which is generated. The information processing system according to claim 5, wherein the generation means generates the event data by applying the predetermined type of information extracted from the message to the second format. The information processing system according to claim 6, wherein the extraction conditions are set based on the second format. The information processing system according to any one of claims 1 to 7, further comprising at least a part of the plurality of monitoring means. It is a control method for information processing systems.
An acquisition step of acquiring a message according to the result of the monitoring from each of a plurality of monitoring means that monitor the status based on different monitoring conditions, and an acquisition step.
A generation step of associating the messages acquired from at least two or more monitoring means among the plurality of monitoring means to generate event data, and a generation step.
An extraction step for extracting the event data based on predetermined extraction conditions, and
An output control step that controls the output of output information according to the extraction result of the event data, and
Information processing system control methods, including. An acquisition means for acquiring a message according to the result of the monitoring from each of a plurality of monitoring means for monitoring the status based on different monitoring conditions, and an acquisition means.
A generation means that generates event data based on the message acquired from at least one of the plurality of monitoring means, and a generation means.
An extraction means that extracts the event data based on predetermined extraction conditions, and
An output control means that controls the output of output information according to the extraction result of the event data, and
Information processing device. On the computer
An acquisition step of acquiring a message according to the result of the monitoring from each of a plurality of monitoring means that monitor the status based on different monitoring conditions, and an acquisition step.
A step of generating event data based on the message acquired from at least one of the plurality of monitoring means, and a step of generating event data.
An extraction step for extracting the event data based on predetermined extraction conditions, and
An output control step that controls the output of output information according to the extraction result of the event data, and
A program to execute.

Images