JP2011013793A - Data processing apparatus and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To efficiently record log data by dynamically changing the output setting of log data according to the attributes of the log data.SOLUTION: A log output device 10 performs output setting as initial setting, to define only log data with a fixed output level or greater as the object of output to a data storage device 310, and specifies an output level to change the output setting as change conditions, and confirms the output level of the log data input from an APP 20, and when the output level is equal to or more than an output level predetermined as change conditions, the log output device 10 changes the output setting to that to define the other output level as the object of output, and outputs the log data to the data storage device 310, and when the log data before and after the pertinent log data are matched with the output level of the new output setting, outputs the log data before and after the pertinent log data as well to the data storage device 310.

Description

  The present invention relates to, for example, a log output method used for analysis when a system failure occurs and internal control, and more particularly to a system that dynamically changes log output settings.

  With the conventional log output method, it is possible to specify the log output destination and generation, level specification (minimum to maximum), format specification, etc. The output destination is monitored by checking the remaining disk capacity and falling below the threshold. In such a case, there is a mechanism for switching the output destination (for example, Patent Document 1).

  Further, there is a mechanism in which error information to be generated is classified, the number of occurrences of each error is managed with a threshold value, and an action such as notification is executed when the condition is met (for example, Patent Document 2).

JP 2007-34416 A Japanese Patent Application Laid-Open No. 07-262054

In the conventional log management method, a file with a predetermined capacity and an HDD (Hard Disc Drive) area are reused for log output, so if a system failure actually occurs, the time elapses from the time of the failure. Sometimes, there is a problem that information at the time of failure is overwritten by new log data.
Further, if the log output level is set so that all log data is output to the HDD, there is a problem that the time required for writing to the file affects the system performance.
On the other hand, if only the most important log data is set to be output to the HDD, only the most important log data remains even if log data other than the most important log data is required for analysis when a failure occurs. Therefore, there is a problem that analysis is difficult.
For example, since only the most important log data remains, there is a problem that an occurrence event cannot be reproduced using all log data.

  One of the main objects of the present invention is to solve the above-mentioned problems. The main object of the present invention is to dynamically change data output settings according to data attributes and efficiently record data. With a purpose.

The data processing apparatus according to the present invention
A data input section for sequentially inputting data;
A data output unit connected to the data storage device and outputting the data input by the data input unit to the data storage device in accordance with a specified output setting;
An output for determining whether or not the data input by the data input unit matches an output setting change condition, and changing the output setting of the data output unit when the input data matches the change condition And a setting change unit.

  According to the present invention, since the data output setting is dynamically changed according to the data attribute, the output target is limited to highly important data, the write processing time is shortened, and the storage area that is the write destination is effective. While being used, it is possible to change the output setting to output data that is strongly related to highly important data when highly important data is input, which is useful for analysis processing and reproduction processing at the time of failure, etc. Secure data.

The figure which shows the structural example of the log output apparatus which concerns on Embodiment 1-7. FIG. 3 is a diagram illustrating an example of log data according to the first embodiment. FIG. 3 is a diagram illustrating an example of initial setting according to the first embodiment. FIG. 4 is a diagram illustrating an example of log output according to the first embodiment. The figure which shows the example of the change conditions and change setting which concern on Embodiment 1. FIG. The figure which shows the example of the change conditions and change setting which concern on Embodiment 1. FIG. FIG. 3 is a flowchart showing an operation example of the log output device according to the first embodiment. FIG. 6 is a sequence diagram illustrating an operation example of the log output device according to the first embodiment. FIG. 6 is a sequence diagram illustrating an operation example of the log output device according to the first embodiment. FIG. 6 is a sequence diagram illustrating an operation example of the log output device according to the first embodiment. FIG. 6 is a sequence diagram illustrating an operation example of the log output device according to the first embodiment. FIG. 6 is a sequence diagram illustrating an operation example of the log output device according to the first embodiment. FIG. 3 is a diagram showing an example of an output level setting program according to the first embodiment. The figure which shows the example of the change condition which concerns on Embodiment 2, and a change setting. FIG. 10 is a sequence diagram illustrating an operation example of the log output device according to the second embodiment. The figure which shows the example of the change condition which concerns on Embodiment 3, and a change setting. FIG. 10 is a diagram illustrating an example of log data according to the fourth embodiment. FIG. 10 is a diagram illustrating an example of extraction conditions according to the fourth embodiment. The figure which shows the example of the change condition which concerns on Embodiment 4, and a change setting. The figure which shows the example of the change condition which concerns on Embodiment 4, and a change setting. FIG. 10 is a sequence diagram illustrating an operation example of the log output device according to the fourth embodiment. The figure which shows the hardware structural example of the log output apparatus which concerns on Embodiment 1-7.

Embodiment 1 FIG.
In this embodiment and the following embodiments, log data output settings can be changed dynamically according to log data attributes, application operations on the system, and external factors to ensure log data at the time of failure Explains the system that collects and saves and optimizes log settings.
The output setting includes output level setting, generation setting, log output destination setting, signature presence / absence setting, encryption presence / absence setting, and the like.
In this embodiment, an example of changing the output level setting as an output setting change will be described. In the following embodiments, the generation setting change, the log output destination setting change, and the signature presence / absence setting The setting for the presence / absence of encryption will be described.

First, output level setting will be described.
An output level is specified for log data handled in the present embodiment. The output level is synonymous with priority. For example, one of two levels of “high” and “low” is designated, or three levels of “high”, “medium”, and “low” are specified. One of the levels is specified. In addition, more output levels may be used.
In the log output apparatus according to the present embodiment, an output level is set.
For example, when the output level is set to “High” and “Low”, and the setting is made so that only the log data with the output level “High” is output, the log output device will output the log data sequentially input. Only log data for which the output level “high” is displayed is selected and output to the data storage device.
Then, the log output device according to the present embodiment analyzes the attribute of the input log data, determines whether the input log data matches the output setting change condition, and the input log data is output. If the setting change condition is met, for example, the output level setting is changed to “low”. After the setting of the output level is changed, only the log data with the output level “high” or “low” is selected and output to the data storage device.

  FIG. 1 is a block diagram showing a system configuration example including a log output device according to the present embodiment.

The log output device 10 (data processing device) according to the present embodiment inputs log data from an application program 20 (hereinafter referred to as APP 20), and outputs the input log data to the data storage device 310 according to output settings. The log data is stored in the data storage device 310.
The APP 20 may be an application program that operates on a separate device connected to the log output device 10 via a network, or may be an application program that operates on the same machine as the log output device 10. The APP 20 includes large-scale items such as a single execution file to a business system.
The data storage device 310 may also be a storage device connected to the log output device 10 via a network, or may be a storage device that operates on the same machine as the log output device 10.

  The log output device 10 includes a log analysis unit 100, a log management unit 200, an output destination management unit 300, a format management unit 400, a signature / encryption unit 500, a level management unit 600, a situation dependent log setting unit 700, and an external situation acquisition unit. 800, a cache 110, an initial setting information storage unit 210, and a change setting information storage unit 710.

The log analysis unit 100 sequentially inputs log data in which any one of a plurality of output levels (priorities) is designated. The log analysis unit 100 is an example of a data input unit.
Further, the log analysis unit 100 extracts output level / same number of times of processing / transition probability / argument information, etc. as information related to the change of the log data output setting from the log data contents.
In addition, the log analysis unit 100 notifies the situation-dependent log setting unit 700 of information related to the setting change.
In addition, the log analysis unit 100 performs a setting change request to the log management unit 200, stores log data in the cache 110, and loads log data from the cache 110.
In addition, the log analysis unit 100 makes a log output request to the log management unit 200.

FIG. 2 shows an example of log data input by the log analysis unit 100. FIG. 2 shows log data notifying that the user: ABCDEF is driving on December 13 in Nagoya.
Note that [ABC: main: 18] in the log data shown in FIG. 2 represents the class name, method name, and line number of the caller, and indicates the ABC class, main method, and 18th line.
“Low” represents the output level, and the output level of the log data in FIG. 2 is “low”.
In FIG. 2, “000” indicates a status code indicating normality. The status code indicating the error is “100”.
Thereafter, in the present embodiment, the output level is only “high” and “low”, the log data at normal time (log data with the status code “000”) is set to “low”, and the error level is An example in which the log data (log data with the status code “100”) is “high” will be described.
In such an example, the APP 20 designates the output level of the log data at normal time as “low” and designates the output level of the log data at error as “high” by the program illustrated in FIG. 13, for example. .
As described above, the output level may have more stages. In addition, what kind of situation is mapped to which level is a policy of the application, system or project.

The cache 110 stores log data input by the log analysis unit 100 and not yet output to the data storage device 310.
The cache 110 is an example of a data storage unit.
In the following description, it is assumed that the cache 110 can store only one log data.

The log management unit 200 designates a predetermined output level (priority equal to or higher than the first level) as the output setting before log data (condition matching data) that matches the log data output setting change condition is input. When the initial setting (first output setting) to instruct the output of the log data being specified is specified and log data that matches the log data output setting changing condition is input, the output level that is different from the initial setting ( Change to a new output setting (second output setting) for instructing the output of log data in which the priority of the second level or higher is designated.
If the initial setting is specified, the log data specified by the output level indicated by the initial setting is selected from the log data input by the log analysis unit 100 and output to the data storage device 310. When a new output setting is specified, the data storage device selects the log data in which the output level indicated by the new output setting is specified from the log data input by the log analysis unit 100 To 310.
The log management unit 200 is an example of an output setting change unit and a data output unit.
In performing the above operation, the log management unit 200 performs initialization processing based on initial settings, log data output setting change reception, level management, format management, output destination management initial settings, log level confirmation to output. Control.

The initial setting information storage unit 210 stores initial setting information indicating an initial setting of log data output settings.
FIG. 3 shows an example of the initial setting information stored in the initial setting information storage unit 210.
The initial setting in FIG. 3 indicates that only log data with an output level “high” is selected and output.
The generation is 1, and no signature or encryption is performed. The meaning of the generation will be described in the second embodiment.

  The output destination management unit 300 performs log output control to a file based on the setting, a console, etc., generation management of the output file (rolling designation, etc.), and management of the maximum size of the output file.

  The format management unit 400 controls the log output item format (text, XML, etc.), log output item shaping (including output order control, format and string concatenation operations), and log output item output enable / disable. (Do not output date etc.).

The signature / encryption unit 500 performs signature attachment (authentication value generation processing) and encryption processing on the log output item. The target item, signature, and key based on encryption are based on settings.
Details of the signature / encryption unit 500 will be described in the fourth embodiment.

  The level management unit 600 compares and determines the level information specified in the log to be output and the level permitted to be output.

The situation-dependent log setting unit 700 determines whether or not log data that matches the log data output setting change condition is input, and when log data that matches the log data output setting change condition is input. Determine new output settings.
The situation-dependent log setting unit 700 constitutes an output setting change unit together with the log management unit 200.
In the present embodiment, the situation-dependent log setting unit 700 determines whether or not the output setting has been changed based on the analysis of log data (output level analysis), but the information obtained by the external situation acquisition unit 800, Judgment whether or not to change log output settings based on information on cache capacity, time lapse, and preset change settings (cache capacity, time lapse basically when returning to the original state based on the changed settings Can also be used. An example using elements other than the output level analysis will be described in the sixth embodiment.

The change setting information storage unit 710 stores change setting information indicating output setting change conditions and changed output settings.
FIG. 5 shows an example of change setting information stored in the change setting information storage unit 710.
In FIG. 5, the change condition is “high” and the change setting is “low”.
In this example, when log data whose output level is “high” is input, the log management unit 200 and the situation-dependent log setting unit 700 also output log data whose output level is “low” to the data storage device 310. Change the output setting to
That is, while log data with an output level of “low” is being input, the initial setting remains unchanged, so log data is not output to the data storage device 310 and log data with an output level of “high” is input. At this stage, the log management unit 200 and the situation-dependent log setting unit 700 change the output setting, so that not only log data whose output level is “high” but also log data whose output level is “low” is output.
In the present embodiment, the preceding log data stored in the cache 110 at the time when log data having an output level “high” is input (even if the output level is “low”) is also a data storage device. It is output to 310.

FIG. 6 shows an example of other change setting information stored in the change setting information storage unit 710.
FIGS. 6A to 6C show a reference for returning the output setting after the output setting is changed by the change setting information of FIG. In actual operation, any one of FIGS. 6A to 6C is used.
In FIG. 6A, the change condition is that the log data with the output level “low” is continuously input the number of times corresponding to the number of log data +1 that can be stored in the cache 110, and the change condition is met. In this case, the output setting is changed so as to instruct the output of only the log data whose output level is “high”. In this embodiment, since the cache 110 can store one log data, the output setting is returned to the initial setting when the log data with the output level “low” is input twice in succession.
Further, in FIG. 6B, the change condition is that the log data with the output level “low” is continuously input five times, and the log data with the output level “high” when the change condition is met. Change to the output setting that instructs only output (return to the initial setting).
Further, in FIG. 6C, the log data with the output level “low” is set as a change condition when the log data with the output level “low” is continuously input for 10 minutes. Change to the output setting that instructs only output (return to the initial setting).

The external status acquisition unit 800 monitors a specified hardware state such as a CPU (Central Processing Unit) temperature, a HDD (Hard Disk Drive) remaining amount, and notifies the status-dependent log setting unit 700.
The external situation acquisition unit 800 is an example of a state monitoring unit.
An example in which the external situation acquisition unit 800 is used will be described in Embodiment 6.

  Next, an operation example of the log output device 10 according to the present exemplary embodiment will be described using the flowchart of FIG.

After the predetermined initialization process is completed, the log analysis unit 100 receives a log output request from the APP 20 (S701).
The log output request includes log data and a command for requesting output of the log data to the data storage device 310.

Next, the log analysis unit 100 notifies the status-dependent log setting unit 700 of the output level of the log data included in the log output request, and the status-dependent log setting unit 700 analyzes the log data and determines the attribute of the log data. It is determined whether or not satisfies the change condition. More specifically, the situation-dependent log setting unit 700 analyzes the output level of the input log data, and checks whether the output level of the input log data matches the output level indicated in the change condition. It is determined whether or not (S702).
If the log data matches the change condition (YES in S703), the situation-dependent log setting unit 700 notifies the log management unit 200 of the changed output setting via the log analysis unit 100, and logs management The unit 200 changes the output setting (S704).
For example, when log data whose output level is “high” is input in the situation where the initial setting (FIG. 3) is used, the change condition of the change setting information shown in FIG. 700 notifies the log management unit 200 of a change to the output setting for which log data having an output level of “low” is also output, and the log management unit 200 changes the output setting.
Further, for example, when log data with an output level “low” is input twice in a situation where the output setting is changed according to the change setting information of FIG. 5, the change setting information shown in FIG. The condition-dependent log setting unit 700 notifies the log management unit 200 of the change to the output setting for outputting only the log data whose output level is “high”, and the log management unit 200 outputs the change. Change the setting.
On the other hand, if the change condition is not met (NO in S703), the process proceeds to S705.

Next, the log analysis unit 100 checks the capacity of the cache 110 (S705).
As a result of the capacity check, if the cache 110 is free (YES in S706), the process proceeds to S712, and the log analysis unit 100 stores the input log data in the cache 110.
On the other hand, if there is no free space in the cache 110 (NO in S706), the process proceeds to S707.

In step S <b> 707, the log analysis unit 100 loads log data from the cache 110.
Then, the log management unit 200 compares the output level of the log data loaded from the cache 110 with the output level specified as the output target in the output setting, and the output level of the log data loaded from the cache 110 is output. It is determined whether or not the output level instructed in the setting is met (S708).
When the output level of the log data loaded from the cache 110 matches the output level specified in the output setting, the log data becomes an output target (YES in S709), and the log management unit 200 displays the log data. Is output to the data storage device 310 (S710).
On the other hand, when the output level of the log data loaded from the cache 110 does not match the output level specified in the output setting, the log data is not output (NO in S709), and the log management unit 200 The log data is discarded (S711).

  Finally, the log analysis unit 100 stores the log data input in step S701 in the cache 110 (S712).

Note that the log data input in step S701 is temporarily accumulated in a buffer memory or the like allocated to the log analysis unit 100 until it is stored in the cache 110 in step S712.
The log data loaded in step S707 is temporarily stored in the buffer memory allocated to the log management unit 200 until it is output to the data storage device 310 in step S710 or discarded in step S711. To accumulate.

Based on the above operation example, the operation of the log output device 10 will be specifically described with reference to the sequence diagrams of FIGS.
8 to 12, the first log data whose output level is “low” (denoted as low (1)) and the second log data whose output level is “low” (denoted as low (2)) ), Log data whose output level is “high” (denoted as high (1)), third log data whose output level is “low” (denoted as low (3)), and whose output level is “low” 4 An example in which the first log data (indicated as low (4)) is input in this order will be described.

First, as illustrated in FIG. 8, the APP 20 performs log initialization “1: initialization”, and obtains an instance (or an equivalent) of the log for the APP 20.
In response to the initialization request “1: initialization”, the log analysis unit 100 issues an initialization request to each connected unit (1.1: initialization to 1.3: initialization).
In the initial setting of the present embodiment, as shown in FIG. 3, the output setting is for instructing “high” level output. The number of generations, presence / absence of signature, and presence / absence of encryption are also set in the initialization process, but are not shown in FIG.

Next, as illustrated in FIG. 9, the APP 20 outputs a log output request to the log analysis unit 100 (“3: log output request (low (1))”). Here, a log output request including log data (low (1)) is output.
The APP 20 makes a log output request to the log analysis unit 100 using, for example, a Java (registered trademark) API (Application Programming Interface).
In this example, it is assumed that the correspondence between the session and the log output device 10 is managed on the APP 20 side. When managing on the log output device 10 side, the session identifier is added to the above.

The log analysis unit 100 receives the log output request, and extracts level information indicating the output level as information related to the log setting change from the log output request. There may be a plurality of items to be extracted, and specification is made in advance using a QUERY expression or the like. The QUERY expression is equivalent to an XPATH expression for XML (Extensible Markup Language), an SQL SELECT expression, or a function expression such as substring.
In addition, the log analysis unit 100 notifies log information (level information) in order to make an inquiry to the situation-dependent log setting unit 700 as to whether or not the log setting needs to be changed (“3.1: Log information ( Low (1)))).

  The situation-dependent log setting unit 700 determines whether or not the output level indicated in the log information (level information) from the log analysis unit 100 matches the change condition, but the input log data (low (1)) ) Is “low”, the change condition of FIG. 5 is not met, and the situation-dependent log setting unit 700 does not notify the change of the output setting.

  Next, the log analysis unit 100 checks the capacity of the cache 110 (“3.2: capacity check”), and outputs log data to the cache 110 when there is a free storage area. ("3.3: Save (Low (1))"). Since the input log data (low (1)) is the first log data, the cache 110 is empty, and the log data (low (1)) is stored in the cache 110 as it is.

Next, a log output request including log data (low (2)) is output from the APP 20 (“4: log output request (low (2))”).
Similarly to the above, log information (level information) is notified from the log analysis unit 100 to the situation-dependent log setting unit 700 (“4.1: log information (low (2))”), and the situation-dependent log setting unit 700 Since the output level is “low”, the change of the output setting is not instructed.
Further, the log analysis unit 100 checks the capacity of the cache 110 (“4.2: capacity check”).
At this time, since the log data (low (1)) is stored in the cache 110, there is no space in the cache 110.
In this case, the log analysis unit 100 acquires (“4.3: load”) the log data (low (1)) accumulated from the cache 110 and requests the log management unit 200 to output a log. ("4.4: Log output (low (1))").
As described above, in this example, the information that can be stored in the cache 110 is one log data.

  The log data from the cache 110 may be acquired by checking the capacity by extending the log output request from the APP 20 as described above, and loading (log acquisition) when the capacity is not available. It is also possible to periodically check the capacity with a timer or the like and load (acquire a log) when the capacity is not available. Further, the above two methods may be used in combination.

In the log management unit 200, since the designation of the output level of the log data notified by “4.4: log output (low (1))” is “low”, the output level “high” which is the output instruction of the initial setting is set. ”(“ 4.4.1 Level Check ”, FALSE), the log data (low (1)) is discarded.
Thereafter, the log analysis unit 100 stores the input log data (low (2)) in the cache 110 (“4.5: save (low (2))”).

Next, as shown in FIG. 10, a log output request including log data (high (1)) is output from the APP 20 (“5: log output request (high (1))”).
Similarly to the case of FIG. 9, log information (level information) is notified from the log analysis unit 100 to the situation-dependent log setting unit 700 (“5.1: log information (high (1))”), and the output level is “ Since it is “high”, the change condition in FIG. 5 is met, and the situation-dependent log setting unit 700 notifies the output setting change. In this case, the log data of the output level “low” is also notified to be changed to the output setting to be output (“change setting (level = low)”).
The log analysis unit 100 notifies the log management unit 200 of new log setting information that permits output of the output level “low” and makes a setting change request (“5.2 setting change request”).
The log management unit 200 changes the log data of the output level “low” to the output setting to be output (“5.2.1: setting (level = low)”).

Next, the log analysis unit 100 checks the capacity of the cache 110 (“5.3: capacity check”).
At this time, since the log data (low (2)) is stored in the cache 110, there is no space in the cache 110.
In this case, the log analysis unit 100 acquires (“5.4: load”) the log data (low (2)) accumulated from the cache 110 and requests the log management unit 200 to output a log. ("5.5: Log output (low (2))").
In the log management unit 200, since the output level in the new output setting is reset as “low”, the log data (low (2)) becomes an output target (“5.5. 1 level confirmation”, TRUE) is passed to the output destination management unit 300 and written to the data storage device 310 (“5.5.3: log output (low (2))).
Thereafter, the log analysis unit 100 stores the input log data (high (1)) in the cache 110 (“5.6: save (high (1))”).

Next, as shown in FIG. 11, a log output request including log data (low (3)) is output from the APP 20 (“6: log output request (low (3))”).
Similarly to the case of FIG. 9 and FIG. 10, log information (level information) is notified from the log analysis unit 100 to the situation-dependent log setting unit 700 (“6.1: log information (low (3))”). Here, it is assumed that it is necessary to change the output setting based on the reference shown in FIG. 6A, the “low” level log data corresponding to the number of log data stored in the cache 110 plus one is continuously input (that is, the “low” level log data is continuous twice). Is entered as a change condition. At the time when the log data (low (3)) is inputted, the log data of “low” level is inputted only once, so it does not meet the change condition, and the situation-dependent log setting unit 700 changes the output setting. Do not instruct.
In addition, the log analysis unit 100 checks the capacity of the cache 110 (“6.2: capacity check”).
At this time, since the log data (high (1)) is stored in the cache 110, there is no space in the cache 110.
In this case, the log analysis unit 100 acquires (“6.3: load”) the log data (high (1)) accumulated from the cache 110 and requests the log management unit 200 to output a log. ("6.4: Log output (high (1))").
In the log management unit 200, since the output level in the current output setting is “low”, the log data (high (1)) is an output target (“6.4.1 level confirmation”, TRUE), and the output destination The data is transferred to the management unit 300 and written to the data storage device 310 (“6.4.3: Log output (high (1))”.
Thereafter, the log analysis unit 100 stores the input log data (low (3)) in the cache 110 (“6.5: save (low (3))”).

Next, as shown in FIG. 12, a log output request including log data (low (4)) is output from the APP 20 (“7: log output request (low (4))”).
Log information (level information) is notified from the log analysis unit 100 to the situation-dependent log setting unit 700 as in the case of FIG. 9, FIG. 10, and FIG. 11 (“7.1: Log information (low (4))”. "). In the criterion of FIG. 6A, the change condition is that log data of “low” level is input twice in succession, and when the log data (low (4)) is input, “low”. Since the level log data is input twice in succession, the condition-dependent log setting unit 700 instructs to change the output setting in accordance with the change condition of FIG.
In this case, notification is made to change only the log data of the output level “high” to the output setting to be output (“change setting (level = high)”).
The log analysis unit 100 notifies the log management unit 200 of log setting information that permits only output of the output level “high” and makes a setting change request (“7.2 setting change request”).
In the log management unit 200, only the log data of the output level “high” is changed to the output setting to be output (“7.2.1: setting (level = high)”). As a result, the output setting is returned to the initial setting.

Next, the log analysis unit 100 checks the capacity of the cache 110 (“7.3: capacity check”).
At this time, since the log data (low (3)) is stored in the cache 110, there is no space in the cache 110.
In this case, the log analysis unit 100 acquires (“7.4: load”) the log data (low (3)) accumulated from the cache 110 and requests the log management unit 200 to output a log. ("7.5: Log output (low (3))").
In the log management unit 200, since the designation of the output level of the log data notified by “7.5: log output (low (3))” is “low”, the output level “high” which is the output instruction of the initial setting is set. ”(“ 7.5. 1 level confirmation ”, FALSE), the log data (low (3)) is discarded.
Thereafter, the log analysis unit 100 stores the input log data (low (4)) in the cache 110 (“7.6: save (low (4))”).

In this way, before log data matching the change condition is input, the log data that matches the change condition according to the initial setting that only the log data for which the output level “high” is specified is output. Log data (high (1)) is specified to be output when the log level (low (1)) is specified. The log data (high (1)) before input is also changed. Log data (low (2)) stored in the cache 110 is also an output target.
In addition, when the log data (low (3)) and log data (low (4)) and the low-level log data are input twice in succession, the output setting is returned to the initial setting. (Low (3)) is output to the data storage device 310.
Therefore, for example, as shown in FIG. 4, the data storage device 310 includes log data of “low” level indicating normal (“000”) (corresponding to log data (low (2))) and an error ( “001”) indicating “high” level log data (corresponding to log data (high (1))) and “low” level log data indicating normal (“000”) (log data (low (3)) ) Is output sequentially.
In FIG. 4, time information (2008-12-13 14:00: 00) is added to the log data of FIG. 2, but this time information is added by the format management unit 400.

As described above, according to the present embodiment, only high-level log data is normally output, but low-level log data is also output only before and after the occurrence of high-level log data such as an error. It becomes possible.
In other words, in the present embodiment, since the log data output setting is dynamically changed according to the log data attribute, the output target is limited to highly important log data, the write processing time is shortened, and the write destination Can be changed to an output setting that also outputs log data that is strongly related to log data with high importance when the log data with high importance is input. Data useful for the analysis process and the reproduction process can be secured.
In addition, since log data with high relevance between log data with high importance and log data with high importance is stored only in a limited manner, the possibility that log data with high importance will be deleted by overwriting can be reduced. it can.

As described above, in the present embodiment,
Log analysis unit that analyzes the contents of log output requests,
Log management unit for setting log output and managing execution,
Output destination management unit that manages log output destination and number of generations,
Format management unit that forms logs into a specified format,
A signature / encryption part that gives a signature / encryption to the log,
Level management unit that manages log output availability by level,
A context-dependent log setting section that changes log settings according to log output contents and conditions according to external conditions,
A log output device has been described that includes an external status acquisition unit that monitors external devices and systems and notifies status changes, and dynamically changes log output settings according to log output requests and external status.

Embodiment 2. FIG.
In the first embodiment, the low-level log is output. However, in this embodiment, when the log data matching the change condition is input, the output setting is increased to increase the number of file generations. An example will be described.

Here, the number of file generations will be described.
The data storage device targeted in this embodiment stores data in units of files having a predetermined data capacity.
The log output device according to the present embodiment outputs log data to the data storage device while performing control to overwrite new log data in order from the old log data and store new data when the free space of the file runs out.
The number of file generations means the number of files managed by the data storage device. When the number of generations is 1, the log output device deletes the file when there is no free space in one file. Write new log data to a new file. If the number of generations is 3, the oldest log file can be deleted when there is no more free space in the three files, and new log data can be written to a new file. Data increases.

In the present embodiment, for example, change setting information shown in FIG. 14 is used.
In the present embodiment, the output setting with the generation number 1 is set as the initial setting, and when the log data with the output level “high” is input, the output setting with the generation number 3 is performed according to the change setting information in FIG. Change to
The number of generations once increased will not decrease.
Also, in this embodiment, the configuration example of the log output device 10 is as shown in FIG.

FIG. 15 shows a processing example when the log output apparatus 10 according to the present embodiment increases the number of file generations.
As described above, in the data storage device 310 that is the output destination, the file is managed in a rolling manner (rewriting from the beginning of the file when a certain size is exceeded). The number of generations in the initial setting is 1.
In FIG. 15, until high-level log data (high (1)) is input, the log management unit 200 starts a new log at the beginning of a file when there is no free space in one file in the data storage device 310. Save the data by overwriting.
In FIG. 15, “low” level log data is not output to the data storage device 310, but “low” level log data may also be output.
In FIG. 15, at the stage when “high” level log data (high (1)) is input, the log management unit 200 changes the output setting to “3.2.1: Setting”. (Generation = 3) ”).
Thereafter, the log management unit 200 does not perform overwrite saving until there is no more free space in the three files in the data storage device 310.

  In an operation in which “low” level log data is also output to the data storage device 310, only “low” level log data is stored until “high” level log data is input. If the log data is “low” level, there is no problem even if the previous log data is deleted by overwriting relatively early. However, when “high” level log data is input, it is necessary to maintain the “high” level log data for a long time, so the number of file generations is increased and the time to overwrite is increased. Thus, the “high” level log data is maintained for a long time.

In addition, the processing sequence for temporarily changing the output destination file and saving it to a file other than the file that would normally be overwritten by rolling is the same as above, and the output destination is changed instead of the number of generations. File name information etc. are passed.
When the output destination is changed, processing for returning to the initial setting is performed later.
In other words, when the data storage device 310 can store log data by providing a plurality of file systems, the log management unit 200 uses the rolling method before inputting “high” level log data that matches the change condition. The initial setting that designates the first file system as the data output destination is specified, and the log data of the “low” level is output to the first file system.
In addition, when “high” level log data is input, the log management unit 200 changes to a new output setting that instructs a second file system different from the first file system as a data output destination. The second file system is not a rolling method, and only the “high” level log data and the log data before and after the “high” level log data are output to the second file system.

  As described above, in the present embodiment, since the number of file generations and the file system are dynamically changed according to the attribute of the log data, when only log data with low importance is input, the storage area When the operation for effective use is performed and log data with high importance is input, the operation for reducing the chance that the log data with high importance is deleted by overwriting is performed.

  As described above, in this embodiment, when a high-level log output such as a serious error is output by a log output request, the number of generations managed at the output destination is increased, so that information loss due to file overwriting or the like is eliminated. Described log output device to prevent.

Embodiment 3 FIG.
In the present embodiment, an example will be described in which the log output setting is changed only when there is an output request from a specific source (request destination).

FIG. 16 shows an example of change setting information according to the present embodiment.
In the change setting information according to the present embodiment, a source and a method are specified as change conditions.
In this embodiment, the log management unit 200 outputs log data at the output level defined by the initial setting shown in FIG. 3 before log data including the display of the corresponding source and method is input. When the log data including the display of the corresponding source and method is input (selected as the target (and managing the file with the number of generations shown in the initial setting)), the output setting shown in the change setting in FIG. And log data of the output level specified by the changed output setting is selected as an output target (and files are managed with the number of generations indicated in the changed output setting).
Other operations are as shown in the first and second embodiments.

  As described above, in this embodiment, the log output device that changes the log output setting when log data related to a specific source and method is input has been described.

  In the above description, an example in which the output level or the number of generations is changed for log data from a specific source has been described. However, the setting for whether to sign or encrypt log data from a specific source is changed. You may do it.

Embodiment 4 FIG.
In this embodiment, another example of changing the log output setting according to the message content of the log will be described. In the present embodiment, an example will be described in which the log data includes a specific identifier as a change condition. Specifically, for example, when a specific user name is included in the log data as a specific identifier, the log data is output even if the log data is at a low level.
Also, in the present embodiment, an example will be described in which the output is changed in accordance with the message content of the log, such as performing signature and encryption only when a confidential document is included.

In the present embodiment, for example, log data in the format shown in FIG. 17 is targeted.
FIG. 17A shows components of log data according to the present embodiment, and FIG. 17B shows a specific example of FIG. 17A.
It is assumed that the log data according to the present embodiment is created in the CSV format, for example.
In the present embodiment, the log analysis unit 100 holds, for example, the extraction condition illustrated in FIG. 18, and logs that include “XYZabc” in the user name from the input log data according to the extraction condition illustrated in FIG. 18. Log data including “confidential document” in data and document type is extracted.

In this embodiment, for example, change setting information shown in FIGS. 19 and 20 is used.
In the change setting information of FIG. 19, the user name “XYZabc” is an example of a specific identifier.
In this example, for example, the output setting for which only the log data of the output level “high” is output to the data storage device 310 is set as the initial setting, and “XYZabc” is set in the user name according to the change setting information in FIG. When the log data included is extracted by the log analysis unit 100, the log management unit 200 changes the output setting for the log data, and even if the log data is output level “low”, Output to the data storage device 310.
In the change setting information in FIG. 20, the document type “confidential document” is an example of a specific identifier.
In this example, for example, an output setting in which neither an electronic signature is added to log data nor log data encryption is set as an initial setting, and “confidential document” is set as the document type according to the change setting information in FIG. When the included log data is extracted by the log analysis unit 100, the log management unit 200 changes the output setting for the log data, adds an electronic signature to the log data, and encrypts the log data. Do.

FIG. 21 is a diagram showing a processing example when signing and encrypting log data.
In the log management unit 200, when the log analysis unit 100 extracts log data including “confidential document” in the document type by the log analysis unit 100, the log management unit 200 changes the setting to the output setting with signature and encryption (“1: Setting (signature and encryption) ”), the signature / encryption unit 500 assigns and encrypts the log data, and the log data subjected to the signature and encryption is output to the data storage device 310. .
The signature / encryption unit 500 holds a key used for signature and encryption for each source, extracts the corresponding key using the source information of the input log data as a key, and uses the extracted key to sign Encrypt.

As described above, in the present embodiment, the log output device that changes the log output setting when the log data related to the specific user is input has been described.
Further, in the present embodiment, the log output device has been described in which it is possible to control the addition of signature / encryption to log data when log data related to confidential information is input.

Embodiment 5 FIG.
The log analysis unit 100 can calculate and calculate the transition probability after encoding and accumulating the source information included in the log output request and performing the processing flow mining.
By calculating the transition probability and passing it as log information, the log output setting based on the transition probability can be changed.
That is, in the log output device according to the present embodiment, the log analysis unit 100 analyzes the tendency of the log data input from the APP 20 to calculate the transition probability of the log data, and the log management unit 200 and the situation-dependent log setting unit In 700, a change condition is that a specific tendency is observed in the transition probability, and the output setting is changed when a specific tendency is observed.
Also, by setting a counter for each source information, a low level log can be output until a certain number of times have passed, and thereafter the setting can be changed to a medium / high level.

  In the present embodiment, the log output device has been described in which the transition probability of the log output pattern is obtained and the log output setting can be changed based on the prediction of future error (high level log output) occurrence.

Embodiment 6 FIG.
It is also possible to change log settings according to external conditions such as CPU temperature and HDD remaining capacity as well as the contents of the log output request.
In this case, the external status acquisition unit 800 monitors the monitoring items such as the CPU temperature and the HDD remaining amount regularly or by event notification of a status change, and when a change is detected, the status-dependent log setting is performed. Notification is made to the unit 700.
You may implement using a threshold value as notification conditions at this time. For example, notification is made when the remaining HDD capacity is reduced from 2 GB to 1 GB.
The situation-dependent log setting unit 700 manages change settings for monitoring items, and changes output settings such as increasing the log output level when the remaining HDD capacity reaches 1 GB, for example. Alternatively, after the HDD remaining capacity has run out, the log output setting for stopping the log output is performed, and then processing such as stopping input of log data from the APP is performed.

Embodiment 7 FIG.
If a plurality of conditions among the change conditions shown in the first to sixth embodiments are applicable, the change setting can be calculated based on the following criteria, for example.
1) Maximum value / average value / minimum value of change settings 2) Specification using multi-dimensional matrix 3) Formulas such as nth-order equations Also, priority is set, and if specific conditions are met, the specification is given top priority It may be set such as.

Finally, a hardware configuration example of the log output device 10 shown in the first to seventh embodiments will be described.
FIG. 22 is a diagram illustrating an example of hardware resources of the log output device 10 illustrated in the first to seventh embodiments.
Note that the configuration in FIG. 22 is merely an example of the hardware configuration of the log output device 10, and the hardware configuration of the log output device 10 is not limited to the configuration illustrated in FIG. Also good.

In FIG. 22, the log output device 10 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
The “initial setting information storage unit 210” and the “change setting information storage unit 710” described in the first to seventh embodiments are realized by the RAM 914, the magnetic disk device 920, and the like. The “data storage device 310” is realized by, for example, the magnetic disk device 920.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

  The communication board 915 may be connected to a LAN (Local Area Network), the Internet, a WAN (Wide Area Network), a SAN (Storage Area Network), etc., for example.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
If the APP 20 and the log output device 10 are on the same machine, the APP 20 is included in the program group 923.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the log output device 10 is activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  In the program group 923, a program that executes a function that is described as “to part” (other than “initial setting information storage unit 210” and “change setting information storage unit 710”) in the description of the first to seventh embodiments. Is remembered. The program is read and executed by the CPU 911.

In the file group 924, in the description of the first to seventh embodiments, “determination of”, “calculation of”, “comparison of”, “confirmation of”, “update of”, “setting of” ”,“ Registration of ”,“ Selection of ”, etc. Information, data, signal values, variable values, and parameters indicating the results of the processing are indicated as“ ˜file ”and“ ˜database ”items. It is remembered.
In addition, the arrows in the flowcharts described in the first to seventh embodiments mainly indicate input / output of data and signals, and the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, DVDs, and the like. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “to part” in the description of the first to seventh embodiments may be “to circuit”, “to apparatus”, “to device”, and “to step”, It may be “˜procedure” or “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” in the first to seventh embodiments. Alternatively, the computer executes the procedure and method of “to part” in the first to seventh embodiments.

  As described above, the log output device 10 according to the first to seventh embodiments includes a CPU that is a processing device, a memory that is a storage device, a magnetic disk, a keyboard that is an input device, a mouse, a communication board, and a display device that is an output device and a communication device. A computer including a board or the like, and implements the functions indicated as “to part” as described above using these processing devices, storage devices, input devices, and output devices.

  10 log output device, 20 APP, 100 log analysis unit, 110 cache, 200 log management unit, 210 initial setting information storage unit, 300 output destination management unit, 310 data storage device, 400 format management unit, 500 signature / encryption unit, 600 level management unit, 700 situation-dependent log setting unit, 710 change setting information storage unit, 800 external situation acquisition unit.

Claims (20)

A data input section for sequentially inputting data;
A data output unit connected to the data storage device and outputting the data input by the data input unit to the data storage device in accordance with a specified output setting;
An output for determining whether or not the data input by the data input unit matches an output setting change condition, and changing the output setting of the data output unit when the input data matches the change condition A data processing apparatus comprising: a setting change unit. The data input unit includes:
Enter the data in which the priority of any one of the multiple levels of priority is specified,
The output setting change unit
Before the condition matching data that matches the change condition is input, specify the first output setting that instructs the output of data for which the priority of the first level or higher is specified,
When the condition-matching data is input, the second output setting for instructing the output of data in which the priority of the second level or higher that is different from the first level is designated is changed,
The data output unit includes:
When the first output setting is specified, the data input by the data input unit is selected and output to the data storage device, the data specifying the priority of the first level or higher,
When the second output setting is designated, the data having the second or higher priority designated among the data inputted by the data input unit is selected and outputted to the data storage device. The data processing apparatus according to claim 1. The data processing device further includes:
A data storage unit that stores data that has been input by the data input unit and has not yet been output by the data output unit;
The output setting change unit
When the condition matching data is input, the second output setting is changed to indicate a second level lower than the first level,
The data output unit includes:
When the output setting is changed to the second output setting by the output setting change unit, the priority of the storage data input prior to the input of the condition matching data and stored in the data storage unit is the second 3. The data processing apparatus according to claim 2, wherein the stored data is output to the data storage device when the level is equal to or higher than the level. The data output unit includes:
4. The data processing according to claim 3, wherein when the priority of the condition matching data is a second level or higher, the condition matching data is output to the data storage device after the storage data is output. apparatus. The output setting change unit
At least when a predetermined number of pieces of data having a second priority or higher are output from the data output unit after the change to the second output setting and when a predetermined time has elapsed since the change to the second output setting 5. The data processing apparatus according to claim 2, wherein the output setting is returned to the first output setting. The data output unit includes:
Connected to a data storage device that stores data in units of a file with a predetermined data capacity, and when the free space of the file runs out, the data storage is performed while performing control to overwrite new data in order from the old data Output data to the device,
The output setting change unit
Before the condition matching data that matches the change condition is input, specify the first output setting that indicates the first value as the number of files,
When the condition-matching data is input, the number of files is changed to a second output setting that indicates a second value different from the first value,
The data output unit includes:
If the first output setting is designated, data output to the data storage device is performed based on the number of files corresponding to the first value, and the number of files corresponding to the first value has free space. When there is no more data, the old data is overwritten in order and new data is stored.
When the second output setting is designated, data is output to the data storage device based on the number of files corresponding to the second value, and the number of files corresponding to the second value is freed up. 6. The data processing apparatus according to claim 1, wherein when there is no more data, control is performed to store new data by overwriting in order from old data. The output setting change unit
The data processing apparatus according to claim 6, wherein when the condition matching data is input, the data processing apparatus is changed to a second output setting that indicates a second value that is larger than the first value. The data output unit includes:
Connected to a data storage device for storing data by providing a plurality of file systems each including at least one file;
The output setting change unit
Before the condition-matching data is input, specify the first output setting that indicates the first file system as the data output destination,
When the condition-matching data is input, the second file system different from the first file system is changed to the second output setting indicating the data output destination,
The data output unit includes:
When the first output setting is specified, the first file system is output to the data storage device as the output destination,
8. The data processing apparatus according to claim 6, wherein when the second output setting is designated, data output to the data storage apparatus is performed using the second file system as an output destination. The output setting change unit
Before the condition matching data that matches the change condition is input, specify a first output setting that indicates that neither encryption processing nor authentication value generation processing is performed,
When the condition matching data is input, the second output setting is changed to instruct to perform at least one of the encryption process and the authentication value generation process,
The data output unit includes:
When the first output setting is specified, the data that has not been subjected to either the encryption process or the authentication value generation process is output to the data storage device,
The data according to any one of claims 1 to 8, wherein when the second output setting is designated, data subjected to at least one of encryption processing and authentication value generation processing is output to the data storage device. A data processing device according to any one of the above. The data input unit includes:
Enter the data in which the priority of any one of the multiple levels of priority is specified,
The output setting change unit
The change condition is that a priority of a specific level or higher is specified,
The data processing apparatus according to any one of claims 1 to 9, wherein an output setting is changed when data having a priority level higher than the specific level is input. The output setting change unit
The change condition is that the data comes from a specific source,
The data processing apparatus according to claim 1, wherein an output setting is changed when data from the specific source is input. The data input unit includes:
Enter the data in which the priority of any one of the multiple levels of priority is specified,
The output setting change unit
Before the data from the specific source is input, specify a first output setting that directs the output of data with a priority of the first level or higher,
When data from the specific source is input, a second instruction is given to output data in which a priority of a second level or higher that is different from the first level is specified for the data from the specific source. Change the output setting to
The data output unit includes:
When the first output setting is specified, the data input by the data input unit is selected and output to the data storage device, the data specifying the priority of the first level or higher,
When the second output setting is designated, for the data from the specific source, the data designated with the priority of the second level or higher is selected and output to the data storage device. The data processing apparatus according to claim 11, wherein the data processing apparatus is characterized in that: The output setting change unit
Specifying a first output setting that indicates that neither encryption processing nor authentication value generation processing is performed before data from the specific source is input;
When data from the specific source is input, the data from the specific source is changed to a second output setting that instructs to perform at least one of encryption processing and authentication value generation processing,
The data output unit includes:
When the first output setting is specified, the data that has not been subjected to either the encryption process or the authentication value generation process is output to the data storage device,
When the second output setting is designated, for the data from the specific source, the data subjected to at least one of the encryption process and the authentication value generation process is output to the data storage device. The data processing apparatus according to claim 11 or 12, characterized in that The output setting change unit
The change condition is that the data contains a specific identifier,
The data processing apparatus according to claim 1, wherein an output setting is changed when data including the specific identifier is input. The data input unit includes:
Enter the data in which the priority of any one of the multiple levels of priority is specified,
The output setting change unit
Before the data including the specific identifier is input, specify the first output setting to instruct the output of the data with the priority of the first level or higher,
When the data including the specific identifier is input, the data including the specific identifier is designated with a priority of a second level or higher that is different from the first level. Change to the second output setting that instructs the output of
The data output unit includes:
When the first output setting is specified, the data input by the data input unit is selected and output to the data storage device, the data specifying the priority of the first level or higher,
When the second output setting is specified, for the data including the specific identifier, the data specifying the priority of the second level or higher is selected and output to the data storage device The data processing apparatus according to claim 14, wherein The output setting change unit
Before the data including the specific identifier is input, specify a first output setting that indicates that neither encryption processing nor authentication value generation processing is performed,
A second output for instructing to perform at least one of an encryption process and an authentication value generation process on the data including the specific identifier when the data including the specific identifier is input; Change to settings,
The data output unit includes:
When the first output setting is specified, the data that has not been subjected to either the encryption process or the authentication value generation process is output to the data storage device,
When the second output setting is specified, the data including at least one of the encryption process and the authentication value generation process is output to the data storage device for the data including the specific identifier 16. The data processing device according to claim 14, wherein the data processing device is a data processing device. The output setting change unit
The change condition is that a specific tendency is observed in the tendency of data input by the data input unit,
The data processing apparatus according to claim 1, wherein the output setting is changed when a specific tendency is observed. The data processing device further includes:
A state monitoring unit for monitoring a state of hardware included in the data processing device;
The output setting change unit
It is a change condition that the state monitoring unit detects a specific state of hardware,
The data processing apparatus according to claim 1, wherein the output setting is changed when the state monitoring unit detects a specific state of hardware. The data input unit includes:
The data processing apparatus according to claim 1, wherein log data is sequentially input. To a computer connected to a data storage device,
Data input processing to input data sequentially;
A data output process for outputting the data input by the data input process to the data storage device in accordance with a specified output setting;
An output for determining whether or not the data input by the data input process matches an output setting change condition, and for changing the output setting of the data output process when the input data matches the change condition A program for executing a setting change process.

Images