JP2012198796A - Log collection system, device, method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce time and effort of managing and setting for collecting the log information of a terminal device when remotely monitoring an operation state of the terminal device in real time.SOLUTION: A log collection system comprises a terminal apparatus and a server device. The terminal apparatus comprises: log collection storage means for collecting and storing log information; abnormality detection means for analysing stored log information and detecting an abnormal state; abnormality notification means for notifying an abnormal sate to the server device upon detection of abnormality. The server device comprises: log collection means for collecting log information stored in the terminal apparatus; abnormality analysis means for analysing the notified abnormal state; abnormality detection instruction means for instructing the abnormality detection means on setting of a detection method of an abnormal state in accordance with the contents of the abnormal state; terminal log collection storage instruction means for instructing the log collection storage means on setting of granularity and contents of log information to be collected and stored and on frequency of collecting and storing the log information; and log collection instruction means for instructing the log collection means on setting of contents and a collection frequency of log information to be collected from the terminal apparatus.

Description

  The present invention relates to a log collection system, a log collection device, a log collection method, and a log collection program that collect log information indicating an operation status from a terminal device, including a terminal device and a server device that manages the terminal device.

  Hardware and software defects in terminal equipment (hereinafter also simply referred to as terminals) due to the increased functionality and functionality of software and the spread of additional applications dynamically installed from external server devices to terminals The malfunction due to is increasing.

  On the other hand, once a terminal hardware product or a software product that operates on the terminal is shipped, it is difficult for those developers to know the operating status of each hardware and software in detail.

  As a method of collecting data indicating these operating conditions, there is a method of collecting log information recorded in a terminal when a user brings the terminal to a store or a support base when a problem occurs. There is also a system in which the operating status of terminal hardware or software is recorded as a log in a terminal in advance, and log information is transmitted to a specific server device using communication means.

  In the case of the latter system, a method is conceivable in which after a certain amount of log information is accumulated in the terminal, the log information is collectively transmitted from the terminal side or collected from the server device side. Alternatively, there is a method of transmitting to the server device whenever log information is generated. Further, the contents to be stored and transmitted can be set from management software on the terminal or management software on the server device.

  For example, Patent Document 1 collects log information output in association with data processing on each client terminal from a plurality of client terminals connected to a host computer, and stores it in a log database provided in a database server Techniques to do this are disclosed. In the technique described in Patent Document 1, the host computer predicts a process end time based on accumulated log information, and determines a process start time according to a preset desired end time.

  Patent Document 2 discloses a technique for transmitting operation log information of a user terminal to a user support server, detecting whether a failure has occurred in the user terminal based on the transmitted log information, and a failure. In such a case, a technique for displaying failure information on a display unit of a user support server is disclosed. In the technique described in Patent Document 2, all operation log information is always downloaded regardless of whether there is a failure or not, and failure analysis is performed on the server based on the extracted information. The failure analysis result is presented to the operator who uses the user support server.

JP 2008-059470 A JP 2006-099293 A

  When a user brings a terminal to a store or support base as described above, the method of collecting and analyzing log information from the terminal cannot monitor the state of the terminal in real time. Can not cope with.

  Therefore, it is conceivable to apply the techniques described in Patent Document 1 and Patent Document 2 to transmit the current log information from the terminal to the server device using the communication means and monitor the state of the terminal in real time. However, in this case, if all log information is collected and transmitted as needed, various terminal resources such as disk capacity on the terminal, CPU, memory, power, and network bandwidth during communication are wasted. .

  In order to improve such waste of resources, it is also possible to instruct the server device to change settings such as the level of detail and contents of log information collected by the terminal as needed. However, in that case, management of the administrator who operates the server device and work man-hours occur, and particularly when the number of terminals to be managed becomes large, the work man-hours also become large. Patent Document 2 describes a technique for presenting a failure analysis result to an operator who uses a user support server, but does not describe waste of resources, subsequent troubleshooting, and the like.

  Accordingly, the present invention provides a log collection system and log collection that can reduce the trouble of collecting and managing log information of a terminal device when remotely monitoring the operation status of the hardware and software of the terminal device in real time. An object is to provide an apparatus, a log collection method, and a log collection program.

  A log collection system according to the present invention includes a terminal device and a server device connected to the terminal device by wireless or wired communication means, and the terminal device collects log information on the operation status of the hardware and software of the terminal device. A server that collects the log information stored in the terminal device, analyzes the log information collected and stored by the log collector, detects an abnormal condition, and detects the abnormal condition. The server device includes a log collection unit that collects log information accumulated in the terminal device, an abnormality analysis unit that analyzes the abnormal state notified by the abnormality notification unit, According to the content of the abnormal state analyzed by the abnormality analysis means, the abnormality detection instruction means for instructing the abnormality detection means to set the detection method of the abnormal state, and the abnormality analysis means analyze Terminal log collection and accumulation instruction means for instructing the setting of the granularity and contents of log information collected and accumulated in the log collection and accumulation means and the frequency of collection and accumulation according to the contents of the abnormal state, and abnormality analysis means And log collection instructing means for instructing the log collecting means to set the contents of log information collected from the terminal device and the collection frequency in accordance with the contents of the abnormal state analyzed by the above.

  The log collection device according to the present invention includes log collection means for collecting log information on the operation status of the hardware and software of the terminal device collected and accumulated by the terminal device, and detects and notifies an abnormal state from the terminal device. An abnormality analysis unit that analyzes the abnormal state, an abnormality detection instruction unit that instructs the terminal device to set an abnormal state detection method according to the content of the abnormal state analyzed by the abnormality analysis unit, Terminal log collection and accumulation instruction means for instructing the terminal device to set the granularity and contents of log information to be collected and accumulated and the frequency of collection and accumulation according to the contents of the abnormal state analyzed by the analysis means; Log collection instruction means for instructing the log collection means to set the content of log information collected from the terminal device and the collection frequency according to the contents of the abnormal state analyzed by the abnormality analysis means. And said that there were pictures.

  The log collection method according to the present invention collects the log information of the operation status of the hardware and software of the terminal device on the terminal device and accumulates it in the terminal device, analyzes the log information collected and accumulated on the terminal device, When an abnormal state is detected and an abnormal state is detected on the terminal device, the abnormal state is notified to the server device, the log information accumulated in the terminal device is collected on the server device, and the abnormal state notified on the server device In accordance with the contents of the abnormal state analyzed on the server device, the abnormality detection unit is instructed to set the detection method of the abnormal state, and the log is displayed according to the content of the abnormal state analyzed on the server device. Instruct the collection and storage means to set the granularity and contents of log information to be collected and stored, and the frequency to collect and store, and Depending on the contents of the status, the log collecting means, characterized by instructing the contents of the log information collected from the terminal device, the setting of the collection frequency.

  The log collection program according to the present invention is a log collection process that collects log information on the operation status of hardware and software of a terminal device collected and accumulated in a terminal device from a terminal device, and detects an abnormal state from the terminal device. When notified, the abnormality analysis processing for analyzing the abnormal state, the abnormality detection instruction processing for instructing the terminal device to set the detection method of the abnormal state according to the content of the analyzed abnormal state, and the analysis Depending on the contents of the abnormal state, the terminal log collection and accumulation instruction processing for instructing the terminal device to set the granularity and contents of the log information to be collected and accumulated and the frequency to collect and accumulate, and the analyzed abnormal state According to the content, the log collection means is caused to execute log collection instruction processing for instructing the setting of the content of the log information collected from the terminal device and the collection frequency. To.

  ADVANTAGE OF THE INVENTION According to this invention, when the operating condition of the hardware and software of a terminal device is monitored remotely in real time, the effort of collection management and setting of the log information of a terminal device can be reduced.

It is a block diagram which shows an example of a structure of the log collection system by this invention. It is a flowchart which shows the operation example of a log collection system. It is a sequence diagram which shows the operation example of a log collection system. It is a block diagram which shows an example of a structure of 2nd Embodiment of a log collection system. It is a block diagram which shows an example of a structure of 3rd Embodiment of a log collection system. It is a block diagram which shows the other application example of this invention. It is a block diagram which shows the other application example of this invention. It is a block diagram which shows the minimum structural example of a log collection system.

Embodiment 1. FIG.
Next, a first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing an example of the configuration of a log collection system according to the present invention. Referring to FIG. 1, in the first embodiment of the present invention, the log collection system includes terminal devices 100 to 10N and a server device 200. Further, the terminal devices 100 to 10N and the server device 200 are connected to each other via a communication network such as wireless, LAN, or the Internet.

  Specifically, the terminal device 100 is realized by an information processing apparatus such as a personal computer that operates according to a program. As shown in FIG. 1, the terminal device 100 includes a log collection and storage unit 110, a terminal log database 120, an abnormality detection unit 130, and an abnormality notification unit 140. Note that the terminal 100 to the terminal device 10N all have the same configuration.

  Specifically, the server device 200 is realized by an information processing device such as a personal computer that operates according to a program. As shown in FIG. 1, the server device 200 includes a log collection unit 210, a log database 220, an abnormality analysis unit 230, an abnormality detection instruction unit 240, a terminal log collection accumulation instruction unit 250, and a log collection instruction unit 260. Each of these means included in the terminal device 100 or the server device 200 generally operates as follows.

  The log collection / accumulation unit 110 has a function of collecting hardware and software operation log information generated in the terminal device 100 and accumulating it in the terminal log database 120. Note that the content, granularity, and collection frequency of log information collected by the log collection and accumulation unit 110 and accumulated in the terminal log database 120 can be changed from the outside of the terminal. For example, these settings are changed according to the setting change instruction transmitted by the terminal log collection / accumulation instruction means 250. Further, the log collection and accumulation unit 110 is specifically realized by a CPU of an information processing apparatus that operates according to a program.

  The terminal log database 120 includes log information collected by the log collection and accumulation unit 110. Specifically, the terminal log database 120 is stored in the storage unit of the terminal device 100.

  The abnormality detection unit 130 has a function of analyzing the log information stored in the terminal log database 120 by the log collection storage unit 110 and detecting a hardware and software abnormality of the terminal device 100. The analysis method executed by the abnormality detection unit 130 can be changed from the outside of the terminal. For example, this setting is changed according to an analysis instruction transmitted by the abnormality detection instruction unit 240. Further, the abnormality detection unit 130 is specifically realized by a CPU of an information processing apparatus that operates according to a program.

  The abnormality notification unit 140 has a function of notifying the server device 200 of an abnormality when the abnormality detection unit 130 detects an abnormality. Further, the abnormality notification unit 140 is specifically realized by a CPU and a network interface unit of an information processing apparatus that operates according to a program.

  The log collecting unit 210 collects log information collected by each log collecting and accumulating unit 110 of the terminal devices 100 to 10N managed by the server device 200 through a communication network in which the terminal devices 100 to 10N and the server device 200 are connected to each other. And a function of collecting the data in the log database 220. The target terminal device from which the log collecting unit 210 collects logs, log contents, granularity, collection frequency, and the like can be changed. For example, these settings are changed according to a setting change instruction output by the log collection instruction unit 260.

  The log database 220 includes log information collected by the log collection unit 210. Specifically, the log database 220 is stored in the storage unit of the server device 200.

  When the abnormality analysis unit 230 receives the abnormality notification from the abnormality notification unit 140 of the terminal device 100 to 10N, based on the content of the abnormality notification and the log information accumulated in the log database 220, a detailed analysis of the abnormality that has occurred, It has a function to list log information that is insufficient for analysis. Specifically, the abnormality analysis unit 230 is realized by a CPU of an information processing apparatus that operates according to a program.

  The abnormality detection instruction unit 240 is an optimum analysis method for detecting an abnormality with respect to the abnormality detection unit 140 of the terminal devices 100 to 10N based on the analysis result indicating the content of the abnormality analyzed by the abnormality analysis unit 230. It has a function to specify. For example, the abnormality detection instruction unit 240 transmits an analysis instruction by an optimal analysis method to the abnormality detection unit 140 of the terminal devices 100 to 10N. Further, the abnormality detection instruction unit 240 is specifically realized by a CPU and a network interface unit of an information processing apparatus that operates according to a program.

  The terminal log collection / accumulation instruction unit 250 collects and accumulates the logs of the terminal devices 100 to 10N based on the content of the abnormality analyzed by the abnormality analysis unit 230 and the type of log information listed as insufficient for analysis. A function is provided for instructing means 110 to change the settings of the log contents and granularity to be collected and accumulated, and the frequency of collection and accumulation. Specifically, the terminal log collection / accumulation instruction unit 250 is realized by a CPU and a network interface unit of an information processing apparatus that operates according to a program.

  Based on the content of the abnormality analyzed by the abnormality analysis unit 230 and the type of log information listed as insufficient for analysis, the log collection instruction unit 260 sends the log collection instruction unit 260 to the log collection unit 210 of the server device 200. And a function for outputting a setting change instruction for the contents, granularity, and frequency of log information collected from the terminal devices 100 to 10N. Specifically, the log collection instruction unit 260 is realized by a CPU of an information processing apparatus that operates according to a program.

  Next, the overall operation of the present embodiment will be described with reference to FIG. 1, FIG. 2, and FIG. FIG. 2 is a flowchart illustrating an operation example of the log collection system. FIG. 3 is a sequence diagram illustrating an operation example of the log collection system.

  In the example described below, the log collection and accumulation means 110 of the terminal devices 100 to 10N always operates on the terminal, monitors the operation status of the hardware and software of the terminal device, collects the operation log information, and It is recorded in the log database 120 and continues to be accumulated.

  For example, in the case of the operation log of the hardware of the terminal device, the data indicating the operation status such as the power-on time, the device temperature, the rotation speed, etc. A warning message when it occurs, code information indicating the cause, and the like are included.

  In the case of the operation log of the software of the terminal device, individual debug information embedded in the source code of each software, application start / end information, information on each generated software or error occurring in the OS OS resource information such as CPU usage and memory usage.

  Log recording format includes, for example, the date and time of occurrence, log type such as general information or error information, the importance of the log, the hardware location and software module name that caused the log output, the event that occurred, etc. These are sequentially stored in the terminal log database 120 as one piece of log information.

  The contents, granularity, and frequency of the log recorded by the log collection and storage unit 110 in the terminal log database 120 can be changed from other modules existing inside and outside the terminal. For example, in a normal state in which no abnormality has occurred, the log collection and accumulation unit 110 collects only important information as the log contents and only the summary level as the log granularity to collect the terminal log database at a low frequency. Record at 120. Thereby, the usage amount of the CPU, the memory, and the disk of the terminal device related to the log collection and accumulation in the normal state can be suppressed.

  In this example, the log collecting unit 210 on the server device 200 collects log information from the terminal log database 120 of the terminal devices 100 to 10N managed by the server device 200 via the communication network every predetermined period. Are accumulated in the log database 210. For example, each terminal device may be controlled to transmit log information to the server device 200 every predetermined period. Alternatively, the server device 200 transmits a log information acquisition request to the terminal device each time, and the terminal device requests the acquisition. Accordingly, the log information may be transmitted to the server device 200.

  The log collection contents, granularity, and frequency when collecting logs from the terminal log database 120 can be changed at any time. For example, in the normal state, only important information is collected and accumulated only at the overview level and at a low frequency.

  If an abnormality occurs in the operation status of the hardware or software of the terminal device while the operation as described above is being performed, the abnormality detection unit 130 detects the abnormality (step A1 in FIGS. 2 and 3).

  As an abnormality detection method, when the type of log generated this time indicates a hardware or software error, or when the sensor value in the terminal or the OS resource usage exceeds a certain value, the log contents An example is to interpret and detect. In this case, the log type, content, and sensor value threshold treated as abnormal are separately managed as setting information.

  As another abnormality detection method, there is a method of analyzing not only the contents of the log generated this time but also data accumulated in the terminal log database 120 so far. As an example of analysis of this case, there is a method in which a normal value is calculated by integrating and averaging accumulated log information, and a case where a log generated this time deviates from the normal value is regarded as abnormal.

  When the abnormality detection unit 130 detects an abnormality, the abnormality notification unit 140 notifies the details of the detected abnormality to the server device 200 via the communication network (step A2 in FIGS. 2 and 3).

  As an example of notification content, the time of occurrence of the abnormality, the location of the hardware or software module where the abnormality occurred, the importance of the abnormality that occurred, the details of the abnormality that occurred, such as temperature abnormality, other hardware at that time, The operating status of the software module.

  The server device 200 that has received the notification from the abnormality notification unit 140 analyzes the abnormality that has occurred using the abnormality analysis unit 230 (step A3 in FIGS. 2 and 3). Here, if the cause of the abnormality can be identified, the abnormality analysis unit 230 controls to display the identification result on the display unit and presents it to the administrator. When the cause of the abnormality cannot be identified, the abnormality analysis unit 230 identifies an event candidate that is assumed to be the cause of the abnormality. Hereinafter, in this example, a case where a single cause of an abnormality cannot be specified will be described.

  As a method of abnormality analysis, for example, using the log information of other terminals stored in the log database 210 collected and accumulated so far from each terminal, abnormality occurrence conditions, abnormal value comparison, etc. are performed. Searching for the cause of the abnormality. It is also possible to send a notice of the occurrence of an abnormality to the terminal hardware, software developer, or administrator who caused the problem.

  Here, if there is no abnormality at the other terminal at the present time, but there is a possibility that an abnormality will occur at the other terminal in the future, or if the information necessary for abnormality analysis is insufficient, the abnormality analysis means 230 calculates and lists the contents of log information necessary for further analysis, its detection method, and log collection frequency (step A4 in FIGS. 2 and 3).

  As this calculation method, for example, for each abnormality occurrence result, an assumed cause, a kind of factor information necessary for specifying the cause, and a data amount thereof are prepared as an analysis process definition file. Then, the necessary amount of necessary factor information is prepared by comparing the analysis process definition file with the current abnormality result, the content of the abnormality notification transmitted from the terminal device, and the log information accumulated in the log database 210. There is a method of checking whether or not.

  As an example of the abnormality occurrence result, the assumed cause, and the factor information necessary for identification, the assumed cause for the abnormality occurrence result of the temperature sensor value abnormality in the terminal is the malfunction of the cooling fan, the outside temperature An increase, an increase in CPU load, etc. can be considered. The factor information necessary for specifying the cause includes outside air temperature data, a change in the CPU usage rate during a certain period of time, and the number of rotations of the cooling fan.

  For example, by preparing these pieces of information as an analysis process definition file, if an abnormal state that is a temperature sensor value abnormality is transmitted as an abnormality notification from the terminal device 100 this time, the abnormality analysis unit 230 is necessary for the cause analysis. It is checked whether or not the cooling fan rotation speed data, the outside air temperature data, and the CPU usage rate data are available for a certain period of time, and if there is insufficient information, it is listed.

  As described above, the abnormality analysis unit 230 identifies information indicating an event candidate assumed to be the cause of the abnormality in the process of step A3, and is insufficient for further detailed analysis and cause identification in the process of step A4. Information (for example, log information of a predetermined type) is listed. Next, using this information, each of the abnormality detection instruction means 240, terminal end log collection / storage instruction means 250, and log collection instruction means 260 executes the following processing.

  First, the abnormality detection instructing unit 240 performs abnormality detection on the abnormality detecting unit 130 of the terminal devices 100 to 10N based on information indicating event candidates assumed to be the cause of the occurrence of the abnormality analyzed by the abnormality analyzing unit 230. For this purpose, an optimal analysis method is designated (step A5 in FIGS. 2 and 3).

  For example, when an example of occurrence of temperature sensor value abnormality is used, the abnormality detection instructing means 240 is used when the cooling fan rotation speed falls below a certain predetermined value or when the CPU usage rate exceeds a certain predetermined value as an average over a predetermined period. In addition, the abnormality detection unit 130 is instructed to detect the abnormality. Specifically, the abnormality detection instruction unit 240 transmits an instruction of the analysis method to the abnormality detection unit 130, and the abnormality detection unit 130 executes analysis processing according to the received instruction.

  As a result, each abnormality detection means 130 of the terminal devices 100 to 10N detects only an abnormal value that is apparent during normal operation, but operates at a low load, but an abnormality occurs, and a detailed analysis of the abnormality is performed. In a situation where there is a need, it is possible to operate in detail to execute an abnormality detection process specialized in the abnormality analysis.

  Further, the terminal log collection / accumulation instruction unit 250 includes information indicating an event candidate assumed to be the cause of the abnormality analyzed by the abnormality analysis unit 230 and the type of log information listed as insufficient for analysis. Based on this, the log collection / storage means 110 of the terminal devices 100 to 10N is instructed to change the settings of the content and granularity of log information to be collected and stored, and the frequency of collection and storage (steps in FIGS. 2 and 3) A6). Specifically, the terminal log collection / accumulation instruction unit 250 transmits a setting change instruction to the log collection / accumulation unit 110, and the log collection / accumulation unit 110 collects log information according to the received instruction.

  In response to this instruction, the log collecting / accumulating means 110, using the example of the occurrence of the temperature sensor value abnormality as well, with respect to the terminal operating status such as the value of the cooling fan rotation speed, the value of the outside air temperature, and the value of the CPU usage rate, More specifically, the log contents that have not been collected and accumulated in a high frequency or in a normal state are also recorded and accumulated in the terminal log database 120.

  Further, the log collection instructing unit 260 is based on information indicating an event candidate assumed to be the cause of the abnormality analyzed by the abnormality analyzing unit 230 and the type of log information listed as insufficient for analysis. Then, the log collection unit 210 of the server apparatus 200 is instructed to change the settings of the content and granularity of log information collected from the terminal devices 100 to 10N and the collection frequency (step A7 in FIGS. 2 and 3). Specifically, the log collection instruction unit 260 outputs a setting change instruction to the log collection unit 210, and the log collection unit 210 collects log information according to the received instruction.

  The change in the contents, granularity, and frequency corresponds to the change instructed by the terminal log collection / storage instruction unit 250 to the log collection / storage unit 110. That is, this is a process for collecting and accumulating log information recorded and accumulated in the terminal log database 120 with new contents, granularity, and frequency in the log database 220 through the log collecting means 210 of the server device 200.

  With these instructions, it is possible to collect information that was insufficient for the abnormality analysis at the time of step A3. Steps A5 to A7 are not limited to the execution order described above, and any process may be executed first. Thereafter, the abnormality analysis unit 230 analyzes the abnormality that has occurred again based on the collected information (step A8 in FIGS. 2 and 3).

  Here, the additional collection and analysis of information is performed not only on the terminal where the abnormality actually occurred, but also on other terminals, so that the device between the malfunctioning device and the device operating normally Can be compared, and more detailed cause analysis processing can be performed.

  When a new abnormality cause candidate appears by this analysis processing and the existence of information that is insufficient for analysis becomes clear, the operation may be repeated from step A4.

  Thereafter, when the cause identification is finally completed, each of the abnormality detection instruction means 240, the terminal end log collection accumulation instruction means 250, and the log collection instruction means 260 includes the abnormality detection means 130, the log collection accumulation means 110, the log An instruction is transmitted to each means of the collection instruction means 260 so as to return to the normal setting before the occurrence of the abnormality.

  The procedure for instructing the return to the normal setting may be the timing of completion of the cause identification by the abnormality analysis means 230. In addition, the fact that the abnormality is no longer detected by hardware repair or replacement of the terminal device in which the abnormality has occurred or software update is stored in the log database 220 on the server device 200 via the terminal log database 120 by this system. An operation in which an instruction is transmitted after the abnormality analysis unit 230 confirms with log information is also conceivable.

  Next, the effect of this embodiment will be described. The effect of this embodiment is that, in a system composed of a server device and a plurality of terminal groups managed by the server device, the terminal group and the server device cooperate with each other to monitor and analyze terminal hardware and software abnormalities. By performing autonomously, it is possible to perform timely and detailed monitoring and analysis of terminal hardware and software abnormalities while realizing reduction in man-hours for server administrators. The reason for this is that when a hardware or software abnormality occurs in a certain terminal, the log collection / accumulation means and abnormality detection means on the terminal, the abnormality analysis means on the server device and each instruction means cooperate with each other on the terminal. This is because the server administrator's log setting change instruction work becomes unnecessary by autonomously changing the log collection contents, granularity, and frequency. In addition, it is possible to collect various log information for abnormality analysis at high speed by instructing not only the terminal in which the abnormality has occurred but also the other terminals to collect log information relating to the abnormality.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 4 is a block diagram showing an example of the configuration of the second embodiment of the log collection system.

  The configuration of the present embodiment shown in FIG. 4 is obtained by adding a server abnormality detection unit 270 on the server device 200 to the first embodiment. The configuration and operation of this embodiment are the same as those of the first embodiment, except for the abnormality detection processing by the server abnormality detection means 270 on the server device 200. Only the parts different from the first embodiment will be described below.

  The server abnormality detection means 270 on the server device 200 performs abnormality detection processing based on the log information collected from the terminals 100 to 10N stored in the log database 210 on the server device 200. A major difference from the abnormality detection means 130 on the terminal 100 is that, when monitoring logs and detecting an abnormality regarding the operating status of certain hardware or software, this is performed while comparing the corresponding log information between different terminals. It is.

  As a result, in this embodiment, in addition to the effects of the first embodiment, even when the abnormal value cannot be detected when viewed from a single terminal, the log information value is different from the log information of other terminals. If there is a terminal indicating the error, it is possible to detect it early as an abnormality or a sign of the abnormality and take a countermeasure. Further, in the present embodiment, an instruction for early detection as an abnormality or a sign thereof and collecting related logs in more detail is displayed again on the server device 200 as an abnormality detection instruction means 240, terminal-end log collection accumulation instruction means 250, log collection It is possible to obtain an effect that it can be performed using each instruction unit of the instruction unit 260.

Embodiment 3. FIG.
Next, a third embodiment of the present invention will be described. FIG. 5 is a block diagram illustrating an example of a configuration of the third embodiment of the log collection system.

  The configuration of the present embodiment illustrated in FIG. 5 is obtained by adding terminal device attribute information management means 280 on the server device 200 to the first embodiment. The operation of the present embodiment is as follows. The terminal device attribute information management unit 280 on the server device 200, the abnormality detection instruction unit 240, the terminal end log collection / storage instruction unit 250, and the log collection for the terminal devices 100 to 10N using the terminal device attribute information management unit 280 The second embodiment is the same as the first embodiment except for the instruction process using the instruction means of the instruction means 260. Only the parts different from the first embodiment will be described below.

  The terminal device attribute information management means 280 on the server device 200 stores various attribute information related to the terminal devices 100 to 10N managed by the server device 200. Examples of attribute information include, for example, the terminal hardware specifications, the list of installed applications, the geographical location of the terminal, the age of the user using the terminal, profile information such as gender, and the frequency of use of individual applications There is something like. These may be registered in the server device 200 in advance, or information may be dynamically transmitted from the terminal device.

  In the present embodiment, after the abnormality analysis unit 230 executes the analysis process, the abnormality detection instruction unit 240, the terminal end log collection accumulation instruction unit 250, and the log collection instruction unit 260 are instructed to the terminal devices 100 to 10N. Instructs to change log collection, accumulation, and error detection processing settings. At this time, in this embodiment, each of the instruction means of the abnormality detection instruction means 240, terminal end log collection / storage instruction means 250, and log collection instruction means 260 is set for each terminal device stored in the terminal device attribute information management means 280. It operates to refer to attribute information and issue a setting change instruction according to the attribute.

  As an example, it is conceivable that log content, granularity, and frequency change instructions are transmitted only to terminal devices that have the same hardware specifications or the same software installed as the terminal where the abnormality occurred. On the other hand, it can be considered that the change instruction is transmitted only to terminal devices having different attribute values, for example, the geographical location of the terminal, the gender of the possessing user, and different age groups. It is also possible to change the contents, granularity, and frequency of collected logs according to the difference in attribute information.

  From the above, in this embodiment, in addition to the effects of the first embodiment, these operations make it easy to perform log information with wide variations without causing high-load processing to all terminal devices. Can be collected. Note that the present embodiment can also be configured to include the server abnormality detection means 270, and the same effects as those of the second embodiment can be obtained.

  As described above, in a server-terminal system including a server device and a plurality of terminal devices connected to each other via a wired or wireless communication network, hardware and software operation information of the terminal device is accumulated and collected as log information, and the server An embodiment of an autonomous log collection system that is analyzed by a device has been described. However, the present invention is not limited to the embodiment described above. For example, as another embodiment, autonomous sensor information in a system including a server device and a plurality of sensors as shown in FIG. The present invention can be applied to a collection, storage, and analysis system. In addition, autonomous sensor information collection, storage, and analysis in a system including a server device and a plurality of sensors and a terminal device that collects the sensors as shown in FIG. It is also applicable to the system. The operation at that time is the same as that described in the first to third embodiments. Moreover, the same effect can be acquired by the operation | movement.

  As an example of the terminal device illustrated in FIG. 7, a device cooperation unit with a sensor device such as a mobile phone, a home server device, an access point, a TV receiver, and the like, and a wired or wireless communication unit with the server device are provided. Equipment is assumed.

  As described above, the present invention, in a configuration comprising a plurality of terminal groups and a server device that manages the group, logs information about hardware and software operating status generated and collected on each terminal, The present invention also relates to a log collection system that collects and analyzes data of various sensors existing in the vicinity of a terminal by a management server device.

  Moreover, it can be said that the present invention has the following features. That is, the log collection system of the present invention collects, monitors, and analyzes the corresponding log in the server device while monitoring the operation status of the hardware and software on a plurality of terminals on each terminal and storing the log information. In the system, log collection and storage means for storing the operating status log information of terminal hardware and software on each terminal in each terminal, and the collection and accumulation of log information collected on each terminal and analyzing the accumulated log information to detect abnormalities An anomaly detecting means for detecting an anomaly to the server device when an abnormality is detected in the anomaly detecting means on each terminal, and collecting log information accumulated in each terminal on the server device, Log collection means and anomaly analysis means for analyzing the anomaly transmitted by the anomaly notification means on the terminal on the server device An abnormality detection instruction means for instructing the abnormality detection means on each terminal to set an abnormality detection method according to the content of the abnormality analyzed by the abnormality analysis means on the server device, and an abnormality analysis means on the server device. Terminal log collection and accumulation instruction means for instructing log collection accumulation granularity, content, and frequency settings for the log collection and accumulation means on each terminal according to the content of the analyzed abnormality, and the abnormality analyzed by the abnormality analysis means on the server device Log collection instructing means for instructing log collection means on the server device to set log collection contents and frequency from each terminal.

  The above means operate as follows. The log collection and storage means on each terminal constantly monitors the operating status of the hardware and software in the terminal, and stores log information indicating the operating status in the terminal. Further, the abnormality detection means on the terminal analyzes the log information of the operating status and monitors whether an abnormality has occurred in the hardware and software.

  In a normal state in which no abnormality has occurred, the log collection unit on the server device collects only the main log information accumulated in each terminal, for example, at a predetermined frequency, and collects it on the server device. Accumulated. Therefore, in this state, the amount of log information collected from each terminal by the server using the communication means is small.

  Here, when a hardware or software abnormality occurs in any one of the plurality of terminals managed by the server device, the abnormality detecting means on the terminal detects this and the abnormality notifying means The fact that an abnormality has occurred to the server device is transmitted together with the analysis result.

  The abnormality analysis unit on the server apparatus that has received the information analyzes the abnormal state by combining the information transmitted by the abnormality notification unit and the log information collected so far from each terminal. At the same time, in order to collect more detailed information on the hardware and software related to this abnormality, collect the related hardware and software logs in more detail for all terminals managed by the server. Instruct to accumulate.

  When issuing an instruction, the server device uses the terminal log collection / accumulation instruction means to instruct the log collection / accumulation means of each terminal to change log information collection, accumulation granularity, and frequency. The server device also uses the log collection instruction unit to instruct the log collection unit on the server to change the contents of the log collected from each terminal and the collection frequency. Further, the server device uses the abnormality detection instruction means to instruct the abnormality detection means of each terminal to execute an abnormality detection method that can detect the abnormality that has occurred this time in more detail.

  After this, the cause of the abnormality will be determined by the analysis result of the abnormality, and the operation when the occurrence of the abnormal event is reduced or the occurrence of the abnormal event is stopped due to the terminal hardware and software renovation or improvement update. explain. In this case, the abnormality analysis unit on the server device detects by analyzing the log information collection result from each terminal and uses each of the terminal log collection accumulation instruction unit, the log collection instruction unit, and the abnormality detection instruction unit, It operates to restore the log collection contents, granularity, frequency, etc. to the initial state.

  As described above, when each means executes processing, in a system composed of a server device and a plurality of terminal groups managed by the server device, monitoring and analysis of terminal hardware and software abnormalities are performed with the terminal group. Servers can cooperate and perform autonomously.

  Next, the minimum configuration of the log collection system according to the present invention will be described. FIG. 8 is a block diagram illustrating a minimum configuration example of the log collection system. As illustrated in FIG. 8, the log collection system includes a terminal device 100 and a server device 200 as minimum components.

  In addition, the terminal device 100 includes a log collection / accumulation unit 110 that collects and accumulates log information on the operation status of the terminal device, an abnormality detection unit 130, and an abnormality notification unit 140. The server device 200 also includes a log collection unit 210 that collects log information accumulated in the terminal device, an abnormality analysis unit 230, an abnormality detection instruction unit 240, a terminal log collection accumulation instruction unit 250, and a log collection instruction unit 260.

  In the log collection system with the minimum configuration shown in FIG. 8, when the abnormality detection unit 130 analyzes the log information and detects an abnormal state, the abnormality notification unit 140 notifies the server device of the abnormal state. Then, the abnormality analysis unit 230 analyzes the notified abnormal state.

  Then, the abnormality detection instruction unit 240 instructs the abnormality detection unit 130 to set an abnormal state detection method according to the content of the abnormal state. Further, the terminal log collection / accumulation instruction unit 250 instructs the log collection / accumulation unit 110 to set the granularity and content of log information to be collected and accumulated and the frequency of collection and accumulation in accordance with the contents of the abnormal state. . In addition, the log collection instruction unit 260 instructs the log collection unit 210 to set the content of log information collected from the terminal device and the collection frequency according to the content of the abnormal state analyzed by the abnormality analysis unit 230. .

  Therefore, according to the minimally configured log collection system, when the operation status of the hardware and software of the terminal device is remotely monitored in real time, the terminal device and the server device can change settings autonomously. Accordingly, it is possible to reduce the trouble of collecting and managing log information of the terminal device.

  In the present embodiment, the characteristic configuration of the log collection system as shown in the following (1) to (5) is shown.

  (1) The log collection system includes a terminal device (for example, realized by the terminal device 100) and a server device (for example, realized by the server device 200) connected to the terminal device by wireless or wired communication means. The terminal device collects log information on the operation status of the hardware and software of the terminal device and stores the log information in the terminal device (for example, realized by the log collection storage unit 110), and a log When the collecting means analyzes the log information collected and accumulated and detects an abnormal state (for example, realized by the abnormality detecting means 130), and when the abnormality detecting means detects the abnormal state, the server device detects an abnormal state. The server device includes a log stored in the terminal device, including an abnormality notification unit (for example, realized by the abnormality notification unit 140). Log collecting means for collecting information (for example, realized by the log collecting means 210), an abnormality analyzing means for analyzing the abnormal state notified by the abnormality notifying means (for example, realized by the abnormality analyzing means 230), an abnormality An abnormality detection instruction means (for example, realized by the abnormality detection instruction means 240) for instructing the abnormality detection means to set the detection method of the abnormal state according to the contents of the abnormal state analyzed by the analysis means; Depending on the contents of the abnormal state analyzed by the means, terminal log collection and accumulation instruction means for instructing the setting of the granularity and contents of log information collected and accumulated to the log collection and accumulation means and the frequency of collection and accumulation (for example, And the terminal log collection / accumulation instruction means 250) and the terminal device for the log collection means according to the contents of the abnormal state analyzed by the abnormality analysis means. And contents of the log information collected from the log collection instructing means for instructing the setting of the collection frequency (e.g., as implemented by the log collection instructing means 260), characterized in that it comprises a.

  (2) In the log collection system, the abnormality analysis unit includes information indicating the abnormal state notified by the abnormality notification unit, and log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collection unit. May be configured to analyze an abnormal condition based on

  (3) In the log collection system, the abnormality analysis unit includes information indicating the abnormal state notified by the abnormality notification unit, and log information on the operation status of the hardware and software of the terminal device collected and accumulated by the log collection unit, When analyzing the cause of the abnormal condition based on the above, for each of the abnormal conditions that occurred, for each possible cause of multiple abnormal causes, the type of the cause information and the amount of data required to identify each cause, The analysis process definition file is stored in advance, and the cause of the abnormal condition is identified by comparing the analysis process definition file with the current abnormal condition, information indicating the abnormal condition notified from the terminal device, and log information. It may be configured as follows.

  (4) In the log collection system, when analyzing the cause of the abnormal condition in the error analysis means, the log information on the operation status of the type, granularity, or data amount necessary for identifying the cause included in the analysis processing definition file , An abnormality detection instructing means when it cannot be obtained only from the information indicating the abnormal state notified by the abnormality notifying means and the log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collecting means The terminal log collection / accumulation instructing unit and the log collection instructing unit may be configured to perform control so as to newly collect log information of operation status necessary for cause analysis from each terminal device.

  (5) In the log collection system, the server device uses the log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collection means, and the same hardware or software among the plurality of terminal devices It is configured to include server abnormality detection means (for example, realized by the server abnormality detection means 270) that compares and analyzes the operation status of the locations, extracts differences, and detects early malfunctions that lead to abnormalities. May be.

  A part or all of the above embodiments can be described as in the following supplementary notes, but is not limited thereto.

(Supplementary note 1) The abnormal state is analyzed based on the information indicating the notified abnormal state and the log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collecting means. Log collection method.

(Appendix 2) When analyzing the cause of the abnormal state based on the information indicating the notified abnormal state and the log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collecting means, For each of the abnormal conditions that occurred, multiple possible causes of abnormal causes, the types of cause information necessary to identify each cause, and the amount of data are stored in advance as an analysis process definition file. The log collection method according to claim 8 or 2, wherein the cause of the abnormality is identified by comparing the definition file with the abnormal state that has occurred this time, information indicating the abnormal state notified from the terminal device, and log information.

(Supplementary Note 3) When analyzing the cause of an abnormal condition, the log information on the operating status of the type, granularity, or data amount necessary for identifying the cause, included in the analysis process definition file, indicates the notified abnormal condition Information and the log information on the operation status necessary for the cause analysis from the terminal device when it cannot be obtained only from the log information on the operation status of the hardware and software of the terminal device collected and accumulated by the log collection means The log collection method according to appendix 2, which operates to collect.

(Appendix 4) Using collected and accumulated terminal device hardware and software operating status log information, the operating status of the same hardware or software location between multiple terminal devices is compared and analyzed, and the difference The log collection method according to any one of claims 8 and appendix 1 to appendix 3, wherein a point is extracted to detect an operation failure leading to occurrence of an abnormality at an early stage.

  The present invention can be applied to a remote information collection and failure analysis system of a server-terminal system comprising a server device and a plurality of terminal devices connected to each other by a wired or wireless communication network.

100 to 10N terminal equipment 110 log collection and storage means 120 terminal log database 130 abnormality detection means 140 abnormality notification means 200 server device 210 log collection means 220 log database 230 abnormality analysis means 240 abnormality detection instruction means 250 terminal log collection accumulation instruction means 260 log Collection instruction means 270 Server abnormality detection means 280 Terminal device attribute information management means

Claims (8)

Terminal equipment,
A server device connected to the terminal device by wireless or wired communication means,
The terminal device is
Log collection and storage means for collecting log information on the operating status of the hardware and software of the terminal device and storing the log information in the terminal device;
Analyzing the log information collected and accumulated by the log collecting means, and detecting an abnormal state;
When the abnormality detection means detects an abnormal condition, the abnormality notification means for notifying the server apparatus of the abnormal condition,
The server device
Log collection means for collecting the log information accumulated in the terminal device;
Abnormality analysis means for analyzing the abnormal state notified by the abnormality notification means;
In accordance with the contents of the abnormal state analyzed by the abnormality analysis means, an abnormality detection instruction means for instructing the abnormality detection means to set an abnormal state detection method;
Terminal log collection that instructs setting of the granularity and contents of log information collected and accumulated to the log collection and accumulation means and the frequency of collection and accumulation according to the contents of the abnormal state analyzed by the abnormality analysis means Accumulation instruction means;
Log collection instructing means for instructing the log collecting means to set the contents of log information collected from the terminal device and the collection frequency according to the contents of the abnormal state analyzed by the abnormality analyzing means. Log collection system characterized by that. The abnormality analysis unit analyzes the abnormal state based on the information indicating the abnormal state notified by the abnormality notifying unit and the log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collecting unit. The log collection system according to claim 1. The abnormality analysis unit is configured to cause the abnormal state based on the information indicating the abnormal state notified by the abnormality notification unit and the log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collection unit. For each abnormal condition that occurred, multiple possible causes of the cause of the abnormality and the type and amount of cause information required to identify each cause are stored in advance as an analysis process definition file. The cause of the abnormal state is identified by comparing the analysis process definition file with the abnormal state that has occurred this time, information indicating the abnormal state notified from the terminal device, and the log information. The log collection system according to claim 2. During the analysis process of the cause of the abnormal condition in the error analysis unit, the log information of the operation status of the type, granularity, or data amount necessary for identifying the cause included in the analysis process definition file was notified by the error notification unit When it cannot be obtained only from the information indicating the abnormal state and the log information of the operation status of the hardware and software of the terminal device collected and accumulated by the log collecting means, the abnormality detection instruction means, the terminal log collection accumulation instruction means, and The log collection system according to claim 3, wherein the log collection instructing unit performs control so as to newly collect log information of operation status necessary for cause analysis from each terminal device. The server device uses the log information on the operation status of the hardware and software of the terminal device collected and accumulated by the log collecting means to compare and analyze the operation status of the same hardware or software location between multiple terminal devices. The log collection system according to any one of claims 1 to 4, further comprising server abnormality detection means for extracting a difference and detecting an operation failure leading to the occurrence of an abnormality at an early stage. Log collecting means for collecting log information on the operating status of the hardware and software of the terminal device collected and accumulated by the terminal device;
When an abnormal state is detected and notified from the terminal device, an abnormal analysis means for analyzing the abnormal state;
In accordance with the contents of the abnormal state analyzed by the abnormality analysis means, abnormality detection instruction means for instructing the terminal device to set an abnormal state detection method,
Terminal log collection and accumulation instruction for instructing the setting of the granularity and contents of log information collected and accumulated for the terminal device and the frequency of collection and accumulation according to the contents of the abnormal state analyzed by the abnormality analysis means Means,
Log collection instruction means for instructing the log collection means to set the content of log information collected from the terminal device and the collection frequency according to the contents of the abnormal state analyzed by the abnormality analysis means. A log collection device characterized by that. Collecting log information of the operating status of the hardware and software of the terminal device on the terminal device and storing it in the terminal device,
Analyzing the log information collected and accumulated on the terminal device to detect an abnormal state,
When an abnormal state is detected on the terminal device, the server device is notified of the abnormal state,
Collecting log information accumulated in the terminal device on the server device,
Analyzing the abnormal state notified on the server device,
In accordance with the content of the abnormal state analyzed on the server device, the abnormality detection unit is instructed to set an abnormal state detection method,
In accordance with the content of the abnormal state analyzed on the server device, instruct the log collection and storage means to set the granularity and content of log information collected and stored, and the frequency of collection and storage,
Log collection, instructing the log collection unit to set the content of log information collected from the terminal device and the collection frequency according to the content of the abnormal state analyzed on the server device Method. On the computer,
Log collection processing for collecting log information on the operation status of the hardware and software of the terminal device collected and accumulated in the terminal device;
When an abnormal state is detected and notified from the terminal device, an abnormal analysis process for analyzing the abnormal state;
An abnormality detection instruction process for instructing the terminal device to set an abnormal state detection method according to the analyzed content of the abnormal state;
Terminal log collection and accumulation instruction processing for instructing the terminal device to set the granularity and contents of log information to be collected and accumulated, and the frequency of collection and accumulation, according to the contents of the analyzed abnormal state,
A log for executing log collection instruction processing for instructing the log collection means to set the content of log information collected from the terminal device and the collection frequency according to the analyzed content of the abnormal state Collection program.

Images