CN101651576B - Alarm information processing method and system - Google Patents


Publication number
CN101651576B
CN101651576B CN2009100918296A CN200910091829A CN101651576B CN 101651576 B CN101651576 B CN 101651576B CN 2009100918296 A CN2009100918296 A CN 2009100918296A CN 200910091829 A CN200910091829 A CN 200910091829A CN 101651576 B CN101651576 B CN 101651576B
Authority
CN
China
Prior art keywords
rule
alarm
business rule
information
warning information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2009100918296A
Other languages
Chinese (zh)
Other versions
CN101651576A (en
Inventor
聂华
邵宗有
历军
刘欣然
杜翠兰
王�琦
毕慧
刘润峰
李绍辉
刘庆伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Dawning Information Industry Beijing Co Ltd
Original Assignee
National Computer Network and Information Security Management Center
Dawning Information Industry Beijing Co Ltd
Application filed by National Computer Network and Information Security Management Center, Dawning Information Industry Beijing Co Ltd
Priority to CN2009100918296A
Publication of CN101651576A
Application granted
Publication of CN101651576B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an alarm information processing method and system. The method comprises the following steps: analyzing a cluster system to obtain one or more actual business rules and establishing a rule association model from them; enabling users to define display business rules according to the rule association model, where each display business rule corresponds to, and is kept synchronized with, an actual business rule; obtaining the alarm information to be analyzed and the required auxiliary information, and using an alarm correlation rule engine to correlate the alarm information to be analyzed on the basis of that alarm information, the actual business rules and the auxiliary information, yielding all root alarms, their associated alarms and the number of associated alarms; and presenting the root alarms, the associated alarms and their number, together with the display business rules, to the user, who can also view a topology graph of the alarms associated with a given root alarm.

Description

Alarm information processing method and system
Technical field
The present invention relates to the communications field, and in particular to an alarm information processing method and system.
Background
Clustering is increasingly applied in fields such as scientific computing, network services and databases. Because of their nature, these fields need large numbers of devices to compute on or store data, so a large cluster system often contains thousands of devices, each running its own software, along with the environment and network that affect the devices' operating state. As cluster systems grow, the physical and logical associations among managed network elements multiply. A single fault often produces a large number of alarms in related network elements, which makes identifying and locating the fault difficult, and the situation becomes more complex still when several faults occur concurrently. Faced with a mass of alarm information, the administrator often struggles to find the true cause of a fault and so cannot repair or eliminate it quickly.
Several theoretical approaches to alarm correlation analysis exist, and actual products are all built on them.
The major foreign vendors that dominate the industry each offer their own alarm correlation solution, and each company's product is based on a different correlation method. For example, Hewlett-Packard's ECS uses a rule-based method, and IBM's NetFACT uses a method based on model reasoning.
Domestic alarm correlation products are currently used mainly in the telecommunications industry, for correlation analysis of network alarms. Most current products offer some support for alarm correlation, and many claim to implement it, but in practice they may implement only basic functions such as alarm logging and alarm filtering without performing in-depth correlation analysis; those with stronger capabilities mostly integrate similar foreign products.
Research on alarm correlation for cluster monitoring started late. Domestically it is still largely at the stage of theoretical discussion and trial application, and no fully mature commercial product has been deployed at scale.
Summary of the invention
In view of one or more problems in the related art, the object of the present invention is to provide an alarm information processing method and system that solve at least one of the above problems.
To achieve this object, according to one aspect of the present invention, an alarm information processing method is provided, comprising:
analyzing a cluster system to obtain one or more actual business rules, and establishing a rule association model from the one or more actual business rules;
enabling the user to define business rules for display according to the rule association model, where the business rules for display correspond to and are synchronized with the actual business rules;
obtaining the alarm information to be analyzed and the required auxiliary information, and using the alarm correlation rule engine to correlate the alarm information to be analyzed on the basis of that alarm information, the actual business rules and the required auxiliary information, obtaining all root alarms, their associated alarms and the number of associated alarms;
presenting the resulting root alarms, their associated alarms and number, and the business rules for display to the user, who can view a topology graph of the alarms associated with a given root alarm.
Preferably, the step of establishing the rule association model comprises: analyzing the characteristics of the cluster system to obtain one or more actual business rules; and building the business rule association model from the one or more actual business rules in a form that the alarm correlation rule engine can recognize.
Preferably, the business rule association model comprises one or more of the following: same component, for alarms on the same component that have a causal relationship; same component type, for alarms of the same component type that have a causal relationship; same device, for alarms on the same device that have a causal relationship; same device type, for alarms of the same device type that have a causal relationship; and topological relation, for the case where the cause alarm and the result alarm are topologically related and have a causal relationship, the cause alarm is a switch alarm, the result alarm is a device alarm, and the number of occurrences of the result alarm is greater than a set value.
Preferably, in the step in which the user defines the business rules for display, the business rules for display are stored in a database and the actual business rules are stored under a specified directory.
Preferably, the required auxiliary information comprises one or more of the following: device-to-rack mapping information, topology information, node grouping information and software-to-hardware mapping information.
Preferably, after each actual business rule is executed, the alarm correlation rule engine automatically checks the state of the actual business rules and performs the corresponding operation according to that state.
Preferably, the alarm correlation rule engine confines create, modify and/or delete operations to the rules.
To achieve the above object, according to another aspect of the present invention, an alarm information processing system is provided, comprising:
a model establishing device, configured to analyze the cluster system to obtain one or more actual business rules and to establish a rule association model from the one or more actual business rules;
a rule definition device, configured to enable the user to define business rules for display according to the rule association model, where the rule definition unit keeps the business rules for display corresponding to and synchronized with the actual business rules;
an alarm information association device, configured to obtain the alarm information to be analyzed and the required auxiliary information, and to correlate the alarm information to be analyzed on the basis of that alarm information, the actual business rules and the required auxiliary information, obtaining all root alarms, their associated alarms and the number of associated alarms; and
an association result presentation device, configured to present the resulting root alarms, their associated alarms and number, and the business rules for display to the user.
Preferably, the model establishing device comprises: an analysis unit, configured to analyze the characteristics of the cluster system and obtain one or more actual business rules; and an establishing unit, configured to build the business rule association model from the one or more actual business rules in a form that the alarm information association unit can recognize.
Preferably, the business rule association model comprises one or more of the following:
same component, for alarms on the same component that have a causal relationship;
same component type, for alarms of the same component type that have a causal relationship;
same device, for alarms on the same device that have a causal relationship;
same device type, for alarms of the same device type that have a causal relationship; and
topological relation, for the case where the cause alarm and the result alarm are topologically related and have a causal relationship, the cause alarm is a switch alarm, the result alarm is a device alarm, and the number of occurrences of the result alarm is greater than a set value.
Preferably, the rule definition unit stores the business rules for display in a database and stores the actual business rules under a specified directory.
Preferably, the required auxiliary information comprises one or more of the following: device-to-rack mapping information, topology information, node grouping information and software-to-hardware mapping information.
Preferably, the alarm correlation rule engine confines create, modify and/or delete operations to the rules.
With at least one of the above technical solutions, the invention analyzes the association relationships within mass alarm information, finds the root alarms and presents them to the administrator, reducing the number of alarms. This can greatly lighten the administrator's workload and achieves timeliness and stability of the alarm and control system.
Description of drawings
Fig. 1 is a flow chart of the alarm information processing method according to the present invention;
Fig. 2 is a block diagram of the alarm information processing system according to the present invention;
Fig. 3 is a schematic diagram of the implementation and management of the association rule base according to an embodiment of the invention;
Fig. 4 is a flow chart of adding a rule according to an embodiment of the invention;
Fig. 5 is a simple logic diagram of alarm correlation analysis according to an embodiment of the invention;
Fig. 6 is a schematic diagram of an alarm correlation analysis result according to an embodiment of the invention; and
Fig. 7 is a detailed flow chart of alarm correlation analysis according to an embodiment of the invention.
Embodiments
Functional overview
In view of one or more problems in the related art, the present invention proposes an alarm information processing method and system that analyze the association relationships within mass alarm information, find the root alarms and present them to the administrator, reducing the number of alarms. This can greatly lighten the administrator's workload and achieves timeliness and stability of the alarm and control system.
Fig. 1 is a flow chart of the alarm information processing method according to the present invention. As shown in Fig. 1, the method comprises the following steps:
Step 102: analyze the cluster system to obtain one or more actual business rules, and establish a rule association model from the one or more actual business rules;
Step 104: enable the user to define business rules for display according to the rule association model, where the business rules for display correspond to and are synchronized with the actual business rules;
Step 106: obtain the alarm information to be analyzed and the required auxiliary information, and use the alarm correlation rule engine to correlate the alarm information to be analyzed on the basis of that alarm information, the actual business rules and the required auxiliary information, obtaining all root alarms, their associated alarms and the number of associated alarms;
Step 108: present the resulting root alarms, their associated alarms and number, and the business rules for display to the user, who can view a topology graph of the alarms associated with a given root alarm.
Step 102 comprises: analyzing the characteristics of the cluster system to obtain one or more actual business rules; and building the business rule association model from the one or more actual business rules in a form that the alarm correlation rule engine can recognize.
The business rule association model comprises one or more of the following: same component, for alarms on the same component that have a causal relationship; same component type, for alarms of the same component type that have a causal relationship; same device, for alarms on the same device that have a causal relationship; same device type, for alarms of the same device type that have a causal relationship; and topological relation, for the case where the cause alarm and the result alarm are topologically related and have a causal relationship, the cause alarm is a switch alarm, the result alarm is a device alarm, and the number of occurrences of the result alarm is greater than a set value.
In step 104, the business rules for display are stored in a database and the actual business rules are stored under a specified directory.
The required auxiliary information comprises one or more of the following: device-to-rack mapping information, topology information, node grouping information and software-to-hardware mapping information.
After each actual business rule is executed, the alarm correlation rule engine automatically checks the state of the actual business rules and performs the corresponding operation according to that state. The alarm correlation rule engine confines create, modify and/or delete operations to the rules.
Fig. 2 is a block diagram of the alarm information processing system according to the present invention. As shown in Fig. 2, the system comprises:
Model establishing device 202, configured to analyze the cluster system to obtain one or more actual business rules and to establish a rule association model from the one or more actual business rules. Model establishing device 202 comprises: analysis unit 202-2, configured to analyze the characteristics of the cluster system and obtain one or more actual business rules; and establishing unit 202-4, configured to build the business rule association model from the one or more actual business rules in a form that the alarm information association unit can recognize.
Rule definition device 204, configured to enable the user to define business rules for display according to the rule association model, where the rule definition unit keeps the business rules for display corresponding to and synchronized with the actual business rules.
Alarm information association device 206, configured to obtain the alarm information to be analyzed and the required auxiliary information, and to correlate the alarm information to be analyzed on the basis of that alarm information, the actual business rules and the required auxiliary information, obtaining all root alarms, their associated alarms and the number of associated alarms.
Association result presentation device 208, configured to present the resulting root alarms, their associated alarms and number, and the business rules for display to the user.
The business rule association model comprises one or more of the following: same component, for alarms on the same component that have a causal relationship; same component type, for alarms of the same component type that have a causal relationship; same device, for alarms on the same device that have a causal relationship; same device type, for alarms of the same device type that have a causal relationship; and topological relation, for the case where the cause alarm and the result alarm are topologically related and have a causal relationship, the cause alarm is a switch alarm, the result alarm is a device alarm, and the number of occurrences of the result alarm is greater than a set value.
The rule definition unit stores the business rules for display in a database and stores the actual business rules under a specified directory.
The required auxiliary information comprises one or more of the following: device-to-rack mapping information, topology information, node grouping information and software-to-hardware mapping information. The alarm correlation rule engine confines create, modify and/or delete operations to the rules.
A more specific implementation of the present invention is described in detail below.
Specifically, the present invention is implemented with a rule-based correlation method. Its development involves the following key points:
1. Establishing the rule association model
The rule association model is established in two main steps:
First step: analyze the characteristics of the cluster system, identify its regularities, summarize them, and provide a general business rule model.
The following table gives several examples of business rule models.
Correlation model name: Description
Same component: This model applies to alarms on the same component that have a causal relationship. For example, a CPU over-voltage alarm and a CPU over-temperature alarm have a causal relationship, and this relationship is limited to the same CPU.
Same component type: This model applies to alarms of the same component type that have a causal relationship.
Same device: This model applies to alarms on the same device that have a causal relationship. For example, a switch high-memory-utilization alarm and a high port-input-packet-loss alarm have a causal relationship, and this relationship is limited to the same device.
Same device type: This model applies to alarms of the same device type that have a causal relationship.
Topological relation (switch-device): This model applies to the case where the cause alarm and the result alarm are topologically related and have a causal relationship, the cause alarm is a switch alarm, the result alarm is a device alarm, and the number of occurrences of the result alarm is greater than a set value. For example, a switch state (unreachable) alarm and a server state (unreachable) alarm have a causal relationship, and this relationship is topological. When a switch raises an unreachable alarm and more than 3 of the servers connected to that switch raise unreachable alarms, the switch unreachable alarm is considered to have caused the server unreachable alarms.
Second step: convert these business rule models into a form that the system's rule engine can recognize, that is, express the business logic in a particular rule syntax.
The logic of the same-component model is used as an example below.
     1  package rules.correlation_${templateName}_${causeAlarmValueID}_${resultAlarmValueID}
     2
     3  import com.dawning.gridview.alarmSystem.generic.type.database.AlarmInfo;
     4  import com.dawning.gridview.alarmSystem.generic.type.correlation.EquipToRack;
     5  import com.dawning.gridview.alarmSystem.generic.type.correlation.NodeGroup;
     6  import com.dawning.gridview.alarmSystem.generic.type.correlation.Topo;
     7  import com.dawning.gridview.alarmSystem.alarmcorrelation.AlarmAnalyze;
     8
     9  global com.dawning.gridview.alarmSystem.alarmcorrelation.AlarmAnalyze aiAnalyze;
    10
    11  rule "${ruleName}"
    12    when
    13      $cause : AlarmInfo(alarmValueID == "${causeAlarmValueID}")
    14      $result : AlarmInfo(alarmValueID == "${resultAlarmValueID}",
    15        name_type == $cause.name_type,
    16        name_typeName == $cause.name_typeName,
    17        name_subtype == $cause.name_subtype,
    18        name_subtypeName == $cause.name_subtypeName,
    19        alarmTime >= $cause.alarmTime)
    20    then
    21      aiAnalyze.addEdge($cause, $result, "${databaseRuleName}", "${templateName}");
    22  end
The syntax of the code above is as follows:
(1) Line 1: package package-name
The package name is mandatory. As with packages in Java, the package name is only a namespace name and is unrelated to any file or directory name.
Here ${templateName}, ${causeAlarmValueID} and ${resultAlarmValueID} are configurable placeholders that are replaced with the user-set values when the actual rule is generated.
(2) Lines 3 to 7: import
import has the same meaning as in Java. For any object used in a rule, the full path and type name must be specified. The rule engine automatically imports classes from the Java package of the same name.
(3) Line 9: global
global declares a global variable, commonly used to return data, such as a record of an action, or to provide data or services for rules to use.
A global variable is declared and used in the rule file and assigned in the Java code. Here aiAnalyze is the global variable holding the alarm analysis class instance.
(4) Line 11: rule "name"
The rule name. Here "name" is a configurable placeholder that is replaced with the actual value when the rule is generated.
(5) Lines 12 to 19: when
The condition part of the rule. In the alarm correlation module, different correlation models have different conditions.
(6) Lines 20 to 21: then
The action part of the rule. It allows a block of Java code. Here aiAnalyze.addEdge() calls the alarm analysis class's method for adding an edge.
2. Managing business rules
A user can define rules only if business rule models exist. The system predefines some business rules; in addition, the user can define business rules to suit actual conditions and can modify, delete and view the rules already defined. The user works in the user interface and sees human-readable information, whereas the actual rule files that run underneath are in coded form. The two therefore need to be converted into each other, that is, the rules used for display are kept separate from the actual rule files. The system stores the rules used for display in a database and stores the actual rule files under a specified directory, and keeps the two synchronized.
As shown in Fig. 3, the user interface operates on rules by interacting with the database, and the actual rule files are generated from the database content. When the user runs an alarm correlation analysis, the Drools rule engine uses the actual rule files, not the user-defined rules in the database.
Fig. 4 shows the flow by which a user adds a rule according to an embodiment of the invention. As shown in Fig. 4, the flow comprises the following steps:
Step 402-404: check the validity of the values the user has set; for fields that must not be empty, check whether they are empty.
The rule name, the correlation model, the alarmValueID (alarm value ID) of the cause alarm and the alarmValueID of the result alarm must not be empty; if any is empty, the user is prompted.
Step 406: check whether the alarmValueIDs the user has set for the cause alarm and the result alarm exist.
If an alarmValueID does not exist, the corresponding message is shown.
Step 408-410: check whether the rule name already exists.
The new rule name is compared with the Name field in the AlarmCorrelationRule table. If it is a duplicate, the user is told that the rule name is already in use and must enter a different rule name.
Step 412: check whether the rule to be added already exists.
The combination of the new rule's correlation model, cause alarm alarmValueID and result alarm alarmValueID is checked against the AlarmCorrelationRule table; if it is already present, the user is told that the rule exists.
Step 414: check whether adding the rule would form a ring.
All rules are stored as a graph whose vertices represent alarmValueIDs: every alarmValueID in the alarm cause table is stored as a graph vertex, and the graph is stored as an adjacency matrix. When the user adds a rule, an edge is added between the vertices corresponding to the alarmValueIDs of the rule's cause alarm and result alarm, and the graph is checked for a ring; if one exists, the rule is invalid.
Step 416: check whether the selected cause alarm and result alarm match the correlation model.
Step 418: if they match, add a record to the database table.
Step 420: generate the corresponding rule file by calling the rule file generation sub-flow.
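The checks of steps 402 to 414 and the insert of step 418 can be sketched as follows. This is an added example, not code from the patent: the class and method names, the in-memory dictionary standing in for the AlarmCorrelationRule table, and the alarmValueID strings are assumptions, and steps 416 and 420 are left out.

```python
class RuleError(ValueError):
    """Raised when a new correlation rule fails one of the checks."""


class RuleStore:
    """Hypothetical in-memory stand-in for the rule table and the rule graph."""

    def __init__(self, alarm_value_ids):
        # Every known alarmValueID is a vertex; the graph is an adjacency matrix.
        self.index = {v: i for i, v in enumerate(dict.fromkeys(alarm_value_ids))}
        n = len(self.index)
        self.adj = [[False] * n for _ in range(n)]
        self.rules = {}  # rule name -> (model, cause alarmValueID, result alarmValueID)

    def _reaches(self, src, dst):
        # Iterative depth-first search over the matrix: is dst reachable from src?
        stack, seen = [src], set()
        while stack:
            v = stack.pop()
            if v == dst:
                return True
            if v in seen:
                continue
            seen.add(v)
            stack.extend(w for w, edge in enumerate(self.adj[v]) if edge)
        return False

    def add_rule(self, name, model, cause, result):
        # Steps 402-404: mandatory fields must not be empty.
        if not all((name, model, cause, result)):
            raise RuleError("empty field")
        # Step 406: both alarmValueIDs must be known.
        if cause not in self.index or result not in self.index:
            raise RuleError("unknown alarmValueID")
        # Steps 408-410: the rule name must be unique.
        if name in self.rules:
            raise RuleError("duplicate name")
        # Step 412: model + cause + result must not already be stored.
        if (model, cause, result) in self.rules.values():
            raise RuleError("duplicate rule")
        # Step 414: the edge cause -> result closes a ring exactly when the
        # cause is already reachable from the result (this covers cause == result).
        c, r = self.index[cause], self.index[result]
        if self._reaches(r, c):
            raise RuleError("ring")
        # Step 418: store the record and the edge.
        self.adj[c][r] = True
        self.rules[name] = (model, cause, result)


def demo():
    """Run constructed rule submissions and return the outcome of each."""
    store = RuleStore(["CPU_VOLT_HIGH", "CPU_TEMP_HIGH", "FAN_FAIL"])  # constructed IDs
    attempts = [
        ("r1", "same component", "CPU_VOLT_HIGH", "CPU_TEMP_HIGH"),
        ("r2", "same component", "CPU_TEMP_HIGH", "FAN_FAIL"),
        ("r3", "same component", "FAN_FAIL", "CPU_VOLT_HIGH"),       # closes a ring
        ("r1", "same component", "CPU_VOLT_HIGH", "FAN_FAIL"),       # name reused
        ("r4", "same component", "CPU_VOLT_HIGH", "CPU_TEMP_HIGH"),  # same rule as r1
        ("r5", "same component", "CPU_VOLT_HIGH", "DISK_FULL"),      # unknown ID
        ("", "same component", "CPU_VOLT_HIGH", "FAN_FAIL"),         # empty name
    ]
    outcomes = []
    for args in attempts:
        try:
            store.add_rule(*args)
            outcomes.append("ok")
        except RuleError as err:
            outcomes.append(str(err))
    return outcomes, sorted(store.rules)


if __name__ == "__main__":
    print(demo())
```

Rejecting rings at definition time is what lets the later analysis treat a vertex without an incoming edge as a root alarm.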
3. Processing flow of alarm correlation analysis
The prerequisites for alarm correlation analysis are the rules and the data to be analyzed; the analysis also needs some auxiliary information. The data to be analyzed is mainly alarm information; the auxiliary information includes device-to-rack mapping information, topology information, node grouping information and so on.
Fig. 5 is a simple logic diagram of alarm correlation analysis according to an embodiment of the invention. As shown in Fig. 5, the overall flow is divided into the following steps:
Step 1: obtain the alarm information to be analyzed; the user sets the query conditions through the UI;
Step 2: send the alarm information to the alarm correlation analysis logic;
Step 3: the alarm correlation analysis logic obtains the auxiliary information and the rule base information used for the analysis;
The auxiliary information used for the analysis includes: topology information, device-to-rack mapping information, node grouping information, hardware-to-software mapping information and so on;
The rule base information used for the analysis is all rules currently in effect on the current large-scale machine;
Step 4: alarm correlation analysis
The rule engine inserts the rule information, alarm information and auxiliary information into working memory, then correlates the alarm information and performs subsequent processing.
The result is returned to the UI.
After the analysis, all root alarms, their associated alarms and the number of associated alarms are obtained and returned to the UI as a list. The alarms associated with a root alarm are obtained and shown to the user as a graph. Fig. 6 is a schematic diagram of an alarm correlation analysis result according to an embodiment of the invention.
Fig. 7 is a detailed flow chart of alarm correlation analysis according to an embodiment of the invention.
As shown in Fig. 7, the detailed alarm correlation analysis flow can be divided into the following steps:
Step 702-704: if the list of alarm information to be analyzed is empty, throw an exception and tell the user that there is currently no data to analyze;
Step 706-708: check whether the rule files were generated correctly; if not, regenerate them;
Step 710-714: if no rule file exists, throw an exception and tell the user that no rule is currently defined and the analysis cannot proceed;
Step 716: read the rules and create the rule engine's working memory;
Step 718: set the rule global variable aiAnalyze; its value is this, the instance of the alarm analysis class created when the Struts Action is invoked;
Step 720: obtain the auxiliary information the alarm analysis needs, including the topology information list, the node grouping information list, the device-to-rack mapping information list and so on;
Step 722: insert all the auxiliary information and alarm information into working memory;
Step 724: fire the rules to perform data matching;
Step 726: release the working memory;
Step 728: perform subsequent processing on the data. The subsequent processing sub-flow mainly handles the information that the rule engine has filtered. The information is first stored in a directed graph whose vertices represent alarms and whose directed edges represent rules; the start vertex of an edge is the cause alarm and the end vertex is the result alarm. The graph is then traversed and otherwise processed to obtain the root alarms, the alarms associated with each root alarm and their number, and the information flow of all alarms caused by a root alarm.
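The matching of step 724 and the graph processing of step 728 can be followed end to end in the sketch below, which stands in for the rule engine with plain functions for two of the models (same component and switch-to-device topology). It is an added example, not code from the patent: the alarm fields, the alarmValueID strings, the sample alarms and topology are constructed, and treating an uncorrelated alarm as a root with no associated alarms is an assumption.

```python
from collections import defaultdict

THRESHOLD = 3  # topological model: more than 3 affected servers, as in the table's example


def alarm(i, value, device, part=None, time=0):
    # Simplified alarm record; the field names are assumptions of this example.
    return {"id": i, "value": value, "device": device, "part": part, "time": time}


# Constructed sample data: sw1 loses four servers, sw2 only one.
ALARMS = [
    alarm(1, "SWITCH_UNREACHABLE", "sw1", time=100),
    alarm(2, "SERVER_UNREACHABLE", "n1", time=101),
    alarm(3, "SERVER_UNREACHABLE", "n2", time=101),
    alarm(4, "SERVER_UNREACHABLE", "n3", time=102),
    alarm(5, "SERVER_UNREACHABLE", "n4", time=102),
    alarm(6, "CPU_VOLT_HIGH", "n9", part="cpu0", time=90),
    alarm(7, "CPU_TEMP_HIGH", "n9", part="cpu0", time=95),
    alarm(8, "CPU_TEMP_HIGH", "n9", part="cpu1", time=96),  # different CPU
    alarm(9, "SWITCH_UNREACHABLE", "sw2", time=100),
    alarm(10, "SERVER_UNREACHABLE", "m1", time=102),
]
TOPO = {"sw1": ["n1", "n2", "n3", "n4"], "sw2": ["m1", "m2"]}  # switch -> attached servers


def same_component(alarms, cause_value, result_value):
    """Edges cause -> result for alarms on the same component, result not earlier."""
    return [(c["id"], r["id"])
            for c in alarms if c["value"] == cause_value
            for r in alarms
            if r["value"] == result_value and r["device"] == c["device"]
            and r["part"] == c["part"] and r["time"] >= c["time"]]


def switch_to_device(alarms, topo, cause_value, result_value, threshold=THRESHOLD):
    """Edges switch alarm -> device alarm when more than `threshold` attached devices alarm."""
    edges = []
    for c in alarms:
        if c["value"] != cause_value:
            continue
        attached = set(topo.get(c["device"], ()))
        hits = [r for r in alarms
                if r["value"] == result_value and r["device"] in attached]
        if len(hits) > threshold:
            edges.extend((c["id"], r["id"]) for r in hits)
    return edges


def root_alarms(alarms, edges):
    """Map each root alarm id to the sorted ids of the alarms it caused, directly or not."""
    children, has_cause = defaultdict(list), set()
    for cause, result in edges:
        children[cause].append(result)
        has_cause.add(result)
    roots = {}
    for a in alarms:
        if a["id"] in has_cause:
            continue  # explained by another alarm, so not a root
        seen, stack = set(), list(children[a["id"]])
        while stack:  # traverse everything reachable from this root
            v = stack.pop()
            if v not in seen:
                seen.add(v)
                stack.extend(children[v])
        roots[a["id"]] = sorted(seen)
    return roots


def analyze(alarms=ALARMS, topo=TOPO):
    edges = same_component(alarms, "CPU_VOLT_HIGH", "CPU_TEMP_HIGH")
    edges += switch_to_device(alarms, topo, "SWITCH_UNREACHABLE", "SERVER_UNREACHABLE")
    return root_alarms(alarms, edges)


if __name__ == "__main__":
    for root, caused in analyze().items():
        print(root, len(caused), caused)
```

Ten alarms reduce to five roots here; the sw2 alarm stays separate from its single unreachable server because one affected server does not exceed the set value.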
4. Implementation of the alarm correlation rule engine
The system uses the open-source Drools rule engine as the alarm correlation rule engine to perform data matching and verification. The objects the Drools rule engine needs are the rules, the data to be analyzed and other auxiliary information. Drools conforms to the JSR-94 standard and provides an API through which external programs use and control the rule engine, so loading rules into the system and using them only requires calling this API. The steps for loading rules into the system are as follows:
First step: create the rule engine object, which is generated dynamically from configuration information.
First, build the configuration information.
Properties?baseProp=new?Properties(); baseProp.put(″newInstance″,true); baseProp.put(″poll″,10); baseProp.put(″dir″,this.getClass().getResource(″/″).toURI().getPath() +this.RULE_PATH+″/″+hpcID);
Then, create the regulation engine object according to configuration information.
RuleAgent?ruleAgent=RuleAgent.newRuleAgent(props);
Step 2: obtain the rule package related to alarm association from the rule base and load it into the rule engine.
StatefulSession workingMemory = ruleAgent.getRuleBase(hpcID).newStatefulSession();
Step 3: pass the business objects to be processed into the rule engine. The objects passed in are the user's own objects, for example alarm objects, topology information objects, node grouping objects, and so on. In this example, the objects processed by the rule engine are assumed to be user-defined alarm objects and topology information objects. The engine matches the attribute values of all inserted objects against the rules in the currently loaded rule package, and places the rules that match successfully on the Agenda.
// insert every alarm object into the working memory
for (int i = 0; i < lsAi.size(); i++) {
workingMemory.insert(lsAi.get(i));
}
// insert every topology information object into the working memory
for (int i = 0; i < lsTopo.size(); i++) {
workingMemory.insert(lsTopo.get(i));
}
Step 4: activate the rules. While the rule engine executes the rules, the operations that may occur include:
The attribute values of some objects are modified (for example, the alarm level is changed);
Some new objects are created (after alarm analysis, alarms of some new types are created);
Some objects are deleted (for example, by alarm filtering);
After each rule is executed, the rule engine automatically checks whether, in the current state, the rules waiting on the Agenda still satisfy their conditions, and removes the waiting rules that no longer do; at the same time it checks whether any rules in the rule package that were not previously on the Agenda now match the current state, and if so adds them to the Agenda. The engine eventually empties the Agenda.
workingMemory.fireAllRules();
The rule engine confines operations such as creating, modifying and deleting objects to the rules, which guarantees the stability of the program. When some alarm filtering or alarm association rules change, only the changed rule package needs to be loaded into the engine again. The engine is responsible only for executing the rules correctly (for example, guaranteeing the mutual exclusion between rules and the execution order of the rules); it is not concerned with the specific content of the rules.
The present invention uses the open-source Drools rule engine. The rule engine can also be implemented through independent development, or by using a commercial rule engine product.
With the above alarm information processing method and system, the present invention uses the rule-based approach, which is currently the mainstream one, to solve the alarm association analysis problem that needs to be solved in cluster monitoring. The method implemented by the invention separates the business rule logic from the program, which makes it convenient for users to manage and flexibly formulate business rules. After alarm association analysis, the number of alarms is reduced, the system administrator's workload is lightened, and the timeliness and stability of the alarm monitoring system are achieved.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; for those skilled in the art, the present invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (12)

1. An alarm information processing method, characterized by comprising:
analyzing a cluster system to obtain one or more actual business rules, and establishing a rule association model according to the one or more actual business rules;
enabling a user to define business rules for display according to the rule association model, wherein the business rules for display correspond to and are synchronized with the actual business rules;
obtaining the alarm information to be analyzed and the required auxiliary information, and using an alarm association rule engine to associate the alarm information to be analyzed according to the alarm information to be analyzed, the actual business rules and the required auxiliary information, thereby obtaining all root alarm information together with its associated alarm information and the quantity thereof; and
presenting the obtained root alarm information, its associated alarm information and quantity, and the business rules for display to the user, wherein the user can view a topological diagram of the alarm information associated with a given piece of root alarm information.
2. The method according to claim 1, characterized in that the step of establishing the rule association model comprises:
analyzing the characteristics of the cluster system to obtain one or more actual business rules; and establishing the rule association model, according to the one or more actual business rules, in a form that the alarm association rule engine can recognize.
3. The method according to claim 2, characterized in that the rule association model comprises one or more of the following:
same component: applicable to alarms on the same component that have a causal relationship;
same component type: applicable to alarms of the same component type that have a causal relationship;
same device: applicable to alarms on the same device that have a causal relationship;
same device type: applicable to alarms of the same device type that have a causal relationship; and
topological relation: applicable to the situation in which the cause alarm and the result alarm are topologically associated and have a causal relationship, the cause alarm is a switch alarm, the result alarm is a device alarm, and the result-alarm spot count is greater than a set value.
4. The method according to claim 1, characterized in that, in the step in which the user defines the business rules for display, the business rules for display are stored in a database, and the actual business rules are stored under a specified directory.
5. The method according to claim 1, characterized in that the required auxiliary information comprises one or more of the following: device-to-rack mapping information, topology information, node grouping information, and software-to-hardware mapping information.
6. The method according to claim 1, characterized in that, after each actual business rule is executed, the alarm association rule engine automatically checks the state of the actual business rules and performs the corresponding operation on them according to that state.
7. The method according to claim 6, characterized in that the alarm association rule engine defines creation, modification and/or deletion operations in the rules.
8. An alarm information processing system, characterized by comprising:
a modeling device, configured to analyze a cluster system to obtain one or more actual business rules, and to establish a rule association model according to the one or more actual business rules;
a rule definition device, configured to enable a user to define business rules for display according to the rule association model, wherein the rule definition device makes the business rules for display correspond to and stay synchronized with the actual business rules;
an alarm information association device, configured to obtain the alarm information to be analyzed and the required auxiliary information, and to associate the alarm information to be analyzed according to the alarm information to be analyzed, the actual business rules and the required auxiliary information, thereby obtaining all root alarm information together with its associated alarm information and the quantity thereof; and
an association result presentation device, configured to present the obtained root alarm information, its associated alarm information and quantity, and the business rules for display to the user.
9. The system according to claim 8, characterized in that the modeling device comprises:
an analysis unit, configured to analyze the characteristics of the cluster system to obtain one or more actual business rules;
an establishing unit, configured to establish the rule association model, according to the one or more actual business rules, in a form that the alarm information association device can recognize.
10. The system according to claim 9, characterized in that the rule association model comprises one or more of the following:
same component: applicable to alarms on the same component that have a causal relationship;
same component type: applicable to alarms of the same component type that have a causal relationship;
same device: applicable to alarms on the same device that have a causal relationship;
same device type: applicable to alarms of the same device type that have a causal relationship; and
topological relation: applicable to the situation in which the cause alarm and the result alarm are topologically associated and have a causal relationship, the cause alarm is a switch alarm, the result alarm is a device alarm, and the result-alarm spot count is greater than a set value.
11. The system according to claim 8, characterized in that the rule definition device stores the business rules for display in a database, and the actual business rules are stored under a specified directory.
12. The system according to claim 8, characterized in that the required auxiliary information comprises one or more of the following: device-to-rack mapping information, topology information, node grouping information, and software-to-hardware mapping information.
CN2009100918296A 2009-08-28 2009-08-28 Alarm information processing method and system Active CN101651576B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100918296A CN101651576B (en) 2009-08-28 2009-08-28 Alarm information processing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100918296A CN101651576B (en) 2009-08-28 2009-08-28 Alarm information processing method and system

Publications (2)

Publication Number Publication Date
CN101651576A CN101651576A (en) 2010-02-17
CN101651576B true CN101651576B (en) 2011-11-30

Family

ID=41673705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100918296A Active CN101651576B (en) 2009-08-28 2009-08-28 Alarm information processing method and system

Country Status (1)

Country Link
CN (1) CN101651576B (en)

Also Published As

Publication number Publication date
CN101651576A (en) 2010-02-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: STATE COMPUTER NETWORK AND INFORMATION SAFETY MANA

Free format text: FORMER OWNER: SUGON INFORMATION INDUSTRIAL (BEIJING) CO., LTD.

Effective date: 20110811

Owner name: SUGON INFORMATION INDUSTRIAL (BEIJING) CO., LTD.

C41 Transfer of patent application or patent right or utility model
C53 Correction of patent for invention or patent application
CB03 Change of inventor or designer information

Inventor after: Nie Hua

Inventor after: Liu Qingwei

Inventor after: Shao Zongyou

Inventor after: Li Jun

Inventor after: Liu Xinran

Inventor after: Du Cuilan

Inventor after: Wang Qi

Inventor after: Bi Hui

Inventor after: Liu Runfeng

Inventor after: Li Shaohui

Inventor before: Nie Hua

Inventor before: Shao Zongyou

Inventor before: Li Jun

Inventor before: Liu Runfeng

Inventor before: Li Shaohui

Inventor before: Liu Qingwei

COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100084 HAIDIAN, BEIJING TO: 100029 CHAOYANG, BEIJING

Free format text: CORRECT: INVENTOR; FROM: NIE HUA SHAO ZONGYOU LI JUN LIU RUNFENG LI SHAOHUI LIU QINGWEI TO: NIE HUASHAO ZONGYOU LI JUN LIU XINRAN DU CUILAN WANG QI BI HUI LIU RUNFENG LI SHAOHUI LIU QINGWEI

TA01 Transfer of patent application right

Effective date of registration: 20110811

Address after: 100029 Beijing Chaoyang District Yumin Road No. 3

Applicant after: State Computer Network and Information Safety Management Center

Co-applicant after: Dawning Information Industry (Beijing) Co., Ltd.

Address before: 100084 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing, Haidian District

Applicant before: Dawning Information Industry (Beijing) Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant