CN102014020A - Equipment for performing network monitoring on network equipment and method thereof - Google Patents

Equipment for performing network monitoring on network equipment and method thereof Download PDF

Info

Publication number
CN102014020A
CN102014020A CN 201010543151 CN201010543151A CN102014020A CN 102014020 A CN102014020 A CN 102014020A CN 201010543151 CN201010543151 CN 201010543151 CN 201010543151 A CN201010543151 A CN 201010543151A CN 102014020 A CN102014020 A CN 102014020A
Authority
CN
China
Prior art keywords
alert event
network equipment
alert
information
event
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 201010543151
Other languages
Chinese (zh)
Inventor
彭炼钢
田春英
李力
梁振方
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baidu Online Network Technology Beijing Co Ltd
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN 201010543151 priority Critical patent/CN102014020A/en
Publication of CN102014020A publication Critical patent/CN102014020A/en
Pending legal-status Critical Current

Links

Abstract

The invention provides monitoring equipment for performing network monitoring on network equipment and a monitoring method thereof. The monitoring method comprises the following steps of: acquiring a plurality of alarming incidents of the network equipment; acquiring alarming relevant information corresponding to the plurality of alarming incidents according to the plurality of alarming incidents; integrating the plurality of alarming incidents according to the alarming relevant information to acquire the integrated alarming incidents; and sending the integrated alarming incidents to a corresponding alarming response party. Compared with the prior art, the equipment and the method have the advantages that: the plurality of alarming incidents are integrated and are merged into an alarm incident or part of alarming incidents are screened, so the network equipment can be subjected to multi-azimuth monitoring, and the aim of precise alarming is fulfilled.

Description

A kind of Apparatus for () and method therefor that is used for the network equipment is carried out network monitoring
Technical field
The present invention relates to the monitoring technique of the network equipment, relate in particular to the technology of the network equipment being carried out network monitoring based on a plurality of alert events.
Background technology
Along with the high speed development of Internet technology, the scale of bottom-layer network is also increasing.For this reason, large-scale bottom-layer network is carried out effective monitoring and just become the problem that presses for solution.Yet, in existing network management system, be example with the alert event, often according to type of alarm, the different management software of alert event operation to different not only causes the reusability of management software low, but also may make the operation response of alert event can not solve network failure exactly.
In view of this, how realizing multi-faceted monitoring and management to the network equipment, with the height manageability of the assurance network equipment and the controllability under the malfunction, is a problem needing solution now badly.
Summary of the invention
The purpose of this invention is to provide a kind of Apparatus for () and method therefor that is used for the network equipment is carried out network monitoring.
According to an aspect of the present invention, provide a kind of method that is used for the network equipment is carried out network monitoring, wherein, this method may further comprise the steps:
A obtains a plurality of alert events of the described network equipment;
B obtains and the corresponding warning related information of described a plurality of alert events according to described a plurality of alert events;
C carries out integration processing according to described warning related information to described a plurality of alert events, with the alert event that obtains to have integrated;
D sends to corresponding alarm response side with the described alert event of having integrated.
According to another aspect of the present invention, also provide a kind of equipment that is used for the network equipment is carried out network monitoring, wherein, described equipment comprises:
The incident deriving means is used to obtain a plurality of alert events of the described network equipment;
The related information deriving means is used for according to described a plurality of alert events, obtains and the corresponding warning related information of described a plurality of alert events;
Integrating apparatus is used for according to described warning related information described a plurality of alert events being carried out integration processing, with the alert event that obtains to have integrated;
Dispensing device is used for the described alert event of having integrated is sent to corresponding alarm response side.
Compared with prior art, the present invention is by carrying out integration processing to a plurality of alert events, these alert events are merged into an alert event or screened out wherein part alert event, not only can carry out multi-faceted monitoring, also can reach the purpose of simplifying warning the network equipment.
Description of drawings
By reading the detailed description of doing with reference to the following drawings that non-limiting example is done, it is more obvious that other features, objects and advantages of the present invention will become:
Fig. 1 illustrates the system topological figure that is used for the network equipment of network is carried out network monitoring according to one aspect of the invention;
Fig. 2 illustrates the structural representation that is used for the network equipment of network is carried out the equipment of network monitoring according to one aspect of the invention;
Fig. 3 illustrates the structural representation that is used for the network equipment of network is carried out the equipment of network monitoring according to a further aspect of the present invention;
Fig. 4 illustrates the method flow diagram that is used for the network equipment of network is carried out network monitoring in accordance with a preferred embodiment of the present invention;
Fig. 5 illustrates the method flow diagram that is used for the network equipment of network is carried out network monitoring according to another preferred embodiment of the present invention.
Same or analogous Reference numeral is represented same or analogous parts in the accompanying drawing.
Embodiment
Below in conjunction with accompanying drawing the present invention is described in further detail.
Fig. 1 illustrates the system topological figure that is used for the network equipment of network is carried out network monitoring according to one aspect of the invention.At this, network includes but not limited to the Internet, wide area network, metropolitan area network, local area network (LAN), VPN network, wireless self-organization network (Ad Hoc network) etc.
With reference to Fig. 1, in this topological structure, the network equipment that is positioned at a plurality of diverse locations is connected to watch-dog by network, utilize this watch-dog, when the arbitrary network equipment in these network equipments takes place to report to the police, watch-dog can detect or receive this alert event in real time, and alert event is sent to alarm response side together with the relevant information of the network equipment of correspondence, and then tracing trouble reason and the normal operation that recovers this network equipment apace.For example, the framework that is used for network monitoring of Fig. 1 can be the computer network that a comprehensive utilization computer networking technology, database technology, the communication technology, automatic control technology, novel sensing technology etc. constitute, and its concrete monitored object comprises computer, server and other network equipments that is distributed in each machine room.Those skilled in the art will be understood that the above topology structure is only for schematically illustrating; the present invention is network topology structure existing or that may occur from now on applicable to other also; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Fig. 2 illustrates the structural representation that is used for the network equipment of network is carried out the watch-dog of network monitoring according to one aspect of the invention.In general, watch-dog for the monitoring behavior of the network equipment include but not limited to monitor, report to the police, other monitoring aspects of control or network management personnel's preference.In addition, watch-dog 1 includes but not limited to any network equipment that can monitor other network equipments by network, for example switch, router, server, gateway, bridge etc.Watch-dog 1 includes but not limited to network host, single network server, a plurality of webserver collection or based on the set of computers of cloud computing.Those skilled in the art should also be understood that watch-dog 1 can be independently or with other network equipment all-in-one-piece network equipments.In addition, communicating by letter between watch-dog 1 and the monitored a plurality of network equipments can be based on the packet data transmission such as ICP/IP protocol, udp protocol etc.
This watch-dog 1 comprises incident deriving means 11, related information deriving means 12, integrating apparatus 13 and dispensing device 14.Wherein, incident deriving means 11 is used to obtain a plurality of alert events of the described network equipment.Among the present invention from the alert event of the network equipment, include but not limited to, below at least each: connectivity of link alert event, system journal alert event, based on the alert event of SNMP (Simple Network Management Protocol, Simple Network Management Protocol).Particularly, for example, incident deriving means 11 is a plurality of network equipments of poll in the guarded region of watch-dog 1 on one's own initiative, if incident deriving means 11 once needs to spend 10s with all network equipment inquiries, so one or more network equipments all can get access to alert event by incident deriving means 11 no matter when alert event takes place during this predetermined space of 10s.Replacedly, incident deriving means 11 is a plurality of network equipments in the guarded region of poll watch-dog 1 initiatively also, change into and receive the regular or irregular alert event that sends of one or more network equipments passively.Need to prove at this, when the network equipment regularly sends alert event, also can set predetermined time interval similarly, and constantly send alert event on one's own initiative to incident deriving means 11 in the boundary in twice time interval of front and back; When the network equipment irregularly sends alert event, preferably, can be set at the instant alarming mode, in a single day alert event takes place in the network equipment, just sends it to incident deriving means 11 at once on one's own initiative.Those skilled in the art will be understood that the alert event of the above-mentioned network equipment is only for giving an example; the alert event of other network equipments existing or that may occur from now on is as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Related information deriving means 12 is used for according to described a plurality of alert events, obtains and the corresponding warning related information of described a plurality of alert events.Warning related information among the present invention includes but not limited to, below at least each: produce type of alarm, the alert event of network equipment sign, the alert event of alert event time of origin, produce the network equipment of alert event type, produce the position and the significance level of the network equipment of alert event.Particularly, get access to a plurality of alert events of the network equipment at incident deriving means 11 after, obtain and the corresponding warning related information of a plurality of alert events by related information deriving means 12.Type of alarm with alert event is an example, when the network equipment produces alert event, this alert event offered incident deriving means 11 via network after, can also will offer related information deriving means 12 with the corresponding type of alarm of this alert event.Be designated example with the network equipment that produces alert event, when the network equipment produces alert event, after this alert event is obtained by incident deriving means 11, can also will offer related information deriving means 12 with the corresponding network equipment sign of this alert event.Hereinafter, the process of carrying out integration processing based on the type of alarm or the corresponding network equipment sign of alert event of alert event will be described in detail.Those skilled in the art will be understood that above-mentioned incident deriving means 11 and related information deriving means can be separate or merge into a device; In addition; above-mentioned and the corresponding warning related information of alert event and obtain manner are only for for example; other other types warning related informations existing or that may occur from now on and other obtain manners are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Integrating apparatus 13 is used for according to described warning related information described a plurality of alert events being carried out integration processing, with the alert event that obtains to have integrated.Particularly, after having obtained a plurality of alert events of the network equipment and obtained warning related information by incident deriving means 11, utilize the warning related information between a plurality of alert events to come a plurality of alert events of integration processing corresponding to a plurality of alert events by related information deriving means 12.
Preferably, integrating apparatus 13 includes but not limited to, below at least each: merge cells (not shown), filter element (not shown).Particularly, merge cells is used for according to described warning related information described a plurality of alert events being merged into an alert event, with the alert event that obtains to have merged.Filter element is used for according to described warning related information described a plurality of alert events being carried out filtration treatment, screens out part alert event wherein, with the alert event that obtains to have filtered.Connect example, when the warning related information that obtains comprises the network equipment sign that produces alert event, merge cells is used for a plurality of alert events that consolidated network equipment is interior at interval at the fixed time and merges into an alert event, and the alert event after merge this moment is corresponding to consolidated network equipment.Still connect example, when the warning related information that obtains comprises the type of alarm of alert event, in merge cells is used at the fixed time at interval, the identical a plurality of alert events of type of alarm that a plurality of network equipment produced are merged into an alert event, though only keep an alert event after merging this moment, the pairing fault object of alert event is for producing the all-network equipment of reporting to the police.Filter element is used for according to described warning related information, screen out the part alert event in described a plurality of alert event, for example, under the application scenarios of some the known network adjustment and the network rebuilding, because the network equipment of this application scenarios can produce alert event, but this alert event is the inevitable outcome of the network adjustment and the network rebuilding, in this case, can know such as particular location or the sign of the network equipment etc. of the network equipment in network according to the warning related information, and corresponding alert event filtered or shielding processing, with interruption-free alarm response side.Those skilled in the art will be understood that above-mentioned only is for example according to the warning related information to the mode that a plurality of alert events carry out such as the integration processing that merges and/or filter; other existing or modes of a plurality of alert events being carried out integration processing according to the warning related information that may occur from now on are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Dispensing device 14 is used for the described alert event of having integrated is sent to corresponding alarm response side.Particularly, by integrating apparatus 13 a plurality of alert events of one or more network equipments are carried out integration processing after, the alert event of having been integrated, and utilize dispensing device 14 that the described alert event of having integrated is sent to corresponding alarm response side.For example, when being the system journal alert event as if the alert event of having integrated, dispensing device 14 sends to described alert event the alarm response side of maintenance system journal file.And for example, when being the connectivity of link alert event as if the alert event of having integrated, dispensing device 14 sends to described alert event the alarm response side that is responsible for connectivity of link.In order to embody different alert events, the preferential sending order between the alert event can be set also for the different influence degree of the network equipment.Such as, the priority that preestablishes the connectivity of link warning will be higher than the priority that syslog file is reported to the police, so at certain time intervals, when integrating apparatus 13 obtains the alert event of having integrated, dispensing device 14 sends those connectivity of link alert events in advance, and with the follow-up transmission of those syslog file alert events.Those skilled in the art will be understood that the send mode of the above-mentioned alert event of having integrated is only for giving an example; the send mode of other existing or alert events of having integrated that may occur from now on is as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 2, described incident deriving means 11 also comprises parameter acquiring unit and comparing unit (all not showing among the figure), wherein parameter acquiring unit is used to obtain the parameter current of the monitored object of the described network equipment, and comparing unit is used for described parameter current and predetermined threshold value are compared, and when described parameter current surpasses described predetermined threshold value, generate the corresponding alert event of monitored object with the described network equipment.The object identity value that the monitored object here includes but not limited to the connectivity of link of the network equipment, obtains based on SNMP.The connectivity of link that with the monitored object is the network equipment is an example, use the connectivity of link probe to wrap the connectivity of link of monitor network equipment based on the Traceroute of the PING bag of ICMP or UDP, when the continuous packet loss number of times of link reaches predetermined threshold value, show that connectivity of link breaks down, generate the corresponding connectivity of link alert event of connectivity of link with the network equipment; When the continuous packet loss number of times of link during, continue to come the continuous packet loss number of times of accumulative total link by the connectivity of link probe less than predetermined threshold value.With the monitored object is that the object identity value that SNMP obtains is an example, uses the SNMP probe to grasp the object identity value of the network equipment, and this object identity value includes but not limited to the object identity value of port flow, the object identity value of cpu busy percentage.When the object identity value of obtaining as SNMP surpasses predetermined threshold value, generate alert event based on SNMP; The object identity value of obtaining as SNMP uses the SNMP probe to continue to gather corresponding object identity value during less than predetermined threshold value.More preferably, when the object identity value of the monitored object that obtains the described network equipment according to snmp protocol, the mode of described object identity value with graphic user interface shown, thus the current running status of the described network equipment of real time inspection and history run state.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 2, described incident deriving means 11 also comprises log acquisition unit and matching unit (all not showing among the figure), wherein the log acquisition unit is used to obtain the syslog file of the described network equipment, and matching unit is used for described syslog file and the regular expression of being scheduled to are mated, and when described syslog file and described regular expression coupling, generate the system journal alert event of the described network equipment.In one embodiment, the main flow process of generation system daily record alert event comprises: read in regular expression, the device type of the network equipment and software version information, open then and the reading system journal file, whether check has new system journal L to write, have only when having new system journal L, just obtain the source IP address of new daily record, and from database, inquire about corresponding equipment type M and software version information N according to this IP address, search corresponding regular expression P (the acquiescence regular expression is Q) based on device type M and software version information N at last, new system journal L and regular expression P or Q are mated, and when coupling is consistent, generation system daily record alert event.
Fig. 3 illustrates the structural representation that is used for the network equipment is carried out the equipment of network monitoring according to a further aspect of the present invention.In general, watch-dog for the monitoring behavior of the network equipment include but not limited to monitor, report to the police, other monitoring aspects of control or network management personnel's preference.In addition, watch-dog includes but not limited to any network equipment that can monitor other network equipments by network, for example switch, router, server, gateway, bridge etc.Watch-dog includes but not limited to network host, single network server, a plurality of webserver collection or based on the set of computers of cloud computing.Those skilled in the art should also be understood that watch-dog can be independently or with other network equipment all-in-one-piece network equipments.In addition, communicating by letter between watch-dog and the monitored a plurality of network equipments can be based on the packet data transmission such as ICP/IP protocol, udp protocol etc.
This watch-dog 1 ' comprises incident deriving means 11 ', related information deriving means 12 ', integrating apparatus 13 ', dispensing device 14 ' and satellite information deriving means 15 '.Wherein, incident deriving means 11 ' is used to obtain a plurality of alert events of the described network equipment.From the alert event of the network equipment, include but not limited among the present invention, below at least each: connectivity of link alert event, system journal alert event, based on the alert event of SNMP.Particularly, for example, incident deriving means 11 ' is a plurality of network equipments of poll in the guarded region of watch-dog 1 ' on one's own initiative, if incident deriving means 11 ' once needs to spend 10s with all network equipment inquiries, so one or more network equipments all can get access to alert event by incident deriving means 11 ' no matter when alert event takes place during this predetermined space of 10s.Replacedly, incident deriving means 11 ' is a plurality of network equipments in the guarded region of poll watch-dog 1 ' initiatively also, change into and receive the regular or irregular alert event that sends of one or more network equipments passively.Need to prove at this, when the network equipment regularly sends alert event, also can set predetermined time interval similarly, and constantly send alert event on one's own initiative to incident deriving means 11 ' in the boundary in twice time interval of front and back; When the network equipment irregularly sends alert event, preferably, can be set at the instant alarming mode, in a single day alert event takes place in the network equipment, just sends it to incident deriving means 11 ' at once on one's own initiative.Those skilled in the art will be understood that the alert event of the above-mentioned network equipment is only for giving an example; the alert event of other network equipments existing or that may occur from now on is as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Related information deriving means 12 ' is used for according to described a plurality of alert events, obtains and the corresponding warning related information of described a plurality of alert events.Warning related information among the present invention includes but not limited to, below at least each: produce type of alarm, the alert event of network equipment sign, the alert event of alert event time of origin, produce the network equipment of alert event type, produce the position and the significance level of the network equipment of alert event.Particularly, get access to a plurality of alert events of the network equipment at incident deriving means 11 ' after, obtain and the corresponding warning related information of a plurality of alert events by related information deriving means 12 '.Type of alarm with alert event is an example, when the network equipment produces alert event, this alert event offered incident deriving means 11 ' via network after, can also will offer related information deriving means 12 ' with the corresponding type of alarm of this alert event.Be designated example with the network equipment that produces alert event, when the network equipment produces alert event, after this alert event offered incident deriving means 11 ' via network, can also offer related information deriving means 12 ' with the corresponding network equipment sign of this alert event.Hereinafter, the process of carrying out integration processing based on the type of alarm or the corresponding network equipment sign of alert event of alert event will be described in detail.Those skilled in the art will be understood that above-mentioned incident deriving means 11 ' and related information deriving means 12 ' can be two separate modules, or merge into a module; Those skilled in the art will be understood that; above-mentioned and the corresponding warning related information of alert event and obtain manner are only for for example; other existing or other warning related informations that may occur from now on and obtain manner are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Integrating apparatus 13 ' is used for according to described warning related information described a plurality of alert events being carried out integration processing, with the alert event that obtains to have integrated.Particularly, after having obtained a plurality of alert events of the network equipment and obtained warning related information by incident deriving means 11 ', utilize the warning related information between a plurality of alert events to come a plurality of alert events of integration processing corresponding to a plurality of alert events by related information deriving means 12 '.
Preferably, integrating apparatus 13 ' includes but not limited to, below at least each: merge cells (not shown), filter element (not shown).In further detail, merge cells is used for according to described warning related information described a plurality of alert events being merged into an alert event, with the alert event that obtains to have merged.Filter element is used for according to described warning related information described a plurality of alert events being carried out filtration treatment, screens out part alert event wherein, with the alert event that obtains to have filtered.Connect example, when the warning related information that obtains comprises the network equipment sign that produces alert event, merge cells is used for a plurality of alert events that consolidated network equipment is interior at interval at the fixed time and merges into an alert event, and the alert event after merge this moment is corresponding to consolidated network equipment.Still connect example, when the warning related information that obtains comprises the type of alarm of alert event, in merge cells is used at the fixed time at interval, the identical a plurality of alert events of type of alarm that a plurality of network equipment produced are merged into an alert event, though only keep an alert event after merging this moment, the pairing fault object of alert event is for producing the all-network equipment of reporting to the police.Filter element is used for according to described warning related information, screen out the part alert event in described a plurality of alert event, for example, under the application scenarios of some the known network adjustment and the network rebuilding, because the network equipment of this application scenarios can produce alert event, but this alert event is the inevitable outcome of the network adjustment and the network rebuilding, in this case, can know such as particular location or the sign of the network equipment etc. of the network equipment in network according to the warning related information, and corresponding alert event filtered or shielding processing, with interruption-free alarm response side.Those skilled in the art will be understood that above-mentioned only is for example according to the warning related information to the mode that a plurality of alert events carry out such as the integration processing that merges and/or filter; other existing or modes of a plurality of alert events being carried out integration processing according to the warning related information that may occur from now on are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Satellite information deriving means 15 ' is used for the alert event integrated according to described, obtains and the corresponding satellite information of the described alert event of having integrated.Satellite information of the present invention includes but not limited to, below at least each: the routing table of the CPU information of the integrated circuit board information of the title of the described network equipment, the described network equipment, the described network equipment, the described network equipment, vlan table or MAC table.With the CPU information of the described network equipment example as satellite information, after obtaining the alert event of having integrated by integrating apparatus 13 ', all relevant informations that always do not comprise the network equipment in this alert event, thereby after obtaining the alert event of having integrated, also should obtain the CPU information of the described network equipment as satellite information by satellite information deriving means 15 ' according to the described alert event of having integrated.Thus, alarm response can be with by receiving the alert event integrated and handling this alert event with the CPU information of the described corresponding network equipment of having integrated of alert event.Those skilled in the art will be understood that above-mentioned satellite information corresponding to the alert event of having integrated only is for example; other existing or may occur from now on corresponding to the satellite information of the alert event of having integrated as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Dispensing device 14 ' is used for the described alert event of having integrated and describedly sends to corresponding alarm response side together with the corresponding satellite information of the alert event of having integrated.Particularly, by integrating apparatus 13 ' a plurality of alert events of one or more network equipments are carried out the alert event integrated after the integration processing, and utilize satellite information deriving means 15 ' obtain with the corresponding satellite information of the described alert event of having integrated after, watch-dog 1 ' of the present invention utilizes dispensing device 14 ' that described alert event of having integrated and corresponding satellite information are sent to corresponding alarm response side.For example, if the alert event of having integrated is the system journal alert event, and when being the routing table, vlan table of the network equipment or MAC table with the corresponding satellite information of system journal alert event, dispensing device 14 ' sends to described alert event and the routing table, vlan table or the MAC table that produce the network equipment of described alert event the alarm response side of maintenance system journal file together.And for example, if the alert event of having integrated is the connectivity of link alert event, and when being the integrated circuit board information of the described network equipment with the corresponding satellite information of described connectivity of link alert event, dispensing device 14 ' sends to the alarm response side that is responsible for connectivity of link together with described alert event and the integrated circuit board information that produces the network equipment of described alert event.In order to embody different alert events, the preferential sending order between the alert event can be set also for the different influence degree of the network equipment.Such as, the priority that preestablishes the connectivity of link alert event will be higher than the priority of system journal alert event, so at certain time intervals, when integrating apparatus 13 ' obtains the alert event integrated and satellite information deriving means 15 ' and obtains satellite information corresponding to the described alert event of having integrated, dispensing device 14 ' sends those connectivity of link alert events in advance, and with the follow-up transmission of those system journal alert events.Those skilled in the art will be understood that above-mentioned send mode only for giving an example, and other send modes existing or that may occur from now on also should be included in the protection range of the present invention as applicable to the present invention, and are contained in this with way of reference.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 3, described incident deriving means 11 ' also comprises parameter acquiring unit and comparing unit (all not showing among the figure), wherein parameter acquiring unit is used to obtain the parameter current of the monitored object of the described network equipment, and comparing unit is used for described parameter current and predetermined threshold value are compared, and when described parameter current surpasses described predetermined threshold value, generate the corresponding alert event of monitored object with the described network equipment.The object identity value that the monitored object here includes but not limited to the connectivity of link of the network equipment, obtains based on SNMP.The connectivity of link that with the monitored object is the network equipment is an example, use the connectivity of link probe to wrap the connectivity of link of monitor network equipment based on the Traceroute of the PING bag of ICMP or UDP, when the continuous packet loss number of times of link reaches predetermined threshold value, show that connectivity of link breaks down, generate the corresponding connectivity of link alert event of connectivity of link with the network equipment; When the continuous packet loss number of times of link during, continue to come the continuous packet loss number of times of accumulative total link by the connectivity of link probe less than predetermined threshold value.With the monitored object is that the object identity value that SNMP obtains is an example, uses the SNMP probe to grasp the object identity value of the network equipment, and this object identity value includes but not limited to the object identity value of port flow, the object identity value of cpu busy percentage.When the object identity value of obtaining as SNMP surpasses predetermined threshold value, generate alert event based on SNMP; The object identity value of obtaining as SNMP uses the SNMP probe to continue to gather corresponding object identity value during less than predetermined threshold value.More preferably, when the object identity value of the monitored object that obtains the described network equipment according to snmp protocol, the mode of described object identity value with graphic user interface shown, thus the current running status of the described network equipment of real time inspection and history run state.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 3, described incident deriving means 11 ' also comprises log acquisition unit and matching unit (all not showing among the figure), wherein the log acquisition unit is used to obtain the syslog file of the described network equipment, and matching unit is used for described syslog file and the regular expression of being scheduled to are mated, and when described syslog file and described regular expression coupling, generate the system journal alert event of the described network equipment.In one embodiment, the main flow process of generation system daily record alert event comprises: read in regular expression, the device type of the network equipment and software version information, open then and the reading system journal file, whether check has new system journal L to write, have only when having new system journal L, just obtain the source IP address of new daily record, and from database, inquire about corresponding equipment type M and software version information N according to this IP address, search corresponding regular expression P (the acquiescence regular expression is Q) based on device type M and software version information N at last, new system journal L and regular expression P or Q are mated, and when coupling is consistent, generation system daily record alert event.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 3, described satellite information deriving means 15 ' also comprises the updating block (not shown), be used to upgrade the satellite information of the described network equipment, and described satellite information deriving means also is used for the alert event integrated according to described, obtains and the corresponding described satellite information of having upgraded of the described alert event of having integrated.More preferably, by collecting the satellite information of the described network equipment, and upgrade the described satellite information of the described network equipment based on the probe of snmp protocol.Particularly, in one embodiment, watch-dog 1 ' also comprises the storage part, is used to upgrade or inquire about the described satellite information of the described network equipment, and comes partly to provide storage and organizational form for described storage by database.Preferably, utilize the SNMP probe to come the satellite information of the all-network equipment in the guarded region of watch-dog 1 ' is collected and upgraded, for example, the time interval of collection decided according to the network actual conditions, such as 24 hours.Then described updating block assigns to upgrade the satellite information of the described network equipment by the data query storage part, correspondingly, satellite information deriving means 15 ' obtains and the corresponding described satellite information of having upgraded of the described alert event of having integrated according to the described alert event of having integrated.
Fig. 4 illustrates the method flow diagram that is used for the network equipment is carried out network monitoring in accordance with a preferred embodiment of the present invention.The watch-dog here includes but not limited to any network equipment that can monitor other network equipments by network, for example switch, router, server, gateway, bridge etc.Watch-dog includes but not limited to network host, single network server, a plurality of webserver collection or based on the set of computers of cloud computing.Those skilled in the art should also be understood that watch-dog can be independently or with other network equipment all-in-one-piece network equipments.In addition, communicating by letter between watch-dog and the monitored a plurality of network equipments can be based on the packet data transmission such as ICP/IP protocol, udp protocol etc.
In step S31, watch-dog is used to obtain a plurality of alert events of the described network equipment.From the alert event of the network equipment, include but not limited among the present invention, below at least each: connectivity of link alert event, system journal alert event, based on the alert event of SNMP.Particularly, for example, watch-dog is a plurality of network equipments of poll in its guarded region on one's own initiative, if described watch-dog once needs to spend 10s with all network equipment inquiries, so one or more network equipments all can get access to this alert event by watch-dog no matter when alert event takes place during this predetermined space of 10s.Replacedly, watch-dog is a plurality of network equipments in its guarded region of poll initiatively also, change into and receive the regular or irregular alert event that sends of one or more network equipments passively.Need to prove at this, when the network equipment regularly sends alert event, also can set predetermined time interval similarly, and constantly send alert event on one's own initiative to watch-dog in the boundary in twice time interval of front and back; When the network equipment irregularly sends alert event, preferably, can be set at the instant alarming mode, in a single day alert event takes place in the network equipment, just sends it to watch-dog at once on one's own initiative.Those skilled in the art will be understood that the alert event of the above-mentioned network equipment is only for giving an example; the alert event of other network equipments existing or that may occur from now on is as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
In step S32, watch-dog is used for according to described a plurality of alert events, obtains and the corresponding warning related information of described a plurality of alert events.Warning related information among the present invention includes but not limited to, below at least each: produce type of alarm, the alert event of network equipment sign, the alert event of alert event time of origin, produce the network equipment of alert event type, produce the position and the significance level of the network equipment of alert event.Particularly, get access to a plurality of alert events of the network equipment at watch-dog after, also be used to obtain and the corresponding warning related information of a plurality of alert events.Type of alarm with alert event is an example, when the network equipment produces alert event, this alert event offered described watch-dog after, can also will offer described watch-dog with the corresponding type of alarm of this alert event.Be designated example with the network equipment that produces alert event, when the network equipment produces alert event, this alert event offered watch-dog after, can also offer watch-dog with the corresponding network equipment sign of this alert event.Hereinafter, the process of carrying out integration processing based on the type of alarm or the corresponding network equipment sign of alert event of alert event will be described in detail.Those skilled in the art will be understood that above-mentioned steps S31 and step S32 can be separate operation or union operation; In addition; above-mentioned and the corresponding warning related information of alert event and obtain manner are only for for example; other other types warning related informations existing or that may occur from now on and other obtain manners are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
In step S33, watch-dog is used for according to described warning related information described a plurality of alert events being carried out integration processing, with the alert event that obtains to have integrated.Particularly, after having obtained a plurality of alert events of the network equipment and obtained warning related information by execution in step S31, utilize the warning related information between a plurality of alert events to come a plurality of alert events of integration processing corresponding to a plurality of alert events by execution in step S32.Preferably, the integration processing of watch-dog includes but not limited to, below at least each: union operation, filter operation.In further detail, union operation comprises merges into an alert event according to described warning related information with described a plurality of alert events, with the alert event that obtains to have merged.Filter operation comprises carries out filtration treatment according to described warning related information with described a plurality of alert events, screens out part alert event wherein, with the alert event that obtains to have filtered.Connect example, when the warning related information that obtains comprises the network equipment sign that produces alert event, union operation is used for a plurality of alert events that consolidated network equipment is interior at interval at the fixed time and merges into an alert event, and the alert event after merge this moment is corresponding to consolidated network equipment.Still connect example, when the warning related information that obtains comprises the type of alarm of alert event, in union operation is used at the fixed time at interval, the identical a plurality of alert events of type of alarm that a plurality of network equipment produced are merged into an alert event, though only keep an alert event after merging this moment, the pairing fault object of alert event is for producing the all-network equipment of reporting to the police.Filter operation is used for according to described warning related information, screen out the part alert event in described a plurality of alert event, for example, under the application scenarios of some the known network adjustment and the network rebuilding, because the network equipment of this application scenarios can produce alert event, but this alert event is the inevitable outcome of the network adjustment and the network rebuilding, in this case, can know such as particular location or the sign of the network equipment etc. of the network equipment in network according to the warning related information, and corresponding alert event filtered or shielding processing, with interruption-free alarm response side.Those skilled in the art will be understood that above-mentioned only is for example according to the warning related information to the mode that a plurality of alert events carry out such as the integration processing that merges and/or filter; other existing or modes of a plurality of alert events being carried out integration processing according to the warning related information that may occur from now on are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.。
In step S34, watch-dog is used for the described alert event of having integrated is sent to corresponding alarm response side.Particularly, after watch-dog carries out integration processing with a plurality of alert events of one or more network equipments, the alert event of having been integrated, and the described alert event of having integrated sent to corresponding alarm response side.For example, when being the system journal alert event as if the alert event of having integrated, watch-dog sends to described alert event the alarm response side of maintenance system journal file.And for example, when being the connectivity of link alert event as if the alert event of having integrated, watch-dog sends to described alert event the alarm response side that is responsible for connectivity of link.In order to embody different alert events, the preferential sending order between the alert event can be set also for the different influence degree of the network equipment.Such as, the priority that preestablishes the connectivity of link warning will be higher than the priority that syslog file is reported to the police, so at certain time intervals, after obtaining the alert event of having integrated as execution in step S33, execution in step S34 sends those connectivity of link alert events in advance, and with the follow-up transmission of those system journal alert events.Those skilled in the art will be understood that the send mode of the above-mentioned alert event of having integrated is only for giving an example; the send mode of other existing or alert events of having integrated that may occur from now on is as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 4, described step S31 also comprises parameter acquiring operation and compare operation (all not showing among the figure), wherein parameter acquiring operation is used to obtain the parameter current of the monitored object of the described network equipment, and compare operation is used for described parameter current and predetermined threshold value are compared, and when described parameter current surpasses described predetermined threshold value, generate the corresponding alert event of monitored object with the described network equipment.The object identity value that the monitored object here includes but not limited to the connectivity of link of the network equipment, obtains based on SNMP.The connectivity of link that with the monitored object is the network equipment is an example, use the connectivity of link probe to wrap the connectivity of link of monitor network equipment based on the Traceroute of the PING bag of ICMP or UDP, when the continuous packet loss number of times of link reaches predetermined threshold value, show that connectivity of link breaks down, generate the corresponding connectivity of link alert event of connectivity of link with the network equipment; When the continuous packet loss number of times of link during, continue to come the continuous packet loss number of times of accumulative total link by the connectivity of link probe less than predetermined threshold value.With the monitored object is that the object identity value that SNMP obtains is an example, uses the SNMP probe to grasp the object identity value of the network equipment, and this object identity value includes but not limited to the object identity value of port flow, the object identity value of cpu busy percentage.When the object identity value of obtaining as SNMP surpasses predetermined threshold value, generate alert event based on SNMP; The object identity value of obtaining as SNMP uses the SNMP probe to continue to gather corresponding object identity value during less than predetermined threshold value.More preferably, when the object identity value of the monitored object that obtains the described network equipment according to snmp protocol, the mode of described object identity value with graphic user interface shown, thus the current running status of the described network equipment of real time inspection and history run state.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 4, described step S31 also comprises log acquisition operation and matching operation (all not showing among the figure), wherein the log acquisition operation is used to obtain the syslog file of the described network equipment, and matching operation is used for described syslog file and the regular expression of being scheduled to are mated, and when described syslog file and described regular expression coupling, generate the system journal alert event of the described network equipment.In one embodiment, the main flow process of generation system daily record alert event comprises: read in regular expression, the device type of the network equipment and software version information, open then and the reading system journal file, whether check has new system journal L to write, have only when having new system journal L, just obtain the source IP address of new daily record, and from database, inquire about corresponding equipment type M and software version information N according to this IP address, search corresponding regular expression P (the acquiescence regular expression is Q) based on device type M and software version information N at last, new system journal L and regular expression P or Q are mated, and when coupling is consistent, generation system daily record alert event.
Fig. 5 illustrates the method flow diagram that is used for the network equipment is carried out network monitoring according to another preferred embodiment of the present invention.In general, watch-dog for the monitoring behavior of the network equipment include but not limited to monitor, report to the police, other monitoring aspects of control or network management personnel's preference.In addition, watch-dog includes but not limited to any network equipment that can monitor other network equipments by network, for example switch, router, server, gateway, bridge etc.Watch-dog includes but not limited to network host, single network server, a plurality of webserver collection or based on the set of computers of cloud computing.Those skilled in the art should also be understood that watch-dog can be independently or with other network equipment all-in-one-piece network equipments.In addition, communicating by letter between watch-dog and the monitored a plurality of network equipments can be based on the packet data transmission such as ICP/IP protocol, udp protocol etc.
In step S41, watch-dog obtains a plurality of alert events of the described network equipment.From the alert event of the network equipment, include but not limited among the present invention, below at least each: connectivity of link alert event, system journal alert event, based on the alert event of SNMP.Particularly, for example, watch-dog is a plurality of network equipments of poll in its guarded region on one's own initiative, if described watch-dog once needs to spend 10s with all network equipment inquiries, so one or more network equipments all can get access to alert event by watch-dog no matter when alert event takes place during this predetermined space of 10s.Replacedly, described watch-dog is a plurality of network equipments in its guarded region of poll initiatively also, change into and receive the regular or irregular alert event that sends of one or more network equipments passively.Need to prove at this, when the network equipment regularly sends alert event, also can set predetermined time interval similarly, and constantly send alert event on one's own initiative to watch-dog in the boundary in twice time interval of front and back; When the network equipment irregularly sends alert event, preferably, can be set at the instant alarming mode, in a single day alert event takes place in the network equipment, just sends it to watch-dog at once on one's own initiative.Those skilled in the art will be understood that the alert event of the above-mentioned network equipment is only for giving an example; the alert event of other network equipments existing or that may occur from now on is as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
In step S42, watch-dog obtains and the corresponding warning related information of described a plurality of alert events according to described a plurality of alert events.Warning related information among the present invention includes but not limited to, below at least each: produce type of alarm, the alert event of network equipment sign, the alert event of alert event time of origin, produce the network equipment of alert event type, produce the position and the significance level of the network equipment of alert event.Particularly, get access to a plurality of alert events of the network equipment at execution in step S41 after, watch-dog is used to obtain and the corresponding warning related information of a plurality of alert events.Type of alarm with alert event is an example, when the network equipment produces alert event, obtain this alert event by step S41 after, can also will offer watch-dog with the corresponding type of alarm of this alert event.Be designated example with the network equipment that produces alert event, when the network equipment produces alert event, obtain this alert event by step S41 after, can also offer watch-dog with the corresponding network equipment sign of this alert event.Hereinafter, the process of carrying out integration processing based on the type of alarm or the corresponding network equipment sign of alert event of alert event will be described in detail.Those skilled in the art will be understood that above-mentioned steps S41 and step S42 can be separate operation or union operation; In addition; above-mentioned and the corresponding warning related information of alert event and obtain manner are only for for example; other other types warning related informations existing or that may occur from now on and other obtain manners are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
In step S43, watch-dog carries out integration processing according to described warning related information to described a plurality of alert events, with the alert event that obtains to have integrated.Particularly, after having obtained a plurality of alert events of the network equipment and obtained warning related information by execution in step S41, utilize the warning related information between a plurality of alert events to come a plurality of alert events of integration processing corresponding to a plurality of alert events by execution in step S42.Preferably, integration processing includes but not limited to, below at least each: union operation, filter operation.Particularly, union operation is used for according to described warning related information described a plurality of alert events being merged into an alert event, with the alert event that obtains to have merged.Filter operation is used for according to described warning related information described a plurality of alert events being carried out filtration treatment, screens out part alert event wherein, with the alert event that obtains to have filtered.Connect example, when the warning related information that obtains comprises the network equipment sign that produces alert event, union operation is used for a plurality of alert events that consolidated network equipment is interior at interval at the fixed time and merges into an alert event, and the alert event after merge this moment is corresponding to consolidated network equipment.Still connect example, when the warning related information that obtains comprises the type of alarm of alert event, in union operation is used at the fixed time at interval, the identical a plurality of alert events of type of alarm that a plurality of network equipment produced are merged into an alert event, though only keep an alert event after merging this moment, the pairing fault object of alert event is for producing the all-network equipment of reporting to the police.Filter operation is used for according to described warning related information, screen out the part alert event in described a plurality of alert event, for example, under the application scenarios of some the known network adjustment and the network rebuilding, because the network equipment of this application scenarios can produce alert event, but this alert event is the inevitable outcome of the network adjustment and the network rebuilding, in this case, can know such as particular location or the sign of the network equipment etc. of the network equipment in network according to the warning related information, and corresponding alert event filtered or shielding processing, with interruption-free alarm response side.Those skilled in the art will be understood that above-mentioned only is for example according to the warning related information to the mode that a plurality of alert events carry out such as the integration processing that merges and/or filter; other existing or modes of a plurality of alert events being carried out integration processing according to the warning related information that may occur from now on are as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
In step S44, described watch-dog obtains and the corresponding satellite information of the described alert event of having integrated according to the described alert event of having integrated.Satellite information of the present invention includes but not limited to, below at least each: the routing table of the CPU information of the integrated circuit board information of the title of the described network equipment, the described network equipment, the described network equipment, the described network equipment, vlan table or MAC table.With the CPU information of the described network equipment example as satellite information, after obtaining the alert event of having integrated by execution in step S43, all relevant informations that always do not comprise the network equipment in this alert event, thereby after obtaining the alert event of having integrated, also should obtain the CPU information of the described network equipment as satellite information by execution in step S44 according to the described alert event of having integrated.Thus, alarm response can be with by receiving the alert event integrated and handling this alert event with the CPU information of the described corresponding network equipment of having integrated of alert event.Those skilled in the art will be understood that above-mentioned satellite information corresponding to the alert event of having integrated only is for example; other existing or may occur from now on corresponding to the satellite information of the alert event of having integrated as applicable to the present invention; also should be included in the protection range of the present invention, and be contained in this with way of reference.
In step S45, described watch-dog is with the described alert event of having integrated and describedly send to corresponding alarm response side together with the corresponding satellite information of the alert event of having integrated.Particularly, by execution in step S43 a plurality of alert events of one or more network equipments are carried out the alert event integrated after the integration processing, and execution in step S44 obtain with the corresponding satellite information of the described alert event of having integrated after, watch-dog sends to corresponding alarm response side with described alert event of having integrated and corresponding satellite information.For example, if the alert event of having integrated is the system journal alert event, and when being the routing table, vlan table of the network equipment or MAC table with the corresponding satellite information of system journal alert event, described watch-dog sends to described alert event and the routing table, vlan table or the MAC table that produce the network equipment of described alert event the alarm response side of maintenance system journal file together.And for example, if the alert event of having integrated is the connectivity of link alert event, and when being the integrated circuit board information of the described network equipment with the corresponding satellite information of described connectivity of link alert event, watch-dog sends to the alarm response side that is responsible for connectivity of link together with described alert event and the integrated circuit board information that produces the network equipment of described alert event.In order to embody different alert events, the preferential sending order between the alert event can be set also for the different influence degree of the network equipment.Such as, the priority that preestablishes the connectivity of link alert event will be higher than the priority of system journal alert event, so at certain time intervals, when execution in step S43 obtains the alert event integrated and execution in step S44 and obtains satellite information corresponding to the described alert event of having integrated, watch-dog sends those connectivity of link alert events in advance, and with the follow-up transmission of those system journal alert events.Those skilled in the art will be understood that above-mentioned send mode only for giving an example, and other send modes existing or that may occur from now on also should be included in the protection range of the present invention as applicable to the present invention, and are contained in this with way of reference.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 5, described step S41 also comprises parameter acquiring operation and compare operation (all not showing among the figure), wherein parameter acquiring operation is used to obtain the parameter current of the monitored object of the described network equipment, and compare operation is used for described parameter current and predetermined threshold value are compared, and when described parameter current surpasses described predetermined threshold value, generate the corresponding alert event of monitored object with the described network equipment.The object identity value that the monitored object here includes but not limited to the connectivity of link of the network equipment, obtains based on SNMP.The connectivity of link that with the monitored object is the network equipment is an example, use the connectivity of link probe to wrap the connectivity of link of monitor network equipment based on the Traceroute of the PING bag of ICMP or UDP, when the continuous packet loss number of times of link reaches predetermined threshold value, show that connectivity of link breaks down, generate the corresponding connectivity of link alert event of connectivity of link with the network equipment; When the continuous packet loss number of times of link during, continue to come the continuous packet loss number of times of accumulative total link by the connectivity of link probe less than predetermined threshold value.With the monitored object is that the object identity value that SNMP obtains is an example, uses the SNMP probe to grasp the object identity value of the network equipment, and this object identity value includes but not limited to the object identity value of port flow, the object identity value of cpu busy percentage.When the object identity value of obtaining as SNMP surpasses predetermined threshold value, generate alert event based on SNMP; The object identity value of obtaining as SNMP uses the SNMP probe to continue to gather corresponding object identity value during less than predetermined threshold value.More preferably, when the object identity value of the monitored object that obtains the described network equipment according to snmp protocol, the mode of described object identity value with graphic user interface shown, thus the current running status of the described network equipment of real time inspection and history run state.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 5, described step S41 also comprises log acquisition operation and matching operation (all not showing among the figure), wherein the log acquisition operation is used to obtain the syslog file of the described network equipment, and matching operation is used for described syslog file and the regular expression of being scheduled to are mated, and when described syslog file and described regular expression coupling, generate the system journal alert event of the described network equipment.In one embodiment, the main flow process of generation system daily record alert event comprises: read in regular expression, the device type of the network equipment and software version information, open then and the reading system journal file, whether check has new system journal L to write, have only when having new system journal L, just obtain the source IP address of new daily record, and from database, inquire about corresponding equipment type M and software version information N according to this IP address, search corresponding regular expression P (the acquiescence regular expression is Q) based on device type M and software version information N at last, new system journal L and regular expression P or Q are mated, and when coupling is consistent, generation system daily record alert event.
Preferably, on the basis of the described embodiment of above-mentioned Fig. 5, described step S44 also comprises renewal operation (not shown), be used to upgrade the satellite information of the described network equipment, and described step S44 also comprises the alert event of having integrated according to described, obtains and the corresponding described satellite information of having upgraded of the described alert event of having integrated.More preferably, by collecting the satellite information of the described network equipment, and upgrade the described satellite information of the described network equipment based on the probe of snmp protocol.Particularly, in one embodiment, described watch-dog also comprises the storage part, is used to upgrade or inquire about the described satellite information of the described network equipment, and comes partly to provide storage and organizational form for described storage by database.Preferably, utilize the SNMP probe to come the satellite information of the all-network equipment in the guarded region of watch-dog is collected and upgraded, for example, the time interval of collection decided according to the network actual conditions, such as 24 hours.Then described updating block assigns to upgrade the satellite information of the described network equipment by the data query storage part, correspondingly, step S45 comprises the alert event of having integrated according to described, obtains and the corresponding described satellite information of having upgraded of the described alert event of having integrated.
To those skilled in the art, obviously the invention is not restricted to the details of above-mentioned one exemplary embodiment, and under the situation that does not deviate from spirit of the present invention or essential characteristic, can realize the present invention with other concrete form.Therefore, no matter from which point, all should regard embodiment as exemplary, and be nonrestrictive, scope of the present invention is limited by claims rather than above-mentioned explanation, therefore is intended to be included in the present invention dropping on the implication that is equal to important document of claim and all changes in the scope.Any Reference numeral in the claim should be considered as limit related claim.In addition, obviously other unit or step do not got rid of in " comprising " speech, and odd number is not got rid of plural number.A plurality of unit of stating in the device claim or device also can be realized by software or hardware by a unit or device.The first, the second word such as grade is used for representing title, and does not represent any specific order.

Claims (26)

1. method that is used for the network equipment is carried out network monitoring, wherein, this method may further comprise the steps:
A obtains a plurality of alert events of the described network equipment;
B obtains and the corresponding warning related information of described a plurality of alert events according to described a plurality of alert events;
C carries out integration processing according to described warning related information to described a plurality of alert events, with the alert event that obtains to have integrated;
D sends to corresponding alarm response side with the described alert event of having integrated.
2. method according to claim 1, wherein, described method also comprises:
E obtains and the corresponding satellite information of the described alert event of having integrated according to the described alert event of having integrated;
Wherein, described steps d also is used for:
The described alert event of having integrated and described satellite information are sent to together the alarm response side of described correspondence.
3. method according to claim 2, wherein, described satellite information comprise following at least each:
The title of-described the network equipment;
The integrated circuit board information of-described network equipment;
The CPU information of-described network equipment;
The routing table of-described the network equipment, vlan table or MAC table.
4. according to each described method in the claim 1 to 3, wherein, described alert event comprise following at least each:
-connectivity of link alert event;
-system journal alert event;
-based on the alert event of snmp protocol.
5. according to each described method in the claim 4, wherein, described step a also comprises:
A1 obtains the parameter current of the monitored object of the described network equipment;
A2 compares described parameter current and predetermined threshold value, and when described parameter current surpasses described predetermined threshold value, generates the corresponding alert event of monitored object with the described network equipment.
6. method according to claim 5, wherein, described step a1 also comprises:
-obtain the object identity value of the monitored object of the described network equipment according to snmp protocol;
-mode of described object identity value with graphic user interface shown, with the current running status and the history run state of the described network equipment of real time inspection.
7. method according to claim 4, wherein, described step a also comprises:
-obtain the syslog file of the described network equipment;
-described syslog file and the regular expression of being scheduled to are mated, and when described syslog file and described regular expression coupling, generate the system journal alert event of the described network equipment.
8. according to each described method in the claim 1 to 7, wherein, described warning related information comprise following at least each:
The network equipment sign of-generation alert event;
The type of alarm of-alert event;
The time of origin of-alert event;
The type of the network equipment of-generation alert event;
The position and the significance level of the network equipment of-generation alert event.
9. according to each described method in the claim 1 to 8, wherein, described step c also comprise following at least each:
-according to described warning related information, described a plurality of alert events are merged into an alert event, with the alert event that obtains to have merged;
-according to described warning related information, described a plurality of alert events are carried out filtration treatment, screen out wherein part alert event, with the alert event that obtains to have filtered.
10. method according to claim 9, wherein, the described step that a plurality of alert events are merged into an alert event also comprises:
A plurality of alert events that consolidated network equipment is interior are at interval at the fixed time merged into an alert event.
11. method according to claim 9, wherein, the described step that a plurality of alert events are merged into an alert event also comprises:
In the interval, the identical a plurality of alert events of type of alarm that a plurality of network equipment produced are merged into an alert event at the fixed time.
12. according to each described method in the claim 1 to 11, wherein, described step e comprises:
E1 upgrades the satellite information of the described network equipment;
E2 obtains and the corresponding described satellite information of having upgraded of the described alert event of having integrated according to the described alert event of having integrated.
13. method according to claim 12, wherein, described step e1 also comprises:
By collecting the satellite information of the described network equipment, and upgrade the described satellite information of the described network equipment based on the probe of snmp protocol.
14. a watch-dog that is used for the network equipment is carried out network monitoring, wherein, described watch-dog comprises:
The incident deriving means is used to obtain a plurality of alert events of the described network equipment;
The related information deriving means is used for according to described a plurality of alert events, obtains and the corresponding warning related information of described a plurality of alert events;
Integrating apparatus is used for according to described warning related information described a plurality of alert events being carried out integration processing, with the alert event that obtains to have integrated;
Dispensing device is used for the described alert event of having integrated is sent to corresponding alarm response side.
15. watch-dog according to claim 14, wherein, described watch-dog also comprises:
The satellite information deriving means is used for the alert event integrated according to described, obtains and the corresponding satellite information of the described alert event of having integrated,
Wherein, described dispensing device also is used for:
The described alert event of having integrated and described satellite information are sent to together the alarm response side of described correspondence.
16. watch-dog according to claim 15, wherein, described satellite information comprise following at least each:
The title of-described the network equipment;
The integrated circuit board information of-described network equipment;
The CPU information of-described network equipment;
The routing table of-described the network equipment, vlan table or MAC table.
17. according to each described watch-dog in the claim 14 to 16, wherein, described alert event comprise following at least each:
-connectivity of link alert event;
-system journal alert event;
-based on the alert event of snmp protocol.
18. according to each described watch-dog in the claim 17, wherein, described incident deriving means also comprises:
Parameter acquiring unit is used to obtain the parameter current of the monitored object of the described network equipment;
Comparing unit is used for described parameter current and predetermined threshold value are compared, and when described parameter current surpasses described predetermined threshold value, generates the corresponding alert event of monitored object with the described network equipment.
19. watch-dog according to claim 18, wherein, described parameter acquiring unit also is used for:
-obtain the object identity value of the monitored object of the described network equipment according to snmp protocol;
-mode of described object identity value with graphic user interface shown, with the current running status and the history run state of the described network equipment of real time inspection.
20. watch-dog according to claim 17, wherein, described incident deriving means also comprises:
The log acquisition unit is used to obtain the syslog file of the described network equipment;
Matching unit is used for described syslog file and the regular expression of being scheduled to are mated, and when described syslog file and described regular expression coupling, generates the system journal alert event of the described network equipment.
21. according to each described watch-dog in the claim 14 to 20, wherein, described warning related information comprise following at least each:
The network equipment sign of-generation alert event;
The type of alarm of-alert event;
The time of origin of-alert event;
The type of the network equipment of-generation alert event;
The position and the significance level of the network equipment of-generation alert event.
22. according to each described watch-dog in the claim 14 to 21, wherein, described integrating apparatus also comprise following at least each:
-merge cells is used for according to described warning related information described a plurality of alert events being merged into an alert event, with the alert event that obtains to have merged;
-filter element is used for according to described warning related information described a plurality of alert events being carried out filtration treatment, screens out wherein part alert event, with the alert event that obtains to have filtered.
23. watch-dog according to claim 22, wherein, described merge cells also is used for:
A plurality of alert events that consolidated network equipment is interior are at interval at the fixed time merged into an alert event.
24. watch-dog according to claim 22, wherein, described merge cells also is used for:
In the interval, the identical a plurality of alert events of type of alarm that a plurality of network equipment produced are merged into an alert event at the fixed time.
25. according to each described watch-dog in the claim 14 to 24, wherein, described satellite information deriving means comprises:
Updating block is used to upgrade the satellite information of the described network equipment;
Wherein, described satellite information deriving means also is used for:
According to the described alert event of having integrated, obtain and the corresponding described satellite information of having upgraded of the described alert event of having integrated.
26. watch-dog according to claim 25, wherein, described updating block also is used for:
By collecting the satellite information of the described network equipment, and upgrade the described satellite information of the described network equipment based on the probe of snmp protocol.
CN 201010543151 2010-11-12 2010-11-12 Equipment for performing network monitoring on network equipment and method thereof Pending CN102014020A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010543151 CN102014020A (en) 2010-11-12 2010-11-12 Equipment for performing network monitoring on network equipment and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010543151 CN102014020A (en) 2010-11-12 2010-11-12 Equipment for performing network monitoring on network equipment and method thereof

Publications (1)

Publication Number Publication Date
CN102014020A true CN102014020A (en) 2011-04-13

Family

ID=43844046

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010543151 Pending CN102014020A (en) 2010-11-12 2010-11-12 Equipment for performing network monitoring on network equipment and method thereof

Country Status (1)

Country Link
CN (1) CN102014020A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012174832A1 (en) * 2011-06-23 2012-12-27 中兴通讯股份有限公司 Method and system for suppressing inter-board alarm priority
WO2013075297A1 (en) * 2011-11-23 2013-05-30 湖南深拓智能设备股份有限公司 Remote real-time monitoring system based on cloud computing
CN103763143A (en) * 2014-01-23 2014-04-30 北京华胜天成科技股份有限公司 Method and system for equipment abnormality alarming based on storage server
CN104243192A (en) * 2013-06-17 2014-12-24 北京神州泰岳软件股份有限公司 Fault treatment method and system
CN105549508A (en) * 2015-12-25 2016-05-04 北京奇虎科技有限公司 Alarm method based on information combination and apparatus thereof
CN106533727A (en) * 2015-09-14 2017-03-22 飞幕科技有限公司 Management system for network terminal equipment correspondingly displaying physical geographical position
CN107332915A (en) * 2017-07-05 2017-11-07 北京辰安信息科技有限公司 A kind of information processing method and device
CN107534886A (en) * 2014-10-30 2018-01-02 适应性频谱和信号校正股份有限公司 Method and apparatus for providing performance and use information for WLAN
CN108827382A (en) * 2018-06-13 2018-11-16 珠海格力电器股份有限公司 Method for diagnosing faults, apparatus and system
CN108924004A (en) * 2018-06-29 2018-11-30 中国科学院深圳先进技术研究院 The abnormality detection analysis method and Related product of commercial hotel kitchen internet of things data
CN109768899A (en) * 2018-12-26 2019-05-17 北京奇安信科技有限公司 Website Usability monitoring method, device, equipment and medium
CN111105588A (en) * 2019-12-24 2020-05-05 武汉理工光科股份有限公司 Alarm signal merging processing method and system based on fire alarm system
CN111786806A (en) * 2019-04-04 2020-10-16 大唐移动通信设备有限公司 Network element exception handling method and network management system
CN112383578A (en) * 2019-10-21 2021-02-19 北京城建智控科技有限公司 Data transmission method, device and equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247265A (en) * 2008-03-06 2008-08-20 华为技术有限公司 Alarm processing method, device and system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247265A (en) * 2008-03-06 2008-08-20 华为技术有限公司 Alarm processing method, device and system

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012174832A1 (en) * 2011-06-23 2012-12-27 中兴通讯股份有限公司 Method and system for suppressing inter-board alarm priority
WO2013075297A1 (en) * 2011-11-23 2013-05-30 湖南深拓智能设备股份有限公司 Remote real-time monitoring system based on cloud computing
CN104243192B (en) * 2013-06-17 2017-11-10 北京神州泰岳软件股份有限公司 Fault handling method and system
CN104243192A (en) * 2013-06-17 2014-12-24 北京神州泰岳软件股份有限公司 Fault treatment method and system
CN103763143A (en) * 2014-01-23 2014-04-30 北京华胜天成科技股份有限公司 Method and system for equipment abnormality alarming based on storage server
US10862778B2 (en) 2014-10-30 2020-12-08 Assia Spe, Llc Method and apparatus for providing performance and usage information for a wireless local area network
CN107534886A (en) * 2014-10-30 2018-01-02 适应性频谱和信号校正股份有限公司 Method and apparatus for providing performance and use information for WLAN
CN107534886B (en) * 2014-10-30 2021-06-01 适应性频谱和信号校正股份有限公司 Method and apparatus for providing performance and usage information for wireless local area networks
CN106533727A (en) * 2015-09-14 2017-03-22 飞幕科技有限公司 Management system for network terminal equipment correspondingly displaying physical geographical position
CN106533727B (en) * 2015-09-14 2019-07-09 飞幕科技有限公司 The corresponding display network-termination device management system in entity geographical location
CN105549508A (en) * 2015-12-25 2016-05-04 北京奇虎科技有限公司 Alarm method based on information combination and apparatus thereof
CN107332915A (en) * 2017-07-05 2017-11-07 北京辰安信息科技有限公司 A kind of information processing method and device
CN108827382A (en) * 2018-06-13 2018-11-16 珠海格力电器股份有限公司 Method for diagnosing faults, apparatus and system
CN108924004A (en) * 2018-06-29 2018-11-30 中国科学院深圳先进技术研究院 The abnormality detection analysis method and Related product of commercial hotel kitchen internet of things data
CN108924004B (en) * 2018-06-29 2021-01-19 中国科学院深圳先进技术研究院 Anomaly detection and analysis method for commercial hotel kitchen Internet of things data and related products
CN109768899A (en) * 2018-12-26 2019-05-17 北京奇安信科技有限公司 Website Usability monitoring method, device, equipment and medium
CN111786806A (en) * 2019-04-04 2020-10-16 大唐移动通信设备有限公司 Network element exception handling method and network management system
CN112383578A (en) * 2019-10-21 2021-02-19 北京城建智控科技有限公司 Data transmission method, device and equipment
CN111105588A (en) * 2019-12-24 2020-05-05 武汉理工光科股份有限公司 Alarm signal merging processing method and system based on fire alarm system

Similar Documents

Publication Publication Date Title
CN102014020A (en) Equipment for performing network monitoring on network equipment and method thereof
CN105959144B (en) Secure data acquisition and method for detecting abnormality and system towards industrial control network
CN104506393B (en) A kind of system monitoring method based on cloud platform
CN102447570B (en) Monitoring device and method based on health degree analysis
CN105183609B (en) A kind of real-time monitoring system for being applied to software system and method
CN104407964B (en) A kind of centralized monitoring system and method based on data center
CN106371986A (en) Log treatment operation and maintenance monitoring system
CN104144071B (en) The processing platform of the processing method and system daily record of system journal
CN101312405B (en) Alarm processing method and network management system
US10389596B2 (en) Discovering application topologies
CN103716173B (en) A kind of method for storing monitoring system and monitoring alarm issue
CN104022904A (en) Unified management platform for IT devices in distributed computer rooms
CN101282237A (en) Synthetic network management system based on SNMP
CN107508722B (en) Service monitoring method and device
CN103166788B (en) A kind of collection control Control management system
CN102820993A (en) Network resource monitoring system and network resource monitoring method
CN106055608A (en) Method and apparatus for automatically collecting and analyzing switch logs
CN107995049A (en) The transregional synchronous fault monitoring method of the power ampere whole district, device and system
Stiawan et al. Anomaly detection and monitoring in Internet of Things communication
CN105528273A (en) A server host hardware monitoring method and device and an electronic apparatus
CN109951313A (en) A kind of monitoring device and method of Hadoop cloud platform
CN102377619A (en) Automatic detecting and processing method for communication abnormality of simple network management protocol (SNMP) agent
CN101197714A (en) Method for centrally capturing mobile data service condition
CN106533747A (en) Network server running state monitoring system
CN109240891A (en) A kind of monitoring method and device of SR whole machine cabinet server

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20110413

C12 Rejection of a patent application after its publication