Embodiment
In order to solve in prior art, solve the poor problem of alarm correlation analysis accuracy in prior art, the embodiment of the present invention provides a kind of method, equipment and system of correlation analysis.
As shown in Figure 1, the method for the correlation analysis that the embodiment of the present invention provides, comprising:
Step 101, obtains the event-identification number of father's event and the event-identification number of this current event of current event; Described event-identification number has global uniqueness.
Step 102, according to default alarm event list, judges whether described current event is alarm event.
Step 103, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number;
Step 104, when described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event.
In the present embodiment, when described current event does not have father's event, the event-identification number of father's event of described current event is default value.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The method of the correlation analysis that further embodiment of this invention provides, comprising:
Step 201, more than two warning information of reception reported by network element equipment, described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event;
Step 202, according to the event-identification number of father's event of the event-identification number of the alarm event in described warning information and this alarm event, search in described network element device and to preserve in advance the log information relevant to described alarm thing information, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event;
Step 203, analyzes described more than two correlation between warning information according to described warning information and described log information.
The method of the correlation analysis that the embodiment of the present invention provides, the plural warning information receiving comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event, according to described warning information, can find out accurately the identification list of preserving in advance in network element device, according to described identification list, can analyze accurately the root event that triggers alarm event, and further analyze described more than two correlation between warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
In order to make those skilled in the art can more clearly understand the technical scheme that the embodiment of the present invention provides, below by specific embodiment, the method for the correlation analysis that the embodiment of the present invention is provided is elaborated.
As shown in Figure 3, the method for the correlation analysis that yet another embodiment of the invention provides, comprising:
Step 301, the default event that needs sign;
In the present embodiment, the default list of thing that needs identified event in network element device, this list is called when event occurs, and by this list, judges whether event needs to identify.
Step 302, network element device obtains the event-identification number of father's event and the event-identification number of this current event of current event;
In the present embodiment, the event-identification number of father's event of described current event and the event-identification number of current event can be VB values, with PEvent ID and Event ID, represent respectively, for example, as shown in Figure 4, when event c occurs, event c is current event, to get event-identification number be Event ID (c) to event c, and event c gets the event-identification number PEvent ID (a) of father's event a simultaneously.
What deserves to be explained is, when described current event does not have father's event, father's event-identification number of described current event is default value.For example, as shown in Figure 4, when event a occurs, event a does not have father's event, described event a, when obtaining self event-identification number Event ID (a), gets the event-identification number of a default value PEvent ID (0) as father's event of described event a.
Step 303, described network element device sends the event-identification number of described current event to the subevent of being triggered by described current event;
For example, as shown in Figure 4, event c has triggered event d and event g, and described event c sends its event-identification number Event ID (c) to described event d and event g.
Step 304, described network element device, according to default alarm event list, judges whether described current event is alarm event;
Step 305, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number.
Step 306, when described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event.
For example, as shown in Figure 4, when event c occurs, described event c is non-alarm event, do not need to generate warning information, and event f occur time, owing to judging described event f, be alarm event, need to report a warning information to Network Management Equipment, described warning information comprises the event-identification number PEvent ID (e) of father's event and the event-identification number Event ID (f) of event f self of described event f.Described PEvent ID (e) and EventID (f) write in warning information as VB value.
Step 307, described Network Management Equipment receives more than two warning information of described reported by network element equipment, and described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event;
In the present embodiment, by the caching alarm message receiving in alarm list, for example, as shown in Figure 4, described Network Management Equipment receives warning information A, warning information B, warning information C and warning information D, by described warning information A, warning information B, warning information C and warning information D buffer memory with form alarm list.
Step 308, according to the event-identification number of father's event of the event-identification number of the alarm event in described warning information and this alarm event, search in described network element device and to preserve in advance the log information relevant to described alarm thing information, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event;
Step 309, analyzes described more than two correlation between warning information according to described warning information and described log information.
Described step 309, as shown in Figure 5, comprising:
Step 3091, according to the event chain of alarm letter described in described warning information and described flap-list completion;
For example, as shown in Figure 4, after Network Management Equipment receives warning information A, warning information B, warning information C and warning information D, can obtain four event chain: event chain A according to these four warning information and the corresponding identification list finding, as shown in table 1, event chain B, as shown in table 2, event chain C, as shown in table 3, and event chain D, as shown in table 4.
Table 1: event chain A, (a)-> (b)
<event a> |
<event b> |
Alarm A |
Event ID(a) |
Event ID(b) |
Event ID(b) |
PEvent ID(0) |
PEvent ID(a) |
PEvent ID(a) |
Table 2: event chain B, (a)-> (c)-> (d)-> (e)-> (f)
<event a> |
<event c> |
<event d> |
<event e> |
<event f> |
Alarm B |
Event ID(a) |
Event ID(c) |
Event ID(d) |
Event ID(e) |
Event ID(f) |
Event ID(f) |
PEvent ID(0) |
PEventID(a) |
PEventID(c) |
PEventID(d) |
PEventID(e) |
PEventID(e) |
Table 3: event chain C, (a)-> (c)-> (g)
<event a> |
<event c> |
<event g> |
Alarm C |
Event ID(a) |
Event ID(c) |
Event ID(g) |
Event ID(g) |
PEvent ID(0) |
PEvent ID(a) |
PEvent ID(c) |
PEvent ID(c) |
Table 4: event chain D, (a)
<event a> |
Alarm D |
Event ID(a) |
Event ID(a) |
PEvent ID(0) |
PEvent ID(0) |
Step 3092, generates described more than two relational tree between warning information according to described event chain analysis.
According to above-mentioned example, draw warning relation tree as shown in Figure 6.
What deserves to be explained is, the described correlation of analyzing between described two above 0 warning information according to described warning information and described identification list is not limited in above-mentioned step 3091 and step 3092, repeats no more herein.
In order to make those skilled in the art can further understand the technical scheme that the embodiment of the present invention provides, the transmittance process below by interface interrupt event in router device is elaborated for the method for the correlation analysis that example provides the embodiment of the present invention.
In described router device, when router driver module finds that optical module is abnormal, produce dropout (LOS), described router driver module reports the event of failure of physical interface interruption to interface management module, the fault that described interface interrupts is to produce because optical module causes the event of dropout extremely, now, generate the event-identification number Event ID (1) of dropout event.
Interface management module is found to comprise some logical subinterface on this physical interface, and this physical interface interrupts causing other logical subinterface to interrupt.
Physical interface interrupts generating an event-identification number Event ID (2), and his father's event-identification number is PEventID (1).
Certain sub-interface in described physical interface interrupts generating an event-identification number Event ID (9), and his father's event-identification number is PEvent ID (2).
Interface management module passes to ospf (OpenShortest Path First described certain sub-interface interrupt event, OSPF) Routing Protocol subsystem, cause OSPF virtual link (Vlink) state variation, OSPF Vlink state variation generates an Event ID (87), and his father's event-identification number is PEvent ID (9).
Described OSPF Vlink state variation is alarm event, according to the event-identification number of described OSPF Vlink state variation and father's event-identification number, generates alarm and reports Network Management Equipment, and described Network Management Equipment carries out correlation analysis according to described alarm.Obtaining whole event chain is (1)-> (2)-> (9)-> (87).
According to described event chain, the root that can know this alarm because of event-identification number be 1, described because of event be the abnormal dropout producing of optical module.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
In order to strengthen the reliability of correlation analysis, the method for the correlation analysis that another embodiment of the present invention provides, as shown in Figure 7, also comprises:
Step 401, obtains the event-identification number of root event that triggers this current event.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises root event-identification number; When described current event is not alarm event, the described log information generating for described current event also comprises root event-identification number.
Step 402, sends the event-identification number of described root event to the subevent of being triggered by described current event.
In the present embodiment, the event-identification number of described root event can be a VB value, represent with AID, for example, as shown in Figure 4, described event c obtains the event-identification number AID (a) of a root event, and the root getting is sent to subevent d and subevent g because of event-identification number AID (a).
Be worth illustrating to such an extent that be, when described event does not have father's event, as, when PEvent ID is PEvent ID (0), the root event of described event is event itself, event chain B as above, event a is wherein root event, according to the event-identification number of event a, show that the event-identification number of the root event of its event a is AID (a).Described event chain B can be as shown in table 5.
Table 5: event chain B
<event a> |
<event c> |
<event d> |
<event e> |
<event f> |
Alarm B |
Event ID(a) |
Event ID(c) |
Event ID(d) |
Event ID(e) |
Event ID(f) |
Event ID(f) |
PEventID(0) |
PEventID(a) |
PEventID(c) |
PEventID(d) |
PEventID(e) |
PEventID(e) |
AID(a) |
AID(a) |
AID(a) |
AID(a) |
AID(a) |
AID(a) |
In concrete example in the present embodiment, together with the event-identification number of described root event being kept at the event-identification number of current event in identification list, when current event is alarm event, in warning information for this alarm event generation, can also comprise root event-identification number AID (a), solved in network element device, because software reliability is not high, cause certain or some events in event chain not to be stored in network element device, be system journal no record, thereby make event chain disconnect the problem that cannot search out root event.For example, the event e in table 5 causes it in system journal no record for a certain reason, but according to root event-identification number, can not be just can search out root event by completion event chain.
What deserves to be explained is, not harsh to troubleshooting section requirement in the situation that, when carrying out alarm, described warning information can only include the event flag number of alarm event and trigger the event-identification number of the root event of this alarm event, by these two mark numbers, just can search out root event, then carry out fault eliminating according to described root event.But do not get rid of, even if Network Management Equipment has been known described root event, but cannot to fault, get rid of according to described root event.Now, if there is complete event chain, can be by solving the subevent by root Event triggered, exclusive segment fault, can get rid of some fault in network element device.Event chain C shown in event chain B and table 3 as shown in table 2, its root event is event a, when carrying out alarm, described warning information B comprises Event ID (f), PeventID (e), and AID (a).Described warning information C comprises Event ID (g), PeventID (c), and AID (a).When the fault being caused by described event a cannot be got rid of, owing to having obtained complete event chain when carrying out correlation analysis, subevent-event c that Network Management Equipment can trigger according to event a, carry out the eliminating of local fault, solved the fault that the event c in event chain B causes to event f, and the fault of the event c in event chain C and event g initiation.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
In order to prevent occurring loop situation between father's event of current event and current event, cause the phenomenon of current event perseveration to occur, the embodiment of the present invention provides the method for one correlation analysis again, as shown in Figure 8, also comprises:
Step 501, obtains the transmission jumping figure to current event by root event.
In the present embodiment, described root event obtains by described root event is added to 1 to the transmission number of father's event of described current event to the transmission jumping figure of current event.When described current event does not have father's event, described root event is 0 to the transmission jumping figure assignment of current event.
What deserves to be explained is, transmit obtaining of jumping figure and be not limited in said method, do not repeat one by one herein.
Step 502, judges whether described transmission jumping figure is greater than default maximum delivered jumping figure.
Step 503, when described transmission jumping figure is greater than maximum delivered jumping figure, stops the action of described current event.
In the present embodiment, when described transmission jumping figure is greater than maximum delivered jumping figure, illustrates between described current event and his father's event and occur loop phenomenon, now stop the action of current event to solve owing to occurring that loop phenomenon causes current event perseveration.
Step 504, when described transmission jumping figure is not more than maximum delivered jumping figure, allows to judge whether described current event is alarm event.
Step 505, sends the transmission jumping figure of described event to the subevent of being triggered by described current event.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises the transmission jumping figure to current event by root event; When described current event is not alarm event, the described log information generating for described current event also comprises the transmission jumping figure to current event by root event.Described transmission jumping figure can represent by a VB value, and as TTL, for example, described event chain B can be as shown in table 6.
Table 6: event chain B
<event a> |
<event c> |
<event d> |
<event e> |
<event f> |
Alarm B |
Event ID(a) |
Event ID(c) |
Event ID(d) |
Event ID(e) |
Event ID(f) |
Event ID(f) |
PEventID(0) |
PEventID(a) |
PEventID(c) |
PEventID(d) |
PEventID(e) |
PEventID(e) |
AID(a) |
AID(a) |
AID(a) |
AID(a) |
AID(a) |
AID(a) |
TTL(1) |
TTL(2) |
TTL(3) |
TTL(4) |
TTL(5) |
TTL(5) |
What deserves to be explained is, by described transmission jumping figure, can support Network Management Equipment to know the transmission degree of depth of root event to current event, if event a in alarm B is 5 to the transmission degree of depth of event f, and whether there is omission event by described event transfer jumping figure detecting, as in system journal due to not recording events e of some cause, in the process of completion event chain, find that there is omission, event chain cannot completion, now according to described transmission jumping figure, can know accurately, omit one and transmitted the event that jumping figure is 4.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The embodiment of the present invention provides a kind of network element device, as shown in Figure 9, comprising:
The first acquiring unit 601, for obtaining the event-identification number of father's event and the event-identification number of this current event of current event.
In the present embodiment, described the first acquiring unit can be the application-specific module in an embedded fault management storehouse, and its concrete implementation method can, referring to described in step 302 as shown in Figure 3, repeat no more herein.
The first judging unit 602, for according to default alarm event list, judges whether described current event is alarm event; Its concrete implementation method can, referring to described in step 304 as shown in Figure 3, repeat no more herein.
The first generation unit 603, for when described the first judging unit judges that described current event is alarm event, for this alarm event generates warning information, described warning information comprises described event-identification number and described father's event-identification number.Its concrete implementation method can, referring to described in step 305 as shown in Figure 3, repeat no more herein.
Report unit 604, for reporting the warning information of described the first generation unit generation to Network Management Equipment; Its concrete implementation method can, referring to described in step 305 as shown in Figure 3, repeat no more herein.
The second generation unit 605, for when described the first judging unit judges that described current event is not alarm event, for described current event generating log information, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event; Its concrete implementation method can, referring to described in step 306 as shown in Figure 3, repeat no more herein.
Storage unit 606, is stored in system journal for the log information that described the second generation unit is generated.Its concrete implementation method can, referring to described in step 306 as shown in Figure 3, repeat no more herein.
The network element device that the embodiment of the present invention provides, for obtaining and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, the warning information that described Network Management Equipment reports according to described identity device carries out correlation analysis, can analyze accurately the root event that triggers alarm event, according to described root event, carry out the eliminating of network element device fault.
As shown in figure 10, the network element device that further embodiment of this invention provides, also comprises:
The first transmitting element 607, for the event-identification number that sends the current event that described acquiring unit obtains to the subevent of being triggered by current event.Its concrete implementation method can, referring to described in step 303 as shown in Figure 3, repeat no more herein.
In order to add the reliability of strong correlation, described network element device, also comprises:
Second acquisition unit 608, for obtaining the event-identification number of the root event that triggers this current event; Its concrete implementation method can, referring to described in step 401 as shown in Figure 7, repeat no more herein.
The second transmitting element 609, for the event-identification number that sends the source event that described second acquisition unit obtains to the subevent of being triggered by described current event.Its concrete implementation method can, referring to described in step 402 as shown in Figure 7, repeat no more herein.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises root event-identification number; When described current event is not alarm event, the described log information generating for described current event also comprises root event-identification number.
In order to prevent occurring loop situation between father's event of current event and described current event, cause current event perseveration, described network element device, also comprises:
The 3rd acquiring unit 610, for obtaining the transmission jumping figure to current event by root event; Its concrete implementation method can, referring to described in step 501 as shown in Figure 8, repeat no more herein.
The second judging unit 611, for judging whether the transmission jumping figure that described the 3rd acquiring unit obtains is greater than maximum delivered jumping figure; Its concrete implementation method can, referring to described in step 502 as shown in Figure 8, repeat no more herein.
Stop element 612, while being greater than maximum delivered jumping figure for obtaining described transmission jumping figure in described the second judging unit judgement, stops the action of described current event; Its concrete implementation method can, referring to described in step 503 as shown in Figure 8, repeat no more herein.
Allow unit 613, while being not more than maximum delivered jumping figure for obtaining described transmission jumping figure in described the second judging unit judgement, allow described the first judging unit to judge whether described current event is alarm event; Its concrete implementation method can, referring to described in step 504 as shown in Figure 8, repeat no more herein.
The 3rd transmitting element 614, for sending transmission jumping figure that described acquiring unit generates to the subevent of being triggered by described current event.Its concrete implementation method can, referring to described in step 505 as shown in Figure 8, repeat no more herein.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises the transmission jumping figure to current event by root event; When described current event is not alarm event, the described log information generating for described current event also comprises the transmission jumping figure to current event by root event.
The network element device that the embodiment of the present invention provides, for obtaining and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, the warning information that described Network Management Equipment reports according to described identity device carries out correlation analysis, can analyze accurately the root event that triggers alarm event, according to described root event, carry out the eliminating of network element device fault.
The correlativity analysis analysis apparatus that the embodiment of the present invention provides, as shown in figure 11, comprising:
Receiving element 701, for receiving more than two warning information of reported by network element equipment, described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event; Its concrete implementation method can, referring to described in step 307 as shown in Figure 3, repeat no more herein.
Search unit 702, for the event-identification number of alarm event of warning information that receives according to described receiving element and the event-identification number of father's event of this alarm event, search in described network element device the preservation log information relevant to described alarm thing information in advance, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event; Its concrete implementation method can, referring to described in step 308 as shown in Figure 3, repeat no more herein.
Analytic unit 703, for the warning information that receives according to receiving element and described in search the log information that unit finds and analyze described more than two correlation between warning information.Its concrete implementation method can, referring to described in step 309 as shown in Figure 3, repeat no more herein.
Described analytic unit, as shown in figure 12, comprising:
Carry out subelement 7031, for the warning information that receives according to described receiving element and described in search warning information described in the flap-list completion that unit finds event chain; Its concrete implementation method can, referring to described in step 3091 as shown in Figure 5, repeat no more herein.
Generate subelement 7032, for generate described more than two relational tree between warning information according to the event chain analysis of described performance element completion.Its concrete implementation method can, referring to described in step 3092 as shown in Figure 5, repeat no more herein.
The correlativity analysis analysis apparatus that the embodiment of the present invention provides, for the plural warning information receiving, comprise the event-identification number of the event-identification number of alarm event and father's event of this alarm event, according to described warning information, can find out accurately the identification list of preserving in advance in network element device, according to described identification list, can analyze accurately the root event that triggers alarm event, and further analyze described more than two correlation between warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The correlation analysis system that the embodiment of the present invention provides, as shown in figure 13, comprising:
Network element device 801, as shown in Fig. 9-10, for obtaining the event-identification number of father's event and the event-identification number of this current event of current event, the event-identification number of father's event of described current event and the event-identification number of this current event are kept in identification list, according to default alarm event list, judge whether described current event is alarm event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number, concrete structure function is substantially similar to the structure function of above-mentioned identity device embodiment, repeats no more herein.
Network Management Equipment 802, as shown in Figure 11-12, for receiving more than two warning information of described reported by network element equipment, according to described warning information, search the identification list of preserving in advance in described network element device, according to described warning information and described identification list, analyze described more than two correlation between warning information.Concrete structure function is substantially similar to the structure function of above-mentioned correlativity analysis analysis apparatus embodiment, repeats no more herein.
The correlation analysis system that the embodiment of the present invention provides, for obtaining and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The method of the correlation analysis that the embodiment of the present invention provides, Apparatus and system, can be applied to network equipment failure analysis.
One of ordinary skill in the art will appreciate that all or part of step realizing in above-described embodiment method is can carry out the hardware that instruction is relevant by program to complete, described program can be stored in a computer-readable recording medium, as ROM/RAM, magnetic disc or CD etc.
The above; be only the specific embodiment of the present invention, but protection scope of the present invention is not limited to this, any be familiar with those skilled in the art the present invention disclose technical scope in; can expect easily changing or replacing, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of described claim.