CN102136922B - Correlation analysis method, equipment and system - Google Patents

Correlation analysis method, equipment and system Download PDF

Info

Publication number
CN102136922B
CN102136922B CN201010002626.8A CN201010002626A CN102136922B CN 102136922 B CN102136922 B CN 102136922B CN 201010002626 A CN201010002626 A CN 201010002626A CN 102136922 B CN102136922 B CN 102136922B
Authority
CN
China
Prior art keywords
event
identification number
alarm
current
warning information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201010002626.8A
Other languages
Chinese (zh)
Other versions
CN102136922A (en
Inventor
纪晓峰
潘军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu wisdom Technology Service Co., Ltd.
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201010002626.8A priority Critical patent/CN102136922B/en
Publication of CN102136922A publication Critical patent/CN102136922A/en
Application granted granted Critical
Publication of CN102136922B publication Critical patent/CN102136922B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The embodiment of the invention discloses a correlation analysis method, correlation analysis equipment and a correlation analysis system, which relate to the technical field of networks and aim to solve the problem of relatively lower alarming correlation analysis accuracy of the prior art. The technical scheme provided by the invention comprises the following steps of: acquiring an event identification number of a parent event of a current event and the event identification number of the current event; judging whether the current event is an alarming event or not according to a preset alarming event list; if the current event is the alarming event, generating alarming information for the alarming event, and reporting the alarming information to network management equipment, wherein the alarming information comprises the event identification number and the parent event identification number; and if the current event is not the alarming event, generating log information for the current event, and storing the log information in a system log, wherein the log information comprises the event identification number of the parent event of the current event and the event identification number of the current event. The correlation analysis method, the correlation analysis equipment and the correlation analysis system provided by the embodiment of the invention can be applied to failure analysis on network equipment.

Description

The method of correlation analysis, equipment and system
Technical field
The present invention relates to networking technology area, relate in particular to a kind of method, equipment and system of correlation analysis.
Background technology
Device fails in network needs active reporting to webmaster, and the information reporting is called alarm.Because the various faults of device interior are relevant, so also possess certain correlation between each alarm reporting.By analyzing alarm correlation, can show that root is because of alarm, according to root, realize fault management because of alarm, further realize fault and get rid of.
In prior art, analyze alarm correlation mostly by the alarm correlation analysis Implementation of Expert System in rule-based storehouse, Network Management Equipment calls this expert system and carries out the analysis of alarm correlation.In described rule base, preserve the alarm regulation of artificial definition, when Network Management Equipment receives alarm, call expert system, expert system is searched the alarm regulation relevant to this alarm according to described alarm, by alarm regulation, is drawn and is caused the root event of this alarm and analyze the correlation between each alarm receiving.
Realizing in process of the present invention, inventor finds, expert system is to analyze correlation between each alarm according to the association rules storehouse of artificial definition carrying out alarm correlation analysis, and the association rules that the association rules storehouse of artificial definition comprises can not comprehensively be concluded the correlation between all alarms, make the accuracy of alarm correlation analysis poor.
Summary of the invention
The embodiment of the present invention provides a kind of method, equipment and system of correlation analysis, to solve the poor problem of alarm correlation analysis accuracy in prior art.
For achieving the above object, the embodiment of the present invention adopts following technical scheme:
The method of correlation analysis, comprising: the event-identification number of father's event and the event-identification number of this current event of obtaining current event; According to default alarm event list, judge whether described current event is alarm event; When described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number; When described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event.
The method of correlation analysis, comprising: receive more than two warning information of reported by network element equipment, described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event; According to the event-identification number of father's event of the event-identification number of the alarm event in described warning information and this alarm event, search in described network element device and to preserve in advance the log information relevant to described alarm thing information, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event; According to described warning information and described log information, analyze described more than two correlation between warning information.
Network element device, comprising:
The first acquiring unit, for obtaining the event-identification number of father's event and the event-identification number of this current event of current event;
The first judging unit, for according to default alarm event list, judges whether described current event is alarm event;
The first generation unit, for when described the first judging unit judges that described current event is alarm event, for this alarm event generates warning information, described warning information comprises described event-identification number and described father's event-identification number;
Report unit, for reporting the warning information of described the first generation unit generation to Network Management Equipment;
The second generation unit, for when described the first judging unit judges that described current event is not alarm event, for described current event generating log information, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event;
Storage unit, is stored in system journal for the log information that described the second generation unit is generated.
Correlativity analysis analysis apparatus, comprising:
Receiving element, for receiving more than two warning information of reported by network element equipment, described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event;
Search unit, for the event-identification number of alarm event of warning information that receives according to described receiving element and the event-identification number of father's event of this alarm event, search in described network element device the preservation log information relevant to described alarm thing information in advance, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event;
Analytic unit, for the warning information that receives according to receiving element and described in search the log information that unit finds and analyze described more than two correlation between warning information.
Correlation analysis system, comprising:
Network element device, for obtaining the event-identification number of father's event and the event-identification number of this current event of current event, according to default alarm event list, judge whether described current event is alarm event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number, when described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event,
Network Management Equipment, for receiving more than two warning information of reported by network element equipment, according to the event-identification number of father's event of the event-identification number of the alarm event in described warning information and this alarm event, search in described network element device and preserve in advance the log information relevant to described alarm thing information, according to described warning information and described log information, analyze described more than two correlation between warning information.
The method of the correlation analysis that the embodiment of the present invention provides, equipment and system, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
Accompanying drawing explanation
The flow chart of the method for the correlation analysis that Fig. 1 provides for the embodiment of the present invention;
The flow chart of the method for the correlation analysis that Fig. 2 provides for further embodiment of this invention;
The flow chart of the method for the correlation analysis that Fig. 3 provides for yet another embodiment of the invention;
Fig. 4 is the schematic diagram that A, B, C and tetra-warnings of D occur;
The flow chart of step 309 in the method flow diagram of the correlation analysis that the inventive embodiments shown in Fig. 5 Fig. 3 provides;
Fig. 6 is the warning relation tree forming according to the alarm shown in Fig. 3;
The flow chart of the method for the correlation analysis that Fig. 7 provides for another embodiment of the present invention;
The flow chart of the method for the correlation analysis that Fig. 8 provides for yet another embodiment of the invention;
The structural representation of the network element device that Fig. 9 provides for the embodiment of the present invention;
The structural representation of the network element device that Figure 10 provides for further embodiment of this invention;
The structural representation of the correlativity analysis analysis apparatus that Figure 11 provides for the embodiment of the present invention;
The structural representation of analytic unit in the correlativity analysis analysis apparatus that Figure 12 provides for inventive embodiments shown in Figure 11;
The structural representation of the correlation analysis system that Figure 13 provides for the embodiment of the present invention.
Embodiment
In order to solve in prior art, solve the poor problem of alarm correlation analysis accuracy in prior art, the embodiment of the present invention provides a kind of method, equipment and system of correlation analysis.
As shown in Figure 1, the method for the correlation analysis that the embodiment of the present invention provides, comprising:
Step 101, obtains the event-identification number of father's event and the event-identification number of this current event of current event; Described event-identification number has global uniqueness.
Step 102, according to default alarm event list, judges whether described current event is alarm event.
Step 103, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number;
Step 104, when described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event.
In the present embodiment, when described current event does not have father's event, the event-identification number of father's event of described current event is default value.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The method of the correlation analysis that further embodiment of this invention provides, comprising:
Step 201, more than two warning information of reception reported by network element equipment, described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event;
Step 202, according to the event-identification number of father's event of the event-identification number of the alarm event in described warning information and this alarm event, search in described network element device and to preserve in advance the log information relevant to described alarm thing information, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event;
Step 203, analyzes described more than two correlation between warning information according to described warning information and described log information.
The method of the correlation analysis that the embodiment of the present invention provides, the plural warning information receiving comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event, according to described warning information, can find out accurately the identification list of preserving in advance in network element device, according to described identification list, can analyze accurately the root event that triggers alarm event, and further analyze described more than two correlation between warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
In order to make those skilled in the art can more clearly understand the technical scheme that the embodiment of the present invention provides, below by specific embodiment, the method for the correlation analysis that the embodiment of the present invention is provided is elaborated.
As shown in Figure 3, the method for the correlation analysis that yet another embodiment of the invention provides, comprising:
Step 301, the default event that needs sign;
In the present embodiment, the default list of thing that needs identified event in network element device, this list is called when event occurs, and by this list, judges whether event needs to identify.
Step 302, network element device obtains the event-identification number of father's event and the event-identification number of this current event of current event;
In the present embodiment, the event-identification number of father's event of described current event and the event-identification number of current event can be VB values, with PEvent ID and Event ID, represent respectively, for example, as shown in Figure 4, when event c occurs, event c is current event, to get event-identification number be Event ID (c) to event c, and event c gets the event-identification number PEvent ID (a) of father's event a simultaneously.
What deserves to be explained is, when described current event does not have father's event, father's event-identification number of described current event is default value.For example, as shown in Figure 4, when event a occurs, event a does not have father's event, described event a, when obtaining self event-identification number Event ID (a), gets the event-identification number of a default value PEvent ID (0) as father's event of described event a.
Step 303, described network element device sends the event-identification number of described current event to the subevent of being triggered by described current event;
For example, as shown in Figure 4, event c has triggered event d and event g, and described event c sends its event-identification number Event ID (c) to described event d and event g.
Step 304, described network element device, according to default alarm event list, judges whether described current event is alarm event;
Step 305, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number.
Step 306, when described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event.
For example, as shown in Figure 4, when event c occurs, described event c is non-alarm event, do not need to generate warning information, and event f occur time, owing to judging described event f, be alarm event, need to report a warning information to Network Management Equipment, described warning information comprises the event-identification number PEvent ID (e) of father's event and the event-identification number Event ID (f) of event f self of described event f.Described PEvent ID (e) and EventID (f) write in warning information as VB value.
Step 307, described Network Management Equipment receives more than two warning information of described reported by network element equipment, and described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event;
In the present embodiment, by the caching alarm message receiving in alarm list, for example, as shown in Figure 4, described Network Management Equipment receives warning information A, warning information B, warning information C and warning information D, by described warning information A, warning information B, warning information C and warning information D buffer memory with form alarm list.
Step 308, according to the event-identification number of father's event of the event-identification number of the alarm event in described warning information and this alarm event, search in described network element device and to preserve in advance the log information relevant to described alarm thing information, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event;
Step 309, analyzes described more than two correlation between warning information according to described warning information and described log information.
Described step 309, as shown in Figure 5, comprising:
Step 3091, according to the event chain of alarm letter described in described warning information and described flap-list completion;
For example, as shown in Figure 4, after Network Management Equipment receives warning information A, warning information B, warning information C and warning information D, can obtain four event chain: event chain A according to these four warning information and the corresponding identification list finding, as shown in table 1, event chain B, as shown in table 2, event chain C, as shown in table 3, and event chain D, as shown in table 4.
Table 1: event chain A, (a)-> (b)
<event a> <event b> Alarm A
Event ID(a) Event ID(b) Event ID(b)
PEvent ID(0) PEvent ID(a) PEvent ID(a)
Table 2: event chain B, (a)-> (c)-> (d)-> (e)-> (f)
<event a> <event c> <event d> <event e> <event f> Alarm B
Event ID(a) Event ID(c) Event ID(d) Event ID(e) Event ID(f) Event ID(f)
PEvent ID(0) PEventID(a) PEventID(c) PEventID(d) PEventID(e) PEventID(e)
Table 3: event chain C, (a)-> (c)-> (g)
<event a> <event c> <event g> Alarm C
Event ID(a) Event ID(c) Event ID(g) Event ID(g)
PEvent ID(0) PEvent ID(a) PEvent ID(c) PEvent ID(c)
Table 4: event chain D, (a)
<event a> Alarm D
Event ID(a) Event ID(a)
PEvent ID(0) PEvent ID(0)
Step 3092, generates described more than two relational tree between warning information according to described event chain analysis.
According to above-mentioned example, draw warning relation tree as shown in Figure 6.
What deserves to be explained is, the described correlation of analyzing between described two above 0 warning information according to described warning information and described identification list is not limited in above-mentioned step 3091 and step 3092, repeats no more herein.
In order to make those skilled in the art can further understand the technical scheme that the embodiment of the present invention provides, the transmittance process below by interface interrupt event in router device is elaborated for the method for the correlation analysis that example provides the embodiment of the present invention.
In described router device, when router driver module finds that optical module is abnormal, produce dropout (LOS), described router driver module reports the event of failure of physical interface interruption to interface management module, the fault that described interface interrupts is to produce because optical module causes the event of dropout extremely, now, generate the event-identification number Event ID (1) of dropout event.
Interface management module is found to comprise some logical subinterface on this physical interface, and this physical interface interrupts causing other logical subinterface to interrupt.
Physical interface interrupts generating an event-identification number Event ID (2), and his father's event-identification number is PEventID (1).
Certain sub-interface in described physical interface interrupts generating an event-identification number Event ID (9), and his father's event-identification number is PEvent ID (2).
Interface management module passes to ospf (OpenShortest Path First described certain sub-interface interrupt event, OSPF) Routing Protocol subsystem, cause OSPF virtual link (Vlink) state variation, OSPF Vlink state variation generates an Event ID (87), and his father's event-identification number is PEvent ID (9).
Described OSPF Vlink state variation is alarm event, according to the event-identification number of described OSPF Vlink state variation and father's event-identification number, generates alarm and reports Network Management Equipment, and described Network Management Equipment carries out correlation analysis according to described alarm.Obtaining whole event chain is (1)-> (2)-> (9)-> (87).
According to described event chain, the root that can know this alarm because of event-identification number be 1, described because of event be the abnormal dropout producing of optical module.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
In order to strengthen the reliability of correlation analysis, the method for the correlation analysis that another embodiment of the present invention provides, as shown in Figure 7, also comprises:
Step 401, obtains the event-identification number of root event that triggers this current event.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises root event-identification number; When described current event is not alarm event, the described log information generating for described current event also comprises root event-identification number.
Step 402, sends the event-identification number of described root event to the subevent of being triggered by described current event.
In the present embodiment, the event-identification number of described root event can be a VB value, represent with AID, for example, as shown in Figure 4, described event c obtains the event-identification number AID (a) of a root event, and the root getting is sent to subevent d and subevent g because of event-identification number AID (a).
Be worth illustrating to such an extent that be, when described event does not have father's event, as, when PEvent ID is PEvent ID (0), the root event of described event is event itself, event chain B as above, event a is wherein root event, according to the event-identification number of event a, show that the event-identification number of the root event of its event a is AID (a).Described event chain B can be as shown in table 5.
Table 5: event chain B
<event a> <event c> <event d> <event e> <event f> Alarm B
Event ID(a) Event ID(c) Event ID(d) Event ID(e) Event ID(f) Event ID(f)
PEventID(0) PEventID(a) PEventID(c) PEventID(d) PEventID(e) PEventID(e)
AID(a) AID(a) AID(a) AID(a) AID(a) AID(a)
In concrete example in the present embodiment, together with the event-identification number of described root event being kept at the event-identification number of current event in identification list, when current event is alarm event, in warning information for this alarm event generation, can also comprise root event-identification number AID (a), solved in network element device, because software reliability is not high, cause certain or some events in event chain not to be stored in network element device, be system journal no record, thereby make event chain disconnect the problem that cannot search out root event.For example, the event e in table 5 causes it in system journal no record for a certain reason, but according to root event-identification number, can not be just can search out root event by completion event chain.
What deserves to be explained is, not harsh to troubleshooting section requirement in the situation that, when carrying out alarm, described warning information can only include the event flag number of alarm event and trigger the event-identification number of the root event of this alarm event, by these two mark numbers, just can search out root event, then carry out fault eliminating according to described root event.But do not get rid of, even if Network Management Equipment has been known described root event, but cannot to fault, get rid of according to described root event.Now, if there is complete event chain, can be by solving the subevent by root Event triggered, exclusive segment fault, can get rid of some fault in network element device.Event chain C shown in event chain B and table 3 as shown in table 2, its root event is event a, when carrying out alarm, described warning information B comprises Event ID (f), PeventID (e), and AID (a).Described warning information C comprises Event ID (g), PeventID (c), and AID (a).When the fault being caused by described event a cannot be got rid of, owing to having obtained complete event chain when carrying out correlation analysis, subevent-event c that Network Management Equipment can trigger according to event a, carry out the eliminating of local fault, solved the fault that the event c in event chain B causes to event f, and the fault of the event c in event chain C and event g initiation.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
In order to prevent occurring loop situation between father's event of current event and current event, cause the phenomenon of current event perseveration to occur, the embodiment of the present invention provides the method for one correlation analysis again, as shown in Figure 8, also comprises:
Step 501, obtains the transmission jumping figure to current event by root event.
In the present embodiment, described root event obtains by described root event is added to 1 to the transmission number of father's event of described current event to the transmission jumping figure of current event.When described current event does not have father's event, described root event is 0 to the transmission jumping figure assignment of current event.
What deserves to be explained is, transmit obtaining of jumping figure and be not limited in said method, do not repeat one by one herein.
Step 502, judges whether described transmission jumping figure is greater than default maximum delivered jumping figure.
Step 503, when described transmission jumping figure is greater than maximum delivered jumping figure, stops the action of described current event.
In the present embodiment, when described transmission jumping figure is greater than maximum delivered jumping figure, illustrates between described current event and his father's event and occur loop phenomenon, now stop the action of current event to solve owing to occurring that loop phenomenon causes current event perseveration.
Step 504, when described transmission jumping figure is not more than maximum delivered jumping figure, allows to judge whether described current event is alarm event.
Step 505, sends the transmission jumping figure of described event to the subevent of being triggered by described current event.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises the transmission jumping figure to current event by root event; When described current event is not alarm event, the described log information generating for described current event also comprises the transmission jumping figure to current event by root event.Described transmission jumping figure can represent by a VB value, and as TTL, for example, described event chain B can be as shown in table 6.
Table 6: event chain B
<event a> <event c> <event d> <event e> <event f> Alarm B
Event ID(a) Event ID(c) Event ID(d) Event ID(e) Event ID(f) Event ID(f)
PEventID(0) PEventID(a) PEventID(c) PEventID(d) PEventID(e) PEventID(e)
AID(a) AID(a) AID(a) AID(a) AID(a) AID(a)
TTL(1) TTL(2) TTL(3) TTL(4) TTL(5) TTL(5)
What deserves to be explained is, by described transmission jumping figure, can support Network Management Equipment to know the transmission degree of depth of root event to current event, if event a in alarm B is 5 to the transmission degree of depth of event f, and whether there is omission event by described event transfer jumping figure detecting, as in system journal due to not recording events e of some cause, in the process of completion event chain, find that there is omission, event chain cannot completion, now according to described transmission jumping figure, can know accurately, omit one and transmitted the event that jumping figure is 4.
The method of the correlation analysis that the embodiment of the present invention provides, obtain and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The embodiment of the present invention provides a kind of network element device, as shown in Figure 9, comprising:
The first acquiring unit 601, for obtaining the event-identification number of father's event and the event-identification number of this current event of current event.
In the present embodiment, described the first acquiring unit can be the application-specific module in an embedded fault management storehouse, and its concrete implementation method can, referring to described in step 302 as shown in Figure 3, repeat no more herein.
The first judging unit 602, for according to default alarm event list, judges whether described current event is alarm event; Its concrete implementation method can, referring to described in step 304 as shown in Figure 3, repeat no more herein.
The first generation unit 603, for when described the first judging unit judges that described current event is alarm event, for this alarm event generates warning information, described warning information comprises described event-identification number and described father's event-identification number.Its concrete implementation method can, referring to described in step 305 as shown in Figure 3, repeat no more herein.
Report unit 604, for reporting the warning information of described the first generation unit generation to Network Management Equipment; Its concrete implementation method can, referring to described in step 305 as shown in Figure 3, repeat no more herein.
The second generation unit 605, for when described the first judging unit judges that described current event is not alarm event, for described current event generating log information, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event; Its concrete implementation method can, referring to described in step 306 as shown in Figure 3, repeat no more herein.
Storage unit 606, is stored in system journal for the log information that described the second generation unit is generated.Its concrete implementation method can, referring to described in step 306 as shown in Figure 3, repeat no more herein.
The network element device that the embodiment of the present invention provides, for obtaining and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, the warning information that described Network Management Equipment reports according to described identity device carries out correlation analysis, can analyze accurately the root event that triggers alarm event, according to described root event, carry out the eliminating of network element device fault.
As shown in figure 10, the network element device that further embodiment of this invention provides, also comprises:
The first transmitting element 607, for the event-identification number that sends the current event that described acquiring unit obtains to the subevent of being triggered by current event.Its concrete implementation method can, referring to described in step 303 as shown in Figure 3, repeat no more herein.
In order to add the reliability of strong correlation, described network element device, also comprises:
Second acquisition unit 608, for obtaining the event-identification number of the root event that triggers this current event; Its concrete implementation method can, referring to described in step 401 as shown in Figure 7, repeat no more herein.
The second transmitting element 609, for the event-identification number that sends the source event that described second acquisition unit obtains to the subevent of being triggered by described current event.Its concrete implementation method can, referring to described in step 402 as shown in Figure 7, repeat no more herein.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises root event-identification number; When described current event is not alarm event, the described log information generating for described current event also comprises root event-identification number.
In order to prevent occurring loop situation between father's event of current event and described current event, cause current event perseveration, described network element device, also comprises:
The 3rd acquiring unit 610, for obtaining the transmission jumping figure to current event by root event; Its concrete implementation method can, referring to described in step 501 as shown in Figure 8, repeat no more herein.
The second judging unit 611, for judging whether the transmission jumping figure that described the 3rd acquiring unit obtains is greater than maximum delivered jumping figure; Its concrete implementation method can, referring to described in step 502 as shown in Figure 8, repeat no more herein.
Stop element 612, while being greater than maximum delivered jumping figure for obtaining described transmission jumping figure in described the second judging unit judgement, stops the action of described current event; Its concrete implementation method can, referring to described in step 503 as shown in Figure 8, repeat no more herein.
Allow unit 613, while being not more than maximum delivered jumping figure for obtaining described transmission jumping figure in described the second judging unit judgement, allow described the first judging unit to judge whether described current event is alarm event; Its concrete implementation method can, referring to described in step 504 as shown in Figure 8, repeat no more herein.
The 3rd transmitting element 614, for sending transmission jumping figure that described acquiring unit generates to the subevent of being triggered by described current event.Its concrete implementation method can, referring to described in step 505 as shown in Figure 8, repeat no more herein.
In the present embodiment, when described current event is alarm event, the described warning information generating for this alarm event also comprises the transmission jumping figure to current event by root event; When described current event is not alarm event, the described log information generating for described current event also comprises the transmission jumping figure to current event by root event.
The network element device that the embodiment of the present invention provides, for obtaining and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, the warning information that described Network Management Equipment reports according to described identity device carries out correlation analysis, can analyze accurately the root event that triggers alarm event, according to described root event, carry out the eliminating of network element device fault.
The correlativity analysis analysis apparatus that the embodiment of the present invention provides, as shown in figure 11, comprising:
Receiving element 701, for receiving more than two warning information of reported by network element equipment, described warning information comprises the event-identification number of the event-identification number of alarm event and father's event of this alarm event; Its concrete implementation method can, referring to described in step 307 as shown in Figure 3, repeat no more herein.
Search unit 702, for the event-identification number of alarm event of warning information that receives according to described receiving element and the event-identification number of father's event of this alarm event, search in described network element device the preservation log information relevant to described alarm thing information in advance, described log information comprise the event relevant to alarm event father's event event-identification number and with alarm event the event-identification number of relevant event; Its concrete implementation method can, referring to described in step 308 as shown in Figure 3, repeat no more herein.
Analytic unit 703, for the warning information that receives according to receiving element and described in search the log information that unit finds and analyze described more than two correlation between warning information.Its concrete implementation method can, referring to described in step 309 as shown in Figure 3, repeat no more herein.
Described analytic unit, as shown in figure 12, comprising:
Carry out subelement 7031, for the warning information that receives according to described receiving element and described in search warning information described in the flap-list completion that unit finds event chain; Its concrete implementation method can, referring to described in step 3091 as shown in Figure 5, repeat no more herein.
Generate subelement 7032, for generate described more than two relational tree between warning information according to the event chain analysis of described performance element completion.Its concrete implementation method can, referring to described in step 3092 as shown in Figure 5, repeat no more herein.
The correlativity analysis analysis apparatus that the embodiment of the present invention provides, for the plural warning information receiving, comprise the event-identification number of the event-identification number of alarm event and father's event of this alarm event, according to described warning information, can find out accurately the identification list of preserving in advance in network element device, according to described identification list, can analyze accurately the root event that triggers alarm event, and further analyze described more than two correlation between warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The correlation analysis system that the embodiment of the present invention provides, as shown in figure 13, comprising:
Network element device 801, as shown in Fig. 9-10, for obtaining the event-identification number of father's event and the event-identification number of this current event of current event, the event-identification number of father's event of described current event and the event-identification number of this current event are kept in identification list, according to default alarm event list, judge whether described current event is alarm event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises described event-identification number and described father's event-identification number, concrete structure function is substantially similar to the structure function of above-mentioned identity device embodiment, repeats no more herein.
Network Management Equipment 802, as shown in Figure 11-12, for receiving more than two warning information of described reported by network element equipment, according to described warning information, search the identification list of preserving in advance in described network element device, according to described warning information and described identification list, analyze described more than two correlation between warning information.Concrete structure function is substantially similar to the structure function of above-mentioned correlativity analysis analysis apparatus embodiment, repeats no more herein.
The correlation analysis system that the embodiment of the present invention provides, for obtaining and preserve the event-identification number of father's event and the event-identification number of this current event of current event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, make Network Management Equipment to analyze accurately the correlation between this warning information and other warning information of Network Management Equipment reception according to described warning information, solved in prior art and according to rule base, carried out the poor problem of alarm correlation analysis accuracy by expert system.The technical scheme that the embodiment of the present invention provides, described Network Management Equipment carries out correlation analysis according to described warning information, can analyze accurately the root event that triggers alarm event, according to described root event, carries out the eliminating of network element device fault.
The method of the correlation analysis that the embodiment of the present invention provides, Apparatus and system, can be applied to network equipment failure analysis.
One of ordinary skill in the art will appreciate that all or part of step realizing in above-described embodiment method is can carry out the hardware that instruction is relevant by program to complete, described program can be stored in a computer-readable recording medium, as ROM/RAM, magnetic disc or CD etc.
The above; be only the specific embodiment of the present invention, but protection scope of the present invention is not limited to this, any be familiar with those skilled in the art the present invention disclose technical scope in; can expect easily changing or replacing, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of described claim.

Claims (12)

1. a method for correlation analysis, is characterized in that, comprising:
Obtain the event-identification number of father's event and the event-identification number of this current event of current event;
According to default alarm event list, judge whether described current event is alarm event;
When described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises event-identification number and described father's event-identification number of described current event;
When described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event;
The method also comprises:
Obtain the transmission jumping figure to current event by root event;
Judge whether described transmission jumping figure is greater than default maximum delivered jumping figure;
When described transmission jumping figure is greater than maximum delivered jumping figure, stop the action of described current event;
When described transmission jumping figure is not more than maximum delivered jumping figure, allow to judge whether described current event is alarm event;
When described current event is alarm event, the described warning information generating for this alarm event also comprises the transmission jumping figure to current event by root event; When described current event is not alarm event, the described log information generating for described current event also comprises the transmission jumping figure to current event by root event.
2. method according to claim 1, is characterized in that, also comprises:
Send the event-identification number of described current event to the subevent of being triggered by described current event.
3. method according to claim 1 and 2, is characterized in that, also comprises:
Obtain the event-identification number of the root event that triggers this current event;
When described current event is alarm event, the described warning information generating for this alarm event also comprises root event-identification number; When described current event is not alarm event, the described log information generating for described current event also comprises root event-identification number.
4. method according to claim 3, is characterized in that, also comprises:
Send the event-identification number of described root event to the subevent of being triggered by described current event.
5. a method for correlation analysis, is characterized in that, comprising:
More than two warning information that receives reported by network element equipment, described warning information comprises the event-identification number of alarm event, the event-identification number by root event to the transmission jumping figure of current alarm event and father's event of this alarm event;
According to the event-identification number of the alarm event in described warning information, search in described network element device and to preserve in advance the log information relevant to described alarm thing information to the event-identification number of the transmission jumping figure of current alarm event and father's event of this alarm event by root event, described log information comprise the event-identification number of father's event of the event relevant to alarm event, by root event to the transmission jumping figure of current alarm event and with alarm event the event-identification number of relevant event;
According to described warning information and described log information, analyze described more than two correlation between warning information.
6. a network element device, is characterized in that, comprising:
The first acquiring unit, for obtaining the event-identification number of father's event and the event-identification number of this current event of current event;
The first judging unit, for according to default alarm event list, judges whether described current event is alarm event;
The first generation unit, for when described the first judging unit judges that described current event is alarm event, for this alarm event generates warning information, described warning information comprises event-identification number and described father's event-identification number of described current event;
Report unit, for reporting the warning information of described the first generation unit generation to Network Management Equipment;
The second generation unit, for when described the first judging unit judges that described current event is not alarm event, for described current event generating log information, described log information comprises the event-identification number of father's event and the event-identification number of this current event of current event;
Storage unit, is stored in system journal for the log information that described the second generation unit is generated;
This equipment also comprises:
The 3rd acquiring unit, for obtaining the transmission jumping figure to current event by root event;
The second judging unit, for judging whether the transmission jumping figure that described the 3rd acquiring unit obtains is greater than maximum delivered jumping figure;
Stop element, while being greater than maximum delivered jumping figure for obtaining described transmission jumping figure in described the second judging unit judgement, stops the action of described current event;
Allow unit, while being not more than maximum delivered jumping figure for obtaining described transmission jumping figure in described the second judging unit judgement, allow described the first judging unit to judge whether described current event is alarm event;
When described current event is alarm event, the described warning information generating for this alarm event also comprises the transmission jumping figure to current event by root event; When described current event is not alarm event, the described log information generating for described current event also comprises the transmission jumping figure to current event by root event.
7. equipment according to claim 6, is characterized in that, also comprises:
The first transmitting element, for the event-identification number that sends the current event that described acquiring unit obtains to the subevent of being triggered by current event.
8. according to the equipment described in claim 6 or 7, it is characterized in that, also comprise:
Second acquisition unit, for obtaining the event-identification number of the root event that triggers this current event;
When described current event is alarm event, the described warning information generating for this alarm event also comprises root event-identification number; When described current event is not alarm event, the described log information generating for described current event also comprises root event-identification number.
9. equipment according to claim 8, is characterized in that, also comprises:
The second transmitting element, for the event-identification number that sends the source event that described second acquisition unit obtains to the subevent of being triggered by described current event.
10. equipment according to claim 6, is characterized in that, also comprises:
The 3rd transmitting element, for sending transmission jumping figure that described acquiring unit generates to the subevent of being triggered by described current event.
11. 1 kinds of correlativity analysis analysis apparatus, is characterized in that, comprising:
Receiving element, for receiving more than two warning information of reported by network element equipment, described warning information comprises the event-identification number of alarm event, the event-identification number by root event to the transmission jumping figure of current alarm event and father's event of this alarm event;
Search unit, for the event-identification number of the alarm event of the warning information that receives according to described receiving element, search and preserve in advance the log information relevant to described alarm thing information in described network element device to the event-identification number of the transmission jumping figure of current alarm event and father's event of this alarm event by root event, described log information comprise the event-identification number of father's event of the event relevant to alarm event, by root event to the transmission jumping figure of current alarm event and with alarm event the event-identification number of relevant event;
Analytic unit, for the warning information that receives according to receiving element and described in search the log information that unit finds and analyze described more than two correlation between warning information.
12. 1 kinds of correlation analysis systems, is characterized in that, comprising:
Network element device, for obtaining the transmission jumping figure to current event by root event, judge whether described transmission jumping figure is greater than default maximum delivered jumping figure, when described transmission jumping figure is greater than maximum delivered jumping figure, stop the action of described current event, when described transmission jumping figure is not more than maximum delivered jumping figure, allow to obtain the event-identification number of father's event and the event-identification number of this current event of current event, according to default alarm event list, judge whether described current event is alarm event, when described current event is alarm event, for this alarm event generates warning information and this warning information is reported to Network Management Equipment, described warning information comprises the event-identification number of described current event, transmission jumping figure and described father's event-identification number by root event to current event, when described current event is not alarm event, for described current event generating log information is also stored in this log information in system journal, described log information comprises the event-identification number of father's event of current event, by root event to the transmission jumping figure of current event and the event-identification number of this current event,
Network Management Equipment, for receiving more than two warning information of reported by network element equipment, according to the event-identification number of the alarm event in described warning information, search in described network element device and to preserve in advance the log information relevant to described alarm thing information to the event-identification number of the transmission jumping figure of current event and father's event of this alarm event by root event, according to described warning information and described log information, analyze described more than two correlation between warning information.
CN201010002626.8A 2010-01-22 2010-01-22 Correlation analysis method, equipment and system Expired - Fee Related CN102136922B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010002626.8A CN102136922B (en) 2010-01-22 2010-01-22 Correlation analysis method, equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010002626.8A CN102136922B (en) 2010-01-22 2010-01-22 Correlation analysis method, equipment and system

Publications (2)

Publication Number Publication Date
CN102136922A CN102136922A (en) 2011-07-27
CN102136922B true CN102136922B (en) 2014-04-16

Family

ID=44296583

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010002626.8A Expired - Fee Related CN102136922B (en) 2010-01-22 2010-01-22 Correlation analysis method, equipment and system

Country Status (1)

Country Link
CN (1) CN102136922B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102664760A (en) * 2012-04-28 2012-09-12 华为技术有限公司 Alarming method for communication system, equipment and communication system
CN103580900B (en) * 2012-08-01 2016-12-21 上海宝信软件股份有限公司 A kind of correlation analysis system based on event chain
CN105391772B (en) * 2015-10-16 2019-02-22 百度在线网络技术(北京)有限公司 Service request processing method, log processing method and device
CN109510718B (en) * 2017-09-15 2020-09-11 华为技术有限公司 Alarm information processing method and device
US20210294682A1 (en) * 2020-03-18 2021-09-23 International Business Machines Corporation Predicting cost reduction of event correlation in fault event management

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863080A (en) * 2005-10-20 2006-11-15 华为技术有限公司 Warning managing method and system
CN1874249A (en) * 2005-05-31 2006-12-06 华为技术有限公司 Method for treating relativity of alarm based on parent-child relationship
CN101414933A (en) * 2007-10-15 2009-04-22 中兴通讯股份有限公司 Method and apparatus for processing alarm correlation information

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1874249A (en) * 2005-05-31 2006-12-06 华为技术有限公司 Method for treating relativity of alarm based on parent-child relationship
CN1863080A (en) * 2005-10-20 2006-11-15 华为技术有限公司 Warning managing method and system
CN101414933A (en) * 2007-10-15 2009-04-22 中兴通讯股份有限公司 Method and apparatus for processing alarm correlation information

Also Published As

Publication number Publication date
CN102136922A (en) 2011-07-27

Similar Documents

Publication Publication Date Title
KR102483025B1 (en) Operational maintenance systems and methods
CN102136922B (en) Correlation analysis method, equipment and system
US11190390B2 (en) Alarm information processing method and apparatus, system, and computer storage medium
US20170317872A1 (en) Alarm Processing Method and Apparatus
CN103605722A (en) Method, device and equipment for database monitoring
US9729355B2 (en) Method, device and system for remote management of terminal peripheral
CN106034051A (en) Network monitoring data processing method and network monitoring data processing device
CN103986604A (en) Method and device for locating network fault
CN108259202A (en) A kind of CA monitoring and pre-alarming methods and CA monitoring and warning systems
CN106878038B (en) Fault positioning method and device in communication network
CN112764956B (en) Database exception handling system, database exception handling method and device
CN110875841A (en) Alarm information pushing method and device and readable storage medium
CN104243192B (en) Fault handling method and system
CN107995066A (en) A kind of method and apparatus of automatic test network interface card
CN106330535A (en) Train-ground communication data processing method and apparatus
CN104486113A (en) Fault link positioning method based on active greed and passive greed in sensor network
CN117312098B (en) Log abnormity alarm method and device
US9258287B2 (en) Secure active networks
CN110597226A (en) Abnormity early warning method and device for vehicle-mounted Ethernet
CN113411209A (en) Distributed password service full-link detection system and method
CN109699041B (en) RRU channel fault diagnosis processing method, device and computer storage medium
US20140003223A1 (en) Network communication apparatus, system and method
CN113807697B (en) Alarm association-based order sending method and device
CN113381884B (en) Full link monitoring method and device for monitoring alarm system
WO2017008197A1 (en) Alarm information reporting method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHENZHEN LIANCHUANG INTELLECTUAL PROPERTY SERVICE

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20150703

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150703

Address after: 518129 Nanshan District Nanshan digital cultural industry base, east block, Guangdong, Shenzhen 407

Patentee after: Shenzhen LIAN intellectual property service center

Address before: 518129 headquarters building of Bantian HUAWEI base, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160414

Address after: Binhai County, Jiangsu province 224500 Century Avenue No. 01 Nanshan Chi Park Innovation Building Room 505

Patentee after: Jiangsu wisdom Technology Service Co., Ltd.

Address before: 518129 Nanshan District Nanshan digital cultural industry base, east block, Guangdong, Shenzhen 407

Patentee before: Shenzhen LIAN intellectual property service center

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140416

Termination date: 20180122

CF01 Termination of patent right due to non-payment of annual fee