JP2003141075A - Log information management device and log information management program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a log information management device capable of properly extracting optimum log information. SOLUTION: This log information management device comprises a means for receiving the system log data of an event generated from transmitter equipment connected through a network; a means for generating log information to be stored in a database on the basis of the received system log data, the receiving time added to the system log data and the data capable of specifying the transmitter equipment wherein the event is generated; a means for storing the generated log information in the database; and a means for extracting, according to the input of a required retrieval condition, the log information adapted to the retrieval condition from the database.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a log information management device and a log information management program for managing data relating to a system log mainly contributing to system management.

[0002]

2. Description of the Related Art A network server such as a UNIX server (UNIX is a registered trademark) or a router has a function called a system log (syslog) for recording an operation log in a file, and the system log manages the system. Is an important source of information for There are various logs recorded in the system log, for example, information output by the kernel, failure of login / logout / login to the system, start / end of communication session, and the like.

As a known technique related to the management of system logs and operation logs, there is a terminal adapter disclosed in Japanese Patent Laid-Open No. 6-216899. The terminal adapter is connected by a public line, and is configured to internally record normal call control information as a communication log. The terminal adapter determines whether a packet call for collecting a communication log from the D channel is received. A packet call processing means for rejecting an incoming call other than a packet call for collecting communication logs, and a log transmitting means for transmitting a communication log by using a D channel packet according to an instruction of a packet call for collecting communication logs. And
It is said that the communication log accumulated in the terminal adapter can be collected by the log collection host and the communication log can be centrally managed.

Another known technique is Japanese Patent Laid-Open No. 9-2.
There is a system log processing method of No. 12390. The system log processing method is a computer system that periodically collects checkpoints, restores the system to the state of the previous checkpoint when a failure occurs, and restarts data processing from that state. Equipped with a buffer memory for recording log information to be collected, system log information at the time of failure occurrence is collected in the above buffer in failure recovery processing after failure occurrence, and system log information collected after failure recovery is read from the above buffer memory It is written in the main storage device, and it is said that it is possible to realize a processing mechanism that can normally collect a system log while ensuring fault tolerance.

Another known technique is Japanese Patent Laid-Open No. 2000-2000.
There is a UNIX server failure detection system of No. 148541. The fault detection system monitors a software to be monitored and detects a fault in the software to be monitored, and a fault monitoring control that controls the fault based on a fault message including a fault content from the fault detection unit. And a notification means for notifying the occurrence of a failure to the outside according to the instruction of the failure monitoring control means, and it is possible to detect the failure of the UNIX server with high quality and flexibly respond to the system change. Has been done.

[0006]

By the way, for example, UN
The system log recorded in the IX server is an information collection source that is indispensable for system management work, and the cause of a trouble that has occurred in the system is often found by examining the system log. However, the system log stored in the UNIX server is not sufficient in terms of usability for checking the cause of trouble in system management. Therefore, for example, it is possible to search for information related to the system log based on keywords, and it is also possible to search based on the meaning contents thereof. A possible log information management device is required.

The present invention has been proposed in view of the above problems, and enables, for example, to search information related to a system log based on a keyword, and to search based on the meaning of the keyword, and to perform a plurality of searches. It is an object of the present invention to provide a log information management device and a log information management program capable of appropriately extracting optimum log information by enabling the system.

[0008]

A log information management apparatus of the present invention includes means for receiving syslog data of an event generated from a transmission source device connected via a network, the received syslog data and addition to the syslog data. Means for generating log information to be stored in a database based on the received time and data capable of specifying the transmission source device in which the event has occurred, means for storing the generated log information as a database, and a required search And a means for extracting log information matching the search condition from the database in response to the input of the condition. The log information is stored in the database for retrieval. Also, the log information is suitable because it can be used in other applications and is excellent in versatility if it is XML, for example, and can be appropriately used in the form of a tree structure that can logically retain the meaning. It may be the LISP language, or may be in the form of information other than the tree structure.

Further, the log information management apparatus of the present invention has means for receiving syslog data of an event generated from a transmission source device connected via a network, the received syslog data and a reception time added to the syslog data. And a basic item having data that can identify the reception time and the transmission source device, facility and priority, and an application name, process ID, and message based on the data that can identify the transmission source device in which the event has occurred. A means for generating log information in XML format having a tag name extracted from the message and target data of the tag name and a keyword extracted from the message; the basic matter and the operation related matter; A means for storing the keyword in association with the log ID and a required search In response to the input of matter, and having a means for extracting the basics of the log information having the basics or operation related matters or keywords or a combination thereof conforming to the search condition. Although log information in an appropriate format can be used for the log information in the present invention, if it is XML log information, it is possible to add semantic contents to each item or each item of log information and manage them in a unified manner. This is preferable because it is possible and various processing such as search is possible.

Further, the log information management device of the present invention stores the set detection condition, and recognizes the occurrence of a detection item corresponding to the detection condition based on the log information and executes a required process. And having. For example, when a detected item such as unauthorized access or log information expressing a failure that meets the detection conditions is detected, the required action such as sending an e-mail to the administrator terminal is automatically executed. It is possible to monitor unauthorized access, failure, etc.

Further, the log information management apparatus of the present invention is characterized in that at least a means for generating the log information and a means for storing the log information are connected via a network. The log information management device may be configured by a single computer, but may be constructed by connecting appropriate means via a network.

Further, the log information management program of the present invention is a means for receiving syslog data of an event generated from a transmission source device connected via a network, the received syslog data and a reception time added to the syslog data. And a means for generating log information to be stored in a database based on the data capable of identifying the transmission source device in which the event has occurred, a means for storing the generated log information as a database, and inputting required search conditions. Accordingly, a computer or a computer connected by a network is made to function as a unit for extracting log information matching the search condition from the database.

Further, the log information management program of the present invention is a means for receiving syslog data of an event generated from a transmission source device connected via a network, the received syslog data and a reception time added to the syslog data. And a basic item having data that can identify the reception time and the transmission source device, facility and priority, and an application name, process ID, and message based on the data that can identify the transmission source device in which the event has occurred. , An operation-related matter having a tag name extracted from the message and target data of the tag name, and a keyword having the keyword extracted from the message
A means for generating log information in ML format, a means for storing the basic matter, the operation-related matter, and the keyword in association with each other by a log ID, and a basic method that meets the search criteria in response to input of required search criteria. It is characterized in that a computer or a computer connected by a network is made to function as a means for extracting a basic item of log information having an item, an operation-related item, a keyword, or a combination thereof.

Further, the log information management program of the present invention stores the set detection condition, and means for recognizing the occurrence of a detection item corresponding to the detection condition based on the log information and executing a required process. As a computer or a computer connected by a network to function.

[0015]

BEST MODE FOR CARRYING OUT THE INVENTION The present invention will be described below based on specific embodiments. FIG. 1 is a block diagram showing a connection state between a log information management server and a connection device, and FIG. 2 is a block diagram showing a configuration of the log information management server.

In the overall configuration of the system of this embodiment, as shown in FIG. 1, a log information management server 1 is connected to one or a plurality of transmission source devices via a network, and in the illustrated example, a plurality of transmission source devices are used. Server 6a and multiple routers 6
b is connected to the log information management server 1, and the server 6a and the router 6b are set with a program for transmitting the system log syslog data to the log information management server 1.
Log information management server 1 for system log data of system log
Is ready to receive. Note that the server 6a and the router 6b transmit data that can identify the transmission source device such as the IP address or the server name and the transmission source name together with the syslog data, and the log information management server 1 transmits the data that can identify the transmission source device together with the syslog data. May be received.

Further, the log information management server 1 is connected to the administrator terminal 7 of the system administrator via a network, and when the log information management server 1 detects a failure, the log information management server 1 automatically detects it. Send information to the administrator terminal 3
A fault or the like can be recognized by displaying the detection information received by the display unit on the display unit. On the other hand, the administrator terminal 7 is connected to the log information management server 1 via a network so that the log information can be searched and tabulated. As the network, a network such as a wired or wireless network such as the Internet or a LAN that can appropriately connect a computer can be used, and, for example, between a log information generation device 1a and a log information storage device 1b described later. Appropriate data transmitted / received on each network may be encrypted by SSL etc., such as data encrypted transmitted / received on the network by SSL, and the network connection method is proper such as IP connection.

As shown in FIG. 2, the log information management server 1 has a central processing means 2 such as a CPU, a storage means 3 such as a ROM and a RAM, an input means 4 such as a keyboard and a mouse, and a communication control means 5. The storage unit 3 controls the overall operation of log information management processing such as log information generation and storage processing based on syslog data, log information search processing, aggregation processing, detection processing, and detection information transmission processing. A log information management program storage unit 301 that stores a management program, an act log file 302 that stores data in which the reception time and the sender name or IP address are added to the received syslog data, and an Act when a predetermined condition is satisfied It has an inact log file 303 that stores the data that is moved from the log file 302.

Further, the storage means 3 has an application identification table 304 in which required data for recognizing the application name and application ID of the syslog data is set, and a portion to be excluded from the syslog data message in order to extract the keyword. The exclusion word file 305 in which is set, the application operation identification table 306 in which necessary data for recognizing the application operation name and application operation ID of the syslog data is set, and the target for setting the tag of operation-related data An application tag extraction table 307 in which required data for extracting from a message is set, and a tag definition table 308 in which required data for extracting a tag name of syslog data is set.
A basic information storage unit 309 that stores basic information corresponding to basic data of log information, an operation related information storage unit 310 that stores operation related information corresponding to operation related data of log information, and index data of log information. Index information storage unit 31 for storing index information corresponding to
1, a detection condition file 312 in which detection conditions for extracting detection information are set, and a search and aggregation function setting file 313 in which data and programs necessary for search and aggregation are set, In addition, it has a storage unit for storing data and the like necessary for log information management processing, a backup file, and the like.

Next, a process of generating and storing XML log information in the log information management server 1 will be described. Figure 3
Is a flowchart showing a flow of generating and storing XML log information, FIGS. 4 to 7 are diagrams showing an application identification table, an application operation identification table, an application tag extraction table, and a tag definition table, respectively, and FIG. 8 is an XML log. It is a figure which shows the example of information.
9 to 11 are diagrams showing examples of a basic information table, an operation-related information table, and an index information table, respectively.

First, the server 6a or the router 6b of the transmission source device records the syslog data in response to the occurrence of a predetermined event to be recorded and, as shown in FIG. 3, cooperates with the transmission program that has been set. The log information management server 1 that operates and outputs the syslog data corresponding to the event.
Then, the log information management server 1 receives the transmitted syslog data via the network (S1).
In this example, as the syslog data, the syslog data of “<numerical value indicating facility and priority> application name [process number] message” is transmitted and received by the log information management server 1. As a specific example, <86> stelnetd [21420]: connect from fw. logstor
The syslog information of age.com is transmitted from the transmission source device and received by the log information management server 1. Note that the log information management server 1 may be configured to transmit data including data that can identify the transmission source device such as the log output date and time and the host name as the syslog data.

Since the data of the event occurrence time and the data which can identify the transmission source device are missing from the syslog data, the central processing means 2 of the log information management server 1 stores the log in the log information management program storage unit 301. In cooperation with the information management program, the communication occurrence time or the reception time and the stored sender name or IP address of the sender device are recognized, and the reception time and the sender name or IP address are added to the syslog data. , For example (time) (source name) <86> stelnetd [21420]: connect from fw.logstora
ge.com or, for example, (time) (IP address) <86> s
telnetd [21420]: connect from fw.logstorage.com (S2), and the syslog data to which the reception time and the sender name or IP address is added is stored in the act log file 302 for writing (S3). As a specific example, 1003720153127 kei <86> stelnetd [21420]: connect f
rom fw.logstorage.com or 1003720153127 192.168.2
54.111 <86> stelnetd [21420]: connect from fw. Logstor
Remember as age.com. Here, the IP address 192.16
8.254.111 corresponds to the sender name kei. The former example in which the sender name is added will be described below. It should be noted that an IP address may be added once to the syslog data, and this may be converted into a sender name corresponding to the IP address.

The central processing means 2 uses the act log file 3
The reception time and the transmission source name or IP address stored in 02 are stored in the act log file 302 when a predetermined time elapses from the time when the syslog data is stored in the act log file 302 for the first time. When the set predetermined condition is satisfied, such as when the data reaches a predetermined number of rows, the data is stored in the inact log file 303 for reading, deleted from the act log file 302, and deleted from the act log file 302. It moves to the log file 303 (S4). The data stored in the inact log file 303 is similar to the data stored in the act log file 302. For example, 1003720153127 kei <86> stelnetd [21420]: con
nect fromfw.logstorage.com. By separating the write-only act log file 302 and the read-only in act log file 303, an implementation advantage of preventing resource conflict can be obtained, and a data collection unit such as syslog data to be converted into XML can be set. The processing can be made efficient by storing them in the inact log file 303 according to a predetermined condition, and the processing amount can be drastically reduced by being read-only when converting to XML. You can

Then, the central processing means 2 of the log information management server 1 cooperates with the log information management program, and the reception time stored in the inact log file 303 and the syslog data to which the sender name or IP address is added. Are individually recognized, the application identification table 304 is read, the regular expression of the application set in the application identification table 304 is compared with the recognized syslog data, and the application name and application ID of the syslog data are recognized (S
5). Syslog data of the above example <86> stelnetd [21420]: co
By comparing nnect from fw. logstorage.com with the regular expression (app_reg) of the application identification table 304 of FIG. 4, and recognizing the application name (app_name) and application ID (app_id) of the matching regular expression (app_reg). 4, the application name (app_name): stelnetd and application ID (app_id): 2 of the second syslog data in FIG. 4 are recognized.

Further, the central processing means 2 has the reception time data set in a predetermined storage section of the storage means 3 as a basic item, the data of the transmission source name which is the data capable of specifying the transmission source device, or the IP address. , Facility and priority data, application name data, process ID data, and message data are acquired and extracted from the syslog data to which the reception time and the sender name or IP address are added (S6). In the above example,
1003720153127 is extracted as the data of the reception time (timestamp), kei is extracted as the data of the transmission source (host), the data of the facility (facility) and the priority (prior) are extracted.
As the data of (ity), from the numerical value <86> indicating the type of facility and priority, by recognizing the facility and priority corresponding to the numerical value stored in the storage unit, the auth of facility and the notice of priority are extracted, S as data of application name (application)
telnetd is extracted, and it is 21 as data of process ID (pid).
420 is extracted and conn is used as the message data.
Extract ect from fw.logstorage.com.

Further, the central processing means 2 recognizes the message by dividing it into words, refers to the exclusion word file 305, and excludes words or parts set in the exclusion word file 305 such as prepositions from the message, A keyword is extracted (S7). In the above example, the preposition from and period set in the exclusion word file 305.
Is excluded, and connect, fw, lo are used as keywords.
Extract four of gstorage and com.

Further, the central processing means 2 reads the application operation identification table 306, compares the application ID of the application operation identification table 306 with the recognized application ID of the syslog data, and corresponds to the application ID of the syslog data. Application operation identification table 30
The application operation name and the application operation ID that match the syslog data are recognized by comparing the regular expression of the application operation 6 and the message of the syslog data (S8). In the above example, for example, the application ID (app_id) of the application operation identification table 306 shown in FIG. 5 is compared with the application ID (app_id) of the syslog data recognized from the application identification table 304, and the application ID (app_id): 2 The regular expression (app_action_reg) of the matching application operation identification table 306 is compared with the message connect from fw.logstorage.com, and the matching application ID (app_id) and regular expression (app
_action_reg) application action name (app_action_na
me) and the application operation ID (app_action_id), the application operation name (app_action_name) of the second syslog data in FIG.
And application action ID (app_action_id): 2 are recognized.

After that, the central processing means 2 reads out the application tag extraction table 307, and extracts the application ID from the application tag extraction table 307.
And recognizes the location of the application tag whose application operation ID matches the application ID and application operation ID of the syslog data, compares the regular expression of the application tag at the location with the message of the system log, and The matching data is extracted from the message, and at the same time, the msgparam representing the name of the association of the regular expression and the tag ID are recognized (S9). In the above example, for example, application ID (app_id): 2 and application operation ID (app_app_
action_id): Recognizes the part of the application tag where 2 matches, and the regular expression of the application tag at the part
(app_tag_reg) and message connect from fw.logstora
ge.com or from excluding application behavior
Comparing fw.logstorage.com, fw.logstorag corresponding to (. *?) of the regular expression (app_tag_reg) shown in the second of FIG.
While extracting e.com, the from of msgparam is extracted and the tag ID (tag_id): 1 is extracted. When there are a plurality of application tag locations or lines in the application tag extraction table 307 that match the application ID and application operation ID of the syslog data, all are extracted by similar processing.

Further, the central processing means 2 reads the tag definition table 308 and recognizes and extracts the tag name whose tag ID matches the tag ID of the syslog data from the tag definition table 308 (S10). In the above example, for example, in the tag definition table 308 shown in FIG. 7, the tag ID (tag_i
d): The first tag definition location where the tag ID (tag_id) matches 1 is extracted, and the tag name (tag_name): from is recognized.

The central processing means 2 of the log information management server 1 cooperates with the log information management program to collect the required data in the extracted data and the data stored in a predetermined storage section of the storage means 3. XML log information including basic data, operation-related data, and index data is generated (S11). For example, Syslog data 100372015312 with the reception time and sender name in the above example added
7 kei <86> stelnetd [21420]: connect from fw. Logstor
XML log information shown in FIG. 8 is generated from age.com. The XML log information includes a timestamp tag at the reception time of the extracted basic items, a host tag at the transmission source, facility and priority tags at the facility and priority, an application tag as the application name, and a pid tag as the process ID. , Set the message tag to the message as the basic data, and keywor to each extracted keyword
Set the tag of d and index for the entire keyword
Set es tag and use as index data. Also,
The extracted application operation name connect is set in the attribute of the tag of application information, and <a
pp.info action = "connect"> is set and fw. logs extracted by the application tag extraction table 307
For torage.com and from, set the from tag and msgparam = "from" as an attribute in the from start tag.
And by setting <from msgparam = "from">,
Use as motion related data.

Further, the central processing means 2 of the log information management server 1 cooperates with the log information management program to store basic information or basic items corresponding to the basic data of the generated XML log information in the basic information storage unit 309. The action-related information or action-related information corresponding to the action-related data is stored in the action-related information storage unit 310, and the index information or keyword corresponding to the index data is stored in the index information storage unit 311 (S1).
2). In the example of FIG. 8, timestamp: 1003720153127, hos
t: kei, facility: auth, priority: notice, appli
cation: stelnetd, pid: 21420, message: connect
The basic information such as from fw.logstorage.com is stored in the basic information table of the basic information storage unit 309 shown in FIG. 9 in XML format as basic information, and the tag name (tag_name): from and the tag attribute (msgparam): Target data of from and tag (con
tent): fw.logstorage.com or the like as operation related information is stored in the operation related information table of the operation related information storage unit 310 shown in FIG.
The keywords such as connect, fw, logstorage, and com, which are the keywords, are stored in the index information table of the index information storage unit 311 shown in FIG. 11 in the XML format as index information.

The basic information storage unit 309 of the storage means 3,
Motion-related information storage unit 310, index information storage unit 3
The data stored in 11 or the like can be transferred to another secondary storage unit. For example, a record is read from each table according to a search result according to a period, restored to the XML format or the original syslog format, and archived. It is preferable to store the data after compressing it as necessary, and the time to execute the processing may be, for example, when the capacity of the storage unit that stores the data is insufficient, or according to predetermined conditions such as regular date and time. Good to run. Further, the method of interpreting the syslog data in the log information management server 1 can be freely set according to the input by the input means 4 of the log information management server 1 or the input means of the administrator terminal 7. For example, the target data of the tag (content): In addition to fw.logstorage.com, extract the data of only com and store it separately in the item of the operation related information table, or set it by adding the required tag, or the syslog data. A format for converting XML into XML is input and set by a regular expression, and changed or added.

Although not shown in FIG. 2, the log information management server 1 is provided with a timer for measuring the date and time, and the central processing means 2 cooperates with the log information management program, When the predetermined time set and stored by the timer measurement has come, the detection condition file 312 is read out, and the basic information table of the basic information storage unit 309, the operation related information table of the operation related information storage unit 310, and the index information storage The index information table of the unit 311 is read, and it is determined whether or not there is an item corresponding to the detection condition set in the detection condition file 312 with respect to the basic information of the log information, the operation-related information, or the index information. When an item of log information that represents a hardware failure is detected, the detected item of the detected item is automatically detected. Is generated and the detected information is transmitted to the administrator terminal 7 via the network, and the detected action execution information storage table stores that the detected information is generated and transmitted, and the detected information is transmitted to the administrator terminal 7 on the other hand. The detection information is displayed on the display means.

In addition to the transmission to the administrator terminal 7, the detection condition is displayed on the display means of the log information management server 1, the log information management server 1 executes a predetermined command, and the like, which corresponds to the detection condition. It is possible to perform appropriate processing such as warning according to the detection of items, and in addition to setting detection items for detection conditions, set specific syslog data or log information at the timing when syslog data occurs. Occurrence frequency, occurrence of combination of different types of specific syslog data or log information, predetermined number of times specific syslog data or log information occurs per unit time, etc. The conditions can be defined and set in other than the embodiment. In addition, the action executed by the log information management server 1 when the situation corresponding to the detection condition occurs is not limited to the above, and in this case, for example, after a predetermined time elapses from the occurrence of the situation corresponding to the detection condition, a specific action is taken. When the syslog data or log information is detected, the action may be canceled.

Next, a process of searching the log information or basic information of the syslog data stored in the log information management server 1 will be described. In the present embodiment, the log information management server 1 searches the log information management server 1 by accessing the log information management server 1 via a network, inputting search conditions with the input means of the manager terminal 7, and executing the search. The processing is executed and the search result is displayed on the display means of the administrator terminal 7. However, by providing the log information management server 1 with the display means and inputting and executing the search condition by the input means 4, The log information management server 1 executes the search process,
The search result may be displayed on the display means.

First, for example, a reception time (timestamp), a transmission source name (host), a facility (facility), a priority (priority), an application name (application),
Basic information storage unit 3 such as process ID (pid), message (message), application action name (app_action_name), etc.
To search for one or more types of basic information stored in the basic information table No. 09 as search conditions,
In response to the input of the search condition and the input of the execution of the search, the central processing means 2 of the log information management server 1 cooperates with the log information management program, the data of the search aggregation function setting file 313, and the like to refer to the basic information table. Then, all log information or basic information corresponding to the search condition is extracted, and the log information or basic information of the extracted syslog data is displayed. For example, when a period is input as the search condition and the search is executed, the log information or basic information of the syslog data within the period is extracted and displayed. In the example of the basic information table of FIG. 9, the reception time (timestamp): 1 within the search condition period
If 003720153127 is included, the log ID (log_id):
Extract the basic information of 1. In this example, the reception time is times
tamp format (UTC, January 1, 1970 0:00)
I am converting from minutes 0 seconds to counted milliseconds) and comparing,
Other than this, it is appropriate.

Secondly, when a keyword or a combination of keywords of the index information stored in the index information table of the index information storage unit 311 is searched as a search condition, the search condition is input and the search execution is input. Accordingly, the central processing means 2 of the log information management server 1 cooperates with the log information management program, the data of the search aggregation function setting file 313, etc., and refers to the index information table to find a keyword or a combination of keywords as a search condition. All the log IDs of the index information for which the matching keyword data is set are extracted, and the log information or the basic information of the syslog data corresponding to the extracted log ID is further referred to by referring to the basic information table of the basic information storage unit 309. Extract all of the extracted syslog data To display a grayed information or basic information.
For example, when logstorage is input as the keyword of the search condition and the search is executed, the index information table of FIG.
Log ID (log_id) of index information that is storage: 1
And the basic information of the syslog data corresponding to the extracted log ID (log_id): 1 is extracted with reference to the basic information table of FIG.

Thirdly, the tag name, the tag attribute, the target data of the tag stored in the operation related information table of the operation related information storage unit 310 and not stored in the basic information table, or an appropriate combination thereof is used. When performing a search as a search condition, the central processing means 2 of the log information management server 1 cooperates with the log information management program, the data of the search aggregation function setting file 313, and the like in response to the input of the search condition and the execution of the search. Works and refers to the operation related information table to extract all the log IDs of the operation related information in which the tag name, the tag attribute, the target data of the tag or an appropriate combination of these that matches the search condition are set, and By referring to the basic information table of the basic information storage unit 309, the log information of the syslog data corresponding to the extracted log ID or Is all extract the basic information, and displays the extracted syslog log information or the basic information of the data.
For example, when <from> fw.logstorage.com </ from> consisting of a tag name and tag target data is input as the search condition and the search is executed, the tag name is referenced by referring to the operation related information table of FIG. (tag_name): from and target data (conte
nt): Log ID of the operation related information that is fw.logstorage.com
(log_id): 1 is extracted, and the basic information of the syslog data corresponding to the extracted log ID (log_id): 1 is extracted with reference to the basic information table of FIG.

The log information or the basic information of the syslog data of the search result extracted by the above-mentioned search is converted into the normal time display, for example, the reception time, 2001-10-23 11:08:42 ke
i <86> stelnetd [21420]: connect from fw.logstorage.
Display in a format like com. Particularly, when a predetermined item of the log information or the basic information is clicked, it is preferable that the narrowed search is performed with the predetermined item.
For example, if you click fw.logstorage.com, fw.logsto
Extract basic information or log information of syslog data that has rage.com. In this case, any one of the first to third search methods is automatically selected according to the designation input by clicking a predetermined item, the search is executed, and the search result is displayed.

Further, the log information management server 1 cooperates with the log information management program and the data or program of the search and aggregation function setting file 313 to input and aggregate the aggregation conditions from the administrator terminal 7 or the log information management server 1. The basic information table, the operation-related information table, and the index information table are read according to the input of execution of, the log information or basic information of the syslog data corresponding to the aggregation condition is aggregated, and the aggregation result is transmitted. Then, it is displayed on the display means of the administrator terminal 7 or displayed on the display means of the log information management server 1. For example, when the log information of the syslog data having the application operation name (app_action_name): connect or the number of basic information items is set as the aggregation condition, the log information management server 1 reads the basic information table of the basic information storage unit 309 and outputs the application information. The number of log information or basic information of syslog data whose action name (app_action_name) is connect is counted and totaled. The totaling result may be displayed in a graph as necessary, and the totaling items can be appropriately set as necessary, such as the number of applications transferred and the total amount of transferred data.

In the above embodiment, the log information management server 1 is used.
Is configured to generate and store log information. However, as shown in FIG. 14, for example, a log information generation device that has central processing means, storage means, etc., and cooperates with a predetermined program to generate log information. 1a and a log information storage device 1b that stores log information, and is configured to transmit XML log information from the log information generation device 1a to the log information storage device 1b via a network, and preferably log information generation Device 1
Required data is added to the log information at a, the required data is verified at the log information storage device 1b, and if the verification is incorrect, the log information storage device 1b returns an error to the log information generation device 1a. Configuration and log information generation device 1
The log information storage device 1b determines whether or not the XML data transmitted from a is correct in XML format. If the XML data is not correct, the XML data is not processed and the log information is stored in error. It is preferable that the device 1b sends a reply to the log information generating device 1a.

For example, when XML log information is transmitted from the log information generating device 1a to the log information storing device 1b, the log information generating device 1a is used to detect falsification of the log information.
Is to calculate the digest of the log information according to the set and stored algorithm, add the attribute of the algorithm and the attribute of the digest calculated as the attribute of the log information to the log information, and send the added log information, on the other hand The log information storage device 1b that has received the added log information
Recognize an algorithm corresponding to the attribute of the algorithm of the log information from the stored algorithm, calculate the digest with a hash function according to the algorithm, verify by comparing the digest of the received log information and the calculated digest, If they are the same, they are accepted and stored as in the above embodiment. If they are different, it is determined that the log information has been tampered with, and a message to that effect is sent back to the log information generating device 1a. The basic information table of FIG. 12 shows an example in which log information or basic information in which the algorithm attribute of log information corresponds to md5 and the digest is XygekBjaorQc5XESwu521Q == is stored.
The digest is appropriately encoded and expressed.

Further, for example, when XML log information is transmitted from the log information generating device 1a to the log information storing device 1b, it is possible to detect alteration of the entire XML document including the XML log information and to correct the log information generating device 1a. In order to confirm that the log information is transmitted from the server, the log information generation device 1a uses the log information as a signature target and describes the signature algorithm attribute, the signature value, and the public key certificate in XML.
The log information storage device 1b which has transmitted the electronic signature in accordance with the format of the key created in advance and which has received the log information to which the electronic signature is attached on the other hand, selects the algorithm of the log information from the set and stored algorithms. Recognize the algorithm corresponding to the attribute of the log information, calculate the signature value of the log information according to the algorithm, compare the signature value of the received log information with the calculated signature value, and at the same time prove the public key of the received log information. The authenticity of the electronic signature is verified by a certificate, and if it is authenticated, it is accepted and stored as in the above embodiment, and if it is not authenticated, a reply to that effect is sent back to the log information generating device 1a. .

Note that there is a plurality of log information expressed between <log> and </ log> between <logs> and </ logs> shown in FIG. 8, and the plurality of log information is transmitted. If it is done, the calculation and comparison of the above digests can be done with all <log> and </ log>
The log value expressed between <log> and <log> is calculated and compared with the log value expressed between <log> and </ log>. Is performed on a set of data that is handled by Also, the method of verifying the log information to be transmitted is not limited to the above, and any suitable method can be adopted, or a single method can be adopted or a plurality of methods can be used in combination.

When the log information generator 1a transmits XML log information to the log information storage device 1b and the log information storage device 1b receives and stores the log information, the log information storage device 1b verifies the log information. The date and time (received_date) when the data is received from the log information generation device 1a is added to the subsequent log information, and the log information storage device 1b is written and stored in the reception log information storage table shown in FIG.
Is the data of the reception time when the log information generation device 1a of the written log information received the syslog data from the transmission source device.
(timestamp) is returned to the log information generation device 1a. In this case, for example, between <logs> and </ logs> shown in FIG.
If there is a plurality of log information represented between the log information and the </ log>, and the plurality of log information is transmitted, the log information storage device 1b stores the last log information of the plurality of received log information. The data (timestamp) of the reception time is used as the log information generation device 1a.
It is preferable to reply to. The basic table in FIG.
The case where the log information storage device 1b stores the data by adding the date and time (date_entry) when the data is received from the log information generation device 1a is shown.

In order to reliably transmit and store the log information, the same syslog data is received from the sender terminal,
A plurality of log information generation devices 1a capable of transmitting the same XML log information to the log information storage device 1b are provided by setting the order of the log information generation device 1a in the log information storage device 1b and storing the log information. When the device 1b receives and stores the log information, the high-rank log information generation device 1a transmits data when the high-rank log information generation device 1a establishes a connection to the log information storage device 1b. Storage device 1
If a problem occurs in the log information generating device 1a having a higher rank, such as the inability to establish a connection to the log information storage device 1b, the log information storage device 1b permits the log information generating device 1a having the next rank to establish a connection. It is preferable that the next-order log information generation device 1a establishes a connection to the log information storage device 1b and the next-order log information generation device 1a transmits data. For example, the log information storage device 1b uses the IP address or transmission source name of the log information generation device 1a, which is set and stored, and its rank, and the IP address or transmission source name of the log information generation device 1a recognized by the connection,
Recognizing the log information generating device 1a in the previous order, establishing the connection, not permitting the log information generating device 1a in the next order to establish a connection, and generating the log information in the next order recognized by the same method. The device 1a is allowed to establish a connection only when the defect information of the log information generating device 1a in the preceding order is recorded.

In addition to the regular log information generating apparatus 1a and the backup log information generating apparatus 1a, a plurality of regular log information generating apparatuses 1a for receiving different syslog data and transmitting different log information are provided, or A plurality of sets of regular and backup log information generation devices 1a for receiving different syslog data and transmitting different log information are provided, and one or more log information generation devices 1a transmit data to the log information storage device 1b. It is also possible. Further, the communication path through which the log information generation device 1a receives syslog data from the transmission source device and the communication path through which the log information generation device 1a transmits log information to the log information storage device 1b are distinguished by, for example, different port numbers. Then, data can be transmitted and received in parallel, which is preferable.

By providing the log information generation device 1a and the log information storage device 1b separately as described above, each device is more effective than the log information generation process and the log information storage process in the log information management server 1. It is possible to disperse the load on the storage capacity, processing capacity, etc., and to improve the resilience to a failure by providing the regular log information generating apparatus 1a and the backup log information generating apparatus 1a, for example. .

The configurations of the log information generation device 1a and the log information storage device 1b are appropriate within the scope of the present invention. For example, the log information generation device 1a is a central processing unit, and the log information in the log information management program is used. A log information generation program storage unit that stores the generation program, an act log file,
An inact log file, an application identification table, an exclusion word file, an application operation identification table, an application tag extraction table, a tag definition table, and other storage means, input means, communication control means, etc. A central processing means, a log information storage program storage unit for storing a log information storage program, a search program, etc. of the log information management program, a basic information storage unit, an operation related information storage unit,
A configuration including an index information storage unit, a detection condition file, a storage unit having a search aggregation function setting file, an input unit, a communication control unit, and the like can be used.

[0050]

By using the log information management device or the log information management program of the present invention, the optimum log information can be appropriately extracted. Unlike the case of artificially searching for necessary syslog data from a large amount of text files in the past, for example, it is possible to search information related to system logs based on keywords and also search based on the meaning content. Optimum log information can be appropriately extracted by enabling a plurality of search methods.

Further, even when the transmission source devices of the syslog data such as servers and routers are distributed, a large amount of distributed syslog data can be centrally managed by the database of the log information management device. In addition, it has a high-level search function / detection function / aggregation function for a centrally managed database, which enables dynamic tracking of information, detection of failures and unauthorized access, and prediction of failures.

Further, by storing the syslog data as log information or basic information in XML format, it becomes possible to process the log information in a unified manner, and various kinds of search processing, detection processing, tabulation processing, etc. Processing becomes possible. In addition, the configuration that allows you to freely set the interpretation method of syslog data and log information allows you to flexibly increase or change the processing such as search processing, detection processing, aggregation processing without changing the system itself. It has high versatility.

[Brief description of drawings]

FIG. 1 is a block diagram showing a connection state between a log information management server and a connection device according to an embodiment.

FIG. 2 is a block diagram showing the configuration of a log information management server according to the embodiment.

FIG. 3 is a flowchart showing a flow of generating and storing XML log information.

FIG. 4 is a diagram showing an application identification table.

FIG. 5 is a diagram showing an application operation identification table.

FIG. 6 is a diagram showing an application tag extraction table.

FIG. 7 is a diagram showing a tag definition table.

FIG. 8 is a diagram showing an example of XML log information.

FIG. 9 is a diagram showing an example of a basic information table.

FIG. 10 is a diagram showing an example of a motion related information table.

FIG. 11 is a diagram showing an example of an index information table.

FIG. 12 is a diagram showing another example of the basic information table.

FIG. 13 is a diagram showing an example of a reception log information storage table.

FIG. 14 is a block diagram showing a connection state of a connection device, a log information generation device, and a log information storage device according to another embodiment.

[Explanation of symbols]

1 Log information management server 1a Log information generation device 1b Log information storage device 2 Central processing means 3 storage means 301 Log information management program storage section 302 Act log file 303 Inact log file 304 Application identification table 305 Exclusion word file 306 Application operation identification table 307 Application tag extraction table 308 Tag definition table 309 Basic information storage 310 Operation-related information storage unit 311 Index information storage unit 312 Detection condition file 313 Search aggregation function setting file 4 input means 5 Communication control means 6a server 6b router 7 administrator terminal

   ─────────────────────────────────────────────────── ─── Continued front page    F term (reference) 5B042 GA12 HH30 MA08 MA11 MC12                       MC35 MC36 MC40                 5B075 KK07 ND03 ND23 UU40                 5B085 AC14 AC16                 5B089 GA01 GB02 JA36 JB02 KC44                       KC53 MC03

Claims (7)

[Claims] 1. A means for receiving syslog data of an event generated from a transmission source device connected through a network, the received syslog data, a reception time added to the syslog data, and a transmission source device in which the event occurred. Means for generating log information to be stored in the database based on the data that can specify the log information, a means for storing the generated log information as a database, and matching the search condition in response to input of required search conditions. A log information management device, comprising: means for extracting log information from the database. 2. A means for receiving syslog data of an event generated from a transmission source device connected via a network, the received syslog data, a reception time added to the syslog data, and a transmission source device where the event occurred. On the basis of the data that can identify the reception time and the transmission source device, the basic items including the facility, the priority, the application name, the process ID, and the message data, and the tag name extracted from the message, A means for generating log information in XML format having an operation-related item having tag name target data and a keyword extracted from the message, and storing the basic item, the operation-related item and the keyword in association with a log ID. And the input of the required search conditions. And a unit for extracting basic items of log information having matching basic items, operation-related items, keywords, or a combination thereof. 3. Means for storing the set detection conditions,
3. The log information management apparatus according to claim 1, further comprising means for recognizing occurrence of a detection item corresponding to the detection condition based on the log information and executing a required process. 4. The log information management device according to claim 1, wherein at least the means for generating the log information and the means for storing the log information are connected via a network. 5. A means for receiving syslog data of an event generated from a transmission source device connected through a network, the received syslog data, a reception time added to the syslog data, and a transmission source device in which the event occurred. Means for generating log information to be stored in the database based on the data that can specify the log information, a means for storing the generated log information as a database, and matching the search condition in response to input of required search conditions. A log information management program that causes a computer or a computer connected by a network to function as a means for extracting log information from the database. 6. A means for receiving syslog data of an event generated from a transmission source device connected via a network, the received syslog data, a reception time added to the syslog data, and a transmission source device in which the event occurred. On the basis of the data that can identify the reception time and the transmission source device, the basic items including the facility, the priority, the application name, the process ID, and the message data, and the tag name extracted from the message, A means for generating log information in XML format having an operation-related item having tag name target data and a keyword extracted from the message, and storing the basic item, the operation-related item and the keyword in association with a log ID. And the input of the required search conditions. A log information management program that causes a computer or a computer connected by a network to function as a means for extracting basic items of log information having matching basic items, operation-related items, keywords, or a combination thereof. 7. A means for storing the set detection condition,
3. The log according to claim 1, wherein a computer or a computer connected by a network is made to function as means for recognizing occurrence of a detection item corresponding to the detection condition based on the log information and executing a required process. Information management program.