JP2009253358A - Information processor and information processing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processor capable of forming a rule for deleting a fault message of low priority. <P>SOLUTION: The information processor comprises a memory and a control portion. The memory stores network configuration information indicative of a connection relation for a plurality of data transfer devices. The control portion receives fault messages from the plurality of data transfer devices and stores the fault messages in the memory. When a time of fault occurrence is within a predetermined time between two fault messages among these messages, the control portion gives a predetermined mark to the two fault messages. The control portion investigates a hop count between two devices being the transmission source of the two fault message with reference to the network configuration information, and adds a mark to the score of the two fault messages wherein the mark becomes larger as the hop count becomes smaller. It is decided that association is higher as the sum total value of the mark is larger. The control portion determines whether a rule of deleting a later message is generated or not, when a fault of type indicated by each of the two fault messages occurs in a fault generation sequence of the two fault messages within a predetermined time duration. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an information processing apparatus and an information processing method for monitoring a failure that occurs in a data transfer apparatus in a network.

  When a failure occurs, a network device such as a router or a switch connected to the network transmits a failure message, which is a message for notifying the occurrence of the failure, to the management device. When a failure occurs in another device due to the failure that occurred first, a failure message different from the main cause is transmitted from the device to the management device. As described above, even if there is only one cause of the failure, a plurality of failure messages may reach the administrator, and it may take time for the administrator to find the main cause of the failure.

  In order to reduce this effort, the administrator prepares a correlation rule indicating the relationship between multiple failures in advance, and applies the correlation rule when the management device receives multiple failure messages from multiple network devices. Then remove the extra fault message and reveal the main cause fault message.

In the method of Patent Literature 1, the alarms are distributed by defining in advance a method for distributing a main cause alarm having a high priority and an influence alarm having a low priority.
JP-A-8-251162

  When creating a correlation rule, the administrator performs rule design in advance by logically considering the relationship between the notified failure messages. However, it is difficult to predict what kind of failure is caused by the failure of an adjacent device. For this reason, rule creation requires careful setting after a thorough investigation in advance of the specifications of the network device and the configuration of the entire network, which is extremely laborious for the administrator. Similarly, when the alarm distribution method in the method of Patent Document 1 is defined, it takes time and effort. For this reason, even if a management apparatus is equipped with a correlation function for deleting a failure message having a low priority according to a preset rule, the management apparatus may not actually be used.

  The present invention has been made to solve the above-described problems of the technology, and provides an information processing apparatus and an information processing method for generating a rule for deleting a failure message having a low priority. Objective.

An information processing apparatus of the present invention for achieving the above object is an information processing apparatus connected via a network to a plurality of data transfer apparatuses to which different identifiers are assigned for each apparatus,
A storage unit storing network configuration information indicating a connection relationship between the plurality of data transfer devices;
When a failure message including information on the identifier, the date and time of failure occurrence and the type of failure is received from the plurality of data transfer devices, these messages are stored in the storage unit, and two failure messages of the plurality of failure messages are stored. If the failure occurrence date / time is within a predetermined time, a predetermined score is given to the two failure messages, and a hop between the two devices that are the transmission source of the two failure messages with reference to the network configuration information The smaller the number of hops, the larger the score is added to the score of the two failure messages. The larger the total score is, the higher the relevance of the two failure messages is determined. When a failure of the type indicated by each of the two failure messages occurs in the failure occurrence order of the two failure messages, A control unit for determining whether to generate rules to the effect to remove the di,
It is the structure which has.

An information processing method of the present invention is an information processing method for monitoring a plurality of data transfer devices provided in a network and assigned different identifiers for each device,
Holding network configuration information indicating a connection relationship of the plurality of data transfer devices;
When a failure message including information on the identifier, failure occurrence date and time, and failure type is received from the plurality of data transfer devices, these messages are recorded,
If the failure occurrence date and time of two failure messages among the plurality of recorded failure messages is within a predetermined time, a predetermined score is given to the two failure messages,
Referring to the network configuration information, the number of hops between the two devices that are the transmission sources of the two failure messages is examined, and the smaller the number of hops, the larger the score is added to the score of the two failure messages;
It is determined that the relationship between the two failure messages is higher as the total value of the points is larger, and the types of failures indicated by the two failure messages within the predetermined time are in the failure occurrence order of the two failure messages. When it occurs, it is determined whether or not to generate a rule to delete a message whose order is later.

  According to the present invention, since the importance level of the failure message sent from the data transfer apparatus is determined and a rule for deleting the low priority message is generated, the network administrator creates the rule. Saves time and effort.

  The information processing apparatus according to the present invention generates a correlation rule based on a failure occurrence date and time and a connection relationship between network devices related to the failure.

  The failure management apparatus of this embodiment will be described.

  FIG. 1 is a block diagram illustrating a configuration example of a failure management apparatus according to the present embodiment. FIG. 2 is a diagram illustrating an example of a configuration in which the failure management apparatus illustrated in FIG. 1 is connected to a network.

  As shown in FIG. 2, the failure management apparatus 1 is connected to the management target network apparatuses 10 a to 10 e via the network 100. The network devices 10a to 10e, like routers and switches, are data transfer devices that transfer received data to a transmission path in the direction of the destination terminal. Different identifiers are assigned to the network devices 10a to 10e, respectively.

  In the present embodiment, the network devices 10a to 10e are data transfer devices in IP (Internet Protocol) communication. The network devices 10a to 10e read the header information of the received packet and transfer the packet to the destination described in the header. When a failure occurs, the network devices 10 a to 10 e transmit a failure message including information indicating the failure occurrence date and time, the identifier of the own device, and the type of failure to the failure management device 1 via the network 100. In this embodiment, the network devices 10a to 10e are managed, but the number of managed devices is not limited to five.

  Next, the configuration of the failure management apparatus 1 will be described.

  The failure management apparatus 1 is an information processing apparatus such as a server and a workstation. As shown in FIG. 1, the failure management apparatus 1 includes a receiving unit 11 that receives a failure message from the network devices 10a to 10e, a storage unit 9 that stores the failure message, and a control unit 3 that controls each unit. .

  The control unit 3 includes a network configuration management unit 2, a score accumulation unit 5, a correlation rule generation unit 6, and a correlation rule application unit 7. The control unit 3 is provided with a CPU (Central Processing Unit) (not shown) that executes predetermined processing according to a program, and a memory (not shown) for storing the program. When the CPU executes the program, the network configuration management unit 2, the score accumulation unit 5, the correlation rule generation unit 6, and the correlation rule application unit 7 are virtually configured in the failure management apparatus.

  The storage unit 9 stores failure messages received from the network devices 10a to 10e. FIG. 3 is a table showing an example of a failure message stored in the storage unit. The number indicating the reception order of the failure messages is smaller as the failure occurrence date is older. Here, for the purpose of explanation, a number column is provided in the table so that the failure message can be distinguished, but the failure message may not include a number.

  In the table of FIG. 3, the number, the date and time of occurrence of the failure, the identifier of the device in which the failure has occurred, and the type of failure are shown for each failure message. “Device a” is an identifier of the network device 10a, and the identifiers of the other devices correspond to the Roman letters of the codes of the respective devices. The first failure message in the table indicates that a failure of the type of failure message A occurred in the network device 10a at 20:38:50 on December 11, 2007. In order to simplify the explanation, one message type is used for each device, but there may be a plurality of types of failure messages for each device.

  The storage unit 9 stores network configuration information that is information indicating how the plurality of network devices 10a to 10e to be monitored are connected to each other.

  In the configuration example shown in FIG. 2, the following information is stored in the storage unit 9 as network configuration information. The network device 10a is connected to the network device 10b, the network device 10b is connected to the network devices 10a, 10d, and 10e. The network device 10d is connected to the network devices 10b and 10c, and the network device 10e is connected to the network device. 10b and 10c. The network device 10c is connected to the network devices 10d and 10e. " As the device name, the identifiers of the network devices 10a to 10e are used.

  In this embodiment, the network configuration information is registered in advance in the storage unit 9 by the administrator. However, when the control unit 3 executes a program, a routing table stored in a router (not shown) in the network 100 is stored. Information may be collected, and network configuration information may be created based on the collected information and registered in the storage unit 9. The registration format of the network configuration information is not limited to the above description method.

  The receiving unit 11 transmits a failure message received from the network devices 10 a to 10 e to the control unit 3. The control unit 3 stores the failure message received from the reception unit 11 in the storage unit 9 and generates a correlation rule as follows.

  The score accumulating unit 5 of the control unit 3 periodically monitors the failure messages stored in the storage unit 9, and if a plurality of failure messages are recorded in the storage unit 9, the degree of relevance of these failures is determined. Scoring to investigate. Scoring is performed in two stages: time determination based on the date and time of failure occurrence and determination based on the connection relationship between the devices.

  First, a scoring method based on time determination will be described. The score accumulating unit 5 divides a plurality of failure messages to be determined into groups by dividing them at a predetermined time t1. Although the time t1 can take an arbitrary value, it is determined in advance by experiments or results. In the present embodiment, t1 = 10 seconds. A failure message with the first failure occurrence date and time in the same group is a parent message, and other failure messages are child messages. “1” is given as a point to the pair of these two messages. The score accumulating unit 5 records score information corresponding to the pair in a memory (not shown) in the control unit 3. Note that one failure message may belong to a plurality of groups depending on the grouping method. Detailed description in that case will be described later.

  The score integrating unit 5 performs the determination based on the connection relationship between the devices after scoring by time determination as follows. In order to inquire the network configuration management unit 2 how far the transmission source device of the child message is based on the transmission source device of the parent message if the transmission source devices of the two failure messages in the pair are different In addition, a pair configuration information request signal including information for inquiring the identifiers of the two devices to be paired and the distance between these devices is transmitted to the network configuration management unit 2.

  Here, instead of actually measuring the length of the transmission path between the devices, a unit called “hop” is used as a guide indicating the distance between the devices. The minimum value of 1 hop indicates a distance between devices when the two devices are directly connected via a transmission path. FIG. 4 is a diagram for explaining the inter-device distance in the configuration example shown in FIG. As shown in FIG. 4, for example, the distance between the network device 10a and the network device 10b is 1 hop, and the distance between the network device 10a and the network device 10c is 3 hops.

  When the score accumulating unit 5 receives a pair configuration information response signal including information on the identifiers of the two devices and the number of hops from the network configuration management unit 2, the score accumulating unit 5 adds the score to the score information of the child message based on the number of hops. To do. Points according to the number of hops are as follows.

  When the transmission source of the child message is one hop connected directly to the transmission source of the parent message, 3 points are added to the score information of the child message. When the child message transmission source is a two-hop relay connected to the parent message transmission source through another device, two points are added to the child message score information. When the distance between the two devices is 3 hops, 1 point is added to the score information of the child message, and when the distance between the 2 devices is 4 hops or more, no point is added to the score information of the child message. The reason why the points to be added is larger as the number of hops between the devices is smaller in this way because the closer the two devices are, the more susceptible to the failure that has occurred in the other party.

  When the scoring for the failure message to be determined is completed, the score accumulating unit 5 sends the pair determination result information including the information of the type of each of the parent message and the child message of the pair and the score information to the correlation rule generating unit 6. Send to.

  When the network configuration management unit 2 receives the pair configuration information request signal from the score accumulating unit 5, the network configuration management unit 2 refers to the network configuration information registered in the storage unit 9, and between the two identifier devices included in the pair configuration information request signal Find the distance in hops. Then, a pair configuration information response signal including information on the obtained number of hops is transmitted to the point integration unit 5.

  When the correlation rule generation unit 6 receives the pair determination result information from the score accumulating unit 5, the correlation rule generation unit 6 generates a correlation rule based on the pair determination result information, and sends the generated correlation rule information to the correlation rule application unit 7. Send.

  When the correlation rule application unit 7 receives the correlation rule information from the correlation rule generation unit 6, the correlation rule application unit 7 applies the correlation rule to the failure messages sequentially stored in the storage unit 9 and applies the correlation rule after application. A failure message is transmitted to the display unit 8. The display unit 8 displays a failure message after the correlation rule is applied.

  Next, an operation procedure of the failure management apparatus according to this embodiment will be described.

  When a failure occurs, the network devices 10a to 10e transmit a failure message to the failure management device 1 via the network 100. When the failure management apparatus 1 receives the failure message via the reception unit 11, the failure management device 1 records the failure message in the storage unit 9. Here, it is assumed that the failure message shown in FIG.

  FIG. 5 is a flowchart showing an operation procedure of the score accumulating unit. For the plurality of failure messages recorded in the storage unit 9, the score accumulating unit 5 reads out information on the failure occurrence date and time from the information on the failure message that occurred first (step 101). Referring to FIG. 3, in the first failure message, a failure occurs at 20:38:50 on December 11, 2007. Subsequently, it is checked whether or not there is a failure that has occurred within t1 = 10 seconds from the failure occurrence date and time of the first failure message (step 102). Read the message and treat it as the same group as the first failure message.

  In the example shown in FIG. 3, the second failure message indicates that a failure has occurred at 20:38:52, and the third failure message indicates that a failure has occurred at 20:38:55. Therefore, the score accumulating unit 5 treats these two failure messages as the same group as the first failure message. If no other failure has occurred in step 102, the processing returns to step 101 for the next failure message (step 103).

  6 and 7 are diagrams for explaining the parent-child relationship of messages and the scoring method. In FIG. 6, it is assumed that the pair of failure message A and failure message B previously holds one point as score information by the past determination process.

  The score accumulating unit 5 uses the first failure message read first as a parent message and the second and third failure messages as child messages. A pair in which the parent message and the second failure message are paired and a pair in which the parent message and the third failure message are paired are created (step 104). Then, one point is added to the score information of each pair (step 105). As a result, as shown in FIG. 6, the score based on the failure occurrence date is 2 points for the pair including the 2nd failure message and 1 point for the pair including the 3rd failure message.

  Subsequently, the score accumulating unit 5 transmits a pair configuration information request signal for the two pairs to the network configuration management unit 2 and receives a pair configuration information response signal from the network configuration management unit 2 as information indicating the result. (Step 106). As shown in FIG. 2, since there is one hop between the network device 10a and the network device 10b, the score accumulating unit 5 adds 3 points to the score information of the pair including the second failure message. Further, since there are three hops between the network device 10a and the network device 10c, the score accumulating unit 5 adds one point to the pair score information including the third failure message (step 107).

  By performing the determination based on the connection relationship between devices, as shown in FIG. 6, the score information of the pair including the second failure message is 2 + 3 = 5, and the score information of the pair including the third failure message is 1 + 1. = 2 points. When the score accumulation unit 5 has performed the process so far, the score accumulation unit 5 determines whether or not there is an unprocessed message in the storage unit 9 (step 108). If there is an unprocessed message, the processing after step 101 is repeated for the next failure message. Hereinafter, a case where the second failure message, which is the next message, is used as a parent message will be described.

  In step 102, the score accumulating unit 5 checks whether there is a child message belonging to the same group by using the second failure message as the next message as a parent message. It can be seen from FIG. 3 that one group is formed by the second failure message and the third failure message.

  As shown in FIG. 7, the score accumulating unit 5 gives one point as a point according to the date and time when the failure occurred for a pair in which the second failure message is a parent message and the third failure message is a child message (step 104). (Step 105). Subsequently, the score accumulating unit 5 transmits a pair configuration information request signal for this pair to the network configuration management unit 2, and as a result, receives a pair configuration information response signal from the network configuration management unit 2 (step 106). .

  As shown in FIG. 2, since there are two hops between the network device 10b and the network device 10c, the score accumulating unit 5 assigns two points to the score information of the pair of the second failure message and the third failure message. Add (step 107). As shown in FIG. 7, the score information by the pair of the second failure message and the third failure message is 1 + 2 = 3 points.

  Thereafter, if there is no unprocessed message in step 108, the score integrating unit 5 ends the processing. After a certain time, the message recorded in the storage unit 9 is examined, and if there is a newly recorded failure message, the process shown in FIG. 5 is executed.

  The score accumulation unit 5 transmits pair determination result information to the correlation rule generation unit 6 when scoring is performed for each pair as described above. When the correlation rule generation unit 6 receives the pair determination result information from the score accumulating unit 5, the correlation rule generation unit 6 reads the score information for each pair, and determines whether the score is equal to or higher than a predetermined reference point. Determine whether there is a link between the parent message and the child message failure.

  Here, there are three pairs to be determined, including the two pairs shown in FIG. 6 and the one pair shown in FIG. Assuming that the predetermined reference points are three points, the correlation rule generation unit 6 sets “fault message A (parent message) having a total score of five points as a pair indicating the type of fault involved in the three pairs. ) -Failure message B (child message) "and" failure message B (parent message) -failure message C (child message) "having a total of 3 points.

  Then, the correlation rule generation unit 6 generates the following two rules. Rule 1 states that “when a failure of the failure message B occurs within a certain time t2 from the time when the failure of the failure message A occurs, the failure message for notifying that the failure of the failure message B has occurred” is deleted. That's it. Rule 2 states that “when a failure of the failure message C occurs within a certain time t2 from the time when the failure of the failure message B occurs, the failure message for notifying that the failure of the failure message C has occurred” is deleted. That's it. The fixed time t2 is set to a value determined in advance by experiments or results. It is good also as t1 = t2. FIG. 8 is a table that briefly describes the generated rules.

  The generated rule 1 is based on the determination that the failure of the failure message B occurring within the predetermined time t2 from the failure occurrence of the failure message A is mainly caused by the failure message A. Therefore, if the failure of the failure message A is solved, it is not necessary to deal with the failure of the failure message B. Rule 2 is based on the determination that the failure of the failure message B is caused mainly by the failure of the failure message C that occurs within a predetermined time t2 from the failure of the failure message B. Therefore, if the failure of the failure message B is solved, it is not necessary to deal with the failure of the failure message C.

  The correlation rule generation unit 6 transmits the generated rule to the correlation application unit 7. The correlation rule application unit 7 applies the correlation rules received from the correlation rule generation unit 6 to failure messages that are sequentially stored in the storage unit 9. As a result, the failure message for notifying the failure derived from the main cause is partially deleted.

  The correlation rule application unit 7 transmits the failure message after applying the correlation rule to the failure message accumulated in the storage unit 9 to the display unit 8. The display unit 8 displays a failure message received from the correlation rule application unit 7. The failure message displayed on the display unit 8 relates to the failure of the main cause, and the display of the message related to the failure derived from the main cause is reduced.

  When the information processing apparatus according to the present embodiment receives a plurality of failure messages from a plurality of network devices, the information processing apparatus extracts a failure type as a determination target of whether or not there is a relationship, A score corresponding to the connection relationship of the network device in which the error occurred and the date and time of failure occurrence is performed, and a correlation rule is generated based on the result. Since the correlation rule regarding the failure is generated from the information of the failure message, the administrator does not need to create the correlation rule manually, and the load of the rule creation operation is reduced.

  In addition, even if a failure that the administrator does not expect occurs, messages related to failures other than the main cause are reduced by the generated correlation rules, so the administrator must respond quickly to the main cause of the failure that has occurred. Is possible.

  In addition, as shown in FIG. 6, by recording pair information according to the type of failure, when there are three or more phenomena in which two types of failures occur within t1, the score becomes 3 points. It becomes possible to detect the relevance of. Since the number of hops between two devices is 4 or more, the score based on the determination of the connection relationship between the devices is zero, and even if no rules are generated by one execution of the procedure shown in FIG. A rule is generated that deletes the message of the derived failure for the failure that occurs in connection with the above.

  In the present embodiment, when the score accumulating unit 5 groups a plurality of failure messages in the storage unit 9, the failure messages within a predetermined time t1 from the failure occurrence date and time of the reference failure message are grouped into the same group. However, the method of dividing the time when grouping is not limited to this case. Failure messages within a predetermined time t1 before the failure occurrence date and time of the reference failure message may be combined into the same group. In this case, the message having the oldest failure date and time within the same group may be used as the parent message, and the process may be executed in the same manner as described above.

  Further, the correlation rule generation unit 6 selects a pair of reference points or more when generating the correlation rule, but the method of selecting a pair is not limited to this case. When the correlation generation unit 6 extracts a plurality of pairs from a plurality of failure messages recorded in a certain period, the correlation generation unit 6 sorts the plurality of pairs in the order of the total points, and starts from the top pair of the total points. A pair within a certain order may be selected.

It is a block diagram which shows the example of 1 structure of the failure management apparatus of this embodiment. It is a figure which shows an example of the structure by which the failure management apparatus shown in FIG. 1 was connected to the network. It is a table | surface which shows the example of a failure message. It is a figure for demonstrating the distance between apparatuses. It is a flowchart which shows the operation | movement procedure of a score integrating | accumulating part. It is a figure for demonstrating the parent-child relationship and scoring method of a message. It is another figure for demonstrating the parent-child relationship and scoring method of a message. It is a table | surface which shows an example of the produced | generated correlation rule.

Explanation of symbols

1 Failure management device 3 Control unit 9 Storage unit

Claims (8)

An information processing device connected via a network to a plurality of data transfer devices assigned different identifiers for each device,
A storage unit storing network configuration information indicating a connection relationship between the plurality of data transfer devices;
When a failure message including information on the identifier, the date and time of failure occurrence and the type of failure is received from the plurality of data transfer devices, these messages are stored in the storage unit, and two failure messages of the plurality of failure messages are stored. If the failure occurrence date / time is within a predetermined time, a predetermined score is given to the two failure messages, and a hop between the two devices that are the transmission source of the two failure messages with reference to the network configuration information The smaller the number of hops, the larger the score is added to the score of the two failure messages. The larger the total score is, the higher the relevance of the two failure messages is determined. When a failure of the type indicated by each of the two failure messages occurs in the failure occurrence order of the two failure messages, A control unit for determining whether to generate rules to the effect to remove the di,
An information processing apparatus. The controller is
The information processing apparatus according to claim 1, wherein the rule is generated when the total value is equal to or greater than a preset reference point, and the rule is not generated when the total value is smaller than the reference point. The controller is
When a plurality of pairs of the two failure messages are extracted for a plurality of failure messages recorded in the storage unit during a certain period, and the plurality of pairs are arranged in descending order of the total value, The information processing apparatus according to claim 1, wherein the rule is generated for two failure messages included in each upper pair. The controller is
The information processing according to any one of claims 1 to 3, wherein when the rule is not generated, information on the type of failure indicated by each of the two failure messages is paired and a score is recorded corresponding to the pair. apparatus. An information processing method for monitoring a plurality of data transfer devices provided in a network and assigned different identifiers for each device,
Holding network configuration information indicating a connection relationship of the plurality of data transfer devices;
When a failure message including information on the identifier, failure occurrence date and time, and failure type is received from the plurality of data transfer devices, these messages are recorded,
If the failure occurrence date and time of two failure messages among the plurality of recorded failure messages is within a predetermined time, a predetermined score is given to the two failure messages,
Referring to the network configuration information, the number of hops between the two devices that are the transmission sources of the two failure messages is examined, and the smaller the number of hops, the larger the score is added to the score of the two failure messages;
It is determined that the relationship between the two failure messages is higher as the total value of the points is larger, and the types of failures indicated by the two failure messages within the predetermined time are in the failure occurrence order of the two failure messages. An information processing method for determining whether or not to generate a rule to delete a message whose order is later when it occurs.   The information processing method according to claim 5, wherein the rule is generated when the total value is greater than or equal to a preset reference point, and the rule is not generated when the total value is smaller than the reference point.   When a plurality of pairs of the two failure messages are extracted for a plurality of failure messages recorded in the storage unit during a certain period, and the plurality of pairs are arranged in descending order of the total value, The information processing method according to claim 5, wherein the rule is generated for two failure messages included in each upper pair.   The information processing according to any one of claims 5 to 7, wherein when the rule is not generated, information on a type of failure indicated by each of the two failure messages is paired and a score is recorded corresponding to the pair. Method.

Images