JP2011128915A - Log collection device and log collection method thereof, log collection system and log collection method thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce a traffic load, etc., during log collection by improving log compression efficiency. <P>SOLUTION: A mask data generating part 220 generates mask data 103 representing a part that is common to a log record. A mask processing part 230 masks each log record in a log file 101 with the mask data 103 to generate a mask log file 104. A compression processing part 240 compresses the mask log file 104 to generate a compression log file 106. A log transmitting part 250 transmits the compression log file 106 and the mask data 103. A decompression processing part 320 decompresses the compression log file 106 to obtain the mask log file 104. A mask decompressing part 340 uses the mask data 103 to restore the log file 101 from the mask log file 104. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a log collection device for collecting logs, a log collection method for a log collection device, a log collection system, and a log collection method for a log collection system.

  In the conventional log collection method, there is a mechanism that improves the compression efficiency of the log by switching the compression method depending on the data format (format) of the log and reduces the traffic load at the time of log collection.

JP-A-10-84484

Since the conventional method switches the compression method according to the data format of the log, the compression method does not switch when the optimum compression method differs for each log even in the same data format.
Further, in order to obtain an optimal compression method for each log, it is necessary to select an optimal compression method after data analysis of the log every time, which causes CPU load and processing time due to analysis processing.

  An object of the present invention is, for example, to improve log compression efficiency and reduce traffic load and the like during log collection.

The log collection device of the present invention
A mask data storage unit for storing mask data indicating partial data common to a plurality of logs indicating processing performed by the computer;
A log input section for inputting logs;
And a mask log generation unit configured to generate, as a mask log, a log in which the partial data is omitted based on the log input to the log input unit and the mask data stored in the mask data storage unit.

  According to the present invention, for example, the compression efficiency of a log (mask log) can be increased and the traffic load at the time of log collection can be reduced.

1 is a configuration diagram of a log monitoring system 100 according to Embodiment 1. FIG. FIG. 3 is a diagram illustrating an example of hardware resources of the log monitoring system 100 according to the first embodiment. FIG. 3 is a sequence diagram showing a mask data generation process in the first embodiment. FIG. 4 is a diagram showing a data format of a log file in the first embodiment. FIG. 6 is a schematic diagram of mask data generation processing (S131) in the first embodiment. FIG. 4 is a sequence diagram showing a mask log generation process in the first embodiment. FIG. 5 is a schematic diagram of mask processing (S152) in the first embodiment. FIG. 4 is a sequence diagram illustrating a log restoration / analysis process according to the first embodiment. FIG. 3 is a schematic diagram of mask release processing (S181) in the first embodiment. 6 is a data flow between the log collection client device 200 and the log collection server device 300 according to the first embodiment. FIG. 9 is a sequence diagram showing a mask data generation process in the second embodiment. FIG. 10 is a schematic diagram of a multiple mask data generation process (S131B) in the second embodiment. FIG. 11 is a sequence diagram showing a mask log generation process in the second embodiment. Schematic diagram of mask processing by mask (S152B) in the second embodiment. FIG. 11 is a sequence diagram illustrating a log restoration / analysis process according to the second embodiment. FIG. 11 is a sequence diagram showing a mask data generation process in the third embodiment. FIG. 10 is a schematic diagram of mask data generation processing (S131C) in the third embodiment. FIG. 10 is a sequence diagram showing a mask log generation process in the third embodiment. FIG. 10 is a sequence diagram illustrating a log restoration / analysis process according to the third embodiment.

Embodiment 1 FIG.
A mode of reducing the log file data size by omitting the common part of the log will be described.

FIG. 1 is a configuration diagram of a log monitoring system 100 according to the first embodiment.
The configuration of the log monitoring system 100 according to the first embodiment will be described below with reference to FIG.

The log monitoring system 100 includes a log collection system 110, a monitoring target system 120, and a log monitoring device 130.
In the log monitoring system 100, the log collection system 110 collects logs of the monitoring target system 120, and the log monitoring apparatus 130 analyzes the logs collected by the log collection system 110 and monitors the monitoring target system 120.
The log collection system 110, the monitoring target system 120, and the log monitoring device 130 transmit and receive data to and from each other via a communication network.

The monitoring target system 120 is a computer system having one computer (computer) or a plurality of computers. The illustration of the computer is omitted.
Each computer includes a business application unit 121 that executes predetermined business processing (data processing, information processing).
The business application unit 121 executes the business process and records information about the executed business process (an example of a log) as a “log record 102”. For example, processing information such as processing time, processing data identification information, and processing content is set in the log record 102.

Hereinafter, a file in which a plurality of log records 102 (business process history) is recorded is referred to as a “log file”. In particular, a log file generated by the business application unit 121 is referred to as a “master log file 109”, and a log file including a part (or all) of the log records 102 included in the master log file 109 is referred to as “log file 101 "
The business application unit 121 records the log record 102 in the master log file 109. The master log file 109 is stored in a storage unit (not shown) of each computer.

  The log collection system 110 includes a log collection client device 200 and a log collection server device 300.

  The log collection client device 200 is a device that collects logs of the monitoring target system 120 and compresses the collected logs.

  The log collection client device 200 includes a log acquisition agent unit 210 (an example of a log input unit), a mask data generation unit 220 (an example of a mask data generation unit), a mask processing unit 230 (an example of a mask log generation unit), and a compression processing unit. 240 (an example of a mask log compression unit and a mask log selection unit), a log transmission unit 250 (an example of a mask log transmission unit), and a client storage unit (an example of a mask data storage unit) (not shown).

  The log acquisition agent unit 210 acquires the log file 101 from the log collection server device 300.

The mask data generation unit 220 extracts partial data common to the plurality of log records 102 from the plurality of log records 102 acquired by the log acquisition agent unit 210 and included in the log file 101.
For example, the mask data generation unit 220 includes the log record 102 included in the log file 101 newly acquired by the log acquisition agent unit 210 and the log record 102 included in the log file 101 previously acquired by the log acquisition agent unit 210. Common partial data is extracted from (an example of a plurality of logs).
The mask data generation unit 220 generates “mask data 103” indicating the extracted partial data.

Based on the log record 102 and the mask data 103 included in the log file 101, the mask processing unit 230 generates the log record 102 from which the partial data indicated by the mask data 103 is omitted as the “mask log record 105”.
For example, the mask processing unit 230 replaces the partial data with a predetermined value (for example, a null value or a space), or deletes the partial data and omits the partial data.
The mask processing unit 230 generates a file including a plurality of mask log records 105 as the “mask log file 104”.

The compression processing unit 240 compresses the mask log file 104 by a predetermined method.
Hereinafter, the compressed mask log file 104 is referred to as a “compressed log file 106”.

  The log transmission unit 250 transmits the mask data 103 and the compressed log file 106 to the log collection server device 300.

The client storage unit stores data used in the log collection client device 200. It is assumed that input data and generated data of each “˜unit” of the log collection client device 200 are stored in the client storage unit.
The log file 101, the mask data 103, the mask log file 104, and the compressed log file 106 are examples of data stored in the client storage unit.

  The log collection server device 300 is a device that manages the log (compressed log file 106) compressed by the log collection client device 200 and decompresses the log.

  The log collection server device 300 includes a log reception unit 310 (an example of a mask log reception unit), a decompression processing unit 320 (an example of a mask log decompression unit), a mask data management unit 330, and a mask release unit 340 (an example of a log restoration unit). And a log providing agent unit 350 and a server storage unit (not shown).

  The log receiving unit 310 receives the mask data 103 and the compressed log file 106 from the log collection client device 200.

  The decompression processing unit 320 obtains the mask log file 104 by decompressing the compressed log file 106 by a predetermined method.

  The mask data management unit 330 manages the mask data 103 using the server storage unit.

  The mask release unit 340 restores the log file 101 by setting partial data indicated by the mask data 103 in each of the plurality of mask log records 105 included in the mask log file 104.

  The log providing agent unit 350 provides the log file 101 to the log monitoring device 130.

The server storage unit stores data used in the log collection server device 300. It is assumed that input data and generated data of each “˜unit” of the log collection server device 300 are stored in the server storage unit.
The mask data 103, the compressed log file 106, the mask log file 104, and the log file 101 are examples of data stored in the server storage unit.

  The log monitoring device 130 includes a log analysis unit 131.

  The log analysis unit 131 acquires the log file 101 from the log collection server device 300, analyzes the log file 101 by a predetermined method, and outputs an analysis result.

The configuration of the log monitoring system 100 is not limited to the configuration shown in FIG. For example, the log monitoring system 100 may be configured as follows.
A plurality of monitoring target systems 120 may exist.
When there are a plurality of monitoring target systems 120, the log collection client device 200 may be provided for each monitoring target system 120.
The log collection client device 200 and the log collection server device 300 may be a single device (log collection device).
The log monitoring device 130 and the log collection server device 300 may be a single device.

  In the following description, it is assumed that there are a plurality of monitoring target systems 120 in the log monitoring system 100 and the log collection client device 200 exists for each monitoring target system 120.

FIG. 2 is a diagram illustrating an example of hardware resources of the log monitoring system 100 according to the first embodiment.
2, the computer of the log collection client device 200, the log collection server device 300, the log monitoring device 130, and the monitoring target system 120 includes a CPU 911 (Central Processing Unit) (also referred to as a microprocessor or a microcomputer). . The CPU 911 is connected to the ROM 913, the RAM 914, the communication board 915, the display device 901, the keyboard 902, the mouse 903, the drive device 904, and the magnetic disk device 920 via the bus 912, and controls these hardware devices. The drive device 904 is a device that reads and writes a storage medium such as an FD (Flexible Disk Drive), a CD (Compact Disc), and a DVD (Digital Versatile Disc).

  The communication board 915 is wired or wirelessly connected to a communication network such as a LAN (Local Area Network), the Internet, or a telephone line.

  The magnetic disk device 920 stores an OS 921 (operating system), a window system 922, a program group 923, and a file group 924.

  The program group 923 includes programs that execute the functions described as “units” in the embodiment. The program is read and executed by the CPU 911. That is, the program causes the computer to function as “to part”, and causes the computer to execute the procedures and methods of “to part”.

  The file group 924 includes various data (input, output, determination result, calculation result, processing result, etc.) used in “˜part” described in the embodiment.

  In the embodiment, arrows included in the configuration diagrams, sequence diagrams, and flowcharts mainly indicate input and output of data and signals.

  In the embodiment, what is described as “to part” may be “to circuit”, “to apparatus”, and “to device”, and “to step”, “to procedure”, and “to processing”. May be. That is, what is described as “to part” may be implemented by any of firmware, software, hardware, or a combination thereof.

  Next, the log monitoring method (log collection method) of the log monitoring system 100 will be described by dividing it into a mask data generation process, a mask log generation process, and a log restoration / analysis process.

First, the outline of each process will be described.
In the mask data generation step, the log collection client device 200 generates mask data 103 that masks the log records 102 included in the log file 101 of the monitoring target system 120. Then, the mask data 103 generated by the log collection client device 200 is notified to the log collection server device 300.
In the mask log generation process, the log collection client device 200 masks the log record 102 included in the log file 101 of the monitoring target system 120 with the mask data 103. Further, the log collection client device 200 compresses the log file 101 (mask log file 104) including the masked log record 102. Then, the log collection client device 200 notifies the log collection server device 300 of the mask log file 104 compressed as the compressed log file 106.
In the log restoration / analysis process, the log collection server device 300 decompresses the compressed log file 106 to obtain the mask log file 104. Further, the log collection server device 300 restores the log file 101 from the mask log file 104 using the mask data 103. Then, the log collection server device 300 notifies the log monitoring device 130 of the log file 101, and the log monitoring device 130 analyzes the log file 101.

  Next, details of each step will be described.

FIG. 3 is a sequence diagram showing a mask data generation process in the first embodiment.
The process flow of the mask data generation process in the first embodiment will be described below with reference to FIG.

In S110, the business application unit 121 of the monitoring target system 120 executes a business process requested by the user or a business process scheduled in advance.
Further, each time the business application unit 121 executes a business process, the business application unit 121 records a log record 102 indicating the executed business process in the master log file 109. The business application unit 121 generates a new master log file 109 when the log records 102 of a predefined size or number of records are recorded in the master log file 109. The business application unit 121 performs generation management for each generated master log file 109.

FIG. 4 is a diagram illustrating a data format of the log file according to the first embodiment.
The master log file 109 (and log file 101) in the first embodiment will be described below with reference to FIG.

The master log file 109 includes a plurality of log records 102, and “date”, “time”, “class name”, and “message” are set in each log record 102.
“Date” and “Time” indicate the execution date and time of the business process, “Class name” indicates the identification name of the business process, and “Message” indicates the progress and result of the business process.
However, the data format (also referred to as format) of the master log file 109 is not limited to the format shown in FIG.

  Returning to FIG. 3, the description of the mask data generation process will be continued.

  After S110, the process proceeds to S120.

In S120, the log acquisition agent unit 210 of the log collection client device 200 acquires the log file 101 from the monitoring target system 120 at an interval scheduled in advance. The log file 101 includes log records 102 recorded after the previous log file acquisition among a plurality of log records 102 recorded in the master log file 109.
After S120, the process proceeds to S130.

In S <b> 130, the log acquisition agent unit 210 delivers the acquired log file 101 to the mask data generation unit 220.
After S130, the process proceeds to S131.

  In S131, the mask data generation unit 220 acquires the log file 101 from the log acquisition agent unit 210, and stores the acquired log file 101 in the client storage unit. In addition to the newly stored log file 101, the log file 101 stored in the past is stored in the client storage unit. The mask data generation unit 220 may delete unnecessary generation log files 101 from the client storage unit.

Further, the mask data generation unit 220 generates new mask data 103 at a predetermined timing as follows.
For example, the mask data generation unit 220 generates the mask data 103 every time the log file 101 is acquired from the log acquisition agent unit 210.
Further, for example, the mask data generation unit 220 periodically generates the mask data 103.
Further, for example, the mask data generation unit 220 generates the mask data 103 when receiving a request from the system administrator.
Further, for example, the mask data generation unit 220 refers to the schedule information of the business process and generates the mask data 103 when the business process is switched. It is assumed that business process schedule information is stored in the client storage unit in advance.

  The mask data generation unit 220 generates new mask data 103 as follows.

The mask data generation unit 220 extracts the log record 102 a from the latest generation log file 101 and extracts the log record 102 b from the old generation log file 101.
For example, the mask data generation unit 220 extracts the first record from the latest generation log file 101 as the log record 102a. Also, the mask data generation unit 220 refers to the business process schedule information, and extracts the log record 102b indicating the same business process as the log record 102a from the log file 101 of the previous generation.

  Next, the mask data generation unit 220 identifies a portion common to the latest generation log record 102a and the old generation log record 102b.

Then, the mask data generation unit 220 extracts the specified common part from the latest generation or old generation log record 102, and generates mask data 103 indicating the extracted common part. The mask data 103 represents the data format of the log record 102 and the common part of the log record 102.
The mask data generation unit 220 stores the mask data 103 in the client storage unit.

FIG. 5 is a schematic diagram of the mask data generation process (S131) in the first embodiment.
The mask data generation process (S131) in the first embodiment will be described below based on FIG.

In the latest generation log record 102a and the old generation log record 102b, the date and time colon “:” and the front part “jp...” Of the class name match (common). Also, the hour, minute, second “hh _x ”, “mm _x ”, “ss _x ”, the rear part “class _x ” of the class name, and the message “message _x ” do not match.

The mask data generation unit 220 sets data obtained by logical product of the log record 102 a and the log record 102 b as mask data 103. In the first embodiment, the logical product of the matching part is “true”, and the logical product of the mismatching part is “false”.
In the mask data 103, the data of the log record 102a (and the log record 102b) is set in a portion corresponding to a portion where the logical product is “true” (date, time colon, and front portion of the class name). In the mask data 103, empty data (for example, NULL) is set in a portion corresponding to a portion in which the logical product is “false” (hour hour minute minute second, class name rear portion, message).

  Generally, the same type of business processing is executed collectively. That is, a specific type of business process is often executed in a specific time zone. Also, the same type of business process is recorded in the log record 102 having the same pattern. For this reason, it is considered that the data set in the mask data 103 (excluding empty data) is common to other log records 102 of the latest generation. That is, the mask data 103 is data representing a fixed pattern of the log record 102 in the time zone.

  Returning to FIG. 3, the description of the mask data generation process will be continued.

  After the new mask data 103 is generated in S131, the process proceeds to S132.

In S <b> 132, the mask data generation unit 220 delivers the newly generated mask data 103 to the log transmission unit 250.
After S132, the process proceeds to S133.

In S133, the log transmission unit 250 acquires the mask data 103 from the mask data generation unit 220, and transmits the acquired mask data 103 to the log collection server device 300.
After S133, the process proceeds to S140.

In S <b> 140, the log receiving unit 310 of the log collection server device 300 receives the mask data 103 from the log collection client device 200, and transfers the received mask data 103 to the mask data management unit 330.
Further, the log receiving unit 310 passes the identifier of the log collection client device 200 that has transmitted the mask data 103 to the mask data management unit 330. The identifier of the log collection client device 200 may be transmitted by the log transmission unit 250 together with the mask data generation unit 220, or may be generated by the log reception unit 310 for each log collection client device 200. Further, the identifier of the log collection client device 200 included in the session information (for example, Cookie) exchanged when starting communication between the log transmission unit 250 and the log reception unit 310 may be used.
Hereinafter, the identifier of the log collection client device 200 is referred to as “client identifier”.
After S140, the process proceeds to S141.

In S141, the mask data management unit 330 acquires the mask data 103 and the client identifier from the log receiving unit 310, and stores the mask data 103 and the client identifier in the server storage unit in association with each other. At this time, if the mask data 103 of the log collection client device 200 is already stored, the mask data management unit 330 updates (replaces) the stored mask data 103 with the newly acquired mask data 103.
By S141, the mask data generation process ends.

FIG. 6 is a sequence diagram showing a mask log generation step in the first embodiment.
The process flow of the mask log generation process in the first embodiment will be described below with reference to FIG.

  S110 and S120 are the same as the mask data generation step (see FIG. 3).

In S150, the log acquisition agent unit 210 of the log collection client device 200 passes the log file 101 acquired from the monitoring target system 120 to the mask processing unit 230.
After S150, the process proceeds to S151.

In S151, the mask processing unit 230 acquires the log file 101 from the log acquisition agent unit 210.
Further, the mask processing unit 230 acquires the mask data 103 generated by the mask data generation unit 220 from the client storage unit.
After S151, the process proceeds to S152.

In S <b> 152, the mask processing unit 230 masks (omits) the common portion indicated by the mask data 103 in each log record 102 included in the log file 101.
Hereinafter, the log record 102 with the common part masked is referred to as “mask log record 105”, and the log file composed of the plurality of mask log records 105 is referred to as “mask log file 104”.

FIG. 7 is a schematic diagram of mask processing (S152) in the first embodiment.
The mask process (S152) in the first embodiment will be described below with reference to FIG.

As shown in FIG. 5, the log record 102a includes a common part (part which is not empty data) shown in the mask data 103.
The mask processing unit 230 performs exclusive OR of the log record 102a and the mask data 103. A record obtained by taking an exclusive OR of the log record 102a and the mask data 103 is a mask log record 105a corresponding to the log record 102a. In the first embodiment, the exclusive OR of matching parts is “false”, and the logical product of mismatching parts is “true”.
In the mask log record 105a, empty data is set in a portion where the exclusive OR is “false” (date, time colon, class name front). Further, in the mask log record 105a, the data of the log record 102a is set in a portion where the exclusive OR is “true” (time hour minute minute second, class name rear part, message).

The mask processing unit 230 generates a mask log record 105 for each of the plurality of log records 102 in the log file 101.
When the log record 102 and the common part indicated by the mask data 103 do not match, the exclusive OR of the part is “true”, and the data of the log record 102 is set in the part of the mask log record 105. .

  Returning to FIG. 6, the description of the mask log generation process will be continued.

  After S152, the process proceeds to S153.

In S153, the mask processing unit 230 transfers the mask log file 104 to the compression processing unit 240.
After S153, the process proceeds to S160.

In S160, the compression processing unit 240 acquires the mask log file 104 from the mask processing unit 230, and compresses the acquired mask log file 104 using a predetermined compression algorithm (processing procedure). The existing compression algorithm may be used.
Since the mask log file 104 is a file in which the common part of the log record 102 is omitted, the mask log file 104 is compressed to a data size smaller than that of the log file 101.
Hereinafter, a file obtained by compressing the mask log file 104 is referred to as a “compressed log file 106”.
After S160, the process proceeds to S161.

In S <b> 161, the compression processing unit 240 transfers the compressed log file 106 to the log transmission unit 250.
After S161, the process proceeds to S162.

In S <b> 162, the log transmission unit 250 acquires the compressed log file 106 from the compression processing unit 240 and transmits the acquired compressed log file 106 to the log collection server device 300.
After S162, the process proceeds to a log restoration / analysis process.

FIG. 8 is a sequence diagram illustrating a log restoration / analysis process according to the first embodiment.
A flow of processing of the log restoration / analysis process in the first embodiment will be described below with reference to FIG.

In S <b> 170, the log receiving unit 310 of the log collection server device 300 receives the compressed log file 106 from the log collection client device 200, and decompresses the received compressed log file 106 and the client identifier of the log collection client device 200. Pass to.
After S170, the process proceeds to S171.

In S171, the decompression processing unit 320 acquires the compressed log file 106 and the client identifier from the log receiving unit 310, and decompresses the acquired compressed log file 106 using a predetermined decompression algorithm. The decompression algorithm is an algorithm corresponding to the compression algorithm of the compression log file 106. For example, it is assumed that the compression algorithm and the decompression algorithm are determined in advance. Also, a plurality of decompression algorithms are prepared in the log collection server device 300, the compression algorithm used by the log collection client device 200 is notified to the log collection server device 300, and the log collection server device 300 is notified of the compression algorithm notified. A corresponding decompression algorithm may be selected.
The mask log file 104 is obtained by decompressing the compressed log file 106.
After S171, the process proceeds to S172.

In S <b> 172, the decompression processing unit 320 passes the mask log file 104 obtained by decompressing the compressed log file 106 and the client identifier acquired from the log receiving unit 310 to the mask release unit 340.
After S172, the process proceeds to S180.

In S180, the mask canceling unit 340 acquires the mask log file 104 and the client identifier from the decompression processing unit 320.
Then, the mask release unit 340 requests the mask data management unit 330 for the mask data 103 corresponding to the acquired client identifier. The mask data management unit 330 acquires the requested mask data 103 from the server storage unit, and transfers the acquired mask data 103 to the mask release unit 340.
After S180, the process proceeds to S181.

In S <b> 181, the mask release unit 340 uses the mask data 103 to release the mask of the mask log file 104.
The log file 101 is restored by releasing the mask of the mask log file 104.

FIG. 9 is a schematic diagram of mask release processing (S181) in the first embodiment.
The mask release process (S181) in the first embodiment will be described below with reference to FIG.

The mask release unit 340 performs an exclusive OR of the mask log record 105a and the mask data 103. A record obtained by taking an exclusive OR of the mask log record 105a and the mask data 103 is a log record 102a corresponding to the mask log record 105a.
In the log record 102a, the data value of the mask log record 105a (excluding empty data) and the data value of the mask data 103 (excluding empty data) are set.

The mask release unit 340 restores the log record 102 for each of the plurality of mask log records 105 in the mask log file 104.
When the data setting part (part other than empty data) of the mask log record 105 and the data setting part of the mask data 103 overlap, the data of the mask log record 105 is set in the part of the log record 102.

  Returning to FIG. 8, the description of the log restoration / analysis process is continued.

  After S181, the process proceeds to S182.

In S <b> 182, the mask release unit 340 delivers the log file 101 and the client identifier to the log providing agent unit 350.
After S182, the process proceeds to S183.

In step S183, the log providing agent unit 350 acquires the log file 101 and the client identifier from the mask release unit 340, and transmits the log file 101 and the client identifier to the log monitoring apparatus 130.
For example, the log providing agent unit 350 transmits the log file 101 and the client identifier to the log monitoring device 130 at the following timing.
Every time the log file 101 and the client identifier are acquired from the mask release unit 340.
The log file 101 acquired from the mask release unit 340 is accumulated, and the accumulated log file 101 is periodically transmitted in association with the client identifier.
The log monitoring device 130 requests the log file 101 from the log providing agent unit 350 when receiving a request from the administrator, and the log providing agent unit 350 receives the log file 101 and the client identifier when receiving a request from the log monitoring device 130. And send.
After S183, the process proceeds to S190.

In S190, the log analysis unit 131 of the log monitoring device 130 receives the log file 101 and the client identifier from the log collection server device 300, analyzes the received log file 101 with a predetermined algorithm, and outputs an analysis result.
For example, the log analysis unit 131 extracts the log record 102 in which the abnormal message is set from the log file 101, and displays the extracted log record 102 and the client identifier as failure information.
Through S190, the log restoration / analysis process ends.

FIG. 10 is a data flow between the log collection client device 200 and the log collection server device 300 according to the first embodiment.
The data flow between the log collection client device 200 and the log collection server device 300 will be described below with reference to FIG.

  As described above, the log collection client device 200 updates the mask data 103 at a predetermined timing (S131), and notifies the log collection server device 300 of the updated mask data 103 (S133).

The log collection server device 300 restores the compressed log files 106b to 106d transmitted from when the mask data 103a is notified until the next mask data 103b is notified using the mask data 103a.
Further, the log collection server device 300 restores the compressed log file 106e transmitted after the notification of the mask data 103b using the mask data 103b.

  In the first embodiment, for example, the following log collection system 110 has been described.

  The first embodiment is a technique related to system operation management monitoring, and particularly relates to a system that collects log information for the purpose of identifying and detecting a failure of a system / business application / service and analyzes the collected log information. .

  The log collection system 110 utilizes the feature that information of a fixed pattern is output over a certain period as a feature of the log, improves log compression efficiency, and reduces traffic load at the time of log collection.

The log collection system 110 extracts the common part of the log that does not change over a certain period from the log information of the monitoring target application, and creates log mask data. The log monitoring system 100 increases the log compression efficiency by masking the common part of the log.
The log collection system 110 is characterized by acquiring original log information by compressing and decompressing collected log information and restoring the information by mask data.
The log collection system 110 reduces the data transfer amount at the time of log collection by exchanging mask data between the client side and the server side only at the time of switching the mask data.

The log collection client device 200 includes a log acquisition agent unit 210, a mask data generation unit 220, a mask processing unit 230, a compression processing unit 240, and a log transmission unit 250.
The log acquisition agent unit 210 monitors the log (log file 101) output from the business application unit 121.
The mask data generation unit 220 extracts a fixed pattern from the log information and creates mask data.
The mask processing unit 230 performs a mask process on the log information.
The compression processing unit 240 performs a compression process on the log information (mask log file 104) after masking.
The log transmission unit 250 transmits mask data and compressed log information.

The log collection server device 300 includes a log receiving unit 310, a decompression processing unit 320, a mask release unit 340, and a log providing agent unit 350.
The log receiving unit 310 receives mask data and compressed log information.
The decompression processing unit 320 decompresses the compressed log information.
The mask release unit 340 restores the original log information using the mask data.
The log providing agent unit 350 outputs the restored log information.

The log monitoring device 130 includes a log analysis unit 131.
The log analysis unit 131 inputs log information and analyzes the input log information to detect whether an abnormality or the like has occurred.

  By reviewing the mask data for each specific period, it is possible to increase the compression efficiency of log data and reduce the traffic load during log collection.

The mask data generation unit 220 may generate mask data 103 indicating a portion common to a plurality of log records 102 included in the same log file 101 instead of the multiple generation log records 102.
The mask data generation unit 220 may generate mask data 103 indicating a portion common to three or more log records 102 instead of the two log records 102.
The mask data 103 may be defined by an administrator (user).

Embodiment 2. FIG.
A mode will be described in which a plurality of types of mask data are prepared, a plurality of compressed log files are generated using the plurality of types of mask data, and a compressed log file having a small data size is employed.
Hereinafter, items different from the first embodiment will be mainly described. Matters whose description is omitted are the same as those in the first embodiment.

  The configuration of the log monitoring system 100 is the same as that of the first embodiment (see FIG. 1).

The mask data generation unit 220 groups a plurality of log records 102 in the log file 101 into a plurality of groups based on a predetermined condition, and generates mask data 103 for each group.
The mask processing unit 230 generates a file including a plurality of mask log records 105 corresponding to the plurality of log records 102 as the mask log file 104 for each of a plurality of mask data generated by the mask data generation unit 220.
The compression processing unit 240 compresses the plurality of mask log files 104 generated by the mask processing unit 230 by a predetermined method.
The compression processing unit 240 selects the mask log file 104 based on the data size of each of the compressed mask log files 104.

The decompression processing unit 320 decompresses the mask log file 104 selected by the compression processing unit 240 by a predetermined method.
The mask release unit 340 sets a plurality of pieces of partial data indicated by the mask data 103 corresponding to the mask log file 104 in each of the plurality of mask log records 105 in the mask log file 104 decompressed by the decompression processing unit 320. The log record 102 is restored.

FIG. 11 is a sequence diagram showing a mask data generation step in the second embodiment.
The process flow of the mask data generation process in the second embodiment will be described below with reference to FIG.

S110 to S130 are the same as those in the first embodiment (see FIG. 3).
S131B to S141B are processes corresponding to S131 to S141 described in the first embodiment.
Hereinafter, items different from S131 to S141 of the first embodiment will be mainly described with respect to S131B to S141B.

In S131B, the mask data generation unit 220 acquires the log file 101 from the log acquisition agent unit 210, and stores the acquired log file 101 in the client storage unit.
The mask data generation unit 220 groups the plurality of log records 102 in the acquired log file 101 according to a predetermined rule. For example, the mask data generation unit 220 groups a plurality of log records 102 for each value set in a predetermined part.
The mask data generation unit 220 generates mask data 103 for each group of the log records 102 and sets a mask data identifier for each mask data 103.
The mask data generation unit 220 stores the mask data 103 of each group in the client storage unit.
The generation timing and generation method of the mask data 103 are the same as those in the first embodiment (S131).

FIG. 12 is a schematic diagram of the multiple mask data generation process (S131B) in the second embodiment.
The multiple mask data generation process (S131B) in the second embodiment will be described below with reference to FIG.

The mask data generation unit 220 groups a plurality of log records 102 included in the log file 101 by class name “jp.co.MElectric.App.xxx”. As a result, the plurality of log records 102 are divided into a group A in which the last class name (“xxx” portion) is “Nagokoi” and a group B in which the last class name is “Redblack”.
The mask data generation unit 220 generates mask data 103 </ b> A representing the group A fixed pattern and mask data 103 </ b> B representing the group B fixed pattern. The last class name of the mask data 103A is “Nogokoi”, and the last class name of the mask data 103B is “Redblack”.

  Returning to FIG. 11, the description of the mask data generation process will be continued.

  After S131B, the process proceeds to S132B.

In S <b> 132 </ b> B, the mask data generation unit 220 delivers the plurality of mask data 103 to the log transmission unit 250.
In S133B, the log transmission unit 250 transmits the plurality of mask data 103 to the log collection server device 300.
In S140B, the log reception unit 310 of the log collection server device 300 notifies the mask data management unit 330 of the plurality of mask data 103 and the client identifier.
In S141B, the mask data management unit 330 stores the plurality of mask data 103 and the client identifier in association with each other in the server storage unit. Each of the plurality of mask data 103 is identified by a mask data identifier.

FIG. 13 is a sequence diagram illustrating a mask log generation process according to the second embodiment.
The flow of the process of the mask log generation process in the second embodiment will be described below based on FIG.

S110, S120, and S150 are the same as those in the first embodiment (see FIG. 6).
S151B to S162B are processes corresponding to S151 to S162 described in the first embodiment.
Hereinafter, matters different from S151 to S162 of the first embodiment will be mainly described with respect to S151B to S162B.

In S151B, the mask processing unit 230 acquires a plurality of mask data 103 generated by the mask data generation unit 220 from the client storage unit.
After S151B, the process proceeds to S152B.

In S <b> 152 </ b> B, the mask processing unit 230 generates a mask log file 104 for each mask data 103.
For example, when the mask data 103A and the mask data 103B exist, the mask processing unit 230 generates the mask log file 104A by masking the log file 101 with the mask data 103A, and masks the log file 101 with the mask data 103B. The mask log file 104B is generated.

FIG. 14 is a schematic diagram of mask processing for each mask (S152B) in the second embodiment.
The mask processing for each mask (S152B) in the second embodiment will be described below with reference to FIG.

It is assumed that the log file 102 includes a log record 102 a whose class name is “jp... Nagakoi”.
In addition, the class name of the mask data 103A is “jp... Nagakoi”, and the class name of the mask data 103B is “jp... Redblack”.

The mask processing unit 230 takes the exclusive OR of the log record 102a and the mask data 103A to generate the mask log record 105A. Since the class name of the log record 102a matches the class name of the mask data 103A, empty data is set in the class name of the mask log record 105A.
Further, the mask processing unit 230 generates the mask log record 105B by taking the exclusive OR of the log record 102a and the mask data 103B. Since the end part “Nagokoi” of the class name of the log record 102a does not match the end part “Redblack” of the class name of the mask data 103B, the value “ “Nagokoi” is set.

  The mask processing unit 230 generates a mask log record 105A and a mask log record 105B for each of the plurality of log records 102 included in the log file 101.

  Returning to FIG. 13, the description of the mask log generation process will be continued.

  After S152B, the process proceeds to S153B.

In S153B, the mask processing unit 230 delivers the plurality of mask log files 104 and the mask identifier of the mask data 103 used for generating each mask log file 104 to the compression processing unit 240.
After S153B, the process proceeds to S160B1.

In S160B1, the compression processing unit 240 generates a plurality of compressed log files 106 by compressing each of the plurality of mask log files 104.
After S160B1, the process proceeds to S160B2.

In S160B2, the compression processing unit 240 compares the data sizes of the plurality of compressed log files 106.
Then, the compressed log file 106 having the smallest data size is selected.
After S160B2, the process proceeds to S161B.

In S161B, the compression processing unit 240 passes the selected compressed log file 106 and the mask data identifier corresponding to the selected compressed log file 106 to the mask processing unit 230.
After S161B, the process proceeds to S162B.

In S <b> 162 </ b> B, the log transmission unit 250 transmits the compressed log file 106 and the mask data identifier to the log collection server device 300.
After S162B, the process proceeds to a log restoration / analysis process.

FIG. 15 is a sequence diagram illustrating a log restoration / analysis process according to the second embodiment.
The flow of the log restoration / analysis process in the second embodiment will be described below with reference to FIG.

S170B to S180B are processes corresponding to S170 to S180 described in the first embodiment.
S181 to S190 are the same as those in the first embodiment (see FIG. 8).
Hereinafter, matters different from S170 to S180 of the first embodiment will be mainly described with respect to S170B to S180B.

In S170B, the log receiving unit 310 of the log collection server device 300 receives the compressed log file 106 and the mask data identifier from the log collection client device 200.
Then, the log receiving unit 310 passes the compressed log file 106, the mask data identifier, and the client identifier to the decompression processing unit 320.
After S170B, the process proceeds to S171B.

In S171B, the decompression processing unit 320 obtains the compressed log file 106, the mask data identifier, and the client identifier from the log receiving unit 310.
Then, the decompression processing unit 320 decompresses the acquired compressed log file 106 to obtain the mask log file 104.
After S171B, the process proceeds to S172B.

In S172B, the decompression processing unit 320 transfers the mask log file 104, the mask data identifier, and the client identifier to the mask release unit 340.
After S172B, the process proceeds to S180B.

In 180B, the mask release unit 340 requests the mask data management unit 330 for the mask data 103 corresponding to the client identifier and the mask data identifier. The mask data management unit 330 delivers the mask data 103 identified by the mask data identifier among the plurality of mask data 103 corresponding to the client identifier to the mask release unit 340.
After S180B, the process proceeds to S181.

In step S <b> 181, the mask release unit 340 uses the mask data 103 to release the mask of the mask log file 104 to obtain the log file 101.
In S <b> 182, the mask release unit 340 delivers the log file 101 and the client identifier to the log providing agent unit 350.
In S183, the log providing agent unit 350 transmits the log file 101 and the client identifier to the log monitoring apparatus 130.
In S190, the log analysis unit 131 of the log monitoring device 130 analyzes the log file 101 and outputs an analysis result.

  In the second embodiment, for example, the following log collection system 110 has been described.

A plurality of mask data is created, and the mask data is exchanged between the client and the server in pairs with identifiers at the stage of initial processing (mask data generation step).
Then, optimal mask data with high compression efficiency is selected from the plurality of mask data, and log information is collected.

Embodiment 3 FIG.
A mode in which mask data is prepared for each time zone and the log file is masked using the mask data of the corresponding time zone will be described.
Hereinafter, items different from the embodiment 1-2 will be mainly described. Matters whose description is omitted are the same as in Embodiment 1-2.

  The configuration of the log monitoring system 100 is the same as that of the first embodiment (see FIG. 1).

The client storage unit stores a plurality of mask data 103 in association with time.
The mask processing unit 230 generates the mask log file 104 using the mask data 103 corresponding to the time among the plurality of mask data 103 stored in the client storage unit.

  The mask release unit 340 restores the log file 101 from the mask log file 104 using the mask data 103 corresponding to the mask log file 104.

FIG. 16 is a sequence diagram showing a mask data generation process in the third embodiment.
The process flow of the mask data generation process in the third embodiment will be described below with reference to FIG.

S110 to S130 are the same as those in the first embodiment (see FIG. 3).
S131C to S141C are processes corresponding to S131 to S141 described in the first embodiment.
Hereinafter, items different from S131 to S141 of the first embodiment will be mainly described with respect to S131C to S141C.

In S131C, the mask data generation unit 220 acquires the log file 101 from the log acquisition agent unit 210, and stores the acquired log file 101 in the client storage unit.
The mask data generation unit 220 generates the mask data 103 for each time period based on the log file 101 stored in the client storage unit.
For example, the mask data generation unit 220 divides the plurality of log records 102 included in the log file 101 for each of the multiple generation log files 101 by time zone. Then, the mask data generation unit 220 generates the mask data 103 for each time zone based on the log records 102 having the same time zone and different generations.
The mask data generation unit 220 stores the mask data 103 for each time period in the client storage unit.
The generation timing and generation method of the mask data 103 are the same as those in the first embodiment (S131).

FIG. 17 is a schematic diagram of mask data generation processing (S131C) in the third embodiment.
The mask data generation process (S131C) in the third embodiment will be described below with reference to FIG.

The mask data generation unit 220 uses the first time zone based on the log record 102c1 recorded in the first time zone (12:00) and the log record 102c2 recorded in the first time zone on the previous day. Mask data 103c is generated.
Similarly, the mask data generation unit 220 generates the mask data 103 for the time zone based on the log record 102 of the same time zone on the current day and the previous day for time zones other than the first time zone.

  Returning to FIG. 16, the description of the mask data generation process will be continued.

  After S131C, the process proceeds to S132C.

In S132C, the mask data generation unit 220 delivers the mask data 103 for each time period to the log transmission unit 250.
In S <b> 133 </ b> C, the log transmission unit 250 transmits the mask data 103 for each time period to the log collection server device 300.
In S <b> 140 </ b> C, the log receiving unit 310 of the log collection server device 300 delivers the mask data 103 for each time period to the mask data management unit 330.
In S141C, the mask data management unit 330 manages the mask data 103 for each time period.

FIG. 18 is a sequence diagram illustrating a mask log generation process according to the third embodiment.
The flow of the process of the mask log generation process in the third embodiment will be described below based on FIG.

  Processes other than S151C are the same as those in the first embodiment (see FIG. 6).

In S151C, the mask processing unit 230 acquires the mask data 103 for the time period in which the log file 101 was generated from the client storage unit.
For example, the mask processing unit 230 refers to the log record 102 included in the log file 101. When the log record 102 indicates the time of 12:00, the mask processing unit 230 acquires the mask data 103 for 12:00.

  Then, the mask processing unit 230 generates the mask log file 104 using the acquired mask data 103. At this time, the time (hour minute second) is not masked (S152).

FIG. 19 is a sequence diagram illustrating a log restoration / analysis process according to the third embodiment.
The processing flow of the log restoration / analysis process in the third embodiment will be described below with reference to FIG.

  Processes other than S180C are the same as those in the first embodiment (see FIG. 8).

In S180C, the mask release unit 340 acquires the mask data 103 corresponding to the mask log file 104 from the mask data management unit 330.
For example, the mask release unit 340 refers to the mask log record 105 in the mask log file 104. When the mask log record 105 indicates a time in the 12 o'clock range, the mask release unit 340 acquires the mask data 103 for the 12 o'clock range.

  Then, the mask release unit 340 restores the log file 101 using the acquired mask data 103 (S181).

  As in the second embodiment, a plurality of mask data 103 are prepared for each time zone, a plurality of compressed log files 106 are generated using the plurality of mask data 103 for the time zone, and a compressed log with a small data size is generated. The file 106 may be adopted.

  100 log monitoring system, 101 log file, 102 log record, 103 mask data, 104 mask log file, 105 mask log record, 106 compressed log file, 109 master log file, 110 log collection system, 120 monitored system, 121 business application Unit, 130 log monitoring device, 131 log analysis unit, 200 log collection client device, 210 log acquisition agent unit, 220 mask data generation unit, 230 mask processing unit, 240 compression processing unit, 250 log transmission unit, 300 log collection server device 310 log receiving unit, 320 decompression processing unit, 330 mask data management unit, 340 mask release unit, 350 log providing agent unit, 901 display device, 902 keyboard, 903 macro Scan, 904 drive, 911 CPU, 912 Bus, 913 ROM, 914 RAM, 915 communication board, 920 a magnetic disk device, 921 OS, 922 Window system, 923 Program group, 924 File group.

Claims (11)

A mask data storage unit for storing mask data indicating partial data common to a plurality of logs indicating processing performed by the computer;
A log input section for inputting logs;
A mask log generation unit configured to generate a log without the partial data as a mask log based on the log input to the log input unit and the mask data stored in the mask data storage unit; Log collector. The log collection device further includes:
A mask data generation unit that extracts partial data common to a plurality of logs from a plurality of logs input to the log input unit, and generates mask data indicating the extracted partial data,
The log collection device according to claim 1, wherein the mask data storage unit stores the mask data generated by the mask data generation unit. The mask data generation unit extracts common partial data from a log newly input to the log input unit and a log previously input to the log input unit, and generates mask data indicating the extracted partial data The log collection device according to claim 2, wherein: The log input unit inputs a plurality of logs,
The mask data generation unit divides a plurality of logs input to the log input unit into a plurality of groups based on a predetermined condition, generates mask data for each group,
The mask log generation unit generates a file including a plurality of mask logs corresponding to the plurality of logs as a mask log file for each of a plurality of mask data generated by the mask data generation unit,
The log collection device further includes:
A mask log compression unit that compresses a plurality of mask log files generated by the mask log generation unit by a predetermined method;
The log collection according to claim 2, further comprising: a mask log selection unit that selects a mask log file based on a data size of each of the plurality of mask log files compressed by the mask log compression unit. apparatus. The log collection device further includes:
A mask log decompression unit for decompressing the mask log file selected by the mask log selection unit by a predetermined method;
A log restoration unit that restores the plurality of logs by setting partial data indicated by mask data corresponding to the mask log file in each of a plurality of mask logs included in the mask log file decompressed by the mask log decompression unit The log collection device according to claim 4, further comprising: The mask data storage unit stores a plurality of mask data in association with time,
The mask log generation unit generates a mask log using mask data corresponding to a time at which the log was recorded among a plurality of mask data stored in the mask data storage unit. The log collector described. The log collection device further includes:
The log according to claim 6, further comprising: a log restoration unit that restores the log by setting partial data indicated by mask data corresponding to the mask log in the mask log generated by the mask log generation unit. Collection device. A log collection method of a log collection device including a mask data storage unit that stores mask data indicating partial data common to a plurality of logs indicating processing performed by a computer,
The log input part inputs the log,
The mask log generation unit generates a log from which the partial data is omitted as a mask log based on the log input to the log input unit and the mask data stored in the mask data storage unit. Log collection method for the log collector. A mask data storage unit for storing mask data indicating partial data common to a plurality of logs indicating processing performed by the computer;
A log input section for inputting logs;
A mask log generation unit that generates a log without the partial data as a mask log based on the log input to the log input unit and the mask data stored in the mask data storage unit;
A log collection client device comprising: a mask log transmission unit configured to transmit mask data stored in the mask data storage unit and a mask log generated by the mask log generation unit;
A mask log receiving unit for receiving the mask data and the mask log;
A log collection server device comprising: a log restoration unit that restores a log by setting partial data indicated by mask data received by the mask log reception unit in a mask log received by the mask log reception unit Log collection system characterized by that. The log collection client device further includes:
A mask data generation unit that extracts partial data common to a plurality of logs from a plurality of logs input to the log input unit, and generates mask data indicating the extracted partial data at a predetermined timing,
The mask log transmission unit transmits mask data newly generated by the mask data generation unit,
The log collection system according to claim 9, wherein the log restoration unit restores a log using new mask data transmitted by the mask log transmission unit. A log collection client device including a mask data storage unit that stores mask data indicating partial data common to a plurality of logs indicating processing performed by a computer,
The log input part inputs the log,
A mask log generation unit generates a log with the partial data omitted as a mask log based on the log input to the log input unit and the mask data stored in the mask data storage unit,
The mask log transmission unit transmits the mask data stored in the mask data storage unit and the mask log generated by the mask log generation unit,
On the log collection server device,
A mask log receiving unit receives the mask data and the mask log;
A log collecting system, wherein a log restoring unit restores a log by setting partial data indicated by mask data received by the mask log receiving unit in a mask log received by the mask log receiving unit Log collection method.

Images