JP2011176554A - Monitoring device, monitoring method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a monitoring device whose processing time is shorter than that of the conventional technology, and which does not require "rules" or the like to be preliminarily created by an experienced person. <P>SOLUTION: The monitoring device obtains alarms or warning messages from the respective devices, and includes: a grouping means for storing the obtained messages in message tables for each transmission source address of the messages; a compression means for consolidating duplicated messages in the message tables into one; a clustering means for determining messages relevant to one another in the respective message tables based on content information included in the messages to group a series of the determined messages relevant to one another into clusters; and a cause analysis means for determining a warning message in the lowest order layer as a cause warning among the warning messages included in the respective clusters. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a network monitoring technique, and more specifically, identifies a message notifying the cause of a failure by determining a correlation between a number of messages acquired from each component device of the network, and further, alerting the cause of the failure. The present invention relates to a monitoring device that predicts the occurrence of a failure based on a warning message accompanying a message.

  As the managed network size increases, the number of warning messages and warning messages received by each monitoring device from each device in the network when a failure occurs increases. In this case, it is necessary to determine the mutual relationship between the received messages and determine the message indicating the root cause of the failure, and various methods for this have been proposed (for example, Non-Patent Document 1). ~ 11.).

Hanemann A, et al. "Algorithm Design and Application of Service-oriented Event Correlation", 3rd IEEE / IFIP International Workshop, April 2008, pp. 196 61-70 Risto, et al. , “Tools and Technologies for Event Log Analysis”, PhD thesis, Tallin University of Technology, Department of Computer Engineering, May Banerjee D, et al. , “A Framework for Distributed Monitoring and Root Cause Analysis for Large IP Networks”, 28th IEEE International Symposium on Reliable 9 Months. 246-255 White Paper, “Automating Root-Cause Analysis: EMC Ionix Codebook Correlation Technology vs. Rules-based Analysis”, November 2000 Qiuhua Zheng et al. , “An Event Correlation Approach Based on the Combination of IHU and Codebook”, Lecture Notes in Computer Science, 2005, Vol. 3802, pp. 757-763 M.M. Steinder et al. , “A Survey of Fault Localization Technologies in Computer Networks”, Science of Computer Programming, Special Edition on Topic, 4th Month 53, pp. 165-194 AL-MAMORY Safaa O, et al. "Intrusion Detection Alarms Reduction Usage Root Cause Analysis and Clustering", Journal of Computer Communications, February 2009, Vol. 32, no. 2, pp. 419-430 Jukic et al. , “Logical Inventory Database Integration into Network Problems Frequency Detection Process”, ConTEL 2009, June 2009, pp. 199-201. 361-365 Wu Jian, et al, “A Novel Algorithm for Dynamic Mining of Association Rules”, International Workshop on Knowledge Discovery and Data Mining, 2008. 94-99 Qingguo Zheng, et al. "Intelligent Search of Correlated Alarms From Database Containing Noise Data", Network Operations and Management Symposium, April 2002, pp. 405-419 Risto Varandi, “A Data Clustering Algorithm for Mining Patterns from Event Logs”, IPOM 2003, October 2003, pp. 119-126

  Non-patent documents 1, 2, 3, and 6 determine the correlation between messages based on a predetermined “rule”. Non-patent documents 1, 4, 5, and 6 include a predetermined “codebook”. "Determining the correlation between messages based on", and Non-Patent Documents 1 and 6 describe determining the correlation between messages based on "example". However, the creation of “rules”, “codebooks”, and “examples” largely depends on the experience and ability of those who create them, and the accuracy of judgment varies greatly depending on the created “rules”, etc. There is a problem of doing.

  Non-Patent Documents 7 to 11 describe a configuration for determining a message indicating a fundamental cause of failure using data mining technology. However, all of the proposed data mining algorithms have a problem that the processing takes time, and the cause of the failure cannot be immediately determined from a large number of received messages.

  Therefore, an object of the present invention is to provide a monitoring device, a monitoring method, and a program that have a shorter processing time than the prior art and do not require “rules” or the like created in advance by an experienced person.

According to the monitoring device of the present invention,
A monitoring device that acquires alarm and warning messages from each device, the grouping means for classifying the acquired messages based on the source address of the messages and storing them in a message table for each source address, and in the message table A clustering unit that aggregates a plurality of duplicate messages into one, and determines a message related to each other in each message table based on content information included in the message, and groups the determined series of messages related to each other into a cluster And a cause analysis means for determining the alarm message of the lowest layer among the messages included in each cluster as a cause alarm.

According to another embodiment of the monitoring device of the present invention,
Based on the warning content of the warning message that the difference between the warning content of the warning message determined as the cause warning and the warning message of the same cluster as the warning message and the occurrence time of the warning message is within a predetermined time, And a pattern analysis means for creating a frequent event table showing a combination of warning contents that are likely to occur when a failure specified by the warning contents occurs, the compression means comprising: If the warning content of the warning message included in the message table matches a predetermined number or more of the warning content combinations in the frequent event table, the warning content corresponding to the combination of warning contents in the frequent event table that matches the predetermined number or more It is also preferable to output a preliminary warning that warns of the occurrence of the failure indicated by.

According to another embodiment of the monitoring device of the present invention,
It is also preferable that the clustering unit aggregates messages included in the same cluster but having different source addresses but the same content information into one.

According to the monitoring method of the present invention,
A first step in which the grouping unit classifies the messages acquired from each device by the source address, and stores the message in a message table for each source address, and the compression unit includes duplicate messages in the message table. And the clustering unit determines messages related to each other in each message table based on the content information included in the message, and groups the determined series of messages related to each other into a cluster And a cause analysis unit includes a fourth step of outputting an alarm message of the lowest layer among the messages included in each cluster as a cause alarm.

  According to the program of the present invention, a computer is caused to function as the monitoring device.

  The monitoring device according to the present invention does not need to create “rules”, “codebooks”, “examples”, etc. in advance, and does not use a complicated algorithm. it can.

It is a schematic block diagram of the monitoring apparatus by this invention. It is a figure which shows a message table. It is a figure which shows the message table after compression. It is a figure explaining conversion to a cluster table. It is a figure which shows a cluster table. It is a figure which shows the cluster table after compression. It is a system block diagram which performs the monitoring method by this invention. It is a figure which shows the message which generate | occur | produces in the structure of FIG. It is a figure which shows the message table at the time of the message acquisition shown in FIG. It is a figure which shows the cluster table at the time of the message acquisition shown in FIG. It is a figure which shows the cluster table after the compression at the time of message acquisition shown in FIG. It is a figure which shows the cause alarm list | wrist at the time of the message acquisition shown in FIG. It is a figure which shows the event set at the time of the message acquisition shown in FIG.

  EMBODIMENT OF THE INVENTION The form for implementing this invention is demonstrated in detail below using drawing. In the present invention, an alarm message is a message notifying that an end point or function that is a monitoring target of a network is stopped, and an alert message is an end point or function that is an object to be monitored of a network. Although it is not a translation, it is a message notifying that there is an unstable situation or an abnormal condition, and when there is no need to distinguish between an alarm message and a warning message, it is simply called a message. In addition to the IP address of the device that generated the message, the message indicates the time (time stamp) at which the message was generated, alarm content (in the case of an alarm message), or warning content (in the case of a warning message). It is assumed that content information is included, and the monitoring device can determine a layer in which a failure / abnormal state has occurred from the content information.

  The content information includes counter device information indicating the other device when the other device is related to the warning or alarm content. For example, when a Port 80 Down alarm occurs in a certain Web server, other node devices communicating with this Web server generate a message having the content of Web Error. The content information of this message includes Opposite device information indicating the Web server is included. In the present embodiment, there are five layers in order from the lower side: system, link, network, transport, and application. The system layer refers to a common part of the device such as a CPU and a memory.

  FIG. 1 is a schematic configuration diagram of a monitoring apparatus according to the present invention. As shown in FIG. 1, the monitoring apparatus includes a grouping unit 1, a compression unit 2, a clustering unit 3, a cause analysis unit 4, a notification unit 5, a pattern analysis unit 6, and a storage unit 7. ing. In addition, the storage unit 7 stores a message table 71, a cluster table 72, a cause alarm list 73, and a frequent event table (FET) 74.

  The grouping unit 1 acquires a message from each device in the network, classifies the acquired message based on the source IP address and the layer, and stores the acquired message in a message table 71 corresponding to the source IP address. FIG. 2 is a diagram showing the message table 71. FIG. 2 shows that messages ML1 and ML2 are received once and four times, respectively, in the link layer from a device whose IP address is A, for example.

  The compression unit 2 aggregates messages that are exactly the same except for the time stamp in the message into one message. In other words, duplicate received messages are consolidated into one. FIG. 3 shows a state in which the message table 71 of FIG. For example, in the transport layer, the message MT1 has been received three times and the message MT2 has been received twice, but each is consolidated into one.

  The FET 74 is a table showing combinations of warning contents of warning messages that are likely to be issued when an alarm message indicating a certain alarm content is issued. The compression unit 2 is held by the FET 74. If there is a combination of warning contents that is highly correlated with the combination of warning contents of the warning messages in the message table 71 after aggregation, there is a possibility that a failure indicated by the warning contents corresponding to the combination with high correlation may occur. It is determined that the value is high, and a preliminary warning is output to a display unit (not shown) and / or a network management device.

  The clustering unit 3 determines messages related to each other based on the network configuration from each message in the message table 71 after aggregation provided for each IP address, and groups a series of related messages as a cluster. For example, as shown in FIG. 4, when the link # 2 is disconnected, not only the router connected to the link # 2, but also the network layer and the devices at both ends performing communication via the link # 2. , The failure of the transport layer is detected and the message is transmitted to the monitoring device. The clustering unit 3 uses, for example, the network from the devices at both ends of FIG. 2 based on the message content information and / or the network configuration. The layer and transport layer messages are determined to belong to the same cluster as the message indicating the failure of the link # 2 from the router. It is assumed that information regarding the configuration of the network monitored by the monitoring device is known in the network, and the clustering unit 3 of the monitoring device accesses, for example, a device holding information regarding the configuration of the network. To get.

  The clustering unit 3 stores the message group determined to belong to the same cluster as the cluster table 72. Note that the notified content information is the same, but messages with different IP addresses of the transmission sources are combined into one. For example, it is assumed that messages related to each other are extracted from each message table and the cluster table shown in FIG. 5 is created. As shown in FIG. 5, the application layer includes a message MA1 received from the device having the IP address A and a message MA5 received from each of the devices having the IP addresses B, C, and D. Although the contents of the messages are the same although the transmission source apparatuses are different, they are collected into one as shown in FIG.

  The cause analysis unit 4 outputs the alarm message in the lowest layer in each cluster table as the root cause, and outputs these to the storage unit 7 as the cause alarm list 73, and the notification unit 5 displays the cause alarm list 73 not shown. Output to the network and / or transmitted to the network management device or the like. The cause analysis unit 4 outputs the warning content of the warning message in the cluster table and the warning content of the warning message selected as the root cause of the cluster to the pattern analysis unit 6 as an event set. The FET 74 is updated from the created FET 74 and a new event set using, for example, an a priori algorithm. It should be noted that the event set includes only the content of the warning message whose time difference from the time stamp of the alarm message selected as the root cause is within a predetermined value.

  Then, the specific example of the monitoring method by this invention is demonstrated below. FIG. 7 is a system configuration diagram used for the following description. Routers #A, #B, and #C are connected to each other, Web servers #D and #E are connected to router #B, and nodes # 1 and #C are connected to each other. # 2 is connected to router #C. The probe device is a device that repeatedly accesses each other device and acquires a message regarding a failure or a state of each device. In this example, it is assumed that the monitoring device according to the present invention is realized on the same computer as the probe device, but is an example, the monitoring device according to the present invention is realized as a device different from the probe device, The message may be received from each device of the network including the probe device.

  In the configuration shown in FIG. 7, it is assumed that the server #A itself and the server function of the Web server #D are stopped due to a failure, and the monitoring apparatus acquires the message shown in FIG. 8. Note that the probe device repeatedly monitors the state of each device. For example, the monitoring device also acquires messages before the router #A is stopped, such as CPU Warning of the router #A. In FIG. 8, for example, “Web Error (#D)” is content information, and (#D) of the content information is counter device information.

  FIG. 9 shows a message table after aggregation by the grouping unit 1 and the compression unit 2 when the message shown in FIG. 8 is acquired. FIG. 9 shows the messages shown in FIG. 8 categorized by device based on the IP address of the transmission source, and further recorded by layer determined from the content information. Subsequently, the clustering unit 3 creates a cluster table shown in FIG. 10 from the message table shown in FIG. For example, since the Web Error (#D) message of the node # 1 and the node # 2 is determined to be for the Web server #D from the content information of the message, the Port 80 Down message of the Web server #D and the Web Error (#D) Messages can be determined to belong to the same cluster. The relationship between the link layer and the network layer is determined by referring to the network configuration information as described above.

  In the cluster table shown in FIG. 10, for example, Device Unreachable (#A) messages for router #A of cluster # 1 are notified from routers #B and #C, respectively, but the transmission sources are different. Since the messages have the same content information, the clustering unit 3 aggregates them into one. Therefore, the clustering unit 3 finally outputs the clustering table shown in FIG.

  The cause analysis unit 4 extracts, as a root cause, alarm messages in the lowest layer among alarm messages of each cluster. Therefore, the cause alarm list 73 shown in FIG. In addition, the cause analysis unit 4 includes, as an event set, the warning contents of the warning message generated at a predetermined time difference with respect to the generation time of the cause alarm of the cluster, together with the warning contents of the cause alarm. Output to the pattern analysis unit 6. FIG. 13 shows an event set output by the cause analysis unit 4 in this example.

  Finally, preliminary warning output in the compression unit 2 will be described. For example, it is assumed that M warning contents are specified for the alarm contents X in the FET 74. In this case, if there is a warning message whose warning content matches a predetermined rate or number in the message table corresponding to a certain device (IP address), the compression unit 2 will select the content corresponding to the rate or number. A preliminary warning is output.

  Specifically, the warning contents W1 to W6 are specified in the FET 74 as corresponding to the warning contents X, and Warning is output with three matches, and Critical is output with four or more matches. In this case, even if a warning message in a certain message table indicates warning contents W1, W2, W7, W9, and W10, the number of matching warning contents is two, W1 and W2, and no preliminary warning is issued. . On the other hand, when the warning message in the message table indicates the warning contents W1, W2, W3, W7, and W9, the three warning contents of W1, W2, and W3 match. A Warning message is output to warn of the possibility that a failure identified by X occurs in the device corresponding to the IP address in the message table. Furthermore, when the warning message in the message table indicates warning contents W1, W2, W3, W4, W5, W7, W9, W10, the four warning contents W1, W2, W3, and W4 match. Therefore, a Critical message is output that warns that a failure identified by the alarm content X may occur in a device corresponding to the IP address of the message table.

  As described above, the monitoring apparatus according to the present invention does not need to create “rules”, “codebooks”, “examples” or the like in advance, and does not use a complicated algorithm, and thus quickly determines the cause of failure. be able to.

  In the above-described embodiment, the present invention is applied to a TCP / IP network. However, the present invention is not limited to the above-described embodiment, and includes a sensor network, a home network, and a cloud. The present invention can be applied to all networks having a layer structure such as a network.

  The monitoring apparatus according to the present invention can be realized by a program that causes a computer to function as each unit in FIG. These computer programs can be stored in a computer-readable storage medium or distributed via a network. Furthermore, the present invention can be realized by a combination of hardware and software.

DESCRIPTION OF SYMBOLS 1 Grouping part 2 Compression part 3 Clustering part 4 Cause analysis part 5 Notification part 6 Pattern analysis part 7 Storage part 71 Message table 72 Cluster table 73 Cause alarm list 74 Multiple event table

Claims (5)

A monitoring device that acquires alarm and warning messages from each device,
Grouping means for classifying the acquired message based on the source address of the message and storing it in a message table for each source address;
Compression means for aggregating duplicate messages in the message table into one;
Clustering means for determining messages related to each other in each message table based on content information included in the messages, and grouping the determined series of messages related to each other into clusters;
Among the messages included in each cluster, cause analysis means for determining the alarm message of the lowest layer as a cause alarm,
Monitoring device. Based on the warning content of the warning message that the difference between the warning content of the warning message determined as the cause warning and the warning message of the same cluster as the warning message and the occurrence time of the warning message is within a predetermined time, A pattern analysis means for creating a frequent event table indicating a combination of warning contents that are likely to occur accompanying the occurrence of a failure specified by the warning contents,
When the warning content of the warning message included in the message table matches a predetermined number or more of the warning content combinations in the frequent event table, the compression means converts the warning content in the frequent event table to match the predetermined number or more. Output a preliminary warning that warns of the occurrence of the failure indicated by the corresponding alarm content.
The monitoring apparatus according to claim 1. The clustering means aggregates messages that are included in the same cluster but have different source addresses but the same content information into one.
The monitoring device according to claim 1 or 2. A first step in which the grouping unit classifies the messages acquired from each device according to a source address, and stores the message in a message table for each source address;
A second step in which the compression unit aggregates duplicate messages in the message table into one;
A third step in which the clustering unit determines messages related to each other in each message table based on content information included in the message, and groups the determined series of messages related to each other into a cluster;
A fourth step in which the cause analysis unit outputs an alarm message of the lowest layer among the messages included in each cluster as a cause alarm;
Monitoring method.   The program which makes a computer function as a monitoring apparatus of any one of Claim 1 to 3.

Images