JP2011215783A - Apparatus, method and program for managing extraction of log information difference - Google Patents

Abstract

PROBLEM TO BE SOLVED: To properly extract and store difference of log information regardless of a log format specific to equipment which outputs log information from log files whose rotation and generations are managed.SOLUTION: A log information difference extraction management device 1 is configured to detect that a log file 71 is stored, and to read target equipment information by using the location of temporary log information as a key ([3]), and to, on the basis of the read target equipment information, read the temporarily stored log files for processing in ascending order generation ([4]), and to read end position information N(t0) at the time t0 of previous collection ([5]) and a hash value "hash(t0)" ([6]), and to, when the hash value "hash(A)" of log information A from the beginning to N(t0) in the log file read by [4] is coincident with a hash value "hash (0)", determine to collect the log files of the generations following the above log file.

Description

  The present invention relates to log information difference extraction management for extracting and managing a difference of log information generation-managed by log file rotation.

  An example of a related technology log management system is described in Patent Document 1. The system of Patent Document 1 stores in advance a means for investigating, acquiring, and storing information (hereinafter referred to as “invariant information”) that is given to a log file and is not changed by rotation, a means for processing the log file, Means for determining whether or not the acquired invariant information (hereinafter referred to as “first invariant information”) and the acquired invariant information (hereinafter referred to as “second invariant information”) are the same, and the generation of the log file It comprises means for investigating and acquiring information, means for processing the next generation log file based on the acquired generation information, and means for storing the log file.

  As the processing, the invariant information given to the log file is stored as the first invariant information, and the invariant information given to the log of the log file name to be monitored is stored in the state where the first invariant information is stored. If the first invariant information stored and the obtained second invariant information are the same, the log file rotation is determined when the determination results are not the same. The generation information that reaches the log file is examined and acquired based on the log file name change rule applied in Step 1, and the next generation log file is sequentially processed from the log file based on the acquired generation information. As a result, log file monitoring is realized in response to log file rotation. Here, as the invariant information, an inode number that is a value unique to a Unix system (Unix is a registered trademark) is used.

  However, this method targets only the log file of the Unix system having the inode number, and cannot be applied universally to the log file managed by rotation.

JP 2005-293016 A

  Log information storage in devices such as network devices is often controlled so as not to exceed the upper limit of the storage amount by log file rotation and generation management. In this case, when the upper limit of the set storage amount is exceeded, old data is sequentially deleted, and long-term trail storage is impossible. This problem has been solved by a method in which a log file is transmitted from each device to an external log management system, and trail management is performed centrally.

  However, in the related art log management system, there is a case where the log file transmitted from the device is managed using the log file name. In this case, when only the added log information (difference from the previous transmission) is extracted and stored from the transmitted log file, the log file is specified and the additional log information is extracted by the occurrence of rotation. It may not be possible. As a result, log information is lost or duplicated for management.

  Also, since the latest log file on the device side is basically the target of the log information writing process, it cannot be sent to the log management system side. For example, when the upper limit of the file size and the number of files are set in the rotation of the log file on the device side, the latest log file is not transmitted to the log management system side until the set file size is reached. Therefore, since the log management system always manages up to one generation before the latest log file, there is a delay in collecting log information.

  In solving these problems, the need for trail management is increasing due to recent laws and regulations, etc., and should be implemented regardless of the log information or values specific to log files in various devices. As an existing log management technique, there is known a log file monitoring method that enables a log file to be specified even when rotation occurs, but values specific to the log format of each device are used. For this reason, it has not been realized as general-purpose log information difference extraction that does not depend on a device-specific log format.

  Therefore, an object of the present invention is to provide a log information difference that can appropriately extract and store a difference in log information from a log file that is rotated and generation-managed, regardless of the log format specific to the device that outputs the log information. It is to provide an extraction management device and the like.

The log information difference extraction management device of the present invention is
A storage unit for storing a reference end and a reference hash value;
One log file is input from the log file group that is rotation and generation managed, a hash value from the head of this one log file to the reference end is obtained, and the hash value is compared with the reference hash value, If the two match, the log file of the generation after the one log file is extracted as a log information difference, and if both do not match, the other log file is input from the log file group and the one log file is extracted. A processing unit that repeats the operation after input,
It is provided with.

The log information difference extraction management method of the present invention includes:
Remember the reference end and the reference hash value,
One log file is input from the log file group that is rotation and generation managed, a hash value from the head of this one log file to the reference end is obtained, and the hash value is compared with the reference hash value, If the two match, the log file of the generation after the one log file is extracted as a log information difference, and if both do not match, the other log file is input from the log file group and the one log file is extracted. Repeat the operation after input,
It is characterized by that.

The log information difference extraction management program of the present invention is
A log information difference extraction management program used in an apparatus including a storage unit for storing a reference end and a reference hash value, and a computer,
A procedure for inputting one log file from a group of log files that are rotation and generation managed, a procedure for obtaining a hash value from the beginning of the one log file to the reference end, and the hash value and the reference hash value , A procedure for extracting log files of generations after the first log file as log information differences if they match, and another log file from the log file group if they do not match And repeating the operation after inputting the one log file,
Is executed by the computer.

  According to the present invention, it is possible to specify the end of the log file when the previous log information difference is extracted by using the reference end, and the log when the previous log information difference is extracted by using the reference hash value Since the file can be specified, it is possible to appropriately extract the log information difference from the log file whose rotation and generation are managed regardless of the log format unique to the device.

It is a conceptual diagram which shows the whole operation | movement in embodiment. It is a block diagram which shows the structure in embodiment. It is a flowchart which shows the collection object registration process in embodiment. It is a flowchart which shows the collection start process in embodiment. It is a flowchart which shows the collection target determination process in embodiment. It is a flowchart which shows the collection process in embodiment. It is a flowchart which shows the collection end process in embodiment. It is a chart which shows the collection object information table in an embodiment. It is a chart which shows the tail position information table in an embodiment. It is a graph which shows the temporary log information table in embodiment. It is a chart which shows the hash value information table in an embodiment. It is a chart which shows the log information table in an embodiment.

  First, an outline of the present invention will be described. In addition, the code | symbol in the parenthesis attached | subjected to the following component is a code | symbol of the component of FIG. 2 corresponded to the component.

  The log information difference extraction management device (1) of the present invention basically includes a storage unit (53, 55) and a processing unit (51, 54). The storage units (53, 55) store the reference end and the reference hash value. The processing units (51, 54) input one log file from the rotation and generation-managed log file group, obtain a hash value from the beginning of the one log file to the reference end, The reference hash value is compared, and if both match, the log file of the generation after the one log file is extracted as a log information difference, and if both do not match, another log file is extracted from the log file group. The operation after inputting and inputting the one log file is repeated. Here, “reference end” corresponds to N (t0) in FIG. 1, and “reference hash value” corresponds to hash (t0).

  According to the log information difference extraction management device (1) of the present invention, the end of the log file when the previous log information difference is extracted can be specified by using the reference end, and the previous time can be determined by using the reference hash value. Since the log file when the log information difference is extracted can be identified, the log information difference can be appropriately extracted from the rotation and generation managed log file regardless of the log format unique to the device.

  Further, the log information difference extraction management device (1) of the present invention may further include an update unit (51, 54). The update unit (51, 54) obtains a hash value from the beginning to the end of the log information difference, stores the hash value in the storage unit (55) as the reference hash value, and sets the end of the log information difference to the end It memorize | stores in a memory | storage part (53) as a reference | standard end. When the update unit (51, 54) is provided, the log information difference can be extracted continuously by updating the reference end and the reference hash value each time the log information difference is extracted.

  Furthermore, when inputting the one log file from the log file group, the processing unit (51) inputs the one log file in order of oldest generation, and generates log files of generations after the one log file. When extracting as a log information difference, it is possible to extract from immediately after the reference end of the one log file to the end of the newest log file of the latest generation.

  The log information difference extraction management method of the present invention is realized as an operation of the log information difference extraction management apparatus (1) of the present invention. That is, the log information difference extraction management method of the present invention stores the reference end and the reference hash value, inputs one log file from the log file group that is rotation and generation managed, Find the hash value from the beginning to the reference end, compare this hash value and the reference hash value, if both match, extract the log file of the generation after the one log file as a log information difference, If they do not match, another log file is input from the log file group and the operation after the one log file is input is repeated.

  It may further include obtaining a hash value from the beginning to the end of the log information difference, updating the hash value as the reference hash value, and updating the end of the log information difference as the reference end. .

  Further, when inputting the one log file from the log file group, the one log file is input in the order of oldest generation, and the log files of the generations after the one log file are extracted as log information differences. In this case, it is possible to extract from the immediately after the reference end of the one log file to the end of the newest log file of the latest generation.

  The processing units (51, 54) of the log information difference extraction management device (1) may be realized by a computer and a log information difference extraction management program of the present invention. That is, the log information difference extraction management program of the present invention is used in an apparatus including a storage unit (53, 55) for storing a reference end and a reference hash value, and a computer. That is, the log information difference extraction management program according to the present invention includes a procedure for inputting one log file from a log file group that is rotation and generation managed, and a hash value from the beginning of the one log file to the reference end. The procedure for obtaining, the procedure for comparing the hash value with the reference hash value, and the procedure for extracting the log file of the generation after the one log file as the log information difference when they match do not match. In this case, a procedure for repeating the operation after inputting another log file from the log file group and inputting the one log file is executed by the computer. The computer may be a general computer having a CPU, a memory (ROM and RAM), an input / output interface, and the like. At this time, the CPU reads, interprets, and executes the log information difference extraction management program of the present invention stored in the memory.

  Also, a procedure for obtaining a hash value from the beginning to the end of the log information difference, a procedure for storing the hash value in the storage unit (55) as the reference hash value, and a tail of the log information difference as the reference end It is good also as making the said computer perform further the procedure memorize | stored in a memory | storage part (53).

  Furthermore, in the procedure of inputting the one log file from the log file group, the one log file is input in the order of the oldest generation, and the log files of the generations after the one log file are extracted as log information differences. In the procedure, it is possible to extract from immediately after the reference end of the one log file to the end of the newest generation log file.

  The log information difference extraction management method and information difference extraction management program of the present invention also exhibit the same operations and effects as the log information difference extraction management apparatus of the present invention described above.

  DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention (hereinafter referred to as “embodiments”) will be described with reference to the accompanying drawings. First, an outline of the present embodiment will be described.

  The log information difference extraction management device (hereinafter referred to as “this device”) according to the present embodiment collects log information of a device that is a log information collection target (hereinafter referred to as “collection target device”) by the following means. Thus, the above-described problem is solved.

  As shown in FIG. 1, information necessary for the collection processing related to the collection target device 7 such as information that can uniquely identify the collection target device 7 and log file generation management information (hereinafter referred to as target device information) as a preliminary preparation. Is registered ([0] target device information in FIG. 1).

  The collection process starts when a log file 71 is transmitted from the collection target device 7 at a certain time t1 ([1] time t1) and temporarily stored on the apparatus 1 side ([2] temporary log information). To do. The apparatus 1 detects the storage of the log file, and reads the target device information registered in advance using the temporary log information storage destination as a key ([3]). Subsequently, based on the target device information read in [3], the temporarily stored log file is read as a processing target in order of oldest generation ([4]). Further, based on the target device information, the tail position information N (t0) and ([5]) and the hash value hash (t0) at the time t0 when the previous collection processing was performed are read ([6]), and the subsequent processing is performed. .

  The log information A from the beginning to N (t0) in the log file read in [4] is extracted ([7]), and the hash value hash (A) of the log information is calculated ([8]). . The calculated hash value hash (A) is compared with the hash value hash (0) read in [6] ([9]). If the two values are different, the log file is not to be collected. If not, the procedure of [7]-[9] is repeated ([10] hash (A) ≠ hash (t0)). If both values match, it is determined that the log file of the generation after the log file is to be collected, and the log from immediately after N (t0) of the log file to the end of the newest log file of the generation Information is extracted ([11] hash (A) = hash (t0)). The extracted log information is additionally written and stored in a predetermined storage location as log information collected at time t1 ([12] log information).

  After the storage of the log information is completed, a process for holding the information of the newest log file among the log files collected at t1 is performed. That is, the end position of the log file is extracted as the end position information N (t1) at the time of the current collection t1 ([13] N (t1)), and the retained end position information is changed from N (t0) to N (t update to t1) ([14] tail position information). Similarly, log information from the beginning to the end of the log file is extracted ([15]). A hash value is calculated from the extracted log information to obtain a hash value hash (t1) at the time of current collection ([16] hash (t1)), and the stored hash value is updated from hash (t0) to hash (t1). ([17] End position information). By updating and holding the tail position information and hash value at N (t1) and hash (t1), comparison with the hash value calculated at the next collection and determination of the log file to be collected are continued. It becomes possible.

  Next, the configuration of the present embodiment will be described in detail with reference to the drawings.

  Referring to the configuration diagram of FIG. 2, the apparatus 1 includes an input unit 2, an output unit 3, a collection processing management unit 4, a collection target determination processing unit 5, and a log information storage unit 6. .

  The input unit 2 is for inputting information to be collected and refers to an interface device such as a keyboard that realizes input from an administrator.

  The output unit 3 outputs a registration result of the collection target information input from the input unit 2 and indicates an interface device such as a display.

  The collection processing management unit 4 manages collection target information, and includes a collection target registration unit 41, a collection target information storage unit 42, and a collection processing management unit 43.

  The collection target registration unit 41 receives the collection target information input from the input unit 2 and performs a collection target information registration process. Specifically, the input collection target information is written into the collection target information storage unit 42. Further, based on the input collection target information, it is confirmed whether an area for storing log information of the collection target device 7 (hereinafter referred to as a log information storage destination) is secured on the log information storage unit 61. If not secured, the log information storage unit 61 stores the log information storage destination, and the temporary log information storage unit 52 writes the log file 71 in an area for temporary collection of the log file 71 (hereinafter referred to as “temporary log information”). "Storage location").

  The collection target information storage unit 42 receives the writing from the collection target registration unit 41, and stores and stores the collection target information.

  The collection processing management unit 43 receives information on the temporary log information storage destination as a collection target determination processing start notification from the log file processing unit 51. Further, using this temporary log information storage destination information as a key, the collection target information is read from the collection target information storage unit 42 and transmitted to the log file processing unit 51.

  The collection target determination processing unit 5 receives the transmission of the log file 71 from the collection target device 7 and performs determination of log files to be collected and collection processing of log information. A log information storage unit 52, a tail position information storage unit 53, a hash processing unit 54, and a hash value storage unit 55 are included.

  The log file processing unit 51 detects writing from the collection target device 7 to the temporary log information storage unit 52 and performs log information collection start processing. Specifically, the writing of the log file 71 from the collection target device 7 to the temporary log information storage destination on the temporary log information storage unit 52 is detected, and the temporary log is sent to the collection processing management unit 43 as the collection target determination process starts. Notify the information storage location information. Also, the collection target information read from the collection processing management unit 43 using the temporary log information storage destination information as a key is received.

  Subsequently, the log file processing unit 51 performs a collection target determination process. Specifically, based on the collection target information received from the collection processing management unit 43, the tail position at the time of the previous collection of the collection target device 7 is read from the tail position information storage unit 53. Further, the log file 71 of the collection target device 7 is read from the temporary log information storage unit 52 in the order of generation, and the log information is extracted from the read log file based on the end position at the time of the previous collection, and is combined with the collection target information. To the hash processing unit 54. Alternatively, the hash value comparison result from the hash processing unit 54 is received, and the collection target determination process is continued or the collection process is started.

  Further, the log file processing unit 51 performs collection processing. Specifically, when the comparison result of the hash value from the hash processing unit 54 is “match”, the log information to be collected this time included from the matched log file to the latest log file is extracted, and the log The information is stored in the information storage unit 61.

  Finally, after all the log information to be collected is stored in the log information storage unit 61, the collection end process is performed. Specifically, the end position of the latest log file that has been collected last is extracted. In addition, for the collection target determination process at the next collection, the end position of the collection target device 7 on the end position information storage unit 53 is updated to the extracted end position information. Further, the log information from the beginning to the end in the log file that has been collected last is extracted and transmitted to the hash processing unit 54 together with the collection target information.

  The temporary log information storage unit 52 temporarily stores the log file 71 transmitted from the collection target device 7. Specifically, the log file 71 is written from the collection target device 7 to the temporary log information storage area on the temporary log information storage unit 52, and the temporary log information of the collection target device 7 is stored and stored. Further, the log file (temporary log information) that is no longer needed is deleted by the processing from the log file processing unit 51.

  The tail position information storage unit 53 receives the writing from the log file processing unit 51 and stores and stores the tail position at the time of the previous collection in the log file 71 of the collection target device 7.

  The hash processing unit 54 calculates and compares hash values to determine log files to be collected in the collection target determination process. Specifically, the log file processing unit 51 receives log information and collection target device information extracted from the log file, and calculates a hash value of the log information. Further, based on the collection target information received from the log file processing unit 51, the hash value at the previous collection time of the collection target device 7 is read from the hash value storage unit 55 and compared with the calculated hash value. The comparison result is transmitted to the log file processing unit 51.

  Further, in the collection end process, the hash processing unit 54 receives the log information extracted from the log file that was last collected by the log file processing unit 51 and the collection target device information, and receives the received log information. Calculate the hash value of. Also, the hash value of the collection target device 7 on the hash value storage unit 55 is updated to the calculated hash value based on the collection target information received from the log file processing unit 51 for the collection target determination process at the next collection. To do.

  The hash value storage unit 55 receives the writing from the hash processing unit 54, and stores and stores the hash value of the log information in the log file that was last collected at the time of the previous collection of the collection target device.

  The log information storage unit 6 stores log information of the collection target device 7 and includes a log information storage unit 61.

  The log information storage unit 61 receives the writing from the log file processing unit 51 and stores and stores the log information of the collection target device 7.

  Next, the operation of the present embodiment will be described in detail with reference to the configuration diagram of FIG. 2, the flowcharts of FIGS. 3 to 7, and the information format examples of FIGS. 8 to 12. As a format example of each information, FIG. 8 shows a collection target information table, FIG. 9 shows a tail position information table, FIG. 10 shows a temporary log information table, FIG. 11 shows a hash value information table, and FIG. .

  First, the collection target registration process will be described with reference to FIG.

  First, the input unit 2 receives input of collection target information by an administrator or the like (S01 in FIG. 3). As illustrated in FIG. 8, the collection target information includes information that can uniquely identify the collection target device 7 (hereinafter referred to as “collection target device ID”), a temporary log information storage destination, a log information storage destination, And information such as generation management rules or conditional expressions (hereinafter referred to as “generation management information”) in the rotation of the log file 71 group transmitted from the collection target device 7. The temporary log information storage destination and the log information storage destination are information uniquely associated with the collection target device ID, the temporary log information storage destination is on the temporary log information storage unit 52, and the log information storage destination is log information. This is ensured on the storage unit 61. The generation management information is information for the log file processing unit 51 to determine the generation of the log file stored on the temporary log information storage unit 52 based on the contents of the generation management information.

  The input collection target information is notified to the collection target registration unit 41 via the input unit 2 (S02). The collection target registration unit 41 stores the notified collection target information in the collection target information storage unit 42 (S03). Also, it is confirmed whether the log information storage destination of the collection target information is secured on the temporary log information storage unit 52 (S04). If it is secured, the collection target registration unit 41 notifies the output unit 3 of the completion of registration processing (S07), and the output unit 3 outputs the registration result (S08). If not secured, the collection target registration unit 41 secures an area on the log information storage unit 61 based on the log information storage destination of the input collection target information (S05). Similarly, an area is secured on the temporary log information storage unit 52 based on the temporary log information storage destination of the input collection target information (S06). When securing of each area is completed, the collection target registration unit 41 notifies the output unit 3 of the completion of registration processing (S07), and the output unit 3 outputs the registration result (S08).

  Next, the collection start process will be described with reference to FIG.

  First, writing of the log file 71 from the collection target device 7 to the temporary log information storage destination in the temporary log information storage unit 52 is detected by the log file processing unit 51 (S09 in FIG. 4). The log file processing unit 51 transmits the temporary log information storage destination on the temporary log information storage unit 52 where writing has occurred to the collection processing management unit 43 as a collection target determination processing start notification (S10). The collection processing management unit 43 receives the notification from the log file processing unit 51, and reads out the corresponding collection target information from the collection target information storage unit 42 using the temporary log information storage destination information as a key (S11). The read collection target information is transmitted from the collection processing management unit 43 to the log file processing unit 51 (S12).

  Next, the collection target determination process will be described with reference to FIG.

  First, the log file processing unit 51 reads the log file of the oldest generation from the log file of the collection target device stored on the temporary log information storage unit 52 based on the collection target information received in S12 (see FIG. 5 S13). Further, the end position at the time of the previous collection of the collection target device is read from the end position information storage unit 53 based on the collection target information in the same manner (S14). As illustrated in FIG. 9, the end position is a value managed in the end position information table in association with the collection target device ID, and is indicated by a data size (number of bytes) or a line number. This value indicates the position of the end of the log information in the log file that was last collected at the time of the previous collection.

  Subsequently, based on the last position at the time of the previous collection read in S14, the log file processing unit 51 extracts log information from the start position of the log file read in S13 to the read end position (S15). For example, when the read end position is “1,234,567 bytes”, the data from 0 to 1,234,567 bytes in the log information in the log file is extracted. The log information extracted here is hereinafter referred to as temporary log information. Note that the temporary log information is managed by a temporary log information table including only temporary log information as illustrated in FIG. In FIG. 10, the temporary log information is illustrated in a text format for convenience, but in the application of the present invention, the binary format or text format of the temporary log information may be used.

  After extracting the temporary log information, the log file processing unit 51 transmits the collection target device ID of the collection target information and the extracted temporary log information to the hash processing unit 54 (S16). The hash processing unit 54 calculates a hash value based on the received temporary log information (S17). Further, based on the collection target device ID of the collection target information received in S16, the hash value of the collection target device 7 is read from the hash value storage unit 55 (S18). As illustrated in FIG. 11, the hash value stored in the hash value storage unit 55 is a value managed in the hash value information table in association with the collection target device ID, and is finally processed at the time of the previous collection. This is a hash value calculated from the log information in the log file.

  Further, the hash value calculated this time in S17 is compared with the hash value at the previous collection read in S18 (S19). When the comparison result is “mismatch”, the log file that has undergone the collection target determination process is not the log file that has been collected last in the previous collection. That is, it is determined that the log file has already collected all the log information in the log file before the previous collection process and is not the current collection target. In this case, the continuation of the determination process is notified from the hash processing unit 54 to the log file processing unit 51 as the determination result “mismatch” (S20). Upon receiving the notification in S20, the log file processing unit 51 reads the next generation log file from the temporary log information storage unit 52 (S21), and continues the processing from S15 onward. When the comparison result is “match”, the log file that has undergone the collection target determination process is the log file that has undergone the last collection process at the time of the previous collection. That is, it is determined that the log information to be collected this time is from immediately after the end position at the time of the previous collection in the log file to the end of the newest generation log file stored in the temporary log information storage unit 52 this time. To do. In this case, the hash processing unit 54 notifies the log file processing unit 51 of the determination result “match” as the start of the collection process (S22).

  Next, the collection process will be described with reference to FIG.

  First, the log file processing unit 51 receives the determination result received in S22, and extracts log information from immediately after the end position at the time of the previous collection to the end in the log file processed in S15 (FIG. 6). S23). For example, when the end position information is “1, 234, 567 bytes”, the data from 1, 234, 568 to the last byte of the log file is extracted. The log information extracted in S23 is stored in the log information storage unit 61 by the log file processing unit 51 (S24). The log information stored in the log information storage unit 61 is managed in the log information table in association with the collection target device ID as illustrated in FIG. In addition, the log information collected from the collection target device associated with the collection target device ID is accumulated. 12 exemplifies the log information in a text format for convenience as in FIG. 10, the log information may be in any format such as binary or text in the application of the present invention.

  Subsequently, the log file processing unit 51 confirms the log file of the collection target device on the temporary log information storage unit 52 (S25), and if there is a next-generation log file, the file is stored in the temporary log information. Read from the unit 52 (S26). For the log file read in S26, all the log information from the beginning to the end is extracted (S27), and the log information is added to the log information storage unit 61 by continuing the processing after S24 repeatedly. . In the log file confirmation on the temporary log information storage unit 52 implemented in S25, if there is no next-generation log file, the log information stored in the immediately preceding S24 is the last log information in the collection target this time judge. In this case, since the log file containing the log information becomes the log file last processed in the current collection process, the collection end process is performed based on the log file.

  Finally, the collection end process will be described with reference to FIG.

  First, the collection target device ID and the log information in the log file last processed in the current collection process (the log information extracted in S23 or S27 immediately before) are transmitted from the log file processing unit 51 to the hash processing unit 54. (S28 in FIG. 7). The hash processing unit 54 calculates a hash value based on the log information received in S28 (S29). Subsequently, for the collection target determination process at the next collection, the hash value associated with the collection target device ID received in S28 on the hash value storage unit 55 is updated with the hash value calculated in S29 (S30). ). After the update is completed, the hash processing unit 54 notifies the log file processing unit 51 of the collection target device ID as a hash value update completion report (S31).

  In addition, the log file processing unit 51 extracts the end position of the log file that was last processed at the time of the current collection (S32). Here, for example, when the log information in the log file exists from 0 to 987,654 bytes, the extracted end position is “987,654 bytes”. The log file processing unit 51 updates the tail position information extracted from the tail position information associated with the collection target device ID in the tail position information storage unit 53 for the collection target determination process at the next collection (S33).

  Upon completion of the hash value update and the end position update, the log file processing unit 51 ends the collection by deleting the log file (temporary log information) of the collection target device on the temporary log information storage unit 52. (S34).

  Next, the effect of this embodiment will be described.

  The first effect is that the log file of the collection target device managed by the rotation can be obtained from the log information in the log file without using a value specific to the log file of the collection target device or a parameter included in the log information. The log file to be collected can be specified using the calculated hash value. As a result, the present invention can be applied to log collection of various devices without depending on the operating system used in the collection target device or the format (binary format, text format) of the output log file. Can do.

  The second effect is that the last (latest) log file and the end position at the time of the previous collection can be specified. As a result, it is possible to collect the difference of the log information added from the previous collection without duplication or omission.

  A third effect is that collection processing is possible even for the latest log file that is the target of write processing on the collection target device. As a result, the latest log information can always be collected, and the log information collection time lag can be reduced.

  The fourth effect is that it is not necessary to incorporate a device dedicated to this patent system such as an agent into the collection target device. As a result, log information can be collected regardless of the configuration within the collection target device and without affecting the device.

  The present invention has been described above with reference to the above embodiment, but the present invention is not limited to the above embodiment. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention.

  Although a part or all of the above embodiments can be described as the following supplementary notes, the present invention is not limited to the following configurations.

(Supplementary Note 1) A storage unit that stores a reference end and a reference hash value;
One log file is input from the log file group that is rotation and generation managed, a hash value from the head of this one log file to the reference end is obtained, and the hash value is compared with the reference hash value, If the two match, the log file of the generation after the one log file is extracted as a log information difference, and if both do not match, the other log file is input from the log file group and the one log file is extracted. A processing unit that repeats the operation after input,
A log information difference extraction management apparatus comprising:

(Appendix 2) In the log information difference extraction management device described in appendix 1,
An update unit that obtains a hash value from the beginning to the end of the log information difference, stores the hash value as the reference hash value in the storage unit, and stores the end of the log information difference as the reference end in the storage unit The
A log information difference extraction management apparatus, further comprising:

(Supplementary Note 3) In the log information difference extraction management device according to Supplementary Note 1 or 2,
The processor is
When inputting the one log file from the log file group, input the one log file in the order of generation,
When extracting the log file of the generation after the one log file as the log information difference, from the immediately after the reference end of the one log file to the end of the newest log file of the most generation,
The log information difference extraction management device characterized by the above.

(Supplementary note 4) The reference end and the reference hash value are stored,
One log file is input from the log file group that is rotation and generation managed, a hash value from the head of this one log file to the reference end is obtained, and the hash value is compared with the reference hash value, If the two match, the log file of the generation after the one log file is extracted as a log information difference, and if both do not match, the other log file is input from the log file group and the one log file is extracted. Repeat the operation after input,
And a log information difference extraction management method.

(Appendix 5) In the log information difference extraction management method described in Appendix 4,
Obtain a hash value from the beginning to the end of the log information difference, update the hash value as the reference hash value, and update the end of the log information difference as the reference end,
A log information difference extraction management method, further comprising:

(Supplementary note 6) In the log information difference extraction management method according to supplementary note 4 or 5,
When inputting the one log file from the log file group, enter the one log file in order of the generation,
When extracting the log file of the generation after the one log file as the log information difference, it is extracted from immediately after the reference end of the one log file to the end of the newest log file of the most generation,
And a log information difference extraction management method.

(Supplementary Note 7) A log information difference extraction management program used in an apparatus including a storage unit that stores a reference end and a reference hash value, and a computer,
A procedure for inputting one log file from a group of log files that are rotation and generation managed, a procedure for obtaining a hash value from the beginning of the one log file to the reference end, and the hash value and the reference hash value , A procedure for extracting log files of generations after the first log file as log information differences if they match, and another log file from the log file group if they do not match And repeating the operation after inputting the one log file,
Log information difference extraction management program for causing the computer to execute.

(Supplementary note 8) In the log information difference extraction management program according to supplementary note 7,
A procedure for obtaining a hash value from the beginning to the end of the log information difference, a procedure for storing the hash value in the storage unit as the reference hash value, and an end of the log information difference as the reference end in the storage unit The procedure to memorize,
Log information difference extraction management program for causing the computer to further execute

(Supplementary note 9) In the log information difference extraction management program according to supplementary note 7 or 8,
In the procedure of inputting the one log file from the log file group, the one log file is input in order of oldest generation,
In the procedure of extracting the log file of the generation after the one log file as the difference of the log information, from the immediately after the reference end of the one log file to the end of the newest log file of the latest generation,
A log information difference extraction management program characterized by that.

  The present invention is an apparatus, method, program, or the like for managing log information that is generation-managed by a log file rotation alone or in an integrated manner in devices that perform information processing such as personal computers, servers, and network devices. Applicable to.

DESCRIPTION OF SYMBOLS 1 Log information difference extraction management apparatus 2 Input means 3 Output means 4 Collection processing management means 41 Collection target registration part 42 Collection target information storage part 43 Collection process management part 5 Collection target judgment processing means 51 Log file processing part 52 Temporary log information storage Unit 53 tail position information storage unit 54 hash processing unit 55 hash value storage unit 6 log information storage unit 61 log information storage unit 7 collection target device 71 log file

Claims (9)

A storage unit for storing a reference end and a reference hash value;
One log file is input from the log file group that is rotation and generation managed, a hash value from the head of this one log file to the reference end is obtained, and the hash value is compared with the reference hash value, If the two match, the log file of the generation after the one log file is extracted as a log information difference, and if both do not match, the other log file is input from the log file group and the one log file is extracted. A processing unit that repeats the operation after input,
A log information difference extraction management apparatus comprising: In the log information difference extraction management device according to claim 1,
An update unit that obtains a hash value from the beginning to the end of the log information difference, stores the hash value as the reference hash value in the storage unit, and stores the end of the log information difference as the reference end in the storage unit The
A log information difference extraction management apparatus, further comprising: In the log information difference extraction management device according to claim 1 or 2,
The processor is
When inputting the one log file from the log file group, input the one log file in the order of generation,
When extracting the log file of the generation after the one log file as the log information difference, from the immediately after the reference end of the one log file to the end of the newest log file of the most generation,
The log information difference extraction management device characterized by the above. Remember the reference end and the reference hash value,
One log file is input from the log file group that is rotation and generation managed, a hash value from the head of this one log file to the reference end is obtained, and the hash value is compared with the reference hash value, If the two match, the log file of the generation after the one log file is extracted as a log information difference, and if both do not match, the other log file is input from the log file group and the one log file is extracted. Repeat the operation after input,
And a log information difference extraction management method. In the log information difference extraction management method according to claim 4,
Obtain a hash value from the beginning to the end of the log information difference, update the hash value as the reference hash value, and update the end of the log information difference as the reference end,
A log information difference extraction management method, further comprising: In the log information difference extraction management method according to claim 4 or 5,
When inputting the one log file from the log file group, enter the one log file in order of the generation,
When extracting the log file of the generation after the one log file as the log information difference, it is extracted from immediately after the reference end of the one log file to the end of the newest log file of the most generation,
And a log information difference extraction management method. A log information difference extraction management program used in an apparatus including a storage unit for storing a reference end and a reference hash value, and a computer,
A procedure for inputting one log file from a group of log files that are rotation and generation managed, a procedure for obtaining a hash value from the beginning of the one log file to the reference end, and the hash value and the reference hash value , A procedure for extracting log files of generations after the first log file as log information differences if they match, and another log file from the log file group if they do not match And repeating the operation after inputting the one log file,
Log information difference extraction management program for causing the computer to execute. In the log information difference extraction management program according to claim 7,
A procedure for obtaining a hash value from the beginning to the end of the log information difference, a procedure for storing the hash value in the storage unit as the reference hash value, and an end of the log information difference as the reference end in the storage unit The procedure to memorize,
Log information difference extraction management program for causing the computer to further execute In the log information difference extraction management program according to claim 7 or 8,
In the procedure of inputting the one log file from the log file group, the one log file is input in order of oldest generation,
In the procedure of extracting the log file of the generation after the one log file as the difference of the log information, from the immediately after the reference end of the one log file to the end of the newest log file of the latest generation,
A log information difference extraction management program characterized by that.

Images