JP2013030826A - Network monitoring system and network monitoring method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network monitoring system which can notify an appropriate responsible person of failure occurrence at appropriate timing according to a failure level.SOLUTION: A network monitoring system comprises: failure detection means 12 for detecting a failure in an apparatus and/or a line; a failure determination table 18; an influence range determination table 20; a failure level table 19; a user table 24 with which notification destination users to be notified of failure states are registered in association with failure levels; influence range determination means 15 which determines each state of factors by referring to the failure determination table, then determines an influence range by referring to the influence range determination table on the basis of combination of states of factors; failure level determination means 16 for determining a failure level by referring to the failure level table on the basis of the influence range and an elapsed time; and electronic mail transmission means 22 for transmitting an electronic mail reporting a failure details to a notification destination user associated with the failure level in the user table.

Description

  The present invention relates to a network monitoring system for monitoring a failure of a device or a line constituting a network and notifying a network user of the failure state.

  When a network failure occurs, business operations such as business establishments are hindered. Therefore, a network monitoring system capable of quickly responding to the occurrence of a network failure is desired. Faults that occur in the network include faults in network devices such as servers and routers, line troubles, excessive network loads, etc., but monitoring devices connected to the network should be able to Monitoring is performed (see, for example, Patent Document 1). Patent Document 1 discloses an electronic mail between a monitoring device that executes processing according to information signals from a plurality of monitored devices and generates an alarm electronic mail according to the information signals, and a plurality of electronic mail transmitting / receiving terminals. An alarm monitoring system is disclosed that includes an e-mail server that transmits and receives e-mails.

  The mail that the monitoring device detects and issues a failure alert is sent to an appropriate contact (person in charge to management). This is because the handling method and the person in charge differ depending on the location of the failure, the time zone where the failure occurred, and the importance of the failure (failure level).

  Here, since the failure level changes depending on the time during which the failure continues, it is conceivable that the administrator measures the failure duration time until failure recovery and raises the failure level every time the threshold is exceeded. By raising the failure level, the monitoring device can add a contact address corresponding to the failure level and send the mail.

  Conventionally, however, there has been no clear provision in determining the failure level and measuring the elapsed time of failure, and the relationship between the degree of failure and the failure level has been ambiguous. Also, the failure elapsed time and the level-up timing were not uniform. For this reason, there is a problem that even when the failure level is the same, there is a variation in the timing at which the failure notification by e-mail is transmitted to an appropriate person in charge, and the response may be delayed.

  In view of the above problems, an object of the present invention is to provide a network monitoring system capable of notifying an appropriate person in charge of occurrence of a failure at an appropriate timing according to the degree of the failure.

  The present invention is a network monitoring system for monitoring a failure of a device or a line constituting a network and notifying a network user of the state of the failure, wherein the device or the line connecting the bases provided with a local communication network is provided. Failure detection means for detecting failure information including failure, detection date and time, and device or line status; name of the site; importance of the site; business hours of the site; failure content of the device or line And a failure determination table that associates a determination criterion for availability of the device or a determination criterion for determining the extent of failure, and whether the importance and the detection date of the failure are within or outside the business hours, the device or Effect of registering the size of the range of influence of the failure of the device or line based on the combination of the availability of the line or the state of each element of the wide and narrow A failure determination table, a failure level table in which a failure level is registered in association with the size of the affected range and an elapsed time from the detection of the failure, and a notification destination user in the failure state in association with the failure level Influence range determination means for determining the state of each of the elements by referring to the user table and the failure determination table, and determining the range of influence by referring to the influence range determination table based on the combination of the states of the elements Failure level determination means for determining the failure level by referring to the failure level table based on the influence range and the elapsed time, and failure to the notification destination user associated with the failure level in the user table E-mail transmitting means for transmitting an e-mail informing the contents of the e-mail.

  It is possible to provide a network monitoring system capable of notifying an appropriate person in charge of occurrence of a failure at an appropriate timing according to the failure level.

It is a figure which shows an example of a schematic structure of a network monitoring system. An example of the hardware block diagram of a monitoring apparatus, a failure management server, or a mail server is shown. It is an example of a functional block diagram of a network monitoring system. It is an example of the figure explaining the outline of a network monitoring system. It is a figure which shows an example of a base identification table. It is an example of the figure which shows the log which a monitoring apparatus detects. It is an example of the figure which visualized the log which a monitoring apparatus detects. It is an example of the figure explaining the influence range determined based on four elements. It is an example of the figure which illustrates the influence range at the time of provisional decision typically. It is an example of the figure which illustrates typically the influence range at the time of provisional determination of a wide area fault. It is a figure which shows an example of the range determination table. It is an example of a failure level table. It is an example of the figure explaining the production | generation of the mail for recording. It is a figure which shows an example of the mail for recording. It is an example of the figure explaining the relationship between a failure level and a contact address. It is an example of the figure explaining the mail which a mail server transmits. It is an example of the flowchart figure explaining the procedure in which a network monitoring system monitors a failure of a network.

Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.
FIG. 1 is a diagram illustrating an example of a schematic configuration of a network monitoring system according to the present embodiment. The monitoring device 100 monitors the network for any failure. When the monitoring apparatus 100 detects a failure, the failure management server 200 analyzes the content of the failure and identifies the “influence range”. The influence range is, for example, enormous, large, medium, or small.

  Further, the failure management server 200 determines an initial “failure level” according to the influence range. In the example of the figure, the initial failure level is 3 if the affected range is large or large, the initial failure level is 2 if the affected range is medium, and the initial failure level is 1 if the affected range is small. Become.

  When the initial failure level is determined, the failure management server 200 notifies the mail server 300 of the failure status and failure level, so that the mail server 300 sends a mail to a predetermined contact address according to the failure level. Send.

  Further, the failure management server 200 measures the failure duration when the failure continues. Each time the duration exceeds the threshold, the failure level is increased. Each time the failure level transitions, the failure management server 200 notifies the mail server 300 of the failure level, so that the mail server 300 transmits an email to a contact address that is predetermined according to the failure level.

  As described above, the network monitoring system 500 according to the present embodiment analyzes the influence range and determines the failure level, so that the correspondence between the failure level and the failure level can be unified. Further, since the failure level increases every time the failure duration exceeds the threshold, the correspondence between the failure duration and the failure level can be unified. Therefore, it is possible to unify the mail address for the failure, and it is possible for companies and the like to take an appropriate response to the failure.

[Configuration example]
As illustrated in FIG. 1, the network monitoring system 500 includes a monitoring device 100, a failure management server 200, and a mail server 300. These are functional classifications, and it is sufficient that the function of each device is mounted on one or more computers.

  There are various network devices (monitored devices in the figure) in the network. The network device is necessary for providing services such as data communication, but does not have to be a component of the network monitoring system 500. The network device is, for example, a router, an L3 switch, or a server. A port to which a cable is connected to these network devices and an IP address is assigned is sometimes called an interface because it is a connection port with another network.

  FIG. 2 shows an example of a hardware configuration diagram of the monitoring device 100, the failure management server 200, or the mail server 300. Since all of the monitoring device 100, the failure management server 200, and the mail server 300 may function as a computer, the configuration of the monitoring device 100 will be described below.

  The monitoring device 100 is a form of a computer. The monitoring device 100 includes a CPU 101, a RAM 102, a ROM 103, a storage medium mounting unit 104, a communication device 105, an input device 106, a drawing control unit 107, and an HDD 108 that are mutually connected by a bus. The CPU 101 provides various functions by reading an OS (Operating System) and a program from the HDD 108 and executing them, and comprehensively controls processing performed by the monitoring apparatus 100.

  The RAM 102 is a working memory (main storage memory) that temporarily stores data necessary for the CPU 101 to execute the program. The ROM 103 stores a program (static input data) for starting up a BIOS (Basic Input Output System) and the OS. It is remembered.

  A storage medium 110 can be attached to and detached from the storage medium mounting unit 104, and a program recorded in the storage medium 110 is read and stored in the HDD 108. Further, the storage medium mounting unit 104 can also write data stored in the HDD 108 into the storage medium 110. The storage medium 110 is, for example, a USD memory or an SD card.

  The input device 106 is a keyboard, a mouse, a trackball, or the like, and accepts various operation instructions from a manufacturing manager of the monitoring device 100.

  The HDD 108 may be a nonvolatile memory such as an SSD, and stores various data such as an OS, a program, and a standard value. The monitoring device 100 includes a program 111 that detects a failure and notifies failure information, issues a failure alert, and visualizes the failure status. The failure management server 200 has a program 111 for determining an influence range and a failure level. The mail server 300 has a program 111 for sending mail to a contact address corresponding to the failure level.

  The communication device 105 is a NIC (Network Interface Card) for connecting to a network 301 such as the Internet, and is, for example, an Ethernet (registered trademark) card.

  The drawing control unit 107 interprets a drawing command written in the graphic memory by the CPU 101 executing the program 111, generates a screen, and draws it on the display 109.

  FIG. 3 shows an example of a functional block diagram of the network monitoring system 500. All of the monitoring device 100, the failure management server 200, and the mail server 300 are realized by the CPU executing a program and the cooperation of hardware such as a memory.

  The monitored device 400 is a resource necessary for providing a service using a network, such as a network device or a line monitored by the monitoring device 100. All devices that make up the network are included. For example, a router, a server, a layer 3 switch, a load distribution device, a security device, and the like. These have an IP address for each interface with the network, and faults are monitored on an interface basis. Since a network device usually has a plurality of interfaces, a plurality of failures may be detected from one network device.

  The monitoring device 100 includes a device monitoring unit 12, a site identification table 11, and a transmission / reception unit 13. The device monitoring unit 12 detects the occurrence of a failure in the monitored device 400. The base identification table 11 is a table in which a faulty device or line is associated with base identification information. There are various methods for detecting the occurrence of a failure, but the network monitoring system 500 of this embodiment does not matter. Specific methods and bases will be described later.

  The failure management server 200 includes a range analysis unit 15, a failure level determination unit 16, a mail generation unit 17, a transmission / reception unit 14, a range determination table 18, and a failure level table 19. The range analysis unit 15 determines the influence range of the failure using the range determination table 18. The failure level determination unit 16 refers to the failure level table 19 and determines a failure level from the influence range and the duration of the failure. Details of these will be described later. The mail generation unit 17 receives input of failure information and mail information by the administrator, and generates a recording mail.

  The mail server 300 includes a mail transmission unit 22, a transmission / reception unit 21, an incident management DB 23, a contact table 24, and a mail template 25. The mail transmission unit 22 transmits a mail reporting a failure to a contact address corresponding to the failure level. The incident management DB 23 is a database for recording the progress of failures and the history of failures. Although the incident management DB 23 is included in the mail server 300, it may be installed in an independent device such as NAS (Network Attached Storage) or another server. The mail server 300 may be mounted on the same computer as the failure management server 200.

[Outline]
FIG. 4 is an example for explaining an outline of the network monitoring system 500. The network monitoring system 500 includes the monitoring device 100, the failure management server 200, and the mail server 300 described above.
(1) First, the monitoring apparatus 100 monitors a failure of a network device or a line, and issues a failure alert when a failure is detected. The failure alert includes, for example, various information such as the location of the failure, the date and time of detection, and the device status such as whether communication is possible. Hereinafter, this is referred to as failure information. When a failure occurs, the monitoring apparatus 100 turns on the patrol light and outputs an alarm sound.
(2) The failure management server 200 obtains failure information, determines whether the base importance, the failure detection date / time is within or outside the business hours of the base, network device / line availability, The influence range of the failure is determined based on the combination of the range of the range affected by the line failure. The failure management server 200 can also be configured integrally with the monitoring device 100.

The failure management server 200 determines an initial failure level based on the influence range. If the failure continues for a long time, it is considered that the failure becomes large. Therefore, the failure management server 200 increases the failure level as time passes.
(3) The failure management server 200 receives an input of information necessary for sending an email from the administrator, and generates a recording email using the failure information. This recording mail is stored in the incident management DB 23 for fault management.
(4) The mail server 300 determines the contact address based on the failure level and transmits an e-mail for notifying the status of the failure. An e-mail is sent each time the failure level increases.

  Hereinafter, the monitoring device 100, the failure management server 200, and the mail server 300 will be described in detail.

[Monitoring by monitoring equipment, etc.]
The monitored device 400 has a network device and a line. However, if there is a failure in the line, the monitoring device 100 cannot communicate with the network device. However, the monitoring device 100 can detect that communication cannot be performed by monitoring the voltage level (L1, L2 level) of the line.

  In order to monitor an IP level failure of a network device, the device monitoring unit 12 transmits a Ping command to, for example, a router, and monitors whether or not a failure has occurred based on the presence or absence of a timeout, the number of times of timeout, and the like. In order to monitor a failure in a higher layer of a network device, the device monitoring unit 12 tries to connect to a TCP port, for example. If the network device is a Web server, the TCP port 80 is specified to generate a TCP packet and send it to the network device. Similarly, whether or not a failure has occurred is monitored based on the presence or absence of a timeout, the number of times of timeout, and the like. Depending on the type of server, monitoring according to the server is possible by changing the TCP port number.

  When monitoring a failure in an upper layer than TCP, the device monitoring unit 12 generates a pseudo transaction according to an application level protocol such as HTTP, Simple Mail Transfer Protocol (SMTP), FTP, or POP3, and transmits the pseudo transaction to each server. In this case, not only the presence / absence of timeout, but also high-level monitoring is possible from the response code.

  The device monitoring unit 12 may monitor network devices using SNMP. The device monitoring unit 12 is an SNMP manager, and a network device is an agent. The SNMP manager inquires about the contents of MIB (Management Information Base) managed by the network device. Further, when the network device detects a predetermined event, the network device notifies the monitoring device 100 of an event notification called an SNMP trap. Therefore, the device monitoring unit 12 can detect a failure that has occurred in the network device from the event content.

  As described above, the device monitoring unit 12 collects IP addresses having a large relationship with the failure. If the IP address is known, the base can be determined.

  FIG. 5 is a diagram illustrating an example of the site identification table 11. The site identification table 11 has fields for source, interface, and line. The source is base identification information. A base is a department, business office, sales office, data center, or the like. The base is a small-scale network that has a LAN (private communication network) connected to a wide-area network and is classified by a network address when viewed from the communication network. The bases are distinguished from the Internet side, other bases, etc. by, for example, routers and L3 switches. The bases are connected by a line. The base identification information (source) is often the identification information of a router or L3 switch. In addition, (latitude, longitude) is given to the source, and the physical position is clarified.

  The interface is an IP address of an interface on the LAN side of the base or an interface on the Internet side. The line is an identification name, a product name, or a service name of the line connected to the interface.

  According to such a base identification table 11, the base that is affected by the interface or the line where the fault has occurred is clarified. If the source is known, the general base name (such as the name of the establishment) will also be clarified.

[Example of alerts generated by monitoring devices]
FIG. 6 is an example of a diagram illustrating a log detected by the monitoring apparatus 100. In FIG. 6, one line log describes the operation state of one interface. The importance, date and time, source, and message are described in one line of log.

There are logs that describe normal operations and logs that describe fault alerts. The failure alert is further classified into an attention state, an alert state, an important alert state, and a dangerous state according to the importance. The state into which a certain failure alert is classified is set in the monitoring apparatus 100 in association with the detected interface and its state.
Critical interface has stopped: Critical alert state Normal interface has stopped: Alert state In the “importance”, the monitoring device 100 determines the normal state, the alert state, and the important state based on the content of the failure alert as described above. A warning status distinction is described. “Date / time” describes date / time information obtained from a time server (not shown) when a failure is detected. In “Source”, the source name read from the network device or the source read from the site identification table 11 based on the IP address of the interface is described. The “message” describes the IP address, interface name, and interface status of the interface. In addition, the monitoring result of the monitoring apparatus 100 such as the trap content of the SNMP trap is described in the log.

  FIG. 7 is an example of a diagram visualizing a log detected by the monitoring apparatus 100. The region name and the line name (service name) of the line connecting the regions are displayed on the map of Japan. This area name represents one base included in each area for the convenience of the display area. For example, the area name Kanto includes a plurality of bases in the Kanto region.

  When the administrator clicks a region name on the map of Japan with the mouse, the prefectures included in the region name are displayed. In the figure, the area name Kanto region is clicked, and the prefecture names such as Tokyo, Ibaraki, Tochigi, and Chiba are displayed.

  Then, when the administrator clicks the name of the prefecture on the map of Japan with the mouse, the names of the bases included in the clicked prefecture are displayed.

  The base name or the icon indicating the base is displayed in red when an alert of an important alert state or higher is detected, for example. As will be described later, when there are five or more red bases, for example, the target range of the failure is determined to be “wide”.

  For this reason, when the number of red bases is five or more, an icon indicating one prefecture name or prefecture on the map of the prefecture is displayed in red. When one or more prefectures are red, the region name on the Japan map or an icon indicating the region name is displayed in red.

  In the figure, Japan is taken as an example, but the network of each country can be displayed in the same manner, and the network can also be displayed on the world map.

[Fault management server 200]
〔Impact range〕
First, the idea of the range of influence will be described. The following four elements are used to determine the impact range.
1. Target importance 2. 2. Business hours Provided service status Scope 1. Target Importance The target importance is the degree of influence on other devices when a failure occurs in a monitored network device or line. In this embodiment, it is divided into high, medium and low.
High: Network equipment that has a major impact on the business activities of the entire company due to outages Medium: Network equipment that has more than a predetermined number of operations and personnel affected by the outage Low: Others Network equipment with high target importance is, for example, the main server (Mail, DB, HUB, etc.), common domain server, middle network devices are backup servers, pass-through servers, and network devices with low target importance are other servers.

2. It is considered that the impact is great when the detection time of the business time failure is a time zone in which the employee conducts business. Therefore, whether it is within business hours or outside business hours is the determining factor of the influence range. Business hours vary depending on the company, but for example, there are the following patterns.
Pattern 1: 24h (365 days)
Pattern 2: 7:00 to 22:00 (Monday to Saturday)
Pattern 3: 8:00 to 20:00 (Monday to Friday excluding holidays)
The business hours may be changed only at the end of the month, the closing date (50th day), or the daylight saving time may be reflected.

3. Provided service state The provided service state is, for example, a state of whether or not the provided service can be used. The provided service status is largely classified into a line status and a server status.

<Service provided by line>
-Unusable: A fault has occurred and both duplexed lines are unusable.
A single line is unavailable due to a failure
An instantaneous interruption occurred on the line, and the condition recurred within 10 minutes
The service from the initial detection to the recovery of the re-detection is not available due to unstable communication.
Applicable even when there are multiple disconnections of 1 minute or less on the duplexed line and the path switching occurs frequently. ・ Available (partial disconnection): One of the duplexed line or device can be used. , The service provided by using the other is available <Service provided by server>
・ Unusable: Failure to access the server
System DB corruption failure
Failure to stop mail delivery
Failures that can not be used for servers (mirroring, primary and secondary failures) / available: various resources (disk, memory) notification
Failures in which the mail delivery status is abnormal and retention has occurred
Failure to re-acquire backup
A failure has occurred but the server is operational
3. When an access failure to the server occurs, but is recovered by automatic restart processing. Scope If there are many failures simultaneously due to one cause and the number of targets is large (multiple stops), it is estimated that the impact on business is large. For this reason, in the present embodiment, the target range is taken as an element for determining the influence range. For the determination of the target range, the number of faults detected simultaneously (for example, within a few minutes, a time difference that can be regarded as almost simultaneous) is used. The simultaneous definition is determined for each base or line because there is a difference in detection timing for each provided service.

For example, when a failure occurs in a single base, the monitoring apparatus 100 detects about 1 to 5 alerts. For this reason, the scope of the target range cannot be measured with a simple number of failures.
Therefore, in the present embodiment, the number of failure bases is counted as the number of failure occurrences, and the target range is expressed by a wide area (failure base distribution range). A wide area is defined as a case where the bases are spread over prefectures, or a case where a failure is detected in many bases within each individual prefecture. For example, it is assumed that the number of bases connected to each prefecture is five or more. In this case, when simultaneous failures occur at five or more bases, it is considered that many connection bases in each prefecture are affected by the faults, and can be regarded as a wide-area fault.
・ Hiro: More than 5 bases
・ Narrow: 4 bases or less Assumed failures are wide, regional disasters, carrier network failures, relay base failures, relay station failures, and in narrow cases, faults that affect a certain ward due to containment station failures, access lines It is assumed that there is a failure that affects individual sites due to a failure.

FIG. 8 is an example of a diagram illustrating an influence range determined based on four elements. This figure is an example of the influence range determination table 20 described later. The range analysis unit 15 of the failure management server 200 determines the influence range as follows according to the determination result of the target importance, the business time, the provided service state, and the target range.
Target Importance: High Business Hours: Inside or Outside Provided Service Status: Unusable Target Range: When narrow or wide, the impact range is enormous.
Target Importance: Medium Business Hours: Within Service Status: Unusable Target Range: If narrow, the impact range will be large.
Target Importance: High Business Hours: Inside and Outside Provided Service Status: Available Coverage: When narrow and wide, the impact range is medium.
Target Importance: Medium Business Hours: Inside and Outside Provided Service Status: Unusable Target Range: When narrow and wide, the impact range is small.

<Provisional impact range>
More specifically, the range analysis unit 15 examines alerts for each base and each interface to obtain each element. However, when the target range of failure is wide (in the case of a wide area), it may take time to determine the provided service state.

  For this reason, it is also effective to temporarily determine the influence range by limiting the elements to the target importance level, the business time, and the provided service status, and to make the final determination after a certain amount of time has passed.

  FIG. 9 is an example of a diagram schematically illustrating the influence range at the time of provisional determination. There are three elements: target importance, business hours, and provided service status.

  In FIG. 9, the impact range (Large, Large, Medium, and Small) is determined from the target importance, business hours, and service status. For example, if the service provided at Kansai DC (Data Center) becomes unavailable at 9:00 am on weekdays, the impact is enormous because the target importance is high and it is within business hours. Further, for example, when the service becomes unavailable at 15:00 on a holiday at the service center (SS), since the target importance is low and it is out of business hours, the influence range is low.

  Further, in the case of a wide area failure, it is expected that it takes time to determine the provided service state. However, in order to maintain quality assurance of services such as SLA (Service Level Agreement), it is not necessary to wait until it is determined whether there is a wide area failure. Therefore, in the case of a wide-area failure, it is also effective to tentatively determine the influence range based only on the target importance and the business hours.

  FIG. 10A is an example of a diagram for schematically explaining the influence range at the time of provisional determination of a wide area fault. There are two elements: target importance and business hours. For example, if the target importance includes high, and the business importance is within or outside of business hours, the range of influence becomes enormous. In addition, when the target importance is low and it is out of business hours, the influence range is low. When the influence range is tentatively determined, if there are two or more options for each element, the highest element found when the influence range is determined is valid. In this way, the failure level can be biased to a larger level, so that missing reports can be prevented.

  When the provided service state is determined, the range analysis unit 15 corrects the influence range. In FIG. 10B, a provided service state is added. If the range of influence changes due to the addition of the provided service status, the range of influence is re-determined at the stage where it is found. In addition, when the cause of a new failure is found, the affected range is redetermined.

[Determination of the scope of impact]
The range analysis unit 15 determines the influence range (for example, large, large, medium, and small) of the failure based on the above concept.

  FIG. 11 is a diagram illustrating an example of the range determination table 18. The range determination table 18 is a table for determining the influence range based on the concept of the influence range described so far. First, in FIG. 11A, for each base, a base name, a source, an interface, a target importance, a business time, an availability determination criterion, and a target range broadness criterion are registered. The site name is a general name.

  The source is an identification name of various network devices used at the base as described above. Although one or more routers and layer 3 switches are used at a single site, it is difficult to name each of them, so they have been given a uniform name as a source.

  The interface is the same as described above, and in order to identify the interface, for example, a router uses an IP address at a boundary connecting to the WAN, the Internet, or the like. For example, when there is a LAN in the base and the LAN of another base is formed, the IP address on the LAN side and the IP address on the WAN side of the router at the base are registered.

  The target importance level is the importance level of the base, and is registered in advance based on the above concept. As for the business hours, some patterns of business hours patterned in advance are registered. In the availability determination criterion, link information with a table for determining availability of a source (network device or line) at the time of occurrence of a failure is registered.

  FIG.11 (b) is a figure which shows an example of the usability determination criteria of Kawasaki CC (MZR009A). In the usability judgment criterion, the judgment of usability is registered according to the alive state of the interface or a combination thereof. For example, in the case of Kawasaki CC (MZR009A), it is registered that when all three interfaces Fa1, Tu1, and Tu2 are stopped, it is determined that they cannot be used.

  In addition, it is registered that when only the interface Tu1 that is an interface on the WAN side is stopped, it is determined that it can be used (partly).

  The target range broadness criterion is a criterion for determining whether the target range of an obstacle is wide or narrow. In the figure, 5 or more are “wide” and 4 or less are “narrow”. In the present embodiment, the number of bases exceeding the critical alert state is counted. Thus, for example, when the device monitoring unit 12 detects an interface in an important alert state, the range analysis unit 15 identifies the name of the site associated with the interface in the important alert state from the site identification table 11 and counts the number of the sites. To do. Then, this number is compared with a determination criterion to determine whether the target range is wide or narrow. The number of bases is revealed by counting the sources that are in critical alert so as not to overlap.

  Further, it is possible to determine whether the target range of the failure is “wide” or “narrow” based not only on the number of bases but also on the number of network devices in which the failure is detected. When an environmental failure such as a power supply abnormality or an air conditioning abnormality occurs, there is a possibility that a plurality of network devices may fail. For example, when a failure occurs in a server that is one of network devices, many users are affected. For this reason, it is also effective to determine whether the target range of the failure is “wide” or “narrow” from the number of network devices in which the failure is detected. In this case, the “wide / narrow reference for the target range” may be the same as or different from the wide / narrow reference for the number of bases.

  For example, a wide area is defined as a range of business that is affected. In this case, what kind of work is affected when a failure occurs in a server at a certain site differs depending on the server. For example, the scope of work that the user is influenced by differs when the server includes only a personnel system and when the server includes a personnel system and a sales system. Therefore, it can be determined that a wide-area failure has occurred when the number of network devices in which a failure has occurred is large as well as the number of locations.

  The range analysis unit 15 refers to a table in which the source of the critical alert state and the business type (personnel, sales, production, etc.) are associated with each other, and determines whether or not a failure has occurred in the source that affects the business. Then, the number of sources that have an influence on the business is counted so as not to overlap, and it is determined whether the target range of failure is “wide” or “narrow” by comparing with the wide and narrow criteria.

  The range analysis unit 15 refers to the range determination table 18 from the failure information and determines the state of each of the four elements. Then, with reference to the above-described influence range determination table 20, an influence range (large, large, medium, and small) in which the states of the four elements are matched is determined.

<Determination of failure level>
The failure level determination unit 16 refers to the failure level table 19 and determines an initial failure level from the affected range.
FIG. 12A shows an example of the failure level table 19. The failure level table 19 associates the affected range with the failure level. One of the features is that the failure level increases with the elapsed time of the failure.

The meaning of the failure level is, for example, as follows.
・ Disability level 5: Level that requires risk management as management ・ Disability level 4: Level that requires progress management of operational impact ・ Disability level 3: Level that requires consideration of work alternatives ・ Disability level 2: Inquiries Necessary level / failure level 1: Minimum level that needs to be managed as a failure.
・ Failure level 5: Failures that are expected to lead to serious damage in the service provided by important areas or multiple (or wide-area) services that have been extended for a long time. ・ Failure level 4: Important areas or multiple (or wide-area) ) Failure / failure level 2 that affects the service provided and has passed for a certain period of time: Failure / failure level 2 that has some impact on the business, is noticed by the user, and is detected systematically : It is limited to a specific area with low importance, and it is difficult for the user to notice it physically, but the failure / failure level detected systematically 1: There is no substantial damage to the business, but it is detected systematically Failure (redundancy function is working, etc.)
If the failure lasts for a long period of time, the damage will be great. Therefore, the failure level determination unit 16 changes the failure level in consideration of the elapsed time. Here, the threshold time for the failure level to be increased by one is not uniform. For example, the threshold time for changing from failure level 1 to failure level 2 is not necessarily the same as the threshold time for changing from failure level 2 to failure level 3 (may be the same). ). In addition, the threshold time is appropriately set for each provided service.

  FIG. 12B is a diagram illustrating an example of the relationship between the elapsed time and the failure level.

The elapsed time is, for example, based on the following, and the failure level is changed on the basis of the following.
・ 1 minute ・ ・ ・ Time instantly detected by system ・ 10 minutes ・ ・ ・ Estimated time for local users to notice sensation ・ 60 minutes Time that can be determined: 240 minutes ... Time when recovery time (service level) cannot be maintained Note that it is preferable to consider business hours when counting elapsed time. In determining the influence range, whether or not the failure detection date / time is within business hours or outside is used as a determination factor, but this only looks at the detection date / time. However, the failure level should be considered large if the failure duration is long and the real time is the business time. For this reason, the failure level determination unit 16 increases the failure level by one step if, for example, the actual time is the business time. Also, during business hours, the threshold level is multiplied by a constant such as 0.8 so that the failure level becomes larger earlier than outside business hours.

  Further, when the scheduled recovery time is determined and the failure continuation time is known in advance, even if the elapsed time is zero, the failure level is determined when the scheduled recovery time is determined. Thereby, the failure level can be determined early.

  FIG. 12C is an example for explaining the transition of the failure level when the provided service is an ADSL line. Since the ADSL line is a best-effort type, the scope of influence is different. That is, the failure level starts from 1, and after 10 minutes, the failure level becomes 2. After that, the failure level 2 is maintained regardless of the elapsed time.

<Generate email>
The mail generation unit 17 of the failure management server 200 receives failure information, target importance, inside / outside business hours, provided service status, target range, and information input by the administrator, and generates a recording mail. The recording mail is different from the mail transmitted to the user.

FIG. 13 is an example of a diagram illustrating generation of a recording mail. The information input for generating the recording mail is, for example, the following.
Serial number, date / time, source information, message (IP address)
The serial number is assigned a serial number that does not overlap by adding 1 to the last serial number generated by the mail generation unit 17. The date and time are automatically input when the administrator presses a predetermined key (for example, “ctrl” key + “:” key). The date and time of failure detection included in the failure information is also taken in the date and time. The source information is the source name of the base that is apparent when the target importance or target range is determined.

  The message is input by the administrator selecting an IP address. Since the mail generation unit 17 displays the IP address associated with the source in the range determination table 18, the administrator selects the IP address of the device in which the failure has occurred. From this IP address, failure phenomena on the LAN side, WAN side, etc. can be described in the recording mail.

  FIG. 14 is a diagram illustrating an example of a recording mail. The recording mail includes 1 failure discovery destination, 2 failure occurrence point, 3 failure date and time, 4 customer staff, 5 failure phenomenon, 6 failure cause, 7 treatment, 8 primary classification result, 9 remarks, and the like. In addition, the target importance and internal / external business hours are included.

  One failure discovery destination is the name of the device that detected the failure. 2 The point of failure is the base name. The three failure dates and times are the occurrence date and time of the failure, the recovery date and time (when recovered), and the completion date and time (for example, when returning from the backup state by the redundant configuration to the state before the failure). 4. The customer contact person is the name of the customer contact person when the customer uses the location where the failure has occurred. The 5 failure phenomenon is a failure state that can be read from the alert message. 6 The cause of failure is the cause of failure. Seven treatments are treatments for the disorder. 8 The primary separation result is a situation caused by disconnecting a router having a failure.

  Of these, 4, 6, 7, 8, and 9 can be input by the administrator. The failure phenomenon 5 is apparent from the failure alert and range determination table 18, but may be added by the administrator. The line and device name are read from the site identification table 11 and a database (not shown).

  The mail generation unit 17 registers the created recording mail in the incident management DB 23. The incident management DB 23 is a database for managing failure progress and history. Further, the failure level determined by the failure level determination unit 16 is notified to the mail server 300.

[Mail server]
The mail transmission unit 22 of the mail server 300 determines a contact address according to the failure level, and generates and transmits a mail conveying the content of the failure. In the contact table 24, users who belong to each contact and their mail addresses are registered. The mail template 25 is registered with mail text and format templates.

<Disability level and contact information>
FIG. 15 is an example of a diagram for explaining the relationship between the failure level and the contact information. In the figure, the contact information is divided into the user side and the service side. The user side is a person who uses the network system, and includes, for example, a management layer, each company responsibility ward, a LAN management ward (responsible person), a LAN management ward (person in charge), and a base (person in charge). The service side is a person who provides the service, for example, a management layer, a responsible district, a project manager, or a project manager. The service area is the service management department, and the supervision area is the management department on the service provider side.

Failure level 1: User site (person in charge)
Failure level 2: LAN management zone and project manager Fault level 3: LAN management zone (responsible person), project manager Fault level 4: LAN management zone and responsibility zone Failure level 5: Management layer Includes subordinate contacts. That is, in the case of failure level 1, the mail is transmitted to the contact of failure level 1. In the case of failure level 2, the mail is transmitted to the contacts of failure levels 1 and 2. In the case of the failure level 3, the mail is transmitted to the contacts having the failure levels 1 to 3. In the case of the failure level 4, the mail is transmitted to the contacts having the failure levels 1 to 4. In the case of failure level 5, the mail is transmitted to the contacts of failure levels 1-5.

  When the contact is determined, the mail transmission unit 22 reads the mail address of the contact user from the contact table and sets it as the e-mail contact.

<Example of email contents>
FIG. 16 is an example of a diagram for explaining a mail transmitted by the mail server 300. The reason why the mail server 300 transmits mail instead of the mail transmitted by the fault management server 200 is to convey the fault contents to the user in an appropriate expression. The mail transmitting unit 22 has several mail templates 25 and generates mail by filling in necessary items in the mail template 25.

  In the mail template 25, the message “Subject” “I am always indebted to you. This is a monitoring center. I have confirmed the alert notification from the monitoring system and will contact you as soon as possible.” "R-WAN domestic service failure communication form" is prepared.

  In addition, the item name “1. Failure occurrence location 2. Failure date and time 3. Failure effect 4. Connection network 5. Failure cause 6. Response” is prepared. Also, “Details are currently under investigation and will be reported later. Thank you for your cooperation.” “<Monitoring Center-Person in charge>: XX (xx-xxxx-xxxx)” Is prepared.

  The mail transmitting unit 22 completes the mail by adding and describing the above items, the site name, the incident number, and the failure status to the mail template 25. “1. Failure occurrence location” is the failure occurrence location of the recording mail. “2. Failure date and time” is the failure date and time of the recording mail. “3. Effect of failure” is the content generated from the failure phenomenon of the recording mail, the action, the result of the primary separation, or the same content. “4. Connection network” is a recording mail line. “5. Cause of failure” is a cause of failure in the recording mail. “6. Response” is being handled if the failure has not been recovered, and has been handled when the failure has been recovered.

The base name is the base where the failure occurred in the recording mail, and the incident number is the report number generated by the mail generation unit 17. The failure status is selected from, for example, “occurrence, occurrence / recovery, relapse, relapse / recovery, occurrence / recovery / complete, relapse / recovery / complete”. The administrator knows at least whether or not the failure has been recovered. If it has not been recovered, it will be “occurrence”, if it has been recovered, “occurrence / recovery”. "Relapse" if there is a failure at the same location, "Relapse / recovery" if it is recurred but recovered, "Occurrence / recovery / complete" or "Reoccurrence / recovery / complete" when returning to the original state instead of backup etc. It becomes.
With such an email, the received user can easily grasp the failure status.

[Operation procedure]
FIG. 17 is an example of a flowchart illustrating a procedure for the network monitoring system 500 to monitor a network failure. The procedure of FIG. 17 is repeatedly executed while the monitoring apparatus 100 is involved in a failure.

  First, the device monitoring unit 12 detects a failure and issues a failure alert (S10). The device monitoring unit 12 notifies the failure management server 200 of the failure information.

  Next, the range analysis unit 15 of the failure management server 200 analyzes the influence range, and the failure level determination unit 16 determines an initial failure level (S20). Since the mail generation unit 17 transmits the recording mail to the mail server 300, the transmission / reception unit 21 of the mail server 300 stores the recording mail in the incident management DB 23.

  Then, the mail generation unit 17 transmits a mail to a contact corresponding to the failure level (S30).

  Since the device monitoring unit 12 continues to monitor the failure, the device monitoring unit 12 determines whether the failure has been recovered based on the monitoring result (S40).

In the case of recovery (Yes in S40), the mail transmission unit 22 notifies the contact person of the recovery by mail (S50).
When not recovering (No in S40), the failure level determination unit 16 determines whether or not to increase the failure based on whether or not the threshold time has elapsed (S60). If it does not level up, it waits for recovery.

  When the failure level is increased (Yes in S60), the failure level determination unit 16 increases the failure level by one (S70).

  Then, the mail generation unit 17 transmits the mail to the contact address corresponding to the failure level (S80). At this time, it is preferable to send the mail to the contact already sent. Thereby, it can be notified that the failure level has increased. On the other hand, the e-mail may not be transmitted to the contact already sent. This is because the occurrence of a failure has already been notified.

  As described above, the network monitoring system 500 according to the present embodiment determines a failure level based on failure information notified from the monitoring apparatus 100 when a network failure occurs, and determines a contact to be contacted according to the failure level. Can do. Since the failure level is increased with the failure duration, the contact can be controlled according to the importance of the failure.

DESCRIPTION OF SYMBOLS 11 Base identification table 12 Equipment monitoring part 13, 14, 21 Transmission / reception part 15 Range analysis part 16 Failure level determination part 17 Mail generation part 18 Range determination table 19 Failure level table 20 Influence range determination table 22 Mail transmission part 23 Incident management DB
24 Contact Table 25 Mail Template 100 Monitoring Device 200 Fault Management Server 300 Mail Server 500 Network Monitoring System

JP 2004-206598 A

Claims (7)

A network monitoring system for monitoring a failure of a device or a line constituting a network and notifying a network user of the failure state,
Failure detection means for detecting failure information including failure of the device or the line connecting between bases equipped with a local communication network, detection date and time, and state of the device or line;
The base name of the base, the importance of the base, the business hours of the base, the contents of failure of the device or the line, and the criteria for determining whether or not the device can be used, or the criteria for determining the extent of the failure A failure determination table;
The influence of the failure of the device or line based on the combination of the status of each element of the importance, failure detection date or time within or outside the business hours, availability of the device or line, or the state of the wide or narrow An influence range determination table in which the size of the range is registered;
A failure level table in which a failure level is registered in association with the size of the influence range and the elapsed time from the failure detection;
A user table in which failure-state notification destination users are registered in association with the failure level;
Referring to the failure determination table, determine the state of the element based on the failure information, and refer to the influence range determination table based on the combination of the state of the element to determine the influence range Means,
Failure level determination means for determining the failure level by referring to the failure level table based on the influence range and the elapsed time;
An e-mail transmitting means for transmitting an e-mail notifying the content of the failure to the notification destination user associated with the failure level in the user table;
A network monitoring system. The failure level determination means increases the failure level by one step every time the elapsed time exceeds a threshold,
The e-mail transmission means transmits an e-mail informing the notification destination user of the content of the failure associated with the new failure level;
The network monitoring system according to claim 1. In the failure level table, a threshold for increasing the failure level by one level is registered for each level.
The network monitoring system according to claim 2, wherein: The influence range determining means determines two or more states of the element, preliminarily determines the influence range based on a combination of the two states of the element, and a timing at which the remaining state of the element is determined And update the affected range,
The network monitoring system according to any one of claims 1 to 3. A site identification table that associates one or more IP addresses assigned to the device, the line to which the device is connected, and site identification information of a site affected by the failure of the device or the line; Have
The influence range determining means counts the number of bases associated with the IP address of the device in which a failure is detected or the IP address of the device to which the line is connected from the base identification table so as not to overlap. ,
If the number of bases is greater than or equal to the criterion, it is determined that the failure is in a wide area,
The network monitoring system according to claim 1, wherein: The influence range determination means counts the number of the devices in which a failure is detected so as not to overlap,
If the number of the devices is equal to or greater than the criterion, determine that the failure is in a wide area,
The network monitoring system according to claim 1, wherein: A network monitoring method in which a network monitoring system monitors a failure of a device or a line constituting a network and notifies a network user of the failure state,
A step of detecting a failure information including a failure of the device or the line connecting between the bases provided with the local communication network, a detection date and time, and a state of the device or the line,
The base name of the base, the importance of the base, the business hours of the base, the contents of failure of the device or the line, the determination criteria for the availability of the device, and the determination criteria for determining the extent of the failure Refer to the failure judgment table,
The influence range determining means determines the state of each of the elements, and further, each of the importance level, whether the date and time of failure detection is within or outside the business hours, the availability state of the device or line, and the width Based on the combination of element states, the influence range determination table in which the size of the influence range affected by the failure of the device or the line is registered, the state of the element is determined based on the failure information, respectively. Determining a range of influence based on a combination of states;
The failure level determination means determines the failure level based on the influence range and the elapsed time with reference to the failure level table in which the failure level is registered in association with the size of the influence range and the elapsed time from the detection of the failure. Steps,
The electronic mail transmitting means refers to a user table in which a failure state notification destination user is registered in association with the failure level, and notifies the notification destination user associated with the failure level of the content of the failure. Sending an email;
A network monitoring method.

Images