JP2013041367A - Operation management device, operation management method, and operation management program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect an error in a management target node without collecting performance information on the management target node.SOLUTION: In an operation management device 21, a message acquisition unit 201 acquires messages output by management target nodes and records them in a message DB 202. A learning information generation unit 204 calculates maximum values or minimum values of the numbers of messages by management target node, by message identification information, and by unit time in a specified period, and records the values in a learning result information DB 205. An analysis information generation unit 206 calculates the numbers of messages output by target node, by message identification information, and by unit time, and records them in an analysis result information DB 207. An analysis determination unit 208 determines whether or not each management target node to be analyzed is normal on the basis of the maximum/minimum value information recorded in the learning result information DB 205 and analysis data information read out from the analysis result information DB 207, records determination results in the analysis result information DB 207, and outputs them to an output unit 209.

Description

  The present invention relates to an operation management apparatus, an operation management method, and an operation management program.

In order to operate an information system stably and efficiently, there is known an operation management system that centrally monitors and controls a group of managed nodes constituting the information system. The operation management system acquires and accumulates various information related to hardware and software such as “hardware failure occurrence” and “software processing error occurrence” from the managed node, and displays them on the operation management terminal. Then, the administrator monitors and controls the managed node group based on the content of the message displayed on the operation management terminal.
However, as the information system becomes larger and more complex, the burden on the knowledge of managers has increased dramatically, and as a result, there have been situations such as prolonged service outages due to misjudgment.
On the other hand, there is a technique described in Patent Document 1.

JP 2009-199533 A

  However, in the technique described in Patent Document 1, the operation management system performs operation management using performance information of the management target node such as the CPU usage rate and the remaining memory capacity. Therefore, there is a problem that the performance information cannot be acquired unless the operator performs settings for collecting and transmitting performance information to the managed node. In addition, there is a problem that an abnormality of a managed node cannot be detected unless a processing load for collecting performance information or a network load for transmitting performance information from the managed node to the operation management system is imposed.

  The present invention has been made in view of the above points, and provides an operation management apparatus, an operation management method, and an operation management program capable of easily detecting an abnormality of a managed node.

(1) The present invention has been made to solve the above problems, and one aspect of the present invention is a message acquisition unit that acquires a message output by a managed node, and the message acquisition unit that acquires the message. And an analysis determination unit that detects the state of the managed node based on the number of messages.

(2) Further, according to one aspect of the present invention, in the above-described operation management apparatus, the learning management unit includes a learning information generation unit that calculates the number of messages, and the analysis determination unit includes the learning information generation unit that calculates the number of messages. The state of the managed node is detected based on a history of numbers and a current number of messages.

(3) Further, according to one aspect of the present invention, in the above-described operation management apparatus, the learning information generation unit may calculate the number of messages for each managed node, for each message identification information, and for each unit time within a specified period. The maximum value or the minimum value is calculated, and the analysis determination unit determines the state of the managed node based on whether or not the current number of messages is a value between the maximum value and the minimum value. It is characterized by detecting.

(4) According to another aspect of the present invention, in the operation management apparatus, the analysis determination unit determines that the current message output number is not a value between the maximum value and the minimum value. A diagnostic program for diagnosing the state of the managed node is started, and the diagnosis result is displayed.

(5) Further, according to one aspect of the present invention, in the operation management apparatus, the analysis determination unit corrects the maximum value or the minimum value based on a state diagnosed by the diagnosis program, and the corrected maximum The state of the managed node is detected based on the value or the corrected minimum value.

(6) Moreover, according to one aspect of the present invention, the message acquisition unit acquires a message output by the managed node, and the analysis determination unit determines the number of messages acquired by the message acquisition unit. And an analysis determination process for detecting the state of the managed node.

(7) Further, according to one aspect of the present invention, a message acquisition procedure for acquiring information output from a management target node to a computer of an operation management apparatus, and the management target node based on the number of messages acquired in the message acquisition procedure This is an operation management program for executing an analysis / judgment procedure for detecting the state of a problem.

  According to the present invention, it is possible to easily detect an abnormality of a management target node.

It is a conceptual diagram of the operation management system which concerns on the 1st Embodiment of this invention. It is a schematic block diagram which shows an example of the operation management apparatus which concerns on this embodiment. It is the schematic explaining an example of the acquisition message information table which concerns on this embodiment. It is the schematic explaining an example of the learning result information table which concerns on this embodiment. It is the schematic explaining an example of the maximum and minimum value table which concerns on this embodiment. It is the schematic which shows an example of the analysis information table which concerns on this embodiment. It is the block diagram which showed an example of the learning information generation part which concerns on this embodiment. It is the block diagram which showed an example of the analysis information generation part which concerns on this embodiment. It is the block diagram which showed an example of the analysis determination part which concerns on this embodiment. It is a flowchart which shows an example of operation | movement of the operation management system which concerns on this embodiment. It is a flowchart which shows an example of operation | movement of the learning process which concerns on this embodiment. It is a flowchart which shows an example of the operation | movement of the total process which concerns on this embodiment. It is a flowchart which shows an example of the operation | movement of the analysis process which concerns on this embodiment. It is explanatory drawing which shows an example of the condition input screen for displaying the learning result which concerns on this embodiment. It is explanatory drawing which shows an example of the learning result display which concerns on this embodiment. It is explanatory drawing which shows an example of the condition input screen for displaying the analysis result which concerns on this embodiment. It is explanatory drawing which shows an example of the learning result display which concerns on this embodiment. It is a schematic block diagram which shows an example of the operation management apparatus which concerns on the 2nd Embodiment of this invention. It is the block diagram which showed an example of the learning information generation part which concerns on this embodiment. It is the block diagram which showed an example of the analysis information generation part which concerns on this embodiment. It is the block diagram which showed an example of the analysis determination part which concerns on this embodiment. It is the schematic explaining an example of the acquisition message information table which concerns on this embodiment. It is a flowchart which shows an example of a process of the operation management system which concerns on this embodiment. It is a flowchart which shows an example of the process which concerns on this embodiment. It is a flowchart which shows an example of the process which concerns on this embodiment. It is a flowchart which shows an example of the process which concerns on this embodiment.

Hereinafter, a first embodiment of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a conceptual diagram showing a relationship between a management target system 10 and an operation management system 20 according to the first embodiment of the present invention.
The management target system 10 includes a management target network 100 and management target nodes 101 to 103.
The management target network 100 is a target network on which the operation management apparatus 21 performs operation management. The management target network 100 includes a local area network (LAN), a wide area network (WAN), and the like.
The managed nodes 101 to 103 are electronic devices connected to the managed network 100 via a network interface. The managed nodes 101 to 103 are, for example, a computer, a home appliance provided with a network interface, a hub, a router, a switch, and the like.

The operation management system 20 includes an operation management device 21 and an operation management terminal 22.
The operation management apparatus 21 is connected to the management target network 100. The operation management apparatus 21 acquires messages from the managed nodes 101 to 103 via the managed network 100. The operation management device 21 detects the state of the managed node based on the number of acquired messages.

  An outline of processing for detecting an abnormality of a managed node by the operation management apparatus 21 will be described. A screen image of the operation management terminal 22 is denoted by reference symbol A. In this screen image, the horizontal axis represents time and the vertical axis represents the number of messages. The lines with the symbols a and b represent the minimum value and the maximum value for each learning total unit time for the history of the number of message outputs for each measurement time (referred to as learning total unit time). When the number of message outputs in the measurement time to be analyzed (referred to as analysis total unit time) deviates from the range surrounded by the minimum and maximum values of the number of message outputs, as shown by the line with the symbol c, Detects that the managed node is abnormal. Thereby, the operation management apparatus 21 can easily detect the abnormality of the management target node without adding a new setting change or information collection load to the management target system.

  The operation management terminal 22 is a terminal through which a user inputs and outputs information with the operation management apparatus 21. The operation management terminal 22 displays a screen or the like with the symbol A, provides information to the user, and receives a command for the operation management device 21 from the user.

  FIG. 2 is a schematic block diagram showing the configuration of the operation management apparatus 21 of the present invention. In the illustrated example, the operation management apparatus 21 includes a message acquisition unit 201, a message DB (message storage unit) 202, an input unit 203, a learning information generation unit 204, a learning result information DB (learning result information storage unit) 205, and analysis information. A generation unit 206, an analysis result information DB (analysis result information storage unit) 207, an analysis determination unit 208, and an output unit 209 are configured.

The message acquisition unit 201 is connected to the management target network 100. The message acquisition unit 201 acquires the transmitted message. Here, the message is information output from the managed nodes 101 to 103 to the managed network 100 when an event such as completion of call data transfer, occurrence of an authentication error, occurrence of a package reset, or the like occurs. The message acquisition unit 201 generates acquisition message information based on the messages acquired from each of the management target nodes 101 to 103.
Here, the acquired message information is information including a message ID, a time stamp, a node name, a message body, and the like (see FIG. 3). The message ID is message identification information. The time stamp is the time (year, month, day, hour, minute, second) when the managed nodes 101 to 103 generate a message. The node name is an identification number that uniquely indicates the managed node that has transmitted the message. Information related to the message is input in the message body. The message acquisition unit 201 records the generated acquired message information in the message DB 202.
Details of the acquired message information recorded by the message DB 202 will be described later.

The input unit 203 receives information from the user via the operation management terminal 22. For example, the input unit 203 receives learning condition information from a user. Here, the learning condition information means a message learning target period that is a period for performing message learning, a learning total unit time that is a unit of a period for totaling the number of messages (learning by combining the message learning target period and the learning total unit time) Information). The input unit 203 outputs the input learning condition information to the learning information generation unit 204.
For example, the input unit 203 receives analysis condition information from a user. Here, the analysis condition information is a message analysis target period that is a period for performing message analysis, an analysis total unit time that is a unit of time for totaling the number of messages (a combination of the message analysis target period and the analysis total unit time) Information). The input unit 203 outputs the input analysis condition information to the analysis information generation unit 206.

The learning information generation unit 204 extracts acquired message information that matches the learning condition indicated by the learning condition information input from the input unit 203 from the acquired message information recorded in the message DB 202. The learning information generation unit 204 generates learning data information indicating the node name, the message ID, and the number of message outputs per learning count unit time based on the acquired message information. The learning information generation unit 204 records the generated learning data information in the learning result information DB 205.
The learning information generation unit 204 calculates the maximum value and the minimum value of the number of messages per node name, message ID, and learning total unit time based on the generated learning data information, and the maximum indicating the calculated maximum value and minimum value. Generate minimum value information. The learning information generation unit 204 records the generated maximum / minimum value information in the learning result information DB 205. Here, the process of generating learning data information and the process of generating maximum / minimum value information are collectively referred to as a learning process. The learning information generation unit 204 outputs learning data information and maximum / minimum value information read from the learning result information DB 205 to the output unit 209. Details of the learning information generation unit 204 and the learning result information DB 205 will be described later.

The analysis information generation unit 206 extracts acquired message information that matches the analysis condition indicated by the analysis condition information input from the input unit 203 from the acquired message information recorded in the message DB 202. The analysis information generation unit 206 calculates the number of message outputs per node name, message ID, and analysis total unit time based on the extracted acquired message information, and generates analysis data information indicating the calculated number of messages. The analysis information generation unit 206 records the generated analysis data information in the analysis result information DB 207. Details of the analysis information generation unit 206 will be described later.
Details of the information stored in the analysis result information DB 207 will be described later.

Based on the maximum / minimum value information recorded in the learning result information DB 205 and the analysis data information read from the analysis result information DB 207, the analysis determination unit 208 determines whether or not each management target node to be analyzed is normal. judge. The analysis determination unit 207 records the determination result in the analysis result information DB 207 and outputs it to the output unit 209. Details of the analysis determination unit 208 will be described later.
The output unit 209 outputs information input from the learning information generation unit 204 and the analysis determination unit 208 to the operation management terminal 22.

FIG. 3 is a schematic diagram illustrating an example of the acquired message information table recorded in the message DB 202.
As shown in the figure, the message information table has columns of items of time stamp, message ID, node name, and message body. The message information table is two-dimensional tabular data composed of rows and columns in which a message ID, a node name, and a message body are stored for each time stamp.

  For example, the message information with the reference numeral 3a includes a message with a time stamp “July 15, 2007, 7:51:11” and a message ID “0.10.10.10.10”. It is transmitted from the management target node having the address “192.168.11.30”, and the message body indicates “call data transfer end”.

FIG. 4 is a schematic diagram illustrating an example of a learning result information table. As shown in the drawing, the learning result information table has columns of items of node name, message ID, learning total unit time, and total value. The learning result information table is data in a two-dimensional tabular format composed of rows and columns in which aggregate values are stored for each node name, message ID, and learning aggregation unit time.
For example, in the learning data information with the reference numeral 4a, the node name is “192.168.11.30”, the message ID is “0.10.10.10.10”, and the learning count unit time is “July 15, 2007”. This indicates that the date is 7: 59: 59: 59 "and the total value is" 312 ".

FIG. 5 is a schematic diagram illustrating an example of the maximum / minimum value table. As shown in the figure, the maximum / minimum value table is composed of N managed object node-specific data tables denoted by reference numerals 51 to 5N. Here, N is the number of management target nodes connected to the operation management target network 10. The management target node-specific data table denoted by reference numeral 51 is composed of message ID-specific data tables denoted by reference numerals 511 to 51M. Here, M is the number of message ID types. The message-specific data table denoted by reference numeral 511 has columns for each item of learning count unit time, maximum value, and minimum value. The message-specific data table is two-dimensional tabular data composed of rows and columns in which the maximum value and the minimum value are stored for each learning aggregation unit time.
For example, the maximum / minimum value information denoted by reference numeral 511a has a node name “192.168.11.30”, a message ID “0.10.10.10.10”, and a learning total unit time “July 2007”. 15th 7 to 7:59:59 ", the maximum value is" 232 ", and the minimum value is" 181 ".

  FIG. 6 is a schematic diagram illustrating an example of the analysis information table. As shown in the drawing, the analysis information table has columns of items of node name, message ID, analysis total unit time, total value, and analysis result information. The analysis information table is data in a two-dimensional tabular format consisting of rows and columns storing node names, message IDs, aggregate values and analysis result information for each analysis aggregation unit time.

  For example, the analysis information with the symbol 6a has a node name of “192.168.1.30”, a message ID of “0.10.10.10.10”, and an analysis count unit time of “July 15, 2007”. The analysis result information is “normal” at 7 o'clock to 7:59:59 ”on the day. The analysis information to which reference numeral 6a is attached is that the node name is “192.168.1.30”, the message ID is “0.10.10.10.10”, and the analysis count unit time is “July 15, 2007 8 "Time to 8:59:59", the analysis result information indicates "abnormal".

FIG. 7 is a schematic block diagram illustrating a configuration of the learning information generation unit 204.
The learning information generating unit 204 includes a learning message information extracting unit 2040, a learning output number totaling unit 2041, and a maximum / minimum value extracting unit 2042.
The learning message information extraction unit 2040 determines whether the time stamp included in the acquired message information recorded in the message DB 202 is included in the message learning target period indicated by the learning condition information input from the input unit 203. The analysis message information extraction unit 2060 sequentially outputs the acquired message information determined to be included in the message learning target period to the learning output number aggregation unit 2041. The learning message information extraction unit 2040 outputs maximum / minimum value extraction information to the maximum / minimum value extraction unit 2042 when learning aggregation end information described later is input from the learning output number aggregation unit 2041. Here, the maximum / minimum value extraction information is information that causes the minimum value extraction unit 2042 to extract the maximum value and the minimum value of the number of message information.

  The learning output number totaling unit 2041 totals the number of acquired message information for each node name, message ID, and learning total unit time (referred to as total processing). The learning output count totaling unit 2041 records information (learning data information) in which the learning total value information indicating the total value, the node name, the message ID, and the learning total unit time are associated with each other in the learning result information DB 205. . The learning output number totaling unit 2041 outputs learning totaling end information to the learning message information extracting unit 2040 when the totaling is completed.

  When the maximum / minimum value extraction information is input from the learning message information extraction unit 2040, the maximum / minimum value extraction unit 2042 receives the node name, message ID, and learning count based on the learning data information recorded in the learning result information DB 205. The maximum value and the minimum value of the total number of messages are extracted every unit time. The maximum / minimum value extraction unit 2042 records the maximum / minimum value information in the learning result information DB 205.

FIG. 8 is a schematic block diagram illustrating a configuration of the analysis information generation unit 206.
The analysis information generation unit 206 includes an analysis message information extraction unit 2060 and an analysis output number totaling unit 2061.
The analysis message information extraction unit 2060 determines whether or not the time stamp included in the acquired message information recorded in the message DB 202 (FIG. 2) is included in the message analysis target period indicated by the analysis condition information input from the input unit 203. Determine. The analysis message information extraction unit 2060 sequentially outputs the acquired message information determined to be included in the message analysis target period to the analysis output number aggregation unit 2061.
The analysis message information extraction unit 2060 outputs analysis start information indicating that the analysis is started to the analysis determination unit 208 when analysis aggregation end information described later is input.

  The analysis output number totaling unit 2061 totals the number of acquired message information for each node name, message ID, and analysis total unit time (referred to as total processing). The analysis output number totaling unit 2061 analyzes the analysis result information DB 207 (FIG. 2) by associating the analysis total value information indicating the totaled value, the node name, the message ID, and the analysis total unit time (analysis data information). ). The analysis output number totaling unit 2061 outputs the analysis totaling end information to the analysis message information extracting unit 2060 when the totaling is completed. Here, the analysis aggregation end information is information indicating to the analysis message information extraction unit 2060 that the analysis output number aggregation unit 2061 has completed the output number aggregation.

FIG. 9 is a schematic block diagram illustrating the configuration of the analysis determination unit 208.
The analysis determination unit 208 includes a learning analysis comparison unit 2080. Based on the maximum / minimum value information read from the learning result information DB 205 and the analysis data information read from the analysis result information DB, the analysis determination unit 208 sets the analysis aggregate value to the maximum value and minimum value indicated by the maximum / minimum value information. It is determined whether it is included.
The learning analysis comparison unit 2080 compares the maximum / minimum value information read from the learning result information DB 205 and the analysis data information read from the analysis result information DB 207 for each node name, message ID, and analysis unit time.
Specifically, the learning analysis comparison unit 2080 determines whether or not the analysis total value indicated by the analysis total value information is included between the maximum value and the minimum value indicated by the maximum / minimum value information. If it is determined that the analysis aggregate value is not included between the maximum value and the minimum value indicated by the maximum / minimum value information, the learning analysis comparison unit 2080 indicates that the analysis aggregation value is not included between the maximum value and the minimum value. The determination failure information which shows is produced | generated. If it is determined that the maximum / minimum value information is included between the maximum value and the minimum value, the learning analysis comparison unit 2080 includes determination pass information indicating that the analysis aggregate value is included between the maximum value and the minimum value. Generate. The learning analysis comparison unit 2080 records the analysis result information in the analysis result information DB 207. Here, the analysis result information includes a node name, a message ID, an analysis count unit time, and determination failure information or determination pass information.

FIG. 10 is a flowchart showing an example of the operation of the operation management system 20 according to the present embodiment.
(Step S101) The message acquisition unit 201 acquires a message transmitted from the management target nodes 101 to 103. The message acquisition unit 201 generates acquired message information based on the acquired message and records it in the message DB 202. Thereafter, the process proceeds to step S102.
(Step S102) The input unit 203 determines whether or not learning condition information has been input from the user. If it is determined that the learning condition information has been input (Yes), the process proceeds to step S103. If it is not determined that the learning condition information has been input (No), the process proceeds to step S104.

(Step S103) The learning information generation unit 204 performs a learning process. Details of the learning process in step S103 will be described later.
(Step S104) The input unit 203 determines whether or not analysis condition information is input from the user. If it is determined that the analysis condition information has been input (Yes), the process proceeds to step S105. If it is not determined that the analysis condition information has been input (No), the process proceeds to step S101.

(Step S105) The analysis information generation unit 206 performs an analysis process. Details of the analysis processing in step S105 will be described later. Thereafter, the process proceeds to step S101.

FIG. 11 is a flowchart illustrating an example of the operation of the learning process according to the present embodiment. FIG. 11 is a flowchart showing the learning process in step S103 in FIG.
(Step S201) The learning information generation unit 204, based on the learning condition information and the acquired message information determined to have been input in Step S102, the number of learning nodes Ln, the number of learning message IDs Lm, and the learning unit count within the message learning target period The number of hours Lt and the number of learning days Ld are calculated. Here, the learning node number Ln is the number of management target nodes that have transmitted a message within the message learning target period. The learning message ID number Lm is the number of types of message IDs received within the message learning target period. The learning unit count time number Lt is the number of learning count unit times per day. The learning days Ld is the number of days in the message learning target period. Thereafter, the process proceeds to step S202.

(Step S202) The learning information generation unit 204 assigns “0” to the learning node number counter Lnc, the learning message ID number counter Lmc, the learning unit total time counter Ltc, and the learning days counter Ldc. Thereafter, the process proceeds to step S203.
(Step S203) The learning information generation unit 204 determines whether or not an unlearned management target node remains within the message learning period. That is, it is determined whether Lnc <Ln. If it is determined that Lnc <Ln (Yes), the process proceeds to step S204. When it is determined that Lnc ≧ Ln (No), the process proceeds to step S213.
(Step S204) The learning information generation unit 204 determines whether or not an unlearned message ID remains for the management target node (target node) determined to be unlearned in step S203. That is, it is determined whether Lmc <Lm. When it is determined that Lmc <Lm (Yes), the process proceeds to step S205. When it is determined that Lnc ≧ Ln (No), the process proceeds to step S206.

(Step S205) The learning information generation unit 204 determines whether or not an unlearned learning total unit time (target learning total unit time) remains for the message ID (target message ID) determined to be unlearned in step S204. judge. That is, it is determined whether Ltc <Lt. When it is determined that Ltc <Lt (Yes), the process proceeds to step S206. When it is determined that Lnc ≧ Ln (No), the process proceeds to step S208.
(Step S206) The learning information generation unit 204 adds “1” to Ltc. Thereafter, the process proceeds to step S207.
(Step S207) The learning output number totaling unit 2041 calculates the number of acquired message information within the learning total unit time for the target node and the target message ID (referred to as total processing). Details of the aggregation processing in step S207 will be described later. Thereafter, the process proceeds to step S205.

(Step S208) The learning information generation unit 204 determines whether or not an unlearned learning target day remains for the target message identification information. That is, it is determined whether Ldc <Ld. If it is determined that Ldc <Ld (Yes), the process proceeds to step S209. When it is determined that Ldc ≧ Ld (No), the process proceeds to step S210.
(Step S209) The learning information generation unit 204 adds “1” to Ldc. Thereafter, the process proceeds to step S205.

(Step S210) The maximum / minimum value extraction unit 2042 calculates a maximum output number and a minimum output number for each target node, target message ID, and target learning count unit time based on the maximum / minimum value extraction information. The maximum / minimum value extraction unit 2042 records the calculated maximum output number and maximum / minimum value information indicating the minimum output number in the learning result information DB 205. Thereafter, the process proceeds to step S211.
(Step S211) The learning information generation unit 204 adds “1” to Lmc. Thereafter, the process proceeds to step S204.
(Step S212) The learning information generation unit 204 adds “1” to Lnc. Thereafter, the process proceeds to step S203.
(Step S213) The output unit 209 displays the learning information and the maximum / minimum value information input from the learning information generation unit 204.

FIG. 12 is a flowchart illustrating an example of the aggregation process according to the present embodiment. FIG. 12 is a flowchart showing the counting process in step S207 in FIG.
(Step S301) The learning output number totaling unit 2041 substitutes “0” for the total value. Thereafter, the process proceeds to step S302.
(Step S302) The learning output number totaling unit 2041 determines whether or not there is an unaggregated message within the target aggregation unit time for the target node and the target message. If it is determined that there is an unaggregated message (Yes), the process proceeds to step S303. If it is determined that there are no unaggregated messages (No), the process proceeds to step S304.
(Step S303) The learning output number totaling unit 2041 adds “1” to the total value. Thereafter, the process proceeds to step S302.
(Step S304) The learning output number totaling unit 2041 records the total value (learning data information) in the learning result information DB 205. Thereafter, the process proceeds to an end process.

FIG. 13 is a flowchart illustrating an example of the operation of the analysis processing according to the present embodiment.
(Step S401) Based on the analysis condition information and the acquired message information input from the input unit 203, the analysis information generation unit 206 analyzes the number of analysis nodes An, the number of analysis message IDs Am, and the analysis unit tabulation time within the message analysis target period. The number At and the analysis days Ad are calculated. Here, the analysis node number An is the number of management target nodes that have transmitted a message within the message analysis target period. The analysis message identification information number Am is the number of message types received within the message analysis target period. The analysis unit count time At is the number of analysis count unit hours per day. The analysis days Ad is the number of days in the message analysis target period. Thereafter, the process proceeds to step S402.

(Step S402) The analysis information generation unit 204 assigns “0” to the analysis node number counter Anc, the analysis message identification information number counter Amc, the analysis unit aggregation time number counter Atc, and the analysis day number counter Adc. Thereafter, the process proceeds to step S403.
(Step S403) The analysis information generation unit 204 determines whether or not an unanalyzed management target node remains within the message analysis period. That is, it is determined whether Anc <An. If it is determined that Anc <An (Yes), the process proceeds to step S404. When it is determined that Anc ≧ An (No), the process proceeds to step S415.
(Step S404) The analysis information generation unit 204 determines whether or not the identification information of the unanalyzed message remains for the management target node (target node) determined to be unanalyzed in step S403. That is, it is determined whether Amc <Am. If it is determined that Amc <Am (Yes), the process proceeds to step S405. If it is determined that Anc ≧ An (No), the process proceeds to step S406.

(Step S405) Whether the analysis information generation unit 204 still has unanalyzed analysis count unit time (target analysis count unit time) for the identification information (target message identification information) of the message determined to be unanalyzed in step S404 Determine whether or not. That is, it is determined whether Atc <At. If it is determined that Atc <At (Yes), the process proceeds to step S406. If it is determined that Atc ≧ At (No), the process proceeds to step S408.
(Step S406) The analysis information generation unit 204 adds “1” to Atc. Thereafter, the process proceeds to step S407.
(Step S407) The analysis output number totaling unit 2041 calculates the number of acquired message information within the analysis total unit time for the target node and the target message (referred to as total processing). Details of the aggregation processing in step S407 will be described later. Thereafter, the process proceeds to step S205.

(Step S408) The analysis information generation unit 204 determines whether or not an unanalyzed analysis target date remains for the target message identification information. That is, it is determined whether or not Adc <Ad. If it is determined that Adc <Ad (Yes), the process proceeds to step S409. When it is determined that Adc ≧ Ad (No), the process proceeds to step S410.
(Step S409) The analysis information generation unit 204 adds “1” to Adc. Thereafter, the process proceeds to step S405.

(Step S410) The analysis determination unit 208 reads the maximum / minimum value information from the learning result information DB 205. The analysis determination unit 208 includes the maximum value indicated by the maximum / minimum value information, the number of analysis total values indicated by the analysis total value information within the target analysis total unit time for the target node and target message ID calculated in step S407, Compare When it determines with an analysis total value being larger than the maximum value (Yes), it progresses to step S412. When it determines with an analysis total value not being larger than the maximum value (No), it progresses to step S411.
(Step S411) The analysis determination unit 208 analyzes the total value indicated by the analysis total value information within the target analysis total unit time for the minimum value indicated by the maximum / minimum value information, the target node and the target message ID calculated in step S407. Compare the number of When it determines with an analysis total value being smaller than the minimum value (Yes), it progresses to step S412. When it determines with the analysis total value not being smaller than the minimum value (No), it progresses to step S413.

(Step S412) The analysis determination unit 208 generates determination failure information indicating that the analysis total value is not included between the maximum value and the minimum value. The analysis determination unit 208 records analysis result information including determination failure information in the analysis result information DB 207.
(Step S413) The analysis determination unit 208 generates determination pass information indicating that the analysis total value is included between the maximum value and the minimum value. The analysis determination unit 208 records analysis result information including determination pass information in the analysis result information DB 207.

(Step S414) The analysis information generation unit 204 adds “1” to Amc. Thereafter, the process proceeds to step S404.
(Step S415) The analysis information generation unit 204 adds “1” to Anc. Thereafter, the process proceeds to step S415.
(Step S416) The output unit 209 receives the learning data information and the maximum / minimum value information recorded in the learning result information DB 205 from the learning information generation unit 204. The output unit 209 receives the analysis result information recorded in the analysis result information DB 207 from the analysis determination unit 208. The output unit 209 displays learning data information, maximum / minimum value information, and analysis result information. Thereafter, the process proceeds to an end process.

  FIG. 14 is an explanatory diagram illustrating an example of a condition input screen for displaying a learning result output from the output unit 209. The display with the symbol 14a indicates that the message learning target period is from July 1, 2011 to July 10, 2011. The display with reference numeral 14b indicates that the node name to be learned is “node01”. The display with the reference numeral 14c indicates that the message ID to be learned is “0.20.20.20.20”. The display with reference numeral 14d indicates that the message body is “authentication error occurred”. That is, the message ID “0.20.20.20.20” corresponds to “authentication error occurred”. The display with reference numeral 14e indicates that the learning result is displayed in units of 24 hours.

  FIG. 15 is an explanatory diagram illustrating an example of a learning result display output from the output unit 209. The display with reference numeral 15a indicates that the message learning target period is from July 1, 2011 to July 10, 2011. The display with reference numeral 15b indicates that the node name to be learned is “node01”. The display with reference numeral 15c indicates that the message ID to be learned is “0.20.20.20.20”. The display with reference numeral 15d indicates that the message body is “authentication error occurred”. The point with the symbol 15e is that the node name between 1 o'clock and 2 o'clock on July 3 was “node01” and the message ID was “0.20.20.20.20” and the number of messages was “23”. Is shown. The point with the symbol 15f is that the node name between 7 and 8 o'clock on July 10 was “node01”, and the message number was “19.20.20.20.20”. Is shown. A line denoted by reference numeral 15g indicates a line connecting the management target node within the message learning target period and the maximum number of messages for each message ID. A line denoted by reference numeral 15h indicates a line connecting the management target node within the message learning target period and the minimum value of the number of messages for each message.

  FIG. 16 is an explanatory diagram illustrating an example of a condition input screen for displaying the analysis result output by the output unit 209. The display with the symbol 14a indicates that the message analysis target period is from July 1, 2011 to July 10, 2011. The display with the reference numeral 14b indicates that the node name to be analyzed is “node01”. The display with reference numeral 14c indicates that the message ID to be analyzed is “0.20.20.20.20”. The display with reference numeral 14d indicates that the message body is “authentication error occurred”. That is, the message ID “0.20.20.20.20” corresponds to “authentication error occurred”. The display with the symbol 14e indicates that the analysis result is displayed in units of 24 hours.

  FIG. 17 is an explanatory diagram illustrating an example of an analysis result display output by the output unit 209. The display denoted by reference numeral 17a indicates that the message learning target period is from July 1, 2011 to July 10, 2011. The display with the reference numeral 17b indicates that the node name to be learned is “node01”. The display with the reference numeral 17c indicates that the message ID to be learned is “0.20.20.20.20”. The display with the reference numeral 17d indicates that the message body is “authentication error occurred”. Reference numeral 17e indicates that the node name between “1 to 2 o'clock on July 3” is “node01”, the message ID is “0.20.20.20.20”, and the number of messages is “23”. It was shown that. The point denoted by reference numeral 17f is that the node name between 7 o'clock and 8 o'clock on July 10 was “node01”, and the message number was “19.20.20.20.20”. Is shown. A line denoted by reference numeral 17g indicates a line connecting the management target node within the message learning target period and the maximum number of messages for each message. A line denoted by reference numeral 17h indicates a line connecting the management target node within the message learning target period and the minimum number of messages for each message.

  The display with the reference numeral 17i indicates that the date of analysis is “July 11”. Reference numeral 17j indicates that the analysis target date is “July 11”, the node name is “node01”, the message ID is “0.20.20.20.20”, and the total value is “25”. Show. The point denoted by reference numeral 17k indicates that the maximum value of the number of messages for each managed node and each message within the message learning target period is “24”. The display with the reference numeral 17l indicates that the analysis target day has a total value exceeding the maximum value of the number of messages to be managed and the number of messages for each message in the message learning target period, so that “analysis result: unusual behavior detected. Is displayed. " As a result, the user can know that the total value is larger than the maximum value learned during the message learning period for the specified analysis target date, node name, and message ID.

  Thus, according to this embodiment, the message acquisition unit 201 acquires information output from the management target nodes 11 to 13. The analysis determination unit 208 detects an abnormality in the managed nodes 11 to 13 based on the number of messages acquired by the message acquisition unit 201. According to this configuration, the operation management system 20 detects the abnormality of the managed nodes 11 to 13 based on the message originally generated by the managed nodes 11 to 13. As a result, it is possible to easily detect an abnormality in the management target node without adding a new setting change or information collection load to the management target system.

  Further, according to the present embodiment, the learning information generation unit 204 stores the number of messages. The analysis determination unit 208 detects an abnormality in the managed nodes 11 to 13 based on the history of the number of messages calculated by the learning information generation unit 204 and the current number of messages. Thereby, since it detects whether the management object nodes 11-13 are abnormal based on the log | history of the number of messages, the detection accuracy of abnormality improves.

  Further, according to the present embodiment, the learning information generation unit 204 calculates the maximum value or the minimum value of the number of messages for each managed node, for each message identification information, and for each unit learning count time within a specified period. To do. The analysis determination unit 208 detects an abnormality in the managed nodes 11 to 13 based on whether or not the current number of messages is a value between the maximum value and the minimum value. Accordingly, in order to detect whether or not the managed nodes 11 to 13 are abnormal based on whether or not the current number of messages deviates from the maximum value and the minimum value of the number of messages in the learning period, Detection accuracy is improved.

The analysis determination unit 208 determines whether the analysis target is normal based on the maximum / minimum value information read from the learning result information DB 205 and the analysis data information generated by the analysis information generation unit 206. However, the method of determination is not limited to the above. For example, it may be determined whether the analysis data information is normal based on whether the analysis data information is larger than a predetermined threshold or smaller than a predetermined threshold. Good.
The time stamp is not limited to the time when the managed nodes 11 to 13 generate a message, and may be the time when the managed nodes 11 to 13 transmit the message or the time when the operation management system 20 acquires the message.

The learning information generation unit 204 and the analysis information generation unit 206 calculate the number of outputs for each message identification information. However, the learning information generation unit 204 and the analysis information generation unit 206 generate a message based on the information indicated by the message identification information and the message content described in the message body. You may identify and calculate the number of outputs.
In the present embodiment, message information is accumulated and learning and analysis using the accumulated information are performed by the same operation management apparatus 20, but each may be performed by a different terminal apparatus. In this case, a server that stores message information and a terminal that performs learning and analysis may be connected by a network.

(Second Embodiment)
Hereinafter, a second embodiment of the present invention will be described in detail with reference to the drawings.
In the present embodiment, a case will be described in which the operation management apparatus executes a determination program during analysis processing and does not reflect a message acquired at a time determined to be abnormal by the determination program in the learning result information. .
FIG. 18 is a schematic block diagram showing the configuration of the operation management apparatus 21a according to this embodiment.
The operation management apparatus 21a is different from the operation management apparatus 21 in the first embodiment in a message DB 202a, a learning information generation unit 204a, a learning information generation unit 206a, and an analysis determination unit 208a. However, the other configuration is the same as that of the operation management apparatus 21 in the first embodiment, and thus the description thereof is omitted.

  The message DB 202a records the acquired message information input from the message acquisition unit 201. When message abnormality information indicating that the acquired message information is abnormal is input from the analysis determination unit 208a, the message DB 202a adds a message abnormality flag to the corresponding acquired message information. The message abnormality information will be described later. Information that associates the acquired message information with the message abnormality flag is called message information. Details of the message information recorded by the message DB 202 will be described later.

The learning information generation unit 204a is different from the first embodiment in the configuration of the learning output number totaling unit 2041a. Details of the learning information generation unit 204a will be described later.
The analysis information generation unit 206a is different from the first embodiment in the configuration of the analysis output number aggregation unit 2061a. Details of the analysis information generation unit 206a will be described later.

The analysis determination unit 208a includes a learning analysis comparison unit 2080 and a diagnostic program execution unit 2081a.
The analysis determination unit 208a determines whether or not the analysis data information is normal. The analysis determination unit 208a determines whether or not the analysis target is normal based on the maximum / minimum value information recorded in the learning result information DB 205 and the analysis data information read from the analysis result information DB 207.
The analysis determination unit 208a executes a diagnostic program when it is determined that the analysis data information is abnormal. The analysis determination unit 208a records message abnormality information in the message DB 202a when the diagnosis result diagnosed by the diagnosis program is determined to be abnormal. The analysis determination unit 208a corrects the maximum / minimum value information based on the diagnosis result diagnosed by the diagnosis program. The analysis determination unit 208 a records the analysis result in the analysis result information DB 207 and outputs it to the output unit 209.
Details of the analysis determination unit 208a will be described later.

FIG. 19 is a block diagram illustrating an example of the configuration of the learning information generation unit 204a. The learning information generation unit 204a in the present embodiment is the same as the learning information generation unit 204 in the first embodiment except that the learning output number counting unit 2041a is different. A description of the same parts as those in the first embodiment will be omitted.
The learning output number totaling unit 2041a totals the number of message information collected for each specific management target node, specific message, and specific learning total unit time input from the learning message information extraction unit 2040. At this time, the message information with the message abnormality flag is not added to the aggregation. The learning output number totaling unit 2041 records information (learning data information) in which the total value information indicating the totaled value, the node ID, and the message identification information are associated with each other in the learning result information DB 205. The learning output number totaling unit 2041a outputs the totaling end information to the learning message information extracting unit 2040.

FIG. 20 is a block diagram illustrating an example of the configuration of the analysis information generation unit 206a. The analysis information generation unit 206a in the present embodiment is the same as the learning information generation unit 204 in the first embodiment except that the analysis output number counting unit 2061a is different. A description of the same parts as those in the first embodiment will be omitted.
The analysis output number counting unit 2061a totals the number of message information collected in a specific managed node, a specific message, and a specific learning total unit time input from the analysis message information extraction unit 2060. At this time, the message information with the message abnormality flag is not added to the aggregation. The analysis output number totaling unit 2061 records information (analysis data information) in which the total value information indicating the total value, the node name, the message ID, and the learning total unit time are associated with each other in the analysis result information DB 207a. .

FIG. 21 is a block diagram illustrating an example of the configuration of the analysis determination unit 208a.
The analysis determination unit 208a includes a learning analysis comparison unit 2080a and a diagnostic program execution unit 2081a.
The learning analysis comparison unit 2080a reads the maximum / minimum value information from the learning result information DB 205. The learning analysis comparison unit 2080a reads analysis data information from the analysis result information DB 207. The learning analysis comparison unit 2080a compares the learning message total value information indicated by the maximum / minimum value information with the analysis message total value information for each node name, message ID, and analysis unit time.
The learning analysis comparison unit 2080 determines whether the analysis total value indicated by the analysis total value information is included between the maximum value and the minimum value indicated by the maximum / minimum value information. If it is determined that the analysis total value is not included between the maximum value and the minimum value indicated by the maximum / minimum value information, deviation information that causes the diagnostic program execution unit 2081a to execute the diagnostic program is output. The deviation information includes a node name, a message ID, and analysis unit time information.

  When the deviation information is input from the learning analysis comparison unit 2080a, the diagnosis program execution unit 2081a executes the diagnosis program for the management target node indicated by the deviation information. The diagnosis program execution unit 2081a performs diagnosis using, for example, a Ping program. That is, the diagnostic program execution unit 2081a transmits a response request packet to the management target node indicated by the deviation information. The diagnostic program execution unit 2081a receives the response packet from the target managed node, confirms arrival at the managed node, and determines whether the managed node indicated by the deviation information is operating normally. judge. If it is determined that the managed node is not operating normally, the diagnostic program execution unit 2081 records message abnormality information indicating that the managed node is abnormal in the message DB 202.

FIG. 22 is a schematic diagram illustrating an example of the acquired message information table recorded in the message DB 202a. The acquired message information input from the message acquisition unit 201 and the message abnormality information input from the diagnostic program execution unit 2081 are recorded in the message information table.
As shown in the figure, the message information table has columns of items of time stamp, message ID, node name, message body, and message abnormality flag. The message information table is two-dimensional tabular data composed of rows and columns in which a message ID, a node name, a message body, and a message abnormality flag are stored for each time stamp.

The message information with the reference numeral 22a includes a message with a time stamp “July 15, 2007, 7:51:11” and a message ID “0.10.10.10.10” with an IP address “ 192.168.11.30 ”is transmitted from the management target node, and the message body indicates“ call data transfer end ”. The message abnormality flag indicates that the message information is normal.
The message information with the reference numeral 22b includes a message with a time stamp “July 16, 2007 22:34:13” and a message ID “0.20.20.20” with an IP address “ 192.168.11.50 ”is transmitted from the management target node, and the message body indicates that“ authentication error has occurred ”. The message abnormality flag indicates that this message information is abnormal.

  FIG. 23 is a flowchart illustrating an example of processing of the operation management system 20a according to the present embodiment. The processing of the operation management system 20a according to the present embodiment is the same as the processing (FIG. 10) of the operation management system 20 in the first embodiment, except for step S103a and step S105a, and thus description thereof is omitted. Steps S103a and S105a will be described later.

  FIG. 24 is a flowchart showing an example of the process of step S103a in FIG. Since the process of step S103a according to the present embodiment is the same as the process of step S103 (FIG. 11) in the first embodiment, except for step S207a, description thereof will be omitted. The process of step S207a will be described later.

FIG. 25 is a flowchart showing an example of the process of step S105a in FIG. The process of step S103a according to the present embodiment is the same as the process of step S103 (FIG. 11) in the first embodiment except for step S407a, step S410a, step S411a, step S4111a, step S4112a, and step S412a. is there. Step S407a is the same as the process of step S207a in FIG.
(Step S410a) The analysis determination unit 208 compares the maximum value indicated by the maximum / minimum value information with the total value calculated in step S407. When it determines with a total value being larger than the maximum value (Yes), it progresses to step S4111a. When it determines with a total value not being larger than the maximum value (No), it progresses to step S411a.

(Step S411a) The analysis determination unit 208 compares the minimum value with the number of total values calculated in step S407. When it determines with a total value being smaller than the minimum value (Yes), it progresses to step S4111a. When it determines with the analysis total value not being smaller than the maximum value (No), it progresses to step S413.
(Step S4111a) The learning analysis comparison unit 2080a outputs deviation information to the diagnostic program execution unit 2081a. The diagnostic program execution unit 2081a executes the Ping program for the management target node indicated by the input deviation information. The diagnostic program execution unit 2081a determines whether or not a response packet for the Ping program has been received within a predetermined time. If it is received within a predetermined time (Yes), the process proceeds to step S412. If not received within the predetermined time (No), the process proceeds to step S4112a.
(Step S4112a) The analysis determination unit 208a records, in the message DB 202a, message abnormality information indicating that all messages output on the analysis target date indicated by the deviation information are abnormal. Thereafter, the process proceeds to step S414.

FIG. 26 is a flowchart showing the processing (aggregation processing) of step S207a in FIG. 24 and step S407a in FIG.
The processing in steps S301 to S304 is the same as that in steps S301 to S304 in FIG.
(Step S3011a) The learning output number totaling unit 2041 determines whether or not a message abnormality flag is set in the message information. If the message abnormality flag is set (Yes), the process proceeds to step S3011c. If the message abnormality flag is not set (No), the process proceeds to step S303.
(Step S3011b) The learning output number totaling unit 2041 determines whether the total value is larger than the maximum value indicated by the maximum / minimum value information. When the total value is larger than the maximum value (Yes), the process proceeds to step S3011c. If the maximum value is less than or equal to the total value (No), the process proceeds to step S3011d.
(Step S3011c) The learning output number totaling unit 2041 changes the maximum value. Specifically, the total value is substituted into the corresponding node name, message ID, and maximum value provided for each learning total unit time. Thereafter, the process proceeds to step S302.
(Step S3011d) The learning output number totaling unit 2041 reads the maximum / minimum value information from the learning result information DB 205. The learning output number totaling unit 2041 determines whether or not the learning total value is larger than the maximum value indicated by the maximum / minimum value information. If the total value is smaller than the maximum value (Yes), the process proceeds to step S3011e. If the maximum value is less than or equal to the total value (No), the process proceeds to step S303.
(Step S3011e) The learning output number totaling unit 2041 changes the minimum value. Specifically, the total value is substituted for the corresponding node name, message ID, and minimum value provided for each learning total unit time. Thereafter, the process proceeds to step S303.

  As described above, according to the present embodiment, when the analysis determination unit 208a determines that the current message output number is not a value between the maximum value and the minimum value, the analysis determination unit 208a diagnoses an abnormality in the managed nodes 11 to 13. The diagnostic program is automatically started and the diagnosis result is displayed. Thereby, even when the analysis determination unit 208a determines that the current message output number is not a value between the maximum value and the minimum value, the administrator determines that the diagnostic program is normal. Notify that there is no abnormality. Therefore, it is possible to detect an abnormality of the managed node without depending on the knowledge and experience of the administrator.

  Further, according to the present embodiment, the analysis determination unit 208a corrects the maximum value or the minimum value based on the result diagnosed by the diagnosis program. The analysis determination unit 208a diagnoses the abnormality of the management target nodes 11 to 13 based on the corrected maximum value or the corrected minimum value. This makes it possible to perform more reliable determination.

  The analysis determination unit 208a corrects the maximum value or the minimum value based on the state diagnosed by the diagnostic program, and detects the state of the management target node based on the corrected maximum value or the corrected minimum value. . As a result, even if the current aggregated value is greater than the maximum value or smaller than the minimum value, if it is determined as a result of diagnosis that the managed node is normal, the maximum value Or replace the minimum value with the aggregate value. This makes it possible to perform more reliable determination thereafter.

  In this embodiment, it is determined that all the messages output on the analysis date indicated by the deviation information are abnormal and the message abnormality flag of the message information recorded in the message DB 202a is abnormal. The message abnormality flag of message information within a predetermined time before and after the time indicated by the information may be abnormal. Further, the message abnormality flag of the message information may be abnormal only for the identification information of the message that is actually determined to be abnormal.

  Note that the message abnormality information may be information that makes all acquired data on the analysis execution date when the abnormality occurred abnormal. Moreover, the acquired data from the management target node where the abnormality occurred on the analysis execution date when the abnormality occurred may be regarded as abnormal. Alternatively, only the message in which an abnormality has occurred from the managed node on which the abnormality on the analysis execution date on which the abnormality has occurred may be regarded as abnormal. In addition, the message from the managed node on which the abnormality occurred on the analysis execution date on which the abnormality has occurred is determined in advance from a certain time before or after the time at which the abnormality has occurred, or from the time at which the abnormality has occurred. Only acquired data acquired at a certain time may be abnormal. Moreover, these combinations may be sufficient.

Note that when an analysis instruction is input, the learning process may be performed first, and then the analysis process may be performed. By performing the learning process immediately before the analysis process, the analysis process can be performed based on the latest learning result, and the determination reliability is increased.
In this embodiment, when the aggregate value deviates from the normal range, only the maximum and minimum values of the learning aggregation unit time are changed. However, when the aggregate value deviates from the normal range, all the analysis target days are changed. The maximum value and the minimum value of the learning total unit time may be changed.

The analysis total unit time may be longer than the time specified as the analysis total unit time. In that case, a temporally overlapping portion is generated between the temporally continuous analysis total unit times. As a result, messages that occur at the moment when the analysis aggregation unit time is switched (the next analysis principal time starts) are aggregated in the previous analysis aggregation unit time, if any, and in other cases, the subsequent analysis aggregation unit time is accumulated. It is possible to prevent the learning data information from becoming inaccurate by being aggregated.
Note that the program executed by the diagnostic program execution unit 2081a may be a program for executing the self-diagnosis program of the managed nodes 101 to 103 or a program for acquiring the core file generated by the managed nodes 101 to 103.

  DESCRIPTION OF SYMBOLS 10 ... Management object system, 20 ... Operation management system, 11-13 ... Management object node, 21, 21a ... Operation management apparatus, 22 ... Operation management terminal, 201 ... Message acquisition , 202, 202a ... message storage unit, 203 ... input unit, 204, 204a ... learning information generation unit, 205 ... learning result information storage unit, 206, 206a ... analysis information generation unit 207 ... analysis result information storage unit 208, 208a ... analysis determination unit 209 ... output unit 2040 ... learning message information extraction unit 2041,2041a ... learning output number totaling unit, 2042... Maximum and minimum value extraction unit, 2060... Analysis message information extraction unit, 2061 and 2061a... Analytical output number totaling unit, 2080 and 2080a. , 2081a ··· diagnostic program execution unit

Claims (7)

A message acquisition unit for acquiring a message output by the managed node;
An analysis determination unit that detects the state of the managed node based on the number of messages acquired by the message acquisition unit;
An operation management apparatus comprising: A learning information generation unit for calculating the number of messages;
The said analysis determination part detects the state of the said management object node based on the log | history of the number of the said messages which the said learning information generation part calculated, and the number of the present messages. Operation management device. The learning information generation unit calculates a maximum value or a minimum value of the number of messages for each managed node, for each message identification information, and for each unit time within a specified period,
The analysis determination unit detects the state of the managed node based on whether or not the number of the current messages is a value between the maximum value and the minimum value. The operation management device described in 1. When the analysis determination unit determines that the current message output number is not a value between the maximum value and the minimum value, the analysis determination unit starts a diagnosis program for diagnosing the state of the managed node, and results of the diagnosis The operation management apparatus according to claim 3, wherein: The analysis determination unit corrects the maximum value or the minimum value based on a state diagnosed by the diagnosis program, and detects the state of the management target node based on the corrected maximum value or the corrected minimum value. The operation management apparatus according to claim 4. A message acquisition process in which the message acquisition unit acquires the message output by the managed node;
An analysis determination process in which the analysis determination unit detects the state of the managed node based on the number of messages acquired by the message acquisition unit;
An operation management method. Message acquisition procedure for acquiring information output by the managed node to the computer of the operation management device,
An operation management program for executing an analysis determination procedure for detecting the state of the managed node based on the number of messages acquired in the message acquisition procedure.

Images