JP2014036310A - Apparatus and method for evaluating effect - Google Patents

Abstract

PROBLEM TO BE SOLVED: To easily evaluate effects on a network or services by events.SOLUTION: An acquisition unit acquires log information of network equipment and configuration information of a network included in the network. An estimation unit estimates a range and a service affected by the event which has occurred in the network on the basis of the log information and the configuration information of the network acquired by the acquisition unit. An inspection unit inspects a content of the effect, by the event occurred in the network, on the service in the range on the network estimated by the estimation unit. A notification unit notifies a network administrator of an inspection result from the inspection unit.

Description

  The present invention relates to an influence evaluation apparatus and an influence evaluation method.

  2. Description of the Related Art Conventionally, NW device management information is used as information for a network (NW) system administrator to detect an event such as a failure or a sign of an event and estimate the cause of the event. For example, a system administrator acquires and manages MIB (Management Information Base) information standardized by RFC1156 and RFC1213 via NW by SNMP (Simple Network Management Protocol), thereby managing events and events. Detect the signs of, and estimate the cause. Here, many tools for acquiring and managing MIB information are known, for example, TWSNMP Manager is known.

  In addition, for example, the system administrator uses an Syslog collector that collects and manages logs of each NW device to detect an event or an event precursor and estimate the cause. Here, the Syslog collector uses a log transmission / reception function provided in Syslog, which is generally used as a program for recording logs such as system operation statuses and messages. For example, Kiwi Syslog Server is known. ing. Note that the protocol of the log transmission / reception function is standardized by RFC5424.

  Furthermore, a technique for automatically executing a preset action using the management information acquired by the SNMP manager or the Syslog collector as a trigger has been put into practical use. For example, when a certain Syslog message is observed or when the value of the monitored MIB object exceeds a threshold value, a Show command is transmitted and additional information is acquired. Thereby, when a trigger occurs, supplementary information for automatically knowing the status of the target device in more detail is acquired. As such a technique, for example, EEM (Embedded Event Manager) installed in Cisco IOS (registered trademark), JUNOScript installed in JUNOS, and the like are known.

J. Case et al, "A Simple Network Management Protocol (SNMP)", Network Working Group, RFC1157, May 1990, [online], [searched June 26, 2012], Internet <http: //tools.ietf .org / html / rfc1157> twise labo., "TWSNMP Manager", [online], [Search June 26, 2012] Internet <http://www.twise.co.jp/twsnmp.html> R. Gerhards, "The Syslog Protocol", Network Working Group, RFC5424, March 2009, [online], [searched June 26, 2012], Internet <http://tools.ietf.org/html/rfc5424> CISCO, "EEM (Embedded Event Manager) Function", [online], [Search June 26, 2012] Internet <http://www.cisco.com/cisco/web/support/JP/102/1020/ 1020031_eem.html> JUNIPER NETWORKS, "Junos XML Management Protocol (Junoscript) Download Software", [online], [Search June 26, 2012] Internet <http://www.juniper.net/support/xml/junoscript/index.html >

  However, with the above-described conventional technology, it has been difficult to evaluate the influence of an event on a network or a service. For example, in the above-described conventional technology, in order to evaluate the influence of an event, the NW administrator estimates the range of influence on the NW based on the detailed information of the event, and selects and evaluates an appropriate evaluation means. It was difficult to assess the impact of events on networks and services. In addition, for example, in the above-described conventional technology, it is necessary for an administrator to grasp not only information related to an event but also information on the physical configuration and logical configuration of the NW, which requires advanced knowledge for the NW administrator. Many operations were required, and it was difficult to evaluate the impact of events on networks and services.

  Therefore, the technology according to the present application has been made in view of the above-described problems of the prior art, and an impact evaluation device and an impact evaluation method that enable an event to easily evaluate the impact on a network or service. The purpose is to provide.

  In order to solve the above-described problems and achieve the object, the impact evaluation apparatus according to the present application acquires log information regarding a plurality of network devices included in a network and configuration information indicating configurations of the plurality of network devices in the network. An estimation unit that estimates a range and a service on the network affected by a failure that has occurred in the network based on the log information and the configuration information of the network acquired by the acquisition unit, and the estimation An inspection unit that inspects the content of the influence of the failure that has occurred on the network for the service in the range on the network estimated by the unit, and the inspection result by the inspection unit to the administrator of the network And a notification unit for notifying.

  The apparatus according to the present application makes it possible to easily evaluate the influence of an event on a network or a service.

FIG. 1 is a diagram illustrating an example of a network configuration according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of the impact evaluation apparatus according to the first embodiment. FIG. 3 is a diagram illustrating an example of information stored by the log information storage unit according to the first embodiment. FIG. 4 is a diagram illustrating an example of information stored by the configuration information storage unit according to the first embodiment. FIG. 5 is a diagram illustrating an example of information stored by the rule information storage unit according to the first embodiment. FIG. 6 is a diagram illustrating an example of information stored by the test information storage unit according to the first embodiment. FIG. 7 is a schematic diagram for explaining the flow of processing in the network including the impact evaluation apparatus according to the first embodiment. FIG. 8 is a diagram illustrating an example of an event report notified by the notification unit according to the first embodiment. FIG. 9 is a flowchart illustrating a procedure of processing performed by the impact evaluation apparatus according to the first embodiment.

  Exemplary embodiments of an impact evaluation apparatus and an impact evaluation method disclosed in the present application will be described below in detail with reference to the accompanying drawings. In addition, the impact evaluation apparatus and the impact evaluation method which this application discloses are not limited by the following embodiment.

[First Embodiment]
[Network configuration]
First, an example of a network configuration to which the impact evaluation apparatus according to the first embodiment is applied will be described. FIG. 1 is a diagram illustrating an example of a configuration of a network 10 according to the first embodiment. As shown in FIG. 1, the network 10 includes a relay network 11, a user segment 12a, a user segment 12b, a server segment 13a, and a server segment 13b. The network 10 is connected to a CMDB (Configuration Management DataBase) 20, an EM (Event Manager) 30, and an impact assessment apparatus 100. The configuration of the network 10 is not limited to the example shown in FIG. For example, the number of user segments and server segments is not limited to the illustrated number, and a large number of user segments and server segments may be connected to the relay network 11.

  For example, as shown in FIG. 1, the relay network 11 includes routers R1 to R4, and performs communication performed between the user segment 12a, the user segment 12b, the server segment 13a, and the server segment 13b. Relay. The relay network 11 shown in FIG. 1 is merely an example, and is not limited to the example shown in FIG.

  The user segment 12a and the user segment 12b have user terminals that communicate with the servers included in the server segment 13a and the server segment 13b via the relay network 11, respectively. Moreover, the user segment 12a and the user segment 12b respectively have a reference site RS1 and a reference site RS2 that are used by the impact evaluation apparatus 100.

  The reference site RS1 and the reference site RS2 receive the test command transmitted by the impact evaluation apparatus 100 and execute a program corresponding to the received test command. Specifically, the reference site RS1 and the reference site RS2 test the quality of services affected by an event such as a failure based on the test command transmitted by the impact evaluation apparatus 100. For example, the reference site RS1 and the reference site RS2 perform delay or communication by executing measurement using Ping or Trace Route using the Internet Control Message Protocol (ICMP), HTTP (HyperText Transfer Protocol), or the like. Test sex and more. Reference site RS1 and reference site RS2 are a segment, a server, etc., for example.

  The server segment 13a and the server segment 13b respectively have a service providing server S1 and a service providing server S2 that provide various services. The service providing server S1 and the service providing server S2 provide various services to the user terminals included in the user segment 12a and the user segment 12b.

  Here, the relay network 11 and each segment (user segments 12a and 12b and server segments 13a and 13b) included in the network 10 are a set of networks “AS (Autonomous System) that are operated under common management. Is.

  In addition, each network device included in the network 10 (for example, routers R1 to R4 included in the relay network 11, routers connecting the segments to the relay network 11, and the like; hereinafter may be referred to as NW devices), respectively, When the Syslog protocol is applied and a predetermined event occurs, a Syslog message is output, and the output Syslog message is transmitted to the EM 30. For example, each network device has a data relay process, a link down that is an event that a link between ports goes down, or a link up that is an event that forms a link between ports. If it occurs, a Syslog message is output.

  At this time, each NW device outputs a Syslog message including “time stamp”, “location where the event has occurred”, and “content of the event that has occurred”. Here, the “time stamp” indicates, for example, the time when the Syslog message is output or the time when the event occurs. Further, “location where an event has occurred” indicates, for example, a router, a component constituting the router, or the like. Examples of router components include ports, line cards having a plurality of ports, and the like.

  For example, it is assumed that the router R1 has the port 1a, the router R2 has the port 2a, and the port 1a and the port 2a are connected, but a link down occurs between the port 1a and the port 2a. . In such a case, the router R1 outputs a Syslog message such as “July 15, 2011 10:30:10 router R1 port 1a link down”. Router R2 also outputs a similar Syslog message.

  Each NW device has MIB information (Management Information Base). For example, each NW device has the resource status of its own device defined by RFC 1213 and management information for each port. For example, each NW device manages MIB information having a plurality of objects for each monitoring target group such as a system or an interface. Here, the MIB information is updated as appropriate.

  Furthermore, each NW device has a script (Event Trigger Script: hereinafter sometimes referred to as ETS) for executing a command for examining the state of the own device in detail using a Syslog message or MIB information as a trigger. . For example, CISCO EEM, Juniper script, etc. are mounted on each NW device. For example, each NW device uses a predetermined Syslog message (for example, link down) or MIB information (for example, the number of received packets discarded for a reason other than an error exceeds a predetermined threshold) as a trigger. , The Show command is executed to collect detailed information on the status of the device itself.

  The CMDB 20 acquires and manages setting information set in each NW device from each NW device. As a result, the CMDB 20 can acquire information regarding the connection relationship between the ports of each NW device as the configuration information of the network 10. For example, the CMDB 20 can acquire information indicating that the port 1a of the router R1 and the port 2a of the router R2 are connected as the configuration information of the network 10.

  The EM 30 has a Syslog message collection function, a system log collection function other than the Syslog message, and an event management function. Specifically, the EM 30 has a Syslog collector and collects Syslog messages from each NW device. Further, the EM 30 collects MIB information, ETS results (detailed information collected by the Show command), and the like as system log information that is log information other than the Syslog message. For example, the EM 30 implements an SNMP manager, and collects MIB information by issuing a request command to an SNMP agent installed in each NW device. Further, for example, the EM 30 is mounted with a TFTP (Trivial File Transfer Protocol), and collects ETS results and the like by transmitting a TFTP request message to each NW device.

  Then, the EM 30 integrates the collected Syslog messages and system log information, and organizes and holds them as event detailed information. For example, the EM 30 holds detailed event information indicating “when” and “which NW device” is “what state”.

  The impact evaluation apparatus 100 analyzes the range and service on the network affected by the event using the configuration information of the network 10 collected by the CMDB 20 and the log information collected by the EM 30.

[Configuration of impact assessment equipment]
Hereinafter, the configuration of the impact evaluation apparatus 100 according to the first embodiment will be described with reference to FIG. FIG. 2 is a diagram illustrating an example of the configuration of the impact evaluation apparatus 100 according to the first embodiment. As illustrated in FIG. 2, the impact evaluation apparatus 100 includes an I / F (Interface) unit 110, an input unit 120, a display unit 130, a communication unit 140, a storage unit 150, and a control unit 160. The I / F unit 110 controls the exchange of various types of information between the input unit 120, the display unit 130, the communication unit 140, and the control unit 160. The input unit 120 receives various information input operations from the administrator of the impact assessment apparatus 100. For example, the input unit 120 accepts an input operation of rule information used for selecting a reference site execution program by the control unit 160 described later. The rule information will be described later in detail. The display unit 130 is a display device that displays various types of information, such as a liquid crystal display.

  As illustrated in FIG. 2, the storage unit 150 includes a log information storage unit 151, a configuration information storage unit 152, a rule information storage unit 153, and test information 154. The storage unit 150 is, for example, a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk.

  The log information storage unit 151 stores log information of NW devices included in the network 10. Specifically, the log information storage unit 151 stores detailed event information acquired from the EM 30 by the control unit 160 described later. FIG. 3 is a diagram illustrating an example of information stored by the log information storage unit 151 according to the first embodiment. For example, as illustrated in FIG. 3, the log information storage unit 151 stores detailed event information in which “date”, “time”, “NW device”, and “state” are associated with each other.

  Here, “date” indicates the date on which an event occurred in the network 10. “Time” indicates the time at which an event occurred in the network 10. The “NW device” indicates the NW device in which an event has occurred. The “state” indicates the content of the event. That is, the log information stored by the log information storage unit 151 is information indicating “what” and “what event” has occurred in “which device”.

  Returning to FIG. 2, the configuration information storage unit 152 stores configuration information indicating the configuration of the network 10. Specifically, the configuration information storage unit 152 stores configuration information acquired from the CMDB 20 by the control unit 160 described later. FIG. 4 is a diagram illustrating an example of information stored in the configuration information storage unit 152 according to the first embodiment. For example, as illustrated in FIG. 4, the configuration information storage unit 152 stores configuration information in which “NW device”, “component”, “connection destination NW device”, and “component” are associated with each other.

  For example, in the configuration information storage unit 152, as shown in FIG. 4, “NW device: R1, component: port 1a” is associated with “connection destination NW device: R2, component: port 2a”. Stored configuration information. That is, the above-described configuration information means that “port 2a” of “router R2” is connected to “port 1a” of “router R1” in network 10.

  Returning to FIG. 2, the rule information storage unit 153 stores rule information used for selecting an execution program for a reference site executed by the control unit 160 described later. Specifically, the rule information storage unit 153 stores rule information set in advance in order to determine the test content executed by the reference site. FIG. 5 is a diagram illustrating an example of information stored by the rule information storage unit 153 according to the first embodiment. For example, as illustrated in FIG. 5, the rule information storage unit 153 stores rule information in which “event”, “range”, “service”, and “test content” are associated with each other.

  Here, the “event” indicates the content of an event that can occur in the network 10. The “range” indicates a range in which an event occurring in the network 10 affects. The “service” indicates a service affected by an event occurring in the network 10. “Test content” indicates the content of a test to be executed by the reference site. That is, the rule information stored by the rule information storage unit 151 is information indicating what tests are to be executed by the reference site for each combination of the event content, the range affected by the event, and the service content. is there. Examples of the test contents include a delay test and a communication test.

  Returning to FIG. 2, the test information storage unit 154 stores information on the test program specified in the test execution command transmitted to the reference site by the control unit 160 described later. FIG. 6 is a diagram illustrating an example of information stored by the rule information storage unit 154 according to the first embodiment. For example, as illustrated in FIG. 6, the test information storage unit 154 stores test information in which “program” is associated with “test content”. Here, “test content” indicates the content of a test to be executed by the reference site. The “program” indicates program information corresponding to the test content.

  Returning to FIG. 2, the control unit 160 includes an acquisition unit 161, an estimation unit 162, an inspection unit 163, an analysis unit 164, and a notification unit 165. Here, the control unit 160 is an electronic circuit such as a CPU (Central Processing Unit) or an MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

  The acquisition unit 161 acquires log information regarding a plurality of network devices included in the network 10 and configuration information indicating configurations of the plurality of network devices in the network 10. Specifically, the acquisition unit 161 acquires information including Syslog information, MIB information, and output information of a Show command as log information. For example, the acquisition unit 161 acquires configuration information from the CMDB 20. The acquisition unit 161 acquires event detailed information from the EM 30. Here, the acquisition unit 161 acquires configuration information and event detailed information using, for example, a TFTP request. Then, the acquisition unit 161 stores the acquired event detailed information in the log information storage unit 151 and stores the configuration information in the configuration information storage unit 152.

  Based on the log information acquired by the acquisition unit 161 and the configuration information of the network 10, the estimation unit 162 estimates the range and service on the network 10 that are affected by the failure that has occurred in the network 10. Specifically, the estimation unit 162 includes a plurality of service providing servers that provide services on the network and a plurality of users that receive services from the plurality of service providing servers, based on log information and network configuration information. Among the terminals, a service providing server and a user terminal that are affected by a failure occurring in the network 10 are estimated.

  For example, the estimation unit 162 identifies an event that has occurred in the network 10 with reference to the event detailed information stored by the log information storage unit 151. Then, the estimation unit 162 refers to the network configuration information stored in the configuration information storage unit 152, and for each identified event, the range that is affected by the event and the event among the services provided by the service providing server Estimate the services affected by

  The inspecting unit 163 inspects the content of the influence of the failure that has occurred in the network 10 on the service in the range on the network 10 estimated by the estimating unit 162. Specifically, the inspection unit 163 determines and determines the inspection contents to be executed by the reference site based on the combination of the failure that has occurred in the network 10 and the range on the network 10 estimated by the estimation unit 162. By causing the reference site to execute the inspection content execution command, the content of the effect of the failure on the service is inspected.

  For example, the inspection unit 163 refers to the rule information stored in the rule information storage unit 153 and the test information stored in the test information storage unit 154, and the event whose influence range and service are estimated by the estimation unit 162 Each time, the test content and program are selected. Then, the inspection unit 163 transmits a test execution command for executing the selected program to the reference site RS1 and / or the reference site RS2 to execute the test.

  Based on the inspection result by the inspection unit 163, the analysis unit 164 analyzes the content of the influence of the failure occurring in the network on the service in the network range estimated by the estimation unit 162. Specifically, the analysis unit 164 acquires the test result of the reference site RS1 and / or the reference site RS2, and analyzes the acquired result to evaluate the influence of the event on the service.

  The notification unit 165 notifies the network administrator of the inspection result by the inspection unit 163. Specifically, the notification unit 165 generates an event report that combines the analysis result of the analysis unit 164 and the event, and notifies the administrator of the network 10 of the generated event report. For example, the notification unit 165 notifies the administrator of the network 10 of the inspection result by causing the display unit 130 to display an event report generated for each event.

  The configuration of the impact evaluation apparatus 100 according to the first embodiment has been described above. Hereinafter, the flow of processing in the network including the above-described impact evaluation apparatus 100 will be described with reference to FIG. FIG. 7 is a schematic diagram for explaining the flow of processing in the network 10 including the impact evaluation apparatus 100 according to the first embodiment.

  For example, as shown in FIG. 7, when an event occurs in the network (NW) in step 1, the EM 30 collects MIB information, Show command output information, and the like by the system log collection function. Similarly, the EM 30 collects Syslog messages using the Syslog collection function. Then, in step 2, the EM 30 integrates the collected system log information and the Syslog message information by the event management function, and the event details indicating “when” and “which device” is “what state”. Generate and maintain information.

  Thereafter, the acquisition unit 161 of the impact evaluation apparatus 100 acquires network configuration information from the CMDB 20 and event detailed information from the EM 30. In step 3, the estimation unit 162 of the impact evaluation apparatus 100 estimates which device and which service are affected from the network configuration information acquired by the acquisition unit 161 and the event detailed information. .

  In step 4, the inspection unit 163 of the impact evaluation apparatus 100 uses the estimation result of the estimation unit 162 and the rule information to determine “which reference site”, “to which part of the NW”, “which test Decide whether or not to implement. Then, the inspection unit 163 transmits a test execution command to the reference site.

  In step 5, the reference site that has received the test execution command executes tests such as Ping, Trace Route, and Capture for the range designated by the test execution command. Then, the reference site transmits the test result to the impact evaluation apparatus 100.

  In step 6, when the impact evaluation apparatus 100 receives the test result, the analysis unit 164 analyzes the influence of the event on the service based on the test result. For example, the analysis unit 164 analyzes “delay”, “communication”, and the like.

  In step 7, the notification unit 165 creates an event report including information such as “event name”, “event details”, and “impact assessment” based on the analysis result of the analysis unit 164, and creates the event The report is notified to the NW administrator.

  The flow of processing in the network including the impact evaluation apparatus 100 has been described above. Hereinafter, an example when a link failure occurs between the router R3 and the router R4 of the network 10 illustrated in FIG. 1 will be described.

  In the case described above, the estimation unit 162 extracts detailed information on the link failure from the event detailed information acquired by the acquisition unit 161. For example, the estimation unit 162 extracts information indicating that “the port of the router 4 of the relay network 11 is down” included in the event detailed information. Then, the estimation unit 162 refers to the configuration information of the network 10 and since each NW device of the relay network 11 belongs to the same AS, “the route is recalculated in each NW device of the relay network 11”. It is possible to determine.

  Further, the estimation unit 162 refers to the configuration information, and since the communication of the user segments 12a and 12b and the server segments 13a and 13b is via the relay network 11, the “service server for the user segment 12a and for the user segment 12b” It is estimated that the service of S1 is affected. Similarly, the estimation unit 162 estimates that “the service of the service server S2 for the user segment 12a and the user segment 12b is affected”.

  Then, the inspection unit 163 determines that “the port of the router R4 is down and the link between the router R3 is broken” and “the service of the service server S1 for the user segment 12a and the user segment 12b is affected. The contents of the test are determined using the rule information from “Receiving” and “Service server S2 service to user segment 12a and user segment 12b is affected”.

  For example, the inspection unit 163 verifies the “communication from the service server S1 to the user segment 12a and the user segment 12b” and the “communication from the service server S2 to the user segment 12a and the user segment 12b”. It is decided to execute the test and the test for verifying the “service response time from the service server S2 to the user segment 12b”.

  Then, the verification unit 163 determines a program corresponding to each test content with reference to the test information, and transmits the determined test execution command to the corresponding reference site. For example, the inspection unit 163 transmits a test execution command “Ping to the service server S1 to record the presence / absence of a response” to the reference site RS1. In addition, the inspection unit 163 transmits a test execution command “Ping to the service server S1 to record presence / absence of a response” to the reference site RS2. In addition, the inspection unit 163 transmits a test execution command of “Ping to the service server S2 to record presence / absence of response and response time” to the reference site RS2.

  And the analysis part 163 analyzes the test result received from each reference site, and evaluates the influence of the event with respect to each service. For example, the test results are “a response from the service server S1 to the reference site RS1”, “a response from the service server S1 to the reference site RS2”, “a response from the service server S2 to the reference site RS2”, “service When the response time from the server S2 to the reference site RS2 is longer than a predetermined time, the analyzing unit 163 indicates that “the communication of the service provided from the server S2 to the user terminal included in the user segment 12b is delayed. Analyzes.

  Then, the notification unit 165 generates an event report from the analysis result by the analysis unit 164 and the event detailed information, and notifies the administrator of the network 10. FIG. 8 is a diagram illustrating an example of an event report notified by the notification unit 165 according to the first embodiment. For example, as shown in FIG. 8, the notification unit 165 displays “event name: link failure” and “event details: the port of the router R4 of the relay network 11 goes down, and the link failure between the router R3 and the router R4. And “Influence: Delay in communication of service provided by server S2 to user terminals included in user segment 12b” is generated. Then, the notification unit 165 causes the display unit 130 to display the generated event report.

[Procedure for processing by impact assessment device]
Next, a processing procedure performed by the impact evaluation apparatus 100 according to the first embodiment will be described with reference to FIG. FIG. 9 is a flowchart illustrating a procedure of processing performed by the impact evaluation apparatus 100 according to the first embodiment. FIG. 9 shows processing after an event occurs in the network 10 and the EM 30 generates event detailed information.

  As shown in FIG. 9, in the impact evaluation apparatus 100 according to the first embodiment, when an event occurs in the network 10, the acquisition unit 161 acquires event detailed information and configuration information of the network 10 (step S101). . Then, the estimation unit 162 estimates the NW device and service affected by the event using the event detailed information and the network configuration information acquired by the acquisition unit 161 (step S102).

  Then, the inspection unit 163 selects a reference site and a test program to be tested based on the rule information from the NW device and service estimated by the estimation unit 162 and the content of the event (step S103). Then, the inspection unit 163 transmits a test execution command to the selected reference site (step S104).

  When the test result is received from the reference site (Yes at Step S105), the analysis unit 164 analyzes the influence of the event on the service (Step S106). And the notification part 165 produces | generates an event report from the analysis result by the analysis part 164, notifies an NW administrator (step S107), and complete | finishes a process. In step S105, the impact evaluation apparatus 100 is in a standby state until a test result from the reference site is received (No in step S105).

[Effect of the first embodiment]
As described above, according to the first embodiment, the acquisition unit 161 acquires log information of network devices included in the network 10 and configuration information of the network 10. Based on the log information acquired by the acquisition unit 161 and the configuration information of the network 10, the estimation unit 162 estimates the range and service on the network 10 that are affected by the event that has occurred in the network 10. Then, the inspection unit 163 inspects the content of the influence of the event occurring in the network 10 on the service in the range on the network 10 estimated by the estimation unit 162. And then. The notification unit 165 notifies the administrator of the network 10 of the inspection result by the inspection unit 163. Therefore, the influence evaluation apparatus 100 according to the first embodiment makes it possible to easily evaluate the influence of an event on a network or a service.

  For example, in the prior art, in order to evaluate the influence of an event, the NW administrator estimates the range of influence on the NW based on the detailed information of the event, and selects and evaluates an appropriate evaluation means. However, the influence evaluation apparatus 100 according to the first embodiment can perform an appropriate evaluation according to the event, and can easily evaluate the influence of the event on the network and the service.

  In addition, for example, in the prior art, it is necessary for an administrator to grasp not only information related to an event but also information on the physical configuration and logical configuration of the NW, which requires a high level of knowledge for the NW administrator. However, the impact evaluation apparatus 100 according to the first embodiment can automatically perform the event detection to the impact assessment, and easily influence the event on the network and the service. Make it possible to evaluate.

  Further, according to the first embodiment, the estimation unit 162 is configured to provide services from a plurality of service providing servers and a plurality of service providing servers that provide services on the network 10 based on the log information and the configuration information of the network 10. A service providing server and user terminals that are affected by a failure occurring in the network are estimated from among a plurality of user terminals to be provided. Therefore, the influence evaluation apparatus 100 according to the first embodiment makes it possible to estimate in detail the range of influence caused by an event.

  In addition, according to the first embodiment, the inspection unit 163 causes the reference site to perform inspection contents based on the combination of the failure that has occurred in the network 10 and the range on the network 10 estimated by the estimation unit 162. And the execution of the determined inspection contents is executed by the reference site, thereby inspecting the contents of the influence of the failure on the service. Therefore, the influence evaluation apparatus 100 according to the first embodiment makes it possible to execute appropriate inspections corresponding to various events.

  Further, according to the first embodiment, the analysis unit 164 causes a failure that has occurred in the network 10 to a service in the range on the network 10 estimated by the estimation unit 162 based on the inspection result by the inspection unit 163. Analyze the content of the impact of. Then, the notification unit 165 generates a report that combines the analysis result by the analysis unit 164 and the failure, and notifies the generated report to the administrator of the network 10. Therefore, the impact evaluation apparatus 100 according to the first embodiment can provide details of the impact of the event on the service to the network administrator, and enables the network administrator to take appropriate and prompt actions. .

  Further, according to the first embodiment, the acquisition unit 161 acquires information including Syslog information, MIB information, and output information of the Show command as log information. Therefore, the impact evaluation apparatus 100 according to the first embodiment can acquire various information regarding the state of the network device, and can detect various events.

[Second Embodiment]
Although the first embodiment has been described so far, the technology according to the present application is not limited to the first embodiment. That is, the first embodiment can be implemented in various other forms, and various omissions, replacements, and changes can be made.

  In the first embodiment described above, the case where the event report is notified to the administrator of the network 10 has been described. However, the embodiment is not limited to this. For example, the event report may be notified to each of a plurality of network administrators. For example, the event report may be notified to the managers of the user segment 12a and the user segment 12b shown in FIG. Thereby, for example, the impact evaluation apparatus 100 according to the second embodiment can quickly notify the user who is affected by the event. Further, for example, the impact evaluation apparatus 100 according to the second embodiment enables each network administrator to more appropriately perform network design, server configuration, and the like.

[System configuration, etc.]
For example, the specific form of distribution / integration of each device (for example, the form shown in FIG. 2) is not limited to the one shown in the figure, and all or a part thereof can be changed in arbitrary units according to various loads and usage conditions. Functionally or physically distributed and integrated. For example, the acquisition unit 161 and the estimation unit 162 may be integrated as one processing unit, while the inspection unit 163 includes a reference site and a determination unit that determines the inspection content, and the determined inspection content. You may distribute to the execution control part performed by the determined reference site.

  Further, the Syslog collection function, the system log collection function other than Syslog, and the event detailed information management function provided in the EM 30 may be executed by the same device, or may be executed by different devices. It may be the case.

  These embodiments and modifications thereof are also included in the invention according to the claims and equivalents thereof, if included in the technology according to the present application.

10 network 11 relay network 12a, 12b user segment 13a, 13b server segment 20 CMDB
30 EM
DESCRIPTION OF SYMBOLS 100 Impact evaluation apparatus 161 Acquisition part 162 Estimation part 163 Inspection part 164 Analysis part 165 Notification part

Claims (6)

An acquisition unit that acquires log information about a plurality of network devices included in a network and configuration information indicating a configuration of the plurality of network devices in the network;
Based on the log information acquired by the acquisition unit and the configuration information of the network, an estimation unit that estimates a range and service on the network affected by a failure that has occurred in the network;
An inspection unit that inspects the content of the influence of a failure that has occurred in the network on the service in the range on the network estimated by the estimation unit;
A notification unit for notifying the network administrator of the inspection result by the inspection unit;
An impact evaluation apparatus comprising:   The estimation unit is based on the log information and the configuration information of the network, among a plurality of service providing servers that provide services on the network and a plurality of user terminals that receive services from the plurality of service providing servers, The impact evaluation apparatus according to claim 1, wherein a service providing server and a user terminal that are affected by a failure occurring in the network are estimated.   The inspection unit determines an inspection content to be executed by a reference site based on a combination of a failure occurring in the network and a range on the network estimated by the estimation unit, and executes an execution command of the determined inspection content. The influence evaluation apparatus according to claim 1, wherein the influence evaluation apparatus inspects the content of the influence of the failure on the service by being executed by the reference site. Based on the inspection result by the inspection unit, the service unit in the range estimated on the network by the estimation unit, further comprising an analysis unit for analyzing the content of the effect of the failure that has occurred in the network,
The said notification part produces | generates the report which combined the analysis result by the said analysis part, and the said failure, and notifies the produced | generated report with respect to the administrator of the said network. The impact evaluation apparatus according to one.   The impact evaluation apparatus according to claim 1, wherein the acquisition unit acquires information including Syslog information, MIB information, and output information of a Show command as the log information. An impact assessment method executed by an impact assessment device that assesses the impact of a failure occurring in a network,
An acquisition step of acquiring log information regarding a plurality of network devices included in the network and configuration information indicating a configuration of the plurality of network devices in the network;
Based on the log information acquired by the acquisition step and the configuration information of the network, an estimation step of estimating a range and a service on the network affected by a failure that has occurred in the network;
An inspection step of inspecting the contents of the influence of a failure occurring in the network with respect to the service in the range on the network estimated by the estimation step;
A notification step of notifying an inspection result of the inspection step to an administrator of the network;
An impact assessment method characterized by including

Images