JP2014239315A - Network fault analyzing system and network fault analyzing program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to estimate and narrow down suspected places of fault occurrence on a network on the basis of information on a utilization situation and fault situation at a business application or the like regardless whether a fault is detected or not on a network level.SOLUTION: A network fault analyzing system for analyzing a fault in a network system holds information on a communication requirement to identify communication used by each business application, and information on a communication path, which is information on nodes made up of network devices on a path of communication related to each communication requirement; identifies information on a communication requirement used by a business application and information on a first communication path related to the communication requirement on the basis of contents of notification if it is notified that a fault has been detected during execution of the business application; and if there is a node that exists on both the first communication path and a second communication path related to one or more faults already having occurred, estimates the node as a suspected place of fault occurrence.

Description

  The present invention relates to a network fault monitoring technique, and more particularly to a technique effective when applied to a network fault analysis system and a network fault analysis program for estimating a fault location on a network based on a fault detection status in the system.

  In the operation and management of an information processing system, a mechanism for monitoring various devices such as server devices and network devices, and functions and services provided by these devices is usually constructed.

  In a network fault monitoring apparatus or a system for identifying a faulty part, generally, for example, the fourth layer of seven layers of the so-called OSI reference model, such as a response packet disconnection or a packet response decrease. Are collected, and the site of failure is identified or estimated based on the information.

  As a technology related to this, for example, Japanese Patent Laid-Open No. 2002-271328 (Patent Document 1) detects a failure information in a network system and hierarchically defines a network element constituting the network system and the database A technique for extracting a network element that is presumed to be the cause of a failure from the network elements based on the failure information is described.

  Japanese Unexamined Patent Application Publication No. 2007-189615 (Patent Document 2) discloses a device monitoring unit that collects information on a faulty device as faulty device information, and a diagnosis having fault cause information indicating the cause of the fault corresponding to the faulty device information. A diagnostic file storage unit for storing a file, a failure cause analysis unit for diagnosing the cause of the failure by acquiring the failure cause information from the diagnostic file based on the failed device information, and a failure based on the failed device information and the network topology information A network monitoring support apparatus is provided that includes a failure influence range analysis unit that identifies an influence range of a failure, and a failure recovery unit that calculates an avoidance route that is a communication route that avoids the influence range of the failure based on device load information Yes.

  Japanese Patent Laid-Open No. 2012-213057 (Patent Document 3) discloses a failure analysis device that periodically collects connection information from each device constituting a video provider facility and each device constituting a communication network facility. If an error occurs when receiving and decoding the video signal from the video server and it is determined that the evaluation criterion indicated by the evaluation criterion data acquired in advance is exceeded, an evaluation criterion excess notification is sent to the failure analysis device. A failure analysis system having a video receiving device is described. In the system, the failure analysis apparatus reads the distribution route of the video reception device specified by the node identification information indicated by the received evaluation criterion excess notification from the connection information, and the device on the read distribution route or the evaluation criterion excess notification is received. The failure location is identified from the commonality of the indicated channels.

JP 2002-271328 A JP 2007-189615 A JP 2012-213057 A

  In the conventional technology as described above, it is possible to specify or estimate the location of a failure based on failure information in the network system, network configuration information, route information, and the like. However, in these technologies, when a clear failure is detected at the network level (for example, up to the fourth layer of the OSI reference model), or when an event that causes a failure such as a communication delay occurs. It only works for me.

  On the other hand, for example, in the case of a “half-dead” state where an operational failure has occurred in a business application but the failure has not been clearly detected at the network level, identification and estimation of the suspected portion of the failure, It was difficult to narrow down. For this reason, despite the troubles for the users, the system operators and operators have not grasped it as abnormal, and the situation where the troubles for the users are continued for a long time. There was a case. If this situation is not adequately handled, customer satisfaction with the operator or operator may be reduced, and subsequent business opportunities may be lost.

  Accordingly, an object of the present invention is to enable estimation and narrowing down of suspected sites of failure occurrence on the network based on the usage status and failure status information in business applications, etc., regardless of whether or not a failure is detected at the network level. Another object is to provide a network failure analysis system and a network failure analysis program.

  The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.

  Of the inventions disclosed in this application, the outline of typical ones will be briefly described as follows.

  A network failure analysis system according to a representative embodiment of the present invention is a network failure analysis system for analyzing a failure in a network system having an information processing apparatus on which a business application operates, and specifies communication used by each business application Information on communication requirements for communication and information on communication paths, which are information on nodes composed of network devices on the communication paths related to each communication requirement, are stored.

  When notified that a failure has been detected during execution of a business application, the communication requirement information used by the business application and the first communication path information related to the communication requirement are specified based on the content of the notification. When there is an overlapping node between the first communication path and the second communication path related to one or more faults that have already occurred, the node is estimated as a suspected part of the fault occurrence. Is.

  The present invention can also be applied to a program that causes a computer to operate as a network failure analysis system as described above.

  Among the inventions disclosed in the present application, effects obtained by typical ones will be briefly described as follows.

  That is, according to the representative embodiment of the present invention, regardless of whether or not a failure has been detected at the network level, the suspected occurrence of a failure on the network is determined based on the usage status or failure status information in a business application or the like. It is possible to estimate and narrow down the parts.

It is the figure which showed the outline | summary about the structural example of the application monitoring server which has the network failure analysis system which is one embodiment of this invention. It is the figure which showed the outline | summary about the structural example of the network of the information processing system which the business application in one embodiment of this invention operates. It is the figure which showed the outline | summary about the example which estimates a failure site | part when a failure is detected with the business application in one embodiment of this invention. It is the figure which showed the outline | summary about the data structure of the communication requirement table in one embodiment of this invention, and the example of concrete data. It is the figure which showed the outline | summary about the data structure of the path | route information table in one embodiment of this invention, and the example of concrete data. It is the figure which showed the outline | summary about the data structure of the job table and specific example of data in one embodiment of this invention. It is the figure which showed the outline | summary about the data structure of the application path | route information table in one embodiment of this invention, and the example of concrete data. It is the figure which showed the outline | summary about the example of the flow of a process of estimation / narrowing down of the suspected site | part of failure occurrence in one embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

<Overview>
A network failure analysis system according to an embodiment of the present invention is an information processing system including information processing apparatuses such as one or more server devices and network devices. By monitoring whether it is normal and analyzing the result, it is possible to narrow down or estimate the suspected location of the failure on the network configuration of the information processing system regardless of whether or not a failure has been detected at the network level. It is a system that makes it possible.

  More specifically, for communication performed when each business application executes a process, information on the IP address of the transmission source and the transmission destination, and information on the communication path (node through) between them is registered in advance. When an abnormality or failure is detected in business application monitoring or the like, it is estimated that there is a suspicious part of the failure on the node on the communication path used by the business application in which the failure is detected, and this is narrowed down.

  For example, if a failure is detected in multiple business applications, and there are duplicate nodes in the communication path used by each business application, the probability that these duplicate nodes are causing the failure is high. From these, we narrow down these as suspected parts. If there is no overlapping node (or there is only one business application in which a failure is detected), each node on the communication path overlaps with any of the communication paths used by all other business applications If not, that is, if the node is used only for communication in the business application, it is highly likely that the node is the cause of the failure, so these nodes are narrowed down as suspected parts.

  FIG. 2 is a diagram showing an overview of a configuration example of a network of an information processing system in which a business application according to the present embodiment operates. In the example of FIG. 2, a plurality of business servers (business server A (2a) to business server D (2d)) that operate a business application cooperate with each other to provide a service. It is configured to be connected by network devices (node A (3a) to node E (3e) and others) such as routers and layer 3 switches. In addition, an application monitoring server 1 that monitors a failure or abnormality in a business application running on each business server is connected.

  Here, for example, regarding the processing performed in cooperation between the business application on the business server A (2a) and the business server C (2c), as a communication requirement, node A (3a) → node B (3b) → node C (3c) ) Indicates that communication is performed through the route. Similarly, for example, the processing performed in cooperation between the business server B (2b) and the business application on the business server D (2d), as a communication requirement, node D (3d) → node B (3b) → node E (3e) ) Indicates that communication is performed through the route. There may be other communication paths used in the business application, but description thereof is omitted here.

  In the example of FIG. 2, business applications such as the business server A (2 a) and the business server C (2 c) that operate in cooperation with both ends of the communication path are configured to operate. A configuration in which a business application runs only on a server and communication via a plurality of nodes is thereby performed may be employed. In addition, both ends of the communication path are not limited to server devices such as business servers, for example, network devices, client terminals such as PCs (Personal Computers) on which programs such as Web browsers operate, bank ATM machines (automatic cash deposits) An information processing device other than a narrowly-defined server device may be used.

  FIG. 3 is a diagram showing an outline of an example of estimating a faulty part when a fault is detected by the business application in the present embodiment. Here, in the system configuration and network configuration similar to FIG. 2, for example, the application monitoring server 1 indicates that a failure has occurred in each of the business applications running on the business server C (2c) and the business server D (2d). It shows that it was detected at the same time or in close time.

  At this time, even if a clear failure event is not detected in the network monitoring, there is a problem with one of the nodes or devices in the network configuration and it is in a “half-dead” state. Assume that a failure has occurred. Then, it is inferred that the problematic node will be present in any node on the communication path used by the business application in which the failure has occurred. Therefore, when a failure occurs at the same time in a plurality of business applications, a problem occurs in the overlapping part (node B (3b) in the example of FIG. 3) in the communication path used by these business applications. It is estimated that there is a high possibility that

  On the other hand, for example, when a failure is detected in only one business application instead of detecting a failure in a plurality of business applications as in the example of FIG. 3, the business application is contrary to the above estimation. Of the nodes on the communication path used by, those that do not overlap with any of the communication paths used by other business applications (not limited to those that detect a failure) (or that have a small number of overlapping paths) ) Is likely to have a problem. On the other hand, it is estimated that there is a low possibility that a node that overlaps with a communication path used by another business application (or a node with a large number of overlapping paths) has a problem. The

  If the node where the problem occurs overlaps with the communication path used by another business application, it is highly probable that a failure will occur in that business application. Is possible. Such a guess can be applied in the same way even when a failure is detected by a plurality of business applications, but there is no overlapping portion in the communication path.

  In the network failure analysis system of the present embodiment, by taking the above-described method, for example, in a network monitoring device or the like, information on a physical failure such as a network device, a line, or a cable, a communication delay, Even if information that could be a sign of failure such as packet loss cannot be detected, if an event such as failure or deterioration occurs in the usage status of business applications, It is possible to estimate or narrow down and take appropriate measures to promptly recover or avoid failures.

<System configuration>
FIG. 1 is a diagram showing an outline of a configuration example of an application monitoring server having a network failure analysis system according to an embodiment of the present invention. As shown in FIG. 1, the network failure analysis system according to the present embodiment is implemented as a network failure analysis unit 20 on the application monitoring server 1, for example. On the application monitoring server 1, for example, a business application monitoring unit 10 that monitors failures and abnormalities of business applications respectively running on one or more business servers 2 is mounted. In addition, a network failure monitoring system (not shown) for monitoring a network failure or abnormality may be implemented. Of course, these systems can be configured as independent server systems.

  As shown in FIGS. 2 and 3, the application monitoring server 1 monitors a failure or abnormality of a business application (not shown) running on one or more business servers 2, and if a failure is detected, a failure occurs. It is a server system having a function of estimating or narrowing down the suspicious part of the output. The application monitoring server 1 includes, for example, a server device, a virtual server in a cloud computing environment, and the like as a software program that runs on middleware such as an OS (Operating System) and a DBMS (DataBase Management System) (not shown). Each unit (subsystem) such as the business application monitoring unit 10 and the network failure analysis unit 20 is mounted.

  The business application monitoring unit 10 has a function of monitoring a failure or abnormality of a business application running on each business server 2 and outputting a notification or the like when these are detected. The determination as to whether a failure or abnormality has occurred in the business application can be made based on, for example, obtaining a predetermined error message or warning message output when the business application is executed.

  Since the purpose of this embodiment is to estimate the suspected faulty part of the network, the predetermined error message and warning message are, for example, purely business / application errors (inappropriate input) Data, operations, business application program defects, etc.) are excluded. As the business application monitoring unit 10, existing or commercially available operation monitoring tools, solutions, package programs, and the like can be used as appropriate.

  The network failure analysis unit 20 uses the above-described method based on the information on the monitoring result of the business application failure or abnormality by the business application monitoring unit 10 to use a node (in the communication path used by each business application in which a failure is detected) It has a function of estimating or narrowing down one or more nodes from a network device) as suspected sites of failure occurrence, and functions as a network failure analysis system. The network failure analysis unit 20 includes, for example, a failure site estimation unit 21 implemented as a software program, and a communication requirement table 22 and a route information table 23 configured by a database, a file table, and the like. Further, each data of the suspected path information 24 and suspected node information 25 output as the processing result of the faulty part estimation unit 21 is stored in a file or memory.

  The failure site estimation unit 21 has a function of estimating or narrowing down one or more nodes as suspected sites of failure occurrence from the nodes on the communication path used by each business application in which a failure is detected by the above-described method. . Therefore, in the network failure analysis unit 20, information related to communication requirements for specifying communication used by each business application (for example, IP addresses of transmission sources and transmission destinations, information of each node on the communication path, etc.) Is acquired automatically or manually and stored in the communication requirement table 22 and the route information table 23 in advance.

  In the failure part estimation unit 21, when a failure is detected by the business application monitoring unit 10, information on the communication path in which the failure has occurred is based on the contents of the communication requirement table 22 and the route information table 23 based on the failure notification message. To identify. Further, from each node on the communication path, a node that is a suspected site of failure occurrence is estimated or narrowed down by the above-described method, and the contents are notified by displaying a list on a screen of a monitoring client terminal or the like.

  At this time, information on the communication path in which the failure is newly detected is recorded in the failure suspected path information 24, and information on each node on the communication path is recorded in the suspected node information 25. The communication path and node entry information recorded in the failure suspected path information 24 and the suspected failure node information 25 are automatically or manually erased at the timing of the corresponding failure recovery, the passage of a certain time, etc. It is assumed that information is updated based on the latest failure status.

<Data structure>
FIG. 4 is a diagram showing an outline of the data configuration of the communication requirement table 22 and specific data examples in the present embodiment. The communication requirement table 22 is a table that holds information on requirements for communication used by each business application. Each item includes a source address, a destination address, a protocol, and a port number.

  No. This item holds information such as a sequence number uniquely assigned to each communication requirement entry. Each item of the transmission source address and the transmission destination address holds information on the IP address of each business server 2 that is the transmission source and the transmission destination in the target communication requirement. Each item of the protocol and the port number holds information on the protocol and the port number used in the target communication requirement. As shown in the figure, the protocol can include information such as “tcp” and “udp”, for example. The above items in the communication requirement table 22 are manually registered in advance by, for example, an administrator.

  In the example of FIG. 4, the two communication paths indicated by arrows in the example of FIG. 2 (between business server A (2a) and business server C (2c), and between business server B (2b) and business server D (2d)). ), No. In this example, specific data is registered in entries whose items are “1” and “7”.

  FIG. 5 is a diagram showing an overview of the data configuration of the route information table 23 and specific data examples in the present embodiment. The path information table 23 is a table that holds information on nodes belonging to communication paths corresponding to each communication requirement registered in the communication requirement table 22. , The transmission source address, the transmission destination address, the node number, the node, the previous node, and the subsequent node.

  No. This item holds information such as a sequence number uniquely assigned to each node entry. Each item of the transmission source address and the transmission destination address is information on the IP address of each business server 2 that is the transmission source and the transmission destination in the communication path to which the target node belongs, and the communication requirement table shown in FIG. This corresponds to 22 items of source address and destination address.

  The item of node number holds information such as a sequence number uniquely assigned to each node in the communication path to which the target node belongs. In the example of FIG. 5, “1”, “2”,... Are assigned in order from the node closest to the transmission source, but this is not a limitation. The node item holds information such as a machine name that identifies a network device or the like constituting the target node. In the present embodiment, the names such as “node A” and “node B” are specified in correspondence with the nodes A (3a) and B (3b) in the example of FIG. Each item of the previous node and the subsequent node holds information such as a machine name that identifies a node one hop ahead and behind the target node in the communication path to which the target node belongs.

  In the example of FIG. 5, as in the case of FIG. 4, the two communication paths (between business server A (2a) and business server C (2c) and business server B (2b) indicated by arrows in the example of FIG. For each node on the business server D (2d). In this example, specific data is registered in entries “1” to “3” and “13” to “14”.

  For example, nodes (No. items “1” to “3”) on a communication path having a source address “192.168.1.1” and a destination address “192.168.11.2”. Entry), the node with the node number item “1” (“node A”) is the first node on the communication path, as shown in the configuration example of FIG. This indicates that the value of the item of the previous node is not set. Similarly, nodes (No. items “13” to “15” on the communication path with the source address “192.168.10.1” and the destination address “192.168.29.2”). In the entry), the node having the node number item “3” (“node C”) is the last node on the communication path, so there is no rear node, and the value of the rear node item is not set. It is shown that.

  The information on the nodes on each communication path registered in the path information table 23 can be manually registered. For example, the routing table set for each node is acquired, collected, and analyzed. It is also possible to appropriately use a known technique for automatically calculating communication path information on the network. In addition, such calculation processing is periodically performed at a daily timing and / or timely triggered by a network configuration change or the like, so-called dynamic routing is used, and a communication path is automatically set. Even if the configuration is changed or optimized, the information of each node in the route information table 23 can be appropriately updated to appropriately cope with it.

  In the example of FIGS. 4 and 5, in order to specify the communication path, the communication requirement specified by the IP address of the transmission source and the transmission destination is registered in the communication requirement table 22 as shown in FIG. However, the specific method of the communication path is not limited to this. For example, it is also possible to manage information by directly associating communication path information with identification information such as jobs and processes of business applications to be monitored by the business application monitoring unit 10.

  FIG. 6 is a diagram showing an overview of the data configuration of the job table 22 ′ and specific data examples in the present embodiment. The job table 22 ′ is a table that holds information on jobs executed as business applications on each business server 2, and includes items such as a job ID and an application identification ID. The job ID item holds information such as an ID and a number for uniquely identifying each job. The item of application identification ID holds information such as an ID for identifying an application program or module executed in the target job. A plurality of application programs may be executed in one job.

  FIG. 7 is a diagram showing an overview of the data configuration of the application route information table 23 ′ and specific data examples in the present embodiment. Here, instead of the items of the transmission source address and the transmission destination address in the example of the route information table 23 shown in FIG. This item is information for specifying a business application that uses the communication path to which the target node belongs, and corresponds to the application identification ID item in the job table 22 ′ shown in FIG. 6.

  By using tables having configurations such as the job table 22 ′ shown in FIG. 6 and the application route information table 23 ′ shown in FIG. 7, the communication used from the identification information of the job executed on the business server 2 It becomes possible to directly acquire information of each node on the route. In the case of a job in which a failure is actually detected, the failure may be ignored if it is insignificant based on the content of the failure, the importance of work, and the scope of influence. If the job is normally completed when the job is rerun or the like, the failure may be ignored.

  Note that the data configuration (items) of each table shown in FIGS. 4 to 7 is merely an example, and other table configurations and data configurations are possible as long as similar data can be held and managed. It may be.

<Process flow>
FIG. 8 is a diagram showing an outline of an example of a flow of processing for estimating and narrowing down a suspected site where a failure has occurred in the network failure analysis unit 20 of the present embodiment. In the network failure analysis unit 20, it is assumed that the communication requirements of each business application and the node information on the communication path corresponding to each communication requirement are registered in advance in the communication requirement table 22 and the route information table 23. .

  When the process is started, the failure part estimation unit 21 first repeats the process of determining whether a failure or abnormality is detected in the monitoring result of each business application by the business application monitoring unit 10 until a failure is detected (S01). ). When a failure is detected, the communication requirement corresponding to the failure is identified among the communication requirements registered in the communication requirement table 22 based on the content of the failure notification message and the like, and the source and destination of the communication requirement are identified. IP address information is acquired (S02). Furthermore, information on each node (network device, etc.) on the communication path is acquired from the path information table 23 as information on the communication path corresponding to the communication requirement (S03).

  Furthermore, the failure suspected route information 24 is referred to, and information on the communication route related to the existing failure held here is acquired (S04). As described above, the information registered in the failure suspected route information 24 is retained only for a predetermined period after the failure is detected, and is deleted or invalidated after the period. That is, only those related to the failure detected in the adjacent time zone are registered, and it is estimated that these are related to the newly detected failure.

  Next, as a processing result of step S04, it is determined whether or not an existing failure has been registered (S05), and if registered, on the communication path on which a new failure has been detected, acquired in step S03. A loop process for repeating the process is started for all the nodes (S06). In the loop processing, first, whether the target node is included in any of the communication paths related to the existing failure acquired in step S04, that is, the communication path that newly detected the failure and the existing failure It is confirmed whether or not such communication paths overlap in the target node (S07, S08).

  If there is no overlap in step S08, the process for the target node is terminated and the process proceeds to the next node (S10, S06). On the other hand, if they overlap, the target node is extracted as a suspected part (S09). This is because, when a plurality of failures are detected, nodes that overlap in the communication paths used by the business applications related to these failures are considered to have a high probability of causing the failure. At this time, for example, the number of overlaps with the communication path related to the existing failure may be counted and used as one of the parameters representing the estimated strength. The node information extracted as the suspected part is registered in the failure suspected node information 25. Thereafter, the process for the target node is terminated, and the process proceeds to the next node (S10, S06).

  When the loop processing for all the nodes on the communication path in which a failure is newly detected is completed, it is determined whether there is a node extracted as a suspected part with reference to the suspected node information 25 (S11). If there is a node extracted as the suspected part, this is output (S17), and the process is terminated.

  On the other hand, if the node extracted as the suspected part does not exist, and if the existing failure is not registered in step S05 (if it is the first detected failure), it is acquired in step S03. Another loop process for repeating the process is started for all nodes on the communication path in which a failure is newly detected (S12). In the loop process, first, the target node may be limited to all other communication paths registered in the communication requirement table 22 and the path information table 23 (for which the failure is not detected in terms of processing efficiency). ) That is included in any of the above, that is, whether or not the communication path in which the failure is newly detected overlaps with another communication path in the target node (S13, S14).

  If there is an overlap in step S14, the process for the target node is terminated and the process proceeds to the next node (S16, S12). On the other hand, if there is no overlap, the target node is extracted as a suspected part (S15). If there is only one business application in which a failure has been detected, or if there is no overlap with the communication path related to the existing failure, it will overlap with other communication paths including those in the normal state. This is because a node that has not been considered is considered to have a high probability of causing a failure alone.

  Not only when there is no duplication, but also when there are few duplications, there is a possibility that it may cause a failure alone. Therefore, even if there are duplications in step S14, the number of duplications is a predetermined number. A predetermined upper number of nodes may be extracted as suspected sites in order from a smaller number of nodes or a smaller number of duplicated nodes. At this time, for example, the small number of duplicates may be used as one of the parameters representing the estimated strength. In this case, the greater the number of duplicates, the weaker the estimation strength as the suspected part.

  The node information extracted as the suspected part is registered in the failure suspected node information 25. Thereafter, the process for the target node is terminated, and the process proceeds to the next node (S16, S12). When the loop processing for all the nodes on the communication path in which a failure is newly detected is completed, the node registered in the failure suspected node information 25 is output as the estimated suspected portion (S17), and the processing is terminated. Before the process is completed, the information related to the communication path that has newly detected the failure acquired in steps S02 and S03 is registered in the failure suspected path information 24 as information on the communication path related to the existing failure. deep.

  As described above, according to the network failure analysis system according to an embodiment of the present invention, when an operation of a business application running on each business server 2 is monitored in the information processing system and a failure is detected, By analyzing the presence or absence of duplication between the communication path used by the business application that detected the fault and the communication path related to the existing fault or other normal communication path, whether or not the fault has been detected at the network level. First, it becomes possible to estimate or narrow down the nodes that are suspected of occurrence of failure in the network configuration.

  As a result, for example, when a network monitoring device or the like cannot detect information on a physical failure such as a network device, a line, or a cable, or information that may indicate a failure such as a communication delay or a packet loss. However, if an event such as a failure or deterioration occurs in the usage status of a business application, the suspected location of the failure in the network configuration is estimated and appropriate measures are taken to quickly recover or avoid the failure. It becomes possible.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiments. However, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention. Needless to say. For example, the above-described embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to the one having all the configurations described. In addition, it is possible to add, delete, and replace other configurations for a part of the configuration of the above-described embodiment.

  Moreover, in each said figure, the control line and the information line have shown what is considered necessary for description, and do not necessarily show all the control lines and information lines on mounting. Actually, it may be considered that almost all the components are connected to each other.

  The present invention is applicable to a network failure analysis system and a failure analysis program for estimating a failure site on a network based on a failure detection situation in the system.

DESCRIPTION OF SYMBOLS 1 ... Application monitoring server, 2 ... Business server, 2a-2d ... Business server A-Business server D, 3a-3e ... Node A-Node E,
10: Business application monitoring unit,
DESCRIPTION OF SYMBOLS 20 ... Network fault analysis part, 21 ... Fault site | part estimation part, 22 ... Communication requirement table, 22 '... Job table, 23 ... Path information table, 23' ... Application path information table, 24 ... Fault suspected path information, 25 ... Fault Suspect node information.

Claims (5)

A network failure analysis system for analyzing a failure in a network system having an information processing apparatus on which a business application operates,
Holds communication requirement information for identifying the communication used by each business application, and communication path information that is node information consisting of network devices on the communication path related to each communication requirement,
When notified that a failure has been detected during execution of a business application, the communication requirement information used by the business application and the first communication path information related to the communication requirement are specified based on the content of the notification. When there is an overlapping node between the first communication path and the second communication path related to one or more faults that have already occurred, the node is estimated as a suspected part of the fault occurrence. , Network failure analysis system. The network failure analysis system according to claim 1,
A network failure analysis system that estimates a suspected portion having a higher suspected degree as a node having a larger number of overlapping between the first communication path and one or more second communication paths. In the network failure analysis system according to claim 1 or 2,
When there is no overlapping node between the first communication path and one or more second communication paths, or when the second communication path does not exist, each of the first communication paths Network failure in which, when there is a node that does not overlap with one or more third communication paths that are used by all other business applications, the node is estimated as a suspected site of failure Analysis system. The network failure analysis system according to claim 3,
A network failure analysis system that estimates a suspected portion having a higher degree of suspicion as a node having a smaller number of overlaps with one or more third communication routes among the nodes in the first communication route. A network failure analysis program for operating a computer as a network failure analysis system for analyzing a failure in a network system having an information processing apparatus on which a business application operates,
When notified that a failure has been detected in the execution of a business application, based on the content of the notification, information on communication requirements for identifying the content of communication used by the business application and the communication requirements Information on the first communication path, which is information of nodes composed of network devices on the communication path, is specified, and the first communication path and the second communication path related to one or more faults that have already occurred A network failure analysis program that executes a process of estimating a node that is suspected of causing a failure when there is a node that overlaps with the node.

Images