JP4819014B2 - Log analysis method, log storage device, and program - Google Patents

Description

  The present invention relates to a log analysis technique for realizing abnormality detection or abnormality prediction in order to realize a highly reliable computer system.

  Computer systems are used in various fields of society and are indispensable for social activities. Along with this, the demand for high reliability of computer systems is also increasing. However, in a complex system composed of a plurality of computers, such as a Web three-layer system (business system), it is difficult to realize system abnormality detection and prediction, which are indispensable for achieving high reliability. Recently, this trend has been further strengthened due to the multi-vendor of hardware and software constituting the system such as the Web 3-layer and the distribution of processing.

  In order to detect and predict a system abnormality, a basic measure is to embed a probe for detecting an abnormality in the system or prepare a rule for detecting an abnormality from a log output from the system. However, due to the complexity of the system and the black box as described above, such countermeasures cannot be taken against all abnormalities. In some cases, it is also difficult to enumerate what anomalies can occur. However, the importance of computer systems as a social infrastructure is increasing, and it is necessary to detect and predict abnormalities quickly and accurately.

  Therefore, a statistical method for comparing the log output from the system with the log output during normal operation and determining that a system abnormality has occurred or is likely to occur when there is a change. There is a movement to use the log analysis technology used to detect and predict abnormalities. For example, in Non-Patent Document 1 and Non-Patent Document 2, it is possible to detect and predict the occurrence of an abnormality in the Web system by comparing the normal log and the current log against the access log of the Web system. It is disclosed.

As pointed out in Non-Patent Document 1 and Non-Patent Document 2, in the detection and prediction of abnormality of a computer system using such log analysis technology, false positives (hereinafter, misinformation and false positives are synonymous) ) Is known to be a problem. The false positive is a phenomenon in which no abnormality actually occurs, but the occurrence of abnormality is detected or predicted from the log analysis result. The reason for the occurrence of false positives varies depending on the configuration of the computer system, the characteristics of the log used for log analysis, the algorithm used for the log analysis technology, and the like, but there are three main categories.
(A) When a false positive occurs due to a non-abnormal event that appears occasionally (B) When a false positive occurs due to noise included in input data (log) used in log analysis (C) Used in log analysis When false positives occur due to improper algorithms or preprocessing of data, against these, partial solutions are provided by the prior art. Patent Document 1 and Patent Document 2 for (A), Patent Document 3 for (B), and Patent Document 4, Patent Document 5 and Patent Document 6 for (C), respectively. Has given a solution.

  With respect to the above-mentioned (A) problem that “false positive occurs due to an event that does not appear abnormal”, as disclosed in “Time-series data search system” (Japanese Patent Application Laid-Open No. 2003-132808) in Patent Document 1, A partial solution can be realized by extracting features of a log of events that do not appear abnormal from time to time by using a time-series data search system that stores and retrieves data waveform features using wavelet transform. Further, as disclosed in “Failure Cause Detecting Device, Failure Cause Countermeasure Device, and Their Methods” (Japanese Patent Laid-Open No. 7-311691) in Patent Document 2, changes in environmental information, occurrence of abnormality, and information on countermeasures are disclosed. By preparing a group and registering it as a normal event for the cause of the abnormality in the method of detecting abnormality and taking countermeasures from changes in environmental information, false positives due to non-abnormal events appearing from time to time Generation can be reduced.

  With respect to the problem “False positive occurs due to noise included in input data (log) used in log analysis” in (B) above, the “state change detection device” disclosed in Japanese Patent Application Laid-Open No. HEI 7-7 As disclosed in US Pat. No. 301544), if a change in state is detected in two consecutive sampling intervals for acquiring a log, the occurrence of false positives due to noise is reduced by determining the influence of noise and adjusting the sampling interval. be able to.

The above-mentioned (C) “algorithm used in log analysis and improper data pre-processing includes false positives” problem is disclosed in Patent Document 4 “Abnormality diagnosis device, abnormal sign diagnosis” Device and Unnecessary Event Detection Device ”(Japanese Patent Application Laid-Open No. 2003-271239), remembering the normal pattern of the system, if the deviation from normal exceeds a certain amount, it is determined as abnormal, By not storing the pattern at the time of determination, it is possible to reduce the occurrence of false positives by preventing the learning algorithm for determining abnormality of the computer system from learning the log at the time of abnormality. Further, the method disclosed in “Abnormality Detection Device” (Japanese Patent Laid-Open No. 2001-74799) of Patent Document 5 uses a Fourier transform to detect a change in the frequency component of data and determine the presence or absence of an abnormality. Abnormalities that do not appear in the components can be detected, the detection algorithm is improved, and the occurrence of false positives can be reduced. Further, as disclosed in “Network Monitoring System and Method and Program” of Patent Document 6 (Japanese Patent Laid-Open No. 2005-285040), when an abnormality of the system is predicted by monitoring to detect a sign of abnormality, the content is determined according to the content. By collecting detailed information according to the rules and determining that there is no abnormality as a result, the monitoring is stopped and multiple monitoring levels are provided to determine in detail whether an abnormality has actually occurred. The occurrence of positives can be reduced.
JP 2003-13088 A JP 7-311691 A JP-A-7-301544 JP 2003-271239 A JP 2001-74799 A JP 2005-285040 A P. Bodik, G. Friedman, L. Biewald, H. Levine, G. Candea, K. Patel, G. Tolle, J. Hui, A. Fox, MI Jordan and D. Patterson, ”Combining Visualization and Statistical Analysis to Improve Operator Confidence and Efficiency for Failure Detection and Localization '', The 2nd IEEE International Conference on Autonomic Computing (ICAC '05), Seattle, June 2005. Tomohiro Nakamura, “Proposal of“ Access Time Analysis Method ”to Predict Web Application Failures”, IPSJ Transactions, IPSJ, September 2006, Computing System, Vol. 47, No. SIG12 (ACS15), pp. 349-357

  In the detection / prediction of abnormality by log analysis technology for the purpose of increasing the reliability of a computer system targeted by the present invention, how to balance the sensitivity and accuracy of detection / prediction of abnormality is an issue. In general, if the sensitivity of detection / prediction is increased in order to detect / predict without missing the occurrence of an abnormality, false positives will be detected / predicted even when no abnormality actually occurs. There is a trade-off in which occurrence increases and detection / prediction accuracy decreases. As false positives increase, confidence in the detection and prediction of abnormalities using log analysis technology is lost, so it is necessary to reduce false positives. However, a state in which abnormality is not detected / predicted even though an abnormality has actually occurred is called a false negative, but it is assumed that no false negative is generated. In other words, the issue is how to reduce the occurrence of false positives without generating false negatives.

As described in the background art section, the causes of false positives are roughly divided into the following three.
(A) When a false positive occurs due to a non-abnormal event that appears from time to time (B) When a false positive occurs due to noise included in the input data (log) used in log analysis (C) Used in log analysis When false positives occur due to improper algorithms or preprocessing of data, among these, (B) and (C) are mostly solved by the prior art shown in the background art. With regard to (A), the conventional technology alone is not sufficient solution.

  Therefore, an object of the present invention is to reduce false positives caused by non-abnormal events that appear from time to time, and to increase the reliability of abnormality detection / prediction.

  The present invention is a method and apparatus for reducing the occurrence of false positives in computer system abnormality detection / prediction utilizing log analysis technology, and is realized in addition to the conventional abnormality detection / prediction method and apparatus.

  In other words, in the log analysis method for analyzing or outputting the log output from the computer to detect or predict the abnormality of the computer, the log was received from the computer, the received log was analyzed, and the abnormality occurred in the computer Or the occurrence of an abnormality in the computer is predicted, the log is compared with a preset false alarm rule, the occurrence of an erroneous alarm is determined in the detection of an abnormality of the computer or the prediction of an abnormality, and the erroneous alarm is detected. When it is determined that an error has occurred, the occurrence of false alarms is reduced in detecting the occurrence of an abnormality in the computer or predicting the occurrence of an abnormality in the computer.

  That is, the abnormality detection / prediction method and apparatus realization method itself may be a conventional technique, and basically the abnormality detection / prediction method using any log analysis technique is used. Can reduce the occurrence of false positives.

  According to the present invention, the part added to the abnormality detection / prediction method and apparatus realized in the prior art is roughly divided into five steps. Not all of the five steps are necessarily required, and only a part can solve some of the problems to be solved by the present invention. The five steps are shown below.

  [Step 1] Notification of false positive occurrence or registration of false positive occurrence pattern. When the abnormality detection / prediction result is false positive, the occurrence of false positive is notified and the registration of when the false positive occurs is registered. Alternatively, for example, when it is known that false positives occur periodically, the cycle is registered.

  [Step 2] Registration of a state that causes false positives. Register a log when a false positive occurs. What is registered is not the log itself, but may be information such as a difference from a normal log and the frequency of occurrence of the log. The generation conditions such as the false positive generation cycle shown in step 1 may be used.

  [Step 3] Detection of a state that causes false positives. The occurrence of false positives is detected and predicted by comparing the current log and state with the log and occurrence conditions at the time of false positive occurrence.

  [Step 4] Processing to reduce the possibility of false positives. For example, when occurrence of a false positive is detected / predicted, the result of log analysis is invalidated or a log that may cause a false positive is deleted.

  [Step 5] Notification of processing results. Notify that processing that reduces the possibility of false positives has been performed. Alternatively, the log analysis result is notified both when the processing for reducing the possibility of occurrence of false positives is performed and when the processing is not performed.

  Therefore, according to the five steps shown in the means for solving the problem, for example, when a false positive occurs, the log that generated the false positive is registered, and if a similar log is output after that, It is possible to prevent the log analysis result from becoming false positive by detecting the log and deleting the log. That is, according to the present invention, it is possible to improve the detection accuracy or prediction accuracy of anomalies by reducing the occurrence of false positives and detecting and predicting anomalies in computer systems using log analysis technology realized in the prior art. There is an effect that the reliability of the detection and prediction of abnormality by the analysis technology can be increased and the reliability of the computer system can be increased.

  Furthermore, since the accuracy of abnormality detection / prediction by the log analysis technology can be fully automated or semi-automated, the cost required for the operation management of the computer system can be reduced as compared with the prior art.

  Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.

  An example of log analysis processing for reducing the occurrence of false alarms (false positives) in abnormality detection of a computer system according to the present invention will be described with reference to FIGS.

  FIG. 1 is a block diagram showing a basic configuration of a computer system to which the present invention is applied. The computer system 101 is a computer system that is a target for detecting and predicting an abnormality. The computer system 101 includes one or more computers 102. The computer 102 includes a CPU that performs arithmetic processing and a memory that stores programs and data, and executes processing for realizing a service provided by the computer system 101. Each computer 102 has one or more log generation units 103. Each log generation unit 103 generates, as a log, an execution history of hardware and software constituting each computer 102, an event history such as an executed process and an error that has occurred. The log generated by the log generation unit 103 is recorded inside and outside each computer 102 and the computer system 101. This log recording can be realized, for example, by appropriately writing to a storage device of each computer 102, a storage device in the computer system 101, or a storage device on a network connected to the computer system 101.

  The log analysis unit 105 acquires the log generated by the log generation unit 103 via the network 104 and analyzes or analyzes the log, thereby detecting or predicting the occurrence of an abnormality in the computer system 101. The log analysis unit 105 detects an abnormality of the computer system 101 from the acquired log or predicts the occurrence of the abnormality, and a result display unit 111 that outputs the abnormality detection result or the abnormality prediction result of the computer system. Composed. The detection of an abnormality of the computer system 101 is, for example, detection of a hardware stop or malfunction, a software stop or malfunction, and the prediction of an abnormality is, for example, a lack of hardware resources (storage device or memory). In such a case, the computer system 101 may be stopped or malfunctioned, such as a storage area shortage), CPU or network overload, or execution of processing different from normal.

  Furthermore, the abnormality detection / prediction unit 106 includes a log collection unit 107, an abnormality determination unit 108, and a result output unit 109. The log collection unit 107 collects logs generated by the log generation unit 103 of each computer 102 of the computer system 101 via the network 104. The abnormality determination unit 108 determines whether an abnormality has occurred in the computer system 101 from the logs collected by the log collection unit 107. As a method for determining the occurrence of abnormality, there is a method for determining based on an abnormality determination rule in addition to the known or well-known methods described in Non-Patent Document 1, Non-Patent Document 2, and the like. However, the method for determining the occurrence of abnormality is not limited to these.

  The determination result of the abnormality determination unit 108 is transmitted from the result output unit 109 to the result display unit 111 via the result output path 110. The result display unit 111 displays an abnormality determination result or an abnormality prediction result.

  The configuration shown in FIG. 1 is a basic configuration diagram relating to a log analysis method for detecting and predicting an abnormality in the computer system 101, but the log analysis method targeted by the present invention is limited to this configuration. Instead, all methods for analyzing and analyzing the log generated in the computer system 101 to detect and predict the occurrence of an abnormality are targeted. The log analysis unit 105 shown in FIG. 1 is configured by a computer as shown in FIG.

  FIG. 2 is a block diagram showing an example of a computer system to which the method for detecting the possibility of misreporting using the log at the time of misreporting according to the first embodiment of the present invention is applied.

  2, the computer system 101 is the same as the computer system 101 described in FIG. 1, but the computer 102 and the log generation unit 103 included in the computer system 101 are omitted in FIG. 2. Similarly in the following drawings, it is assumed that the computer system 101 includes the computer 102 and the log generation unit 103 as shown in FIG.

  In FIG. 2, the misinformation detection unit 201 acquires a log generated in the computer system 101 via the network 104 and collates it with a log at the time of the misreport occurrence recorded in the misinformation log storage unit 202 in advance. Thus, the possibility that the analysis result of the abnormality detection / prediction unit 207 that detects and predicts the abnormality of the computer system 101 is a false alarm is detected.

  More specifically, the false alarm detection unit 201 includes a comparator 205, which compares the current log of the computer system 101 input from the network 104 and the false alarm log storage unit 202 via the false alarm log path 203. The logs at the time of misreporting are compared, and if both match or are similar, the possibility of misreporting is output to the misreport detection result path 204. Note that the similarity between the current log and the log at the time of misreporting is, for example, comparing the occurrence pattern of the current log with the occurrence pattern of the log at the time of misreporting, and both logs are similar when the patterns match. Can be determined. The anomaly detection / prediction unit 207 obtains information on the possibility of occurrence of false alarms from the false alarm detection result path 204 and suppresses the occurrence of false alarms or notifies the result display part 111 of the possibility of misreporting. . An example of how to use the false alarm detection result will be described later.

  Also, the log analysis unit 206 shown in FIG. 2 can be composed of a plurality of computers as shown in FIG. Then, the log analysis unit 206 may make the computer that executes the false alarm detection unit and the computer that executes the abnormality detection / prediction unit independent of each other as shown in FIG. 20, or these two functions are executed by the same computer. You may do it. In addition, a misreporting log used in the comparator 205 may use a preset misreporting rule. Further, the misreport log storage unit 202 may be stored in a storage device of a computer that executes the misreport detection unit 202.

  FIGS. 3A and 3B are diagrams showing a specific example of a method for comparing a log at the time of occurrence of a false alarm (or a rule for false alarm) and a current log in the method shown in FIG. 2 according to the present invention. is there. First, a method for generating the misreporting log examples 303 to 306 recorded in the misreporting log storage unit 202 will be described with reference to FIG.

  The normal log 301 is an example of a log in a case where the computer system 101 is operating normally and the abnormality determination result in the abnormality detection / prediction unit 207 does not become false information. In this example, the log shows a combination of a time stamp and an event name in one line, and in the normal time log 301, event A and event B are alternated from 9:00 to 9:00:12 in total 7 This shows the case where the error occurred. On the other hand, the log 302 at the time of misreporting is an example of a log when the computer system 101 is operating normally, but the occurrence of abnormality is detected or predicted from the abnormality determination result in the abnormality detection / prediction unit 207. . That is, it is a log when a false alarm occurs. In this example, three types of events, event A, event B, and event C, occur sequentially from 9:30: 00 to 9:30: 12.

  In the misreporting log storage unit 202, misreporting logs 303 to 306 as shown in (Example 1) to (Example 4) in the figure are registered from the normal log 301 and the misreporting log 302, for example.

  (Example 1) The misreporting log 303 indicates that the log of the event C at a specific time is a log that causes misreporting. In the example of FIG. 3A, when the event C occurring at 30 minutes per hour is the cause of the false alarm, it is registered as XX = * (arbitrary), YY = 30, and ZZ = * (arbitrary). XX indicates “hour”, YY indicates “minute”, and “ZZ” indicates second.

  (Example 2) The misreporting log 304 is a registration method when a misreport occurs when an event C occurs at intervals of 4 seconds.

  (Example 3) The false alarm time log 305 indicates that the event A, the event B, and the event C are in order, and the time interval is the event C when the event B is 2 seconds after the event A and the event C is 1 second after the event B. This is a registration method when misinformation occurs due to In FIG. 3A, the symbol # indicates that an event with a # causes a false alarm.

  (Example 4) The misreporting log 306 indicates that a misreporting occurs when the ratio of event A, event B, and event C included in the log is not 1: 1, but 1: 1: 1. Here, the ratio of the events may be, for example, the ratio of the appearance frequencies of the events A to C.

  Next, a specific example of a false alarm detection method in the false alarm detection unit 201 will be described with reference to FIG. 3B. The current log 307 input from the network 104 is a log from 10:20:30 to 10:20:38 in FIG. 3B and includes seven events. On the other hand, the misreporting log 304 input from the misreporting log storage unit 202 via the misreporting log path 203 indicates that a misreporting occurs when the event C occurs at intervals of 4 seconds. In the misreport detection unit 201, as shown in the misreport detection time log 308, the log of event C arranged at intervals of 4 seconds from the current log is detected by the comparator 205, and 10:20:33 and 10:20: 37, the possibility of occurrence of false alarm 204 is output to the abnormality detection / prediction unit 207. The abnormality detection / prediction unit 207 that has received the possibility of occurrence of misinformation 204 performs log analysis after invalidating the log, and detects and predicts the abnormality of the computer system 101, thereby detecting accuracy and prediction. Accuracy can be improved.

  The examples of the misreporting log and the misreporting detection log shown in FIGS. 3A and 3B are merely examples. For example, a method of registering a log when a misreport occurs as it is in the misreport log storage unit 202 may be considered.

  FIG. 4 is a flowchart illustrating an example of processing performed by the log analysis unit 206.

  First, the error detection unit 201 receives a log from the computer system 101 (step 2302). The false alarm detection unit 201 compares the false alarm log recorded in the false alarm log storage unit 202 with the log received in step 2302 to detect the possibility of the false alarm (step 2303).

  Processing branches depending on whether or not the possibility of occurrence of a false alarm has been detected (step 2304). When the possibility of occurrence of false alarms is not detected, the abnormality detection / prediction unit 207 receives a log from the computer system 101 by the log collection unit 107 (step 2305). Next, the abnormality detection / prediction unit 207 detects and predicts the occurrence of abnormality in the abnormality determination unit 108 (step 2306). The abnormality detection / prediction unit 207 transmits the detection / prediction result of occurrence of abnormality in the result output unit 109 (step 2307). Then, the detection / prediction result of occurrence of abnormality is displayed on the result display unit 111 (step 2308).

  On the other hand, if it is determined in step 2304 that the possibility of misreporting has been detected, step 2309 is executed following step 2304. That is, the false alarm detection unit 201 transmits the false alarm detection result 204 to the abnormality detection / prediction unit 207 (step 2309). The abnormality detection / prediction unit 207 invalidates the output of the abnormality determination result, stops the processing, or the like according to the false alarm detection result (step 2310). With the above processing flow, it is possible to reduce the occurrence of false alarms using the false alarm detection unit 201. Thereby, it is possible to improve the accuracy of abnormality detection and the accuracy of abnormality prediction.

  FIG. 5 is a block diagram of a computer system to which the method for detecting the possibility of occurrence of false alarms using the false alarm occurrence conditions according to the present invention is applied. Although this is a different method from the false alarm detection method shown in FIG. 2, the methods shown in FIGS. 2 and 5 can be used simultaneously. The main difference from the method shown in FIG. 2 is an error report detection unit 401 and an error report occurrence condition storage unit 402 which is one of the inputs to the error report detection unit 401.

  In FIG. 5, the misinformation detection unit 401 obtains a log generated in the computer system 101 via the network 104 and collates it with the misreporting conditions recorded in the misreporting condition storage unit 402, so that the computer system 101 abnormality detection / prediction is performed. More specifically, the false alarm detection unit 401 includes a comparator 408, which compares the current log of the computer system 101 input from the network 104 and the false alarm occurrence condition path 403 from the false alarm occurrence condition storage unit 402. The conditions for generating false alarms are input. However, for the current log, there is a log input switch 406 on the path to be input to the comparator 408 via the comparator input path 407, and the comparator 408 is currently informed by information on the false alarm occurrence period included in the false alarm occurrence condition. Log 104 can be input or not.

  The false alarm occurrence period is, for example, when the computer system's regular maintenance time is between midnight and 1:00 am in the day, and when it is desired to detect false alarms only for the time other than this one hour. Set and use. As a result, when it is not necessary to detect the possibility of occurrence of a false alarm, it is possible to prevent detection. The other parts in FIG. 5 are the same as those in FIG.

  FIGS. 6A and 6B are diagrams showing a specific example of a method of comparing a false alarm occurrence condition and a current log in the method shown in FIG. 5 according to the present invention. First, a method of generating examples 503 to 506 of the false alarm occurrence conditions recorded in the false alarm occurrence condition storage unit 402 will be described with reference to FIG. A periodically generated log 501 shows an example in which an event C occurs only every hour at 00 minutes. A log 502 generated only for a predetermined time shows an example in which an event C occurs only between midnight and 1 am. In any example, since the event C occurs only in a limited number of times or time zones, the normal log and the current log as described in Non-Patent Document 1 and Non-Patent Document 2 are compared. In the method of detecting and predicting the occurrence of an abnormality when the deviation is large, the occurrence of the abnormality may be detected or predicted by the event C. However, events that occur only at the hour of the hour, such as the log 501 that occurs regularly, are often seen when, for example, periodic data backup or cache clearing occurs, and occur only for a certain period of time. The log 502 to be executed is also a common case such as periodic maintenance executed every night and start / end processing executed every morning / evening. In this way, although an abnormality does not actually occur, a condition that may be determined to be abnormal in the detection / prediction of the occurrence of abnormality by log analysis is recorded. It is.

  (Example 1) The false alarm occurrence condition 503 is an example in which an event C that occurs at a specific time is registered as an erroneous alarm occurrence condition.

  (Example 2) The false alarm occurrence condition 504 is an example in which the event C that occurs before and after the event B is registered as the false alarm occurrence condition.

  (Example 3) The false alarm occurrence condition 505 is an example in which an event C in a specific time zone (here, 1 hour) is registered as an erroneous alarm occurrence condition.

  (Example 4) The false alarm generation condition 506 is an example of registering, as an erroneous alarm generation condition, that an event C may generate an erroneous alarm if the number of occurrences of the event C with respect to the event A is less than 1%.

  A symbol # shown in FIG. 6A indicates that an event with # causes a false alarm. Next, a specific example of a false alarm detection method in the false alarm detection unit 401 will be described with reference to FIG.

  A current log 507 input from the network 104 is a log from 23:59:59 to 00:00:05, and includes seven events. On the other hand, according to the false alarm occurrence condition 508 input from the false alarm occurrence condition storage unit 402 via the false alarm occurrence condition path 403, an event C that occurs in the time zone from midnight to 1:00 am may cause false alarms. It is shown that. Conversely, it is not necessary to detect the occurrence of false alarms outside of this time period. Therefore, the log input switch 406 is set to pass the log only from 0:00 am to 1:00 am through the false alarm generation cycle path 405. Then, the selected log 509 input to the false alarm detection unit 401 has only six events. The false alarm detection unit 401 detects an event C registered as an event that may cause a false alarm in the false alarm occurrence condition 508. The false alarm detection unit 401 outputs the misreporting possibility 404 to the abnormality detection / prediction unit 410. The abnormality detection / prediction unit 410 that has received the possibility of occurrence of false alarm 404 performs log analysis after invalidating the log, and detects and predicts abnormality of the computer system 101, thereby detecting accuracy and prediction. Accuracy can be improved.

  Alternatively, the log input switch 406 may be omitted, and the misreport detection unit 401 may detect only the log between midnight and 1:00 am.

  FIG. 7 is a flowchart illustrating an example of processing performed by the log analysis unit 409.

  First, the error detection unit 401 receives a log from the computer system 101 (step 2402). The false alarm detection unit 401 compares the false alarm occurrence condition (false alarm occurrence cycle) recorded in the false alarm occurrence condition storage unit 402 with the log received in step 2402, and detects the possibility of misreporting (step 2403). If the received log matches the false alarm occurrence condition 403, the process proceeds to step 2404. If not, the process proceeds to step 2406.

  When the possibility of occurrence of the false alarm is not detected, the abnormality detection / prediction unit 410 receives the log from the computer system 101 by the log collection unit 107 (step 2406). Next, the abnormality detection / prediction unit 410 detects and predicts the occurrence of abnormality in the abnormality determination unit 108 (step 2407). The abnormality detection / prediction unit 410 transmits the detection / prediction result of occurrence of abnormality in the result output unit 109 (step 2408). Then, the result display unit 111 displays the detection / prediction result of occurrence of abnormality (step 2409).

  On the other hand, if it is determined in step 2403 that the possibility of false alarms is detected, step 2404 is executed following step 2403. In step 2404, the false alarm detection unit 401 compares the false alarm occurrence condition (false alarm occurrence period) recorded in the false alarm occurrence condition storage unit 402 with the log received in step 2402, and detects the possibility of misreporting. If there is a possibility that a false alarm will occur, the process proceeds to step 2410; otherwise, the process proceeds to step 2406.

  In step 2410, the false alarm detection unit 401 transmits the false alarm detection result 404 to the abnormality detection / prediction unit 410 (step 2410). The abnormality detection / prediction unit 410 invalidates the output of the abnormality determination result, stops the processing, or the like according to the false alarm detection result (step 2411). With the above processing flow, it is possible to reduce the occurrence of false alarms using the false alarm detection unit 401. Thereby, it is possible to improve the accuracy of abnormality detection and the accuracy of abnormality prediction.

  FIG. 8 is a block diagram showing a computer system to which a method for invalidating abnormality detection / prediction processing when the possibility of occurrence of false alarms is detected is applied. In FIG. 8, a false alarm detection unit 601 detects the possibility of false alarms by the same method as the false alarm detection unit 201 of FIG. 2 and the false alarm detection unit 401 of FIG. Further, the misreporting log / misreporting condition storage unit 602 is also a combination of the misreporting log storage unit 202 of FIG. 2 and the misreporting condition storage unit 402 of FIG. 5, and stores the misreporting log and misreporting conditions. Is. The log at the time of misreporting and the condition for generating misreports can be a rule for detecting misreports.

  When the misreport detection unit 601 detects the possibility of misreporting, the misreport detection result is notified to the control unit 605 included in the abnormality detection / prediction unit 613 via the misreport detection result path 604. The control unit 605 cancels the processing or invalidates the processing result based on the false alarm detection result for all or a part of the log collection unit 107, the abnormality determination unit 108, and the result output unit 109 of the abnormality detection / prediction unit 613. Do. When the possibility of occurrence of a false alarm is detected, the control unit 605 instructs the log collection unit 107 to, for example, stop the log collection process or discard the collected log. In addition, the control unit 605 instructs the abnormality determination unit 108 to invalidate the abnormality determination result, for example. If the result to be output indicates detection or prediction that an abnormality has occurred, the control unit 605 invalidates the result output unit 109, for example. Even if the abnormality detection / prediction unit 613 detects or predicts the occurrence of an abnormality when the possibility of occurrence of a false alarm is detected by the above method, the result display unit detects the occurrence of the abnormality. Or, it is not displayed as predicted, and the occurrence of false alarms can be suppressed. In addition to the method of notifying that the possibility of the occurrence of a false alarm is detected at a certain time, the false alarm detection result 609 notified from the false alarm detector 601 to the controller 605 via the false alarm detection result path 604 is shown in FIG. An instruction to stop the abnormality determination process in the abnormality detection / prediction unit 613 may be notified for one hour from a certain time point, as shown in the false alarm detection result (example 1) 610 shown. In addition, as in the false alarm detection result (example 2) 611, for one hour from a certain point in time, notification of support for halving the degree of abnormality determined by the abnormality detection / prediction unit 613 increases the sensitivity of abnormality detection / prediction. A method of reducing the occurrence of false alarms is also included.

  FIG. 9 is a process flow showing a method of invalidating the abnormality detection / prediction process when the possibility of occurrence of false alarms is detected in the method shown in FIG. First, the error detection unit 601 receives a log from the computer system 101 (step 702). The false alarm detection unit 601 compares the false alarm log / false alarm occurrence condition recorded in the false alarm log / false alarm generation condition storage unit 602 with the log received in step 702 to detect the possibility of misreporting (step 702). 703). Processing branches depending on whether or not the possibility of occurrence of a false alarm has been detected (step 704). When the possibility of occurrence of the false alarm is not detected, the abnormality detection / prediction unit 613 receives a log from the computer system by the log collection unit 107 (step 705).

  Next, the abnormality detection / prediction unit 613 detects and predicts the occurrence of abnormality in the abnormality determination unit 108 (step 706). The abnormality detection / prediction unit 613 transmits the detection / prediction result of occurrence of abnormality in the result output unit 109 (step 707). Then, the result display unit 111 displays the detection / prediction result of occurrence of abnormality (step 708). If the possibility of occurrence of a false alarm is detected, step 709 is executed following step 704. That is, the false alarm detection unit 601 transmits the false alarm detection result to the abnormality detection / prediction unit 613 (step 709). The control unit 605 of the abnormality detection / prediction unit 613 invalidates the output of the abnormality determination result, stops the processing, or the like according to the erroneous report detection result (step 710). With the above processing flow, reduction of the occurrence of false alarms using the false alarm detector 601 is realized.

  FIG. 10 is a block diagram showing a computer system to which a method of deleting a log that may cause a false alarm when a possibility of a false alarm is detected is applied.

  FIG. 10 is a method for achieving the object by another method, although the object is the same as that shown in FIG. In FIG. 10, the false alarm detection unit 801 detects the possibility of false alarms in the same manner as the false alarm detection unit 201 of FIG. 2 and the false alarm detection unit 401 of FIG. 5, and the false alarm log / false alarm occurrence condition storage unit 802 is also shown in FIG. 2 is stored in the same manner as the error report log storage unit 202 in FIG. 2 and the error report generation condition storage unit 402 in FIG. 5.

  When the misreport detection unit 801 detects the possibility of misreporting, the miscorrection detection result is notified to the log correction unit 804 via the misreport detection result path 805. The log correction unit 804 receives the log generated in the computer system 101 via the network 104, and corrects or deletes the log based on the false alarm detection result. For example, the fact that a specific event included in a log is a cause of generating a false alarm is recorded in the false alarm log / false alarm occurrence condition storage unit 802, and when the erroneous alarm detection unit 801 detects the occurrence of the log, The false alarm detection unit 801 instructs the log correction unit 804 to delete the log, and the log correction unit 804 executes deletion of the corresponding log. The corrected log is transmitted to the log collection unit 107 of the abnormality detection / prediction unit 807. As a result, the abnormality detection / prediction unit 807 does not generate a false alarm, and it is possible to improve the accuracy of abnormality detection and the accuracy of abnormality prediction.

  In FIG. 10, the log collection unit 107 combines two paths, that is, a path that can directly receive a log from the computer system 101 via the network 104 and a path that can receive a corrected log from the log correction unit 804. Although described, there is no problem even if the two paths are separate, and only the path for receiving the corrected log from the log correcting unit 804 may be used. The processing methods of the abnormality detection / prediction unit 807 and the result display unit 111 are the same as the methods shown in FIGS. When the possibility of misreporting is detected by the method as described above, the log correcting unit 804 can correct / delete logs that may cause misreporting, so that the occurrence of misreporting can be suppressed. .

  FIG. 11 is a processing flow showing a method of deleting a log that may cause a false alarm when the possibility of a false alarm is detected in the method shown in FIG. First, the error detection unit 801 receives a log from the computer system 101 (step 902). The false alarm detection unit 801 compares the false alarm log / false alarm occurrence condition recorded in the false alarm log / false alarm occurrence condition storage unit 802 with the log received in step 902 to detect the possibility of the false alarm (step 903).

  The process branches depending on whether or not a possibility of occurrence of a false alarm is detected (step 904). When the possibility of occurrence of false alarms is not detected, the abnormality detection / prediction unit 807 receives a log from the computer system by the log collection unit 107 (step 905). In step 905, a log may be received from the log correction unit 804. This is because step 905 is a case where the possibility of occurrence of false alarms has not been detected. Therefore, even if a log is received from the log correction unit 804 or a log is directly received from the computer system 101 via the network 104. This is because there is no difference in the logs. Next, the abnormality detection / prediction unit 807 detects and predicts the occurrence of abnormality in the abnormality determination unit 108 (step 906). The abnormality detection / prediction unit 807 transmits the detection / prediction result of occurrence of abnormality in the result output unit 109 (step 907). Then, the result display unit 111 displays the detection / prediction result of occurrence of abnormality (step 908).

  If the possibility of occurrence of false alarms is detected, step 909 is executed following step 904. That is, the false alarm detection unit 601 transmits the false alarm detection result to the log correction unit 804 (step 909). The log correcting unit 804 receives the log from the computer system 101, and corrects and deletes the log according to the false alarm detection result (step 910). The log collection unit 107 of the abnormality detection / prediction unit 807 receives the log from the log correction unit 804 (step 911). In step 911, the log may also be received from the computer system 101 via the network 104. Subsequently, in step 912 to step 914, the abnormality detection prediction unit 807 and the result display unit 111 detect and predict the occurrence of the abnormality and display the result. Steps 912 to 914 are the same as steps 906 to 908.

  With the above processing flow, it is possible to reduce the occurrence of false alarms using the false alarm detection unit 801 and the log correction unit 804.

  FIG. 12 is a block diagram illustrating an example of a computer system to which a method of marking a log that may cause a misreport when a misreport occurrence possibility is detected and changing the abnormality detection / prediction process is applied. FIG. 12 is a method for achieving the object by another method, although the object is the same as that shown in FIG.

  12, the false alarm detection unit 1001 is the same method as the false alarm detection unit 201 of FIG. 2 and the false alarm detection unit 401 of FIG. 5, and the false alarm log / false alarm occurrence condition storage unit 1002 is also the erroneous alarm log storage unit 202 of FIG. And the same method as the false alarm occurrence condition storage unit 402 of FIG. When the misreport detection unit 1001 detects the possibility of misreporting, the log correction unit 1004 is notified of the misreport detection result via the misreport detection result path 1005.

  The log correction unit 1004 receives the log generated in the computer system 101 via the network 104, but marks the log based on the false alarm detection result. For example, if there is a high possibility that a log of a certain time zone will generate a false alarm, the false alarm detector 1001 detects that the time zone has been entered, and the log corrector detects that the misreport detector 1001 marks the log. Instructed to 1004, the log correcting unit 1004 marks the corresponding log. The mark need not be one type, and may be a plurality of types.

  The log corrected by the log correcting unit 1004 is transmitted to the log switch 1007. The log switch 1007 determines which of the plurality of log collection units 107 included in the abnormality detection / prediction unit 1010 is to transfer the log depending on whether or not the log is marked. In order to determine which log collection unit 107 to transfer to according to the mark added to the log, the false alarm detection unit 1001 connects the log to the log switch 1007 via the false alarm detection result path 1006 and the relationship between the log collection unit 107 of the transfer destination. Send information about. As a result, the abnormality detection / prediction unit 1010 can change the method of abnormality detection / prediction in a log that may cause a false alarm and other logs, or output the results separately, and may cause a false alarm. You can change the sensitivity of the detection and prediction of abnormalities according to the characteristics, and change the display method of results according to the possibility of the occurrence of false alarms. You can be notified of a possibility.

  The abnormality detection / prediction unit 1010 includes a plurality of log collection units 107, an abnormality determination unit 108, and a result output unit 109. Some of these may be shared. The processing method in each log collection unit 107, abnormality determination unit 108, and result output unit 109 is the same as the method shown in FIG. 2 or FIG.

  When the possibility of misreporting is detected by the above method, the abnormality detection / prediction method in the abnormality detection / prediction unit 1010 is changed by the log correction unit 1004 and the log switch 1007, or the result output method The occurrence of false alarms can be suppressed. Note that only one of the methods shown in FIGS. 8, 10, and 12 may be used, or a plurality of methods may be used in combination.

  FIG. 13 is a process flow showing a method of changing the abnormality detection / prediction process by marking a log that may cause a false alarm when the possibility of a false alarm is detected in the method shown in FIG. .

  First, the error detection unit 1001 receives a log from the computer system 101 (step 1102). The false alarm detection unit 1001 compares the false alarm log and the false alarm occurrence condition recorded in the false alarm log / false alarm occurrence condition storage unit 1002 with the log received in step 1102 to detect the possibility of misreporting ( Step 1103). The process branches depending on whether or not a possibility of occurrence of a false alarm is detected (step 1104). When the possibility of occurrence of misreporting is not detected, the abnormality detection / prediction unit 1010 receives a log from the computer system 101 by the log collection unit 107 (step 1105). Next, the abnormality detection / prediction unit 1010 detects and predicts the occurrence of abnormality in the abnormality determination unit 108 (step 1106). The abnormality detection / prediction unit 1010 transmits the detection / prediction result of occurrence of abnormality in the result output unit 109 (step 1107). Then, the result display unit 111 displays the detection / prediction result of occurrence of abnormality (step 1108).

  If the possibility of occurrence of false alarms is detected, step 1109 is executed following step 1104. That is, the false alarm detection unit 1001 transmits the false alarm detection result to the log correction unit 1004 and the log switch 1007 (step 1109). The log correction unit 1004 receives the log from the computer system 101, and marks the log according to the false alarm detection result (step 1110). The log switch 1007 receives the logs from the computer system 101 and the log correction unit 1004, and transfers the logs to any one of the plurality of log collection units 107 in accordance with the erroneous report detection result and the mark attached to the log (step 1111). Steps 1112 to 1114 are the same as Steps 1106 to 1108.

  With the above processing flow, the occurrence of false alarms using the false alarm detection unit 1001, the log correction unit 1004, and the log switch 1007 is reduced.

  FIG. 14 is a block diagram showing a computer system to which a process for notifying that an abnormality detection / prediction result is a false report and a method of recording a log when a false report occurs is applied.

  In FIG. 14, a misreport notification unit 1201 is means for notifying the misreport recording unit 1203 of the occurrence of a misreport when a misreport occurs. For example, there is a method of notifying the time when the misreporting occurred and the time when the misreporting ended. The misreport notification unit 1201 may include the misreport information in the notification content. This can be used to collectively record a log at the time of false alarms regarding false alarms generated for the same reason.

  The false alarm recording unit 1203 receives a log generated in the computer system 101 via the network 104. Furthermore, a misreport occurrence notification is received from the misreport notification section 1201 via the misreport notification path 1202, and when a misreport occurs, a log at the time of misreport occurrence is transmitted via the misreport recording path 1204 using the received log. Log in error report / error report occurrence condition storage unit 602.

  The process of the misreport recording unit 1203 is, for example, the misreporting log generation method described in the description of FIG. In FIG. 14, the processes of the false alarm detection unit 601, the abnormality detection prediction unit 613, and the result display unit 111 are the same as the method illustrated in FIG. 8. In FIG. 14, the error notification unit 1201 and the error report recording unit 1203 are added to the method of FIG. 8, but not limited to FIG. 8, the method of FIGS. 10 and 12 is used. A configuration in which a misreport notification unit 1201, a misreport recording unit 1203, and the like are added is also possible.

  FIG. 15 is a processing flow showing a means for notifying that the abnormality detection / prediction result is a false report and a method for recording a log when a false report occurs in the method shown in FIG.

  First, the misreport notification unit 1201 notifies the occurrence of misreport (step 1302). When receiving the notification of the occurrence of the false alarm from the false alarm notifying part 1201, the false alarm recording part 1203 records the log at the time of the false alarm occurrence in the false alarm log / misreporting condition storage part 602 (step 1303). Next, a log is received from the computer system 101 by the false alarm detection unit 601 (step 1304). The false alarm detection unit 601 compares the false alarm log and the false alarm occurrence condition recorded in the false alarm log / false alarm occurrence condition storage unit 602 with the log received in step 1304 to detect the possibility of misreporting (step 1305). The process branches depending on whether or not the possibility of occurrence of a false alarm is detected (step 1306).

  When the possibility of occurrence of false alarms is not detected, the abnormality detection / prediction unit 613 receives a log from the computer system by the log collection unit 107 (step 1307). Next, the abnormality detection / prediction unit 613 detects and predicts the occurrence of abnormality in the abnormality determination unit 108 (step 1308). The abnormality detection / prediction unit 613 transmits the detection / prediction result of occurrence of abnormality in the result output unit 109 (step 1309). Then, the detection / prediction result of occurrence of abnormality is displayed on the result display unit 111 (step 1310).

  If the possibility of occurrence of a false alarm is detected, step 1311 is executed following step 1306. That is, the false alarm detection unit 601 transmits the false alarm detection result to the abnormality detection / prediction unit 613 (step 1311). The control unit 605 of the abnormality detection / prediction unit 613 invalidates the output of the abnormality determination result, stops the processing, or the like according to the false alarm detection result (step 1312).

  With the above processing flow, reduction of the occurrence of false alarms using the false alarm detector 601 is realized.

  FIG. 16 is a block diagram showing a computer system to which a log analysis method including processing for setting a condition that may cause a false alarm in abnormality detection / prediction is applied.

  In FIG. 16, the misreport occurrence condition registration unit 1401 is a process of notifying the misreport occurrence condition to the misreport occurrence condition recording unit 1403 when the misreport occurs or when the misreport occurrence condition is known. For example, when the regular maintenance of the computer system 101 is performed in a specific time zone, there is a method of registering that there is a high possibility that a false alarm will occur in that time zone. The false alarm occurrence condition registration unit 1401 may include what kind of misinformation is in the notification content. This can be used to collectively record misreporting conditions regarding misinformation that occurs for the same reason.

  The misreport occurrence condition recording unit 1403 receives the misreport occurrence condition from the misreport occurrence condition registration unit 1401 via the misreport occurrence condition notification path 1402, and the misreport occurrence log / misreport occurrence condition storage unit via the misreport occurrence condition record path 1404. Record at 602. The processing of the misreport occurrence condition registration unit 1401 and the misreport occurrence condition recording unit 1403 is, for example, the generation method of the misreport occurrence condition described in the explanation of FIG. The processing of the false alarm detection unit 601, the abnormality detection prediction unit 613, and the result display unit 111 illustrated in FIG. 16 is the same as the method illustrated in FIG. 8. In FIG. 16, the error report generation condition registration unit 1401 and the error report generation condition recording unit 1403 are added to the method of FIG. 8. However, the present invention is not limited to FIG. A configuration in which an error report occurrence condition registration unit 1401, an error report occurrence condition recording unit 1403, and the like are added to the method of FIG. 14 is also possible.

  FIG. 17 is a processing flow showing a log analysis method including means for setting conditions that may cause a false alarm in abnormality detection / prediction in the method shown in FIG.

  First, a false alarm generation condition registration unit 1401 registers a false alarm generation condition (step 1502). When receiving the error report occurrence condition from the error report occurrence condition registration unit 1401, the error report occurrence condition recording unit 1403 records the error report occurrence condition in the error report log / error report occurrence condition storage unit 602 (step 1503). Next, the error detection unit 601 receives a log from the computer system 101 (step 1504). The false alarm detection unit 601 compares the false alarm log and the false alarm occurrence condition recorded in the false alarm log / false alarm occurrence condition storage unit 602 with the log received in step 1504 to detect the possibility of an erroneous alarm (step 1505). Processing branches depending on whether or not the possibility of occurrence of a false alarm has been detected (step 1506).

  When the possibility of occurrence of the false alarm is not detected, the abnormality detection / prediction unit 613 receives a log from the computer system by the log collection unit 107 (step 1507). Next, the abnormality detection / prediction unit 613 detects and predicts the occurrence of abnormality in the abnormality determination unit 108 (step 1508). The abnormality detection / prediction unit 613 transmits the detection / prediction result of the occurrence of abnormality to the result display unit 111 in the result output unit 109 (step 1509). Then, the result display unit 111 displays the detection / prediction result of occurrence of abnormality (step 1510).

  If the possibility of occurrence of a false alarm is detected, step 1511 is executed following step 1506. That is, the false alarm detection unit 601 transmits the false alarm detection result to the abnormality detection / prediction unit 613 (step 1511). The control unit 605 of the abnormality detection / prediction unit 613 invalidates the output of the abnormality determination result, stops the processing, or the like according to the false alarm detection result (step 1512).

  With the above processing flow, reduction of the occurrence of false alarms using the false alarm detector 601 is realized.

  FIG. 18 is a block diagram showing a computer system to which a log analysis method including processing for adding information indicating that a log correction is performed by detecting the possibility of occurrence of a false alarm to an abnormality detection / prediction result is applied.

  In FIG. 18, the misinformation detection unit 801 notifies the result output unit 1602 of the abnormality detection / prediction unit 807 of the possibility of misreporting via the misreport detection result path 1601. When the result output unit 1602 receives the possibility of the occurrence of the false alarm, the result output path 1603 indicates that the log correction part 804 has corrected the log for the corresponding log analysis result, for example, when there is a possibility of the false alarm. Are included in the abnormality determination result 1605 to be output. The result display unit 1604 displays that the abnormality determination result is the result after the log correction, that is, after the processing for reducing the occurrence of false alarms. With the above method, it is possible to confirm on the result display unit 1604 that the occurrence of the misreport has been reduced by the misreport detection unit 801 and the log correction unit 804. As a result, it is possible to confirm the validity of the process for reducing the occurrence of false alarms and to further increase the accuracy of the abnormality determination result. The processes of the false alarm detection unit 801 and the log correction unit 804 shown in FIG. 18 are the same as the method shown in FIG. In FIG. 18, the error output detection result path is connected to the result output unit 1602 in the method of FIG. 10, but not limited to FIG. 10, the method of FIGS. 8, 12, and 14 is used. A configuration in which changes are made is also possible.

  FIG. 19 shows a log analysis method including an abnormality detection / prediction result including a process of correcting a log by detecting the possibility of occurrence of a false alarm, and a process of displaying both an abnormality detection / prediction result as a result without performing log correction. It is a block diagram which shows the applied computer system. In FIG. 19, the abnormality detection / prediction unit 1010 has at least two detection units 1702 and 1703 to detect and predict an abnormality by log analysis, and the false alarm detection unit 1001 connects to one detection unit 1702 via the network 104. The log generated in the computer system 101 is directly input via the log, and the log corrected by the log correction unit 1004 is input to the other detection unit 1703 via the correction log input path 1701.

  Result output paths 1704 and 1705 are connected to the result output unit 1706 for each of the detection units 1702 and 1703, and the abnormality determination results of both the detection units 1702 and 1703 can be displayed. By the above method, it becomes possible to confirm the difference in the abnormality determination result depending on the presence / absence of the process for reducing the occurrence of the false alarm by the false alarm detection unit 1001 and the log correction unit 1004.

  As a result, it is possible to confirm the validity of the process for reducing the occurrence of false alarms and to further increase the accuracy of the abnormality determination result.

  The processes of the false alarm detection unit 1001 and the log correction unit 1004 shown in FIG. 19 are the same as the method shown in FIG. In FIG. 19, a plurality of result output paths are connected to the method of FIG. 12, but the method is not limited to FIG. 12, but is changed to the methods of FIGS. 8, 10, and 14. It is also possible to add a configuration.

  Although the first embodiment has been described so far with reference to FIGS. 1 to 19, the method of the present invention does not need to perform all the methods shown in FIGS. 1 to 19 at the same time. For example, as for the method of detecting a false alarm, either one of the methods shown in FIGS. 2 and 5 may be performed at the same time. The process of reducing the occurrence of false alarms using the false alarm detection results may be performed simultaneously with any one or two of the methods shown in FIG. 8, FIG. 10, and FIG. As for the method of registering the log at the time of misreporting or the condition for generating misreporting, either one of the methods shown in FIGS. 14 and 16 may be performed at the same time. Further, a method of registering a log at the time of misreporting or an occurrence condition of misreporting in advance and not registering later, that is, a method not including the method shown in FIG. 14 or the method shown in FIG. The method for outputting / displaying the abnormality determination result may be either one of the methods shown in FIGS. 18 and 19 or both. The present invention also includes a method based on the above combination.

Second Embodiment
A second embodiment of a log analysis apparatus for reducing the occurrence of false alarms in the detection of abnormality in a computer system according to the present invention will be described with reference to FIGS. Since the processing method inside the log analysis apparatus can be implemented by the method shown in the first embodiment, the external specification of the apparatus will be mainly described.

  FIG. 20 is a block diagram showing a basic system configuration relating to the log analysis apparatus of the present invention. The log generated by the computer 1801 is sent to the log analysis device 1805 via the network paths 1802 and 1804 and the network device 1803. The computer 1801 is a device that includes hardware components such as a CPU, a memory, and a disk device, and software components such as an OS, middleware, and application software. The computer 1801 provides various types of services by combining hardware components and software components. The network device 1803 is a device that exchanges data and commands between connected network paths. For example, a log output from a computer is transferred to the false alarm detection device 1806.

  The log analysis device 1805 includes an error report detection device 1806, an abnormality detection / prediction device 1808, an abnormality detection / prediction result output device 1810, and an error notification / registration interface device 1811. The false alarm detection device 1806 is a device having the same configuration as the computer 1801. The false alarm detection software 1817 and the log correction software 1818 are operating on the CPU, the memory 1815 and the OS 1816. Log, error report occurrence condition, etc., or output false alarm detection result and corrected log. Also included is a storage device 1814 that stores a log at the time of misreporting and conditions for the occurrence of misreporting.

  The false alarm detection software 1817 is, for example, software that realizes the method shown in the false alarm detection unit 1001 in FIG. The log correction software 1818 is, for example, software that implements the method shown in the log correction unit 1004 in FIG. The storage device 1814 is, for example, a device that implements the false alarm log / false alarm occurrence condition storage unit 1002 of FIG. The log switch 1007 of FIG. 12 may be realized by being included in the log correction software 1818 in FIG. 20 or may be realized by software on the abnormality detection / prediction device 1808.

  Similar to the false alarm detection device 1806, the abnormality detection / prediction device 1808 includes a CPU, a memory, an OS, an input / output interface, a storage device, and the like. For example, the abnormality detection / prediction software operates on the OS. The abnormality detection / prediction software is, for example, software that implements the abnormality detection / prediction unit 1010 of FIG.

  The abnormality detection / prediction result output device 1810 is a device that receives an output of the result of log analysis performed by the abnormality detection / prediction device 1808 and displays an outline or detailed status of the abnormality notification. For example, it is a device that implements the result display unit 111 of FIG. Although not described in FIG. 20, it also includes adding an input / output device to the abnormality detection / prediction result output device 1810 so as to change the result display method.

  The misreport notification / registration interface device 1811 is used to register a misreport log or misreport occurrence conditions in the misreport detection device 1806. For example, it is a device that realizes the false alarm notification unit 1201 of FIG. 14 and the false alarm occurrence condition registration unit 1401 of FIG. The error report recording unit 1203 in FIG. 14 and the error report occurrence condition recording unit 1403 in FIG. 16 may be realized by software on the error notification / registration interface device 1811 in FIG. Good.

  In FIG. 20, the false alarm detection device 1806, the anomaly detection / prediction device 1808, etc. are each realized by one computer, but these may be realized by one computer, and conversely each of a plurality of computers. You may implement | achieve with a computer. Similarly, the abnormality detection / prediction result output device 1810 and the false alarm notification / registration interface device 1811 may be realized by a single device.

  The data communicated by the path between each device is as follows. In the network paths 1802 and 1804, log data generated by the computer 1801 is communicated. In the false alarm detection result network path 1807, the false alarm detection result detected by the false alarm detection software 1817 of the false alarm detection device 1806 and the log data corrected by the log correction software 1818 are communicated. As an example of the false alarm detection result, the false alarm detection result 609 shown in FIG. In the abnormality determination result network path 1809, an abnormality determination result that is a result of log analysis performed by the abnormality detection / prediction device 1808 is communicated. Examples of the abnormality determination result include the abnormality determination result 1605 shown in FIG. In the misreport notification / registration network path 1812, data for notifying the occurrence of misreport and the misreport occurrence conditions are communicated. The data for notifying the occurrence of false alarms is the time when the false alarms occurred and the contents thereof, and examples of the false alarm occurrence conditions include the false alarm occurrence conditions 503 to 506 shown in FIGS. 6 (A) and 6 (B). Can be mentioned.

  The contents described above are merely one implementation example, and the connection method between the computer 1801 and the network device 1803, the configuration of the devices in the log analysis device 1805, and the like are not limited to the configuration shown in FIG.

  FIG. 21 is a diagram showing an embodiment of a user interface of the log analysis apparatus including a false alarm occurrence notification interface. In the configuration of the log analysis device 1805 of the present invention shown in FIG. 20, the abnormality detection / prediction result output device 1810 and the false alarm notification / registration interface device 1811 are realized by one device.

  FIG. 21 shows an example in which the following four interfaces are displayed on a display screen 1901 such as a liquid crystal display with a touch panel function. The abnormality report summary window 1902 displays whether or not an abnormality has occurred in the computer system based on the abnormality determination result output from the abnormality detection / prediction device 1808. Further, the abnormality report detail window 1903 displays detailed information regarding the abnormality such as what kind of abnormality is based on the abnormality determination result. The false alarm occurrence notification button 1904 is an input interface for notifying that the displayed abnormality is false alarm.

  The misinformation information input box 1905 is an input interface used to input the contents of misinformation. When monitoring the occurrence of an abnormality in the computer system, first, the detection / prediction of the occurrence of the abnormality is confirmed in the abnormality report summary window 1902 and the content is confirmed in the abnormality report details window 1903. If the displayed anomaly is a false alarm, the error report input box 1905 is filled with the false alarm content, and a false alarm occurrence notification button 1904 is pressed. it can.

  FIG. 22 is a diagram showing an embodiment of a user interface of the log analysis apparatus including an interface for registering false alarm occurrence conditions. FIG. 22 shows an example in which a window 2002 for registering a false alarm condition is displayed on an input interface 2001 such as a notebook PC. As an interface for inputting a false alarm occurrence condition, there are the following three windows in FIG. The time designation window 2003 is an input interface for registering the time at which a false alarm occurs and the generation cycle. The occurrence condition window 2004 is an input for registering a log condition that causes a false alarm, a log order condition when a false alarm occurs due to the log generation order, and a log ratio condition when a false alarm occurs due to the occurrence ratio of events included in the log. Interface. The operation target log window 2005 is an input interface for registering a log type to be corrected or deleted when the possibility of occurrence of a false alarm is detected.

  As these input interfaces, there are an input box 2006 in which conditions, values, character strings, and the like can be directly input, and a reference button 2007 for specifying and reading a file in which conditions, values, character strings, etc. are written.

  FIG. 23 is a diagram showing an example of a user interface of a log analysis apparatus 1805 including means for adding and displaying information indicating that a log is corrected by detecting a possibility of occurrence of a false alarm in an abnormality detection / prediction result. is there.

  FIG. 23 shows an example in which the following four interfaces are displayed on a display screen 2101 such as a liquid crystal display. These interfaces are examples including the interface shown in FIG. 18 that indicates that the possibility of the occurrence of the false alarm is detected and the log is corrected. In the example of FIG. 23, in the abnormality report summary window 2102, an abnormality is detected in the computer system between 10:00 and 10:02:59 based on the abnormality determination result output from the abnormality detection / prediction device 1808. Whether or not it has occurred is displayed. In this example, no abnormality occurs. Further, in the abnormality report detail window 2103, detailed information regarding the abnormality such as what kind of abnormality is displayed based on the abnormality determination result.

  This example shows a graph in which the degree of abnormality of the computer system is quantified and displayed in time series. The misreport occurrence possibility detection result window 2104 displays whether or not the misreport occurrence device 1806 has detected the possibility of misreport occurrence. In this example, it is shown that the possibility of occurrence of false alarms was detected from 10:02:00 to 10:02:59. In the log correction window 2105 due to the possibility of erroneous report occurrence, it is displayed whether or not log correction is executed by the erroneous report detection apparatus 1806. In this example, it is displayed that the log of the log type X generated by periodic cache clearing is deleted.

  With the display interface as shown in FIG. 23, there is no abnormality, but it is detected and predicted that no abnormality has occurred as a result of correcting the log by detecting the possibility of misreporting during the display period. I can confirm that.

  FIG. 24 is a diagram of a log analyzing apparatus including a means for displaying both an abnormality detection / prediction result including a means for correcting a log by detecting a possibility of occurrence of a false alarm and an abnormality detection / prediction result without performing log correction. It is a figure which shows the Example of a user interface. FIG. 24 shows an example in which the following two interfaces are displayed roughly on a display screen 2201 such as a liquid crystal display. These interfaces are examples including an interface showing both abnormality determination results in the case where the possibility of causing the false alarm occurrence shown in FIG. 19 is detected and the log is corrected or not. In the example of FIG. 24, a window 2202 showing an abnormality determination result when log correction is not performed on the upper side, and a window 2203 indicating an abnormality determination result when log correction is performed when the possibility of occurrence of a false alarm is detected on the lower side. Is displayed. This window 2203 includes the four interfaces shown in FIG. 23. In this example, the possibility of a false alarm is detected from 10:02:00 to 10:02:59, and is generated by periodic cache clearing. It is displayed that the log of the log type X has been deleted, and as a result, it has been determined that no abnormality has occurred in the computer system between 10:00:00 and 10:02:59. On the other hand, in the upper window 2202 displaying the abnormality determination result when the log correction is not performed, it is displayed that the occurrence of abnormality is detected at 10:02:00. Although the occurrence of an abnormality is detected and predicted by the display interface as shown in FIG. 24, the detection result may be a false alarm, and it is determined that no abnormality has occurred by the process of reducing the occurrence of the false alarm. And understand what caused the false alarm.

<Supplement>
14. The log analysis device according to claim 11, wherein when the erroneous report detection unit determines the occurrence of the erroneous report, the log analysis unit stops the analysis or invalidates the analysis result. A log analysis device characterized by:

  According to the present invention, it is possible to reduce the occurrence of false positives that detect and predict abnormalities, even though no abnormalities actually occur, with regard to detection and prediction of abnormalities in computer systems using log analysis technology. Therefore, the scope of application of log analysis technology to computer system abnormality detection / prediction is expanded, and as a result, the reliability of the computer system is improved. This technology can be used as a basic technology for system operation management tools.

It is a block diagram which shows the fundamental structure regarding the computer system using the log analysis method made into the application object of this invention. 1 is a block diagram of a computer system showing a first embodiment of the present invention and detecting the possibility of occurrence of a false alarm using a log when a false alarm occurs. FIG. It is explanatory drawing which shows the example of the comparison method of the log at the time of misreporting, and the current log, (A) shows the contents of the log and the contents of the log at the time of misreporting, (B) is the present using the log at the time of misreporting An example of detecting the possibility of the occurrence of false alarms from the log will be shown. It is a flowchart which shows an example of the process which notifies the possibility of a misreport generation to an abnormality detection and prediction part, when the possibility of a misreport generation | occurrence | production is detected. It is a block diagram of the computer system which shows the other example of 1st Embodiment of this invention, and detects the possibility of generation | occurrence | production of a misreport using a misreport generation condition. It is explanatory drawing which shows the example of the comparison method with the present log using false alarm generation conditions, (A) shows the contents of the log and the contents of the log at the time of false alarm, (B) shows the present using the log at the time of false alarm An example of detecting the possibility of the occurrence of false alarms from the log will be shown. It is a flowchart which shows an example of the process which notifies the possibility of a misreport generation | occurrence | production to an abnormality detection and prediction part, when a misreport generation possibility is detected using a misreport generation condition. It is a block diagram of the computer system which shows the other example of 1st Embodiment of this invention, and invalidates an abnormality detection and prediction part, when the possibility of misreporting is detected. It is a flowchart which shows an example of a process in the case of invalidating an abnormality detection and prediction part, when the possibility of misreport generation | occurrence | production is detected. It is a block diagram of the computer system which shows the other example of 1st Embodiment of this invention, and deletes the log which may raise | generate a false alarm generation | occurrence | production when the possibility of a false alarm occurrence is detected. It is a flowchart which shows an example of a process in the case of deleting the log which may raise | generate an erroneous report generation | occurrence | production when the possibility of an erroneous report generation | occurrence | production is detected. Another example of the computer system according to the first embodiment of the present invention, in which a log that may cause a false alarm when a false alarm occurrence is detected is marked and the abnormality detection / prediction unit is changed. It is a block diagram. It is a flowchart which shows an example of a process in the case of marking the log which may generate | occur | produce a misreport when the misreport generation possibility is detected, and changing an abnormality detection and prediction part. It is a block diagram which shows the other example of 1st Embodiment of this invention, notifies that an abnormality detection and prediction result is a misinformation, and applies the method of recording the log at the time of misreport occurrence. It is a flowchart which shows an example of a process in the case of marking the log which may generate | occur | produce a misreport when the misreport generation possibility is detected, and changing an abnormality detection and prediction part. It is a block diagram which shows the other example of 1st Embodiment of this invention, and shows the computer system to which the method of setting the condition which may generate | occur | produce a false alarm in abnormality detection and prediction is applied. It is a flowchart which shows an example of a process in the case of setting the conditions which may generate | occur | produce a misreport in abnormality detection and prediction. It is a block diagram which shows the other example of 1st Embodiment of this invention, and shows the computer system which instruct | indicates the correction | amendment of a log by detecting the possibility of causing misreporting to an abnormality detection and prediction result. What we did It is a block diagram showing a log analysis method when displaying both an abnormality detection / prediction result including means for correcting a log by detecting the possibility of occurrence of a false alarm and an abnormality detection / prediction result not including log correction . It is a block diagram which shows the 2nd Embodiment of this invention and shows the fundamental structure regarding the system of a log analyzer. It is a figure which shows the Example of the user interface of the log analysis apparatus containing a misreport generation notification interface. It is explanatory drawing which shows the Example of the user interface of the log analysis apparatus containing the interface which registers a false alarm generation condition. It is a figure which shows the Example of the user interface of the log analysis apparatus containing the means which adds the information which detects the possibility that a misreport generation | occurrence | production generate | occur | produces to an abnormality detection and prediction result, and performs log repair, and displays it. The figure which shows the Example of the user interface of the log analysis apparatus containing the means to display both the abnormality detection / prediction result including the means for correcting the log by detecting the possibility of occurrence of the false alarm and the abnormality detection / prediction result not included It is.

Explanation of symbols

101 Computer system 102 Computer 103 Log generation unit 105, 206, 409, 612, 806, 1009, 1205, 1405, 1606, 1707 Log analysis unit 106, 207, 410, 613, 807, 1010 Abnormality detection / prediction unit 107 Log collection Unit 108 abnormality determination unit 109, 1602 result output unit 111, 1604, 1706 result display unit 201, 401, 601, 801, 1001 error report detection unit 202 error report log storage unit 203 error report log path 204, 404, 604, 805, 1005 , 1006, 1601 False alarm detection result path 205, 408 Comparator 301 Normal log 302 False alarm log 307, 507 Current log 308, 510 False alarm log 402 False alarm condition storage unit 403 False alarm condition path 405 False alarm cycle 405 06 log input switch

Claims (7)

It is a log analysis method that analyzes the event occurrence log output from a computer and detects or predicts an abnormality in the computer,
Holding the event identification information for identifying the event and the event occurrence time, which is the time at which the event occurs, in association with each other as at least a part of the log;
A comparison of the event identification information and a comparison of the event occurrence time for a plurality of the events including at least one first event that is the event when a false alarm occurs in the detection of abnormality of the computer or prediction of abnormality And generating regularity information indicating regularity related to the event occurrence time of the first event, and
Receiving a new log from the computer;
Analyzing the newly received log, detecting that an abnormality has occurred in the computer, or predicting that an abnormality has occurred in the computer;
Extracting the event identification information and the event occurrence time included in a log in which the abnormality of the newly received computer is detected or the abnormality is predicted;
If the extracted event identification information is the same as the identification information of the first event with reference to the regularity information, and the extracted event occurrence time has the regularity, the abnormality of the computer Determining the occurrence of false alarms in detecting or predicting anomalies;
When it is determined that the misinformation has occurred, the step of reducing the occurrence of misinformation in the detection of the occurrence of abnormality of the computer or the prediction of the occurrence of abnormality of the computer;
A log analysis method comprising:   The log analysis method according to claim 1, wherein the regularity information is a preset generation condition including a generation cycle of a false alarm.   The log analysis method according to claim 1 or 2, wherein the step of reducing the occurrence of the false alarm includes:
  When the occurrence of the false alarm is determined, a log that reduces the occurrence of the false alarm by stopping the execution of the abnormality detection or prediction or invalidating the abnormality detection result or the prediction result analysis method.   The log analysis method according to claim 1 or 2, wherein the step of reducing the occurrence of the false alarm includes:
  A log analysis method characterized in that, when the occurrence of the false alarm is determined, the occurrence of the false alarm is reduced by excluding the log predicted to generate the false alarm from the analysis target of the log.   The log analysis method according to claim 1 or 2, wherein the step of reducing the occurrence of the false alarm includes:
  When the occurrence of the false alarm is determined, a mark is added to a log that may cause the false alarm, and the detection of the abnormality or the execution of the prediction is changed based on the mark to reduce the occurrence of the false alarm. A log analysis method characterized by:   A computer that outputs an event occurrence log;
  A log analysis unit comprising: a log analysis unit that analyzes a log output from the computer and detects or predicts an abnormality of the computer;
  Log generation means for associating and holding event identification information for identifying the event and an event occurrence time that is a time at which the event occurs as at least a part of the log;
  Analyzing the newly received log to detect that an abnormality has occurred in the computer, or to detect that an abnormality has occurred in the computer,
  A comparison of the event identification information and a comparison of the event occurrence time for a plurality of the events including at least one first event that is the event when a false alarm occurs in the detection of abnormality of the computer or prediction of abnormality And a false alarm log that records regularity information indicating regularity related to the event occurrence time of the first event, and
  A false alarm detection means for determining the occurrence of false alarms in the detection of abnormality of the computer or prediction of abnormality;
  The false alarm detection means includes
  Extracting the event identification information and the event occurrence time included in the log that has been detected or predicted abnormality of the newly received computer,
  If the extracted event identification information is the same as the identification information of the first event with reference to the regularity information, and the extracted event occurrence time has the regularity, the abnormality of the computer The occurrence of a false alarm is determined in the detection of an error or the prediction of an abnormality, and when the false alarm is determined to occur, the received log is corrected or the log analysis unit is controlled to reduce the occurrence of a false alarm. Log analysis device.   It is a program for analyzing the event occurrence log output from the computer and causing the log analysis computer to execute processing for detecting or predicting an abnormality in the computer.
  A procedure for associating event identification information for identifying the event with an event occurrence time, which is a time at which the event occurs, as at least part of the log; and
  A comparison of the event identification information and a comparison of the event occurrence time for a plurality of the events including at least one first event that is the event when a false alarm occurs in the detection of abnormality of the computer or prediction of abnormality And generating regularity information indicating regularity regarding the event occurrence time of the first event, and
  A procedure for newly receiving a log from the computer;
  Analyzing the newly received log, detecting that an abnormality has occurred in the computer, or predicting the occurrence of an abnormality in the computer;
  A procedure for extracting the event identification information and the event occurrence time included in the log in which the abnormality of the newly accepted computer is detected or the abnormality is predicted;
  If the extracted event identification information is the same as the identification information of the first event with reference to the regularity information, and the extracted event occurrence time has the regularity, the abnormality of the computer A procedure for determining the occurrence of false alarms in detecting or predicting anomalies,
  When the occurrence of the false alarm is determined, a procedure for reducing the occurrence of the false alarm in the detection of the abnormality occurrence of the computer or the prediction of the occurrence of the malfunction of the computer;
  Is a program for executing the log analysis computer.