JP4888425B2 - Message monitoring system and message filter optimization support method - Google Patents

Description

  The present invention relates to a message monitoring system and a message filter optimization method, and in particular, can be detected by an inappropriate definition of a message filter (hereinafter simply referred to as a “filter”) set in an operation management system or another filter. The present invention relates to a system and method capable of detecting and correcting a redundant filter that detects only a certain message.

  The operation management system is usually configured such that the monitoring server normally collects messages from a plurality of monitored servers and compares them with one or more preset filters. All messages are stored in the message log file of each monitored server and sent to the monitoring server for comparison with the filter. If the message matches all the filter conditions, it is detected and output to the monitoring screen. Otherwise, messages are not output to the monitoring screen.

  In a system including a plurality of monitored servers, the function and configuration of each server are different, and a situation where different applications are operating on each server is common. In such a case, the message filter is set by the administrator so as to correspond to the function, configuration, and application of each monitored server. Therefore, as the system becomes larger, various functions, configurations, and applications exist on the system, and the number of filters becomes enormous. However, since the administrator manually sets the filter, a filter that does not detect a message at all due to a setting error or a filter that detects only the same message as a filter that has already been set may be set. Conventionally, in order to find and modify such a filter, it is necessary to check not only the contents of all filters but also the functions, configurations, applications, and the like of each server, which is very troublesome.

In order to deal with such a situation, a method has been proposed in which the user is dealt with by detecting the presence of a plurality of similar filters or outdated filters and informing the user (for example, Patent Document 1). . In the conventional method, a filter that does not detect a message at all is deleted as a filter with an incorrect condition setting or an unnecessary filter, or the administrator is urged to correct it, or the conditions of one filter are compared by comparing the conditions of two filters. Such a filter that is included in the other filter is presented to the administrator as a redundant filter (unnecessary filter). FIG. 2 is a diagram showing a conventional system configuration example.
JP 2003-16094 A

  However, there is no information on how to modify the filter even if it can be proposed in the prior art, but it is immediately possible to see how the administrator can modify the filter to detect the message. In the end, the administrator had to check the functions and configurations of each server, and the burden was great. Further, in the method of detecting the redundant filter by comparing only the conditions, for example, the filter conditions themselves do not overlap, but in the actual operation environment, there are cases where one filter detects only a message that other filters can detect. Can occur. Such a redundant filter cannot be found by simply comparing the conditions of two filters, and it is necessary to compare all detected messages with the setting conditions of each filter, which requires a huge amount of work. It was not easy for administrators to find.

  Therefore, it is convenient if there is a system that provides an indication of how to correct a message filter. Also, it is convenient if a redundant filter that can detect only a message that is not the same as other filters but can be detected by the other filters can be easily extracted.

  In order to solve the above-described problems, the present invention relates to a filter storage unit in which a message filter including one or more conditions (hereinafter simply referred to as a “filter”) is stored, and the contents of a check target message are collated with the filter. And a message log accumulating unit for storing information detected by the analyzing unit and information of all filters detecting the message in a message monitoring system including an analyzing unit that detects a message that satisfies all the filter conditions; Redundant filter analysis means for extracting a filter that detects only messages that can be detected by other filters with reference to the message log storage unit.

  Further, the message monitoring system includes a similar message detection unit that detects a message that satisfies a part of the filter condition but not all of the filter conditions, and a similar message that stores the similar message detected by the similar message detection unit in association with the filter. An accumulation unit; and a filter update unit that accepts setting and change of the filter condition, wherein the redundant filter analysis unit obtains a similar message related to the filter extracted by the redundant filter analysis unit from the similar message accumulation unit It is desirable that the filter update means accepts a change in the filter condition while outputting the information together with the filter information.

  In another aspect of the present invention, a filter storage unit in which a message filter including one or more conditions (hereinafter simply referred to as “filter”) is stored, and the content of the message to be inspected is collated with the filter. A message monitoring system comprising: an analysis unit that detects a message that satisfies all of the filter conditions; and a similar message detection unit that detects a message that satisfies some but not all of the filter conditions, and the similar message detection unit detects A similar message storage unit that stores the similar message in association with the filter, and extracts a filter that does not detect a message from the filter storage unit, acquires a similar message related to the filter from the similar message storage unit, and Similar message output means for outputting together with filter information , Characterized in that it comprises a filter update unit for accepting setting or change of condition of the filter.

  In the present invention, the information detected by the analysis means and the information of all the filters that detected the message are accumulated, and for example, only the message that can be detected by another filter, such as a message that is not detected alone, is detected. Added filter detection. This makes it possible to extract redundant filters that can detect only messages that are not detected by other filters but can be detected only by filter conditions, and can delete unnecessary filters or prompt corrections. It becomes.

  Further, according to the present invention, messages that match some but not all of the filter conditions are stored in association with each other as messages that are similar to the filter. To present. As a result, the administrator can compare the filter and its similar message when the filter is corrected, and can know how the similar message is detected when the filter is corrected.

  In addition, by combining these operations, for example, not only discovering filters that do not detect messages at all, but redundant filters that detect only messages detected by other filters and presenting deletions, how to correct them It is possible to present whether the filter can detect the message, and it helps the administrator to easily understand deficiencies in conditions and correct them to more optimal conditions. Further, unnecessary or redundant filters can be arranged, and it is possible to improve the reliability of the filter in the operation management of the system, reduce the load of the ACK processing, and greatly reduce the management load.

  Best modes for carrying out the present invention will be described below in detail with reference to the accompanying drawings. FIG. 1 is a functional schematic diagram of a message monitoring system according to an embodiment of the present invention. Referring to FIG. 1, the embodiment of the present invention is roughly divided into a monitoring server 100 that analyzes and detects messages, one or more monitored servers 200 monitored by the monitoring server 100, and an administrator. The monitoring terminal 300 is operated. These are connected by a communication network such as a LAN or a dedicated line, and can send and receive information in real time.

  The monitoring server 100 includes a monitoring unit 101, a seating unit 102, a filter storage unit 103, a message log storage unit 104, a filter update unit 105, a similar message storage unit 107, and a hit count setting unit 108. A message display unit 109, a detection filter applying unit 110, and a redundant filter analyzing unit 111 are provided. Among these, the analysis unit 102 includes a similar message detection unit 106. Actually, the filter storage unit 103, the message log storage unit 104, and the similar message storage unit 107 each form part of the storage area of the monitoring server 100, and other means are stored in the storage device of the monitoring server 100. Although the functional elements are realized only when the program or the program module is expanded on the CPU or the memory, they are described as one means for convenience of explanation.

  Each of the one or more monitored servers 200 includes a message log file storage unit 211. One monitoring server 200 may be provided according to the embodiment, or a plurality of agent devices may be provided.

  The monitoring terminal 300 includes a message confirmation unit 301, a filter setting unit 302, a similar message confirmation unit 303, and a redundant filter confirmation unit 304. These are means realized by cooperation of software and hardware, like each means of the monitoring server 100. Although not particularly illustrated, the monitoring terminal 300 includes at least a display screen for presenting a message and a filter configuration to the administrator, and input means for receiving support from the administrator such as setting, correction, and deletion of the filter.

  Each of these elements generally operates as follows. The monitored server 200 registers a message generated in the server 200 in the message log file storage unit 201.

  The monitoring unit 101 of the monitoring server 100 monitors the monitored server 200, receives a message from the message log file storage unit 201, and passes the message to the analysis unit 102. The filter storage unit 103 stores message filters (hereinafter simply referred to as “filters”) preset by the administrator. The filter update unit 105 receives a filter correction, deletion, and addition request from the filter setting unit 302 of the monitoring terminal 300, and corrects, deletes, or adds a filter stored in the filter storage unit 103. The analysis unit 102 calls the filter from the filter storage unit 201 and collates it with the message received from the monitoring unit 101. One or more conditions are set in the filter, and when the message satisfies all the conditions, the message is detected as being matched with the filter, and the analysis unit 102 detects the message and the message in the detection filter providing unit 110. Pass the filter name. At this time, when a plurality of filters detect the message, a list of all filter names is passed instead of one of them. Further, the analysis unit 102 passes the detected filter name (a list of filter names in the case of a plurality) to the hit number setting unit 108. The hit number setting means 108 adds 1 to the number of hits of the corresponding filter stored in the filter storage unit 103 from the received filter name. On the other hand, the detection filter assigning means 110 assigns the received filter name to the message received from the analysis means 102 and stores it in the message log accumulation unit 104 (see FIG. 12).

  When receiving a request from the redundant filter confirmation unit 304 of the monitoring terminal 300, the redundant filter analysis unit 111 of the monitoring server 100 obtains a list of filter names that have detected the message from the message log storage unit 104, and will be described later. The process obtains a redundant filter, that is, a filter that detects only a message detected by another filter, and then obtains a similar message (described later) of the redundant filter from the similar message storage unit 107, and together with information on the redundant filter, It passes to the redundant filter confirmation means 304. The similar message detection means 106 of the analysis means 102 is the message that has not been detected by the analysis means 102, that is, the message that does not match all of the filter conditions. The similar message of the matched filter is stored in the similar message storage unit 107 together with the filter name. When the similar message display unit 109 receives a request from the similar message confirmation unit 303 of the monitoring terminal 300, the similar message display unit 109 acquires a filter name having a hit count of 0 from the filter storage unit 103 and displays the similar message of the filter as a similar message. Obtained from the storage unit 107 and passed to the similar message confirmation unit 303.

  The message confirmation unit 301 of the monitoring terminal 300 obtains the message detected by each filter from the message log storage unit 104 of the monitoring server 100 and presents it to the administrator. The filter setting unit 302 receives the input operation of the administrator, and causes the filter update unit 105 of the monitoring server 100 to add, update, and delete the filter. The similar message confirmation unit 303 sends a request to the similar message display unit 109 of the monitoring server 100 periodically or in response to a request from the administrator, and acquires information on a filter whose hit number is 0 and a similar message of the filter. Present it to the administrator. The redundant filter confirmation unit 304 periodically or in response to a request from the administrator, sends a request to the redundant filter analysis unit 111 of the monitoring server 100, acquires information on the redundant filter and a similar message of the filter, and presents it to the administrator. To do.

  In this embodiment, the monitoring terminal 300 operated by the administrator is provided separately from the monitoring server 100. However, each function of the monitoring terminal 300 may be provided in the monitoring server 100 and the monitoring terminal 300 may be omitted.

  The operation of the system of the present embodiment configured as described above will be described in detail below. As a premise, a plurality of message filters preset by the administrator are registered in the filter storage unit 103 of the monitoring server 100. This is set from the filter setting means 302 of the monitoring terminal 300. An example of the filter group is shown in FIG. As shown in the figure, importance, application, server, text, etc. are set as filter conditions in addition to the filter name for each filter.

  First, a message detection operation and a similar message extraction operation will be described with reference to FIG. When the analysis unit 102 (and similar message detection unit 106) of the monitoring server 100 receives a message from the monitoring unit 101, it obtains a list of filters (see FIG. 4) from the filter storage unit 103 and collates the message with the filter. In this process, the analysis unit 102 checks all the filters for one item of the message content, and excludes the filters that do not match (step S01). For example, as shown in FIG. 5, the message “importance” of the message “importance: ERROR, application: Web Server, server: Sv3, body: Shutdown now.” Shown in the filter group of FIG. A filter having a condition of “importance: ERROR” is extracted. When the filter list with the narrowed conditions is not empty (step S02), the filter list is temporarily stored (step S03).

  If the filter list is not empty and there are items not compared in the message (step S04), paying attention to the next item in the message, all the filters included in the currently temporarily saved filter list And a list of filters with further narrowed down conditions is created (return from step S05 to step S01). More specifically, the filter listed in FIG. 5 becomes the list of FIG. 6 when narrowed down by the condition of the next item “Application: Web Server” of the message, and further the next item “Server: Sv3”. If the condition is narrowed down, the list shown in FIG. 7 is obtained, and if the next item “text: Shutdown now.” Is narrowed down, the list becomes empty as shown in FIG.

  If there is no next item in step S04, the filters included in the currently temporarily saved filter list match all the conditions for the message, so that the message is detected in those filters. Then, the message is stored in the message log accumulating unit 104 from the detection filter adding unit 110 (step S06). This is presented to the administrator by the message confirmation unit 301 of the monitoring terminal 300. The analysis unit 102 passes the currently stored filter list to the hit number setting unit 108. The hit number setting means 108 accesses the filter storage unit 103 and adds 1 to the number of hits of each filter that has detected a message (step S07).

  On the other hand, if the filter list becomes empty during the condition comparison (step S02: N), that is, if there is no filter that matches the condition as shown in FIG. 8, the message is stored in the currently stored filter. The message similar to the list is stored in the similar message storage unit 107 together with the temporarily stored filter list (step S08). However, since the first item does not match in the comparison between the message and the filter, if there is no corresponding filter, the process ends without determining that the message is similar.

  In this way, 1 is added to the number of hits of the filter that detected the message, and a message that is not detected but matches many of the conditions is recognized as a message that is similar to the filter, and is stored in the similar message storage unit 107. The In this embodiment, a message that satisfies the most conditions is stored as a similar message. However, this may be determined by other criteria. For example, if a predetermined number of conditions or more match, it can be considered similar.

  Next, a process for confirming and correcting a filter that does not detect any message will be described. For example, when the administrator operates the similar message confirmation unit 303 of the monitoring terminal 300, the unit 303 sends a request to the similar message display unit 109 of the monitoring server 100. The similar message display unit 109 that has received the request refers to the filter storage unit 103 to extract a filter having a hit count of “0”, and refers to the similar message storage unit 107 from the information, thereby resembling a message similar to the filter. To extract. The filter and the similar message whose hit number is 0 are sent to the similar message confirmation means 303 of the monitoring terminal 300 and presented to the administrator. FIG. 10 is an example of a screen showing information on a filter whose hit count is 0. When any one of the filters is designated, as shown in FIG. 11, a filter with a hit count of 0 and its similar message are displayed simultaneously. Looking at this, the administrator can compare a filter condition that does not detect a message with a similar message having a condition close to this filter, and can modify the filter to detect this similar message. As shown in FIG. 11, a “filter correction” button is provided at the bottom of the screen, and the filter can be corrected from the filter setting means 302 by pressing this button. Note that the request from the similar message confirmation unit 303 may be configured to check a filter with a hit count of 0 every predetermined period and prompt the administrator to correct it other than when the administrator performs an input operation. In the above-described embodiment, a filter having a hit number “0” is extracted. However, a filter having a hit number other than 0 may be extracted instead of the hit number.

  Next, processing for detecting a filter (redundant filter) that detects only a message that does not match the condition itself but can be detected by another filter will be described with reference to the flowchart of FIG. When the analysis unit 102 of the monitoring server 100 compares the message with the filter and the message is detected, the analysis unit 102 passes the list of detected filter names together with the message to the detection filter providing unit 110. The detection filter adding unit 110 adds a list of filter names that have detected this to the received message, and registers the list in the message log storage unit 104. FIG. 12 is an example of data stored in the message log storage unit 104. As shown in the figure, the contents and the name of the filter that detects this are registered for each message.

  For example, when the administrator operates the redundant filter confirmation unit 304 of the monitoring terminal 300, a request is sent from the redundant filter confirmation unit 304 to the redundant filter analysis unit 111 of the monitoring server 100. The redundant filter analysis unit 111 acquires a list of filter names that have detected a message from the message log storage unit 104, and extracts a redundant filter that detects only a message detected by another filter. This method will be described with reference to the flowchart of FIG. In the following description, when there are two filters A and B, if filter B detects only a message that can be detected by filter A, filter A is said to include filter B, and filter B is included in filter A. Called to be.

  As shown in FIG. 13, the redundant filter analysis unit 111 first focuses on one filter in the filter storage unit 103 (step S10), and extracts a set including the filter from the message log storage unit 104 (step S11). The other filters included in this set are added to the inclusion filter list (steps S12 to S13). More specifically, assuming that there is the contents of the message log storage unit 104 in FIG. 12, first, focus on the filter F_1, and the values (F_1, F_3), (F_1) of the first, third and fourth messages from the top. , (F_1, F_3) are extracted, and another filter F_3 included in this set is added to the included filter list shown in FIG. 14 as a filter that may include F_1. As shown in FIG. 14, F_3 is registered as a filter that may be included in the filter F_1. In this process, if there is no set including the filter of interest, the process proceeds to step S14. If there is a filter that has not been noticed yet, the next filter is noticed, and similarly a list of filters that may be included is created (from steps S14 and S15 to step S11). In this way, the inclusion list shown in FIG. 14 is created from the message list shown in FIG.

  After obtaining a list of filters that may be included for all the filters registered in the filter storage unit 103, pay attention to the filters one by one (step S16), and include the filter from the list of FIG. Is extracted (step S17). If a filter that may contain the currently focused filter (F_3 when focusing on F_1 in FIG. 14) is included in all of them, the filter is currently focused on. If there is a set that is not included, the filter is excluded from the list as not including the currently focused filter (steps S18 to S19). This process is performed for all the filters (steps S20 and S21), the list of inclusion relations of the filters is completed, and redundant filters are extracted. FIG. 15 is a list of inclusion relations of the filters obtained by the above processing from the list of FIG. 12, and the filter F_3 is included in F_1 as shown in this figure, that is, F_3 is redundant with respect to F_1. It turns out.

  It should be noted that the process of extracting the redundant filter may be a little simpler, for example, by extracting a filter that does not detect a message alone in the list of FIG. That is, a case where a message detected by a certain filter is always detected by another filter is treated as being included in any filter, and a case where a message is detected alone is excluded. This is simple but can be executed with low load, although the detection accuracy is not certain.

  Next, confirmation, deletion, and correction processing of the redundant filter extracted in this way will be described. For example, when the administrator operates the redundant filter confirmation unit 304 of the monitoring terminal 300, the unit 304 sends a request to the redundant filter analysis unit 111 of the monitoring server 100. The redundant filter analysis unit 111 that has received the request extracts a redundant filter by the above processing, acquires a message similar to the redundant filter from the similar message storage unit 107, and sends the message to the monitoring terminal 300. The redundant filter confirmation means 304 of the monitoring terminal 300 displays the received information on the screen and presents it to the administrator. 16 and 17 are examples of screens for presenting redundant filters. A list of detected redundant filters is displayed on the screen of FIG. 16, and when any one of the filters is designated, detailed information of FIG. 17 is displayed. On this screen, the administrator confirms the existence of the redundant filter, sees the similar message provided, knows how to correct the redundant filter, and corrects the redundant filter. Can do. This filter deletion or correction is executed by the filter setting means 302 of the monitoring terminal 300.

  As described above in detail, according to the present invention, by accumulating messages similar to filters that have already been set, and presenting similar messages of the filter when a certain filter needs to be corrected, For example, an administrator can recognize a filter that does not detect a message at all, and can easily grasp how the filter will detect a message if it is corrected.

  In addition, a list of filters that have detected a message is stored together with the message, and by analyzing this list, redundant filters can be extracted, so a redundant filter that only detects messages detected by other filters can be found. In addition, since it is possible to prompt the administrator to delete or modify, it is possible to reduce unnecessary filters, and it is possible to reduce the processing load by reducing the number of comparisons between messages and filters.

  The present invention can be suitably used in the information processing industry including an operation management system.

It is the schematic which shows the structure of the message monitoring system concerning one Example of this invention. It is the schematic which shows the structure of the conventional message monitoring system. It is a flowchart which shows the process which extracts the message similar to each filter in the system of FIG. It is a figure which shows an example of the registration content of the filter storage part 103 shown in FIG. It is a figure for demonstrating the condition comparison process in the operation | movement of FIG. It is a figure for demonstrating the condition comparison process in the operation | movement of FIG. It is a figure for demonstrating the condition comparison process in the operation | movement of FIG. It is a figure for demonstrating the condition comparison process in the operation | movement of FIG. It is a figure which shows an example of the registration content of the similar message storage part 107 shown in FIG. It is a figure which shows the example of a screen shown by the similar message confirmation means 303 shown in FIG. It is a figure which shows the example of a screen shown by the similar message confirmation means 303 shown in FIG. It is a figure which shows an example of the registration content of the message log storage part 104 shown in FIG. It is a flowchart which shows the process which extracts a redundant filter in the system of FIG. It is an example of the list created by the process of FIG. It is an example of the list created by the process of FIG. It is a figure which shows the example of a screen shown by the redundant filter confirmation means 304 shown in FIG. It is a figure which shows the example of a screen shown by the redundant filter confirmation means 304 shown in FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Monitoring server 101 Monitoring means 102 Analysis means 103 Filter storage part 104 Message log storage part 105 Filter update means 107 Similar message storage part 108 Hit number setting means 109 Similar message display means 110 Detection filter provision means 111 Redundant filter analysis means 200 Monitored Server 201 Message log file storage unit 300 Monitoring terminal 301 Message confirmation unit 302 Filter setting unit 303 Similar message confirmation unit 304 Redundant filter confirmation unit

Claims (6)

A filter storage unit that stores a message filter including one or more conditions (hereinafter simply referred to as a “filter”), and a message that satisfies all the filter conditions is detected by comparing the content of the message to be inspected with the filter. In a message monitoring system comprising an analysis means,
A message log accumulating unit for storing information of the message detected by the analyzing means and all filters for detecting the message, and a filter for detecting only messages that can be detected by other filters with reference to the message log accumulating unit A message monitoring system comprising: redundant filter analysis means for extracting. The message monitoring system according to claim 1, further comprising a similar message detection unit that detects a message that satisfies a part of the filter condition but not all of the filter conditions, and associates the similar message detected by the similar message detection unit with the filter. A similar message accumulating unit for storing, and a filter updating means for accepting setting and changing of the filter condition,
The redundant filter analysis unit acquires a similar message related to the filter extracted by the redundant filter analysis unit from the similar message storage unit and outputs the similar message together with the filter information, and the filter update unit changes the condition of the filter A message monitoring system characterized by accepting messages. A filter storage unit that stores a message filter including one or more conditions (hereinafter simply referred to as a “filter”), and a message that satisfies all the filter conditions is detected by comparing the content of the message to be inspected with the filter. In a message monitoring system comprising an analysis means,
Similar message detection means for detecting a message that satisfies some but not all of the filter conditions, a similar message storage section that stores the similar message detected by the similar message detection means in association with the filter, and the filter storage section A similar message output means for extracting a filter that has not detected a message from the message, obtaining a similar message related to the filter from the similar message storage unit, and outputting the similar message together with the filter information, and setting or changing the filter condition. A message monitoring system comprising: a filter update means for receiving. A filter storage unit that stores a message filter including one or more filter conditions (hereinafter simply referred to as a “filter”), and a message that satisfies all the filter conditions by checking the content of the message to be inspected against the filter. In a filter optimization support method in a system comprising an analyzing means for detecting,
The step of registering the message detected by the analysis means and the information of all the filters that have detected it in the message log storage section, and the redundant filter analysis means can be detected by other filters with reference to the message log storage section. A filter optimization support method comprising: extracting a redundant filter that detects only a certain message. 5. The method according to claim 4, further comprising a step of detecting, as a similar message, a message that satisfies a part but not all of the conditions of the filter as a similar message, and associating the detected similar message with the filter. Registering in the similar message accumulating unit, the redundant filter analyzing unit obtaining a similar message related to the redundant filter from the similar message accumulating unit and outputting the similar message together with information on the redundant filter, filter updating unit Receiving a condition change of the filter. A filter optimization support method comprising: A filter storage unit that stores a message filter including one or more filter conditions (hereinafter simply referred to as a “filter”), and a message that satisfies all the filter conditions by checking the content of the message to be inspected against the filter. In a filter optimization support method in a system comprising an analyzing means for detecting,
A step in which a similar message detection means detects a message that satisfies a part but not all of the filter condition and stores it in a similar message storage unit; and a similar message output type, but no message is detected from the filter storage unit Extracting a filter, obtaining a similar message related to the filter from the similar message storage unit and outputting the same together with the filter information, and a step of receiving a setting or change of the filter condition by the filter updating means. A filter optimization support method characterized by that.

Images