JP5484376B2 - Log collection automation device, log collection automation test system, and log collection control method - Google Patents

Description

  The present invention relates to a technique for collecting a test log from each device constituting a communication network in a communication network test.

In a communication network, various network devices use SNMP Traps and Syslogs as a means to communicate their own device status to the outside. In network maintenance operations, the device status and overall network information are also based on these SNMP Trap and Syslog information. The state is monitored (for example, Non-Patent Document 1).
In addition, in a communication network test configuration in which a test device or a packet capture device is used to test a test target device such as various application servers, each device such as a test device, a packet capture device, a test target device, or an IP network relay device Generates a test log in its own file format.

“SNMP to automate monitoring (1) Why network management?” [Online], 2003/2/19, [February 16, 2011 search], Internet <URL: http: // www.atmarkit.co.jp/fnetwork/rensai/snmp01/01.html>

  In a communication network test, it is desirable to acquire and analyze the log at the time of event occurrence as much as possible in order to prevent re-verification when an event requiring analysis occurs. However, there is a limit to the period for collecting and accumulating logs such as packet capture, and there is a problem that it is difficult to leave long-term logs. In addition, the analysis candidate events may include events caused by problems in the test environment, and in order to detect events that really need to be analyzed from a large amount of logs, there are many primary operations. There is also a problem that is necessary.

  The present invention has been made in view of the above points, and an object of the present invention is to provide a technique capable of reducing the operation amount necessary for the conventional test implementation and improving the efficiency of the communication network test. To do.

The present invention is a log collection automation device for collecting analysis logs from each device constituting a test system including a test target device in a communication network,
An event policy storage means for storing an event policy for detecting a specific event;
Analysis necessity determination condition policy storage means for storing a condition policy for determining whether log analysis is necessary;
Monitoring information acquisition means for acquiring monitoring information from each device constituting the test system;
When the occurrence of an event conforming to the event policy stored in the event policy storage unit is detected from the monitoring information acquired by the monitoring information acquisition unit, an analysis log is acquired from an apparatus constituting the test system. Analysis log acquisition means stored in the storage means;
Detecting means for detecting another event that occurs simultaneously with the event;
Based on a combination of the event and another event that has occurred at the same time, a determination unit that determines the necessity of detailed analysis according to a condition policy stored in the analysis necessity determination condition policy storage unit;
And a discarding unit that discards the analysis log stored in the storage unit when the determination unit determines that the detailed analysis is unnecessary. Good.

  The apparatus for which the analysis log acquisition means acquires the analysis log is set to always collect the analysis log, and the analysis log acquisition means is the analysis log already stored in the apparatus. You may comprise so that it may acquire.

  The analysis necessity determination condition policy storage means stores a combination of events that do not require detailed analysis as the condition policy, and a combination of the event and another event that occurs at the same time is the condition policy. If the event corresponds to a combination of events as a policy, the determination unit may determine that detailed analysis is not necessary.

  The present invention can also be configured as a log collection automation test system characterized in that the log collection automation device and each device constituting the test system are connected to a network. The present invention may be configured as a log collection control method executed by the log collection automation apparatus.

  According to the present invention, it is possible to reduce the amount of operation required for performing a conventional test and to improve the efficiency of a communication network test.

1 is a configuration diagram of a test system according to an embodiment of the present invention. 2 is a functional configuration diagram of a log collection automation device 10. FIG. It is a sequence diagram which shows the operation example 1 of a test system. It is a figure which shows the example of the analysis necessity judgment condition policy stored in the analysis necessity judgment condition policy storage part. It is a sequence diagram which shows the operation example 2 of a test system. It is a sequence diagram which shows the operation example 3 of a test system.

  Embodiments of the present invention will be described below with reference to the drawings.

(System configuration)
FIG. 1 shows a test system configuration diagram of a communication network test according to an embodiment of the present invention. Further, FIG. 1 shows that log monitoring, log collection, and the like are performed from each device by dotted lines.

  As shown in FIG. 1, the test system (referred to as a log collection automation test system) includes a test target device 1, a maintenance device 2 of the test target device 1, an IP network relay device 3, a test machine 4, a packet A capture device 5 and a log collection automation device 10 are provided, and each device is connected to a network so that it can communicate with other devices as shown in FIG. The log collection automation test system excluding the log collection automation apparatus 10 may be simply referred to as a test system.

  The test target device 1 is a test target device such as a SIP server or various network devices. Note that the test target device 1 is not limited to a specific type of device, and may be any device. The maintenance device 2 of the test target device 1 is a device that performs device information collection and configuration setting change of the test target device 1. The IP network relay device 3 is a router, a switch, or the like. The test machine 4 is a device that simulates a user terminal (mobile terminal or personal computer). The packet capture device 5 is a device that acquires (captures) and stores a packet flowing through the network under preset conditions.

  The log collection automation apparatus 10 is an apparatus according to the present invention, and includes a network monitoring server A, a log monitoring function / time synchronization function B, and a log collection / storage function C. Details of the functional configuration and operation of the log collection automation device 10 will be described later in detail.

  The network monitoring server A is a functional unit that supports network monitoring protocols such as SNMP Trap and Syslog. In the configuration shown in FIG. 1, as an example, the function of the network monitoring server A is provided in the log collection automation device 10. However, the network monitoring server A is provided outside the log collection automation device 10, and the log collection automation device 10 is provided. However, as with other devices, various types of information may be acquired from the network monitoring server A via the network. In the following apparatus configuration, it is assumed that the network monitoring server A is provided outside.

  FIG. 2 shows a functional configuration diagram of the log collection / automation apparatus 10 according to the embodiment of the present invention. As illustrated in FIG. 2, the log collection automation device 10 includes a policy setting unit 11, an event policy storage unit 12, an analysis necessity determination condition policy storage unit 13, a time synchronization unit 14, a periodic monitoring information acquisition unit 15, and periodic monitoring information. A storage unit 16, an analysis log collection unit 17, a log collection control unit 18, and an analysis log storage unit 19 are provided.

  The policy setting unit 11 is a functional unit that receives a policy input from a tester or the like and stores the input policy in the event policy storage unit 12 or the analysis necessity determination condition policy storage unit 13. The event policy storage unit 12 is an event that can be determined from the monitoring information acquired by the periodic monitoring information acquisition unit 15, and stores a policy of an event that triggers a concurrency check and an unexpected event determination described later. The analysis necessity determination condition policy storage unit 13 stores a policy as a condition for performing an unexpected event determination.

  The time synchronization unit 14 is a functional unit for synchronizing the time of each device constituting the test system. Various existing techniques can be used as the time synchronization method. With the function of the time synchronizer 14, each device constituting the system is synchronized with, for example, a log collection automation device. In the following description, it is assumed that the devices are synchronized. Instead of synchronizing each device, the time synchronization unit 14 may grasp the time lag of each device and correct the time of information acquired from each device according to the lag. Performing such correction is also a synchronization in a broad sense.

  In addition, when each apparatus which comprises a test system can be synchronized by means other than the log collection automation apparatus 10, it is not essential to provide the time synchronization part 14 in the log collection automation apparatus 10. FIG.

  The periodic monitoring information acquisition unit 15 is a functional unit that acquires information that can be periodically monitored from each device constituting the test system and stores the information in the periodic monitoring information storage unit 16. The information that can be periodically monitored is information that can identify an event stored in the event policy storage unit 12 and is, for example, CPU usage rate, packet loss, etc., but is not limited to specific information. Also, in this example, it is assumed that monitoring information is acquired from each device at “periodic” (predetermined time interval). However, if acquired simultaneously from each device, it is “periodic”. Not required. The monitoring information acquisition method includes a method of autonomously acquiring information notified from each device to the log collection / automation device 10 and a method of acquiring information from the log collection / automation device 10 to each device or an operation terminal of each device. The periodic monitoring information acquisition unit 15 according to the present embodiment is compatible with either method.

  The periodic monitoring information storage unit 16 is a buffer memory or the like that stores the monitoring information acquired by the periodic monitoring information acquisition unit 15. Information to be stored includes, for example, information for identifying a device to be acquired, a specific value such as a CPU usage rate, information indicating what the value represents, and the value acquired in the corresponding device. Includes time (time stamp).

  The analysis log collection unit 17 is a functional unit that acquires a log for detailed analysis from each device in accordance with an instruction from the log collection control unit 18 and stores it in the analysis log storage unit 19. The analysis log storage unit 19 stores the log of each device acquired by the analysis log collection unit 17.

  Based on various information stored in the periodic monitoring information storage unit 16, the event policy storage unit 12, and the analysis necessity determination condition policy storage unit 13, the log collection control unit 18 determines whether a specific event has occurred, concurrency check / assuming This is a functional unit that performs processing such as instructing analysis log collection to the analysis log collection unit 17 when an external event is determined and analysis log collection is determined to be necessary. The operation performed by the log collection control unit 18 will be described in more detail in the subsequent operation description.

  The log collection / automation apparatus 10 shown in FIG. 2 can be realized by causing a computer to execute a program describing the processing contents described in the present embodiment. That is, the function of each part of the log collection / automation apparatus 10 is a program corresponding to the processing executed by each part using hardware resources such as CPU and memory built in the computer constituting the log collection / automation apparatus 10. It can be realized by executing. Further, the program can be distributed to the market via a recording medium such as an FD, CD-ROM, or DVD in which the program is recorded, or a network such as the Internet.

  Hereinafter, each operation example of the test system (particularly the log collection automation device 10) will be described in detail.

(Test system operation example 1)
An operation example 1 of the test system will be described with reference to the sequence diagram of FIG.

  First, as a preliminary preparation, the tester inputs various policies to the log collection automation device 10 (step 1). The policy input by the policy setting unit 11 as an event policy is stored in the event policy storage unit 12, and the policy input as an analysis necessity determination condition policy is stored in the analysis necessity determination condition policy storage unit 13.

Examples (1) to (16) of event policies stored in the event policy storage unit 12 are shown below. The following is only an example, and the event policy is not limited to these examples.
(1) Threshold value of the number of packet loss at the interface implemented in the test target device (2) Threshold number of error regarding a specific error of the packet at the interface implemented in the test target device (3) Various types in the test target device In the protocol information, the threshold of the number of variations with respect to the number of session information and state information managed by the test target device (4) CPU usage rate or usage threshold of the test target device (5) Memory usage rate of the test target device Or the threshold of usage (6) The configuration setting of the test target device has been changed in the maintenance device of the test target device. (7) The configuration setting of the test target device can be saved in the maintenance device of the test target device. What has been done (8) The threshold of the number of packet losses at the interface implemented in the IP network relay device (9 Threshold number of errors for specific errors in packets at interfaces implemented in IP network relay devices (10) Session information and states managed by IP network relay devices in various protocol information in IP network relay devices Threshold of fluctuation number with respect to number of information (11) CPU usage rate or usage threshold of IP network relay device (12) Arbitrary value in memory usage or usage of IP network relay device is set as threshold (13) Threshold for packet loss at interface implemented in test machine (14) Threshold for number of errors for specific error of packet at interface implemented in test machine (15) Packet at interface implemented in test machine Delay amount threshold (16) in the network monitoring server, For example, with regard to (1), the number of packet losses acquired from the test target device 1 as the periodic monitoring information is greater than or equal to the threshold defined in (1). In this case, it is determined that an event that requires a concurrency check and an unexpected event determination occurs. For example, for (6), when periodic monitoring information is acquired from the maintenance device 2 of the test target device 1 indicating that the configuration change of the configuration of the test target device 1 has been performed, It is determined that an event requiring a sex check and an unexpected event determination has occurred.

  An example of the analysis necessity judgment condition policy stored in the analysis necessity judgment condition policy storage unit 13 is shown in FIG. The example shown in FIG. 4 is for explaining the analysis necessity judgment condition policy in an easy-to-understand manner, and the data structure of the analysis necessity judgment condition policy is not limited to the example shown in FIG.

  As shown in FIG. 4, the analysis necessity determination condition policy storage unit 13 includes a simultaneous event that is associated with the generated event and the combination with the generated event is a known event (= no detailed analysis is required). Stored. For example, when the occurrence of event 1 is detected, if event 6 or event 7 is detected as an event at the same time, detailed analysis is determined to be unnecessary. Also, for example, when the occurrence of event 1 is detected, and event 16 is detected as an event at the same time, event 16 is not set as a set of events that do not require analysis for event 1, so detailed analysis is performed. It is judged necessary.

  More specifically, for example, when an excess of the packet delay amount in the testing machine 4 is detected as an occurrence event that conforms to the event policy, the event that occurs at that time is the maintenance device of the test target apparatus 1. 2 in the case where only the configuration setting of the test target device 1 is stored, and the combination of the simultaneous occurrence of the event is set as analysis unnecessary in the analysis necessity determination condition policy, it is determined that analysis is not required. Is done. In this case, if the combination of the simultaneous occurrences of the event is not set as analysis unnecessary in the analysis necessity determination condition policy, it is determined that analysis is necessary.

  In the above example, a combination of events that do not require detailed analysis is stored in the analysis necessity determination condition policy storage unit 13. Conversely, a combination of events that require detailed analysis is stored in the analysis necessity determination condition policy storage unit. It is good also as storing in 13 and performing the judgment operation | movement according to the content.

  Returning to FIG. 3, after the policy is set in step 1, the periodic monitoring information acquisition unit of the log collection automation apparatus monitors information that can be periodically monitored of each apparatus (step 2). That is, the periodic monitoring information acquisition unit 15 acquires monitoring information from each device at a predetermined time interval, and stores the acquired information in the periodic monitoring information storage unit 16 (temporarily).

  In parallel with performing the above monitoring, the log collection control unit 18 in the log collection automation device 10 includes the event policy stored in the event policy storage unit 12 and the monitoring information stored in the periodic monitoring information storage unit 16. Based on the above, it is determined whether or not an event set as an event policy has occurred.

  In step 3, when the log collection control unit 18 detects the occurrence of an event, in step 4, the log collection control unit 18 determines whether another event has occurred at the same time based on the event policy and the monitoring information. Here, “simultaneous” includes not only the time (time stamp) of the monitoring information being exactly the same but also being within a predetermined short time.

  Subsequently, the log collection control unit 18 stores the analysis necessity judgment condition policy storage unit 13 based on the event generated in step 3 and the concurrency check result in step 4 (simultaneous event detection or no simultaneous event). The detailed analysis necessity is determined according to the stored analysis necessity determination condition policy. For example, when event 1 is detected in step 3 and event 6 is detected as a simultaneous event in step 4, it is determined that such a combination of events is a known event, and the subsequent detailed analysis is unnecessary. For example, if event 1 is detected in step 3 and event 16 is detected as a simultaneous event in step 4 or no simultaneous event is detected, such an event is determined as a new event (unexpected event), and Judge that detailed analysis is necessary.

  In step 6, based on the determination in step 5, the log collection control unit 18, when the event that has occurred is a new event, the analysis log collection unit 17 collects a new log for detailed analysis of various devices. To instruct. Upon receiving the instruction, the analysis log collection unit 17 sends a log acquisition command to each device, acquires the logs sequentially accumulated in the buffer in each device, and stores them in the analysis log storage unit 19.

  The analysis log collected in step 6 can be, for example, a log of a predetermined type according to the occurrence event, which is, for example, a communication message, a capture packet, a device system message, an operating state, or the like. , Not limited to specific ones. Further, the devices that are targets of log collection in step 6 may be all devices, or may be devices that are determined in advance according to the occurrence event.

(Test system operation example 2)
FIG. 5 shows an operation example 2 of the test system. Below, it demonstrates centering on a different part from the operation example 1. FIG.

  In the operation example 2, each device of the test system always collects an analysis log, and the log is set to be stored in the device itself (for example, in the device buffer) or in the operation terminal of the device. The operation based on this setting is performed. Note that the log collection target device and the log type that are always collected here may be appropriately determined according to the purpose. For example, a capture result by the packet capture device 5 between all devices is included. In addition, although logs are always collected here, it is not necessary to accumulate long-term logs. For example, it is only necessary to store the logs for a predetermined buffer size.

Steps 1 to 5 in FIG. 5 are the same as those in the first operation example. When it is determined in step 5 that the detailed analysis is necessary, in step 6, the log collection control unit 18 always collects the analysis log of each device collecting the log. 17 is instructed. In the operation example 2, since the analysis log is always collected and stored in each device, the analysis log collection unit 17 that has received the instruction acquires all the analysis logs already stored in each device, and analyzes them. Stored in the log storage unit 19.
(Test system operation example 3)
FIG. 6 shows an operation example 3 of the test system. Below, it demonstrates centering on a different part from the operation example 1. FIG.

  In Operation Example 3, as in Operation Example 2, each device of the test system always collects a log for analysis and stores the log in its own device (for example, a buffer in the device) or in the operation terminal of the device. The setting to save is made, and the operation based on this setting is performed. The log collection target device and the log type that are always collected here may be appropriately determined according to the purpose. For example, a capture result by a packet capture device between all devices is included. In addition, logs are always collected here, but it is not necessary to accumulate long-term logs. For example, it is only necessary to store only a predetermined buffer size.

  Steps 1 to 3 in FIG. 6 are the same as those in the first operation example. When an event occurrence is detected in step 3, the log collection control unit 18 instructs the analysis log collection unit 17 to collect the analysis log of each device that is always collecting logs in step 3-1. . In the operation example 3, since the analysis log is always collected and stored in each device, the analysis log collection unit 17 that has received the instruction acquires all the analysis logs that are already stored in each device and performs analysis. Stored in the log storage unit 19.

  Then, at the timing when all the analysis logs are collected in step 3-1, as steps 4 and 5, simultaneity check and unexpected event determination are performed. The processing contents of steps 4 and 5 are the same as those in the first operation example.

  When the event that occurred in step 5 is a known event and it is determined that detailed analysis is not necessary, the log collection control unit 18 discards (deletes) the analysis log saved in step 3-1. (Step 6). If it is determined in step 5 that detailed analysis is required, detailed analysis can be performed using the analysis log saved in step 3-1.

  In the above-described operation examples 2 and 3, when a predetermined event occurs, the analysis log is acquired from the target device that always collects the log and is stored in the analysis log storage unit 19. Instead of this, the log stored in the in-device buffer of each device that always collects the log may be stored in the non-volatile data storage area in the device. In this case, when performing a detailed analysis, an analysis log stored in a non-volatile data storage area in the apparatus can be used. In this case, when deleting in Step 6 of Operation Example 3, a deletion command is issued to the target device, and the analysis log stored in the nonvolatile data storage area is deleted by the device.

(Summary of the embodiment, effects)
As described above, according to the technology according to the present embodiment, the occurrence of an event that has been monitored as needed from a plurality of logs that can be periodically acquired, and determined that analysis may be necessary according to a preset policy. Occasionally, by checking the concurrency / non-simultaneity with other logs, it is possible to eliminate events that do not require analysis, and logs are saved / collected only when an event that needs to be analyzed occurs. In addition, the existing trap / syslog of the NW device is insufficient for verification because the log collection target is insufficient for verification. Carve / save / collect logs.

  Since information that requires log analysis is acquired in an event-driven manner when an event occurs, it is possible to reduce primary separation operation and repeated re-verification for log acquisition. That is, since the amount of operation required for the conventional test can be reduced, the efficiency of the test can be realized.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

DESCRIPTION OF SYMBOLS 1 Test object apparatus 2 Maintenance apparatus of test object apparatus 1 IP network relay apparatus 4 Test machine 5 Packet capture apparatus 10 Log collection automation apparatus 10
11 Policy setting unit 12 Event policy storage unit 13 Analysis necessity determination condition policy storage unit 14 Time synchronization unit 15 Periodic monitoring information acquisition unit 16 Periodic monitoring information storage unit 17 Analysis log collection unit 18 Log collection control unit 19 Analysis log storage Part

Claims (7)

In a communication network, a log collection automation device for collecting an analysis log from each device constituting a test system including a test target device,
An event policy storage means for storing an event policy for detecting a specific event;
Analysis necessity determination condition policy storage means for storing a condition policy for determining whether log analysis is necessary;
Monitoring information acquisition means for acquiring monitoring information from each device constituting the test system;
When the occurrence of an event conforming to the event policy stored in the event policy storage unit is detected from the monitoring information acquired by the monitoring information acquisition unit, an analysis log is acquired from an apparatus constituting the test system. Analysis log acquisition means stored in the storage means;
Detecting means for detecting another event that occurs simultaneously with the event;
Based on a combination of the event and another event that has occurred at the same time, a determination unit that determines the necessity of detailed analysis according to a condition policy stored in the analysis necessity determination condition policy storage unit;
A log collection automation apparatus comprising: a discarding unit that discards the analysis log stored in the storage unit when the determination unit determines that detailed analysis is unnecessary. The apparatus for which the analysis log acquisition means acquires the analysis log is set to always collect the analysis log, and the analysis log acquisition means is the analysis log already stored in the apparatus. The log collection automation device according to claim 1, wherein the log collection automation device is acquired. The analysis necessity determination condition policy storage means stores a combination of events that do not require detailed analysis as the condition policy, and a combination of the event and another event that occurs at the same time is used as the condition policy. 3. The log collection automation device according to claim 1, wherein the determination unit determines that detailed analysis is not necessary when the combination of events is satisfied. Any one logging automated test system, characterized in that each device and is configured by a network connected to configure the log collecting automated apparatus as claimed, the test system in paragraph one of claims 1 to 3. In a communication network, a log collection control method executed by a log collection automation device for collecting an analysis log from each device constituting a test system including a test target device,
The log collection automation device includes an event policy storage unit that stores an event policy for detecting a specific event, and an analysis necessity determination condition policy storage unit that stores a condition policy for determining whether log analysis is necessary. Has
A monitoring information acquisition step of acquiring monitoring information from each device constituting the test system;
When the occurrence of an event that conforms to the event policy stored in the event policy storage means is detected from the monitoring information acquired by the monitoring information acquisition step, an analysis log is acquired from an apparatus constituting the test system. , An analysis log acquisition step to be stored in the storage means;
A detection step of detecting another event that occurs simultaneously with the event;
A determination step of determining whether or not a detailed analysis is necessary according to a condition policy stored in the analysis necessity determination condition policy storage unit based on a combination of the event and another event that occurs at the same time;
A log collection control method comprising: a discarding step of discarding the analysis log stored in the storage means when it is determined by the determination step that detailed analysis is not necessary. The device for which the analysis log is acquired in the analysis log acquisition step is set to always collect the analysis log, and the analysis log already stored in the analysis log acquisition step is stored in the analysis log acquisition step. The log collection control method according to claim 5 , wherein: The analysis necessity determination condition policy storage means stores a combination of events that do not require detailed analysis as the condition policy, and a combination of the event and another event that occurs at the same time is used as the condition policy. 7. The log collection control method according to claim 5 , wherein, in the case of a combination of events, it is determined that detailed analysis is unnecessary in the determination step.

Images