JP5501278B2 - Filtering device, filtering method, filtering program - Google Patents

Description

  The present invention relates to a technique for filtering a message indicating an abnormality in a virtual environment.

A data center, which is a facility for installing a computer device such as a server device or a router that performs information communication via a network and managing, maintaining, and operating the installed computer device, is used. FIG. 13 is a diagram illustrating an example of a computer device included in such a data center. Ping is periodically transmitted to each of a plurality of monitoring target systems 110 (monitoring target system 110-1, monitoring target system 110-2, monitoring target system 110-3,...) That are monitoring targets. The monitoring system 120 (monitoring system 120-1, monitoring system 120-2, monitoring system 120-3, monitoring system 120-1, which acquires a message indicating the content of the abnormality from the monitored system 110 when an abnormality occurs) ...) are connected. The message acquired from the monitoring target system 110 by the monitoring system 120 is filtered by the filtering device 160 based on a predetermined rule, and only the message that is determined to be required to be notified is the message notification device 130 (message notification device). 130-1, the message notification device 130-2, the message notification device 130-3,...), And the message determined not to be notified is discarded. The message notified to the message notification device 130 is stored in the message notification device 130 and the operator terminal 140 (operator terminal 140-1, operator terminal 140-2, operator terminal 140-3,...). Sent to and displayed. The operator confirms the message displayed on the operator terminal 140, and takes action according to the content of the message if necessary. Patent Document 1 describes a technique for performing such message filtering.
By the way, in response to a request from a user, a computer resource usage form in which a virtual machine is started by virtualizing a computer resource of a physical machine prepared in advance and the started virtual machine is used by a user via a network is common. It is becoming.

JP 2009-64098 A

  However, when operating a data center with a physical machine having a virtualization function as described above, it is necessary to monitor both the physical machine and the virtual machine activated by the computer resource of the physical machine. Diversify. In addition, messages indicating abnormalities to be monitored may be diversified and complicated. Here, filtering rules for extracting messages that need to be dealt with from messages sent from the monitoring target are predetermined by an administrator or the like. Among such diversified and complicated messages, Therefore, it is time-consuming and difficult to generate a rule for extracting a necessary message. Therefore, it is desirable to efficiently generate rules for filtering messages from such data center monitoring targets.

  The present invention has been made in view of such a situation, and provides a filtering device, a filtering method, and a filtering program that efficiently generate a rule for filtering a message indicating an abnormality in a virtual environment.

  In order to solve the above-described problems, the present invention provides a physical machine or virtual machine in which an abnormality has occurred when an abnormality occurs in a plurality of physical machines that activate the virtual machine in its own computer resource or a virtual machine that is activated in the physical machine. A rule storage unit that is connected to a monitoring device that acquires a message indicating the content of an abnormality from a machine, and that stores rules for determining whether the message indicates a predetermined content; A correspondence result storage unit that stores a message and a correspondence result indicating a correspondence performed according to the content indicated by the message, a reception unit that receives a message transmitted from the monitoring device, and a rule storage The rules stored in the receiver are read, and the message received by the receiver is determined based on the read rules. A filtering unit that determines whether or not the content is indicated, outputs a message when it is determined that the content is determined, and discards the message when it is determined that the content is not indicated, and filtering A correspondence result registration unit that accepts input of a correspondence result indicating correspondence performed in response to the message output by the unit, stores the inputted correspondence result in association with the message in the correspondence result storage unit, and a correspondence result storage unit A rule generation unit configured to generate a rule based on the read correspondence result and store the rule in a rule storage unit.

  In addition, the present invention includes a configuration information storage unit that stores configuration information indicating a relationship between a physical machine and a virtual machine activated by a computer resource of the physical machine, and the rule generation unit is included in the configuration information storage unit. The stored configuration information is read, and a rule is generated based on the read configuration information.

  In addition, according to the present invention, when the rule generation unit receives a message indicating an abnormality from a physical machine after receiving a message indicating an abnormality from the physical machine, the rule generation unit receives a message from the virtual machine. A rule for discarding a message is generated.

  Further, according to the present invention, a physical machine has a function of moving a virtual machine activated by its own computer resource to another physical machine, and the rule generation unit receives a message indicating an abnormality from the physical machine. Later, when a virtual machine started up on a physical machine moves to another physical machine, a rule for discarding a message indicating an abnormality from the virtual machine is generated.

  Further, according to the present invention, a physical machine has a function of moving a virtual machine activated by its own computer resource to another physical machine, and the rule generation unit performs a movement process while the physical machine is performing a movement process. When a message indicating that the processing load has increased from a physical machine is received, a rule for discarding the message is generated.

  Further, according to the present invention, the correspondence result storage unit stores a correspondence result in association with the reception time when the message is received, and the rule generation unit has a plurality of correspondence results associated with each other during a certain time. A rule for discarding a message received during a predetermined time is generated when it is indicated that no response corresponding to the corresponding message has been performed.

  In addition, when an abnormality occurs in a plurality of physical machines that start a virtual machine on its own computer resource or a virtual machine started on a physical machine, the present invention indicates the contents of the abnormality from the physical machine or virtual machine in which the abnormality occurred. A rule storage unit connected to a monitoring device for acquiring a message and storing a rule for determining whether or not the message indicates a predetermined content, a message, and a message and the content indicated by the message The filtering method of the filtering device includes a correspondence result storage unit that stores a correspondence result indicating correspondence with each other, the step of receiving a message transmitted from the monitoring device, and the rule storage unit The received message is read based on the read rule. A message is output when it is determined that the specified content is indicated, a message is discarded when it is determined that the predetermined content is not indicated, and the output message In response to the input of the correspondence result indicating the correspondence performed according to the step, the input correspondence result is associated with the message and stored in the correspondence result storage unit, and the correspondence result read from the correspondence result storage unit, Generating a rule and storing the rule in a rule storage unit.

  In addition, when an abnormality occurs in a plurality of physical machines that start a virtual machine on its own computer resource or a virtual machine started on a physical machine, the present invention indicates the contents of the abnormality from the physical machine or virtual machine in which the abnormality occurred. A rule storage unit connected to a monitoring device for acquiring a message and storing a rule for determining whether or not the message indicates a predetermined content, a message, and a message and the content indicated by the message A filtering device having a correspondence result storage unit that stores a correspondence result indicating correspondence is stored in the rule storage unit; a step of receiving a message transmitted from the monitoring device; A rule is read, and the received message indicates the specified content based on the read rule. A message is output when it is determined that the specified content is indicated, and a message is discarded when it is determined that the predetermined content is not indicated. A rule is generated based on the step of accepting the input of the correspondence result indicating the correspondence, the step of storing the inputted correspondence result in the correspondence result storage unit in association with the message, and the correspondence result read from the correspondence result storage unit And a step of storing in the rule storage unit.

  As described above, according to the present invention, a message transmitted from a monitoring device is received, and whether or not the received message indicates a predetermined content is determined based on a predetermined rule. If it is determined that the specified content is indicated, a message is output. If it is determined that the specified content is not indicated, the message is discarded, and the response result indicating the correspondence performed according to the output message is displayed. Accepting the input, storing the input correspondence result in association with the message, and generating and storing the rule based on the correspondence result, so the rule for filtering the message indicating abnormality in the virtual environment can be efficiently Can be generated.

It is a block diagram which shows the structural example of the computer apparatus with which the data center by one Embodiment of this invention is provided. It is a figure which shows the example of data memorize | stored in the response result memory | storage part by one Embodiment of this invention. It is a figure which shows the example of data memorize | stored in the structure information storage part by one Embodiment of this invention. It is a figure which shows an example of the response result by one Embodiment of this invention. It is a figure which shows an example of the response result by one Embodiment of this invention. It is a figure which shows an example of the response result by one Embodiment of this invention. It is a figure which shows an example of the response result by one Embodiment of this invention. It is a figure which shows an example of the response result by one Embodiment of this invention. It is a figure which shows an example of the response result by one Embodiment of this invention. It is a figure which shows an example of the process result by one Embodiment of this invention. It is a flowchart which shows the operation example of the filtering apparatus by one Embodiment of this invention. It is a flowchart which shows the operation example of the filtering apparatus by one Embodiment of this invention. It is a figure which shows the structural example of the computer apparatus with which the data center by a prior art is provided.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram showing a configuration of a computer device provided in the data center according to the present embodiment. The data center includes a plurality of physical machines 10 (physical machine 10-1, physical machine 10-2, physical machine 10-3,...), A monitoring system 20, a message notification device 30, and an operator terminal 40. The computer device includes an administrator terminal 50 and a filtering device 60. Here, since the plurality of physical machines 10 have the same configuration, the description of “−1”, “−2”, etc. is omitted as a physical machine 10 unless otherwise distinguished. Here, three physical machines 10 are shown, but the data center may include an arbitrary number of physical machines 10.

  The physical machine 10 is a computer device having a virtualization function that virtualizes its computer resources and activates a plurality of virtual machines. Further, the physical machine 10 has a migration function for moving a virtual machine activated by its own computer resource to another physical machine.

  When an abnormality occurs in a node such as a plurality of physical machines 10 or virtual machines activated on the physical machine 10, the monitoring system 20 acquires a message indicating the content of the abnormality from the physical machine 10 or virtual machine in which the abnormality has occurred, Transmit to the filtering device 60. Here, the monitoring target of the monitoring system 20 is called a node. For example, the monitoring system 20 performs a polling process for periodically transmitting a response request based on a Ping command based on ICMP (Internet Control Message Protocol) to the physical machine 10 and the virtual machine. When a response to the transmitted response request is not received from the transmission destination, it is determined that an abnormality has occurred in the transmission destination, and a message indicating ping down is transmitted to the filtering device 60. Further, when a response to the response request transmitted after ping down is received from the transmission destination, a message indicating ping up is transmitted to the filtering device 60. Alternatively, the monitoring system 20 performs communication based on the Simple Network Management Protocol (SNMP) between the physical machine 10 and the virtual machine, and the CPU (Central Processing Unit) load of the physical machine 10 and the virtual machine is increased or the process is reduced. Information indicating a state such as log detection is acquired, and a message indicating the content of the acquired state is transmitted to the filtering device 60.

  The message notification device 30 receives the message filtered by the filtering device 60 from the filtering device 60 and stores it in its storage area. Then, a message is transmitted to the operator terminal 40 in response to a request from the operator terminal 40, and the message is displayed on the operator terminal 40.

  The operator terminal 40 is an operator's computer device that responds according to the content of the abnormality when an abnormality occurs in the physical machine 10 or the virtual machine in the data center. The operator terminal 40 receives the message transmitted from the message notification device 30 and displays it on the display provided in the operator terminal 40. The operator responds according to the content of the message displayed on the operator terminal 40. Here, if the operator determines that no response is necessary based on the content of the message, the operator does not respond. For example, the operator may determine not to respond to the message when the message reception time is between 3:00 and 4:00. In this way, the operator terminal 40 receives an input of a correspondence result indicating whether or not a correspondence has been performed according to the message, and whether or not the correspondence has been performed (ignored), and the inputted correspondence result is input to the filtering device 60. Send.

  The administrator terminal 50 is a computer device of an administrator of a system configured by virtual machines activated on computer resources of the physical machine 10 in the data center. The administrator terminal 50 receives the new rule candidate generated by the filtering device 60, displays the new rule candidate on the display provided therein, and receives input of information for selecting whether or not to adopt the new rule candidate as a rule. The administrator terminal 50 transmits the input selection result to the filtering device 60.

  The filtering device 60 is a computer device that filters a message acquired by the monitoring system 20 based on a predetermined rule. The filtering device 60 includes a rule storage unit 61, a correspondence result storage unit 62, a communication unit 63, a filtering unit 64, a correspondence result registration unit 65, a configuration information storage unit 66, and a rule generation unit 67. Yes.

The rule storage unit 61 stores a rule for determining whether or not the message transmitted from the monitoring system 20 indicates a predetermined content. Such a rule is read by the filtering unit 64, and a message is output when it is determined that the message indicates a predetermined content, and a message is output when it is determined that the message does not indicate the predetermined content. Is destroyed. For example, the following rules can be considered.
(1) Monitor ignore filter: Discards messages that match the conditions.
(2) Repeat filter: Discards messages that occur repeatedly. Alternatively, if the same message is received a certain number of times within a certain time, it is output.
(3) Instantaneous resource excess filter: A message is output only when a resource such as a CPU exceeds a threshold for a certain time, and other resource excess messages are discarded.
(4) Important node filter: If the parent node is down based on the network topology set in advance, the message of the child node is discarded.
(5) Dependency filter: When a node goes down, discard messages such as process monitoring and port monitoring that operate on that node.

  The correspondence result storage unit 62 stores a message output to the message notification device 30 and a correspondence result indicating a correspondence performed by the operator according to the content indicated by the message in association with each other. Here, the reception result is stored in association with the reception time when the filtering device 60 receives the message from the monitoring system 20. FIG. 2 is a diagram illustrating a data example of the correspondence result stored in the correspondence result storage unit 62. The correspondence result storage unit 62 stores node names, message contents, reception times, correspondence times, correspondence results, system IDs, and worker information in association with each other. The node name is information to be monitored by the monitoring system 20 and identifies the transmission source of a message indicating an abnormality. The message content is information indicating the content of the abnormality that has occurred in the node. The reception time is information indicating the time when the filtering device 60 receives a message from the monitoring system 20. The response time is information indicating a time at which a response according to a message is performed by an operator or a time when it is determined not to be performed. The correspondence result is information indicating whether or not a correspondence has been performed. When it corresponds, “correspondence” is stored, and when it does not correspond, “ignore” is stored. The system ID is information for identifying a system in which a node is used. For example, a different system ID is assigned to a node activated in response to a request from a different user. For example, when a web server, an application server, a database server, and the like for operating the same system are activated as different virtual machines, the same system ID is assigned to these virtual machines and managed.

The communication unit 63 communicates with other connected computer devices. For example, the communication unit 63 receives a message transmitted from the monitoring system 20.
The filtering unit 64 reads out the rules stored in the rule storage unit 61, and determines whether the message received by the communication unit 63 indicates a predetermined content based on the read rules. A message is output when it is determined that the predetermined content is indicated, and the message is discarded when it is determined that the predetermined content is not indicated. Here, when the filtering unit 64 determines that the message indicates the determined content, the filtering unit 64 outputs the message by transmitting the message to the message notification device 30 via the communication unit 63.

  The response result registration unit 65 receives an input of a response result indicating the response performed by the operator in response to the message output from the filtering unit 64, and the response result storage unit correlates the input response result with the message. 62 is stored. For example, the correspondence result registration unit 65 stores the history of the message transmitted from the communication unit 63 to the message notification device 30 in its own storage area, and displays an input screen for inputting the correspondence result for each message on the operator terminal 40. Send. Then, the response result input by the operator terminal 40 is received, and the received response result is stored in the response result storage unit 62.

  The configuration information storage unit 66 stores configuration information indicating the relationship between a plurality of physical machines 10 and virtual machines activated by computer resources of the physical machines. FIG. 3 is a diagram illustrating a data example of configuration information stored in the configuration information storage unit 66. In the configuration information, information on a node name, a machine type, a parent node, a hypervisor, an OS (Operating System), and a system ID is associated. The items having the same names as the information stored in the correspondence result storage unit 62 are the same information. The type of machine is information indicating the type of the corresponding node, and for example, types such as “router”, “physical machine”, and “virtual machine” are associated. The parent node is information indicating a parent-child relationship in the network topology between nodes. Here, it is shown that the router with the node name “Node01” is the parent node, and the physical machine 10 with the node name “Node02” and the physical machine 10 with the node name “Node03” are connected. Has been. When the type of machine is a virtual machine, the hypervisor is associated with a node name indicating the physical machine 10 in which the virtual machine is activated. OS indicates the OS of the corresponding node.

  The rule generation unit 67 generates a rule based on the correspondence result read from the correspondence result storage unit 62 and stores the rule in the rule storage unit 61. Further, the rule generation unit 67 reads the configuration information stored in the configuration information storage unit 66, generates a rule based on the read configuration information, and stores the rule in the rule storage unit 61. Here, the rule generation processing performed by the rule generation unit 67 may be performed periodically, for example, at regular intervals, or may be performed in response to a request from the administrator. Alternatively, for example, it is performed when the data amount of the correspondence results stored in the correspondence result storage unit 62 exceeds a certain number or when the configuration information stored in the configuration information storage unit 66 is updated. May be.

  For example, the rule generation unit 67 refers to the configuration information and the correspondence history, and after receiving a message indicating an abnormality from the physical machine 10, the rule generation unit 67 detects an abnormality from the virtual machine activated by the computer resource of the physical machine 10. If a message is received, a rule for discarding the message from the virtual machine is generated. In this case, because an abnormality has occurred in the physical machine 10, it is considered that an abnormality has occurred in the virtual machine activated by the computer resource based on the abnormality in the physical machine 10.

  In addition, the rule generation unit 67 discards the message received during the certain time when the plurality of correspondence results associated during the certain time indicate that the correspondence according to the corresponding message has not been performed. Generate a rule to For example, as shown in FIG. 4, among messages received from a node whose node name is “Node01”, it is detected that all messages transmitted in the time zone from 3:00 to 4:00 are ignored. Then, a rule for discarding the message received during that time period (between 3:00 and 4:00) is generated. In such a case, for example, the time zone is a time zone during which maintenance by the administrator is performed, and it is considered that it is not necessary to cope with the occurrence of an abnormality.

  In addition, when the rule generation unit 67 indicates that a response corresponding to the message has been performed only when the response result has received a message of a certain number of times or more indicating the same content during a certain time, the rule generation unit 67 A rule for outputting a message is generated when a message indicating the same content is received a certain number of times or more during the time. For example, from the correspondence result as shown in FIG. 5, when the message content is “process down”, it can be detected that the correspondence has been made only when notified three times or more within 10 minutes.

  In addition, when the content of the message is specific, the rule generation unit 67 generates a rule for discarding the message when a message with a corresponding content is received within a certain time thereafter. For example, even if a ping-down message is transmitted from the correspondence result shown in FIG. 6, if the ping-up message is received within 5 minutes from the message, the message is ignored. Can be detected.

  Further, the rule generation unit 67 generates a rule for discarding the CPU usage rate excess message from the virtual machine when auto scaling is set for the virtual machine. The auto scale indicates that the computer resource is automatically added when the virtual machine CPU usage rate exceeds a certain level for a certain time or longer due to the virtualization function of the physical machine 10. In this case, the correspondence result stored in the correspondence result storage unit 62 stores information indicating whether or not autoscale is set for each node in association with each other. For example, from the correspondence result shown in FIG. 7, even when a message indicating that the CPU usage rate is exceeded is transmitted from a node, it is detected that the message is ignored if auto-scaling is set for that node. it can.

  Further, when the rule generation unit 67 receives a message indicating that the processing load has increased from the physical machine 10 while the physical machine 10 is performing migration (migration) processing, the rule generation unit 67 generates a rule for discarding the message. To do. In this case, when the message is received from the physical machine 10, the correspondence result storage unit 62 stores information indicating whether or not the physical machine 10 has performed the movement process in association with each other. For example, from the correspondence result shown in FIG. 8, even when a message is transmitted from the physical machine 10, the message is ignored if the physical machine 10 is performing the movement process. It can be detected.

  Further, when the rule generation unit 67 receives a ping-down message from a virtual machine started up by the physical machine 10 while the physical machine 10 is performing the migration process, the rule generation unit 67 generates a rule for discarding the message. For example, even if a message is transmitted from a virtual machine, it can be detected from the correspondence result shown in FIG. 9 that the message is ignored if the virtual machine is performing a migration process. . In this case, it is considered that a momentary interruption caused by the movement process has occurred.

  In addition, when the rule generation unit 67 receives a message indicating an abnormality from the physical machine 10 and the virtual machine started on the physical machine 10 moves to another physical machine 10, the rule generation unit 67 detects an abnormality from the virtual machine 10. Generate a rule to discard the message indicating. In this case, in this case from the physical machine 10, it is considered that an abnormality has occurred in the virtual machine due to an abnormality occurring in the physical machine 10, and the virtual machine has moved to another physical machine 10. This is because it is considered that no abnormality occurs.

In addition, the rule generation unit 67 does not immediately store the generated rule in the rule storage unit 61, but transmits the generated rule to the administrator terminal 50 as a new rule candidate, for example. Only the rule selected by the administrator among the generated new rules may be stored in the rule storage unit 61.
In addition, the rule generation unit 67 may transmit a list of messages discarded by the filtering system 60 from the monitoring system 20 to the administrator terminal 50 according to the filtering processing result. If the result is different from the processing result originally assumed by the administrator, it is possible to accept input of information indicating that and correct the rule. For example, as illustrated in FIG. 10, an input of information indicating that the originally assumed processing result is not a discard but a notification is accepted, and a rule for notifying the message is generated.

  Next, an operation example of the filtering device 60 according to the present embodiment will be described. FIG. 11 is a flowchart illustrating an operation example in which the filtering device 60 generates a rule based on the correspondence result. The rule generation unit 67 of the filtering device 60 reads out the correspondence result stored in the correspondence result storage unit 62 (step S1). Then, a new rule candidate is generated based on the correspondence result (step S2). And the rule production | generation part 67 transmits a new rule candidate to the administrator terminal 50 (step S3). The administrator terminal 50 displays the transmitted new rule candidate on the display, accepts selection of a rule to be adopted as a rule from the displayed new rule candidates, and transmits the selection result to the filtering device 60. The rule generation unit 67 of the filtering device 60 receives the selection result transmitted from the administrator terminal 50, and when the received selection result indicates that the adoption is selected (step S4: YES), the new result Rule candidates are stored in the rule storage unit 61 (step S5). On the other hand, when the received selection result indicates that adoption is not selected (step S4: NO), the new rule candidate is not stored in the rule storage unit 61, and the process ends.

  FIG. 12 is a flowchart illustrating an operation example in which the filtering device 60 generates a rule based on the configuration information. The rule generation unit 67 of the filtering device 60 reads the configuration information stored in the configuration information storage unit 66 (Step S11). Then, a new rule candidate is generated based on the configuration information (step S12). And the rule production | generation part 67 memorize | stores the produced | generated new rule candidate in the rule memory | storage part 61 (step S13).

As described above, according to the present embodiment, a rule is learned and automatically generated based on an operator response result to a message, configuration information indicating a relationship between a physical machine and a virtual machine, and the like. Therefore, it is not necessary for an administrator or the like to create a rule by himself / herself, and it is possible to efficiently generate a rule for filtering a message indicating an abnormality in the virtual environment. As a result, it is possible to save the administrator from creating rules, and to prevent generation of inappropriate rules due to human error.
Conventionally, physical hardware is divided for each monitored system, and an operation management system corresponding to each monitored system is provided, and an operator is assigned to each system. In the environment, since a plurality of virtual machines are started on one physical machine 10, one operator may monitor a plurality of systems. Even in such a case, since an optimum rule is created and the filtered message is displayed on the operator terminal 40, the operator can efficiently deal with the message. As a result, the burden on the operator is reduced and the cost for operation can be reduced.

  A program for realizing the function of the processing unit in the present invention is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to generate a rule. You may go. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 10 Physical machine 20 Monitoring system 30 Message notification apparatus 40 Operator terminal 50 Administrator terminal 60 Filtering apparatus 61 Rule storage part 62 Corresponding result storage part 63 Communication part 64 Filtering part 65 Corresponding result registration part 66 Configuration information storage part 67 Rule generation part

Claims (8)

When an error occurs in multiple physical machines that start a virtual machine on its own computer resource or the virtual machine started on the physical machine, a message indicating the content of the error is obtained from the physical machine or virtual machine where the error occurred A filtering device connected to the monitoring device,
A rule storage unit storing a rule for determining whether or not the message indicates a predetermined content;
A correspondence result storage unit in which the message and a correspondence result indicating correspondence performed according to the content indicated by the message are associated and stored;
A receiving unit for receiving the message transmitted from the monitoring device;
The rule stored in the rule storage unit is read, and based on the read rule, it is determined whether or not the message received by the receiving unit indicates a predetermined content. A filtering unit that outputs the message when it is determined that the content is determined, and discards the message when it is determined that the content is not determined,
A correspondence result registration unit that accepts input of a correspondence result indicating correspondence performed in response to the message output by the filtering unit, and stores the input correspondence result in association with the message in the correspondence result storage unit; ,
A rule generation unit that generates the rule based on the correspondence result read from the correspondence result storage unit and stores the rule in the rule storage unit;
A filtering device comprising: A configuration information storage unit that stores configuration information indicating a relationship between the physical machine and the virtual machine started by a computer resource of the physical machine;
The filtering device according to claim 1, wherein the rule generation unit reads the configuration information stored in the configuration information storage unit, and generates the rule based on the read configuration information. When the rule generation unit receives a message indicating an abnormality from the physical machine and then receives a message indicating an abnormality from the virtual machine activated on the computer resource of the physical machine, the rule generation unit receives a message from the virtual machine. The filtering apparatus according to claim 2, wherein a rule for discarding is generated. The physical machine has a function of moving a virtual machine started by its own computer resource to another physical machine,
When the rule generation unit receives a message indicating an abnormality from the physical machine, and the virtual machine started on the physical machine moves to another physical machine, the message indicating an abnormality from the virtual machine The filtering apparatus according to claim 2, wherein a rule for discarding the rule is generated. The physical machine has a function of moving a virtual machine started by its own computer resource to another physical machine,
The rule generation unit generates a rule for discarding the message when receiving a message indicating that the processing load has increased from the physical machine while the physical machine is performing the movement process. The filtering device according to any one of claims 1 to 4. The correspondence result storage unit stores the correspondence result in association with the reception time when the message is received,
When the plurality of correspondence results associated during a certain time indicate that the correspondence according to the corresponding message has not been performed, the rule generation unit may receive the message received during the certain time. The filtering device according to any one of claims 1 to 5, wherein a rule to be discarded is generated. When an error occurs in multiple physical machines that start a virtual machine on its own computer resource or the virtual machine started on the physical machine, a message indicating the content of the error is obtained from the physical machine or virtual machine where the error occurred Connected to a monitoring device, and a rule storage unit that stores a rule for determining whether or not the message indicates a predetermined content, the message, and the message and the content indicated by the message. A filtering method of a filtering device comprising a correspondence result storage unit that stores correspondence results indicating correspondences associated with each other,
Receiving the message transmitted from the monitoring device;
The rule stored in the rule storage unit is read, and based on the read rule, it is determined whether or not the received message indicates a predetermined content, and the predetermined content is indicated. Outputting the message when it is determined, and discarding the message when it is determined that the predetermined content is not indicated;
Receiving an input of a correspondence result indicating correspondence performed in response to the output message, and storing the input correspondence result in association with the message in the correspondence result storage unit;
Generating the rule based on the correspondence result read from the correspondence result storage unit and storing the rule in the rule storage unit;
A filtering method comprising: When an error occurs in multiple physical machines that start a virtual machine on its own computer resource or the virtual machine started on the physical machine, a message indicating the content of the error is obtained from the physical machine or virtual machine where the error occurred Connected to a monitoring device, and a rule storage unit that stores a rule for determining whether or not the message indicates a predetermined content, the message, and the message and the content indicated by the message. In the computer of the filtering device provided with a correspondence result storage unit in which correspondence results indicating correspondence are stored in association with each other,
Receiving the message transmitted from the monitoring device;
The rule stored in the rule storage unit is read, and based on the read rule, it is determined whether or not the received message indicates a predetermined content, and the predetermined content is indicated. Outputting the message when it is determined, and discarding the message when it is determined that the predetermined content is not indicated;
Receiving an input of a correspondence result indicating correspondence performed in response to the output message, and storing the input correspondence result in association with the message in the correspondence result storage unit;
Generating the rule based on the correspondence result read from the correspondence result storage unit and storing the rule in the rule storage unit;
Filtering program that executes

Images