JP5717600B2 - Alarm pattern analysis device, alarm pattern analysis program, and network monitoring system - Google Patents

Description

  The present invention relates to an alarm pattern analysis device, an alarm pattern analysis program, and a network monitoring system.

  In order to grasp a communication failure that has occurred in the network system, the communication carrier monitors the network monitoring system by detecting an alarm (failure alarm) generated by the network device. In this network system, an alarm (work alarm) is also generated when maintenance work such as replacement of a network device is performed. However, it cannot be distinguished from the alarm itself whether the cause of occurrence of the alarm is due to a failure or due to maintenance work, and a lot of labor is required for this distinction.

  On the other hand, based on the registered work information, the propagation information related to the maintenance work is read from the propagation information storage device, registered in the work management table in the management terminal, and the failure notified from each device according to the maintenance work execution A network failure management method for determining whether an alarm is a ripple alarm (working alarm) by referring to registered ripple information is known (for example, see Patent Document 1).

JP 7-87191 A

  However, a large number of network devices are connected to the network system, and the network device includes a plurality of devices. Depending on the operation procedure for each device, the status of the software version, etc., work alarms are generated in a complicated manner. Therefore, in the network failure management method described in Patent Document 1, it is difficult to correctly suppress work alarms.

  Also, the network system administrator needs to create an alarm pattern corresponding to the maintenance work in advance as a suppression pattern. However, when the connection configuration of the network device is changed, the generation pattern of the work alarm changes, so that the suppression pattern needs to be updated, and the number of work steps by the administrator increases.

  The present invention has been made to solve the above problems, and can reduce the number of work steps by an operator, and can correctly suppress a work alarm that occurs in a complicated manner. An object is to provide an analysis program and a network monitoring system.

[1] In order to solve the above-described problem, an alarm pattern analysis device according to an aspect of the present invention provides work application information including time information of work time for a network device that is a work target connected to a network to be monitored. A work application accepting unit to capture, an alarm information acquiring unit for capturing alarm information including information specifying whether an alarm has occurred and information indicating whether or not the state of the alarm has been restored, and the alarm information acquiring unit The alarm information storage unit that stores the alarm information captured by the computer and the work application information captured by the work application reception unit causes an alarm to be generated within the work time from the alarm information storage unit and the alarm Pattern generation that extracts alarm information whose status is restored as a work alarm and generates a suppression pattern Characterized in that it comprises a and.
[2] In the alarm pattern analysis device according to [1], network device configuration information indicating a configuration of each of a plurality of network devices connected to the network to be monitored and a connection relationship between the plurality of network devices is stored. A network device configuration information storage unit, wherein the work application information includes designation of the work target, the alarm information includes information identifying a source of the alarm, and the suppression pattern generation unit includes the work Based on the application information and the network device configuration information stored in the network device configuration information storage unit, a connection destination target that is a connection destination of the work target is specified, and the work alarm is extracted from the extracted work alarm. The alarm information in which the origin in the connection relation with the work target is the work alarm. And extracts.
[3] In order to solve the above-described problem, an alarm pattern analysis program according to an aspect of the present invention provides a computer including an alarm information storage unit that stores alarm information as a work target connected to a monitoring target network. A work application accepting unit that captures work application information including time information on work time for a network device, information that specifies when an alarm has occurred, and information that indicates whether or not the alarm state has been restored are associated with each other. The alarm information acquisition unit that captures the alarm information and stores the alarm information in the alarm information storage unit, and the work application information captured by the work application reception unit, from the alarm information storage unit within the work time. Alarm information that alarms have occurred and the alarm status has been recovered is extracted as a work alarm. And suppressing pattern generator for generating an inhibit pattern Te, to function as a.
[4] In the alarm pattern analysis program according to [3], network device configuration information indicating a configuration of each of a plurality of network devices connected to the network to be monitored and a connection relationship between the plurality of network devices is stored. The network apparatus configuration information storage unit is further provided in the computer, the work application information includes designation of the work target, the alarm information includes information for specifying a source of the alarm, and the suppression pattern generation The unit specifies a connection destination target that is a connection destination of the work target based on the work application information and the network device configuration information stored in the network device configuration information storage unit, and the extracted work alarm From the above, the source of the work alarm is connected to the work object And extracting the alarm information as a working alarm.
[5] In order to solve the above problem, a network monitoring system according to an aspect of the present invention is a network monitoring system in which an alarm pattern analysis device and a network monitoring device are connected via a network to be monitored, The alarm pattern analysis device includes a work application reception unit that captures work application information including time information of work time for a network device that is a work target connected to the network, information that specifies when an alarm is generated, and the alarm An alarm information acquisition unit that captures alarm information including information indicating whether or not the state has been restored, an alarm information storage unit that stores the alarm information captured by the alarm information acquisition unit, and the work application reception Using the work application information captured by the department, the alarm information storage section A suppression pattern generation unit that generates alarm patterns by extracting alarm information in which an alarm is generated within the work time and the alarm state is restored as a work alarm, and a suppression pattern generated by the suppression pattern generation unit A suppression pattern setting control unit for supplying the network monitoring device to the network monitoring device, wherein the network monitoring device takes in the suppression pattern supplied from the suppression pattern setting control unit of the alarm pattern analysis device and filters the suppression pattern Registering and monitoring the network.
[6] In the network monitoring system according to [5], the alarm pattern analysis device is a network showing a configuration of each of a plurality of network devices connected to the network to be monitored and a connection relationship between the plurality of network devices. A network device configuration information storage unit for storing device configuration information; wherein the work application information includes designation of the work target; the alarm information includes information identifying a source of the alarm; and the suppression pattern The generation unit specifies a connection destination target that is a connection destination of the work target based on the work application information and the network device configuration information stored in the network device configuration information storage unit, and the extracted work From the alarm, the source of the work alarm is connected to the work target. And extracting the alarm information as a working alarm.

  According to the present invention, it is possible to reduce the number of work man-hours by an operator and to correctly suppress a work alarm that occurs in a complicated manner.

1 is a block diagram illustrating an overall configuration of a network system to which an alarm pattern analysis apparatus according to an embodiment of the present invention is applied. It is the block diagram which showed typically the structure of the device with which each network apparatus in a network apparatus group is provided, and the connection relation between each device. It is a figure which shows the data structure of the network apparatus structure information memorize | stored in the network apparatus structure information storage part. It is a figure which shows the data structure of the alarm information memorize | stored in the alarm information storage part. It is a figure which shows the data structure of the work application information memorize | stored in the memory | storage part of the work application reception part. It is a figure which shows the data structure of the alarm information which generate | occur | produced in the working time memorize | stored in the memory | storage part of the suppression pattern production | generation part. It is a figure which shows the data structure of the suppression pattern selection information which a suppression pattern production | generation part produces | generates. It is a general | schematic flowchart which shows the procedure of the suppression pattern production | generation process by an alarm pattern analyzer.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the drawings.
FIG. 1 is a block diagram showing an overall configuration of a network system to which an alarm pattern analysis apparatus according to an embodiment of the present invention is applied.
As shown in the figure, the network system 1 has a configuration in which an alarm pattern analysis device 10, a network monitoring device 20, and a network device group 30 are connected via a network 40. The network monitoring system includes an alarm pattern analysis device 10 and a network monitoring device 20.

The network 40 is a telecommunication line such as a computer network. The network 40 may be connected to the Internet.
The network device group 30 refers to the entire network device connected to the network 40. In the present embodiment, the network device group 30 includes network devices 31 to 34.

The network devices 31 to 34 are network connection devices such as routers, switches, and servers, for example.
The network devices 31 to 34 generate alarm information when an operation abnormality or communication failure occurs during operation. This alarm information is called a failure alarm. In addition, the network devices 31 to 34 are started when work (maintenance work) such as version upgrade of software installed in the device, change of setting information (parameters, etc.), replacement or expansion of a built-in device is started. Also generate alarm information. This alarm information is called a work alarm. The alarm information does not include information for distinguishing between a failure alarm and a work alarm. For example, a failure alarm that occurs when the network device 31 is turned off due to a failure of the power supply device and a work alarm that occurs when the network device 31 is turned off by maintenance work are in a state where the power supply device is in a disconnected state. It includes an alarm code indicating that the error has occurred, and does not include information that distinguishes a failure alarm from a work alarm. The network devices 31 to 34 generate recovery information when the network device returns to normal operation after generating alarm information once. The recovery information is, for example, a recovery flag. Generating the recovery information is, for example, turning on the recovery flag (changing from “0 (zero)” to “1”). For example, the network devices 31 to 34 generate recovery information (turns on the recovery flag) when the maintenance work of the network device is completed.

The network monitoring device 20 takes in the suppression pattern supplied from the alarm pattern analysis device 10 and registers this suppression pattern as a filter.
The network monitoring device 20 in which the suppression pattern is registered takes in alarm information generated by the network device group 30 and monitors the operation of the network device group 30. Specifically, the network monitoring device 20 filters the work alarm in the acquired alarm information and presents information indicating that a failure has occurred for the failure alarm.

  The alarm pattern analysis device 10 stores alarm information generated in the past by the network device group 30, separates work alarms related to maintenance work from these alarm information (alarm information history), and applies these work alarms. A device that generates a suppression pattern for suppressing a work alarm by performing a suppression pattern generation process.

  Specifically, the alarm pattern analysis device 10 captures and stores alarm information generated by the network device group 30. Further, the alarm pattern analysis device 10 generates a suppression pattern for alarm information in the maintenance period (working time) based on the stored alarm information, work application information related to maintenance work, and network device configuration information related to the network device group 30. Execute the process to generate a work alarm pattern. The alarm pattern analysis apparatus 10 stores the work alarm pattern as a suppression pattern (alarm pattern).

  The alarm pattern analysis device 10 includes, as its functional configuration, a network device configuration information storage unit 11, an alarm information acquisition unit 12, an alarm information storage unit 13, a work application reception unit 14, a suppression pattern generation unit 15, and a suppression. A pattern storage unit 16 and a suppression pattern setting control unit 17 are provided.

  The network device configuration information storage unit 11 stores network device configuration information regarding the network device group 30. The network device configuration information is information indicating the configuration of each of the network devices 31 to 34 connected to the monitored network 40 and the connection relationship between the network devices 31 to 34. Specifically, the network device configuration information includes, for example, connection relationships between network devices in the network device group 30, device configurations included in the network devices 31 to 34, connection relationships between devices, and network devices 31. -34 is information in which the version of software installed in each of the network devices is summarized for each network device. Details of the network device configuration information will be described later.

  The alarm information acquisition unit 12 takes in alarm information (failure alarm or work alarm) generated by the network device group 30, that is, the network devices 31 to 34, and supplies this alarm information to the alarm information storage unit 13. The alarm information associates information identifying the time of occurrence of the alarm, information identifying the source of the alarm, information identifying the content of the alarm, and information indicating whether or not the alarm state has been restored. It is information to include. Specifically, the alarm information corresponds to, for example, information indicating the date and time when the alarm occurred, information identifying the network device and device that generated the alarm, an alarm code identifying the content of the alarm, and recovery information. This information is included. Details of the alarm information will be described later.

  The alarm information storage unit 13 stores the alarm information supplied from the alarm information acquisition unit 12.

  The work application receiving unit 14 receives and takes in a work application related to maintenance work of any network device in the network device group 30. The content of the work application consists of the work start date and time and the work end date and time (work time information), the specification of the network device and device that is the maintenance work target (referred to as the work target), and the work item for the work target. It is with specification. The work application is supplied from an input device such as a keyboard or a mouse. Alternatively, the work application may be supplied from an external terminal via the network 40.

  The work application reception unit 14 receives a work application, information indicating a work start date and time, a work end date and time, information specifying a network device and a device to be subjected to maintenance work, and information specifying a work item for the work target Are stored in an internal storage unit (not shown) in association with the work number for specifying the maintenance work. Information stored in the storage unit is referred to as work application information. In other words, the work application information is information indicating the work time, work object, and work item for the work object related to work (maintenance work or the like) for the network device group 30 connected to the network 40.

  After the maintenance work is completed, the suppression pattern generation unit 15 reads a record of work application information corresponding to the maintenance work from the work application information stored in the storage unit of the work application reception unit 14. Then, the suppression pattern generation unit 15 reads from the alarm information storage unit 13 a record of alarm information generated within the work time determined by the work start date and time and the work end date and time in the read record, and stores the information of the read record. It is stored in an internal storage unit (not shown) as alarm information generated during work hours. And the suppression pattern production | generation part 15 selects the alarm information by which restoration information was shown in the alarm information generated within work time as an estimated work alarm. That is, the suppression pattern generation unit 15 extracts the alarm information in which an alarm is generated within the work time and the alarm state is restored from the alarm information storage unit 13 as the estimated work alarm.

  The suppression pattern generation unit 15 reads network device configuration information from the network device configuration information storage unit 11. Then, based on the work application information record and the network device configuration information, the suppression pattern generation unit 15 determines the connection destination network device and the connection destination device that are the connection destinations of the network device and the device that are the objects of the maintenance work. Identify. Then, the suppression pattern generation unit 15 detects alarm information in which the network device and device in the estimated work alarm are network devices and devices that are connected to the maintenance work target in the alarm information generated within the work time, An extraction flag is added to the alarm information. That is, the suppression pattern generation unit 15 extracts only alarm information related to maintenance work from the estimated work alarm based on the network configuration.

  In the above, alarm information related to the maintenance work is extracted from the alarm information generated within the work time generated based on one maintenance work. In order to further improve the extraction accuracy, alarm information related to maintenance work may be extracted based on the result of performing the same work item for the same network device and the same device a plurality of times.

  That is, after the same work item for the same network device and the same device is repeated a plurality of times, the suppression pattern generation unit 15 performs work results for each combination of the network device, the device, and the alarm code in the alarm information generated within the work time. Are counted. This work record is the number of times maintenance work has been performed. And the suppression pattern production | generation part 15 calculates the frequency of work performance for every combination of a network apparatus, a device, and an alarm code, and produces | generates inhibition pattern selection information. And the suppression pattern production | generation part 15 selects the alarm code from which the frequency exceeds the predetermined threshold value from this suppression pattern selection information as a suppression pattern. There are two types of thresholds. The first threshold value α is applied to alarm information to which an extraction flag is added. α is, for example, “0.6”. The second threshold value β is applied to alarm information to which no extraction flag is added. β is, for example, “1”. The alarm information to which no extraction flag is added is alarm information for network devices and devices other than the connection destination network device and the connection destination device. That is, since the alarm information to which no extraction flag is added is alarm information that is not related to the maintenance target network device and device, the second threshold value β is set to a value larger than the first threshold value α. Further, although no extraction flag is added, it is assumed that alarm information that occurs at a relatively high frequency is related to maintenance work. Therefore, the second threshold value β is also applied to this alarm information.

The suppression pattern generation unit 15 supplies the selected suppression pattern to the suppression pattern storage unit 16.
The inhibition pattern storage unit 16 stores the inhibition pattern supplied from the inhibition pattern generation unit 15.
The inhibition pattern setting control unit 17 reads the inhibition pattern stored in the inhibition pattern storage unit 16 and supplies this inhibition pattern to the network monitoring device 20.

  The network device configuration information storage unit 11, the alarm information storage unit 13, and the suppression pattern storage unit 16 are realized by a storage device such as a magnetic hard disk device, a semiconductor disk device, or a memory.

FIG. 2 is a configuration diagram schematically illustrating the configuration of the devices included in each of the network devices 31 to 34 in the network device group 30 and the connection relationship between the devices.
As shown in the figure, the network 31 includes devices 31a, 31b, and 31c. The network device 32 includes devices 32a, 32b, and 32c, and the network device 33 includes devices 33a, 33b, and 33c. The network apparatus 34 includes devices 34a and 34b.

  In the network device group 30 of FIG. 2, the network device 31 and the network device 32 establish a connection when the device 31b and the device 32a are communicatively connected. In addition, the network device 32 and the network device 33 establish a connection by the communication connection between the device 32b and the device 33a. Further, the network device 32 and the network device 34 establish a connection by the communication connection between the device 32c and the device 34a.

  FIG. 3 is a diagram illustrating a data configuration of the network device configuration information stored in the network device configuration information storage unit 11. This network device configuration information is configuration information corresponding to the network device group 30 shown in FIG.

  As illustrated in FIG. 2, the network device configuration information includes items corresponding to “network device”, “version”, “device”, “connection destination device”, and “connection destination device”. The item “network device” is an item for storing information for specifying a network device included in the network device group 30. In the item “network device”, for example, identification information of the network device is stored. The item “version” is an item for storing the version number of the software installed in the network device. The item “version” stores, for example, version numbers of application software and firmware installed in the network device. The item “device” is an item for storing information for specifying a device included in the network device. For example, device identification information is stored in the item “device”. The item “connection destination device” is an item for storing information for specifying the network device of the connection destination. In the item “connection destination device”, for example, identification information of a network device that is a connection destination is stored. When not connected, for example, “null” is stored. In the figure, it is represented by “−”. The item “connection destination device” is an item for storing information for specifying a connection destination device. In the item “connection destination device”, for example, identification information of a device that is a connection destination is stored. When not connected, for example, “null” is stored. In the figure, it is represented by “−”.

FIG. 4 is a diagram illustrating a data configuration of alarm information stored in the alarm information storage unit 13.
As shown in the figure, the alarm information includes items of “date and time of occurrence”, “network apparatus”, “device”, “alarm code”, and “recovery flag” in association with each other. The item “occurrence date / time” is an item for storing information indicating the date / time when the alarm occurred. The item “occurrence date / time” stores, for example, information indicating “year / month / day / hour / minute / second” when a failure alarm or a work alarm occurs. The item “network device” is an item for storing information for specifying a network device in which an alarm has occurred. The item “network device” stores identification information of a network device in which a failure alarm or a work alarm has occurred. The item “device” is an item that stores information for specifying a device in which an alarm has occurred. The item “device” stores identification information of a device in which a failure alarm or a work alarm has occurred. The item “alarm code” stores a code for identifying the alarm that has occurred. The item “recovery flag” is an item for storing a flag indicating whether or not the state causing the alarm is recovered after the alarm is generated. In the item “recovery flag”, for example, “1” (ON) indicating that the recovery has been performed or “0 (zero)” (OFF) indicating that the recovery has not been performed is stored.

FIG. 5 is a diagram illustrating a data configuration of the work application information stored in the storage unit of the work application receiving unit 14.
As shown in the figure, the work application information includes “work number”, “work start date / time”, “work end date / time”, “target device”, “target device”, and “work item”. Each item is associated and included. The item “work number” is a number for specifying a maintenance work. In the item “work number”, for example, maintenance work identification information determined by the work application receiving unit 14 is stored. The item “work start date and time” is an item for storing information indicating the date and time when the maintenance work is started. In the item “work start date / time”, for example, information indicating “year / month / day / hour / minute / second” when the maintenance work is started is stored. The item “work end date and time” is an item for storing information indicating the date and time when the maintenance work is completed. In the item “work end date and time”, for example, information indicating “year / month / day / hour / minute / second” when the maintenance work is completed is stored. The item “target device” is an item that stores information for specifying a network device that is a target of maintenance work. In the item “target device”, for example, identification information of a network device that is a maintenance work target is stored. The item “target device” is an item that stores information for specifying a device that is a target of maintenance work. In the item “target device”, for example, identification information of a device that is a target of maintenance work is stored. The item “work item” stores maintenance work items, that is, information indicating operation contents. In the item “work item”, for example, information indicating a work (operation) such as “Down” is stored. “Down” is information indicating an operation to turn off the power of the target device.

FIG. 6 is a diagram illustrating a data configuration of the alarm information generated within the work time stored in the storage unit of the suppression pattern generation unit 15.
As shown in the figure, the alarm information generated in the work time is information in which alarm information generated in the work time according to one maintenance work is associated with the extraction flag. In the item “extraction flag”, the alarm information (estimated work alarm) in which the recovery flag is on is alarm information in which the network device and the device are connected to each other. This is an item for storing an OFF state value when the alarm information has no connection relationship. The item “extraction flag” includes, for example, “1” when the alarm information (estimated work alarm) in which the recovery flag is on (“1”) is alarm information in which the network device and the device are connected to each other. (ON) is stored. In addition, in the item “extraction flag”, for example, alarm information (estimated work alarm) in which the recovery flag is on (“1”) is alarm information in which the network device and the device have no connection relationship with each other. “0” (off) is stored in the.

  FIG. 7 is a diagram illustrating a data configuration of the suppression pattern selection information generated by the suppression pattern generation unit 15. As shown in the figure, the suppression pattern selection information includes items of “device”, “alarm code”, “extraction flag”, “work record”, and “occurrence frequency” in association with each other. The figure shows an example in which the number of implementations is three. In the item “work record”, “1” indicates that it has been performed, and “0 (zero)” indicates that it has not been performed. The item “occurrence frequency” is an item for storing the execution ratio in the work results.

Next, the operation of the alarm pattern analysis apparatus 10 that is an embodiment of the present invention will be described.
FIG. 8 is a schematic flowchart showing the procedure of the suppression pattern generation process by the alarm pattern analysis apparatus 10. Here, the process of this flowchart will be described on the assumption that the work application receiving unit 14 takes in the designation of the network device and device that is the object of the maintenance work and the designation of the work item and stores them in the internal storage unit. To do.

  In step S1, when the maintenance work by the worker is started, the work application receiving unit 14 registers the work start date and time in the work application information stored in the storage unit. For example, when the worker starts the maintenance work, the work application reception unit 14 is directly or remotely operated to register the work start date and time in the work application information.

  Next, in step S <b> 2, the alarm information acquisition unit 12 takes in alarm information generated by the network devices 31 to 34 and stores the alarm information in the alarm information storage unit 13. The alarm information captured here is a work alarm generated by a maintenance work performed by an operator or a failure alarm.

  Next, in step S3, when the maintenance work by the worker is finished, the work application receiving unit 14 registers the work end date and time in the work application information stored in the storage unit. For example, when the worker finishes the maintenance work, the work application reception unit 14 is directly or remotely operated to register the work end date and time in the work application information.

Next, in step S4, the suppression pattern generation unit 15 reads a record of work application information corresponding to the maintenance work from the work application information stored in the storage unit of the work application reception unit 14.
Next, the suppression pattern generation unit 15 calculates a work time based on the work start date and time and the work end date and time in the read record, and reads a record of alarm information generated within the work time from the alarm information storage unit 13.
Next, the suppression pattern generation unit 15 stores the read record information in the internal storage unit as alarm information generated during work hours.
Next, the suppression pattern generation unit 15 selects the alarm information in which the recovery information is indicated in the alarm information generated during work hours as the estimated work alarm.

Next, in step S <b> 5, the suppression pattern generation unit 15 reads network device configuration information from the network device configuration information storage unit 11.
Next, the suppression pattern generation unit 15 is a connection destination network device that is a connection destination of the network device and the device that is the target of the maintenance work, based on the work application information record that has already been captured and the network device configuration information. Identify the connected device.
Next, the suppression pattern generation unit 15 detects alarm information in which the network device and the device in the estimated work alarm are connected to each other in the alarm information generated within the work time, and the alarm information is included in the alarm information. Add an extraction flag.

Next, the suppression pattern generation unit 15 adds up the work results (the number of times maintenance work has been performed) for each combination of the device and the alarm code in the alarm information generated within the work time.
Next, the suppression pattern generation unit 15 calculates the frequency of work results for each combination of a device and an alarm code, and generates suppression pattern selection information.
Next, the suppression pattern generation unit 15 selects, from the suppression pattern selection information, a combination of a device and an alarm code whose frequency exceeds a predetermined threshold as a suppression pattern.

  Next, in step S <b> 6, the suppression pattern generation unit 15 supplies the selected suppression pattern to the suppression pattern storage unit 16.

  Next, the suppression pattern regeneration process by the alarm pattern analysis apparatus 10 will be described. When registering a suppression pattern in the suppression pattern storage unit 16, the alarm pattern analysis apparatus 10 executes a suppression pattern regeneration process when the same target suppression pattern is already registered. For example, there are the following two methods as the inhibition pattern regeneration process.

[1] First Method of Repression Pattern Regeneration Processing The first method stores the application frequency or the number of times of application and the last application date and time for each alarm information every time a suppression pattern is applied. For alarm information that is newly added in the re-creation pattern, this alarm information is added to the suppression pattern. For the alarm information reduced by the re-created pattern, refer to the above application frequency (number of applications) and the last application date and time, the application frequency is low (the number of applications is small), and the last application date and time is the suppression pattern last. If it is older than the referenced date, it is not included in the suppression pattern.

[2] Second Method of Inhibition Pattern Regeneration Processing The second method is a method that is executed in the same manner as the inhibition pattern generation processing. In the second method, all the alarm information extracted at the time of generating the existing suppression pattern and the new suppression pattern is counted, and the suppression pattern is regenerated by applying the threshold in the suppression pattern generation process.

Next, a filtering method using a suppression pattern in the network system 1 will be described.
When the maintenance work is started, the work application reception unit 14 performs registration for specifying the work start and the work end for the pre-registered work application information based on the operation by the worker. In the work start registration process, the suppression pattern stored in the suppression pattern storage unit 16 is searched using all the work application information stored in the storage unit of the work application reception unit 14. Based on the work target included in the work application information and the network device configuration information stored in the network device configuration information storage unit 11, information related to the network device and the device connected to the work target is referred to. Then, the network device and device identification information are added to the retrieved inhibition pattern and registered in the network monitoring device 20 as a filter. When there are a plurality of records in the work application information, the network monitoring apparatus 20 registers a suppression pattern group that is a logical sum of each suppression pattern as a filter. Similarly, during the work end registration process, the suppression pattern is deleted from the network monitoring apparatus 20 via the work application receiving unit 14.

  As described above in detail, the alarm pattern analysis apparatus 10 according to an embodiment of the present invention generates an alarm pattern (suppression pattern) for suppressing a work alarm in units of alarm occurrence factors. Since a work alarm is generated by a work action such as maintenance work, a complicated work alarm can be suppressed by generating a suppression pattern for each alarm generation factor. Since the alarm pattern analysis apparatus 10 refers to the network device configuration information for each generation process of the suppression pattern, the alarm pattern analysis apparatus 10 can generate an optimal suppression pattern even when the network configuration is changed, thereby greatly reducing the work amount of the network administrator. be able to.

  In addition, the alarm pattern analysis apparatus 10 performs work start and end registration for a work application that has been applied in advance, and acquires accurate work start time and work end time. Using these times, the alarm pattern analysis apparatus 10 extracts alarm information that has been recovered from an alarm generated within the working time from past alarm information stored in the alarm information storage unit 13 and uses it as an estimated work alarm. . In response to the extraction result, the alarm pattern analysis apparatus 10 adds information on a connection destination network apparatus and a connection destination device having a connection to the work target network apparatus and device based on the work application information and the network apparatus configuration information. Therefore, the alarm information that is the basis for generating the suppression pattern is only the work alarm, so that the accuracy of the suppression pattern can be kept high.

  Further, the alarm pattern analysis apparatus 10 expresses the work content as a set (work action) of a work target device and a work item for the work target device. The number of work applications for the same work action is greater than the number of work applications having the same work content. Therefore, by creating a deterrence pattern in units of work actions, it is possible to satisfy the number of operations that can quickly generate a deterrence pattern. Furthermore, by using work actions as units of deterrence patterns, the number of pattern generations can be reduced rather than generating deterrence patterns for each work content, and applications can be accepted flexibly for a large number of work contents. .

In addition, the alarm pattern analysis apparatus 10 performs work registration with respect to the work reception application unit 14 by remote operation such as the web. As a result, accurate work start time and work end time can be acquired, and the work of personnel who respond to contact can be reduced.
In addition, when the suppression pattern of the work action included in the work application is generated by the suppression pattern generation unit 15 at the time of work registration, it can be registered in the network monitoring apparatus 20 at the same time as the work registration of the worker. .

  Therefore, according to the present embodiment, it is possible to reduce the number of work man-hours by the worker, and to correctly suppress a work alarm that occurs in a complicated manner.

  Note that some functions of the alarm pattern analysis apparatus 10 according to the above-described embodiment may be realized by a computer. In this case, an alarm pattern analysis program for realizing the function is recorded on a computer-readable recording medium, the alarm pattern analysis program recorded on the recording medium is read into the computer system, and the computer system executes the alarm pattern analysis program. May be realized. This computer system includes an operating system (OS) and hardware of peripheral devices. The computer-readable recording medium is a portable recording medium such as a flexible disk, a magneto-optical disk, an optical disk, or a memory card, and a storage device such as a magnetic hard disk or a solid state drive provided in the computer system. Furthermore, a computer-readable recording medium dynamically holds a program for a short time, such as a computer network such as the Internet, and a communication line when transmitting a program via a telephone line or a cellular phone network. In addition, a server that holds a program for a certain period of time, such as a volatile memory inside a computer system serving as a server device or client in that case, may be included. Further, the alarm pattern analysis program may be for realizing a part of the above-described functions, and further for realizing the above-described functions by a combination with a program already recorded in the computer system. There may be.

  As mentioned above, although embodiment of this invention was explained in full detail with reference to drawings, the specific structure is not restricted to that embodiment, The design of the range which does not deviate from the summary of this invention, etc. are included.

DESCRIPTION OF SYMBOLS 1 Network system 10 Alarm pattern analysis apparatus 11 Network apparatus structure information storage part 12 Alarm information acquisition part 13 Alarm information storage part 14 Work application reception part 15 Suppression pattern generation part 16 Suppression pattern storage part 17 Suppression pattern setting control part 20 Network monitoring apparatus 30 Network Device Group 31-34 Network Device 31a, 31b, 31c Device 32a, 32b, 32c Device 33a, 33b, 33c Device 34a, 34b Device 40 Network

Claims (6)

A work application accepting unit that captures work application information including time information of work time for a network device that is a work target connected to the network to be monitored;
An alarm information acquisition unit that captures alarm information including information that specifies when an alarm has occurred and information that indicates whether or not the alarm state has been restored;
An alarm information storage unit for storing the alarm information captured by the alarm information acquisition unit;
Using the work application information captured by the work application reception unit, the alarm information is extracted from the alarm information storage unit as an operation alarm when an alarm is generated within the work time and the alarm state is restored. A deterrence pattern, and in this case, a deterrence pattern generation unit that generates the deterrence pattern by extracting the alarm information related to the content of the alarm in which the frequency of the number of work operations exceeds a predetermined threshold ;
An alarm pattern analyzing apparatus comprising: The suppression pattern generation unit is configured so that the alarm information related to the network device and the device having a connection relationship with the work target is more than the alarm information regarding the network device and the device not having a connection relationship with the work target. Use a small value as the threshold,
The alarm pattern analysis apparatus according to claim 1, wherein: A computer having an alarm information storage unit for storing alarm information,
A work application accepting unit that captures work application information including time information of work time for a network device that is a work target connected to the network to be monitored;
An alarm information acquisition unit that captures alarm information including information that specifies when an alarm has occurred and information indicating whether or not the alarm state has been restored, and stores the alarm information in the alarm information storage unit; ,
Using the work application information captured by the work application reception unit, the alarm information is extracted from the alarm information storage unit as an operation alarm when an alarm is generated within the work time and the alarm state is restored. A deterrence pattern, and in this case, a deterrence pattern generation unit that generates the deterrence pattern by extracting the alarm information related to the content of the alarm in which the frequency of the number of work operations exceeds a predetermined threshold ;
Alarm pattern analysis program to function as The suppression pattern generation unit is configured so that the alarm information related to the network device and the device having a connection relationship with the work target is more than the alarm information regarding the network device and the device not having a connection relationship with the work target. Use a small value as the threshold,
4. The alarm pattern analysis program according to claim 3, wherein: A network monitoring system in which an alarm pattern analysis device and a network monitoring device are connected via a monitored network,
The alarm pattern analyzer is
A work application accepting unit that captures work application information including time information of work time for a network device that is a work target connected to the network;
An alarm information acquisition unit that captures alarm information including information that specifies when an alarm has occurred and information that indicates whether or not the alarm state has been restored;
An alarm information storage unit for storing the alarm information captured by the alarm information acquisition unit;
Using the work application information captured by the work application reception unit, the alarm information is extracted from the alarm information storage unit as an operation alarm when an alarm is generated within the work time and the alarm state is restored. A deterrence pattern, and in this case, a deterrence pattern generation unit that generates the deterrence pattern by extracting the alarm information related to the content of the alarm in which the frequency of the number of work operations exceeds a predetermined threshold ;
A deterrence pattern setting control unit for supplying the deterrence pattern generated by the deterrence pattern generation unit to the network monitoring device;
With
The network monitoring device
A network monitoring system, which takes in the suppression pattern supplied from a suppression pattern setting control unit of the alarm pattern analysis device, monitors the network by registering the suppression pattern as a filter. The suppression pattern generation unit included in the alarm pattern analysis apparatus is configured to relate to the network apparatus and device that are not connected to the work target with respect to the alarm information related to the network apparatus and device connected to the work target. Use a smaller value as the threshold than for the alarm information.
6. The network monitoring system according to claim 5, wherein:

Images