JP5893513B2 - Monitoring device, monitoring method and monitoring program - Google Patents

Description

  Embodiments described herein relate generally to a monitoring device, a monitoring method, and a monitoring program.

  Server virtualization technology, such as cloud computing, is advancing the consolidation and scale of devices. As a result, IT resources are effectively utilized, but system operation management is complicated. For this reason, the system maintainer must select an appropriate response from a wide range of responses to failures related to a wide range of hardware and software.

  As an example of a technique for supporting the operation management of such a system, there is a technique for identifying the countermeasure from the contents of the fault by associating the fault with the countermeasure in advance. This aims to eliminate the need for manual search by maintenance personnel. As another example, there is a technique of automatically searching a manual using the content of a failure. This aims to reduce the labor of manual search by maintenance personnel.

Jan Goyvaerts, "Regular-Expressions.info", [online], [May 30, 2012 search], Internet <http://www.regular-expressions.info/index.html>

  However, the above-described prior art has a problem that it is not possible to reduce manual search effort without prior setting as described below.

  For example, in the case of the former technique, a great deal of labor is required to make a setting for associating a failure with a countermeasure in advance. In other words, when a failure occurs in the monitoring target of the system, a message describing the content of the failure is generated. In this message, in addition to the essence such as a keyword that can identify the failure, the failure can be identified. Information such as irrelevant date and time is also included. In order to extract the essence to be associated with the countermeasure from such messages, it is necessary for the setter to have knowledge and experience, and for each assumed message, an effort to associate a countermeasure appropriate for the message is required.

  In the case of the latter technique, the search is not necessarily narrowed down to one, so that there are cases where it takes time to re-search the manual when there are many search results. Furthermore, in the case of the latter technique, if key information such as keywords included in the failure message is not included in the manual, the search cannot be hit, and the situation where the automatic search can be applied is also limited. There is.

  Therefore, an embodiment of the present invention has been made in view of the above, and an object of the present invention is to provide a monitoring device, a monitoring method, and a monitoring program that can reduce manual search effort without prior setting.

  The monitoring device according to the embodiment includes a manual storage unit that stores a manual in which a failure classification of a monitoring target device connected via a network is associated with a countermeasure for the failure corresponding to the classification, and A history accumulation unit that accumulates history information in which failure information related to a failure of the monitoring target device is associated with a classification of a failure to which the failure information corresponds, and a failure included in each history information accumulated in the history accumulation unit A determination unit that determines a procedure for converting each piece of failure information into a data format represented by a vector using elements constituting information, and a history stored in the history storage unit according to the procedure determined by the determination unit A first conversion unit that converts the failure information included in the information into failure information in a data format of a vector representation, and the vector representation converted by the first conversion unit. A determination model to be applied to a determination process for determining the classification of the failure from the failure information input in the data format of the vector representation is generated using the failure information in the data format and the classification associated with the failure information as learning data. A generating unit; a monitoring unit that monitors a state of the monitoring target device; and a second unit that converts failure information generated by the monitoring unit when a failure occurs according to a procedure determined by the determining unit into a data format of vector representation A determination unit for determining a classification of a failure from the failure information converted into the data format of the vector representation by the second conversion unit using the determination model generated by the generation unit, and the manual storage Extracting a countermeasure from a manual associated with the failure classification determined by the determination unit among manuals stored in the unit With the door.

  According to one aspect of the monitoring apparatus according to the embodiment, there is an effect that it is possible to reduce manual search labor without prior setting.

FIG. 1 is a diagram illustrating a configuration of a monitoring system including a monitoring server according to the first embodiment. FIG. 2 is a diagram illustrating a configuration example of failure classification information. FIG. 3 is a diagram illustrating a configuration example of the handling information. FIG. 4 is a diagram illustrating an example of a history input screen displayed on the monitoring terminal. FIG. 5 is a diagram illustrating an example of a failure information conversion method. FIG. 6 is a flowchart illustrating a procedure of determination model generation processing according to the first embodiment. FIG. 7 is a flowchart illustrating a procedure of failure monitoring processing according to the first embodiment. FIG. 8 is a diagram illustrating that the information processing by the monitoring program according to the second embodiment is specifically realized using a computer.

  Hereinafter, a monitoring device, a monitoring method, and a monitoring program according to an embodiment of the present invention will be described in detail based on the drawings. Note that this embodiment does not limit the present invention. And each embodiment can be suitably combined in the range which does not contradict a processing content.

[First Embodiment]
[Configuration of monitoring system 1]
FIG. 1 is a diagram illustrating a configuration of a monitoring system including a monitoring server according to the first embodiment. The monitoring system 1 shown in FIG. 1 accommodates a monitoring server 10, monitoring target devices 30A and 30B, and a monitoring terminal 50. In the example of FIG. 1, two monitoring target devices and one monitoring terminal are illustrated, but this system is not limited to the illustrated configuration, and the monitoring system 1 includes an arbitrary number of monitoring target devices and monitoring terminals. Can be accommodated. Hereinafter, when the monitoring target devices 30A and 30B are collectively referred to without distinction, they are referred to as “monitoring target device 30”.

  The monitoring target device 30, the monitoring terminal 50, and the monitoring server 10 are connected to be communicable with each other via a network (not shown). Further, the monitoring target device 30 and the monitoring server 10 and the monitoring terminal 50 and the monitoring server 10 may be connected to each other via different types of communication networks. It should be noted that any type of communication network, such as the Internet (Internet), a LAN (Local Area Network), or a VPN (Virtual Private Network), can be adopted as the above-described network regardless of wired or wireless.

  Among these, the monitoring target device 30 is a device that is a target whose resource status is monitored by the monitoring server 10. Examples of the monitoring target device 30 include a server device such as a Web server that provides a Web service or a database server that includes a DBMS (DataBase Management System). These functions as a Web server and a database server can be implemented on-premises, or can be implemented as a cloud.

  The monitoring terminal 50 is a terminal device used by a maintenance person of the monitoring target device 30. As an example of the monitoring terminal 50, a mobile terminal such as a mobile phone, a PHS (Personal Handyphone System) or a PDA (Personal Digital Assistants) can be adopted as well as a fixed terminal such as a personal computer (PC). .

[Configuration of the monitoring server 10]
The monitoring server 10 is a server device that monitors the state of the monitoring target device 30 and notifies the monitoring terminal 50 of failure information related to the failure when a failure occurs. As shown in FIG. 1, the monitoring server 10 includes a monitoring unit 11, an output unit 12, a manual storage unit 13, a search unit 14, an acquisition unit 15a, a history storage unit 15b, and a conversion procedure determination unit 16a. A conversion procedure storage unit 16b, a first conversion unit 17a, a model generation unit 18a, a second conversion unit 17b, a determination unit 18b, and an extraction unit 19. Note that the monitoring server 10 may include various functional units included in a known server device, for example, functional units such as various input devices and audio output devices, in addition to the functional units illustrated in FIG.

  Among these, the monitoring unit 11 is a processing unit that monitors the state of the monitoring target device 30. Specifically, the monitoring unit 11 collects, as monitoring information, a log of an application operating on the monitoring target device 30 or a communication log in accordance with SNMP (Simple Network Management Protocol). Then, the monitoring unit 11 determines whether a failure has occurred in the monitoring target device 30 using the monitoring information collected from the monitoring target device 30. At this time, if a failure has occurred in the monitoring target device 30, the monitoring unit 11 generates failure information from the application log or communication log. Then, the monitoring unit 11 outputs the failure information generated as described above to the output unit 12 and the second conversion unit 17b.

  The output unit 12 is a processing unit that controls output of information to the monitoring terminal 50. Specifically, when the failure information is generated by the monitoring unit 11, the output unit 12 determines whether or not the learning regarding the association between the failure information and the failure classification has reached a certain learning level. That is, if the learning level has not reached a certain level, the correct answer can be obtained even if the determination unit 18b determines the classification of the failure from the failure information using the determination model generated by the model generation unit 18a. It is not always possible. For this reason, the output unit 12 has, for example, the number of learning data samples used for generating the determination model by the model generation unit 18a, that is, the number of failure handling history information acquired from the monitoring terminal 50 equal to or greater than a predetermined threshold. It is determined whether or not a certain learning level has been reached depending on whether or not there is. When the learning unit has reached a certain level of learning, the output unit 12 also outputs to the monitoring terminal 50 the failure classification and coping method output by the extraction unit 19 together with the failure information. If not reached, fault information is output to the monitoring terminal 50. In addition, when the search unit 14 performs a manual search, the output unit 12 outputs the search result to the monitoring terminal 50.

  The manual storage unit 13 is a storage unit that stores a manual including the failure of the monitoring target device 30 and the handling of the failure. The manual storage unit 13 stores failure classification information associated with a failure classification number, a failure classification, and a manual number, and handling information associated with a manual number and a handling method. Note that the above “failure classification number” refers to a number that identifies the classification of a failure that occurs in the monitoring target apparatus 30, and “manual number” refers to a number that identifies a manual.

  FIG. 2 is a diagram illustrating a configuration example of failure classification information. FIG. 3 is a diagram illustrating a configuration example of the handling information. As shown in FIG. 2, failures classified into CPU-related error “001”, MEMORY-related error “002”, and WEB application-related error “005” all correspond to the manual number “a”. As shown in FIG. 4, the manual number “a” is associated with a PC reboot. This is a common solution to failures classified into CPU-related error “001”, MEMORY-related error “002”, and WEB application-related error “005”, and can be handled by restarting the computer. It means that it should be established. Further, as shown in FIG. 2, a failure classified as DB related error “003” corresponds to manual number “b”, and as shown in FIG. 3, DB reboot is associated with manual number “b”. ing. This means that it is determined that DB related errors should be dealt with by restarting the database. Further, as shown in FIG. 2, a failure classified as HTTP related error “004” corresponds to manual number “c”, and as shown in FIG. 3, NW reboot is associated with manual number “c”. ing. This means that it has been determined that HTTP related errors should be dealt with by restarting the network.

  Here, in the example of FIG. 2 described above, the failure classification number and the failure classification are stored as the failure classification information. However, from the viewpoint of corresponding to the keyword search by the monitoring terminal 50, the actually generated failure It is assumed that elements constituting information, for example, a failure message or a keyword extracted from the failure message is stored together. In the example of FIGS. 2 and 3, the case where each of the failure classification information and the handling information included in the manual is configured as a separate table is illustrated, but the failure classification information and the handling information are configured as one table. You can also

  The search unit 14 is a processing unit that uses the manual storage unit 13 to search for a manual corresponding to the key information based on the designation of the key information from the monitoring terminal 50. Specifically, the search unit 14 receives a search request including designation of key information such as keywords from the monitoring terminal 50. Then, the search unit 14 searches the manual stored in the manual storage unit 13 for a manual containing a failure message that partially matches or completely matches the keyword specified in the search request or a keyword extracted from the failure message. . As a result, when the search is hit, the search unit 14 outputs the manual with the search hit to the output unit 12 as a search result.

  The acquisition unit 15 a is a processing unit that acquires failure handling history information from the monitoring terminal 50. Specifically, when the failure information is notified to the monitoring terminal 50, the acquisition unit 15a determines whether a manual search is being performed. At this time, when a manual search is being executed, the acquisition unit 15a outputs a history input screen that allows the user to select a manual for which a countermeasure has been selected from the manual search results, to the monitoring terminal 50. Then, the acquisition unit 15 a acquires history information input via the history input screen displayed on the monitoring terminal 50, for example, the failure information output by the output unit 12 together with the failure classification to which the failure information corresponds. On the other hand, when the countermeasure is performed without executing the manual search, the failure information output by the output unit 12, the classification of the failure, and the troubleshooting method are directly returned to the monitoring server 10 as history information. . At this time, instead of receiving the failure information, the failure classification, and the response method for the failure from the monitoring terminal 50, a failure handling completion notification is received. When the completion notification is received, the output unit 12 sends the notification to the monitoring terminal 50. The output failure information, failure classification, and troubleshooting method can be acquired as history information. After acquiring the history information in this way, the acquisition unit 15a stores the history information including the failure information and the failure classification acquired from the monitoring terminal 50 in the history storage unit 15b.

  FIG. 4 is a diagram illustrating an example of a history input screen displayed on the monitoring terminal 50. As shown in FIG. 4, the history input screen 200 displays a manual in which five classifications of fault classification numbers “001” to “005” are associated with the countermeasures. For example, when the execution button 200A is pressed in a state where a manual relating to an error related to the web application with the failure classification number “004” among radio buttons laid out on the left side of five manuals is selected, the history is input by the output unit 12 History information in which failure information notified separately from the screen 200 is associated with the failure classification number “004” input via the history input screen 200 is transmitted from the monitoring terminal 50 to the monitoring server 10. Thereby, the acquisition unit 15a can acquire the association between the failure information and the failure classification.

  The history accumulation unit 15b is a storage unit that accumulates failure handling history information. As an example, each time history information is acquired by the acquisition unit 15a, the history information is additionally registered in the history storage unit 15b. As another example, the history storage unit 15b is referred to by the conversion procedure determination unit 16a in order to generate a determination model for determining a classification of the failure information from elements constituting the failure information, for example, a failure message.

  The conversion procedure determination unit 16a is a processing unit that refers to the history storage unit 15b and determines a procedure for converting each failure information into a data format represented by a vector using elements constituting the failure information of each history information. is there.

  More specifically, the conversion procedure determination unit 16a performs the process when the newly registered history information is equal to or greater than a predetermined threshold after the previous learning about the association between the failure information and the failure classification. to start. That is, the conversion procedure determination unit 16a reads all the history information stored in the history storage unit 15b when the new history information is equal to or greater than the threshold value. As described above, when the learning data generated from the history information is not significantly different from the previous learning, the activation of the process is suppressed because the processing load of the monitoring server 10 is increased by performing the learning frequently. This is to suppress this. In addition, here, the case where the process is started when the new history information is equal to or greater than the threshold is illustrated, but the process may be started every time new history information is added, or batch processing may be performed. The process may be started by the process.

  Subsequently, the conversion procedure determining unit 16a determines the number of dimensions of the vector from the number of types of words included in the failure message of each history information, for example, the failure message, and then assigns a word to each component of the vector. . For example, the conversion procedure determination unit 16a searches for all words included in the failure message among the elements constituting each failure information read out by performing morphological analysis or the like, and searches for words that do not overlap between the failure messages. Extract. Thereafter, the conversion procedure determination unit 16a determines the total number of words that do not overlap between the failure messages as the number of dimensions of the vector. Subsequently, the conversion procedure determination unit 16a sequentially assigns words that do not overlap between the failure messages to the components of the vector. In addition, the conversion procedure determination unit 16a defines a procedure for deriving the value of each component of the vector depending on whether or not the word assigned to each component is included in the failure message. Hereinafter, the procedure for converting to a data format represented by a vector is referred to as a “conversion procedure”, and the process for converting to a data format represented by a vector may be referred to as “vectorization”. Thereafter, the conversion procedure determination unit 16a stores the conversion procedure defined as described above in the conversion procedure storage unit 16b.

  In this embodiment, the case where the conversion procedure is defined using a failure message among the elements constituting the failure information when converting the failure information into a data format represented by a vector is exemplified. The conversion procedure may be defined by using the host name, monitoring method, monitoring type, OS, server type, date / time, installed system name, monitoring port number, etc. of the monitoring target device 30, and a failure message and other elements The conversion procedure can also be defined by combining. Also, here, the case where non-overlapping words among all the words included in each failure message are assigned to the vector component is illustrated, but it is not always necessary to assign all the non-overlapping words between the failure messages. For example, among words included in the failure message, only words having an appearance frequency from the top to a predetermined rank can be assigned to the vector components. As a result, a word that causes noise in identifying a failure classification such as a date or Web service content can be excluded from the assignment. As a result, the learning accuracy regarding the association between the failure message and the failure classification can be improved.

  The conversion procedure storage unit 16b is a storage unit that stores a procedure for converting failure information into a data format represented by a vector. As an example, when the conversion procedure is determined by the conversion procedure determination unit 16a, the conversion procedure is updated and registered in the conversion procedure storage unit 16b. As another example, the conversion procedure storage unit 16b is referred to by the first conversion unit 17a when converting the failure information included in the history information into a data format of vector representation. As a further example, the conversion procedure storage unit 16b is referred to by the second conversion unit 17b when the failure information generated by the monitoring unit 11 is converted into a data format of vector representation.

  The first conversion unit 17a is a processing unit that converts failure information included in the history information stored in the history storage unit 15b into failure information in a data format of vector representation according to the conversion procedure stored in the conversion procedure storage unit 16b. It is.

  FIG. 5 is a diagram illustrating an example of a failure information conversion method. The upper part of FIG. 5 illustrates three pieces of history information, the middle part of FIG. 5 illustrates an example of a conversion procedure, and the lower part of FIG. 5 illustrates failure information after conversion into a vector representation data format. Show. In the example of FIG. 5, for the sake of convenience of explanation, the case where the conversion procedure is determined using words included in the failure message of three history information is illustrated, but the number of history information used for determining the conversion procedure is It can be any number.

  As shown in the upper part of FIG. 5, when three pieces of history information 1 to 3 are read from the history storage unit 15b, all of the failure messages included in the failure information included in each history information are included. Search for words and extract words that do not overlap between failure messages. In the example of FIG. 5, two of “error” and “apache” out of all nine words overlap between failure messages, so “postgres”, “error”, “xxxx”, “apache”, “yyyy” , “Warning” and “zzzz” are extracted. Thus, since the total number of non-overlapping words among the failure messages is 7, the number of vector dimensions is determined to be “7”. Subsequently, “postgres”, “error”, “xxxx”, “apache”, “yyyy”, “warning”, and “zzzz” are sequentially assigned to the components 1 to 7 of the vector. Then, a procedure for deriving a value of each component of the vector is defined depending on whether or not words assigned to the component 1 to the component 7 of the vector are included in the failure message. For example, in the case of the component 1 of the vector, the value “1” is assigned when “postgres” exists in the failure message, and the value “0” is assigned when “postgres” does not exist in the failure message. A procedure is defined. In this way, a conversion procedure for converting a failure message into a vector representation data format is defined.

  Under the situation where such a conversion procedure is defined, failure information of history information of history 1 to history 3 is vectorized. For example, in the case of history 1, since the failure message constituting the failure information is “postgres error xxxx”, a value “1” is assigned to the vector components 1 to 3 and the vector components 4 to 4 are added. The value “0” is assigned to the component 7. As a result, the failure information (1, 1, 1, 0, 0, 0, 0) after conversion of the history 1 is obtained. In the case of the history 2, since the failure message constituting the failure information is “apache error yyyy”, the vector component 2, the component 4 and the component 5 are assigned the value “1”, and other than that The value “0” is assigned to the vector component of. As a result, failure information (0, 1, 0, 1, 1, 0, 0) after conversion of the history 2 is obtained. In the case of the history 3, since the failure message constituting the failure information is “apache warning zzzz”, the vector component 4, the component 6 and the component 7 are assigned the value “1”, and other than that The value “0” is assigned to the vector component of. As a result, fault information (0, 0, 0, 1, 0, 1, 1) after conversion of the history 3 is obtained. The correspondence between the converted fault information and the fault classification number is used as learning data when the determination model is generated.

  The model generation unit 18a is a processing unit that generates a determination model to be applied to a determination process for determining a failure classification from failure information input in a vector representation data format. As one aspect, the model generation unit 18a uses the failure information in the data format of the vector representation converted by the first conversion unit 17a and the classification of the failure associated with the failure information as learning data, and the support vector machine And a determination model to be applied to a determiner realized by various machine learning algorithms such as the k-nearest neighbor method.

  The second conversion unit 17b is a processing unit that converts the failure information generated by the monitoring unit 11 when a failure occurs according to the conversion procedure stored in the conversion procedure storage unit 16b into the failure information in the data format of the vector representation. The second conversion unit 17b performs the same processing as the first conversion unit 17a except that the failure information to be converted is not included in the history information but is generated by the monitoring unit 11. Run.

  The determination unit 18b is a processing unit that determines the failure classification from the failure information in the data format of the vector representation converted by the second conversion unit 17b, using the determination model generated by the model generation unit 18a. As one aspect, the determination unit 18b includes a determination unit that returns an output of a classification of a failure corresponding to the failure information in response to the input of the failure information every time a new determination model is generated by the model generation unit 18a. Recreate it. Then, when the failure information in the data format of the vector representation is input by the second conversion unit 17b, the determination unit 18b outputs the failure classification determined by the determiner to the output unit 12. At this time, in the case where the determination unit 18b creates a determination unit that outputs the likelihood that the failure information corresponds to the failure classification together with the failure classification, the determination unit 18b is limited to the case where the likelihood is equal to or greater than a predetermined threshold. It is also possible to output the failure classification.

  The extraction unit 19 is a processing unit that extracts a coping method from a manual associated with the failure classification determined by the determination unit 18 b among the manuals stored in the manual storage unit 13. Specifically, when the determination unit 18b determines the failure classification, the extraction unit 19 extracts a manual number associated with the failure classification from the failure classification information stored in the manual storage unit 13. . Then, the extraction unit 19 extracts a coping method associated with the manual number from the coping information stored in the manual storage unit 13. After that, the extraction unit 19 outputs the failure classification and the coping method to the output unit 12.

  In addition, the monitoring unit 11, the output unit 12, the search unit 14, the acquisition unit 15a, the conversion procedure determination unit 16a, the first conversion unit 17a, the second conversion unit 17b, the model generation unit 18a, and the determination unit illustrated in FIG. Various integrated circuits and electronic circuits can be employed for various functional units such as 18b and the extraction unit 19. For example, examples of the integrated circuit include ASIC (Application Specific Integrated Circuit) and FPGA (Field Programmable Gate Array). Examples of the electronic circuit include a central processing unit (CPU) and a micro processing unit (MPU).

  In addition, the following devices may be employed for various storage units such as the manual storage unit 13, the history storage unit 15b, and the conversion procedure storage unit 16b illustrated in FIG. For example, a semiconductor memory element such as a random access memory (RAM), a read only memory (ROM), or a flash memory can be employed. A storage device such as a hard disk or an optical disk can also be employed.

[Process flow]
Next, the process flow of the monitoring server 10 according to the present embodiment will be described. Here, after (1) determination model generation processing executed by the monitoring server 10 is described, (2) failure monitoring processing is described.

(1) Determination Model Generation Processing FIG. 6 is a flowchart illustrating a determination model generation processing procedure according to the first embodiment. This generation process is a process that is repeatedly executed as long as the power of the monitoring server 10 is ON.

  As illustrated in FIG. 6, when the failure handling history information is acquired from the monitoring terminal 50 (Yes in step S <b> 101), the monitoring server 10 displays the failure information acquired from the monitoring terminal 50 and the history information including the failure classification. Store in the history storage unit 15b (step S102).

  Subsequently, until the newly registered history information becomes equal to or greater than a predetermined threshold after the previous learning about the association between the failure information and the failure classification (step S103, No), the monitoring server 10 Steps S101 to S102 are repeated.

  At this time, if the newly registered history information is equal to or greater than a predetermined threshold after the previous learning about the association between the failure information and the failure classification (step S103, Yes), the monitoring server 10 Then, all the history information stored in the history storage unit 15b is read (step S104).

  Subsequently, the monitoring server 10 determines a conversion procedure for converting each piece of failure information into a data format represented by a vector, using words included in the failure message constituting the failure information included in each history information (step) S105).

  Then, the monitoring server 10 converts the failure information included in the history information stored in the history storage unit 15b into the failure information in the data format of the vector representation according to the conversion procedure determined in step S105 (step S106).

  After that, the monitoring server 10 uses the failure information in the data format of the vector representation converted in step S106 and the failure classification associated with the failure information as learning data, such as a support vector machine and a k-nearest neighbor method. A determination model to be applied to a determiner realized by various machine learning algorithms is generated (step S107).

  Thereafter, the monitoring server 10 saves the conversion procedure determined in step S105 in the conversion procedure storage unit 16b (step S108), and proceeds to the process of step S101 described above.

  In the flowchart shown in FIG. 6, the case where the conversion procedure is registered in the conversion procedure storage unit 16b is exemplified in step S108. However, the present invention is not limited to this, and it is more than S105 in which the conversion procedure is determined. After that, the conversion procedure can be registered in the conversion procedure storage unit 16b at an arbitrary timing.

(2) Fault Monitoring Process FIG. 7 is a flowchart showing the procedure of the fault monitoring process according to the first embodiment. This process is started when the occurrence of a failure in the monitoring target device 30 is detected.

  As shown in FIG. 7, when the failure information is generated (step S301), the monitoring server 10 converts the failure information into the failure information in the vector representation data format according to the conversion procedure stored in the conversion procedure storage unit 16b. (Step S302).

  Subsequently, the monitoring server 10 uses the determination model to determine the failure classification from the failure information in the data format of the vector representation converted in step S302 (step S303). And the monitoring server 10 specifies the manual number with which the classification | category of the said failure was matched among the failure classification information memorize | stored in the manual memory | storage part 13 (step S304).

  And the monitoring server 10 extracts the coping method matched with the said manual number among the coping information memorize | stored in the manual memory | storage part 13 (step S305). Then, the monitoring server 10 outputs the failure information, the failure classification, and the coping method to the monitoring terminal 50 (Step S306), and ends the process.

[Effect of Example 1]
As described above, the monitoring server 10 according to the present embodiment uses the history information acquired from the monitoring terminal 50 to perform machine learning to associate the failure information and the failure classification after being converted into the data format of the vector representation. When a failure occurs in the monitoring target device 30 by using the determination model, the failure classification is determined from the failure information converted into the vector representation data format using the determination model. The coping method corresponding to the classification is output to the monitoring terminal 50.

  For this reason, in the monitoring server 10 according to the present embodiment, the failure information is configured by machine learning without performing complicated presetting to extract the essence such as a keyword that can identify the failure from the failure information and to correspond to the countermeasure. It is possible to extract a method for dealing with the failure from the failure element, for example, the failure message. Furthermore, since the monitoring server 10 according to the present embodiment extracts a method for dealing with a failure associated with the failure classification obtained by machine learning, the manual presented to the maintenance person is narrowed down to one. As a result, there is no need to re-search the manual when there are a large number of search results as in the above-described prior art.

  Therefore, according to the monitoring server 10 which concerns on this embodiment, the effort of a manual search can be reduced without a prior setting. Furthermore, in the monitoring server 10 according to the present embodiment, it is not necessary to perform a search using key information such as a keyword as in the above-described conventional technology, and the keyword included in the elements constituting the failure information is not included in the handling method. In both cases, since a method for dealing with a failure can be extracted through vectorization of failure information and determination based on machine learning, the scope of application can be expanded as compared with a case where a countermeasure is presented by automatic search.

  In addition, the monitoring server 10 according to the present embodiment determines the number of vector dimensions from the number of types of words included in the failure message among the elements constituting the failure information included in each history information, and then determines each vector component. After assigning words, a procedure for deriving the value of each component of the vector is defined depending on whether or not the word assigned to each component is included in the failure message. For this reason, in the monitoring server 10 according to the present embodiment, the failure information can be vectorized in a state including an essence such as a keyword that can identify the failure, so that the failure information can be categorized into an appropriate failure classification. The accuracy of determination by machine learning can be improved.

[Second Embodiment]
Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the above-described embodiments. Therefore, in the following, other embodiments included in the present invention will be described.

[Add manual]
In the first embodiment, no special description is given, but the manual stored in the manual storage unit 13 can be arbitrarily added, updated, or deleted. For example, as the history information, in addition to the failure information and failure classification, a failure handling method is further acquired, and the failure handling method included in the acquired history information is not registered in the manual storage unit 13. Is added to the failure classification information stored in the manual storage unit 13 and the failure classification number included in the history information is added to the countermeasure information stored in the manual storage unit 13. A manual number and a coping method included in the history information can be added. Thereby, it is possible to automate the addition of the manual without maintaining the manual storage unit 13 by manual setting.

[Distribution and integration]
In addition, each component of each illustrated apparatus does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, the monitoring unit 11, the output unit 12, the search unit 14, the acquisition unit 15a, the conversion procedure determination unit 16a, the first conversion unit 17a, the second conversion unit 17b, the model generation unit 18a, the determination unit 18b, or the extraction unit 19 A part of the functional units may be connected as an external device of the monitoring server 10 via a network. In addition, the monitoring unit 11, the output unit 12, the search unit 14, the acquisition unit 15a, the conversion procedure determination unit 16a, the first conversion unit 17a, the second conversion unit 17b, the model generation unit 18a, the determination unit 18b, or the extraction unit 19 Each of the other devices may be connected to a network and cooperate to realize the function of the monitoring server 10 described above. Moreover, the 1st conversion part 17a and the 2nd conversion part 17b which were shown in FIG. 1 can also be integrated into one function part as a conversion part.

[Monitoring program]
FIG. 8 is a diagram illustrating that the information processing by the monitoring program according to the second embodiment is specifically realized using a computer. As illustrated in FIG. 8, the computer includes, for example, a memory, a CPU, a hard disk drive interface, a disk drive interface, a serial port interface, a video adapter, and a network interface. Connected by.

  The memory includes a ROM and a RAM as illustrated in FIG. The ROM stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface is connected to the hard disk drive as illustrated in FIG. The disk drive interface is connected to the disk drive as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive. The serial port interface is connected to, for example, a mouse and a keyboard as illustrated in FIG. The video adapter is connected to a display, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 8, the hard disk drive stores, for example, an OS (Operating System), an application program, a program module, and program data. That is, the monitoring program according to the second embodiment is stored in, for example, a hard disk drive as a program module in which a command to be executed by a computer is described. Specifically, a program module describing a monitoring procedure for executing information processing similar to the various functional units of the monitoring server described in the above embodiment is stored in the hard disk drive. In addition, data used for information processing by the monitoring program, such as data stored in the various storage units described in the above embodiment, is stored as program data in, for example, a hard disk drive. Then, the CPU reads program modules and program data stored in the hard disk drive into the RAM as necessary, and executes a monitoring procedure.

  Note that the program module and program data relating to the monitoring program are not limited to being stored in the hard disk drive, but may be stored in a removable storage medium, for example, and read out by the CPU via the disk drive or the like. Alternatively, the program module and program data relating to the monitoring program may be stored in another computer connected via a LAN, WAN (Wide Area Network), etc., and read by the CPU via the network interface.

DESCRIPTION OF SYMBOLS 1 Monitoring system 10 Monitoring server 11 Monitoring part 12 Output part 13 Manual memory part 14 Search part 15a Acquisition part 15b History storage part 16a Conversion procedure determination part 16b Conversion procedure memory | storage part 17a 1st conversion part 17b 2nd conversion part 18a Model Generation unit 18b Determination unit 19 Extraction unit 30A, 30B Monitoring target device 50 Monitoring terminal

Claims (5)

A manual in which a failure classification of a monitoring target device connected via a network is associated with a countermeasure for a failure corresponding to the classification, and the same even if the failure classification is different A manual storage unit for storing a manual including a combination with which a coping method is associated ;
A history storage unit that stores history information in which failure information related to a failure of the monitoring target device is associated with a classification of a failure to which the failure information corresponds;
Extract all types of words included in each failure message constituting failure information included in each history information stored in the history storage unit, determine the total number of types as the number of vector dimensions, and each type of word Is a data that expresses each failure information as a vector, in accordance with the procedure of deriving the value of each component of the vector depending on whether or not the failure information includes the word assigned to each component. A deciding unit that decides as a procedure to convert to a format;
A first conversion unit that converts the failure information included in the history information stored in the history storage unit according to the procedure determined by the determination unit into failure information in a data format of vector representation;
Instead of using the failure information and the coping method as learning data, the failure information in the data format of the vector representation converted by the first conversion unit and the classification associated with the failure information are learned data. And a generation unit that generates a determination model to be applied to a determination process for determining the classification of the failure from the failure information input in a data format of a vector representation,
A monitoring unit for monitoring the state of the monitoring target device;
A second conversion unit that converts failure information generated by the monitoring unit upon occurrence of a failure into a vector representation data format according to the procedure determined by the determination unit;
A determination unit for determining a classification of a failure from the failure information converted into a data format of a vector representation by the second conversion unit using the determination model generated by the generation unit;
A monitoring apparatus, comprising: an extraction unit that extracts a coping method from a manual associated with a failure classification determined by the determination unit among manuals stored in the manual storage unit. The manual storage unit includes failure identification information associated with manual identification information identifying the manual and failure classification identification information identifying the failure classification, and handling associated with the manual identification information and the coping method. Memorize manual including information,
The extraction unit refers to the failure classification information stored in the manual storage unit, specifies manual identification information corresponding to failure classification identification information indicated by the failure classification determined by the determination unit, and then stores the manual storage The monitoring apparatus according to claim 1, wherein a handling method corresponding to the manual identification information is extracted with reference to handling information stored in the unit. An acquisition unit that acquires history information including the failure information, the failure classification identification information, and a method for dealing with the failure;
When a method for dealing with a failure included in the history information acquired by the acquisition unit is not registered in the manual storage unit, new manual identification information is generated, and the failure classification information stored in the manual storage unit The new manual identification information and the failure classification identification information included in the history information are added, and the new manual identification information and the handling method included in the history information are added to the handling information stored in the manual storage unit. The monitoring apparatus according to claim 2, further comprising an additional unit configured to perform the above operation. A monitoring method executed by a monitoring device,
Referring to a history storage unit that stores history information in which failure information related to a failure of a monitoring target device connected via a network is associated with a classification of a failure corresponding to the failure information, the history information is included in each history information Extract all types of words included in each failure message making up the failure information, determine the total number of types as the number of vector dimensions, assign each type of word to each component of the vector, and assign to each component A determination step of determining the procedure of deriving the value of each component of the vector as a procedure for converting each failure information into a data format represented by a vector, depending on whether or not the word is included in the failure information;
A first conversion step of converting the failure information included in the history information stored in the history storage unit into the failure information in the data format of vector representation according to the procedure determined in the determination step;
Instead of using the failure information and the coping method as learning data, the failure information in the data format of the vector representation converted by the first conversion step and the classification associated with the failure information are used as learning data. Generating a determination model to be applied to determination processing for determining the classification of the failure from failure information input in a data format of vector representation;
A monitoring step of monitoring a state of the monitoring target device;
A second conversion step of converting failure information generated at the time of failure occurrence by the monitoring step into a vector representation data format according to the procedure determined by the determination step;
A determination step of determining a classification of a failure from the failure information converted into the data format of the vector representation by the second conversion step using the determination model generated by the generation step;
A manual in which a failure classification of the monitoring target device is associated with a countermeasure for a failure corresponding to the classification, and the same countermeasure is associated even if the failure classification is different And an extraction step of extracting a coping method from a manual associated with the classification of the failure determined by the determination step with reference to a manual storage unit that stores a manual including a combination of Method. Referring to a history storage unit that stores history information in which failure information related to a failure of a monitoring target device connected via a network is associated with a classification of a failure corresponding to the failure information, the history information is included in each history information Extract all types of words included in each failure message making up the failure information, determine the total number of types as the number of vector dimensions, assign each type of word to each component of the vector, and assign to each component A determination step for determining a procedure for deriving the value of each component of the vector as a procedure for converting each failure information into a data format represented by a vector, depending on whether or not the word is included in the failure information;
A first conversion step of converting failure information included in the history information stored in the history storage unit according to the procedure determined in the determination step into failure information in a data format of vector representation;
Rather than using the failure information and the coping method as learning data, the failure information in the data format of the vector representation converted by the first conversion step and the classification associated with the failure information are used as learning data. Generating a determination model to be applied to determination processing for determining the classification of the failure from the failure information input in a data format of vector representation;
A monitoring step of monitoring a state of the monitoring target device;
A second conversion step of converting the failure information generated at the time of failure occurrence by the monitoring step into a data format of vector representation according to the procedure determined by the determination step;
A determination step of determining a failure classification from the failure information converted into the data format of the vector representation by the second conversion step using the determination model generated by the generation step;
A manual in which a failure classification of the monitoring target device is associated with a countermeasure for a failure corresponding to the classification, and the same countermeasure is associated even if the failure classification is different A monitoring program for causing a computer to execute an extraction step that refers to a manual storage unit that stores a manual including a combination that has been selected and extracts a countermeasure from a manual associated with the failure classification determined in the determination step .

Images