JP6438875B2 - Network monitoring apparatus and network monitoring method - Google Patents

Description

  The present invention relates to a network monitoring apparatus and a network monitoring method for monitoring a failure occurring in an apparatus constituting a network.

  Various devices such as a transfer device and a control device are used for a network of a communication carrier. One of the methods for displaying the network configuration is a method of drawing a device at a corresponding location on a map using the geographical position information of the device (see Non-Patent Document 1). This method has an advantage that it is easy to recognize the position of the device and the geographical range covered by the device. In this display method, when a network error occurs, it is easy to recognize the location and range of influence, and when an alarm is issued from a device or link, or there is an error such as no response from the device. If in doubt, add an additional symbol to the corresponding device or link on the configuration diagram, change the color of the device or link, etc. Explicitly. In the example shown in FIG. 7, devices and links are arranged on a map, and marks indicating abnormal places are superimposed and displayed.

  The network monitoring business uses such conventional technology to centrally monitor network device failures nationwide at a failure monitoring center that is centralized to some extent, and responds to the alarms for devices that have been notified of alarms. Promptly connect to appropriate repair work. For example, when a power failure alarm is notified from a device to be monitored, an on-site person (for example, in each data center) is instructed to replace the device with a new power supply package. Failure recovery work is executed. Note that failures that can be handled remotely are handled by the failure monitoring center, and there is a case where an onsite person in charge is not dispatched. By continuing such failure monitoring and repair operations, communication carriers maintain the quality of the network.

Naoki Tateishi and three others, “Examination of information visualization method for large-scale network”, The Institute of Electronics, Information and Communication Engineers, March 2013, IEICE Technical Report, Vol.112, No.492, ICM2012-74, pp. 89-94

  However, the technique described in Non-Patent Document 1 described above is effective when a failure occurs in the device itself that has notified the alarm, but the alarm information from the device that cannot notify the alarm or the device that has notified the alarm If the true cause of failure cannot be analyzed from the contents, there is a case that leads to an erroneous repair work. Specific examples will be described below.

(Case A)
Since an alarm notification of a memory error was received from a certain device, an onsite person in charge performed memory replacement for the device. However, a few days later, a situation in which a warning of a memory error was notified from the device continued several times. When the cause of the failure was analyzed, it was found that a memory error occurred due to a thermal runaway caused by an adjacent device in the same rack of the device. At this time, the warning of the thermal runaway of the adjacent device was notified, but since it did not occur continuously, the response was postponed.

(Case B)
Since there was an alarm notification of a power supply error from a certain device, an on-site person performed replacement of the power supply package for that device. However, a few days later, the device was informed of a power supply error alarm several times. When the cause of this failure was analyzed, it was found that the same power supply failure occurred several times in the past from the equipment on the same floor. Since a power failure alarm was notified from a plurality of devices on the same floor, it was found that the cause was a failure of the power supply device (distribution panel) on this floor. At this time, the power supply device (distribution panel) is a device that cannot notify an alarm.

In an event such as Case A or Case B, the failure was dealt with focusing only on the device that generated the alarm, so that the failure repair work corresponding to the true cause was not possible.
That is, in the case A, as shown in FIG. 8B, a memory error has occurred in the device 2 “A” of the same rack 5 due to the thermal runaway of the device 2 “D”. At this time, as shown in FIG. 8A, a thermal runaway alarm is notified from the device 2 “D” to the network monitoring device 1 a such as an OpS (Operation System), and a memory error is reported from the device 2 “A”. An alarm is notified to the network monitoring device 1a. However, in the network monitoring device 1a, the thermal runaway alarm of the device 2 “D” and the memory error alarm of the device 2 “A” are simply transmitted to the operator terminal 3 as alarm information. Since the operator terminal 3 simply recognizes that different alarm information has been transmitted from the device 2 “D” and the device 2 “A”, the memory error of the device 2 “A” is identified as the device 2 “of the same rack 5. D ”cannot be recognized as a result of thermal runaway, that is, the true cause of the failure cannot be directly recognized by the network administrator. As a result, there is a risk that the cause of the failure may be delayed, or an erroneous failure response different from the response to the true failure cause may be performed.

  In the case B, as shown in FIG. 9B, the power supply device (distribution panel) 4 becomes unstable, and as a result, the devices 2 “B” and 2 “C” on the same floor. ”Is notified to the network monitoring device 1a. However, as shown in FIG. 9A, in the network monitoring device 1a, the power error of the device 2 “B” and the notification of the power error of the device 2 “C” are directly transmitted to the operator terminal 3 as alarm information. Only. Here, since the power supply device (distribution panel) 4 cannot give an alarm notification, the network administrator cannot directly recognize the cause of the true failure, causing a delay in identifying the cause of the failure, There is a risk of wrong failure handling that is different from the handling.

  The present invention has been made in view of such a problem, and the present invention relates to the relationship between a plurality of alarms from physical position information such as the installation location of the device, and estimates the cause of the failure. It is an object of the present invention to provide a network monitoring apparatus and a network monitoring method that can quickly identify the cause of failure.

  In order to solve the above-described problem, the invention according to claim 1 is a network monitoring device that receives alarm information from each device configuring a network and monitors a failure, and corresponds to identification information of each of the devices. In addition, the facility information in which the physical location information where the device is arranged is stored, and the cause of the failure that takes into account the physical location information of the device that has transmitted the alarm information, other than the device A storage unit for storing a cause scenario indicating a condition to be identified based on physical location information of another device and an alarm content of the alarm information from the other device, and the device from which the alarm information is transmitted Each time the alarm information including device identification information is received, an alarm receiver that stores the alarm information in the storage unit, and the device identification information included in the received alarm information, the The physical location information of the device that transmitted the alarm information is detected with reference to the device information, and using the detected physical location information and the alarm content included in the received alarm information, the cause scenario It is determined whether or not the alarm information of the other device that matches the condition for specifying the presumed cause is stored in the storage unit, and if it is stored, the alarm included in the received alarm information A network monitoring apparatus comprising: a cause analysis unit that identifies a cause of content as an estimated cause indicated by the cause scenario.

  The invention according to claim 3 is a network monitoring method of a network monitoring device that receives alarm information from each device constituting a network and monitors a failure, wherein the network monitoring device is a device for each of the devices. In association with the identification information, facility information in which physical location information where the device is arranged is stored, and an estimated cause of the failure in consideration of the physical location information of the device that has transmitted the alarm information, A storage unit for storing a cause scenario indicating a condition to be identified based on physical position information of a device other than the device and alarm content of alarm information from the other device; Each time the warning information including the identification information of the device is received from the device that has transmitted the information, the step of storing the warning information in the storage unit and the received warning information The device identification information is used to refer to the facility information, detect the physical location information of the device that has transmitted the alarm information, and include the detected physical location information and the received alarm information. If the alarm information of the other device that matches the condition for specifying the estimated cause in the cause scenario is stored in the storage unit, and stored And a step of identifying that the cause of the alarm content included in the received alarm information is an estimated cause indicated by the cause scenario.

As described above, the network monitoring device stores the alarm information received from the devices constituting the network in the storage unit, and refers to the facility information stored in the storage unit using the identification information of the device included in the alarm information. Then, the physical position information of the device that sent the alarm information is detected. Then, the network monitoring device stores the alarm information of the other device that matches the condition for specifying the presumed cause in the storage unit using the detected physical position information and the alarm content included in the received alarm information. The cause of the alarm content included in the received alarm information is identified as the presumed cause indicated in the cause scenario.
As a result, the network monitoring device can estimate the cause of the failure by taking into account the physical location information of the device. Therefore, even if it is not possible to identify the true cause of failure only from the alarm content of the alarm information sent from the device, it is possible to quickly identify the true cause of the failure and eliminate the risk of performing an incorrect failure response. it can.

  According to a second aspect of the present invention, the physical location information at which the device is arranged includes at least data center and floor information, and when the alarm information is received, the cause analysis unit The alarm information transmitted from the device located on the same floor is extracted from the storage unit, and it is determined whether there is alarm information that matches the condition in the extracted alarm information, and the condition is met. 2. The network monitoring device according to claim 1, wherein when there is alarm information to be performed, the cause of the alarm content included in the received alarm information is identified as an estimated cause indicated in the cause scenario. .

  By doing so, the network monitoring device is transmitted from the devices located on the same data center and the same floor as the device that transmitted the received alarm information, out of all the alarm information stored in the storage unit. It is possible to extract only the alarm information and determine whether or not the cause scenario conditions are met. Therefore, it is possible to reduce the processing load on the network monitoring device and identify the estimated cause more quickly.

  According to the present invention, a network monitoring device that quickly identifies the cause of a failure by unraveling the relationship between a plurality of alarms from physical location information such as the installation location of the device and estimating the cause of the failure, and A network monitoring method can be provided.

It is a figure for demonstrating the outline | summary of the cause analysis process which the network monitoring apparatus which concerns on this embodiment performs in case A (memory error generate | occur | produces due to thermal runaway). It is a figure for demonstrating the outline | summary of the cause analysis process which the network monitoring apparatus which concerns on this embodiment performs in case B (power supply error generate | occur | produces by failure of a power supply device). It is a functional block diagram which shows the structure of the network monitoring apparatus which concerns on this embodiment. It is a figure which shows the data structural example of the equipment information stored in equipment information DB which concerns on this embodiment. It is a figure which shows the data structural example of the cause scenario information stored in cause scenario DB which concerns on this embodiment. It is a flowchart which shows the flow of the process which the network monitoring apparatus which concerns on this embodiment performs. It is a figure which shows the prior art example which arrange | positions an apparatus and a link on a map, and displays the mark which shows an abnormal location superimposed. It is a figure for demonstrating the case (Case A: A memory error generate | occur | produced due to thermal runaway) where a true failure cause cannot be analyzed from the content of alarm information. It is a figure for demonstrating the case (Case B: A power supply error generate | occur | produces by the failure of a power supply device) where a true failure cause cannot be analyzed from the content of alarm information.

  Next, the network monitoring device 1 and the network monitoring method in a mode for carrying out the present invention (hereinafter referred to as “the present embodiment”) will be described.

<Outline of the invention>
First, an outline of the present invention will be described.
The network monitoring device 1 according to the present embodiment receives alarm information from each device 2 constituting the network, analyzes the physical position information (data center, floor, rack, etc.) of each device 2, and then The cause of the failure 2 is identified and transmitted to the operator terminal 3.

  Specifically, in the case of (Case A), the network monitoring apparatus 1 receives the memory error alarm information from the apparatus 2 “A”, for example, as shown in FIG. The physical location information of “A” is detected, and the cause information is analyzed together with the alarm information of other devices 2 arranged in the same rack (here, the alarm information of thermal runaway from the device “D”) ( Cause analysis process), a cause alarm message indicating the presumed cause obtained by the cause analysis process is notified to the operator terminal 3. In (Case A), the cause alarm message that estimates that the cause of the memory error of the device “A” is caused by the thermal runaway of the device “D” is notified to the operator terminal 3.

  In the case of (Case B) described above, the network monitoring device 1 receives the power supply error alarm information from the device 2 “B”, for example, as shown in FIG. The physical location information is detected, the alarm information of the other device 2 arranged on the same floor (here, the power error alarm information from the device “C”) is executed together, and the cause analysis process is executed. A cause warning message indicating the estimated cause obtained as a result is notified to the operator terminal 3. In (Case B), the operator terminal 3 is notified of a cause alarm message that is presumed to be caused by a failure of the power supply device (distribution panel).

  Thus, according to the network monitoring device 1 according to the present embodiment, when alarm information is acquired from each device 2, the cause of the failure is estimated by taking into account the physical position information of the device 2 or the like. As a result, even when the true cause of failure cannot be identified only from the alarm content of the alarm information transmitted from the device, the network monitoring device 1 quickly identifies the true cause of failure and sends the cause alarm to the operator terminal 3. Can be notified.

<Configuration of network monitoring device>
Next, the configuration of the network monitoring device 1 according to the present embodiment will be described.
FIG. 3 is a functional block diagram showing the configuration of the network monitoring device 1 according to the present embodiment.
The network monitoring device 1 is connected to each device 2 (device “A”,..., Device “D”,...) And the operator terminal 3 constituting the network, receives alarm information such as the occurrence of a failure from each device 2, After executing the cause analysis process, the cause alarm message is notified to the operator terminal 3.
The device 2 is a general network device to be monitored by the network monitoring device 1, and is, for example, a processing server, a router, a switch, or the like. The operator terminal 3 is a terminal device that is operated by a network administrator to manage the network, and is configured by a general computer.

As shown in FIG. 3, the network monitoring device 1 according to the present embodiment includes a control unit 10, an input / output unit 20, and a storage unit 30.
The input / output unit 20 inputs and outputs information between each device 2 and the operator terminal 3 that are connected for communication. The input / output unit 20 performs input / output between a communication interface (not shown) that transmits and receives information via a communication line, and an input means such as a keyboard and an output means (not shown) such as a monitor. It consists of an input / output interface.

  The storage unit 30 includes storage means such as a hard disk, flash memory, and RAM (Random Access Memory), and includes an alarm information DB (DataBase) 31 in which alarm information received from each device 2 is accumulated, and an equipment information DB 32 (described later). 4), a scenario scenario DB 33 (see FIG. 5 described later) and the like are stored.

The control unit 10 controls the network monitoring device 1 as a whole, and includes an alarm reception unit 11, a cause analysis unit 12, and a cause alarm notification unit 13, as shown in FIG.
The control unit 10 is realized by, for example, a CPU (not shown) developing and executing a program stored in the storage unit 30 on a RAM.

The alarm receiver 11 receives alarm information from each device 2 and stores it in the alarm information DB 31 in the storage unit 30. This alarm information is information including the identification information (for example, the apparatus ID, the address (IP address) of the apparatus, etc.) of the apparatus 2 that transmitted the alarm information, and the alarm contents. When receiving the alarm information from the device 2, the alarm receiving unit 11 stores the received date and time in the alarm information DB 31 in association with each other. The alarm information stored in the alarm information DB 31 may be deleted by the alarm receiver 11 after a predetermined period has elapsed. As a result, it is possible to appropriately secure an available memory capacity.
In addition, the alarm receiver 11 outputs the received alarm information to the cause analyzer 12.

The cause analysis unit 12 detects the physical position of the device 2 that has transmitted the alarm information from the acquired alarm information, and executes a cause analysis process such as a failure in consideration of the physical position.
Specifically, when the cause analysis unit 12 acquires the alarm information from the alarm reception unit 11, the identification information (device ID, device address, etc.) of the device 2 that transmitted the alarm information included in the alarm information is included. The facility information DB 32 is used to detect the physical position of the device 2 and then acquire the identification information of the device on the same floor as the device 2.

FIG. 4 is a diagram illustrating a data configuration example of the facility information 320 stored in the facility information DB 32 according to the present embodiment.
The facility information 320 stores physical position information in which the device 2 is arranged in association with identification information (device ID, device address, etc.) of the device 2. Specifically, as shown in FIG. 4, each item of the data center 323, the floor 324, the rack 325, and the unit 326 is included in the facility information 320 as physical location information in association with the device ID 321 and the address 322. Is stored.
The device ID 321 is identification information unique to the device in the network system.
The address 322 is an address (for example, an IP address) of the device indicated by the device ID 321.
The data center 323 is identification information of a base (facility, building, etc.) where the apparatus 2 is installed.
The floor 324 is identification information indicating the floor of the base where the apparatus 2 is installed.
The rack 325 is identification information of the rack 5 arranged on the floor where the apparatus 2 is installed.
The unit 326 is a unit number in the rack 5 in which the apparatus 2 is installed (for example, information indicating the step number from the top of the rack 5).
The facility information 320 may be stored in the storage unit 30 of the network monitoring device 1 as in this embodiment, or may be stored in an external DB device that is connected to the network monitoring device 1 for communication. It may be.

  The cause analysis unit 12 refers to the facility information 320 using the identification information (device ID or device address) of the device 2, and the physical location (data center 323, floor 324, rack 325, Unit 326).

And the cause analysis part 12 identifies the apparatus 2 located on the same floor as the detected apparatus 2 using the information of the data center 323 and the floor 324 among the information which shows the physical position of the detected apparatus 2. Information (device ID 321 and address 322) is acquired.
The cause analysis unit 12 refers to the alarm information DB 31 in the storage unit 30 by using the acquired identification information of the device 2 located on the same floor, and extracts the alarm information transmitted from the device 2 located on the same floor. .

  Subsequently, the cause analysis unit 12 refers to the cause scenario DB 33 stored in the storage unit 30 using the alarm content included in the received alarm information, and specifies the estimated cause of the failure indicated in the alarm content. I do.

FIG. 5 is a diagram showing a data configuration example of the cause scenario information 330 stored in the cause scenario DB 33 according to the present embodiment.
The cause scenario information 330 stores a cause scenario indicating a condition for identifying an estimated cause of a failure in consideration of physical location information of the device 2 that has transmitted the alarm information. Specifically, as shown in FIG. 5, the cause scenario information 330 stores items of alarm contents 331, cause scenarios 332, and estimated causes 333.
The alarm content 331 stores the type of alarm content included in the alarm information received from each device 2 by the network monitoring device 1. For example, alarm contents such as “memory error” and “power supply error” are stored.

In the cause scenario 332, a scenario (condition for estimating the cause of the failure) for estimating the cause of the failure corresponding to the alarm content 331 is defined. In the cause scenario 332, in order to estimate the cause of the failure based on the physical position information of the device 2 other than the device 2 that transmitted the alarm information and the alarm content of the alarm information transmitted by the other device 2. The conditions are defined.
Specifically, in association with the case where the alarm content 331 is “memory error”, a cause scenario 332 of “there is a thermal runaway alarm from another device in the same data center, the same floor, the same rack, and an adjacent unit”. When there is alarm information from another device 2 that satisfies this condition, the content shown in the presumed cause 333 (here, “the thermal runaway of the adjacent device (cause of memory error)”) Identified.
Here, the adjacent device means, for example, a vertical relationship when units are installed vertically in each rack 5, that is, a device that is physically close and adjacent to each other.

  In addition, a cause scenario 332 of “There is a power error alarm from another device on the same data center and the same floor” is defined in association with the case where the alarm content 331 is “power error”. When the alarm information from the device 2 is present, it is specified as the content indicated by the estimated cause 333 (here, “cause of failure of the power supply device (distribution panel)”).

  The estimated cause 333 stores information indicating a cause that is estimated when the condition defined in the cause scenario 332 is satisfied.

  The cause analysis unit 12 identifies an estimated cause of a failure or the like by determining whether or not alarm information matching the condition of the cause scenario 332 is received using the alarm content of the received alarm information.

The cause alarm notification unit 13 generates a cause alarm message including information on the estimated cause identified by the cause analysis unit 12 and notifies the operator terminal 3 via the input / output unit 20.
If the cause alarm notification unit 13 cannot identify the cause of the failure or the like because the alarm information corresponding to the cause scenario 332 is not stored in the alarm information DB 31 as a result of the cause analysis process of the cause analysis unit 12 Alternatively, the alarm information received from each device 2 by the network monitoring device 1 may be transmitted to the operator terminal 3 as it is.

<Process flow>
Next, processing executed by the network monitoring device 1 will be described with reference to FIG.
FIG. 6 is a flowchart showing the flow of processing executed by the network monitoring apparatus 1 according to this embodiment.

  First, the alarm receiver 11 of the network monitoring device 1 receives alarm information from any of the devices 2 (step S1). The alarm receiving unit 11 stores the received alarm information in the alarm information DB 31 in the storage unit 30 and outputs the alarm information to the cause analysis unit 12.

  When the cause analysis unit 12 of the network monitoring device 1 acquires the alarm information, it uses the identification information (device ID, device address, etc.) of the device 2 that issued the alarm included in the alarm information, and the facility information DB 32 ( Referring to FIG. 4), the physical position (data center, floor, rack, unit, etc.) of the device is detected (step S2).

  Subsequently, the cause analysis unit 12 refers to the facility information DB 32 based on information indicating the physical position of the device 2 that issued the alarm, and identifies device identification information (device ID and device address) on the same floor as the device. Information, etc.) is acquired (step S3).

  Next, the cause analysis unit 12 refers to the alarm information DB 31 (FIG. 3) in the storage unit 30 using the acquired identification information of the device 2 located on the same floor, and transmits from the device 2 located on the same floor. The alarm information is extracted (step S4).

  Then, the cause analysis unit 12 refers to the cause scenario DB 33 (FIG. 5) in the storage unit 30, and causes corresponding to the alarm contents 331 (for example, “memory error”, “power supply error”, etc.) of the target alarm information. Based on the scenario 332, it is determined whether there is alarm information that satisfies the conditions of the cause scenario 332 among the alarm information extracted in step S4 (step S5).

  When alarm information corresponding to the condition of the cause scenario 332 is extracted in step S5 (step S5 → Yes), the cause analysis unit 12 includes the estimated cause 333 corresponding to the cause scenario 332 in the cause scenario information 330. Information is acquired and an estimated cause such as a failure is identified (step S6).

  And the cause alarm notification part 13 of the network monitoring apparatus 1 produces | generates the cause alarm message containing the information of the presumed cause specified in step S6, and notifies it to the operator terminal 3 (step S7). Then, the network monitoring device 1 ends the process.

  On the other hand, in step S5, when there is no alarm information corresponding to the condition of the cause scenario 332 (step S5 → No), the cause alarm notification unit 13 sends the alarm information received in step S1 to the operator terminal 3 as it is. Transmit (step S8). Then, the network monitoring device 1 ends the process.

In the description of the processing executed by the network monitoring device 1 shown in FIG. 6, in step S3, the cause analysis unit 12 uses the identification information (device ID, device address information, etc.) of the device on the “same floor”. It acquired, and it demonstrated as what extracts alarm information from the apparatus 2 located in "the same floor" with reference to alarm information DB31 in step S4.
However, the present embodiment is not limited to this processing flow, and may be as follows.
In step S3, the network monitoring device 1 converts the physical position range of the device identification information (device ID, device address information, etc.) acquired by the cause analysis unit 12 into the alarm content included in the acquired alarm information. It is set in advance in association with each other. For example, if the alarm content is “memory error”, the cause analysis unit 12 sets the identification information range of the other device 2 acquired in step S3 to the identification information of the device 2 of “same rack”. . In step S <b> 4, the cause analysis unit 12 refers to the alarm information DB 31 and extracts alarm information from the device 2 located in “same rack”. Further, if the alarm content is “power error”, the cause analysis unit 12 sets the identification information range of the other device acquired in step S3 to the identification information of the device 2 on the “same floor”. In step S4, the cause analysis unit 12 refers to the alarm information DB 31 and extracts the alarm information from the device 2 located on the “same floor”.

  By doing in this way, the network monitoring apparatus 1 is limited to the range that may be related to the cause analysis of the alarm information to be actually processed from all the alarm information stored in the alarm information DB 31. Information can be extracted. Therefore, it is possible to reduce the processing load of the network monitoring device 1 and specify the estimated cause more quickly.

  As described above, according to the network monitoring device 1 and the network monitoring method according to the present embodiment, when alarm information is acquired from each device 2, a failure occurs in consideration of physical location information of the device 2 or the like. Estimate the cause. Thereby, even when the true cause of the failure cannot be specified only from the alarm contents from the device that has notified the alarm, the true cause of the failure can be quickly identified and notified to the operator terminal 3.

1 Network monitoring device 2 Device 3 Operator terminal 4 Power supply device (distribution panel)
5 rack 10 control unit 11 alarm reception unit 12 cause analysis unit 13 cause alarm notification unit 20 input / output unit 30 storage unit 31 alarm information DB
32 Equipment information DB
33 Cause scenario DB
320 Equipment information 330 Cause scenario information

Claims (3)

A network monitoring device that receives alarm information from each device constituting a network and monitors a failure,
In association with the identification information of each of the devices, the facility information in which the physical location information where the device is arranged is stored, and the failure information that takes into account the physical location information of the device that has transmitted the alarm information A storage unit for storing a cause scenario indicating a condition for specifying an estimated cause based on physical position information of another device other than the device and an alarm content of alarm information from the other device;
Each time the alarm information including the identification information of the device is received from the device that has transmitted the alarm information, an alarm receiving unit that stores the alarm information in the storage unit,
Using the device identification information included in the received alarm information, referring to the facility information, detecting the physical location information of the device that has transmitted the alarm information, and detecting the detected physical location information and Using the alarm content included in the received alarm information, it is determined whether alarm information of the other device that matches the condition for specifying the estimated cause in the cause scenario is stored in the storage unit. And, if stored, a cause analysis unit that identifies that the cause of the alarm content included in the received alarm information is an estimated cause indicated in the cause scenario,
A network monitoring device comprising: The physical location information where the device is located includes at least data center and floor information;
When the alarm information is received, the cause analysis unit extracts the alarm information transmitted from the devices located on the same data center and the same floor from the storage unit, and in the extracted alarm information, the condition It is determined whether there is alarm information that matches the condition, and if there is alarm information that matches the condition, the cause of the alarm content included in the received alarm information is an estimated cause indicated in the cause scenario The network monitoring device according to claim 1, wherein the network monitoring device is specified. A network monitoring method of a network monitoring device that receives alarm information from each device constituting a network and monitors a failure,
The network monitoring device
In association with the identification information of each of the devices, the facility information in which the physical location information where the device is arranged is stored, and the failure information that takes into account the physical location information of the device that has transmitted the alarm information A storage unit for storing a cause scenario indicating a condition for specifying an estimated cause based on physical position information of a device other than the device and an alarm content of alarm information from the other device; And
Every time the alarm information including the identification information of the device is received from the device that has transmitted the alarm information, the step of storing the alarm information in the storage unit;
Using the device identification information included in the received alarm information, referring to the facility information, detecting the physical location information of the device that has transmitted the alarm information, and detecting the detected physical location information and Using the alarm content included in the received alarm information, it is determined whether alarm information of the other device that matches the condition for specifying the estimated cause in the cause scenario is stored in the storage unit. And, if stored, identifying the cause of the alarm content included in the received alarm information as the presumed cause indicated in the cause scenario,
The network monitoring method characterized by performing.