JP7208505B2 - Judgment method, information processing device, and judgment program - Google Patents

Description

The present invention relates to a determination method, an information processing apparatus, and a determination program.

An information processing system is provided with a management server, and the management server manages the operation of the entire system. Further, when each device in the information processing system individually detects some event, it transmits a message to notify the event to the management server. When the management server receives a message sent from each device, it analyzes the message and determines whether or not it is necessary to deal with the event that has occurred.

As a related technique, for example, a technique has been proposed for determining whether a failure message is serious or non-serious based on the appearance probability of words contained in the acquired failure message. Also, a technique has been proposed for extracting an event whose content is not included in the definition during message pattern matching and monitoring the occurrence of the event.

Furthermore, a technology has been proposed that compares driving status messages with individual patterns in a pattern file, distinguishes failure messages from other messages, and notifies the user of them. Furthermore, a technique has been proposed for extracting useful documents by text mining that sorts information documents into positive and negative examples.

JP 2017-142549 A JP 2012-234381 A Japanese Patent Application Laid-Open No. 2001-292143 JP 2017-107391 A

When the management server determines that the received message requires a countermeasure, the management server outputs the message to the screen and notifies the administrator. As a result, the administrator can perform maintenance work based on the notified message to eliminate events such as malfunctions that have occurred in the system.

However, in the judgment processing based on conventional message analysis, if a message sent from a device under the control of the management server is an unknown message or an undefined message that is received for the first time, even though it is an event that requires an operational response, There is a possibility of erroneously judging that it is unnecessary. In this case, the administrator is not notified of the message requiring action, and the occurrence of an event to be dealt with is not notified.

In one aspect, an object of the present invention is to provide a determination method, an information processing apparatus, and a determination program for suppressing omission of notification of the occurrence of an event to be dealt with.

A determination method is provided to solve the above problems. As a determination method, the computer performs a first determination process based on a message output from the device to determine whether or not the device indicated by the message needs to be dealt with. is specified, and based on the specified process content, a second determination process is performed to determine whether or not the device indicated by the message needs to be dealt with.

Further, in order to solve the above problems, an information processing apparatus is provided that executes control similar to the above determination method.
Furthermore, in order to solve the above problems, there is provided a determination program that causes a computer to perform control similar to the above determination method.

According to one aspect, it is possible to suppress omission of notification of the occurrence of an event to be dealt with.

It is a figure for demonstrating an example of an information processing apparatus. It is a figure which shows one structural example of an information processing system. It is a figure which shows one structural example of the hardware of an operation management server. It is a figure which shows an example of the functional block of an information processing system. 4 is a diagram showing an example of information stored in a configuration management DB; FIG. FIG. 10 is a diagram showing an example of information stored in a MW change operation command DB; FIG. 5 is a diagram showing an example of information stored in an OS change operation command DB; FIG. FIG. 10 is a diagram showing an example of information stored in a file change operation command DB; FIG. It is a figure which shows an example of the storage information of DB for a notification. 4 is a flow chart showing an example of the overall operation of an operation management server; FIG. 11 is a flowchart showing an operation example of detection processing of a message requiring handling based on presence/absence of a change operation; FIG. FIG. 11 is a flowchart showing an operation example of detection processing of a handling-required message based on the presence or absence of a performance abnormality; FIG. FIG. 10 is a flowchart showing an operation example when a related server is set as a monitoring target; FIG. It is a figure which shows an example of the storage state of DB for a notification. It is a figure which shows an example of the storage state of DB for a notification. It is a figure which shows an example of a message collection screen. FIG. 10 is a diagram showing an example of a command history table; FIG. It is a figure which shows an example of a performance state table.

Hereinafter, this embodiment will be described with reference to the drawings.
[First embodiment]
A first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining an example of an information processing device. The information processing device 1 includes a control unit 1a and a storage unit 1b. A device 2 is connected to the information processing device 1 . The information processing device 1 corresponds to, for example, a management server, and the device 2 corresponds to, for example, a server under the control of the management server.

When some event is detected in device 2 , message m 1 is sent from device 2 to information processing device 1 . Control unit 1 a receives message m 1 output from device 2 . The storage unit 1b stores messages received by the control unit 1a.

When the control unit 1a receives the message m1, it performs determination processing for determining whether the message m1 is a message indicating that the event detected by the device 2 needs to be dealt with, or a message indicating that no action is required. .

This determination processing includes two stages of determination processing, a first determination processing and a second determination processing. The control unit 1a first performs the first determination process to determine whether the message m1 needs to be dealt with. If the message m1 is determined to require handling in the first determination process, the controller 1a notifies that handling is required. Further, when it is determined in the first determination process that no action is required, the second determination process is performed.

When the control unit 1a determines that the message m1 does not need to be dealt with by the first determination processing, the control unit 1a specifies the processing executed by the device 2 during the specific period before the message m1 is output from the device 2, and determines the specified processing. Based on the content, a second determination process is performed to determine whether or not the device 2 indicated by the message m1 needs to be dealt with. If the message m1 is determined to require handling in the second determination process, the control unit 1a notifies that handling is required.

The operation will be described using the example shown in FIG.
[Step S1] A message m1 is sent from the device 2 to the information processing device 1. FIG. The control unit 1a receives the message m1 and stores the message m1 in the storage unit 1b.

[Step S2] The control unit 1a executes the first determination process for the message m1. As the first determination process, for example, message analysis is performed. In the message analysis, a message pattern to be handled is registered in advance in a filter definition, and based on this filter definition, the message m1 is filtered and sorted into a message requiring handling or a message not requiring handling.

[Step S3] If the first determination process determines that the message m1 does not need to be dealt with, the process proceeds to step S4. If it is determined that the message m1 needs to be dealt with, the process proceeds to step S8.
[Step S4] The control unit 1a executes the second determination process for the message m1 for which it has been determined in the first determination process that no action is required. In the second determination process, the processing content executed by the device 2 during a specific period before the message m1 is output from the device 2 (before the control unit 1a receives the message m1) is specified, and the specified processing content Based on this, it is re-determined whether or not the device 2 indicated by the message m1 needs to be dealt with. Further, the second determination processing includes processing for detecting an action-required message based on the presence or absence of a change operation and performance abnormality, as shown in steps S5 and S6 below.

[Step S5] The control unit 1a pre-registers change operation details to be handled in the apparatus 2, and detects whether or not the specified process content exists among the registered change operation details. I do. If the specified processing content exists in the registered change operation content, the process proceeds to step S8, and if not, the process proceeds to step S6.

[Step S6] The control unit 1a performs a detection process to determine whether or not the identified processing content is a performance abnormality of the apparatus 2. FIG. If the identified processing content is the performance abnormality of the device 2, the process proceeds to step S8, and if not the performance abnormality, the process proceeds to step S7.

[Step S7] The control unit 1a determines that no action is required for the message m1, and notifies the message m1 of the determination result by means of display or the like.
[Step S8] The control unit 1a determines that the message m1 needs to be dealt with, and notifies the result of the determination that the message m1 needs to be dealt with by means of a display or the like.

In this way, when the information processing device 1 determines that the message m1 does not need to be dealt with by the first determination processing, the information processing device 1 identifies the processing executed by the device 2 during the specific period before receiving the message m1, and Based on the content, a second determination process is performed for re-determining whether or not the device 2 indicated by the message m1 needs to be dealt with.

As a result, it is possible to pick up, by the second determination process, a message that actually requires an operational response from among the messages that have been determined to require no handling by the first determination process. Therefore, even if a message not registered in the filter definition slips through the first determination process, the second determination process, which is different from the message analysis based on the filter definition, is used to re-determine, thereby preventing erroneous determination. In addition, it is possible to suppress omission of notification of the occurrence of an event to be dealt with.

[Second embodiment]
A second embodiment in which the functions of the present invention are applied to an information processing system will now be described in detail. FIG. 2 is a diagram illustrating a configuration example of an information processing system. The information processing system 1-1 includes an operation management server 10, a server to be monitored 20, related servers 30-1, . . . , 30-n, and a maintenance terminal . The operation management server 10 is connected via a network 110 to the monitored server 20 and related servers 30-1, .

The operation management server 10 performs operation management of the monitored server 20 and related servers 30-1, . . . , 30-n. The monitored server 20 is a server to be monitored by the operation management server 10, and corresponds to, for example, a business server that manages internal business data.

The related servers 30-1, . For example, the related servers 30-1, . do.

In the information processing system 1-1, when an event is detected in the monitored server 20 and the related servers 30-1, . The operation management server 10 has the functions of the information processing device 1 of FIG. The result is transmitted to maintenance terminal 40 .

<Hardware>
FIG. 3 is a diagram illustrating a configuration example of hardware of an operation management server. The operation management server 10 is entirely controlled by a processor 101 . That is, the processor 101 functions as a controller of the operation management server 10 . A memory 102 and a plurality of peripheral devices are connected to the processor 101 via a bus 109 . Processor 101 may be a multiprocessor.

The processor 101 is, for example, a CPU (Central Processing Unit), MPU (Micro Processing Unit), or DSP (Digital Signal Processor). At least part of the functions of the processor 101 may be realized by an electronic circuit such as an ASIC (Application Specific Integrated Circuit) or a PLD (Programmable Logic Device).

The memory 102 is used as the main storage device of the operation management server 10 . The memory 102 temporarily stores at least part of an OS (Operating System) program and application programs to be executed by the processor 101 . In addition, the memory 102 stores various data necessary for processing by the processor 101 . As the memory 102, for example, a volatile semiconductor memory device such as a RAM (Random Access Memory) is used.

Peripheral devices connected to the bus 109 include a HDD (Hard Disk Drive) 103 , a graphic processing device 104 , an input interface 105 , an optical drive device 106 , a device connection interface 107 and a network interface 108 .

The HDD 103 magnetically writes data to and reads data from an internal disk. The HDD 103 is used as an auxiliary storage device for the operation management server 10 . The HDD 103 stores OS programs, application programs, and various data. A non-volatile semiconductor storage device such as a flash memory can also be used as the auxiliary storage device.

A monitor 201 is connected to the graphics processing unit 104 . The graphics processing unit 104 displays an image on the screen of the monitor 201 according to instructions from the processor 101 . Examples of the monitor 201 include a display device using a CRT (Cathode Ray Tube), a liquid crystal display device, and the like.

A keyboard 202 and a mouse 203 are connected to the input interface 105 . The input interface 105 transmits signals sent from the keyboard 202 and mouse 203 to the processor 101 .

Note that the mouse 203 is an example of a pointing device, and other pointing devices can also be used. Other pointing devices include touch panels, tablets, touch pads, trackballs, and the like.

The optical drive device 106 uses laser light or the like to read data recorded on the optical disk 204 . The optical disc 204 is a portable recording medium on which data is recorded so as to be readable by light reflection. The optical disc 204 includes a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc Read Only Memory), a CD-R (Recordable)/RW (Re-Writable), and the like.

The device connection interface 107 is a communication interface for connecting peripheral devices to the operation management server 10 . For example, a memory device 205 and a memory reader/writer 206 can be connected to the device connection interface 107 . The memory device 205 is a recording medium equipped with a communication function with the device connection interface 107 . The memory reader/writer 206 is a device that writes data to the memory card 207 or reads data from the memory card 207 . The memory card 207 is a card-type recording medium.

Network interface 108 is connected to network 110 . The network interface 108 transmits/receives data to/from the monitored server 20, the related servers 30-1, .

With the hardware configuration as described above, the processing functions of the second embodiment can be realized. The information processing apparatus 1 shown in the first embodiment can also be realized by hardware similar to the operation management server 10 shown in FIG.

The operation management server 10 implements the processing functions of the second embodiment by executing a program recorded in a computer-readable recording medium, for example. A program describing the contents of processing to be executed by the operation management server 10 can be recorded in various recording media.

For example, a program to be executed by the operation management server 10 can be stored in the HDD 103 . Processor 101 loads at least part of the program in HDD 103 into memory 102 and executes the program. The program to be executed by the operation management server 10 can also be recorded in a portable recording medium such as the optical disk 204, memory device 205, memory card 207, or the like.

A program stored in a portable recording medium can be executed after being installed in the HDD 103 under the control of the processor 101, for example. Alternatively, the processor 101 can read and execute the program directly from the portable recording medium.

<Functional block>
FIG. 4 is a diagram illustrating an example of functional blocks of an information processing system. Illustration of the network 110 is omitted. Further, hereinafter, the related servers 30-1, . . . , 30-n are collectively referred to as related servers 30.

The monitored server 20 has a log manager 21 and a message transmitter 22 . The log management unit 21 manages logs (recorded information) of operations of the monitored server 20 . The log management unit 21 manages, for example, a system log 21a, an application log 21b, a MW (Middleware) log 21c, and a performance log 21d.

The system log 21a is a log based on the OS of the monitored server 20, and includes, for example, program activation and termination, administrator logon/logoff, hardware or software errors, and the like. The application log 21b is a log relating to the behavior of the application during operation, and includes, for example, the activation and termination of the process when the application is executed, the execution status of the application, the operation status of files, and the like.

The MW log 21c is a log related to middleware executed by the monitored server 20, and includes, for example, middleware command execution results and middleware errors. The performance log 21d is a log relating to the performance of the monitored server 20. For example, the usage rate of the CPU and storage devices, the connection status of the network with which the monitored server 20 communicates, the number of CPU accesses per unit time, the response time, and the like are recorded. be.

When the message transmission unit 22 detects the occurrence of some event from various logs managed by the log management unit 21, the message transmission unit 22 generates a message indicating the detected event and transmits the message to the upper operation management server 10. - 特許庁

The related server 30 has a log manager 31 and a message transmitter 32 . The log management unit 31 manages, for example, a system log 31a, an application log 31b, a MW log 31c, and a performance log 31d in the related server 30. FIG. Various logs managed by the log management unit 31 and operations of the message transmission unit 32 are the same as those of the above-described components of the monitored server 20, so description thereof will be omitted.

The operation management server 10 has a control section 11 , a storage section 12 , a message reception section 13 and an output display section 14 . The message receiving unit 13 receives messages transmitted from the monitored server 20 and related servers 30 and transmits the received messages to the control unit 11 .

The control unit 11 stores the attributes of the received message in the notification DB 12 a in the storage unit 12 . Further, the control unit 11 performs determination processing p1 (first determination processing) on the received message, and registers necessity of handling in the notification DB 12a. Furthermore, the control unit 11 transmits to the output display unit 14 a message determined to require handling in the determination process p1.

Message analysis is performed in the determination process p1. In the message analysis, based on a filter definition in which a message pattern requiring action is registered in advance, a process is performed in which a message that matches the filter definition is treated as needing action, and a message that does not match is judged as needing no action.

Note that the above message analysis can also be performed by machine learning. That is, it is also possible to find the regularity of the necessity of handling from the received message, and determine the necessity of handling the message by message analysis based on machine learning that automates the regularity.

On the other hand, the control unit 11 performs the determination process p2 (second determination process) on the message registered in the notification DB 12a as requiring no action by the determination process p1. In the determination process p2, for the message determined to require no action by the determination process p1, the details of the process executed by the monitored server 20 or the related server 30 during a specific period before the message is received are specified, and the specified process details are determined. Re-determine whether or not the message needs to be dealt with based on the above.

The determination process p2 includes a message detection process p21 based on the presence or absence of a change operation and a message detection process p22 based on the presence or absence of a performance abnormality (details of the determination process p2 will be described later). Then, the control unit 11 registers the necessity of handling in the notification DB 12a, and when detecting a message determined to require handling in the determination processing p2, transmits the message to the output display unit .

The output display unit 14 outputs and displays on the maintenance terminal 40 the operational status of the entire system and whether or not messages need to be dealt with. For example, the output display unit 14 performs display control for outputting the message transmitted from the control unit 11 to the console screen of the maintenance terminal 40, and notifies the administrator of the message requiring action.

In this way, the control unit 11 performs a two-stage determination process on the message that has been sent to the operation management server 10, thereby suppressing omission of notification of a message that requires handling. Note that the control unit 11 may execute the determination processes p1 and p2 upon receipt of the message, or may execute the determination processes p1 and p2 after receiving an execution instruction from the maintenance terminal 40. .

The storage unit 12 has a notification DB 12a and a reference DB 12b. The reference DB 12b includes a configuration management DB 12b1, a MW change operation command DB 12b2, an OS change operation command DB 12b3, and a file change operation command DB 12b4.

The notification DB 12a stores the message, the date and time when the message was received, and the originator of the message as attributes of the message. In addition, the notification DB 12a stores the command name when a change operation is performed on the monitored server 20 or the related server 30, the part where the performance abnormality occurs, and the necessity of countermeasures.

The configuration management DB 12b1 stores the relationships between the monitored servers 20 and the related servers 30. FIG. The MW change operation command DB 12b2 stores command names associated with change operations among MW commands. The OS change operation command DB 12b3 stores command names associated with change operations among OS commands. The file change operation command DB 12b4 stores a command name associated with a file change operation and an execution target of the file change operation. Examples of information stored in each DB will be described later with reference to FIGS. 5 to 9. FIG.

Note that the control unit 11 is realized by the processor 101 in FIG. 3, and the storage unit 12 is realized by the memory 102 in FIG. The message receiving unit 13 is realized by the network interface 108 in FIG. 3, and the output display unit 14 is realized by the graphic processing device 104 in FIG.

<DB storage information>
Next, examples of information stored in each DB in the storage unit 12 of the operation management server 10 will be described with reference to FIGS. 5 to 9. FIG. FIG. 5 is a diagram illustrating an example of information stored in a configuration management DB; The configuration management DB 12b1 has items of monitored servers and related servers, and stores related server information in which the identifier of a server to be monitored by the operation management server 10 and the identifier of a server related to the server are paired. It is a DB that is used.

In the example of FIG. 5, if the server to be monitored is the server SV0, its related servers are the servers SV1 and SV2. It also shows that when the server to be monitored becomes the server SV1, its related server is the server SV0, and when the server to be monitored becomes the server SV2, its related server is the server SV0.

FIG. 6 is a diagram showing an example of information stored in the MW change operation command DB. The MW change operation command DB 12b2 has items of MW change operation commands, and is a DB in which commands associated with middleware change operations are stored in advance. In the example of FIG. 6, /opt/FJSVfwsec/bin/mpsetmem*** is stored as the MW change operation command.

FIG. 7 is a diagram illustrating an example of information stored in an OS change operation command DB; The OS change operation command DB 12b3 is a DB that has an item of OS change operation commands and stores in advance commands associated with OS change operations. In the example of FIG. 7, the OS change operation command is /etc/rc. d/init. d/iptablesstart and kill (a command to terminate a running process) are stored.

FIG. 8 is a diagram showing an example of information stored in a file change operation command DB. The file change operation command DB 12b4 is a DB that has items for file change operation commands and file change operation execution targets, and stores commands accompanying file change operations in advance. In the example of FIG. 8, Linux (registered trademark) commands are shown, and cp, mv, chmod, rm, and vi commands are stored as file change operation commands.

cp is a command for copying files, mv is a command for moving files, and chmod is a command for changing file permissions. Also, rm is a command for deleting files, and vi is a command for activating a text editor.

Note that the file change operation execution object of the cp command is /etc/***, and the definition file of the cp command is shown in the /etc/*** directory. It is shown that the file change operation execution target of the mv command is /opt/###, and the definition file of the mv command is in the /opt/### directory. The file change operation execution object of the chmod command is 755, and it is indicated that the permission of the file 755 is changed by the chmod command.

FIG. 9 is a diagram showing an example of information stored in a notification DB. The notification DB 12a has items of date and time, message, sender, monitoring target server change operation, monitoring target server performance abnormality, related server, related server change operation, related server performance abnormality, and necessity of countermeasure.

In column CL1, the operation management server 10 receives the message abc at 09:33:12 on October 12, 2018, and the sender of the message abc is the middleware MpAosfv in the monitored server 20. Also, the kill 128 command is input to the monitored server 20 . Therefore, since the monitoring target server 20 has been changed by the command, it is determined that the message abc needs to be dealt with.

In column CL2, the operation management server 10 receives the message def at 10:00:12 on October 12, 2018, and the sender of the message def is the middleware MpAosfv in the monitored server 20. Also, a performance abnormality has occurred in the CPU of the monitored server 20 . Therefore, since the monitored server 20 has a performance abnormality, it is determined that the message def needs to be dealt with.

In column CL3, message ghi was received by operation management server 10 at 10:35:12 on October 12, 2018, and the source of message ghi is middleware APPMGR in related server SV1. Also, a command of vi*** is input to the related server SV1. Therefore, since the related server SV1 has performed the file change operation by the command, it is determined that the message ghi needs to be dealt with.

In column CL4, the message jkl was received by the operation management server 10 at 11:15:12 on October 12, 2018, and the sender of the message jkl is the middleware APPMGR in the related server SV2. Also, a performance abnormality has occurred in the CPU of the related server SV2. Therefore, since the related server SV2 has a performance abnormality, it is determined that the message jkl needs to be dealt with.

In column CL5, the message mno was received by the operation management server 10 at 12:25:12 on October 12, 2018, and the sender of the message mno is the middleware APPMGR in the monitored server 20. In addition, the monitoring target server 20 does not receive any input of a command for performing a change operation, nor does any performance abnormality occur. Therefore, message mno is determined to require no action.

<Flowchart>
Next, operations of the operation management server 10 will be described with reference to flowcharts of FIGS. 10 to 13. FIG. FIG. 10 is a flow chart showing an example of the overall operation of the operation management server.

[Step S10] When receiving a message, the control unit 11 stores the message, the date and time when the message was received, and the originator of the message as attributes of the message in the notification DB 12a.

[Step S11] The control unit 11 executes determination processing p1 on the message.
[Step S12] If the determination process p1 determines that the message does not require handling, the process proceeds to step S13. If the determination process p1 determines that the message requires handling, the process proceeds to step S18.

[Step S13] The control unit 11 executes determination processing p2 through steps S13 to S17 for messages determined to require no action in determination processing p1. The control unit 11 performs a detection process p21 of a message requiring handling based on the presence or absence of a change operation in the determination process p2 (details will be described later with reference to FIG. 11).

[Step S14] The control unit 11 executes the process p21 for detecting a message requiring action based on whether or not a change operation has been performed, thereby determining whether or not a change operation command has been stored in the monitoring target server change operation item of the notification DB 12a. to decide. If the change operation command is stored, the process proceeds to step S18, and if the change operation command is not stored, the process proceeds to step S15.

[Step S15] The control unit 11 performs a process p22 for detecting a message that requires handling based on the presence or absence of a performance abnormality in the determination process p2 (details will be described later with reference to FIG. 12).
[Step S16] The control unit 11 executes the processing p22 for detecting a message requiring action based on the presence or absence of a performance abnormality, thereby determining whether or not a performance abnormality point is stored in the monitored server performance abnormality item of the notification DB 12a. to decide. If the performance abnormality point is stored, the process proceeds to step S18, and if the performance abnormality point is not stored, the process proceeds to step S17.

[Step S17] Since the control unit 11 does not detect that the message needs to be dealt with from the processing contents of the monitored server 20, it executes the judgment processing p2 for the related server 30 (described later in FIG. 13).

[Step S18] The control unit 11 registers the need for action in the item indicating whether or not action is required for the message in the notification DB 12a.
[Step S19] The control section 11 transmits to the output display section 14 the message in which the need for action is registered in the notification DB 12a. The message determined to require handling is transmitted to the maintenance terminal 40 by the output display unit 14 and displayed.

FIG. 11 is a flow chart showing an operation example of detection processing of a message requiring handling based on the presence or absence of a change operation.
[Step S<b>13 a ] The control unit 11 collects a history of commands input to the monitored server 20 . That is, the control unit 11 collects command histories from each of the system log 21a, the application log 21b, and the MW log 21c managed by the log management unit 21 in the monitored server 20. FIG.

[Step S13b] From the command history, the control unit 11 acquires commands input during a specific period before receiving the message (for example, immediately before receiving the message).
[Step S13c] The control unit 11 determines whether or not there is one or more acquired commands. If one or more commands have been acquired, the process proceeds to step S13d, and if no commands have been acquired, the process proceeds to step S14 in FIG.

[Step S13d] The control unit 11 determines whether the command acquired in step S13b is among the commands stored in advance in the MW change operation command DB 12b2, the OS change operation command DB 12b3, and the file change operation command DB 12b4 in the reference DB 12b. Exists or not. The process of step S13d including steps S13d1 to 13d5 is repeated by the number of acquired commands.

[Step S13d1] The control unit 11 refers to the MW change operation command DB 12b2 and searches whether or not the acquired command exists among the commands stored in the MW change operation command DB 12b2. If the acquired command exists, the process proceeds to step S13d5, and if not, the process proceeds to step S13d2.

[Step S13d2] The control unit 11 refers to the OS change operation command DB 12b3, and determines whether or not the acquired command exists among the commands stored in the OS change operation command DB 12b3. If the acquired command exists, the process proceeds to step S13d5, and if not, the process proceeds to step S13d3.

[Step S13d3] The control unit 11 refers to the file change operation command DB 12b4, and determines whether or not the acquired command exists among the commands stored in the file change operation command DB 12b4. If the acquired command exists, the process proceeds to step S13d4, and if not, the process proceeds to step S14 in FIG.

[Step S13d4] The control unit 11 determines whether or not there is a file change operation execution target in the file change operation command DB 12b4 for the acquired command. If the file change operation execution target exists, the process proceeds to step S13d5, and if not, the process proceeds to step S14 in FIG.

[Step S13d5] The control unit 11 recognizes that the command acquired in step S13b is a command for changing the monitored server 20, and adds it to the monitoring target server change operation item of the notification DB 12a. , to store the obtained command. The process proceeds to step S14 in FIG.

FIG. 12 is a flow chart showing an operation example of detection processing of a message requiring handling based on the presence or absence of a performance abnormality.
[Step S15a] The control unit 11 acquires the performance log 21d managed by the log management unit 21 in the monitored server 20 for a specific period before receiving the message.

[Step S15b] The control unit 11 compares the CPU usage rate in the performance log 21d with a threshold value, and detects whether or not a CPU usage rate error has occurred in which the CPU usage rate exceeds the threshold value for a predetermined time. If a CPU utilization error is detected, the process proceeds to step S15f, and if not detected, the process proceeds to step S15c.

[Step S15c] The controller 11 compares the disk usage rate in the performance log 21d with a threshold value, and detects whether or not a disk usage error has occurred in which the disk usage rate exceeds the threshold value. If a disk usage error is detected, the process proceeds to step S15f, and if not detected, the process proceeds to step S15d.

[Step S15d] The control unit 11 compares the memory usage rate in the performance log 21d with a threshold value, and detects whether or not a memory usage error has occurred in which the memory usage rate exceeds the threshold value. If a memory usage error is detected, the process proceeds to step S15f, and if not detected, the process proceeds to step S15e.

[Step S15e] The control unit 11 determines whether or not a network error (for example, a connection error such as line disconnection) is detected from the communication network connection status in the performance log 21d. If a network error is detected, the process proceeds to step S15f, and if not detected, the process proceeds to step S16 in FIG.

[Step S15f] The control unit 11 recognizes that the monitored server 20 has experienced a performance abnormality, and stores the location of the performance abnormality in the monitoring target server performance abnormality item of the notification DB 12a. The process proceeds to step S16 in FIG.

In the above description, CPU usage errors, disk usage errors, memory usage errors, and network errors have been described as examples of performance anomalies, but other performance anomalies may be detected.

FIG. 13 is a flowchart showing an operation example when a related server is monitored.
[Step S17a] The control unit 11 refers to the configuration management DB 12b1 and acquires related server information from the configuration management DB 12b1.

[Step S17b] Based on the related server information, the control unit 11 determines whether or not the related server 30 related to the monitored server 20 exists. If the related server 30 exists, the process proceeds to step S17c. Also, if the related server 30 does not exist, the process ends. If it is detected that the related server does not exist, it will be determined that the message received in step S10 does not require any action.

[Step S17c] The control unit 11 executes determination processing on the related server 30. FIG. Note that the process of step S17c including steps S17c1 to 17c6 is repeated by the number of related servers 30 .

[Step S17c1] The control section 11 performs a process p21 for detecting a message requiring attention based on the presence or absence of a change operation in the determination process p2 (since it was described above with reference to FIG. 11, the description is omitted).
[Step S17c2] The control unit 11 determines whether or not a change operation command is stored in the relevant server change operation item of the notification DB 12a by executing the process p21 for detecting a message requiring action based on the presence or absence of a change operation. do. If the change operation command is stored, the process proceeds to step S17c5, and if the change operation command is not stored, the process proceeds to step S17c3.

[Step S17c3] The control section 11 performs a process p22 for detecting a message requiring action based on the presence or absence of a performance abnormality in the determination process p2 (since it has been described above with reference to FIG. 12, the description will be omitted).
[Step S17c4] The control unit 11 determines whether or not a performance abnormality point is stored in the related server performance abnormality item of the notification DB 12a by executing the processing p22 for detecting a message requiring action based on the presence or absence of a performance abnormality. do. If the performance abnormality location is stored, the process proceeds to step S17c5. Also, if the performance error point is not stored, the process ends. If it is detected that the performance abnormality point is not stored, it is determined that the message received in step S10 does not need to be dealt with.

[Step S17c5] The control unit 11 registers the action required in the item of the action necessity of the message in the notification DB 12a.
[Step S17c6] The control unit 11 transmits to the output display unit 14 the message in which the need to be dealt with is registered in the notification DB 12a. The message determined to require handling is transmitted to the maintenance terminal 40 by the output display unit 14 and displayed.

<Storage status of notification DB>
Next, the storage state of the notification DB 12a will be described with reference to FIGS. 14 and 15. FIG. 14 and 15 are diagrams showing an example of the storage state of the notification DB.

The notification DB 12a-1 shows an example of a storage state when a message is received by the control unit 11 and the attributes of the message are registered. The notification DB 12a-1 in which the attribute is registered stores the date and time of receipt of the message, Oct. 12, 2018 09:33:12, the message abc, and the source MpAosfv of the message. Other items are blank.

The notification DB 12a-2 shows an example of the storage state when the control unit 11 detects a change operation in the monitored server 20. FIG. If the control unit 11 detects a command associated with the change operation by performing the handling required message detection process p21 based on the presence or absence of the change operation, the control unit 11 registers the command associated with the change operation.

In the notification DB 12a-2, in which commands associated with change operations are registered, in addition to message attribute information, a kill 128 command is stored in the item of monitoring target server change operation, and in the item of whether or not action is required, action is required. stored. Other items are blank.

The notification DB 12a-3 shows an example of a storage state when the control unit 11 detects a performance abnormality in the monitored server 20. FIG. If the control unit 11 detects a performance abnormality by performing the handling required message detection process p22 based on the presence or absence of the performance abnormality, the control unit 11 registers the location of the performance abnormality.

In the notification DB 12a-3 in which the location of the performance abnormality is registered, in addition to the attribute information of the message, the CPU is stored in the item of the monitoring target server performance abnormality, and the item of the need for countermeasure is stored as the need for countermeasure. . Other items are blank.

The notification DB 12a-4 shows an example of the storage state when the control unit 11 detects a change operation in the related server 30. FIG. When the control unit 11 detects a change operation by performing the handling required message detection process p21 based on the presence or absence of the change operation, it registers a command for the change operation.

In the notification DB 12a-4 in which change operations are registered, in addition to message attribute information, SV1 is stored in the related server item, and vi/etc/*** commands are stored in the related server change operation item. The necessity of handling is stored in the item of whether or not to take action. Other items are blank.

The notification DB 12a-5 shows an example of the storage state when the control unit 11 detects a performance abnormality in the related server 30. FIG. If the control unit 11 detects a performance abnormality by performing the handling required message detection process p22 based on the presence or absence of the performance abnormality, the control unit 11 registers the location of the performance abnormality.

In the notification DB 12a-5 in which the location of the performance abnormality is registered, in addition to the message attribute information, SV2 is stored in the related server item, CPU is stored in the related server performance abnormality item, and the response necessity item is stored. required is stored. Other items are blank.

The notification DB 12a-6 shows the storage state when the control unit 11 detects neither change operation nor performance abnormality. When the change operation and performance abnormality are not detected, the control unit 11 determines that no action is required for the received message. Therefore, in the notification DB 12a-6, in addition to the attribute information of the message, "no action is required" is stored in the item of necessity of action. Other items are blank.

<Specific example of operation>
Next, a specific example of operation will be described with reference to FIGS. 16 to 18. FIG. FIG. 16 is a diagram showing an example of a message collection screen. A message collection screen g1 is displayed on the maintenance terminal 40 . The message collection screen g1 is a screen that displays messages collected by the operation management server 10 before the operation management server 10 performs the determination processes p1 and p2. The message collection screen g1 has items of handling status, number, date and time, display name, and message.

In column CL11, (process status, number, date and time, display name, message) = (processed, 5, 2019/02/04 11:30:00, operation management server 10, log collection failed Server name: Business server SV0) is displayed.

Column CL12 displays (response status, number, date and time, display name, message) = (unprocessed, 20, 2019/02/04 13:00:10, business server SV0, transaction timeout occurred). ing.

Column CL13 displays (response status, number, date and time, display name, message) = (unprocessed, 46, 2019/02/04 15:00:20, business server SV0, system A stopped). ing.

The message with number=5 has already been dealt with, but the message with number=20 and the message with number=46 have not been dealt with. Therefore, the maintenance terminal 40 transmits to the operation management server 10 an instruction to execute the process of determining the necessity of handling the messages with numbers=20 and 46. FIG.

Upon receiving the instruction from the maintenance terminal 40, the control unit 11 of the operation management server 10 first executes determination processing p1 for messages with numbers=20 and 46. FIG. Here, it is assumed that both the messages with numbers=20 and 46 are determined to require no action in the determination process p1.

FIG. 17 is a diagram showing an example of a command history table. The command history table 5 registers the history of commands executed in the business server SV0. The command history table 5 is generated by the control unit 11 based on system logs, application logs and MW logs collected from the business server SV0.

The control unit 11 executes the detection process p21 of the message requiring handling based on the presence/absence of a change operation in the determination process p2 for the message with number=20. The control unit 11 determines from the command history table 5 that at the time 2019/02/04 12:40:00 immediately before the reception of the message with number=20, the timeout value of the definition file was rewritten with the vi command. detect that Note that the vi command and the definition file are stored in advance in the file change operation command DB 12b4.

Therefore, since the detected vi command and execution target exist in the file change operation command DB 12b4, the control unit 11 recognizes that a change operation has been performed on the business server SV0, and determines that the message with number=20 needs to be dealt with. . Therefore, the number=20 message "Transaction timeout has occurred" is separately displayed on the maintenance terminal 40 as a message to be handled and notified to the administrator.

FIG. 18 is a diagram illustrating an example of a performance state table; The performance status table 6 registers the performance status detected from the performance log of the business server SV0. The performance state table 6 is generated by the control unit 11 based on performance logs collected from the business server SV0.

It is assumed that the control unit 11 executes the detection process p21 of the message requiring handling based on the presence or absence of the change operation in the determination process p2 for the message with number=46, but it is determined that no handling is required. Therefore, the control unit 11 executes the detection process p22 of the message requiring handling based on the presence or absence of the performance abnormality in the determination process p2 for the message with the number=46.

From the performance state table 6, it is detected that a CPU utilization error and a disk utilization error occur at the time 2019/02/04 14:59:00 immediately before the message with number=46 is received.

Therefore, the control unit 11 recognizes that there is a performance abnormality in the business server SV0, and determines that the message with number=46 needs to be dealt with. Therefore, the message with number=46, "System A has stopped", is separately displayed on the maintenance terminal 40 as a message requiring action and notified to the administrator.

As described above, according to the operation management server 10 of the present invention, when it is determined by the filter definition that a message sent from a subordinate server does not need to be dealt with, based on the change operation or performance abnormality of the server before receiving the message, and re-determine whether or not to take action.

As a result, it is possible to accurately pick up messages that require operational action from unknown messages and undefined messages that were not determined to require action by the filter definition, and to suppress the omission of notification of the occurrence of an event that requires action. become. In addition, by suppressing the omission of notifications, there will be no omissions in maintenance work, and the system can be operated safely.

Furthermore, for messages that were not determined to require action in the message analysis of the determination process p1, re-determination is performed in the determination process p2, which uses a different determination method from the message analysis. number can be reduced. Therefore, it is possible to reduce the workload of the administrator.

The processing functions of the information processing apparatus 1 and the operation management server 10 of the present invention described above can be realized by a computer. In this case, a program describing the processing contents of the functions that the information processing device 1 and the operation management server 10 should have is provided. By executing the program on a computer, the above processing functions are realized on the computer.

A program describing the processing content can be recorded in a computer-readable recording medium. Computer-readable recording media include magnetic storage devices, optical disks, magneto-optical recording media, semiconductor memories, and the like. Magnetic storage devices include hard disk devices (HDD), flexible disks (FD), magnetic tapes, and the like. Optical disks include CD-ROM/RW and the like. Magneto-optical recording media include MO (Magneto Optical disk) and the like.

When distributing a program, for example, portable recording media such as CD-ROMs on which the program is recorded are sold. It is also possible to store the program in the storage device of the server computer and transfer the program from the server computer to another computer via the network.

A computer that executes a program stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. The computer then reads the program from its own storage device and executes processing according to the program. The computer can also read the program directly from the portable recording medium and execute processing according to the program.

In addition, the computer can also execute processing according to the received program every time the program is transferred from a server computer connected via a network. At least part of the processing functions described above can also be realized by electronic circuits such as DSPs, ASICs, and PLDs.

Although the embodiment has been exemplified above, the configuration of each part shown in the embodiment can be replaced with another one having the same function. Also, any other components or steps may be added. Furthermore, any two or more configurations (features) of the above-described embodiments may be combined.

1 information processing device 1a control unit 1b storage unit 2 device m1 message

Claims (9)

the computer
Based on the message output from the device, performing a first determination process for determining whether or not the device indicated by the message needs to be dealt with,
If the first determination process determines that no action is required, specifying the processing executed by the device during a specific period before outputting the message;
Based on the identified processing content, perform a second determination process for determining whether the device indicated by the message needs to be dealt with;
judgment method. In the first determination process, based on a filter definition in which a message pattern to be handled is registered in advance, the message is filtered and sorted into a message requiring handling or a message not requiring handling, and message analysis is performed; 2. The determination method according to claim 1, wherein, in the determination process of (1), determination is made for the message determined by the message analysis that no action is required. In the second determination process, when it is detected that the change operation content to be dealt with is registered in the device, and the specified process content exists in the registered change operation content, 2. The determination method according to claim 1, wherein the message is determined to require handling. In the second determination process, a change operation command for changing at least one of middleware, an operating system (OS), and a file of the device is registered, and the specified process is included in the registered change operation commands. 4. The determination method according to claim 3, wherein when it is detected that a command having contents exists, the message is determined to require handling. 2. The determination method according to claim 1, wherein, in the second determination process, when the identified process content is a performance abnormality of the device, the message is determined to require handling. In the second determination process, when at least one performance abnormality of a processor utilization error of the device, a storage device utilization error of the device, and a communication network connection error of the device is detected, the message is output. 6. The determination method according to claim 5, wherein it is determined that a countermeasure is required. The computer further
When the device is subjected to the second determination process and it is determined that the message does not require handling, if there is a related device used in connection with the operation of the device, the second determination is performed on the related device. process,
The determination method according to claim 1. Based on the message output from the device, a first determination process is performed to determine whether or not the device indicated by the message needs to be dealt with, and if it is determined by the first determination process that no action is required, before the message is output. a control unit that identifies the processing content executed by the device during a specific period of and performs a second determination process that determines whether or not the device indicated by the message needs to be dealt with based on the identified processing content;
Information processing device having to the computer,
Based on the message output from the device, performing a first determination process for determining whether or not the device indicated by the message needs to be dealt with,
If the first determination process determines that no action is required, specifying the processing executed by the device during a specific period before outputting the message;
Based on the identified processing content, perform a second determination process for determining whether the device indicated by the message needs to be dealt with;
Judgment program that executes processing.

Images