WO2016199411A1 - Log display device, log display method and log display program - Google Patents


Info

Publication number
WO2016199411A1
Authority
WO
WIPO (PCT)
Prior art keywords
log
information
logs
time
display
Prior art date
Application number
PCT/JP2016/002768
Other languages
French (fr)
Japanese (ja)
Inventor
真二郎 八木
Original Assignee
日本電気株式会社
Priority date
Filing date
Publication date
Application filed by 日本電気株式会社
Publication of WO2016199411A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine

Definitions

  • the present invention relates to a technique for displaying logs collected from devices.
  • Patent Documents 1 and 2 disclose techniques for effectively displaying collected logs.
  • the log visualization device of Patent Document 1 includes log information storage means, log template storage means, and log group storage means.
  • the log information storage unit stores log information including identification information for each target device and a device label given by an additional attribute of the device.
  • the log template storage means stores the template information to which the template label is given according to the usage status in the log template which is an important part extracted from the log information.
  • the log group storage means stores log groups that are grouped based on the co-occurrence of the template information and are assigned with template labels.
  • The log visualization device having the above configuration operates as follows. It receives from the user a time series of log information to be visualized, a device label to be visualized, a template label that matches an arbitrary rule, a log template occurrence frequency, and a log template periodicity. Based on these, the log information in the log information storage means is matched with the information in the log template storage means or the log group storage means, and a graph is generated and displayed that plots the log groups and template labels on the vertical axis and the generation time of the log information on the horizontal axis.
  • the visualization device of Patent Document 2 includes a log extraction unit and a log information generation unit.
  • the log extraction unit extracts a log indicating communication between processes from logs output in the large-scale distributed processing system.
  • From information included in the log extracted by the log extraction unit, the log information generation unit generates log information indicating the transmission source process and transmission destination process between which a processing request was transmitted and received in the communication, the transmission source server and transmission destination server on which those processes are respectively executed, the contents of the processing request, and the time when the communication occurred.
  • The visualization device having the above configuration operates as follows. Based on the log information generated by the log information generation unit, it generates and displays drawing data in which the transmission and reception of a processing request from the transmission source process of the transmission source server to the transmission destination process of the transmission destination server is drawn so as to indicate the content and time of the processing request.
  • However, the log visualization devices of Patent Document 1 and Patent Document 2 have the following problems. In the log visualization device of Patent Document 1, it is necessary to prepare log template information in advance, but it is impossible to prepare all templates for various devices in advance. In the visualization device of Patent Document 2, a state in which no communication is performed cannot be illustrated, because its method draws from information that identifies the source and destination of a process in the log.
  • The present invention has been made in view of the above problems, and its purpose is to make it possible to display a log without preparing information such as a template in advance and irrespective of a specific state such as a communication state.
  • The log display device according to the present invention includes a log extraction unit that extracts logs to be excluded from aggregation targets; a display information generation unit that includes a log reading unit that clusters logs based on similarity, a time totaling unit that totals, based on time information, the logs obtained by removing the extracted logs from the clustered logs, a space totaling unit that totals based on spatial information, and a generation unit that generates display information including the time information, the spatial information, and the totaling result; and a display unit that displays the display information.
  • In the log display method according to the present invention, logs are clustered based on similarity, logs not to be included in the aggregation target are extracted, the logs obtained by removing the extracted logs from the clustered logs are aggregated based on time information and aggregated based on spatial information, and display information including the time information, the spatial information, and the aggregation result is generated and displayed.
  • The log display program according to the present invention causes execution of a process of clustering logs based on similarity, a process of extracting logs not to be included in the aggregation target, a process of aggregating, based on time information and based on spatial information, the logs obtained by removing the extracted logs from the clustered logs, and a process of generating and displaying display information including the time information, the spatial information, and the aggregation result.
  • According to the present invention, it is possible to display a log without preparing information such as a template in advance and irrespective of a specific state such as a communication state.
  • FIG. 1 is a block diagram showing a configuration of a log display device according to an embodiment of the present invention.
  • The log display device 1 according to this embodiment includes a log extraction unit 11 that extracts logs to be excluded from aggregation targets. It also includes a display information generation unit 10, which has a log reading unit 101 that clusters logs based on similarity, a time totaling unit 102 that totals, based on time information, the logs obtained by removing the extracted logs from the clustered logs, a space totaling unit 103 that totals based on spatial information, and a generation unit 104 that generates display information including the time information, the spatial information, and the totaling result. Furthermore, it has a display unit 12 that displays the display information.
  • FIG. 2 is a block diagram showing the configuration of the log display device according to the embodiment of the present invention.
  • the log display device 2 of this embodiment includes a display information generation unit 20, a black list generation unit 21, a display unit 22, a storage unit 23, and an input unit 24.
  • the display information generation unit 20 includes a log reading unit 201, a time totaling unit 202, a space totaling unit 203, and a generation unit 204.
  • the black list generation unit 21 includes an ID (identification) extraction unit 211 and an ID deletion unit 212.
  • the storage unit 23 includes a log file storage unit 231, an ID table storage unit 232, a black list storage unit 233, an aggregation result table storage unit 234, and a spatial information storage unit 235.
  • the log file storage unit 231 stores the log file transmitted from the target device.
  • the ID table storage unit 232 stores the log file to which the ID is assigned.
  • the black list storage unit 233 stores the log file of the ID extracted as a black list.
  • the tabulation result table storage unit 234 stores a tabulation result table in which log files to which IDs are assigned are tabulated based on time information and space information.
  • the spatial information storage unit 235 stores spatial information having a log file name (ID), a device name, a system name, and a system number.
  • The log reading unit 201 reads a log file transmitted from each target device and stored in the log file storage unit 231, assigns to each log file an ID corresponding to a portion extracted from it, and stores the log file with its ID in the ID table storage unit 232.
  • the log reading unit 201 classifies log files.
  • the log file includes information such as the log occurrence time, the details of the occurrence event, the generation device and the system.
  • The log reading unit 201 clusters each line of the log file and assigns a unique number (ID). For clustering, a hierarchical method such as the shortest distance method or a partitioning optimization method such as the k-means method can be used. As a result, the same ID is assigned to logs with high similarity.
  • the log file to which the ID is assigned is stored in the ID table storage unit 232.
  • The log reading unit 201 can also generate spatial information (topology information) having a log file name (ID), a device name, a system name, and a system number based on information such as the device and system included in the log file, and register it in the spatial information storage unit 235.
  • the spatial information may be created in advance and registered in the spatial information storage unit 235.
  • the time totaling unit 202 creates a totaling result table as shown in FIG. 3 and stores it in the totaling result table storage unit 234.
  • The time totaling unit 202 first totals the number of appearances of each ID, for each unit time that the user designates through the input unit 24, over the log files with assigned IDs stored in the ID table storage unit 232.
  • The unit time may also be given as an initial value, and the number of appearances per unit time may be totaled based on that initial value.
  • A unit time identifier is assigned to the count result for each unit time.
  • As the unit time identifier, a value obtained by adding 1 to the maximum value of the unit time identifiers in the totaling result table so far is used. For example, “1” can be assigned as the first unit time identifier.
  • the time counting unit 202 searches for unit time identifiers in which IDs have appeared in the past, and classifies the IDs according to the classification method shown in FIG.
  • Five categories are defined as an example of a classification method. An ID that appeared within the past 24 unit times is classified as category 1, an ID that last appeared more than 24 but within 72 unit times ago as category 2, and an ID that last appeared more than 72 but within 168 unit times ago as category 3.
  • An ID that last appeared more than 168 unit times ago is classified as category 4, and an ID that does not exist in the past ID table is classified as category 5.
  • the ID of the category 5 may be an ID extracted in a black list described later.
  • the time totaling unit 202 classifies all IDs, and totals the total number of log files per unit time included in each class.
  • The classification method list shown in FIG. 4 can be set in the time totaling unit 202 in advance.
  • a list of classification methods can be stored in the storage unit 23 in advance, and can be read and used when the time counting unit 202 operates.
  • the blacklist generation unit 21 extracts IDs to be registered as a blacklist from the log files to which IDs are assigned and stored in the ID table storage unit 232 and totalized in the totaling result table.
  • The ID extraction unit 211 extracts, from the IDs within the designated unit time, IDs that did not exist in the past. For example, when the time at which a failure clearly occurred is input from the input unit 24, the ID extraction unit 211 obtains from the totaling result table the list of IDs included in the unit time corresponding to the input time. Then, the IDs of category 4 or 5 are extracted from that list.
  • The ID deletion unit 212 deletes from the ID table storage unit 232 the log files of those category 4 IDs that are not included in any unit time before their own time, together with the log files of category 5 IDs, and stores (registers) the log files of the deleted IDs in the black list storage unit 233 as a black list. In this way, a log file with an ID that is highly likely to indicate an abnormality is registered as a black list and deleted from the ID table storage unit 232. As a result, when a log file with the same ID is subsequently generated, it can be classified into category 5 as an ID that does not exist in the ID table storage unit 232.
  • When the time totaling unit 202 totals IDs, IDs included in the blacklist are excluded from the totalization, and when a log file having the same ID as an ID included in the blacklist occurs, it can be classified into category 5 as an ID that is highly likely to indicate an abnormality.
  • the space tabulation unit 203 classifies and tabulates the IDs tabulated in the tabulation result table based on the space information (topology information) stored in the space information storage unit 235.
  • FIG. 5 shows an example of spatial information, in which a log file name, a system number, a system name, and a server name as a totaling unit are registered. Based on this spatial information, it is possible to first aggregate the classification results of the log files for each server, and then aggregate the classification results for each system using the aggregation results for each server.
  • In the totaling procedure described above, the totaling by the spatial totaling unit 203 is performed after the totaling by the time totaling unit 202. Alternatively, the totaling by the time totaling unit 202 may be performed after the totaling by the spatial totaling unit 203.
  • the generation unit 204 generates a screen based on the server unit or system unit classification specified in the spatial information, and displays the screen on the display unit 22. At this time, as shown in FIG. 6, the generation unit 204 can divide, for example, into groups of sections 1, 2, and 3 and groups of sections 4 and 5 for each ID. Then, as shown in FIG. 7, the screen for three-dimensional display with the time per unit time as the X-axis, the spatial information such as the system or server as the Y-axis, and the total number of each section in FIG. Generate for each.
  • The generation unit 204 can also generate a screen for three-dimensional display in which spatial information such as a system or a server is the Z axis, the circumferential direction of a circle centered on the Z axis is the time per unit time, and the radial direction of that circle is the number of tabulations for each section.
  • the display unit 22 displays a screen generated by the generation unit 204.
  • the input unit 24 receives input of information such as time designation necessary for operating the log display device 2 by the user.
  • the display is divided into the groups 1, 2, and 3 and the groups 4 and 5 for the following reason. That is, in the classification method of FIG. 4, the categories 1, 2, and 3 are logs that occur in a short cycle within 168 hours (within one week). These are often logs that are inevitably generated if the device or system is operating normally. On the other hand, the category 4 is a log generated in a long cycle of a week unit or a month unit. These may include not only a log that is normally generated in a long cycle but also a log indicating an abnormality.
  • category 5 is a log that does not exist in the ID table, and this log may include the same log as the log registered as a black list. That is, the log classified into the category 5 is highly likely to be a log indicating an abnormality of the device or system.
  • the log display device 2 according to the present embodiment is characterized in that it is possible to distinguish and display logs that are highly likely to indicate this abnormality.
  • a feature of the log display device 2 of the present embodiment is that such a log can be displayed separately from a normal log.
  • the display is divided into the groups 1, 2, and 3 and the groups 4 and 5, but the display method is not limited to this.
  • Arbitrary division methods are possible, such as displaying the data in divisions 1, 2, 3, 4 and division 5.
  • it is effective to display the category 5 that has a high possibility of indicating an abnormality in an easily understandable manner.
  • The three categories 1, 2, and 3 are distinguished in the display. However, since these are likely to be normal logs, the three may be displayed together without being distinguished.
  • The number of categories is not limited to five. At least two categories are needed: one indicating a high probability of being a normal log and one indicating a high possibility of being an abnormal log.
  • Logs are clustered based on similarity. Logs that are not included in the aggregation target are extracted. The logs obtained by removing the extracted logs from the clustered logs are aggregated based on time information and aggregated based on spatial information, and display information including the time information, the spatial information, and the aggregation result is generated and displayed.
  • An ID corresponding to the clustering is given to each log. Among the log IDs corresponding to the specified time information, logs having an ID that does not exist at any time before the time of the specified time information are extracted, and the extracted logs are removed from the clustered logs.
  • the time information includes information on a time interval for generating a log.
  • the spatial information includes the name of a system or device that generates a log.
  • the logs obtained by removing the extracted logs from the clustered logs are aggregated based on time information, and the logs aggregated based on the time information are aggregated based on spatial information.
  • logs obtained by removing the extracted logs from the clustered logs are aggregated based on spatial information, and the logs aggregated based on the spatial information are aggregated based on time information.
  • display information for generating a three-dimensional display of the time information, the spatial information, and the aggregation result is generated. The three-dimensional display is displayed in an XYZ coordinate system.
  • the extracted log is saved as a black list.
  • The log display program of the log display device 2 of the present embodiment causes execution of a process of clustering logs based on similarity, a process of extracting logs that are not included in the aggregation target, a process of aggregating the logs obtained by removing the extracted logs from the clustered logs based on time information and based on spatial information, and a process of generating and displaying display information including the time information, the spatial information, and the aggregation result.
  • a process of giving an ID corresponding to the clustering to the log is executed.
  • the time information includes information on a time interval for generating a log.
  • the spatial information includes the name of a system or device that generates a log.
  • the log obtained by removing the extracted log from the clustered log is aggregated based on time information, and the log aggregated based on the time information is aggregated based on spatial information.
  • the log obtained by removing the extracted log from the clustered log is aggregated based on spatial information, and the log aggregated based on the spatial information is aggregated based on time information.
  • a process for generating display information for three-dimensionally displaying the time information, the spatial information, and the total result is executed.
  • processing for displaying the three-dimensional display in the XYZ coordinate system is executed.
  • the log display device 2 of the present embodiment can be an information processing device such as a PC (Personal Computer) or a server.
  • The display information generation unit 20 and the black list generation unit 21 can be realized by running the log display program on a CPU (Central Processing Unit), which is a calculation resource of the information device.
  • The storage unit 23 can be realized using the memory and HDD (Hard Disk Drive) that are the storage resources of the information device.
  • a log generated and transmitted by the target device can be received and stored in the log file storage unit 231 via the communication function of the information device.
  • the display unit 22 can be realized by a display or a printer included in the information device.
  • the input unit 24 can be realized by a keyboard, a mouse, a touch panel, or the like included in the information device.
  • a log extractor for extracting logs to be excluded from the aggregation target A log reading unit that clusters logs based on similarity, a time totaling unit that totals logs excluding the extracted logs from the clustered logs based on time information, and a spatial totaling that totals based on spatial information
  • a log display device comprising: a display unit configured to display the display information.
  • the log display device according to one of appendices 1 to 4, wherein the spatial information includes a system name or a device name for generating a log.
  • the time totaling unit totals logs obtained by removing the extracted logs from the clustered logs based on time information, and the space totaling unit totals logs collected by the time totaling unit based on spatial information.
  • the spatial totalization unit totalizes logs obtained by removing the extracted logs from the clustered logs based on spatial information, and the time totaling unit calculates the logs totaled by the spatial totalization unit based on time information. 6.
  • the log display device according to one of appendices 1 to 5, for counting.
  • Appendix 13 13.
  • Appendix 14 14.
  • Appendix 15 The log obtained by removing the extracted log from the clustered log is aggregated based on time information, and the log aggregated based on the time information is aggregated based on spatial information.
  • the logs obtained by removing the extracted logs from the clustered logs are aggregated based on spatial information, and the aggregated logs based on the spatial information are aggregated based on time information.
  • Log display method described in the section. (Appendix 16) 16. The log display method according to one of appendices 10 to 15, wherein display information for generating a three-dimensional display of the time information, the spatial information, and the aggregation result is generated.
  • Appendix 17 The log display method according to appendix 16, wherein the three-dimensional display is displayed in an XYZ coordinate system.
  • Appendix 18 18. The log display method according to one of appendices 10 to 17, wherein the extracted log is stored as a black list.
  • Appendix 21 A process of executing a process of extracting a log having an ID that does not exist at the time of the time information prior to the time of the specified time information in the ID of the log corresponding to the specified time information; 21.
  • Appendix 22 The log display program according to any one of appendices 19 to 21, wherein the time information includes information of a time interval for generating a log.
  • Appendix 23 23.
  • (Appendix 24) A process of totalizing logs based on time information, excluding the extracted logs from the clustered logs, and totaling logs based on the time information based on spatial information; Alternatively, the log obtained by removing the extracted log from the clustered log is aggregated based on spatial information, and the log aggregated based on the spatial information is aggregated based on time information. 24.
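
The time totaling, blacklist and space totaling steps described in the list above, as an added Python example (not code from the patent). The sample records, the topology table, the digit masking, the 0.8 similarity threshold and the greedy clustering (a stand-in for the shortest distance or k-means methods the text names) are assumptions; the blacklist step here takes every category 4 or 5 ID in the operator-specified unit time.

```python
import re
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed sample records: (unit_time, log_file_name, message).
SAMPLE = [
    (1, "web01.log", "GET /index.html 200 12ms"),
    (1, "web01.log", "GET /index.html 200 15ms"),
    (1, "db01.log", "checkpoint complete in 30 ms"),
    (2, "web01.log", "GET /index.html 304 11ms"),
    (2, "db01.log", "checkpoint complete in 28 ms"),
    (3, "db01.log", "disk /dev/sda1 I/O error sector 4411"),
    (3, "db01.log", "checkpoint complete in 31 ms"),
    (4, "db01.log", "disk /dev/sda1 I/O error sector 4412"),
    (4, "web01.log", "GET /index.html 200 13ms"),
]
# Constructed spatial information: log file name -> (server name, system name).
TOPOLOGY = {"web01.log": ("web01", "frontend"), "db01.log": ("db01", "backend")}


def normalise(message):
    """Mask digit runs so lines differing only in counters compare as equal."""
    return re.sub(r"\d+", "#", message.lower())


def assign_ids(messages, threshold=0.8):
    """Give each line the ID of its most similar cluster, or open a new one."""
    representatives, ids = [], []
    for message in messages:
        text = normalise(message)
        scores = [SequenceMatcher(None, text, rep).ratio() for rep in representatives]
        if scores and max(scores) >= threshold:
            ids.append(scores.index(max(scores)) + 1)
        else:
            representatives.append(text)
            ids.append(len(representatives))
    return ids


def categorise(age):
    """Map unit times since an ID last appeared to categories 1-5 (None = never)."""
    if age is None:
        return 5
    if age <= 24:
        return 1
    if age <= 72:
        return 2
    if age <= 168:
        return 3
    return 4


def tabulate(records, blacklist=frozenset()):
    """Count lines per (unit_time, system, server) and category."""
    ids = assign_ids([message for _, _, message in records])
    by_time = defaultdict(list)
    for (unit_time, file_name, _), log_id in zip(records, ids):
        by_time[unit_time].append((file_name, log_id))
    last_seen, id_category, table = {}, {}, defaultdict(Counter)
    for unit_time in sorted(by_time):
        for file_name, log_id in by_time[unit_time]:
            age = unit_time - last_seen[log_id] if log_id in last_seen else None
            category = categorise(age)
            id_category[(unit_time, log_id)] = category
            server, system = TOPOLOGY[file_name]
            table[(unit_time, system, server)][category] += 1
        # Blacklisted IDs never enter the ID history, so they stay category 5.
        for _, log_id in by_time[unit_time]:
            if log_id not in blacklist:
                last_seen[log_id] = unit_time
    return dict(table), id_category


def build_blacklist(id_category, failure_time):
    """IDs of category 4 or 5 in the unit time the operator marks as a failure."""
    return {log_id for (unit_time, log_id), category in id_category.items()
            if unit_time == failure_time and category in (4, 5)}


def rollup(table, level="server"):
    """Space totaling: group categories 1-3 as normal and 4-5 as suspect."""
    result = defaultdict(lambda: {"normal": 0, "suspect": 0})
    for (unit_time, system, server), categories in table.items():
        key = (unit_time, server if level == "server" else system)
        for category, count in categories.items():
            result[key]["suspect" if category >= 4 else "normal"] += count
    return dict(result)


if __name__ == "__main__":
    first_table, id_category = tabulate(SAMPLE)
    blacklist = build_blacklist(id_category, failure_time=3)
    second_table, _ = tabulate(SAMPLE, blacklist)
    for key, counts in sorted(rollup(second_table, "system").items()):
        print(key, counts)
```

In the constructed data, the disk error first seen in unit time 3 would count as category 1 when it recurs in unit time 4; once its ID is blacklisted it remains in category 5 and stays in the suspect group.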

Abstract

The purpose of the present invention is to enable the displaying of a log, with no advance preparation of information such as a template and regardless of a particular state such as a communication state. This log display device comprises: a log extraction unit which extracts a log to be excluded from tabulation; a display information generation unit which includes a log reading unit which clusters logs on the basis of similarity, a time tabulation unit which tabulates, on the basis of time information, the clustered logs excluding the extracted log, a space tabulation unit which tabulates on the basis of space information, and a generation unit which generates display information including the time information, the space information and the tabulation results; and a display unit which displays the display information.

Description

ログ表示装置とログ表示方法およびログ表示プログラムLog display device, log display method, and log display program
 本発明は、機器から収集されたログを表示する技術に関する。 The present invention relates to a technique for displaying logs collected from devices.
 情報機器やネットワーク機器により構成されるデータセンターなどのシステムでは、各々の機器の動作に対応したログを収集し、異常状態の監視や省エネ対策等に活用している。収集したログを効果的に表示する技術が、特許文献1や特許文献2に開示されている。 In systems such as data centers composed of information devices and network devices, logs corresponding to the operation of each device are collected and used for monitoring abnormal conditions and energy saving measures. Patent Documents 1 and 2 disclose techniques for effectively displaying collected logs.
 特許文献1のログ可視化装置は、ログ情報記憶手段とログテンプレート記憶手段とロググループ記憶手段とを備えている。ログ情報記憶手段は、対象となる機器ごとの識別情報や機器の付加的属性によって付与された機器ラベルを含むログ情報を格納する。ログテンプレート記憶手段は、前記ログ情報から抽出された重要とされる部分であるログテンプレートに、利用状況に応じてテンプレートラベルが付与されたテンプレート情報を格納する。ロググループ記憶手段は、前記テンプレート情報の同時生起性に基づいてグルーピングされ、テンプレートラベルが付与されたロググループを格納する。 The log visualization device of Patent Document 1 includes log information storage means, log template storage means, and log group storage means. The log information storage unit stores log information including identification information for each target device and a device label given by an additional attribute of the device. The log template storage means stores the template information to which the template label is given according to the usage status in the log template which is an important part extracted from the log information. The log group storage means stores log groups that are grouped based on the co-occurrence of the template information and are assigned with template labels.
 以上の構成を有するログ可視化装置は、次のように動作する。すなわち、利用者から、可視化するログ情報の時系列、可視化対象の機器ラベル、任意の規則に合致したテンプレートラベル、ログテンプレートの発生頻度、ログテンプレートの周期性を受け付ける。これらに基づいて、ログ情報記憶手段のログ情報と、ログテンプレート記憶手段またはロググループ記憶手段の情報とのマッチングを行い、ロググループ、テンプレートラベルを縦軸に、ログ情報の発生時間を横軸にプロットするグラフを生成し表示する。 The log visualization device having the above configuration operates as follows. That is, a time series of log information to be visualized, a device label to be visualized, a template label that matches an arbitrary rule, a log template occurrence frequency, and a log template periodicity are received from the user. Based on these, the log information of the log information storage means is matched with the information of the log template storage means or the log group storage means, the log group and template label are plotted on the vertical axis, and the generation time of the log information is plotted on the horizontal axis. Generate and display a graph to plot.
 特許文献2の可視化装置は、ログ抽出部とログ情報生成部とを備えている。ログ抽出部は、大規模分散処理システム内で出力されたログのうち、プロセス間の通信を示すログを抽出する。ログ情報生成部は、ログ抽出部によって抽出されたログに含まれる情報から、通信において処理要求が送受信された送信元プロセス及び送信先プロセスと、送信元プロセス及び送信先プロセスがそれぞれ実行される送信元サーバ及び送信先サーバと、処理要求の内容と、前記通信が発生した時刻とを示すログ情報を生成する。 The visualization device of Patent Document 2 includes a log extraction unit and a log information generation unit. The log extraction unit extracts a log indicating communication between processes from logs output in the large-scale distributed processing system. The log information generation unit is configured to execute a transmission source process and a transmission destination process, and a transmission source process and a transmission destination process, in which a processing request is transmitted and received in communication, from information included in the log extracted by the log extraction unit. Log information indicating the origin server and destination server, the contents of the processing request, and the time when the communication occurred is generated.
 以上の構成を有する可視化装置は、次のように動作する。すなわち、ログ情報生成部によって生成されたログ情報に基づいて、送信元サーバの送信元プロセスから送信先サーバの送信先プロセスへの処理要求の送受信を、処理要求の内容及び時刻を示すように描画した描画データを生成し表示する。 The visualization device having the above configuration operates as follows. That is, based on the log information generated by the log information generation unit, processing request transmission / reception from the transmission source process of the transmission source server to the transmission destination process of the transmission destination server is drawn to indicate the content and time of the processing request. Generate and display the drawn data.
特開2014-153721号公報JP 2014-153721 A 特開2013-171541号公報JP 2013-171541 A
However, the log visualization devices of Patent Documents 1 and 2 have the following problems. The device of Patent Document 1 requires log template information to be prepared in advance, yet it is impossible to prepare templates for every one of a wide variety of devices beforehand. The visualization device of Patent Document 2 cannot depict a state in which no communication takes place, because its method draws the diagram from information that identifies the source and destination of a process from the log.
The present invention has been made in view of the above problems, and its object is to make it possible to display logs without preparing information such as templates in advance and regardless of a specific state such as a communication state.
A log display device according to the present invention includes: a log extraction unit that extracts logs to be excluded from aggregation; a display information generation unit having a log reading unit that clusters logs based on similarity, a time totaling unit that aggregates, based on time information, the clustered logs from which the extracted logs have been removed, a space totaling unit that aggregates based on spatial information, and a generation unit that generates display information including the time information, the spatial information and the aggregation result; and a display unit that displays the display information.
A log display method according to the present invention clusters logs based on similarity, extracts logs that are not to be included in aggregation, aggregates the clustered logs from which the extracted logs have been removed based on time information and based on spatial information, and generates and displays display information including the time information, the spatial information and the aggregation result.
A log display program according to the present invention causes execution of: a process of clustering logs based on similarity; a process of extracting logs that are not to be included in aggregation; a process of aggregating the clustered logs from which the extracted logs have been removed based on time information and based on spatial information; and a process of generating and displaying display information including the time information, the spatial information and the aggregation result.
According to the present invention, it is possible to display logs without preparing information such as templates in advance and regardless of a specific state such as a communication state.
A block diagram showing the configuration of the log display device of the first embodiment of the present invention.
A block diagram showing the configuration of the log display device of the second embodiment of the present invention.
A diagram showing an example of the aggregation result table of the log display device of the second embodiment of the present invention.
A diagram showing an example of the categories of the log display device of the second embodiment of the present invention.
A diagram showing an example of the spatial information of the log display device of the second embodiment of the present invention.
A diagram showing an example of aggregation per category in the log display device of the second embodiment of the present invention.
A diagram showing an example of the display of the log display device of the second embodiment of the present invention.
A diagram showing an example of the display of the log display device of the second embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The embodiments described below contain limitations that are technically preferable for carrying out the invention, but they do not limit the scope of the invention to what follows.
(First embodiment)
FIG. 1 is a block diagram showing the configuration of a log display device according to an embodiment of the present invention. The log display device 1 of this embodiment has a log extraction unit 11 that extracts logs to be excluded from aggregation. It further has a display information generation unit 10, which includes a log reading unit 101 that clusters logs based on similarity, a time totaling unit 102 that aggregates, based on time information, the clustered logs from which the extracted logs have been removed, a space totaling unit 103 that aggregates based on spatial information, and a generation unit 104 that generates display information including the time information, the spatial information and the aggregation result. It further has a display unit 12 that displays the display information.
According to this embodiment, it is possible to display logs without preparing information such as templates in advance and regardless of a specific state such as a communication state.
(Second embodiment)
FIG. 2 is a block diagram showing the configuration of a log display device according to an embodiment of the present invention. The log display device 2 of this embodiment includes a display information generation unit 20, a blacklist generation unit 21, a display unit 22, a storage unit 23, and an input unit 24.
The display information generation unit 20 includes a log reading unit 201, a time totaling unit 202, a space totaling unit 203, and a generation unit 204. The blacklist generation unit 21 includes an ID (identification) extraction unit 211 and an ID deletion unit 212. The storage unit 23 includes a log file storage unit 231, an ID table storage unit 232, a blacklist storage unit 233, an aggregation result table storage unit 234, and a spatial information storage unit 235.
The log file storage unit 231 stores the log files transmitted from the target devices. The ID table storage unit 232 stores the log files to which IDs have been assigned. The blacklist storage unit 233 stores the log files of the IDs extracted as a blacklist. The aggregation result table storage unit 234 stores an aggregation result table in which the ID-tagged log files are aggregated based on time information and spatial information. The spatial information storage unit 235 stores spatial information consisting of a log file name (ID), a device name, a system name, and a system number.
The log reading unit 201 reads the log files transmitted from each target device and stored in the log file storage unit 231, assigns to each log file an ID corresponding to the portion extracted from it, and stores the ID-tagged log files in the ID table storage unit 232. To do so, the log reading unit 201 classifies the log files. A log file contains information such as the time the log occurred, the content of the event, and the device or system that produced it. The log reading unit 201 clusters the lines of the log files and assigns each a unique number (ID). Clustering can use a hierarchical method such as the nearest-neighbor (shortest distance) method or a partitioning optimization method such as the k-means method. As a result, highly similar log files are assigned the same ID. The log files to which IDs have been assigned are stored in the ID table storage unit 232.
The log reading unit 201 can also generate spatial information (topology information) consisting of a log file name (ID), a device name, a system name, and a system number from the device and system information contained in the log files, and register it in the spatial information storage unit 235. Alternatively, the spatial information may be created in advance and registered in the spatial information storage unit 235.
The time totaling unit 202 creates an aggregation result table like the one shown in FIG. 3 and stores it in the aggregation result table storage unit 234. To do so, the time totaling unit 202 first counts, for the ID-tagged log files stored in the ID table storage unit 232, the number of appearances of each ID in each unit time, where the unit time is designated, for example, by user input from the input unit 24. The unit time may also be designated by giving a time of day as an initial value and counting the appearances per unit time starting from that initial value. Each unit time in the aggregation result is given a unit time identifier. The unit time identifier is the largest unit time identifier so far in the aggregation result table plus 1. The first unit time identifier can be, for example, "1".
Next, the time totaling unit 202 searches for the unit time identifiers in which each ID appeared in the past and assigns the ID to a category according to the classification method shown in FIG. 4. FIG. 4 defines five categories as an example of a classification method. An ID that appeared within the past 24 unit times is category 1; one that appeared more than 24 but within 72 unit times ago is category 2; one that appeared more than 72 but within 168 unit times ago is category 3; one that appeared more than 168 unit times ago is category 4; and one that does not exist in the past ID table is category 5. A category 5 ID may also be an ID that has been extracted into the blacklist described later. The time totaling unit 202 categorizes all IDs and totals, for each unit time, the number of log files that fall into each category.
The list of classification methods shown in FIG. 4 can be built into the time totaling unit 202 in advance. Alternatively, the list can be stored in the storage unit 23 beforehand and read out when the time totaling unit 202 operates.
The blacklist generation unit 21 extracts the IDs to be registered as a blacklist from the ID-tagged log files that are stored in the ID table storage unit 232 and tallied in the aggregation result table, as follows.
First, the ID extraction unit 211 extracts, from the IDs within a designated unit time, IDs that did not exist in the past. That is, when, for example, the time at which a failure clearly occurred is entered from the input unit 24, the ID extraction unit 211 obtains from the aggregation result table the list of IDs contained in the unit time corresponding to the entered time, and extracts the IDs of category 4 or 5 from that list.
The ID deletion unit 212 deletes from the ID table storage unit 232 the log files of those category 4 IDs that are not contained in any unit time earlier than their own time, together with the log files of the category 5 IDs, and stores (registers) the log files of the deleted IDs in the blacklist storage unit 233 as a blacklist. In this way, log files whose IDs are highly likely to indicate an abnormality are registered as a blacklist and removed from the ID table storage unit 232. From then on, when a log file with the same ID occurs, it can be classified into category 5 as an ID that does not exist in the ID table storage unit 232. In other words, when the time totaling unit 202 tallies IDs, the IDs contained in the blacklist are excluded from the tally, and when a log file with the same ID as one in the blacklist occurs, it can be classified as a category 5 ID that is highly likely to indicate an abnormality.
The space totaling unit 203 classifies and aggregates the IDs tallied in the aggregation result table, based on the spatial information (topology information) stored in the spatial information storage unit 235. FIG. 5 shows an example of spatial information, in which log file names are registered together with the aggregation units: system number, system name, and server name. With this spatial information it is possible, for example, to first aggregate the per-unit-time category results of the log files for each server and then aggregate the category results for each system from the per-server results.
In the procedure above, aggregation by the time totaling unit 202 is followed by aggregation by the space totaling unit 203, but the order may be reversed: aggregation by the space totaling unit 203 may be performed first, followed by aggregation by the time totaling unit 202.
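
The recency categories of FIG. 4, the server-then-system roll-up, and the effect of the blacklist can be traced on a small input. The following Python code is an added example, not code from the patent: the sample log lines, the topology map, and all function names are assumptions, and the digit-masking `cluster_id` is a stand-in for the hierarchical or k-means clustering the text names. The blacklist step is narrowed to category 5 IDs, which are counted under category 5 here so that they remain visible.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: (unit_time, log_file, raw_line). One unit time = one hour.
SAMPLE = [
    (1,   "web01.log", "session 4411 opened for user 17"),
    (1,   "db01.log",  "checkpoint complete in 120 ms"),
    (20,  "web01.log", "session 4502 opened for user 9"),
    (200, "db01.log",  "checkpoint complete in 95 ms"),
    (200, "web01.log", "session 4710 opened for user 3"),
    (200, "web01.log", "disk sda1 read error at sector 88213"),
    (201, "web01.log", "disk sda1 read error at sector 88214"),
    (201, "web01.log", "session 4711 opened for user 3"),
]
# Constructed spatial (topology) information: log file -> (system, server).
TOPOLOGY = {"web01.log": ("shop", "web01"), "db01.log": ("shop", "db01")}


def cluster_id(line):
    """Stand-in for similarity clustering: lines differing only in numbers share one ID."""
    return re.sub(r"\d+", "<n>", line)


def category(gap):
    """Recency category; gap = unit times since the ID last appeared, None if not in the ID table."""
    if gap is None:
        return 5
    if gap <= 24:
        return 1
    if gap <= 72:
        return 2
    if gap <= 168:
        return 3
    return 4


def aggregate(records, topology, blacklist=frozenset()):
    """Return (per-server counts, per-ID categories).

    per-server counts: {(unit_time, system, server): Counter(category -> lines)}
    per-ID categories: {(unit_time, id): category}
    """
    by_time = defaultdict(list)
    for t, log_file, line in records:
        by_time[t].append((log_file, cluster_id(line)))

    last_seen = {}  # the "ID table": ID -> unit time of its most recent appearance
    per_server = defaultdict(Counter)
    id_category = {}
    for t in sorted(by_time):
        seen_now = set()
        for log_file, cid in by_time[t]:
            if cid in blacklist:
                cat = 5  # blacklisted IDs never enter the ID table, so they stay category 5
            else:
                cat = category(t - last_seen[cid] if cid in last_seen else None)
                seen_now.add(cid)
            id_category[(t, cid)] = cat
            system, server = topology[log_file]
            per_server[(t, system, server)][cat] += 1
        for cid in seen_now:  # update only after the whole unit time is classified
            last_seen[cid] = t
    return dict(per_server), id_category


def roll_up_to_system(per_server):
    """Second aggregation stage: sum the per-server category counts for each system."""
    per_system = defaultdict(Counter)
    for (t, system, _server), counts in per_server.items():
        per_system[(t, system)].update(counts)
    return dict(per_system)


def blacklist_from_incident(id_category, incident_t):
    """IDs that were category 5 in the unit time the operator marks as a failure."""
    return {cid for (t, cid), cat in id_category.items() if t == incident_t and cat == 5}


if __name__ == "__main__":
    per_server, id_cat = aggregate(SAMPLE, TOPOLOGY)
    bl = blacklist_from_incident(id_cat, 200)
    after, _ = aggregate(SAMPLE, TOPOLOGY, bl)
    print("blacklist:", bl)
    print("t=201 without blacklist:", dict(per_server[(201, "shop", "web01")]))
    print("t=201 with blacklist:   ", dict(after[(201, "shop", "web01")]))
```

Without the blacklist, the second disk error at unit time 201 falls into category 1 because the same ID appeared one unit time earlier; once the ID is blacklisted from the failure at unit time 200, every later occurrence stays in category 5.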
The generation unit 204 generates a screen based on the server-level or system-level grouping specified in the spatial information and displays it on the display unit 22. In doing so, the generation unit 204 can split the categories for each ID into, for example, a group of categories 1, 2 and 3 and a group of categories 4 and 5, as shown in FIG. 6. Then, as shown in FIG. 7, it generates for each ID a three-dimensional display screen with the time of each unit time on the X axis, spatial information such as the system or server on the Y axis, and the count of each category in FIG. 6 on the Z axis.
As shown in FIG. 8, the generation unit 204 can also generate, for each ID, a three-dimensional display screen in which spatial information such as the system or server is the Z axis, the circumferential direction of a circle centered on the Z axis is the time of each unit time, and the radial direction of that circle is the count for each category.
The display unit 22 displays the screen generated by the generation unit 204.
The input unit 24 accepts user input of information, such as a time designation, that is needed to operate the log display device 2.
In the example of this embodiment, the display is split into a group of categories 1, 2 and 3 and a group of categories 4 and 5 for the following reason. In the classification method of FIG. 4, categories 1, 2 and 3 are logs that occur on a short cycle of 168 hours or less (within one week). These are in many cases logs that are inevitably generated as long as the device or system is operating normally. Category 4, by contrast, is logs that occur on a long cycle of weeks or months. These may include not only logs that normally occur on a long cycle but also logs that indicate an abnormality.
Category 5, in turn, is logs that do not exist in the ID table, and these may include logs identical to those registered as a blacklist. In other words, a log classified into category 5 is highly likely to be a log indicating an abnormality of a device or system. The log display device 2 of this embodiment is characterized in that it can display these logs, which are highly likely to indicate an abnormality, separately from the others.
That is, in a system in which an enormous number of devices operate, such as a data center, even a log with the same ID as one produced during normal operation may be produced by some device or system abruptly, off its normal cycle. Such a log is likely to indicate a device abnormality. Being able to display such logs separately from normal logs is a feature of the log display device 2 of this embodiment.
In FIGS. 6, 7 and 8, the display is split into a group of categories 1, 2 and 3 and a group of categories 4 and 5, but the display is not limited to this and any split is possible, for example a group of categories 1, 2, 3 and 4 and a separate category 5. A display that clearly sets apart category 5, which is highly likely to indicate an abnormality, is particularly effective. FIGS. 6, 7 and 8 also show categories 1, 2 and 3 individually, but because these are likely to be normal logs, the three may be merged and shown as one. The number of categories is not limited to five; it is sufficient to have at least two categories, one indicating logs that are likely to be normal and one indicating logs that are likely to be abnormal.
The log display method of the log display device 2 of this embodiment clusters logs based on similarity. It further extracts logs that are not to be included in aggregation. It further aggregates the clustered logs from which the extracted logs have been removed based on time information and based on spatial information, and generates and displays display information including the time information, the spatial information and the aggregation result.
An ID corresponding to the clustering is assigned to each log. Among the IDs of the logs corresponding to designated time information, logs having an ID that does not exist at any time earlier than the time of the designated time information are extracted, and the extracted logs are removed from the clustered logs.
The time information includes information on the time interval at which logs are generated. The spatial information includes the name of the system or device that generates the logs.
The clustered logs from which the extracted logs have been removed are aggregated based on time information, and the logs so aggregated are then aggregated based on spatial information. Alternatively, the clustered logs from which the extracted logs have been removed are aggregated based on spatial information, and the logs so aggregated are then aggregated based on time information. Display information that shows the time information, the spatial information and the aggregation result in three dimensions is generated. The three-dimensional display is shown in an X-Y-Z coordinate system.
The extracted logs are saved as a blacklist.
The log display program of the log display device 2 of this embodiment causes execution of a process of clustering logs based on similarity. It further causes execution of a process of extracting logs that are not to be included in aggregation. It further causes execution of a process of aggregating the clustered logs from which the extracted logs have been removed based on time information and based on spatial information, and a process of generating and displaying display information including the time information, the spatial information and the aggregation result.
It also causes execution of a process of assigning to each log an ID corresponding to the clustering. It also causes execution of a process of extracting, among the IDs of the logs corresponding to designated time information, logs having an ID that does not exist at any time earlier than the time of the designated time information, and a process of removing the extracted logs from the clustered logs.
The time information includes information on the time interval at which logs are generated. The spatial information includes the name of the system or device that generates the logs.
It also causes execution of a process of aggregating the clustered logs from which the extracted logs have been removed based on time information and then aggregating the logs so aggregated based on spatial information, or alternatively a process of aggregating the clustered logs from which the extracted logs have been removed based on spatial information and then aggregating the logs so aggregated based on time information.
It also causes execution of a process of generating display information that shows the time information, the spatial information and the aggregation result in three dimensions, and a process of showing the three-dimensional display in an X-Y-Z coordinate system.
It also causes execution of a process of saving the extracted logs as a blacklist.
The log display device 2 of this embodiment can be an information processing device such as a PC (Personal Computer) or a server. The display information generation unit 20 and the blacklist generation unit 21 can be realized by running the log display program on the CPU (Central Processing Unit) that is the computing resource of the information device. The storage unit 23 can be realized using the memory or HDD (Hard Disk Drive) that is the storage resource of the information device. Logs generated and transmitted by the target devices can be received through the communication function of the information device and stored in the log file storage unit 231. The display unit 22 can be realized by a display, a printer or the like of the information device. The input unit 24 can be realized by a keyboard, a mouse, a touch panel or the like of the information device.
According to this embodiment, it is possible to display logs without preparing information such as templates in advance and regardless of a specific state such as a communication state.
The present invention is not limited to the above embodiments; various modifications are possible within the scope of the invention described in the claims, and these are also included in the scope of the present invention.
Moreover, although a part or all of said embodiment may be described also as the following additional remarks, it is not restricted to the following.
(Appendix 1)
A log extractor for extracting logs to be excluded from the aggregation target;
A log reading unit that clusters logs based on similarity, a time totaling unit that totals logs excluding the extracted logs from the clustered logs based on time information, and a spatial totaling that totals based on spatial information A display information generation unit, and a generation unit that generates display information including the time information, the spatial information, and the aggregation result;
A log display device comprising: a display unit configured to display the display information.
(Appendix 2)
The log display device according to appendix 1, wherein the log reading unit assigns an ID corresponding to the clustering to a log.
(Appendix 3)
The log extraction unit extracts a log having an ID that does not exist at a time information time earlier than a time of the specified time information in a log ID corresponding to the specified time information. The log display device according to appendix 2, wherein the processed log is removed from the clustered log.
(Appendix 4)
4. The log display device according to one of appendices 1 to 3, wherein the time information includes time interval information for generating a log.
(Appendix 5)
5. The log display device according to one of appendices 1 to 4, wherein the spatial information includes a system name or a device name for generating a log.
(Appendix 6)
The time totaling unit totals logs obtained by removing the extracted logs from the clustered logs based on time information, and the space totaling unit totals logs collected by the time totaling unit based on spatial information. ,
Alternatively, the spatial totalization unit totalizes logs obtained by removing the extracted logs from the clustered logs based on spatial information, and the time totaling unit calculates the logs totaled by the spatial totalization unit based on time information. 6. The log display device according to one of appendices 1 to 5, for counting.
(Appendix 7)
The log display device according to one of appendices 1 to 6, wherein the generation unit generates display information for three-dimensionally displaying the time information, the spatial information, and the aggregation result.
(Appendix 8)
The log display device according to appendix 7, wherein the three-dimensional display is displayed in an XYZ coordinate system.
(Appendix 9)
9. The log display device according to one of appendices 1 to 8, further comprising a storage unit that stores the extracted log as a black list.
(Appendix 10)
Cluster logs based on similarity,
Extract the logs that are not included in the aggregation target,
Logs excluding the extracted logs from the clustered logs are totaled based on time information, totaled based on spatial information,
A log display method for generating and displaying display information including the time information, the spatial information, and the aggregation result.
(Appendix 11)
The log display method according to appendix 10, wherein an ID corresponding to the clustering is given to the log.
(Appendix 12)
The log display method according to appendix 11, wherein, among the IDs of the logs corresponding to specified time information, a log having an ID that does not exist at times earlier than the time of the specified time information is extracted, and the extracted log is excluded from the clustered logs.
(Appendix 13)
The log display method according to one of appendices 10 to 12, wherein the time information includes information on a time interval for generating a log.
(Appendix 14)
The log display method according to any one of appendices 10 to 13, wherein the spatial information includes a system name or a device name that generates a log.
(Appendix 15)
The log obtained by removing the extracted log from the clustered log is aggregated based on time information, and the log aggregated based on the time information is aggregated based on spatial information.
Alternatively, the logs obtained by removing the extracted logs from the clustered logs are aggregated based on spatial information, and the aggregated logs based on the spatial information are aggregated based on time information. Log display method described in the section.
(Appendix 16)
The log display method according to one of appendices 10 to 15, wherein display information for three-dimensionally displaying the time information, the spatial information, and the aggregation result is generated.
(Appendix 17)
The log display method according to appendix 16, wherein the three-dimensional display is displayed in an XYZ coordinate system.
(Appendix 18)
The log display method according to one of appendices 10 to 17, wherein the extracted log is stored as a black list.
(Appendix 19)
A log display program that executes:
a process of clustering logs based on similarity;
a process of extracting logs that are not included in the aggregation target;
a process of totaling, based on time information and based on spatial information, the logs obtained by excluding the extracted logs from the clustered logs; and
a process of generating and displaying display information including the time information, the spatial information, and the total result.
(Appendix 20)
The log display program according to appendix 19, which executes a process of giving an ID corresponding to the clustering to a log.
(Appendix 21)
The log display program according to appendix 20, which executes a process of extracting, from among the IDs of the logs corresponding to specified time information, a log having an ID that does not exist at times earlier than the time of the specified time information, and removing the extracted log from the clustered logs.
(Appendix 22)
The log display program according to any one of appendices 19 to 21, wherein the time information includes information of a time interval for generating a log.
(Appendix 23)
The log display program according to one of appendices 19 to 22, wherein the spatial information includes a system name or a device name for generating a log.
(Appendix 24)
A process of totalizing logs based on time information, excluding the extracted logs from the clustered logs, and totaling logs based on the time information based on spatial information;
Alternatively, the log obtained by removing the extracted log from the clustered log is aggregated based on spatial information, and the log aggregated based on the spatial information is aggregated based on time information. 24. The log display program according to one of 23.
(Appendix 25)
The log display program according to one of appendices 19 to 24, which executes a process of generating display information for three-dimensionally displaying the time information, the spatial information, and the total result.
(Appendix 26)
The log display program according to appendix 25, which executes a process of displaying the three-dimensional display in an XYZ coordinate system.
(Appendix 27)
The log display program according to any one of appendices 19 to 26, which executes a process of storing the extracted log as a black list.
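The method of appendices 10 to 15 can be sketched as follows. This is an added Python example, not part of the patent text: the sample logs are constructed, the function names are hypothetical, and similarity is assumed to mean "same message once digits are masked", since the appendices do not fix a similarity measure.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs: (timestamp, device name, message).
SAMPLE_LOGS = [
    ("2016-06-08 10:00:05", "web01", "session 4821 opened for user 17"),
    ("2016-06-08 10:00:40", "db01", "query took 120 ms"),
    ("2016-06-08 10:01:10", "web01", "session 4822 opened for user 23"),
    ("2016-06-08 10:01:20", "web01", "session 4823 opened for user 8"),
    ("2016-06-08 10:01:30", "db01", "disk error on sector 9931"),
    ("2016-06-08 10:01:45", "web01", "disk error on sector 77"),
    ("2016-06-08 10:01:50", "db01", "query took 95 ms"),
]
EPOCH = datetime(1970, 1, 1)

def cluster_logs(logs):
    """Give each log a cluster ID; similarity = same text once digits are masked (assumption)."""
    template_ids, clustered = {}, []
    for ts, device, message in logs:
        template = re.sub(r"\d+", "<N>", message)
        cluster_id = template_ids.setdefault(template, len(template_ids) + 1)
        clustered.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), device, cluster_id))
    return clustered

def extract_blacklist(clustered, start, end):
    """IDs seen in [start, end) that never occur before start (appendix 12)."""
    earlier = {cid for t, _, cid in clustered if t < start}
    in_window = {cid for t, _, cid in clustered if start <= t < end}
    return in_window - earlier

def aggregate(clustered, blacklist, interval=timedelta(minutes=1)):
    """Count the remaining logs per (time bucket, device): time first, then space."""
    counts = Counter()
    for t, device, cid in clustered:
        if cid in blacklist:
            continue  # extracted logs are excluded from the totals
        bucket = EPOCH + ((t - EPOCH) // interval) * interval
        counts[(bucket.strftime("%H:%M"), device)] += 1
    # Display information: (time, space, total) rows, i.e. X, Y, Z for a 3D plot.
    return sorted((time, device, n) for (time, device), n in counts.items())

def build_display_rows(logs, start, end):
    clustered = cluster_logs(logs)
    blacklist = extract_blacklist(clustered, start, end)
    return blacklist, aggregate(clustered, blacklist)

if __name__ == "__main__":
    window = datetime(2016, 6, 8, 10, 1)
    print(build_display_rows(SAMPLE_LOGS, window, window + timedelta(minutes=1)))
```

With the 10:01 window specified, the "disk error" cluster has no occurrence before the window, so its ID is extracted and both of its logs drop out of the per-minute, per-device totals.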
This application claims priority based on Japanese Patent Application No. 2015-117901 filed on June 11, 2015, the entire disclosure of which is incorporated herein.
 1, 2  Log display device
 10, 20  Display information generation unit
 11  Log extraction unit
 101, 201  Log reading unit
 102, 202  Time totaling unit
 103, 203  Spatial totaling unit
 104, 204  Generation unit
 21  Blacklist generation unit
 211  ID extraction unit
 212  ID deletion unit
 12, 22  Display unit
 23  Storage unit
 231  Log file storage unit
 232  ID table storage unit
 233  Blacklist storage unit
 234  Total result table storage unit
 235  Spatial information storage unit
 24  Input unit

Claims (10)

  1. A log display device comprising:
    log extraction means for extracting logs to be excluded from the aggregation target;
    display information generating means comprising log reading means for clustering logs based on similarity, time totaling means for totaling, based on time information, the logs obtained by excluding the extracted logs from the clustered logs, spatial totaling means for totaling based on spatial information, and generating means for generating display information including the time information, the spatial information, and the aggregation result; and
    display means for displaying the display information.
  2. The log display device according to claim 1, wherein the log reading means assigns an ID corresponding to the clustering to the log.
  3. The log display device according to claim 2, wherein the log extraction means extracts, from among the IDs of the logs corresponding to specified time information, a log having an ID that does not exist at times earlier than the time of the specified time information, and excludes the extracted log from the clustered logs.
  4. The log display device according to any one of claims 1 to 3, wherein the time information includes information on a time interval for generating a log.
  5. The log display device according to any one of claims 1 to 4, wherein the spatial information includes a name of a system or a device that generates a log.
  6. The log display device according to any one of claims 1 to 5, wherein the time totaling means totals, based on time information, the logs obtained by excluding the extracted logs from the clustered logs, and the spatial totaling means totals, based on spatial information, the logs totaled by the time totaling means,
    or alternatively, the spatial totaling means totals, based on spatial information, the logs obtained by excluding the extracted logs from the clustered logs, and the time totaling means totals, based on time information, the logs totaled by the spatial totaling means.
  7. The log display device according to any one of claims 1 to 6, wherein the generating means generates display information for three-dimensionally displaying the time information, the spatial information, and the aggregation result.
  8. The log display device according to any one of claims 1 to 7, further comprising storage means for storing the extracted log as a black list.
  9. A log display method comprising:
    clustering logs based on similarity;
    extracting logs that are not included in the aggregation target;
    totaling, based on time information and based on spatial information, the logs obtained by excluding the extracted logs from the clustered logs; and
    generating and displaying display information including the time information, the spatial information, and the aggregation result.
  10. A storage medium storing a log display program that causes execution of:
    a process of clustering logs based on similarity;
    a process of extracting logs that are not included in the aggregation target;
    a process of totaling, based on time information and based on spatial information, the logs obtained by excluding the extracted logs from the clustered logs; and
    a process of generating and displaying display information including the time information, the spatial information, and the aggregation result.
PCT/JP2016/002768 2015-06-11 2016-06-08 Log display device, log display method and log display program WO2016199411A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015-117901 2015-06-11
JP2015117901 2015-06-11

Publications (1)

Publication Number Publication Date
WO2016199411A1 true WO2016199411A1 (en) 2016-12-15

Family

ID=57503546

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/002768 WO2016199411A1 (en) 2015-06-11 2016-06-08 Log display device, log display method and log display program

Country Status (1)

Country Link
WO (1) WO2016199411A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106909494A (en) * 2017-02-28 2017-06-30 郑州云海信息技术有限公司 A kind of method of the display BMC daily records in real time in the blade server based on LINUX platforms
CN108256808A (en) * 2016-12-28 2018-07-06 平安科技(深圳)有限公司 Information displaying method and device
CN113138971A (en) * 2021-04-30 2021-07-20 深圳市度申科技有限公司 Visual log analysis method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012160637A1 (en) * 2011-05-23 2012-11-29 富士通株式会社 Message determination device and message determination program
WO2013035266A1 (en) * 2011-09-05 2013-03-14 日本電気株式会社 Monitoring device, monitoring method and program
JP2014153723A (en) * 2013-02-04 2014-08-25 Nippon Telegr & Teleph Corp <Ntt> Log origination abnormality detection device and method
JP2015095060A (en) * 2013-11-12 2015-05-18 日本電信電話株式会社 Log analysis device and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16807119

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16807119

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP