JP5258040B2 - Apparatus for supporting detection of failure event, method for supporting detection of failure event, and computer program - Google Patents

Description

  The present invention relates to an apparatus that supports detection of a fault event that can maintain high fault detection accuracy without excessively increasing the storage amount of symptom, a method that supports detection of a fault event, and a computer program.

  Due to the rapid development of computer technology in recent years, computer systems are naturally incorporated in core systems that build social infrastructure. In order to operate social infrastructure regularly and properly, considerable operational costs are incurred. An autonomic computing system has attracted attention as a technique for reducing such operation costs as much as possible and increasing the stability of the system.

 The autonomic computing system is a general term for all technologies for constructing a system-wide self-managed environment, and means an entire system that autonomously resolves problems and failures that occur in the system. Various methods have been disclosed for detecting problems, faults, etc. occurring in the system.

For example, in Patent Document 1, the root cause that has led to the state of a subject component including a fault is specified by scanning another component on which the subject component depends and a part of a relational model related to the component. A root cause identifying method for determining a state related to each component is disclosed. Patent Document 2 discloses a dependency management method for managing dependency relationship information between various components under a computing environment, in particular, dependency relationship at the time of execution.
JP 2005-538459 A JP 2004-103015 A

  However, in the root cause identification method disclosed in Patent Document 1, the root cause can be detected with high accuracy by scanning the dependency model from upstream to downstream, but the dependency model is complicated. However, there is a problem that the scanning itself takes a considerable time and the scanning order of the dependency model is not specified, so that the performance and usability may be deteriorated.

  In order to solve such a problem, it is conceivable to add system configuration information to the dependency relationship model disclosed in Patent Document 2, but it is possible to always add system configuration information at the time of model generation. Is not limited. Therefore, it is desirable to prevent a decrease in performance and usability even when there is a dependency model that does not have system configuration information.

  The present invention has been made in view of such circumstances, and even when system configuration information is not given to knowledge (hereinafter referred to as symptoms) such as logical expressions necessary for constructing a dependency model. An object of the present invention is to provide an apparatus for supporting the detection of a fault event that can improve the efficiency of applying symptom and maintain high detection accuracy of the event in which the fault has occurred, a method for supporting the detection of a fault event, and a computer program And

Device, the log information Homata of a system including at least a plurality of components failure information output from each component upon occurrence failure in the system to support the detection of a failure event according to the first invention to achieve the above object History information collecting means for collecting history information of the system including any of the above, and a symptom storage for storing a symptom in which predetermined additional information is added to a detection rule for detecting an event included in the component related to the fault that has occurred Means, an event group specifying means for specifying an event group that matches the symptom based on the collected history information and the stored symptom, and each event group is transmitted based on the specified event group System configuration information, including related information between the component and other components Extraction means for extracting partial configuration information, and correct / incorrect information acquisition means for acquiring whether or not an event in which a failure has occurred has been normally detected based on the identified event group and the extracted partial configuration information And updating means for updating the symptom that is the basis for specifying the event group based on the acquired correct / incorrect information and the extracted partial configuration information.

  According to a second aspect of the present invention, there is provided an apparatus for supporting the detection of a failure event according to the first aspect, further comprising system configuration information acquisition means for acquiring system configuration information that is configuration information of the system, wherein the symptom storage means is acquired. Among the system configuration information, the partial configuration information, which is the system configuration information related to the component that sent the event that is the basis of the stored symptom, is added to the symptom as additional information.

Next, a method for supporting the detection of the failure event according to a third invention for achieving the above object, the log information Homata of a system including at least a plurality of components is output from each component upon occurrence failure in the system Collecting history information of the system including any failure information , storing a symptom in which predetermined additional information is added to a detection rule for detecting an event included in the component related to the failure that has occurred, and A step of identifying an event group that matches the symptom based on the collected history information and the stored symptom, and a component that sent each of the event group based on the identified event group and other components Partial configuration information, which is system configuration information including information related to A step of acquiring, a step of acquiring correct / incorrect information on whether or not an event in which a failure has occurred has been normally detected based on the identified event group and the extracted partial configuration information, and the acquired correct / incorrect information and the extracted Updating the symptom that is the basis for identifying the event group based on partial configuration information.

Next, in order to achieve the above object, a computer program according to the fourth invention can be executed by a computer that supports detection of an event in which a failure has occurred in a system including a plurality of components. said component at least log information Homata of the system associated with the history information collecting means for collecting history information of the system, the failure that has occurred, including any of the failure information output from each component upon occurrence failure in the system Based on the symptom storage means for storing the symptom obtained by adding predetermined additional information to the detection rule for detecting the event included in the event, the collected history information, and the stored symptom, the event group that matches the symptom is specified. Event group identification means, based on the identified event group Extraction means for extracting partial configuration information, which is system configuration information including related information between the component that sent each event group and other components, a failure based on the identified event group and the extracted partial configuration information The correct / incorrect information acquisition means for acquiring correct / incorrect information regarding whether or not the event in which the event occurred has been normally detected, and the symptom that is the basis for specifying the event group based on the acquired correct / incorrect information and the extracted partial configuration information It functions as an updating means for updating.

The computer program according to a fifth aspect of the present invention is the computer program according to the fourth aspect , wherein the computer functions as system configuration information acquisition means for acquiring system configuration information that is configuration information of the system, and the symptom storage means is acquired. Of the system configuration information, the partial configuration information that is the system configuration information related to the component that has transmitted the event that is the basis of the stored symptom is caused to function as means for adding to the symptom as additional information.

Next, apparatus for supporting detection of a failure event according to the sixth invention to achieve the above object, the log information Homata of a system including at least a plurality of components is output from each component upon occurrence failure in the system History information collecting means for collecting history information of the system including any of the failure information , and a symptom in which predetermined additional information is added to a detection rule for detecting an event included in the component related to the failure that has occurred Symptom storage means, event group specifying means for specifying an event group matching the symptom based on collected history information and stored symptom, and each event group based on the specified event group System that contains relevant information between the component that sent the message and other components Extraction means for extracting partial configuration information as composition information, partial configuration information extracted by the extraction means, and a portion included in the symptom applied to specify the event group by the event group specification means The degree-of-fit calculation means for calculating the degree of fit with the configuration information, the judgment means for judging whether or not the calculated degree of fit is larger than a predetermined value, When it is determined that the normal detection configuration information obtained by adding information indicating normal detection to the partial configuration information extracted by the extraction unit is equal to or less than a predetermined value, the partial configuration information extracted by the extraction unit is And updating means for updating the symptom by adding erroneously detected configuration information to which information indicating that the error has been detected is added to the symptom.

  According to the present invention, even if the symptom does not hold the partial configuration information, the partial configuration information can be added to the symptom according to the detection result of the event in which the failure has occurred. Therefore, it is possible to easily determine which symptom should be preferentially applied based on the added partial configuration information, and it is possible to improve the detection accuracy of an event in which a failure has occurred. Also, by storing the partial configuration information when an event in which a fault has occurred in error is stored, the degree of conformity with the partial configuration information used at the time of erroneous detection can also be presented. Application ranking can be performed with higher accuracy.

  Hereinafter, an apparatus for supporting detection of a failure event according to an embodiment of the present invention will be specifically described with reference to the drawings. The following embodiments do not limit the invention described in the claims, and all combinations of characteristic items described in the embodiments are essential to the solution. It goes without saying that it is not limited.

  The present invention can be implemented in many different modes and should not be construed as being limited to the description of the embodiment. The same symbols are attached to the same elements throughout the embodiments.

  In the following embodiments, an apparatus for supporting the detection of a failure event in which a computer program is introduced into a computer system will be described. However, as will be apparent to those skilled in the art, the present invention can be partially executed by a computer. It can be implemented as a possible computer program. Therefore, the present invention can take a hardware embodiment of a device that supports detection of a failure event, a software embodiment, or a combination of software and hardware. The computer program can be recorded on any computer-readable recording medium such as a hard disk, DVD, CD, optical storage device, magnetic storage device or the like.

  In the embodiment of the present invention, even if the symptom does not hold the partial configuration information, the partial configuration information can be added to the symptom according to the detection result of the event in which the failure has occurred. Therefore, it is possible to easily determine which symptom should be preferentially applied based on the added partial configuration information, and it is possible to improve the detection accuracy of an event in which a failure has occurred. In addition, by adding and storing partial configuration information when an event in which a fault has occurred accidentally is detected, the degree of conformity with the partial configuration information used at the time of erroneous detection can be presented. It becomes possible to perform the ranking of the symptom application based on the above with higher accuracy. Here, “partial configuration information” means related information including dependency relationships between the component that sent the fault occurrence event that is the event in which the fault has occurred and the other components that constitute the system. To do. For example, information related to the application server as a component and a database, link information, and the like are included. Therefore, it is possible to accurately create a topology diagram between target components.

  Also includes not only information about dependency relationships between components, but also information that can be used to derive useful relationships for failure analysis, such as connection relationships in communications, information on operating subjects based on commands, instructions, etc., object relationships, etc. Can be added to the symptom, the root cause of the failure can be identified more accurately, and the conditions under which the failure event is detected can be more easily narrowed down. Is possible.

(Embodiment 1)
FIG. 1 is a block diagram illustrating a configuration example of a failure event detection apparatus including an apparatus that supports detection of a failure event according to Embodiment 1 of the present invention. The failure event detection apparatus 1 according to the first embodiment of the present invention includes at least a CPU (Central Processing Unit) 11, a memory 12, a storage device 13, an I / O interface 14, a communication interface 15, a video interface 16, and a portable disk drive. 17 and an internal bus 18 for connecting the hardware described above.

  The CPU 11 is connected to the above-described hardware units of the failure event detection apparatus 1 via the internal bus 18, controls the operation of the above-described hardware units, and stores the computer program stored in the storage device 13. According to 100, various software functions are performed. The memory 12 is composed of a volatile memory such as SRAM or SDRAM, and a load module is expanded when the computer program 100 is executed, and stores temporary data generated when the computer program 100 is executed.

  The storage device 13 includes a built-in fixed storage device (hard disk), a ROM, and the like. The computer program 100 stored in the storage device 13 is downloaded by a portable disk drive 17 from a portable recording medium 90 such as a DVD or CD-ROM in which information such as programs and data is recorded. To the memory 12 and executed. Of course, a computer program downloaded from an external computer connected to the network 2 via the communication interface 15 may be used.

  The storage device 13 includes a symptom database 131. In the symptom database 131, in addition to detection rules for detecting an event in which a failure has occurred, recommended actions, comments, and the like at the time of failure detection are added for each detection rule. When the user selects an event in which a failure has occurred and inputs information necessary for generating a detection rule such as a rule pattern, the detection rule is extracted according to the selected event, and the display device 23 together with the component topology diagram. Is displayed.

  In addition, the storage device 13 includes a configuration information storage unit 132 that stores system configuration information of a system to be monitored as to whether or not a failure has occurred, log information of the system to be monitored, and when a failure occurs in the system And a history information storage unit 133 for storing history information such as event information output to. The configuration information storage unit 132 is configured by a CCMDB (Change and Configuration Management DB) including dependency relationship information between components of the monitoring target system 200 to be monitored and related information of each component. Based on the system configuration information stored in the configuration information storage unit 132, the component topology diagram can be displayed. The configuration information storage unit 132 may be provided in the storage device 13, but is normally provided separately from the failure event detection device 1 according to the first embodiment, and is connected via the network 2, for example. It is equipped with an external computer etc.

  The communication interface 15 is connected to an internal bus 18 and is connected to an external network 2 such as the Internet, a LAN, or a WAN, thereby enabling data transmission / reception with an external computer or the like. The monitoring target system 200 is also connected via the network 2 and can acquire system configuration information, history information when a failure occurs, and the like.

  The I / O interface 14 is connected to a data input medium such as a keyboard 21 and a mouse 22 and receives data input. The video interface 16 is connected to a display device 23 such as a CRT monitor or LCD, and displays a predetermined image.

  FIG. 2 is a functional block diagram of the failure event detection apparatus 1 according to Embodiment 1 of the present invention. The configuration information extraction unit 201 extracts system configuration information including related information between components included in the monitoring target system 200 and stores the extracted system configuration information in the configuration information storage unit 132. The system configuration information including related information between components is, for example, connection relationship information in communication between components, link relationship information regarding a relationship between operation and non-operation, and the like. Note that the configuration information extraction unit 201 is not an essential configuration requirement of the present invention, and system configuration information may be generated in the configuration information storage unit 132 in advance, or may be built in the failure event detection apparatus 1. It is not necessary. That is, the configuration information extraction unit 201 and the configuration information storage unit 132 are not essential configuration requirements of the failure event detection apparatus 1 according to Embodiment 1 of the present invention.

  The configuration information acquisition unit 202 acquires system configuration information stored in the configuration information storage unit 132. The system configuration information is stored in the configuration information storage unit 132 in association with each monitoring target system 200, and corresponding system configuration information is acquired according to the monitoring target system 200.

  The history information collection unit 203 constantly monitors the monitoring target system 200, and includes history information including failure information such as log information output from each component included in the monitoring target system 200 and / or event information output when a failure occurs. Are collected and stored in the history information storage unit 133. The log information is not limited to a system log or the like that is always output, and may include message information or the like that is output by interrupt processing or the like when a failure occurs.

  Note that the history information collected by the history information collection unit 203 often has a different data format, and may not be used as basic information for identifying an event that is a candidate event that has failed. Can occur. Therefore, it is desirable to provide a data format conversion unit 212 and convert it into a standard unified data format and store it in the history information storage unit 133.

  The detection rule generation unit 204 generates a detection rule for detecting an event included in a component related to the occurred failure. The symptom storage unit 205 stores a symptom in which predetermined additional information is added to the generated detection rule. As additional information, information on recommended actions at the time of failure detection, message information including various comments, and the like are added.

  The event detection unit 206 detects an event in which a failure has occurred based on the stored symptoms. For example, when applying a symptom to which the system configuration information of the monitoring target system 200 is added as additional information, an event detection process considering the system configuration information can be executed.

  The event selection accepting unit 207 accepts selection of an event included in a component related to the occurred failure as a selection from an event list or the like, for example. The partial configuration information extraction unit 208 extracts, from the system configuration information acquired by the configuration information acquisition unit 202, partial configuration information that is system configuration information related to the component that has sent the event whose selection is received by the event selection reception unit 207. The extracted partial configuration information also includes related information including a dependency relationship between the component that sent the event that received the selection as a failure occurrence event and the other components among the components constituting the system. For example, information related to the application server as a component and database, link information, and the like are also included.

  FIG. 3 is an exemplary diagram of a symptom configuration including partial configuration information in the failure event detection apparatus 1 according to Embodiment 1 of the present invention. FIG. 3A is an exemplary diagram of a conventional symptom configuration, and the symptom has causal relationship information indicating that the error B is induced due to the error A as logical information.

  On the other hand, FIG. 3B is an exemplary diagram of a symptom configuration to which partial configuration information is added. The symptom adds to the causal relationship information as logical information that error B occurs in database B, which is a specific component, due to occurrence of error A in application server A, which is a specific component. ing. In other words, by adding information about the dependency relationship between the application server A and the database B, which are components, the dependency relationship between components can be taken into account as a symptom for detecting a failure occurrence event. Event detection accuracy can be increased.

  The symptom update unit 209 adds the partial configuration information extracted by the partial configuration information extraction unit 208 to the corresponding symptom and stores it. That is, the partial configuration information becomes additional information. The partial configuration information presentation unit 210 presents the partial configuration information extracted by the partial configuration information extraction unit 208 on the display device 23. The update reception unit 211 receives an update of the presented partial configuration information. Accordingly, the user can surely generate the adapted partial configuration information by changing the presented partial configuration information to a desired configuration.

  FIG. 4 is an exemplary view of a screen 40 presented on the display device 23 by the partial configuration information presentation unit 210. In the topology diagram display area 41, a topology diagram showing the dependency relationship of components included in the monitoring target system 200 is displayed. The event list display area 42 displays a list of events included in the monitoring target system 200. When the event selection receiving unit 207 receives a selection of an event included in a component related to the failure that has occurred from the event group displayed in the event list display area 42, the event selection and the dependency relationship are displayed. The event you have is highlighted. In FIG. 4, the display color of the event that has received the selection and the event having the dependency relationship is changed and displayed. The highlighting method is not particularly limited, and the luminance may be changed.

  In the partial configuration information display area 43, the partial configuration information presentation unit 210 partially displays the topology diagram of the component depending on the event for which the selection is accepted. The component display area 44 displays details of the components displayed in the partial configuration information display area 43. The partial configuration information can also be updated by receiving update information for the components displayed in the partial configuration information display area 43 by the update receiving unit 211. Specifically, it is updated by selecting an event again from the events listed in the event list display area 42 by operating the mouse or the like.

  The partial configuration information is stored in the symptom database 131 as information including dependency relationships for each component. FIG. 5 is an exemplary diagram of the stored partial configuration information. FIG. 5A is an exemplary diagram of the partial configuration information display area 43 and the component display area 44, and FIG. 5B is a data example of the stored partial configuration information. As shown in FIG. 5B, for each component extracted in the partial configuration information display area 43, the component type, the dependency relationship, and link information between the components are stored as code information. Of course, the data format to be stored is not limited to the data format shown in FIG.

  FIG. 6 is a flowchart showing a procedure of the partial configuration information addition processing of the CPU 11 of the failure event detection apparatus 1 according to Embodiment 1 of the present invention. First, the CPU 11 of the failure event detection apparatus 1 acquires system configuration information including related information between components included in the monitoring target system 200 (step S601). Of course, the system configuration information may be acquired in advance and stored in the configuration information storage unit 132.

  The CPU 11 collects history information including failure information such as log information output from each component included in the monitoring target system 200 and / or event information output when a failure occurs, and stores the collected history information in the history information storage unit 133. (Step S602). The log information is not limited to a system log or the like that is always output, and may include message information or the like that is output by interrupt processing or the like when a failure occurs.

  Note that the history information collected by the history information collection unit 203 often has a different data format, and may not be used as basic information for identifying an event that is a candidate event that has failed. Can occur. Therefore, it is desirable to convert the collected history information into a unified standard data format before storing it in the history information storage unit 133 in step S602. As a result, even history information that is different for each component can be collected in a unified standard data format, and all history information can be utilized when generating a detection rule.

  The CPU 11 presents all the events that are candidates for the failure occurrence event to the display device 23 (step S603), and accepts the selection of the event by the user (step S604). Specifically, it is accepted as a selection from an event list or the like, for example, by operating a mouse or the like.

  The CPU 11 extracts partial configuration information, which is system configuration information related to the component that has sent the selected event, based on the selected event and the acquired system configuration information (step S605). The extracted partial configuration information also includes related information including a dependency relationship between the component that sent the event that received the selection as a failure occurrence event and the other components among the components constituting the system. Information related to the application server and database as shown in FIG. 3 is also included.

  The CPU 11 adds the extracted partial configuration information as additional information to the corresponding symptom and stores it (step S606). By adding the partial configuration information to the symptom in this way, it is possible to generate a symptom that reflects the system configuration information of the monitoring target system 200 as a detection rule as well as a logical expression as in the past. Therefore, the possibility of erroneous detection can be significantly reduced, and it can be accurately determined whether or not it is a known failure.

  As described above, according to the first embodiment, by adding the partial configuration information to the symptom, it is possible to more accurately identify the root cause of the failure by confirming the contents of the stored symptom. It is possible to easily narrow down under what conditions the event in which the failure has occurred is detected.

(Embodiment 2)
Since the configuration of the fault event detection apparatus 1 including the apparatus that supports the detection of the fault event according to the second embodiment of the present invention is the same as that of the first embodiment, detailed description is given by attaching the same reference numerals. Is omitted. The second embodiment is different from the first embodiment in that, when partial configuration information is added to the symptom, priority is given to the symptom to be applied to the failure detection process.

  FIG. 7 is a functional block diagram of the failure event detection apparatus 1 according to Embodiment 2 of the present invention. The configuration information extraction unit 201 extracts system configuration information including related information between components included in the monitoring target system 200 and stores the extracted system configuration information in the configuration information storage unit 132. The system configuration information including related information between components is, for example, connection relationship information in communication between components, link relationship information regarding a relationship between operation and non-operation, and the like. Note that the configuration information extraction unit 201 is not an essential configuration requirement of the present invention, and system configuration information may be generated in the configuration information storage unit 132 in advance, or may be built in the failure event detection apparatus 1. It is not necessary. That is, the configuration information extraction unit 201 and the configuration information storage unit 132 are not essential configuration requirements of the failure event detection apparatus 1 according to Embodiment 2 of the present invention.

  The configuration information acquisition unit 202 acquires system configuration information stored in the configuration information storage unit 132. The system configuration information is stored in the configuration information storage unit 132 in association with each monitoring target system 200, and corresponding system configuration information is acquired according to the monitoring target system 200.

  The history information collection unit 203 constantly monitors the monitoring target system 200, and includes history information including failure information such as log information output from each component included in the monitoring target system 200 and / or event information output when a failure occurs. Are collected and stored in the history information storage unit 133. The log information is not limited to a system log or the like that is always output, and may include message information or the like that is output by interrupt processing or the like when a failure occurs.

  Note that the history information collected by the history information collection unit 203 often has a different data format, and may not be used as basic information for identifying an event that is a candidate event that has failed. Can occur. Therefore, it is desirable to provide a data format conversion unit 212 and convert it into a standard unified data format and store it in the history information storage unit 133.

  The detection rule generation unit 204 generates a detection rule for detecting an event included in a component related to the occurred failure. The symptom storage unit 205 stores a symptom in which predetermined additional information is added to the generated detection rule. As additional information, information on recommended actions at the time of failure detection, message information including various comments, and the like are added.

  The event selection accepting unit 207 accepts selection of an event included in a component related to the occurred failure as a selection from an event list or the like, for example. The partial configuration information extraction unit 208 extracts, from the system configuration information acquired by the configuration information acquisition unit 202, partial configuration information that is system configuration information related to the component that has sent the event whose selection is received by the event selection reception unit 207. The extracted partial configuration information also includes related information including a dependency relationship between the component that sent the event that received the selection as a failure occurrence event and the other components among the components constituting the system. For example, information related to the application server as a component and database, link information, and the like are also included.

  The configuration of the symptom including the partial configuration information in the failure event detection apparatus 1 according to the second embodiment of the present invention is the same as that of the first embodiment, and is the same as the configuration shown in FIG. That is, by adding information on the dependency relationship between the application server A and the database B, which are components, to the conventional symptom, the dependency relationship between components can be taken into account as a symptom for detecting a failure event. Therefore, the detection accuracy of the event where the failure has occurred can be improved.

  The symptom update unit 209 adds the partial configuration information extracted by the partial configuration information extraction unit 208 to the corresponding symptom and stores it. That is, the partial configuration information becomes additional information. The partial configuration information presentation unit 210 presents the partial configuration information extracted by the partial configuration information extraction unit 208 on the display device 23. The update reception unit 211 receives an update of the presented partial configuration information. Accordingly, the user can surely generate the adapted partial configuration information by changing the presented partial configuration information to a desired configuration.

  FIG. 8 is an exemplary diagram of a screen 80 presented on the display device 23 by the partial configuration information presentation unit 210. In the topology diagram display area 81, a topology diagram showing the dependency relationship of the components included in the monitored system 200 is displayed. The symptom list display area 82 displays a list of symptoms stored in the symptom database 131. For example, when the selection of a symptom to be applied to the detection of a failure event is received from the symptom group displayed in the symptom list display area 82, the partial configuration information added to the selected symptom is a partial configuration. It is displayed in the information display area 83.

  Among the components displayed in the topology diagram display area 81, the components that match the partial configuration information displayed in the partial configuration information display area 83 are highlighted when the selection of the symptom is accepted. In FIG. 8, the display color of the part corresponding to the symptom that has been selected and the partial configuration information added to the symptom is changed and displayed. The highlighting method is not particularly limited, and the luminance may be changed.

  The degree-of-match calculation unit 701 compares the system configuration information acquired by the configuration information acquisition unit 202 with the partial configuration information stored in the symptom update unit 209 and stored in the symptom database 131. The degree of coincidence of the two is calculated for each partial configuration information.

  The symptom extraction unit 702 extracts the symptom to be applied by the event detection unit 206 based on the coincidence degree calculated by the coincidence degree calculation unit 701. In other words, by increasing the application priority of a symptom having a high degree of coincidence, the detection accuracy of an event in which a failure has occurred is increased.

  The event detection unit 206 detects the event in which the failure has occurred by sequentially applying the symptom having a high degree of coincidence. It is possible to improve the detection accuracy of an event that has occurred.

  FIG. 9 is a flowchart showing a procedure of symptom extraction processing of the CPU 11 of the failure event detection apparatus 1 according to Embodiment 2 of the present invention. The CPU 11 of the failure event detection apparatus 1 acquires system configuration information including related information between components included in the monitoring target system 200 (step S901). Of course, the system configuration information may be acquired in advance and stored in the configuration information storage unit 132.

  The CPU 11 reads one symptom from the symptoms stored in the symptom database 131 (step S902), and calculates the degree of coincidence between the partial configuration information added to the read symptom and the system configuration information (step S903). . The method for calculating the degree of coincidence is not particularly limited, and one embodiment will be described later.

  The CPU 11 sorts the symptoms in ascending order of the calculated degree of coincidence (step S904), and determines whether all stored symptoms have been read (step S905). If the CPU 11 determines that there is a symptom that has not yet been read (step S905: NO), the CPU 11 reads the next symptom (step S906), returns the process to step S903, and repeats the above-described process. When the CPU 11 determines that all symptoms have been read (step S905: YES), the CPU 11 extracts the symptoms in descending order of coincidence (step S907) and applies them to the detection of the failure event.

  10 and 11 are flowcharts showing the procedure of the degree of coincidence calculation processing of the CPU 11 of the failure event detection apparatus 1 according to Embodiment 2 of the present invention. In FIG. 10, the CPU 11 of the failure event detection apparatus 1 initializes the maximum value Nmax and the minimum value Nmin of coincidence (step S1001). In the second embodiment, the maximum value Nmax is set to 100, and the minimum value Nmin is set to 0. The CPU 11 assigns the maximum value Nmax to the component and link included in the partial configuration information (step S1002). The importance of components and links can be weighted according to the allocation method.

  The CPU 11 determines whether there is a component that matches the component included in the partial configuration information added to the read symptom (step S1003). If it is determined that there is no matching component (step S1003: NO), the CPU 11 sets the minimum value Nmin as the matching degree (step S1004). That is, the coincidence degree N is 0 (zero).

  When the CPU 11 determines that there is a matching component (step S1003: YES), the CPU 11 selects one component (step S1005). The CPU 11 specifies a coefficient α to be multiplied by the component allocation value in accordance with the attribute of the selected component (step S1006). For example, α = 0.1 when the component types match, α = 0.6 when the component product names match, and α = 0.6 when the component version is upward compatible. If the versions match, it may be specified as α = 1.0.

  The CPU 11 multiplies the component allocation value by the coefficient α to calculate the component matching degree N1 (step S1007), and determines whether all matching components have been selected (step S1008). If the CPU 11 determines that there is a component that has not yet been selected (step S1008: NO), the CPU 11 selects the next component (step S1009), returns the process to step S1006, and repeats the above-described process.

  If the CPU 11 determines that all components have been selected (step S1008: YES), the CPU 11 determines whether there is a related link as shown in FIG. 11 (step S1101). When the CPU 11 determines that there is a related link (step S1101: YES), the CPU 11 selects one link (step S1102), and calculates a coefficient β by which the link allocation value is multiplied according to the attribute of the selected link. Specify (step S1103).

  For example, β = 1.0 when a link between components matches a mandatory link that must be present in order to detect the corresponding rule, and β = when a mandatory link exists indirectly. 0.6, β = 1.0 if an arbitrary link may or may not exist, β = 0.8 if an arbitrary link exists indirectly, prohibited that must not exist Β = 1.0 if no link exists, β = 0.1 if a forbidden link exists indirectly, β = 1.0 if the link types match, compatible If there is a property, it may be specified such as β = 0.8.

  The CPU 11 multiplies the link allocation value by the coefficient β to calculate the link matching degree N2 (step S1104), and determines whether or not all related links have been selected (step S1105). When the CPU 11 determines that there is an unselected link (step S1105: NO), the CPU 11 selects the next link (step S1106), returns the process to step S1103, and repeats the above-described process.

  When the CPU 11 determines that there is no related link (step S1101: NO), the CPU 11 sets the link coincidence degree N2 to 0 (zero) (step S1107), and advances the processing to step S1108. When the CPU 11 determines that all the links have been selected (step S1105: YES), the CPU 11 calculates the matching degree N of the entire partial configuration information as the sum of the matching degree N1 of the component and the matching degree N2 of the link. (Step S1108), it is determined whether or not there is a continuous link (Step S1109).

  When the CPU 11 determines that there is a continuous link (step S1109: YES), the CPU 11 adds a predetermined evaluation value N3 to the matching degree N of the entire partial configuration information (step S1110). When the CPU 11 determines that there is no continuous link (step S1109: NO), the CPU 11 skips step S1110 and ends the process.

  The above-described method for calculating the degree of coincidence will be described based on a specific example. The partial configuration information that is the basis for calculating the degree of coincidence includes two components, the application server A and the database B, and a link between the application server A and the database B. Similar to FIGS. 10 and 11, Nmax = 100 and Nmin = 0, and the importance is assumed to be application server A: database B: link = 1: 1: 3. Therefore, 20 is assigned to the application server A, 20 is assigned to the database B, and 60 is assigned to the link.

  FIG. 12 is a schematic diagram illustrating an example of calculating the degree of coincidence when the same configuration as the partial configuration information exists in the system configuration information. In the example of FIG. 12, since the application server A and the database B2 which are the same components exist, the degree of coincidence between the components is “20”, and there is also a link between the application server A and the database B. For this reason, the matching degree of the link is also “60”. Accordingly, the degree of coincidence N of the partial configuration information shown in FIG. 12 is 20 + 20 + 60 = 100.

  FIG. 13 is a schematic diagram illustrating an example of calculating the degree of coincidence when the link of the partial configuration information exists indirectly in the system configuration information. In the example of FIG. 13, since the application server A and the database B1 which are the same components exist, the degree of coincidence between the components is “20”, but the link between the application server A and the database B is the component. Since the link is an indirect link via K, the degree of matching N2 = 0.6 × 60 = 36. Accordingly, the coincidence degree N of the partial configuration information shown in FIG. 13 is 20 + 20 + 36 = 76.

  FIG. 14 is a schematic diagram illustrating an example of calculating the degree of coincidence when the same component as the partial configuration information exists but no link exists. In the example of FIG. 14, since the application server A and the database B1 which are the same components exist, the degree of coincidence of the components is “20”, but there is a link between the application server A and the database B1. As a result, the matching degree of the link is “0”. Accordingly, the degree of coincidence N of the partial configuration information shown in FIG. 14 is 20 + 20 + 0 = 40.

  FIG. 15 is a schematic diagram illustrating an example of calculating the coincidence when the same component as the partial configuration information does not exist. In the example of FIG. 15, since the same component does not exist, the degree of coincidence between the components is “0”. Naturally, there is no link between the application server A and the database B. The degree of coincidence is also “0”. Accordingly, the degree of coincidence N of the partial configuration information shown in FIG.

  As described above, according to the second embodiment, the symptom corresponding to the partial configuration information having a high degree of coincidence calculated by comparing the acquired system configuration information with the partial configuration information stored in addition to the symptom. Can be used to detect the event in which the failure has occurred, and the root cause of the failure can be identified efficiently without applying unnecessary symptoms.

(Embodiment 3)
Since the configuration of the fault event detection apparatus 1 including the apparatus that supports the detection of the fault event according to the third embodiment of the present invention is the same as that of the first and second embodiments, the same reference numerals are used for the details. The detailed explanation is omitted. In the third embodiment, the degree of matching between the extracted partial configuration information and the partial configuration information included in the symptom used to identify the event group is calculated, and the symptom detection result is evaluated. This is different from the first and second embodiments.

  FIG. 16 is a functional block diagram of the failure event detection apparatus 1 according to Embodiment 3 of the present invention. The configuration information extraction unit 201 extracts system configuration information including related information between components included in the monitoring target system 200 and stores the extracted system configuration information in the configuration information storage unit 132. The system configuration information including related information between components is, for example, connection relationship information in communication between components, link relationship information regarding a relationship between operation and non-operation, and the like. Note that the configuration information extraction unit 201 is not an essential configuration requirement of the present invention, and system configuration information may be generated in the configuration information storage unit 132 in advance, or may be built in the failure event detection apparatus 1. It is not necessary. That is, the configuration information extraction unit 201 and the configuration information storage unit 132 are not essential configuration requirements of the failure event detection apparatus 1 according to Embodiment 3 of the present invention.

  The configuration information acquisition unit 202 acquires system configuration information stored in the configuration information storage unit 132. The system configuration information is stored in the configuration information storage unit 132 in association with each monitoring target system 200, and corresponding system configuration information is acquired according to the monitoring target system 200.

  The history information collection unit 203 constantly monitors the monitoring target system 200, and includes history information including failure information such as log information output from each component included in the monitoring target system 200 and / or event information output when a failure occurs. Are collected and stored in the history information storage unit 133. The log information is not limited to a system log or the like that is always output, and may include message information or the like that is output by interrupt processing or the like when a failure occurs.

  Note that the history information collected by the history information collection unit 203 often has a different data format, and may not be used as basic information for identifying an event that is a candidate event that has failed. Can occur. Therefore, it is desirable to provide a data format conversion unit 212 and convert it into a standard unified data format and store it in the history information storage unit 133.

  The detection rule generation unit 204 generates a detection rule for detecting an event included in a component related to the occurred failure. The symptom storage unit 205 stores a symptom in which predetermined additional information is added to the generated detection rule. As additional information, information on recommended actions at the time of failure detection, message information including various comments, and the like are added.

  The event selection accepting unit 207 accepts selection of an event included in a component related to the occurred failure as a selection from an event list or the like, for example. The partial configuration information extraction unit 208 extracts, from the system configuration information acquired by the configuration information acquisition unit 202, partial configuration information that is system configuration information related to the component that has sent the event whose selection is received by the event selection reception unit 207. The extracted partial configuration information also includes related information including a dependency relationship between the component that sent the event that received the selection as a failure occurrence event and the other components among the components constituting the system. For example, information related to the application server as a component and database, link information, and the like are also included.

  The configuration of the symptom including the partial configuration information in the failure event detection apparatus 1 according to the third embodiment of the present invention is the same as that of the first embodiment, and is the same as the configuration shown in FIG. That is, by adding information on the dependency relationship between the application server A and the database B, which are components, to the conventional symptom, the dependency relationship between components can be taken into account as a symptom for detecting a failure event. Therefore, the detection accuracy of the event where the failure has occurred can be improved.

  The symptom update unit 209 adds the partial configuration information extracted by the partial configuration information extraction unit 208 to the corresponding symptom and stores it. That is, the partial configuration information becomes additional information. The partial configuration information presentation unit 210 presents the partial configuration information extracted by the partial configuration information extraction unit 208 on the display device 23. The update reception unit 211 receives an update of the presented partial configuration information. Accordingly, the user can surely generate the adapted partial configuration information by changing the presented partial configuration information to a desired configuration.

  Since the screen 80 presented to the display device 23 by the partial configuration information presentation unit 210 is the same as that in the second embodiment, detailed description thereof is omitted.

  The event group identification unit 1601 identifies an event group that matches a stored symptom based on the history information collected by the history information collection unit 203 and the symptom stored in the symptom database 131. The extraction unit 1602 extracts partial configuration information including related information between the component that transmitted each event group identified by the event group identification unit 1601 and other components.

  The fitness calculation unit 1603 includes the partial configuration information extracted by the extraction unit 1602 and the partial configuration included in the symptom stored in the symptom database 131 used to identify the event group by the event group identification unit 1601. The degree of fitness with information is calculated. If a symptom having a high fitness is detected, it can be determined that the possibility of erroneous detection of an event in which a failure has occurred is low. Further, it is possible to detect an event in which a failure has occurred with a certain degree of accuracy without depending on the skill level of symptom application by the user. In other words, the event detection unit 206 applies a symptom having a high degree of fitness to detect an event in which a failure has occurred, thereby reducing the possibility of erroneous detection of the event in which the failure has occurred, and detecting the failure occurrence event. Can be increased.

  The presenting unit 1604 presents the applied symptom, the partial configuration information added to the symptom, and the calculated fitness of the symptom to the display device 23. Thereby, by not only presenting the application results of symptoms in the order of application but also presenting them in the order of high fitness, it is possible to reduce the possibility that the erroneous detection result of the failure event is displayed on the display device 23, It is possible to display in order from the symptom with high event detection accuracy.

  FIG. 17 is an exemplary diagram of a screen 160 presented on the display device 23 by the presentation unit 1604. In the topology diagram display area 161, a topology diagram showing the dependency relationship of components included in the monitoring target system 200 is displayed. The event list display area 162 displays a list of events included in the monitoring target system 200. When the event selection accepting unit 207 accepts a selection of an event included in a component related to the failure that has occurred from the event group displayed in the event list display area 162, the event and the dependency relationship that received the selection are displayed. The event you have is highlighted. In FIG. 17, the display color of the event that has received the selection and the event having the dependency relationship is changed and displayed. The highlighting method is not particularly limited, and the luminance may be changed.

  The symptom list display area 163 displays a list of symptoms detected based on the detection rule, and the partial configuration information display area 164 displays partial configuration information added to the applied symptom. The degree of conformity is calculated by comparing the partial configuration information displayed in the partial configuration information display area 164 with the partial configuration information displayed in the topology diagram display area 161 upon acceptance of the selection of the event group. The calculated fitness is presented in the corresponding symptom column in the symptom list display area 163.

  FIG. 18 is a flowchart showing the procedure of the failure detection process of the CPU 11 of the failure event detection apparatus 1 according to the third embodiment of the present invention. The CPU 11 of the failure event detection apparatus 1 acquires system configuration information including related information between components included in the monitoring target system 200 (step S1801). Of course, the system configuration information may be acquired in advance and stored in the configuration information storage unit 132.

  The CPU 11 collects log information of the monitoring target system 200 and / or history information including failure information output from each component when a failure occurs (step S1802), and stores it in the history information storage unit 133 (step S1803). Based on the collected history information and the symptom stored in the symptom database 131, the CPU 11 identifies an event group that matches the stored symptom (step S1804).

  The CPU 11 extracts the partial configuration information including the related information between the component that sent each of the specified event group and the other component (step S1805), and specifies the extracted partial configuration information and the event group. The degree of matching with the partial configuration information added to the symptom stored in the symptom database 131 applied to is calculated (step S1806). The calculation method of the fitness is not particularly limited, and one embodiment will be described later.

  The CPU 11 presents the applied symptom, the partial configuration information added to the symptom, and the calculated fitness of the symptom to the display device 23 (step S1807). Thereby, the user can visually confirm the results presented in descending order of the symptom suitability.

  19 and 20 are flowcharts showing the procedure of the fitness level calculation processing of the CPU 11 of the failure event detection apparatus 1 according to Embodiment 3 of the present invention. In FIG. 19, the CPU 11 of the failure event detection apparatus 1 initializes the maximum value Pmax and the minimum value Pmin of the fitness (step S1901). In the third embodiment, the maximum value Pmax is set to 100 and the minimum value Pmin is set to 0. The CPU 11 assigns the maximum value Pmax to the components and links included in the partial configuration information (step S1902). The importance of components and links can be weighted according to the allocation method.

  The CPU 11 determines whether there is a component that matches the component included in the partial configuration information added to the read symptom (step S1903). When determining that there is no matching component (step S1903: NO), the CPU 11 sets the minimum value Pmin as the fitness (step S1904). That is, the fitness P is 0 (zero).

  If the CPU 11 determines that there is a matching component (step S1903: YES), the CPU 11 selects one component (step S1905). The CPU 11 specifies a coefficient α to be multiplied by the component allocation value in accordance with the attribute of the selected component (step S1906). For example, α = 0.1 when the component types match, α = 0.6 when the component product names match, and α = 0.6 when the component version is upward compatible. If the versions match, it may be specified as α = 1.0.

  The CPU 11 multiplies the component allocation value by the coefficient α to calculate the component suitability P1 (step S1907), and determines whether all matching components have been selected (step S1908). If the CPU 11 determines that there is a component that has not yet been selected (step S1908: NO), the CPU 11 selects the next component (step S1909), returns the process to step S1906, and repeats the above-described process.

  If the CPU 11 determines that all components have been selected (step S1908: YES), the CPU 11 determines whether there is a related link as shown in FIG. 20 (step S2001). When the CPU 11 determines that there is a related link (step S2001: YES), the CPU 11 selects one link (step S2002), and calculates the coefficient β by which the link allocation value is multiplied according to the attribute of the selected link. Specify (step S2003).

  For example, β = 1.0 when a link between components matches a mandatory link that must be present in order to detect the corresponding rule, and β = when a mandatory link exists indirectly. 0.6, β = 1.0 if an arbitrary link may or may not exist, β = 0.8 if an arbitrary link exists indirectly, prohibited that must not exist Β = 1.0 if no link exists, β = 0.1 if a forbidden link exists indirectly, β = 1.0 if the link types match, compatible If there is a property, it may be specified such as β = 0.8.

  The CPU 11 multiplies the link allocation value by the coefficient β to calculate the link fitness P2 (step S2004), and determines whether all related links have been selected (step S2005). When the CPU 11 determines that there is an unselected link (step S2005: NO), the CPU 11 selects the next link (step S2006), returns the process to step S2003, and repeats the above-described process.

  When the CPU 11 determines that there is no related link (step S2001: NO), the CPU 11 sets the link fitness P2 to 0 (zero) (step S2007), and advances the processing to step S2008. When the CPU 11 determines that all links have been selected (step S2005: YES), the CPU 11 calculates the fitness P of the entire partial configuration information as the sum of the component fitness P1 and the link fitness P2. (Step S2008), it is determined whether or not there is a continuous link (Step S2009).

  When the CPU 11 determines that there is a continuous link (step S2009: YES), the CPU 11 adds a predetermined evaluation value P3 to the matching degree P of the entire partial configuration information (step S2010). When the CPU 11 determines that there is no continuous link (step S2009: NO), the CPU 11 skips step S2010 and ends the process.

  The above-described method for calculating the fitness will be described based on a specific example. The partial configuration information added to the symptom that is the basis for calculating the fitness has two components, the application server A and the database B, and a link between the application server A and the database B. Similarly to FIGS. 19 and 20, Pmax = 100 and Pmin = 0, and the importance is set to application server A: database B: link = 1: 1: 3. Therefore, 20 is assigned to the application server A, 20 is assigned to the database B, 60 is assigned to the link, and Pmax is assigned.

  FIG. 21 is a schematic diagram for explaining the concept of the degree of matching between the partial configuration information added to the symptom and the system configuration information. In the system configuration information, there are two links, application server A1 and database B1, application server A2 and database B2, and it is assumed that the link attributes and attributes of application server A and database B are the same.

  In this case, it is determined that the link 2101 between the application server A1 and the database B1 and the link 2102 between the application server A2 and the database B2 are similar because the partial configuration information added at the time of symptom generation has the same attribute. Is done. Therefore, in this case, the fitness P is calculated as a large value.

  On the other hand, the link 2103 between the application server A1 and the database B2 and the link 2104 between the application server A2 and the database B1 have the same component attributes but are different from the partial configuration information added at the time of symptom generation. Therefore, in this case, the fitness P is calculated as a small value.

  FIG. 22 is a schematic diagram illustrating a fitness calculation example in the case where the same configuration as the partial configuration information added at the time of symptom generation exists in the system configuration information. In the example of FIG. 22, since the application server A1 and the database B1 and the application server A2 and the database B2 which are the same components exist, the compatibility of the components is “20”, and the application server A and the database B There is a link 2101 between the application server A1 and the database B1, which has the same attribute as the link between them. Therefore, since the link fitness is “60”, the fitness P of the partial configuration information shown in FIG. 22 is 20 + 20 + 60 = 100.

  FIG. 23 is a schematic diagram illustrating a fitness calculation example in a case where a link of partial configuration information added at the time of symptom generation indirectly exists in the system configuration information. In the example of FIG. 23, since the application server A1 and the database B1 and the application server A2 and the database B2 that are the same components exist, the fitness of the components is “20”. On the other hand, although there is no link having the same attribute as the link between the application server A and the database B, the application server A1 and the database B1 have a link 2301 through the other component C1. Therefore, the fitness P2 of these links is 0.6 × 60 = 36. Therefore, the fitness P of the partial configuration information shown in FIG. 23 is 20 + 20 + 36 = 76.

  FIG. 24 is a schematic diagram illustrating a fitness calculation example in the case where the same component as the partial configuration information added at the time of symptom generation exists but no link exists. In the example of FIG. 24, since the application server A1 and the database B1 and the application server A2 and the database B2 which are the same components exist, the compatibility of the components is “20”. On the other hand, there is no link having the same attribute as the link between the application server A and the database B, and there is a link 2103 between the application server A1 and the database B2. Accordingly, since the fitness P2 of these links is 0, the fitness P of the partial configuration information shown in FIG. 24 is 20 + 20 + 0 = 40.

  As described above, according to the third embodiment, by adding the partial configuration information to the symptom, the extracted partial configuration information and the event group are specified while maintaining high detection accuracy of the event in which the failure has occurred. Since the degree of matching with the partial configuration information included in the symptom applied to the above can be calculated, the objectively detected result can be evaluated without being influenced by the degree of skill of the user. Further, since the calculated fitness can be presented together with the partial configuration information, the detected result can be objectively evaluated without being influenced by the skill level of the user.

(Embodiment 4)
The configuration of the failure event detection apparatus 1 including the apparatus that supports the detection of the failure event according to the fourth embodiment of the present invention is the same as that of the first to third embodiments. The detailed explanation is omitted. The fourth embodiment is different from the first to third embodiments in that the partial configuration information is added to the symptom together with the information regarding the correctness of the detection result.

  FIG. 25 is a functional block diagram of the failure event detection apparatus 1 according to Embodiment 4 of the present invention. The configuration information extraction unit 201 extracts system configuration information including related information between components included in the monitoring target system 200 and stores the extracted system configuration information in the configuration information storage unit 132. The system configuration information including related information between components is, for example, connection relationship information in communication between components, link relationship information regarding a relationship between operation and non-operation, and the like. Note that the configuration information extraction unit 201 is not an essential configuration requirement of the present invention, and system configuration information may be generated in the configuration information storage unit 132 in advance, or may be built in the failure event detection apparatus 1. It is not necessary. That is, the configuration information extraction unit 201 and the configuration information storage unit 132 are not essential configuration requirements of the failure event detection apparatus 1 according to Embodiment 4 of the present invention.

  The configuration information acquisition unit 202 acquires system configuration information stored in the configuration information storage unit 132. The system configuration information is stored in the configuration information storage unit 132 in association with each monitoring target system 200, and corresponding system configuration information is acquired according to the monitoring target system 200.

  The history information collection unit 203 constantly monitors the monitoring target system 200, and includes history information including failure information such as log information output from each component included in the monitoring target system 200 and / or event information output when a failure occurs. Are collected and stored in the history information storage unit 133. The log information is not limited to a system log or the like that is always output, and may include message information or the like that is output by interrupt processing or the like when a failure occurs.

  Note that the history information collected by the history information collection unit 203 often has a different data format, and may not be used as basic information for identifying an event that is a candidate event that has failed. Can occur. Therefore, it is desirable to provide a data format conversion unit 212 and convert it into a standard unified data format and store it in the history information storage unit 133.

  The detection rule generation unit 204 generates a detection rule for detecting an event included in a component related to the occurred failure. The symptom storage unit 205 stores a symptom in which predetermined additional information is added to the generated detection rule. As additional information, information on recommended actions at the time of failure detection, message information including various comments, and the like are added.

  The event selection accepting unit 207 accepts selection of an event included in a component related to the occurred failure as a selection from an event list or the like, for example. The partial configuration information extraction unit 208 extracts, from the system configuration information acquired by the configuration information acquisition unit 202, partial configuration information that is system configuration information related to the component that has sent the event whose selection is received by the event selection reception unit 207. The extracted partial configuration information also includes related information including a dependency relationship between the component that sent the event that received the selection as a failure occurrence event and the other components among the components constituting the system. For example, information related to the application server as a component and database, link information, and the like are also included.

  The configuration of the symptom including the partial configuration information in the failure event detection apparatus 1 according to the fourth embodiment of the present invention is the same as that of the first embodiment, and is the same as the configuration shown in FIG. That is, by adding information on the dependency relationship between the application server A and the database B, which are components, to the conventional symptom, the dependency relationship between components can be taken into account as a symptom for detecting a failure event. Therefore, the detection accuracy of the event where the failure has occurred can be improved.

  The symptom update unit 209 adds the partial configuration information extracted by the partial configuration information extraction unit 208 to the corresponding symptom and stores it. That is, the partial configuration information becomes additional information. The partial configuration information presentation unit 210 presents the partial configuration information extracted by the partial configuration information extraction unit 208 on the display device 23. The update reception unit 211 receives an update of the presented partial configuration information. Accordingly, the user can surely generate the adapted partial configuration information by changing the presented partial configuration information to a desired configuration.

  Since the screen 80 presented to the display device 23 by the partial configuration information presentation unit 210 is the same as that in the second embodiment, detailed description thereof is omitted.

  In the fourth embodiment of the present invention, it is assumed that the symptom to which the partial configuration information is added and the symptom to which the partial configuration information is not added as in the past are stored in the symptom database 131 in a mixed manner. And Therefore, when applying a symptom to which partial configuration information is added, it goes without saying that an equivalent effect can be obtained by adopting the same configuration as in the first to third embodiments.

  Therefore, in the fourth embodiment, as in the third embodiment, the event group specifying unit 1601 is stored based on the history information collected by the history information collecting unit 203 and the symptom stored in the symptom database 131. The event group matching the symptom is identified, and the extraction unit 1602 extracts partial configuration information including related information between the component that transmitted each event group identified by the event group identification unit 1601 and other components. .

  Then, the event detection unit 206 detects the event in which the failure has occurred by applying the partial configuration information extracted by the extraction unit 1602 and the symptom that is the basis for specifying the event group. The correct / incorrect information acquisition unit 2501 acquires correct / incorrect information regarding whether or not the detection result in the event detection unit 206 is correct, that is, whether or not an event in which a failure has occurred is normally detected.

  The updating unit 2502 updates the symptom using the acquired correct / incorrect information and the extracted partial configuration information as additional information of the symptom that is the basis of event group identification. Thereby, partial configuration information can be added together with correct / incorrect information to a symptom having no partial configuration information.

  The correct / incorrect information acquisition unit 2501 may be the correct / incorrect information reception unit 2503 that receives an input of the correct / incorrect determination result by the user. In this case, the result of determining whether or not the failure occurrence event displayed on the screen is correct is received by a click operation using a mouse or the like such as a “confirm” button or a “correct” button.

  Alternatively, as in the third embodiment, the degree of conformity may be calculated and a correct / incorrect determination may be made according to whether the value is greater than a predetermined value. In this case, the fitness calculation unit 2504 is included in the partial configuration information extracted by the extraction unit 1602 and the symptom stored in the symptom database 131 used to identify the event group by the event group identification unit 1601. The degree of matching with the existing partial configuration information is calculated. When a symptom having a high fitness is detected, it can be determined that the possibility of erroneous detection in failure determination is low. In addition, it is possible to determine a failure with a certain accuracy without being influenced by the skill level of symptom application by the user. That is, the event detection unit 206 can reduce the possibility of erroneous detection and increase the detection accuracy of a failure occurrence event by detecting a failure occurrence event by applying a symptom having a high degree of fitness.

  The fitness level determination unit 2505 determines whether or not the calculated fitness level is greater than a predetermined value. If the fitness level determination unit 2505 determines that the fitness level is greater than the predetermined value, the update unit 2502 normally adds the partial configuration information extracted by the extraction unit 1602. When it is determined that the normal detection configuration information to which the information indicating detection is added is equal to or less than a predetermined value, the update unit 2502 indicates that the partial configuration information extracted by the extraction unit 1602 is erroneously detected. The symptom database 131 is updated by adding the misdetection configuration information to which the symptom is added to the symptom. Accordingly, the failure occurrence event can be detected with higher accuracy by preferentially applying the symptom having the partial configuration information to which the information indicating that the detection is normally performed is added.

  FIG. 26 is a flowchart showing a procedure of failure detection processing of the CPU 11 of the failure event detection apparatus 1 according to Embodiment 4 of the present invention. The CPU 11 of the failure event detection apparatus 1 acquires system configuration information including related information between components included in the monitoring target system 200 (step S2601). Of course, the system configuration information may be acquired in advance and stored in the configuration information storage unit 132.

  The CPU 11 collects log information of the monitoring target system 200 and / or history information including failure information output from each component when a failure occurs (step S2602) and stores the history information in the history information storage unit 133 (step S2603). Based on the collected history information and the symptom stored in the symptom database 131, the CPU 11 identifies an event group that matches the stored symptom (step S2604).

  The CPU 11 extracts the partial configuration information including the related information between the component that transmitted each of the identified event groups and the other components (step S2605), and the symptom that matches the failure that has occurred in the monitoring target system is normal. An input of a determination result as to whether or not it has been detected is received (step S2606). The CPU 11 determines whether or not the received determination result is a determination result indicating that it has been detected normally (step S2607).

  When the CPU 11 determines that the received determination result indicates that it has been detected normally (step S2607: YES), the CPU 11 adds information indicating that it has been detected normally to the partial configuration information. The symptom database 131 is updated by adding the information to the applied symptom (step S2608). When the CPU 11 determines that the received determination result indicates that it has not been detected normally (step S2607: NO), the CPU 11 adds an error detection information to the partial configuration information. The symptom database 131 is updated by adding information to the applied symptom (step S2609). Thereby, it is possible to generate a symptom to which partial configuration information is added together with information indicating whether or not the detection result is normally detected.

  Thus, even if a symptom is not added with partial configuration information at the time of symptom generation, when a normal detection configuration information is newly added, a fault occurrence event can be detected correctly by applying the symptom. Is guaranteed. In addition, when erroneous detection configuration information is newly added, the possibility of correctly detecting a failure event can be increased by reducing the possibility of applying the symptom.

  Similarly to the second embodiment, the acquired system configuration information is compared with normal detection configuration information or false detection configuration information added to the symptom, and the degree of coincidence between the two is stored for each stored partial configuration information. , It is possible to prioritize the symptom to be applied. In this case, as in the second embodiment, a coincidence degree calculation unit 701 and a symptom extraction unit 702 are provided, and the CPU 11 stores the system configuration information acquired by the configuration information acquisition unit 202 and the symptom added by the update unit 2502. The normal detection configuration information or the erroneous detection configuration information is compared, and the degree of coincidence between the two is calculated for each normal detection configuration information or erroneous detection configuration information.

  With respect to the normal detection configuration information, by applying the symptom by increasing the application priority of the symptom having a high degree of coincidence, the detection accuracy of the event in which the failure has occurred can be improved. For erroneous detection configuration information, the detection accuracy of an event in which a failure has occurred can be increased by lowering the application priority of a symptom having a high degree of coincidence. Further, for a symptom that is erroneous detection configuration information and has a high degree of coincidence, the detection result when applied as a symptom can be used as a detection result for erroneous detection.

  Further, when false detection configuration information is added, the suitability of the detection result can be reduced by calculating the fitness of the detection result as in the third embodiment. For example, the CPU 11 calculates the fitness between the partial configuration information extracted by the extraction unit 1602 and the partial configuration information included in the symptom applied to specify the event group by the event group specifying unit 1601. When the fitness level calculated by the unit 2504 and the fitness level calculated by the fitness level determination unit 2505 is determined to be larger than the predetermined value, it is determined as misdetected configuration information, for example, the evaluation value is subtracted, the priority is lowered, etc. By performing this process, it is possible to reliably remove a symptom having a high fitness from a symptom candidate to be applied for detecting a failure event. As a result, it is possible to improve the detection accuracy of the failure event.

  A plurality of normal detection configuration information and erroneous detection configuration information may be added to one symptom. FIG. 27 is a view showing an example of the data configuration of the symptom database 131 to which normal detection configuration information and erroneous detection configuration information are added. As shown in FIG. 27, a plurality of normal detection configuration information 271 and a plurality of erroneous detection configuration information 272 are added in association with one symptom 273, respectively.

  For example, when a plurality of normal detection configuration information 271, 271,... Are associated with one symptom, the count for counting the number of times added to each of the normal detection configuration information 271, 271,. A part (not shown) is provided, and partial configuration information with a large number of additions is preferentially applied. By doing so, it is possible to preferentially apply the partial configuration information that is determined to have been normally detected, and to improve the detection accuracy of the event in which the failure has occurred.

  On the other hand, when a plurality of erroneous detection configuration information 272, 272,... Is associated with one symptom, the number of times added to each of the erroneous detection configuration information 272, 272,. With a counting unit (not shown), partial configuration information with a large number of times determined to be erroneous detection is applied to partial configuration information with a large number of added times by performing processing such as lowering the application priority. The possibility of failure can be reduced, and the detection accuracy of an event in which a failure has occurred can be increased.

  As described above, according to the fourth embodiment, even when the symptom does not hold the partial configuration information, the partial configuration information can be added to the symptom according to the detection result of the failure occurrence event. Therefore, it is possible to easily determine which symptom should be preferentially used based on the added partial configuration information, and it is possible to improve the detection accuracy of the failure event. Also, by storing the partial configuration information when a fault occurrence event is detected by mistake, it is possible to present the degree of conformity with the partial configuration information used at the time of erroneous detection. Ranking can be performed with higher accuracy.

  The present invention is not limited to the above-described embodiments, and various changes and improvements can be made within the scope of the present invention. For example, a storage device of an external computer connected to the failure event detection device according to the present embodiment via a network includes a symptom database, a configuration information storage unit, and a history information storage unit, and various types of information are stored as necessary. You may make it read and write.

It is a block diagram which shows the structural example of the failure event detection apparatus which concerns on Embodiment 1 of this invention. It is a functional block diagram of the failure event detection apparatus according to Embodiment 1 of the present invention. It is an illustration figure of the structure of the symptom including the partial structure information in the failure event detection apparatus which concerns on Embodiment 1 of this invention. It is an illustration figure of the screen shown on a display apparatus by the partial structure information presentation part. It is an illustration figure of the partial structure information memorize | stored. It is a flowchart which shows the procedure of the addition process of the partial structure information of CPU of the failure event detection apparatus which concerns on Embodiment 1 of this invention. It is a functional block diagram of the failure event detection apparatus which concerns on Embodiment 2 of this invention. It is an illustration figure of the screen shown on a display apparatus by the partial structure information presentation part. It is a flowchart which shows the procedure of the symptom extraction process of CPU of the failure event detection apparatus which concerns on Embodiment 2 of this invention. It is a flowchart which shows the procedure of the calculation process of the matching degree of CPU of the failure event detection apparatus which concerns on Embodiment 2 of this invention. It is a flowchart which shows the procedure of the calculation process of the matching degree of CPU of the failure event detection apparatus which concerns on Embodiment 2 of this invention. It is a schematic diagram which shows the coincidence degree calculation example when the same configuration as the partial configuration information exists in the system configuration information. It is a schematic diagram which shows the example of a coincidence calculation when the link of partial structure information exists indirectly in system structure information. It is a schematic diagram which shows the example of a coincidence calculation when the component same as partial structure information exists, but a link does not exist. It is a schematic diagram which shows the coincidence degree calculation example when the component same as partial structure information does not exist. It is a functional block diagram of the failure event detection apparatus which concerns on Embodiment 3 of this invention. It is an illustration figure of the screen shown on a display apparatus by a presentation part. It is a flowchart which shows the procedure of the failure detection process of CPU of the failure event detection apparatus which concerns on Embodiment 3 of this invention. It is a flowchart which shows the procedure of the calculation process of the matching degree of CPU of the failure event detection apparatus which concerns on Embodiment 3 of this invention. It is a flowchart which shows the procedure of the calculation process of the matching degree of CPU of the failure event detection apparatus which concerns on Embodiment 3 of this invention. It is a schematic diagram explaining the concept of the adaptability of the partial configuration information added to the symptom and the system configuration information. It is a schematic diagram which shows the adaptation calculation example in case the same structure as the partial structure information added at the time of symptom production | generation exists in system structure information. It is a schematic diagram which shows the example of a fitness calculation in case the link of the partial structure information added at the time of symptom production | generation exists indirectly in system structure information. It is a schematic diagram which shows the example of a coincidence calculation when the component same as the partial structure information added at the time of symptom generation exists but a link does not exist. It is a functional block diagram of the failure event detection apparatus which concerns on Embodiment 4 of this invention. It is a flowchart which shows the procedure of the failure detection process of CPU of the failure event detection apparatus which concerns on Embodiment 4 of this invention. It is an illustration figure of the data structure of the symptom database to which normal detection structure information and false detection structure information were added.

Explanation of symbols

1 Failure Event Detection Device 11 CPU
12 memory 13 storage device 14 I / O interface 15 communication interface 16 video interface 17 portable disk drive 18 internal bus 23 display device 90 portable recording medium 100 computer program 131 symptom database 132 configuration information storage unit 133 history information storage unit

Claims (6)

A history information collection unit system log information Homata that collects historical information of the system including any of the failure information output from each component upon occurrence of a failure in the system that includes at least a plurality of components,
Symptom storage means for storing a symptom in which predetermined additional information is added to a detection rule for detecting an event included in the component related to the failure that has occurred,
An event group specifying means for specifying an event group that matches the symptom based on the collected history information and the stored symptom;
Extraction means for extracting partial configuration information, which is system configuration information including related information between the component that sent each of the event groups and other components, based on the identified event groups;
Correct / incorrect information acquisition means for acquiring correct / incorrect information regarding whether or not an event in which a failure has occurred has been normally detected based on the identified event group and the extracted partial configuration information;
An update unit that updates the symptom that is the basis for specifying the event group based on the acquired correct / incorrect information and the extracted partial configuration information. Comprising system configuration information acquisition means for acquiring system configuration information which is configuration information of the system;
The symptom storage means adds partial configuration information as additional information to the symptom, which is system configuration information related to a component that has transmitted the event that is the basis of the stored symptom among the acquired system configuration information. The apparatus of claim 1. Collecting history information of the system including either log information of a system including at least a plurality of components or failure information output from each component when a failure occurs in the system;
  Storing a symptom in which predetermined additional information is added to a detection rule for detecting an event included in the component related to the failure that has occurred;
  Identifying a group of events that match the symptom based on collected history information and stored symptoms;
  Extracting partial configuration information, which is system configuration information including related information between the component that sent each of the event groups and other components, based on the identified event groups;
  Acquiring correct / incorrect information regarding whether or not an event in which a failure has occurred has been normally detected based on the identified event group and the extracted partial configuration information;
  Updating the symptom that is the basis for the event group identification based on the acquired correct / incorrect information and the extracted partial configuration information;
  Including methods. It can be run on a computer that assists in detecting a failed event in a system with multiple components,
  The computer,
  History information collection means for collecting history information of the system including at least either log information of the system or failure information output from each component when a failure occurs in the system;
  Symptom storage means for storing a symptom in which predetermined additional information is added to a detection rule for detecting an event included in the component related to the failure that has occurred,
  An event group specifying means for specifying an event group matching the symptom based on the collected history information and the stored symptom;
  Extraction means for extracting partial configuration information, which is system configuration information including related information between a component that has transmitted each event group and another component, based on the identified event group;
  Correct / incorrect information acquisition means for acquiring correct / incorrect information regarding whether or not an event in which a failure has occurred is normally detected based on the identified event group and the extracted partial configuration information, and
  Updating means for updating the symptom that is the basis for the event group identification based on the acquired correct / incorrect information and the extracted partial configuration information
  A computer program that functions as a computer program. The computer,
  Function as system configuration information acquisition means for acquiring system configuration information which is configuration information of the system,
  The symptom storage means functions as means for adding, as additional information, partial configuration information, which is system configuration information related to a component that has transmitted a stored symptom-based event, among the acquired system configuration information. The computer program according to claim 4 to be caused. History information collection means for collecting history information of the system including either log information of a system including at least a plurality of components or failure information output from each component when a failure occurs in the system;
  Symptom storage means for storing a symptom in which predetermined additional information is added to a detection rule for detecting an event included in the component related to the failure that has occurred,
  An event group specifying means for specifying an event group that matches the symptom based on the collected history information and the stored symptom;
  Extraction means for extracting partial configuration information, which is system configuration information including related information between the component that sent each of the event groups and other components, based on the identified event groups;
  A fitness calculation means for calculating a fitness between the partial configuration information extracted by the extraction means and the partial configuration information included in the symptom applied to specify the event group by the event group specification means; ,
  Determining means for determining whether the calculated fitness is greater than a predetermined value;
  When the determination means determines that the detected value is larger than the predetermined value, the normal detection configuration information obtained by adding information indicating that the partial detection information is normally detected to the partial configuration information extracted by the extraction means is determined to be equal to or less than the predetermined value. Update means for updating the symptom by adding, to the sympton, erroneous detection configuration information to which information indicating that the partial detection information is erroneously detected is added to the partial configuration information extracted by the extraction unit.
  A device comprising:

Images