JP2005141663A - Event log analysis support device, event log display method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To support event log analysis by making it possible to easily set an event log search condition and displaying the event log in association with the search condition.
An event log display screen 300 includes a search tree 310, an event map 320, and a log view 330. The search tree 310 displays the search conditions set in the hierarchical structure in a tree structure. The event map 320 displays an icon at a position corresponding to the time stamp of the event log. The log view 330 displays log contents. By moving the pointer 321 as indicated by the arrow P, the time designation of the log view 330 is continuously performed. The log view 330 performs a re-search while switching the display of log details while synchronizing with such continuous time designation. By doing this, it is possible to check the search conditions, event log occurrence frequency, log details, and the like all at once.
[Selection] Figure 10

Description

  The present invention relates to event log search and display.

  In recent years, in a network system, when a failure or the like occurs, an administrator analyzes an event log, investigates the cause of the failure, and considers a recovery measure. The event log includes information, warnings, and errors. In event log analysis, in order to extract event logs related to the occurrence of failures from a large number of event logs, specify the search conditions according to the characteristics such as failures and perform necessary searches to obtain the necessary logs. ing.

  In order to analyze event logs collected from a plurality of devices to be monitored, a technology is disclosed in which event logs of all devices to be monitored are collected together by a management device and displayed in a list on a screen. For example, in Patent Document 1, an event analysis support apparatus that displays a screen used for analyzing an event that occurred in a batch process displays the event occurrence time detected in the batch process and the execution time of the batch process in comparison. ing.

JP 2001-296916 A JP 2001-188694 A

  However, in the conventional technology, since it is difficult to take a correspondence between a search condition and a search result, it is difficult for an administrator to create an appropriate search condition for searching an event log necessary for troubleshooting. there were. In addition, there are a large number of event logs, and the number increases as the number of devices to be managed increases. Therefore, the administrator needs to set search conditions for each device to search the required event log, which is likely to be a complicated description, and the search conditions created once should be used for other searches. It was difficult.

  Further, in the technique described in Patent Document 1, since multiple types of events from managed devices are displayed in the order of arrival, if there is an event type with a high event occurrence frequency, a large number of specific events are displayed and analyzed. May be difficult. In such a case, it is difficult to set appropriate search conditions for searching for important events.

  The present invention has been made in view of the above-described problems. The event log search condition can be easily set, and the event log is displayed by associating the event log with the search condition. The purpose is to support analysis.

  In order to solve at least a part of the problems described above, the present invention has the following configuration as the first configuration. That is, in the event log analysis support device, a predetermined event log is searched from an event log collection unit that collects event logs from monitored devices, an event log storage unit that stores collected event logs, and a collected event log In the search condition and the search condition, the search condition used for performing a search on the event log searched by the predetermined search condition is a search condition subordinate to the predetermined search condition. A search condition receiving unit that receives an input, a search condition setting unit that sets a search condition in a hierarchical structure based on the input relationship, and a search unit that executes an event log search based on the event log and the search condition This is the gist.

  By adopting such a configuration, the search conditions can be used in a state of being subdivided into a hierarchical structure, so the correspondence between the search conditions and the search results can be confirmed, and a part of the search conditions, Alternatively, the whole can be easily reused, the efficiency of setting search conditions can be improved, and convenience is improved.

Hereinafter, embodiments of the present invention will be described in the following items.
A. Example:
A1. System configuration:
A2. Functional block diagram:
A3. Search result display processing:
A4. Event log collection processing:
A5. Search tree creation process:
A6. Search condition display processing:
A6-1. Event map display processing:
A6-2. Log view display processing:
A6-2. Search result display screen:
A7. Search tree editing process:
B. Variation:

A. Example:
A1. System configuration:
FIG. 1 is an explanatory diagram illustrating a system configuration in the present embodiment. The event log collection system 10 includes hosts 2000, 210, and 220 connected via a local area network LAN and an event log analysis support apparatus 100. The hosts 200 and 210 are so-called personal computers, and the host 220 is a router. The event log analysis support apparatus 100 collects event logs generated in the hosts 200, 210, and 220 at predetermined intervals as shown by thick arrows in the figure. Hereinafter, the hosts 200, 210, and 220 are collectively referred to as “monitored devices”. On the display of the event log analysis support apparatus 100, an event log display screen 300 for displaying the collected event log in association with the search condition is displayed. The event log display screen 300 includes a search tree, an event map, and a log view. The event map displays a graphic such as an icon at a position corresponding to the event occurrence time, and represents the occurrence frequency. The log view displays the contents of the event log. These will be described later.

A2. Function block:
FIG. 2 is an explanatory diagram illustrating functional blocks of the event log analysis support apparatus 100. The event log analysis support apparatus 100 includes a main control unit 101, a communication unit 102, an event collection unit 103, an event storage unit 104, a search condition setting unit 105, a search condition storage unit 106, and a hierarchical structure setting unit 107. And a search unit 108, a display control unit 109, and an input unit 110. Each of these functional blocks is configured by software and is controlled by the main control unit 101. Each functional block may be configured in hardware.

  The main control unit 101 has a function of controlling other functional blocks. The communication unit 102 functions as a so-called network interface, and exchanges information with other devices.

  The event collection unit 103 collects event logs generated in the monitoring target devices connected to the local area network LAN at predetermined intervals and stores them in the event storage unit 104. An example of the event log stored in the event storage unit 104 is also shown in the figure. As shown in the figure, the event storage unit 104 stores an event log ID, a time stamp, an event source, and log details from the left, and the event IDs are assigned in the order of the time stamps of the collected event logs. The time stamp “2003030506 115644” of the event log ID “1” represents “May 6, 2003 11:56:44”. The event source indicates the type of collected event log. For example, “syslog” indicates a system log, and “snmpttrap” indicates an SNMP event log. The log details indicate the contents of each event log.

  The input unit 110 receives various inputs from the administrator. For such input, in addition to a search condition for searching an event log including a specified character string, a search condition for searching an event log of an arbitrary event source, etc., setting information such as a higher / lower relationship between search conditions And search condition editing instructions. As such setting information, a search condition used when performing a further narrowing search with respect to a search result searched with a higher-order search condition is represented as information set with a lower-order search condition of the higher-order search condition. Therefore, the search conditions can be subdivided and set. The search condition setting unit 105 stores the search condition input via the input unit 110 in the search condition storage unit 106. The search condition setting unit 105 also has a function of editing the search condition based on the above editing instruction. The search condition editing will be described later. FIG. 3 illustrates the input contents of the search condition.

  FIG. 3 is an explanatory diagram illustrating the contents of the search condition storage unit 106 in this embodiment. As shown in the figure, the search condition storage unit 106 includes five items: a search ID, a parent search ID, an event source, a search name, and a search condition. The search ID is a unique number assigned to each input search condition. The parent search ID indicates the designation of the search ID of the upper search condition, and the event source indicates the event source to be searched. The search name is a search name arbitrarily set for each search condition in order to display the search condition on the screen in a format that can be easily understood by the administrator. The search condition indicates a character string to be searched in the event log. As the search IDs “1”, “4”, “5” indicate, when the search string is not entered in the search condition, all event logs of the event source set in the search ID are searched. It shows that

  For example, in the present embodiment, the search ID “1” has no parent search ID entered, the search name is entered “Syslog”, and the search string is also entered in the search condition. Absent. This indicates that all event logs of the event source “syslog” are searched.

  In the search ID “2”, “1” is input as the parent search ID, the event source is “syslog”, the search name is “Host01”, and the search condition is “grep“ Host01 ””. Yes. “Grep“ Host01 ”” means that an event log including a character string “Host01” is searched. Here, since “1” is set in the parent search ID, the search ID “2” is further narrowed down to the event log searched by the search condition having the search ID indicated by the parent search ID. This indicates that the search condition is a search condition for searching an event log including the character string “Host01” from all event logs of “syslog” searched by the search ID “1”. Yes.

  The other search conditions are the same. For example, the search ID “9” has the search ID “8” as the parent search ID, and the search ID “8” has the search ID “6” as the parent search ID. Further, the search ID “6” has the search ID “5” as the parent search ID. That is, the search ID “9” searches the event log searched under the search condition of the search ID “5” using the search condition of the search ID “6”. This indicates that the search is performed with the search condition “8”, and the searched event log is searched with the search condition “grep“ book ”” with the search ID “9”.

  Returning to FIG. The hierarchical structure setting unit 107 has a function of setting the search conditions stored in the search condition storage unit 106 shown in FIG. 3 to a hierarchical structure based on the set vertical relationship. The search unit 108 has a function of executing event log search according to search conditions set in a hierarchical structure. The display control unit 109 performs control to display the search condition details stored in the search condition storage unit 106 and the event log as a search result in various modes. As shown in FIG. 3, the various modes may display a list of the search condition storage unit 106, or may display the search results and the search conditions together. The administrator can confirm the details of the search condition, the hierarchical structure, etc., and convenience is improved.

A3. Search result display processing:
FIG. 4 is a flowchart for explaining search result display processing in this embodiment. The event log analysis support apparatus 100 collects event logs from the monitoring target devices (step S10). The event log collection process will be described later. Next, the event log analysis support apparatus 100 accepts input of search conditions and vertical relationships between the search conditions (step S11), and sets the search conditions in a hierarchical structure based on the input contents and creates a search tree (step) S12).

  The event log analysis support apparatus 100 performs a search based on the search conditions set in the hierarchical structure (step 13), and accepts a selection of how to display the search result (step S14). In this embodiment, there are the following three display mode options. “0: Search tree + event map”, “1: Search tree + log view”, “2: Search tree + event map + log view”. The event log analysis support apparatus 100 selects any display mode and displays the search result (step S15). The display process of each display mode will be described later.

A4. Event log collection processing:
FIG. 5 is a flowchart for explaining event log collection processing in this embodiment. This process corresponds to step S10 in FIG.

  The event log analysis support apparatus 100 collects event logs at predetermined intervals, and first refers to the time stamp at the time of the previous event log collection (step S20). Specifically, the time stamp of the event log collected last is referred for each device among the event logs collected last time.

  Next, it is confirmed that the event log can be collected by communicating with the monitored device that should collect the event log (step S21), and the event log analysis support device 100 is held in the monitored device. Referring to the time stamp of the existing event log, it is determined whether it is an event log accumulated after the previous collection (step S22). The event log analysis support apparatus 100 stores the collected event log in the event storage unit 104 (step S23).

  Next, the event log analysis support apparatus 100 determines whether event logs have been collected for all monitored devices (step S24). If not, the process returns to step S20 to collect event logs. Refer to the time stamp of the previous device to be monitored and continue the process. When event logs are collected for all monitored devices, the event log collection process is terminated.

A5. Search tree creation process:
6 and 7 are flowcharts for explaining processing for creating a search tree in this embodiment. This process corresponds to step S12 in FIG.

  The event log analysis support apparatus 100 refers to the set search conditions in the order of search ID (step S30), and extracts a search ID having no parent search ID (step S31). As shown in the figure, in the search condition storage unit 106, search IDs that do not have a parent search ID are search IDs “1”, “4”, and “5” as indicated by arrows. These extracted search IDs are set as a root node in the search tree (step S32), and the minimum search ID is selected from the search IDs indicated by the root node (step S33). In this embodiment, first, the search ID “1” is selected.

  The event log analysis support apparatus 100 refers to the search condition storage unit 106 and extracts a search ID having the search ID selected in step S33 as a parent search ID. For example, in this embodiment, search IDs “2” and “3” are extracted as search IDs having the search ID “1” as a parent search ID. Next, the extracted search ID is set as a lower node of the node of the search ID indicated by the parent search ID (step S35). As shown in the figure, search IDs [2] and [3] are set as lower nodes of the search ID [1].

  The event log analysis support apparatus 100 determines whether or not the node setting has been completed for all search conditions (step S36). If the search has not been completed, the event log analysis support apparatus 100 determines the smallest of the search conditions not set for the node. A search ID having a parent search ID is extracted (step S37), and the process returns to step S35 to repeat the process. If all the nodes have been set, the process ends. In this embodiment, since the root node is set first and then the lower nodes are set, the search tree first has [1], [4], and [5] set as the root node. 2], [3], [6], [7], [8], [9], [10] are set in this order, but the order is not limited to this order, and other processing orders may be set. good.

A6. Search condition display processing:
In the present embodiment, as described in step S14 in FIG. 4, the screen for displaying the search result can be selected from three patterns. The search result screen display process for each pattern will be described below.

A6-1. Event map display processing:
FIG. 8 is a flowchart for explaining processing for displaying an event map in the present embodiment. FIG. 4 shows search result display processing when “0: search tree + event map” is selected in step S14 of FIG.

  When “0: search tree + event map” is selected as the screen display mode, the event log analysis support apparatus 100 accepts designation of a time range to be displayed (step S40). Next, the search conditions are referred to in the order of search ID (step S41), and an event log that matches each search condition set in the hierarchical structure and the specified time range is extracted (step S42).

  The time stamp of the extracted event log is acquired (step S43) and stored in the primary storage area in association with the search ID (step S44). The primary storage area is assumed to be configured as a part of the search unit 108 of the event log analysis support apparatus 100. The event log analysis support apparatus 100 determines whether or not the search is completed under all search conditions (step S45). If the search is not completed, the process returns to step S41 and repeats the process. When the search is completed, a rectangular icon is drawn on the event map for each search ID based on the time stamp stored in the primary storage area. A search result display screen 400 is also shown in the figure.

  In the search result display screen 400, a search tree in which search conditions set in a hierarchical structure are displayed in a tree structure is arranged on the left side, and a rectangular icon 421 is placed on the right side at a position corresponding to the time stamp of the searched event log. The drawn event map 420 is arranged. A time bar 430 indicating a specified time range is displayed below the event map 420. The mapping bar 422 indicates the occurrence time of the event log searched under the search condition indicated by “Syslog” of the search name 411. “Host 01” of the search name 412 indicates an occurrence time of the event log searched by the search condition indicated by “Host 01” among the event logs searched by “Syslog” of the search name 411. Therefore, at the time when the rectangular icon is drawn on the mapping bar 423 of “Host01”, the rectangular icon is drawn at the same time of the mapping bar 422 of “Syslog”.

  With such a display, it is easy for the administrator to visually recognize the search conditions set in the hierarchical structure, and convenience is improved. In addition, since each search condition and event log of the search result can be correlated and confirmed in time series, the event log generation time and frequency for each search condition can be ascertained at a time. Improves. In this embodiment, all the icons are displayed as rectangular icons. However, the present invention is not limited to this, and the color, shape, size, and the like may be changed according to the occurrence frequency and search conditions.

A6-2. Log view display processing:
FIG. 9 is a flowchart illustrating processing for displaying a log view in the present embodiment. FIG. 4 shows search result display processing when “1: search tree + log view” is selected in step S14 of FIG.

  When “1: search tree + log view” is selected as the screen display mode, the event log analysis support apparatus 100 designates a display time (step S50). Next, the search conditions are referred to in the order of search ID (step S51), and the log view having the time stamp closest to each search condition set in the hierarchical structure and the specified time is extracted (step S52).

  The log content of the extracted event log is acquired (step S53) and stored in the primary storage area in association with the search ID (step S54). The event log analysis support apparatus 100 determines whether or not the search is completed under all the search conditions (step S55). If the search is not completed, the process returns to step S51 and repeats the process. When the search has been completed, the log contents stored in the primary storage area are drawn in the log view in association with the search conditions. A search result display screen 500 is also shown in the figure.

  In the search result display screen 500, a search tree 510 in which search conditions set in a hierarchical structure are displayed in a tree structure is arranged on the left side, and a log view 520 in which the contents of the searched event log are drawn is arranged on the right side. It has a configuration. The display designated time 521 is “2003/05/06 14: 00: 00: 00”, and the log view 520 displays the log contents of the event log closest to the designated time for each search condition. The log view 520 displays a time stamp 522 on the left side and a log detail 523 on the right side across the partition line 530.

  With such a display, event logs narrowed down by search conditions can be crossed by time and compared on the screen, making it easier to check the relevance of multiple events that occurred near the specified time, Convenience is improved. In this embodiment, the log content of the event log closest to the specified time is displayed, but the latest event log before the specified time may be displayed. Also, for example, nothing may be displayed when there is no event log during a certain time near the specified time.

A6-3. Search result display screen:
FIG. 10 is an explanatory diagram illustrating a search result display screen in the present embodiment. FIG. 4 shows a search result display screen when “2: search tree + event map + log view” is selected in step S14 of FIG.

  The event log display screen 300 includes a search tree 310, an event map 320, and a log view 330 from the left side. The event map 320 and the log view 330 are as described with reference to FIGS.

In the event map 320, a pointer 321 is arranged on the time bar, and the time of the log view 330 is designated by dragging a pointing device such as a mouse. The pointer 321 is moved while being dragged as indicated by an arrow P, thereby continuously specifying the time of the log view 330. The log view 330 switches the display of log details while synchronizing with such continuous time designation. In this embodiment, by operating the pointer 321, the time is continuously specified and the log detail display is switched. However, the present invention is not limited to this, and the log detail display can be performed by inputting a predetermined specific condition. May be switched.
The predetermined specific condition is a condition that is commonly applied to all search results, such as time designation.

  By displaying in this way, it is possible to display the event log of the search results across multiple search conditions, so the search condition and event log occurrence frequency, occurrence trend, event log log details Etc. can be confirmed at a time. Therefore, the administrator can easily perform detailed analysis of the event log, and convenience is improved. In this embodiment, the time of the log view 330 is specified by dragging the pointer 321 arranged on the time bar. For example, a user interface such as a button or a slider is provided, and the time is set by operating these buttons. It is also possible to specify continuously and to change the contents of the displayed event log as the time changes.

A7. Search tree editing process:
11 and 12 are flowcharts for explaining search tree editing processing. Search conditions can be added and deleted by editing the search tree on the screen. This is a process performed by the search condition setting unit 105 in response to an instruction from the administrator. In the present embodiment, a process of adding a new event source and copying an existing search condition to a lower level of the newly added event source is exemplified.

  The event log analysis support apparatus 100 accepts selection of an edit mode in which the search tree can be edited (step S60), and accepts an input of an event source to be added from the administrator (step S61). As shown in the figure, when an event source is added, an input screen 600 is displayed, an event source name “JobSchedulerLog” to be added is entered in a text box 610, and a search name “arbitrarily set” is entered in a text box 620. Enter Schedule Job Execution. Upon receiving such input, the event log analysis support apparatus 100 reflects it in the search tree. It is good also as inputting directly into the search tree on a screen.

  Next, in the search tree that can be edited, the search condition is copied by drag and drop (step S62). The drawing also shows the search tree 630 in the edit mode. In the search tree 630, a search name and a search condition as shown by “[]” are displayed. The event source added in step S61 is added as the root node 631.

  Copy the search condition of the search name “Host01” set in the subordinate node of the search name “Syslog” by dragging and dropping it to the subordinate of the search name “execution of schedule job” as shown by a thick arrow in the figure. . The copied search condition becomes a lower node 633 of “execute schedule job” of the root node 631.

  When receiving a copy of the search condition on the screen by such drag and drop, the event log analysis support apparatus 100 edits the search condition in the search condition storage unit 106 (step S63). That is, since the search condition is added by copying, the addition of the search condition is reflected in the search condition storage unit 106, or the parent-child relationship between the nodes is reflected. As illustrated, the search condition storage unit 106 is added with search IDs “11” and “12”, and the search ID “11” is set as the parent search ID of the search ID “11”. The search condition of the search ID “12” is set as “grep“ Host01 ””.

  When the event log analysis support device 100 ends the search mode (step S64), the event log is re-searched with the edited search condition (step S65), and the search result is reflected in the event map and log view (step S65). Step S66).

  In this way, it is possible to easily add or change search conditions by moving or copying existing search conditions. In addition, since the change is reflected in the hierarchical structure, the search condition can be easily edited, and convenience is improved. In this embodiment, editing is performed by drag and drop on the screen. However, the present invention is not limited to this. For example, in the list of search conditions shown in FIG. 3, the parent search ID referenced by the lower node is changed. It is also possible to edit the parent node referenced in

  The event log analysis support apparatus 100 according to the present embodiment described above has the following advantages. Search conditions are set in a hierarchical structure, and the search conditions of the lower nodes are the event logs narrowed down by the upper node, and the search results and search results are associated with each other by associating the search conditions with the search results. Since it can be confirmed, the administrator can efficiently analyze the event log or edit the search condition while checking the search condition and the event log. Also, by editing the search tree, the search conditions can be changed directly on the screen, such as copying, and the search conditions that are subdivided in units of nodes can be diverted, and are reusable. . In other words, the administrator can use an appropriate search condition each time an event log is analyzed without creating a complicated search condition. In addition, since the event log re-searched with the edited search condition is immediately reflected on the screen, the event log can be analyzed efficiently.

  In this embodiment, the event logs searched according to each search condition are displayed side by side in each node of the search tree. However, by selecting any node in the search tree, the event log of the search result is displayed. It may be displayed. In any aspect, it is sufficient that the search condition and the event log of the search result are associated with each other.

B. Variations Various embodiments of the present invention have been described above, but the present invention is not limited to these embodiments, and it goes without saying that various configurations can be taken without departing from the spirit of the present invention. For example, the following modifications are possible.

B1. Modification 1:
For example, based on a list display of search conditions set in a hierarchical structure and event logs associated with such search conditions, a filter is created for the administrator to extract an event log that triggers the start of the policy of the managed device You may comprise as a method to do. The policy is a command for processing to be executed by the management target device. For example, the policy is a command for registering information such as when and what processing is executed. In this way, the event log occurrence frequency and event log contents can be checked in association with the search conditions, reducing the burden on the administrator to create an event log filter that triggers policy activation. Can improve convenience.

B2. Modification 2:
In the above-described embodiments, the computers and routers on the local area network are the monitoring target devices, but the present invention can also be configured with the monitoring target devices as a storage system. The hierarchical search conditions and event log display according to the present invention can be applied. FIG. 13 is an explanatory diagram illustrating an event log collection system 1000 according to a modification.

  The event log collection system 1000 is roughly composed of a SAN (Storage Area Network) and a local area network LAN. In the SAN, a host 720, a SAN switch 730, a storage subsystem 740, and a tape drive 750 are connected by a dedicated line 800, and each device has an FC (Fiber Channel) interface 722,732,742, 752 is connected. The storage subsystem 740 constitutes a RAID disk array. The tape drive 750 is a backup destination. The SAN switch 730 is a switch for connecting each device of the SAN.

  In addition to the FC interfaces 722, 732, 742, and 752, each device also includes a LAN interface, which is connected to the event log analysis support device 700 and the NAS 710 through a local area network LAN. The NAS 710 is a storage that is directly connected to the LAN and provides a file system.

  The event log analysis support apparatus 700 collects an event log such as a failure from a device constituting the SAN using the local area network LAN. For normal data transfer and the like, a dedicated line with high transfer efficiency is used. Therefore, the event log can be collected while avoiding network delay and congestion, which is preferable.

B3. Modification 3:
In the event collection process, an event log generated by the monitored device for a certain period of time may be periodically transmitted to the event log analysis support system, or may be transmitted every time an event occurs.

B4. Modification 4:
The present invention can be configured as an event log analysis support method and an event log display method in addition to the event log analysis support device described above. In addition, the computer program for realizing the above-described event log analysis support and event log display control, a recording medium storing the program, a data signal including the program and embodied in a carrier wave, and the like can be used in various modes. It is possible to realize. In each embodiment, the various additional elements shown above can be applied.

  When the present invention is configured as a computer program or a recording medium recording the program, the entire program for controlling the management apparatus may be configured, or only a part that performs the function of the present invention is configured. Also good. The recording medium includes a flexible disk, a CD-ROM, a DVD-ROM, a punched card, a printed matter on which a code such as a bar code is printed, an internal storage device of a computer (memory such as ROM or RAM), an external storage device, and the like. Various computer-readable recording media can be used.

It is explanatory drawing which illustrates the system configuration | structure in a present Example. 4 is an explanatory diagram illustrating functional blocks of an event log analysis support apparatus 100. FIG. It is explanatory drawing which illustrates the search conditions in a present Example. It is a flowchart explaining the search result display process in a present Example. It is a flowchart explaining the event log collection process in a present Example. It is a flowchart explaining the process which produces the search tree in a present Example. It is a flowchart explaining the process which produces the search tree in a present Example. It is a flowchart explaining the process which displays the event map in a present Example. It is a flowchart explaining the process which displays the log view in a present Example. It is explanatory drawing which illustrates the search result display screen in a present Example. It is a flowchart explaining the search tree edit process in a present Example. It is a flowchart explaining the search tree edit process in a present Example. It is explanatory drawing which illustrates the event log collection system 1000 in a modification.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Event log collection system 100 ... Event log analysis support apparatus 101 ... Main control part 102 ... Communication part 103 ... Event collection part 104 ... Event storage part 105 ... Search condition Setting unit 106 ... Search condition storage unit 107 ... Hierarchical structure setting unit 108 ... Search unit 109 ... Display control unit 110 ... Input unit 200, 210, 220 ... Host 300 ... Event log display screen 310 ... Search tree 320 ... Event map 321 ... Pointer 330 ... Log view

Claims (14)

An event log analysis support device,
An event log collection unit that collects event logs from monitored devices;
An event log storage unit for storing the collected event log;
A search condition for searching a predetermined event log from the collected event log is set as a high-order search condition, and a search condition used for searching the event log corresponding to the high-order search condition is set as a low-order search. As a condition, a search condition receiving unit that receives input of the search condition and an input of a relationship between the search conditions;
A search condition setting unit that sets the search condition in a hierarchical structure based on the input relationship;
An event log analysis support apparatus comprising: a search unit that executes a search for the event log based on the event log and the search condition. The event log analysis support device according to claim 1,
The upper search condition is a type of the event log,
The lower-order search condition is an event log analysis support device that is a character string included in the event log. The event log analysis support device according to claim 1,
An event log analysis support apparatus comprising a display control unit for displaying the search condition according to the hierarchical structure. The event log analysis support device according to claim 3,
The display control unit displays an event log analysis support as a tree structure in which the upper search condition among the search conditions is a parent node, and the lower search condition of the upper search condition is a child node in the parent node apparatus. The event log analysis support device according to any one of claims 1 to 4,
For any one of the search conditions, a designation accepting unit that accepts designation for changing the upper / lower relationship,
An event log analysis support apparatus comprising: an editing unit that edits the hierarchical structure based on the designation. The event log analysis support device according to any one of claims 2 to 5,
The display control unit is an event log analysis support device that further displays an event log searched by each search condition in a predetermined form associated with each search condition. The event log analysis support device according to claim 6,
As an attribute of the event log, an occurrence date and time of an event represented by the event log is included,
The predetermined form is an event log analysis support apparatus which is a form in which a predetermined display is performed in time series at a location corresponding to the date and time of occurrence of the event log. The event log analysis support device according to claim 6 or 7,
A condition input unit for inputting an extraction condition for extracting a predetermined event log for each search condition from the searched event log;
The display control unit is an event log analysis support device that displays contents of the extracted event log. An event log display device that displays event logs collected from monitored devices,
An input unit for inputting a plurality of search conditions for searching a predetermined event log from the event log collected from the monitored device,
Among the event logs searched for each search condition, a specific condition input unit for inputting a predetermined specific condition for specifying an event log to be displayed;
An event log display device comprising: a display unit that displays a list of the contents of the identified event log in association with the plurality of search conditions. An event log search method for searching a predetermined event log from event logs collected from monitored devices,
(A) collecting event logs from monitored devices;
(B) storing the collected event log;
(C) A search condition for searching for a predetermined event log from the collected event log is set as a high-order search condition, and a search condition used for searching for an event log corresponding to the high-order search condition is: Receiving the input of the search condition and the input of the relationship between the search conditions as subordinate search conditions;
(D) setting the search condition in a hierarchical structure based on the input relationship;
(E) An event log search method comprising a step of executing search of the event log based on the event log and the search condition. An event log display method for displaying event logs collected from monitored devices,
(A) inputting a plurality of search conditions for searching for a predetermined event log from the event log collected from the monitored device;
(B) inputting a predetermined specific condition for specifying an event log to be displayed among event logs searched for each of the search conditions;
(C) An event log display method comprising: displaying a list of the contents of the identified event log in association with the plurality of search conditions. A computer program that causes a computer to search for event logs of monitored devices,
A function to collect event logs from monitored devices,
A function for storing the collected event log;
A search condition for searching a predetermined event log from the collected event log is set as a high-order search condition, and a search condition used for searching the event log corresponding to the high-order search condition is set as a low-order search. As a condition, a function of accepting an input of the search condition and an input of a relationship between the search conditions;
A function of setting the search condition in a hierarchical structure based on the input relationship;
A computer program for causing a computer to realize a function of executing search of the event log based on the event log and the search condition. A computer program for displaying an event log collected from a monitored device on a computer,
A function of inputting a plurality of search conditions for searching a predetermined event log from the event log collected from the monitored device;
A function of inputting a predetermined specific condition for specifying an event log to be displayed among event logs searched for each search condition;
A computer program for causing a computer to realize a function of displaying a list of the contents of the specified event log in association with the plurality of search conditions.   A recording medium in which the computer program according to claim 12 or 13 is recorded so as to be readable by a computer.

Images