Conventionally, in an information processing apparatus such as a server, a log (or log message) has been recorded for each component of the system, such as the hardware and software of a computer constituting it. A log is information indicating how events, such as operations, states and operational states, change over time. On a server constituting a system that provides services via a communication network, various events of the system are recorded, such as the log-on/log-off of a registered user, warnings, and the occurrence of an abnormality or failure. The log is therefore used to investigate the cause of a failure, to detect traces of unlawful access, to compile operational statistics of the system, and so on.
FIG. 1 explains the operation of a conventional log management apparatus. The log management apparatus 110 is mounted on a server 100 that provides services via a communication network. It can be realized, for example, by software implementing a function that enables the server 100 to operate as the log management apparatus 110.
A hardware group 101 constituting the server 100, such as a CPU (central processing unit), memory, a system controller, a hard disk device (HDD) and a host bus adaptor, and software (application programs, etc.) operating on an operating system (OS) 102 are the monitor targets whose logs are kept. The OS 102 monitors the operation of each piece of software and, when some kind of event occurs or its state changes, outputs a log indicating the contents to the log management apparatus 110. The OS 102 also monitors the operation of each piece of hardware constituting the hardware group 101 and, when an abnormality seems likely to occur or has actually occurred, notifies the event detection unit 103 of it (a warning or an abnormality). In response to the notice, the event notification unit 103 outputs to the log management apparatus 110 a log indicating the abnormality that occurred and the hardware in which it occurred. The log management apparatus 110 thus stores the logs outputted from the OS 102 or the event notification unit 103 in a log file 104.
The log file 104 is stored in, for example, a non-volatile storage medium (for example, a hard disk device) mounted on the server 100 as one of the hardware group 101 or the like. The event detection unit 103 can be realized by, for example, a piece of software installed on the OS 102.
FIG. 2 explains a log stored in the log file 104 by the conventional log management apparatus 110.
FIG. 2 illustrates the outputted logs using, as an example, a case where an abnormality or failure whose log is to be outputted has occurred in components HA and HB of the hardware group 101, and an abnormality or event whose log is to be outputted has occurred in software (described as “software” in FIG. 2) SA, SB and SC operating on the OS 102. For example, the log outputted to the log management apparatus 110 because an abnormality has occurred in the software SA is described as “software SA abnormality”. The event detection unit 103 is not illustrated in FIG. 2 because it is assumed to be part of the OS 102. As illustrated in FIG. 2, a log is outputted whenever a monitor target enters a state in which a log is to be outputted. Thus, logs of various types and monitor targets are mixed in time sequence and stored in the log file 104.
FIG. 3 illustrates the contents of a log stored in the log file 104. As illustrated in FIG. 3, each log includes the date and time at which it was outputted, its monitor target, its type and its factor. The type corresponds to the cause for which the log is outputted, more particularly an abnormality, an event, a failure or the like. The factor corresponds to the reason why it was determined that the cause given as the type has occurred.
The logs are useful information for coping with a failure. However, logs of various types and monitor targets are mixed in time sequence and stored in the log file 104, so analyzing them requires enormous time and labor.
Some conventional log management apparatuses extract logs meeting a retrieval condition from the logs collected in a log file and output them (Japanese Laid-open Patent Publication No. 2005-141663).
A log management apparatus in which a retrieval condition can be set extracts the logs desirable for analysis when an appropriate retrieval condition is set, so that the logs can be analyzed more easily. Even in this case, however, it cannot always extract only the logs desirable for analysis: commonly, logs unnecessary for analysis are included or logs desirable for analysis are lost. Furthermore, some degree of knowledge and experience is desirable in order to set an appropriate retrieval condition. Therefore, a method other than retrieval should be focused on in order to assist maintenance personnel in analyzing logs more easily.
As technical reference documents other than the above, there are Japanese Laid-open Patent Publication Nos. 2006-302170 and 2004-206166.
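The retrieval limitation described above, as an added example that is not part of the original text: a retrieval condition on the monitor target both extracts an unnecessary log and loses logs needed for analysis. The five fields follow the description of FIG. 3; the `|`-separated layout, the sample records and their dates, and the hand-labelled `NEEDED` set are constructed for illustration.

```python
from datetime import datetime
from typing import NamedTuple

class LogRecord(NamedTuple):
    timestamp: datetime  # outputted date and time
    target: str          # monitor target, e.g. hardware HA or software SA
    type: str            # abnormality, event or failure
    factor: str          # why that type was determined

# Constructed sample: hardware (HA, HB) and software (SA, SB, SC) records
# mixed in time sequence. The '|' layout is an assumption of this example.
SAMPLE_LOG = """\
2009-03-02|10:15:01|SB|event|user log-on
2009-03-02|10:15:04|HA|abnormality|correctable memory error
2009-03-02|10:15:05|SA|abnormality|read timeout
2009-03-02|10:15:09|SC|event|user log-off
2009-03-02|10:15:11|HA|failure|uncorrectable memory error
2009-03-02|10:15:12|SA|abnormality|process terminated
2009-03-02|11:40:30|HB|abnormality|fan speed low
2009-03-02|14:02:47|HA|abnormality|correctable memory error
"""

def parse_log(text):
    """Parse one record per line; lines without five fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        date, time, target, type_, factor = parts
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append(LogRecord(stamp, target, type_, factor))
    return records

def retrieve(records, condition):
    """Extract the records that meet a retrieval condition (a predicate)."""
    return [r for r in records if condition(r)]

def compare(retrieved, needed):
    """Return (unnecessary, lost): extracted but unneeded, needed but missed."""
    unnecessary = [r for r in retrieved if r not in needed]
    lost = [r for r in needed if r not in retrieved]
    return unnecessary, lost

RECORDS = parse_log(SAMPLE_LOG)
# Hand-labelled for this sample: the records around the HA failure at 10:15:11.
NEEDED = [RECORDS[i] for i in (1, 2, 4, 5)]
BY_TARGET = retrieve(RECORDS, lambda r: r.target == "HA")
UNNECESSARY, LOST = compare(BY_TARGET, NEEDED)
```

With the condition "monitor target is HA", the unrelated HA abnormality at 14:02:47 is extracted while both software SA abnormalities that accompany the failure are lost.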