The present invention relates to a method for monitoring a computer system, and more particularly to a technology for handling a computer log.
Conventionally, methods for transferring various types of computer logs over a network for monitoring on another computer have been widely used. However, most of those methods transfer all logs, increasing the network load and sometimes developing a problem especially when the amount of log data produced by the sending computers exceeds the network transfer capacity. The processing load of the receiving computer also increases because it must analyze a large amount of log information. To solve this problem, some operating systems add a priority to each log message. This added information specifies whether to discard messages, whether to record messages in log files, or whether to transfer messages to another computer.
As described above, the conventional methods extract and transfer logs which are assumed to be important based on the criteria determined only by the log outputting computers. Thus, the load on the network or on the log receiving computer is not always reduced because whether or not logs are important are determined based on the criteria of the log outputting computers. In addition, a log message, once considered not very important by log outputting computers, is not sent to the monitoring computer which might consider the log message very important.
Furthermore, administrators must associate log messages sent from one computer with those sent from another computer or obtain more detailed information on the logs depending upon the output log.
Some conventional methods also indicate the importance of output information by color change although the color changes based only on the importance determined by the corresponding host.
Conventionally, log information has been written directly to non-volatile storage. Log information is also written via a network to non-volatile which is usually remote non-volatile storage.
However, generated operation history data may change or may be altered while it is sent to non-volatile storage, while it is processed in the computer, or while it is stored in main storage or non-volatile storage. In conventional methods, these changes and alterations cannot be detected. Therefore, the validity of log information, when read from non-volatile storage where it has been saved, can be guaranteed, nor the changed or altered log information can be restored to the original log information even if the change or alteration is detected.
It is an object of the present invention to provide a method of collecting an amount of log information enough to keep track of the status of agents without a heavy processing load on both the network and the manager computer.
It is another object of the present invention to provide a method of detecting an event which could not be identified by monitoring the status of only one computer.
It is still another object of the present invention to provide a method of representing the location of an error within the computer and the severity level of the error so that an operator can understand them easily the moment the operator views the monitoring screen.
It is still another object of the present invention to provide a method of automating the association of log information output by a plurality of computers and, depending upon the output information, the collection of more detailed information in order to reduce the load on an administrator.
It is still another object of the present invention to provide a method of preventing log information from being altered or wire-tapped or preventing false log information from being included and, even if log information is partially altered, a method of restoring the partially-altered information to the original information.
To achieve the above objects, the method according to the present invention concurrently monitors log information collected from a plurality of computers and integrally checks the validity and consistency of the log information to find an invalid action.
The method according to the present invention allows an alarm or log monitoring computer to assign a surveillance level to the computers which are monitored.
The method according to the present invention supposes the cause of an event from the contents output to a log, collects more detailed log information to prove the supposition, and determine the cause of the event.
The method according to the present invention informs an operator of a computer performing invalid behavior by changing colors on the monitor screen or by changing an alarm sound.
The computer monitoring method according to the present invention adds a digital signature before saving or transferring a log.
The computer monitoring method according to the present invention adds redundant information to a log to allow the original log data to be restored even when part of the log is lost or altered.
The computer monitoring method according to the present invention also divides a log and saves it on a plurality of computers to allow part of divided log data to be restored even if it is lost or altered.