Electronic computing has evolved from primitive, vacuum-tube-based computer systems, initially developed during the 1940s, to modern electronic computing systems in which large numbers of multi-processor computer systems, such as server computers, workstations, and other individual computing systems, are networked together with large-capacity data-storage devices and other electronic devices to produce geographically distributed computing systems with hundreds of thousands, millions, or more components that provide enormous computational bandwidths and data-storage capacities. These large, distributed computing systems are made possible by advances in computer networking, distributed operating systems and applications, data-storage appliances, computer hardware, and software technologies.
In modern computing systems, individual computers, subsystems, and components generally output large volumes of status, informational, and error messages that are collectively referred to, in the current document, as “event messages.” In large, distributed computing systems, terabytes of event messages may be generated each day. The event messages are sent to a log management server that records the event messages in event logs that are in turn stored as files in data-storage appliances. Log management servers are typically used to determine the types of events recorded in the event messages, but log management servers currently lack the ability to detect anomalous behavior of an event source from the many thousands, if not millions, of event messages generated by the event source. System administrators seek methods and systems that automatically detect anomalous states of event sources based on the event messages generated by the event sources.