Heretofore, a technology has been available in which a monitoring apparatus (log-monitoring software) monitors a log of a processing system to be monitored and provides a service that, when an anomaly of a certain level (a failure) occurs, notifies the processing system of the anomaly. Details will now be described.
The processing system to be monitored includes a plurality of processing apparatuses. When operations occur in the processing apparatuses, the corresponding processing apparatuses associate operation data (messages) indicating the operations and data (time-point data) about the time points at which the operations occurred and transmit the associated data to the monitoring apparatus. Data including messages and time-point data are called log messages, such as those defined by syslog. The monitoring apparatus monitors the processing system, and determines (monitors) whether or not an anomaly is occurring in the processing apparatuses in the processing system, based on the log messages. Anomalies include low-level anomalies that are not severe enough to be reported to the processing system and high-level anomalies that are to be reported to the processing system because the levels of the anomalies are severe. Such high-level anomalies are called “failures”. When a failure occurs in any of the processing apparatuses in the processing system, the monitoring apparatus reports the occurrence of the failure.
Anomaly detection has been available as a method for detecting occurrence of anomalies. That is, the monitoring apparatus detects an anomaly, for example, by finding an abrupt change in certain performance data. Related art is disclosed in, for example, Japanese Laid-open Patent Publication No. 11-103302, Japanese Laid-open Patent Publication No. 2001-292143, and Japanese Laid-open Patent Publication No. 2006-318071.
Anomalies in the system include not only anomalies that appear in changes in one type of operation but also anomalies that appear in a relationship between multiple types of operation. Because anomaly detection extracts changes in one type of operation, it is difficult for it to detect an anomaly that appears in a relationship between different types of operation.
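The limitation described in the preceding paragraph, as an added example that is not part of the original document: per-type abrupt-change detection is run over constructed log messages for two operation types and reports nothing, while a comparison between the two types shows them drifting apart. The message names, counts, thresholds and the ratio check are assumptions chosen for illustration, not the method of the cited publications.

```python
from collections import Counter

# Constructed per-minute counts of two operation types (not from the document).
# "request" stays flat while "response" declines slowly, so neither series
# ever changes abruptly, but the two drift apart.
REQUESTS = [100, 102, 99, 101, 100, 98, 101, 100]
RESPONSES = [100, 101, 99, 95, 88, 80, 73, 66]


def build_log(requests, responses):
    """Expand the counts into (time point, message) log messages."""
    log = []
    for minute, (rq, rs) in enumerate(zip(requests, responses)):
        log += [(minute, "request")] * rq + [(minute, "response")] * rs
    return log


def count_by_minute(log, message):
    """Count occurrences of one message type per time point."""
    counts = Counter(minute for minute, msg in log if msg == message)
    return [counts[m] for m in range(max(counts) + 1)]


def abrupt_changes(series, threshold=0.10):
    """Single-type detection: minutes whose count moved by more than
    `threshold` (as a fraction) relative to the previous minute."""
    return [i for i in range(1, len(series))
            if abs(series[i] - series[i - 1]) / series[i - 1] > threshold]


def relationship_breaks(a, b, baseline_minutes=3, tolerance=0.10):
    """Cross-type check (assumed, illustrative): minutes where the b/a ratio
    deviates from the baseline ratio by more than `tolerance`."""
    base = sum(b[:baseline_minutes]) / sum(a[:baseline_minutes])
    return [i for i in range(baseline_minutes, len(a))
            if abs(b[i] / a[i] - base) / base > tolerance]


LOG = build_log(REQUESTS, RESPONSES)
REQ = count_by_minute(LOG, "request")
RSP = count_by_minute(LOG, "response")

if __name__ == "__main__":
    print("request abrupt changes: ", abrupt_changes(REQ))
    print("response abrupt changes:", abrupt_changes(RSP))
    print("relationship breaks:    ", relationship_breaks(REQ, RSP))
```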