A person who operates and maintains an information processing system (hereinafter referred to as an administrator) analyzes logs output from the system and judges the state of the system. In the management of information processing systems so far, the administrator has generated the rules for analyzing the logs. However, since the volume of logs output from recent information processing systems has become enormous and the administrator cannot check all the logs, it is difficult to comprehensively generate rules for analyzing logs. Therefore, techniques for analyzing the state of the system using automatically generated log analysis rules have been proposed.
PTL 1 discloses an incident management system that shortens the time required for failure recovery work in incident management operations. The system of PTL 1 determines the similarity between a failure occurring in a monitoring target device and a failure registered as an incident in the past, and presents a similar incident. The system of PTL 1 calculates a match rate of characters included in a host name, an application name, and a message included in a log message output at the time of a failure, and presents a past incident whose match rate is equal to or more than a certain value as a similar incident.
When a generally available information processing apparatus executes certain processing, the apparatus outputs a plurality of messages corresponding to the execution of the processing in a predetermined chronological order. A plurality of messages output in a predetermined chronological order when the information processing apparatus executes specific processing, as described above, is referred to as “a series of messages”.
PTL 2 discloses a device failure analysis apparatus that can find, in a short period of time, a part of an event log that serves as a clue for specifying the cause of a failure. The apparatus of PTL 2 defines a series of messages output at normal time as a normal-time pattern, calculates the degree of coincidence between the normal-time pattern and an operation log of the device, and detects an operation log whose degree of coincidence is equal to or less than a threshold value as an abnormal log. More specifically, the apparatus of PTL 2 analyzes a log based on “information for grouping a series of messages in processing units”.
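The following added example (not code from PTL 2 or from this document) sketches the check just described: messages are grouped per processing unit, each group is compared with the normal-time pattern, and groups whose degree of coincidence is equal to or less than a threshold are reported as abnormal. The grouping key, the sample log, and the use of the longest common subsequence as the coincidence measure are assumptions; the measure PTL 2 actually uses is not stated here.

```python
from collections import defaultdict

# Constructed normal-time pattern: the series of messages one job emits, in order.
NORMAL_PATTERN = ["job start", "open db", "read rows",
                  "write file", "close db", "job end"]

# Constructed log of (processing-unit id, message) pairs from two interleaved jobs.
# The id stands in for the "information for grouping a series of messages
# in processing units" (assumed form).
SAMPLE_LOG = [
    ("job-1", "job start"), ("job-2", "job start"), ("job-1", "open db"),
    ("job-2", "open db"), ("job-1", "read rows"), ("job-2", "db timeout"),
    ("job-1", "write file"), ("job-2", "retry"), ("job-1", "close db"),
    ("job-2", "job end"), ("job-1", "job end"),
]

def lcs_length(a, b):
    """Length of the longest common subsequence, so message order matters."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def coincidence(pattern, observed):
    """Assumed measure: LCS length divided by the longer sequence, in [0, 1].
    Missing, extra, and out-of-order messages all lower the score."""
    longest = max(len(pattern), len(observed))
    return lcs_length(pattern, observed) / longest if longest else 1.0

def detect_abnormal(log, pattern, threshold):
    """Group messages per processing unit, score each group against the
    normal-time pattern, and return (scores, units at or below threshold)."""
    groups = defaultdict(list)
    for unit, message in log:
        groups[unit].append(message)
    scores = {u: coincidence(pattern, msgs) for u, msgs in groups.items()}
    abnormal = sorted(u for u, s in scores.items() if s <= threshold)
    return scores, abnormal

if __name__ == "__main__":
    scores, abnormal = detect_abnormal(SAMPLE_LOG, NORMAL_PATTERN, 0.6)
    print(scores, abnormal)
```

Without the per-unit grouping, the interleaved messages of the two jobs would be scored as one sequence and the healthy job would lower its own coincidence.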
PTL 3 discloses an abnormality diagnosis apparatus for detecting an abnormality of a large-scale system and identifying the location where the abnormality occurred. In the apparatus of PTL 3, a normal model is generated for each subsystem that constitutes the system, and data not included in the normal model is detected as an abnormality. The apparatus of PTL 3 specifies the abnormality location in the system based on the detected abnormality and the hierarchical dependency of the subsystems.
In addition to the above, several techniques concerning the analysis of logs, patterns, failures, and the like are disclosed.
PTL 4 discloses an encryption communication apparatus that realizes encrypted communication in which traffic within a communication system is reduced while ensuring the security of data in packets transmitted within the communication system. The apparatus of PTL 4 extracts a data part whose data pattern matches between data in a processing target packet and data in a sample packet, and creates matching data.
PTL 5 discloses an infection activity detection apparatus that detects with high certainty that a monitoring target device is infected with a self-infecting malicious program. The apparatus of PTL 5 extracts log data made up of log records concerning access within a predetermined period of time.
PTL 6 discloses a remote maintenance system that copes, from a remote place, with a failure occurring at a monitoring target server. The system of PTL 6 isolates the cause of a failure caused by the monitoring target apparatus and selects, for each failure cause, appropriate information from failure messages and handling information prepared in advance.
PTL 7 discloses an operation pattern generation apparatus that generates various motion patterns from a predetermined motion pattern. The apparatus of PTL 7 generates an operation pattern by generating time series data according to the transition probability and output probability of a hidden Markov model.
PTL 8 discloses a log analysis apparatus that collects a log file group designated by a server and converts the collected log file group into intermediate-format log information in a common format. The apparatus of PTL 8 applies a conversion rule to the intermediate-format log information and generates an integrated log that is easy to analyze.
PTL 9 discloses a communication state display method suitable for communication support via a network. In the method of PTL 9, a source and a destination, a date and time, and a subject are acquired with respect to a message such as an e-mail, a unique identifier is given to each piece of data, and these pieces of data are managed using an accumulated data management table in a data server.