There is a known detection apparatus that detects occurrence of an event or a sign of occurrence of the event based on a log of messages (message log) generated in various systems, such as an information technology (IT) system.
For example, the detection apparatus extracts messages from the message log and classifies the extracted messages according to message type. The detection apparatus then refers to a first database (DB), in which a type of a failure in a system and a date and time of occurrence of the failure are registered in an associated manner, and calculates a probability based on a pattern of the types of one or more messages and on the type of the failure corresponding to the date and time at which the pattern occurred. Specifically, for each pattern of message types, the detection apparatus calculates the probability that an event occurs when the messages in the pattern occur. The detection apparatus then registers the pattern of the types of the messages, the event, and the probability in a second DB in an associated manner. In this manner, the detection apparatus learns the probability of an event for each pattern of message types. When one or more messages subsequently occur in the system, the detection apparatus refers to the second DB and, if the probability corresponding to the pattern of the types of the messages is equal to or greater than a threshold, detects occurrence of the event corresponding to the pattern. The detection apparatus then sends a result of the detection to a terminal used by a user, such as an administrator, who manages the system.
Incidentally, as a related technology, there is a known device that handles multiple errors as a single error when a number of errors (burst error) occur in the network.
Furthermore, as another related technology, there is a known computer system that modifies already-learned failure detection rules according to a policy, evaluates a false detection rate or a non-detection rate based on the modified failure detection rules, and employs the failure detection rule that yields a preferable evaluation result. For the technologies described above, refer to, for example, Japanese Laid-open Patent Publication No. H9-219720, Japanese Laid-open Patent Publication No. 2009-157830, and “Trouble Detection with Message Pattern Learning,” Yukihiro Watanabe, Yasuhide Matsumoto, International Processing Society of Japan Journal, Dec. 10, 2009.
However, in the detection apparatus as described above, it is difficult to detect occurrence of an event with high accuracy immediately after operation of the system is started or a configuration of the system is changed by addition of a server or by a change or addition of an application executed on the server.
For example, a new type of message may occur immediately after the configuration of the system is changed. In this case, the detection apparatus learns the probability of an event based on a pattern containing the new type of message, which has not been learned before. However, because the pattern has been learned only a small number of times, the accuracy of the result of the learning is not always high. For example, if an event irrelevant to the message occurs at the same time as the new type of message, the detection apparatus learns that the probability of the event occurring with the pattern containing the new type of message is 100%. Therefore, the accuracy of the result of the learning performed by the detection apparatus immediately after the change in the configuration of the system may be low. Consequently, the detection apparatus sometimes does not detect occurrence of an event with high accuracy immediately after the change in the configuration of the system.
Furthermore, immediately after the start of the operation of the system, the number of times learning has been performed is likewise small, so the accuracy of a result of learning performed by the detection apparatus may be low in the same way. Therefore, the detection apparatus sometimes does not detect occurrence of an event with high accuracy immediately after the start of the operation of the system.
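The following sketch is an added illustration, not code from the publication: it learns a per-pattern event probability and applies the threshold check, then shows how a single coincidental observation of a new message type yields a learned probability of 100%. The co-occurrence ratio used as the probability, the time-window grouping, the 0.8 threshold, and all names and sample data are assumptions constructed for the example.

```python
from collections import defaultdict

THRESHOLD = 0.8  # assumed detection threshold

def learn(windows):
    """Build the 'second DB' from (message_types, failure_or_None) windows.

    Returns {(pattern, event): (probability, observations)}, where the
    probability is the assumed co-occurrence ratio and observations is
    how many times the pattern itself was seen.
    """
    seen = defaultdict(int)   # pattern -> times the pattern occurred
    hits = defaultdict(int)   # (pattern, event) -> times they coincided
    for msg_types, failure in windows:
        pattern = frozenset(msg_types)
        seen[pattern] += 1
        if failure is not None:
            hits[(pattern, failure)] += 1
    return {(p, e): (n / seen[p], seen[p]) for (p, e), n in hits.items()}

def detect(db, msg_types, threshold=THRESHOLD):
    """Return events whose learned probability for this pattern meets the threshold."""
    pattern = frozenset(msg_types)
    return sorted(e for (p, e), (prob, _) in db.items()
                  if p == pattern and prob >= threshold)

# Constructed sample history: a well-learned pattern, followed by a new
# message type "M9" that appears once, after a configuration change, in
# the same window as an unrelated failure.
HISTORY = (
    [(["M1", "M2"], "disk_failure")] * 9
    + [(["M1", "M2"], None)]
    + [(["M3"], None)] * 5
    + [(["M9"], "db_failure")]
)

if __name__ == "__main__":
    db = learn(HISTORY)
    for (pattern, event), (prob, n) in sorted(db.items(), key=lambda kv: kv[0][1]):
        print(sorted(pattern), event, f"p={prob:.2f}", f"observations={n}")
    print("alert on M9:", detect(db, ["M9"]))
    # Four later occurrences of M9 without any failure correct the estimate.
    later = learn(HISTORY + [(["M9"], None)] * 4)
    print("alert on M9 after more learning:", detect(later, ["M9"]))
```

Printing the observation count beside each probability makes the weakness visible: the 100% entry for the new message type rests on one window, while the 90% entry rests on ten.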