LOG COLLECTION, STRUCTURING AND PROCESSING
6 Assignments
0 Petitions
Abstract
The present invention generally relates to log message processing such that events can be detected and alarms can be generated. For example, log messages are generated by a variety of network platforms (e.g., Windows servers, Linux servers, UNIX servers, databases, workstations, etc.). Often, relatively large numbers of logs are generated from these platforms in different formats. A log manager described herein collects such log data using various protocols (e.g., Syslog, SNMP, SMTP, etc.) to determine events. That is, the log manager may communicate with the network platforms using appropriate protocols to collect log messages therefrom. The log manager may then determine events (e.g., unauthorized access, logins, etc.) from the log data and transfer the events to an event manager. The event manager may analyze the events and determine whether alarms should be generated therefrom.
277 Citations
18 Claims
1. A method for use in monitoring one or more platforms of a data system, comprising the steps of:
   establishing a number of log processing rules for selectively processing logs based on a content of one or more data fields of the said logs;
   identifying a log message associated with a monitored platform;
   parsing said log message into a number of data fields and determining a field content of at least one of said fields; and
   based on said field content, processing said log message using said processing rules.
   (Dependent claims: 2, 3, 4, 5, 6)

7. A method for use in monitoring one or more platforms of a data system, comprising the steps of:
   identifying a log message to be archived;
   associating metadata with the said identified log message to be archived, wherein said metadata includes information to assist in restoring said message; and
   archiving said log message together with said metadata in a data structure for enabling restoration of said log message using said metadata.

8. A method for use in processing logs in a data system, comprising the steps of:
   providing a tool for use in accessing archived logs based on metadata describing the logs;
   first operating said tool to receive restoration information associated with one or more fields of said metadata; and
   second operating said tool to restore one or more logs based on said received restoration information.

9. A method for use in monitoring one or more platforms of a data system, comprising the steps of:
   establishing an agent protocol defining communications between an agent for acquiring log messages and a processor for processing log messages;
   providing an agent for monitoring log messages associated with a monitored platform; and
   operating said agent to identify a log message of interest, process said log message to parse said message and associate metadata with parsed portions of said message, and provide an output in accordance with said agent protocol, wherein said output includes substantially an entirety of a content of said message together with said metadata.

10. A method for use in monitoring one or more platforms of a data system, comprising the steps of:
   establishing an agent protocol defining communications between an agent for acquiring log messages and a processor for processing log messages;
   receiving, at said processor, a pre-processed log message in accordance with said protocol, where said pre-processed log message includes parsed portions of a raw log message, collectively including substantially an entirety of a content of said raw message, together with metadata defining said parsed portions; and
   operating said processor to use said metadata to further process said pre-processed log message.

11. A method for use in processing textual messages in a data system, comprising the steps of:
   establishing a tagging notation in relation to a subject matter area of a textual message, said tagging notation including a metadata model for describing parsed portions of said textual message; and
   establishing rules operative for converting said tagging notation into regular expression notation.
   (Dependent claims: 12)

13. A method for use in monitoring one or more platforms in a data system, comprising the steps of:
   accessing a Windows event log from a monitored platform;
   identifying a time stamp associated with the Windows event log; and
   normalizing the time stamp such that the time stamp is substantially independent of a processing environment of the monitored platform.
   (Dependent claims: 14)

15. A method for use in monitoring one or more platforms in a data system, comprising the steps of:
   providing a log manager for processing log information from one or more monitored platforms;
   operating the log manager to remotely access a Windows event log, including a first time stamp, from a monitored platform; and
   processing the first time stamp such that the first time stamp is substantially independent of a processing environment of a monitored platform.
   (Dependent claims: 16, 17)

18. A method for use in monitoring one or more platforms in a data system, comprising the steps of:
   providing a storage for storing a local copy of log message strings for a predetermined length of time; and
   in connection with processing a log, determining whether a log message string is in said cache and, if not, obtaining the message string from a remote system.
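As an added example (not code from the patent or from any product it describes), the pipeline the abstract and claims 1 and 11 describe, in Python: a tagging notation, assumed here to be `{name}` / `{name:type}` placeholders because the page defines none, is converted into regular expressions; each message is parsed into named fields; rules keyed on field content yield events; and an event-manager stage raises an alarm once a source accumulates enough events. The message templates, rules and log lines are all constructed sample data.

```python
import re
from collections import Counter

# Tagging notation (an assumption; the page does not define one): "{name}"
# captures a whitespace-free token, "{name:int}" digits and "{name:ip}" an
# IPv4 address. Each tag becomes a named regex group, as claim 11 describes.
TYPE_PATTERNS = {"word": r"\S+", "int": r"\d+", "ip": r"\d{1,3}(?:\.\d{1,3}){3}"}

def tag_to_regex(template):
    """Convert a tagged template into a compiled, line-anchored regex."""
    escaped = re.escape(template)  # literal text must not act as regex syntax
    def repl(m):
        name, kind = m.group(1), m.group(2) or "word"
        return f"(?P<{name}>{TYPE_PATTERNS[kind]})"
    return re.compile(re.sub(r"\\\{(\w+)(?::(\w+))?\\\}", repl, escaped) + "$")
# Message types for an OpenSSH-style auth log (constructed, not from the page).
MESSAGE_TYPES = {
    "ssh_failed": tag_to_regex("{ts} {host} sshd[{pid:int}]: Failed password "
                               "for {user} from {src_ip:ip} port {port:int} ssh2"),
    "ssh_accepted": tag_to_regex("{ts} {host} sshd[{pid:int}]: Accepted publickey "
                                 "for {user} from {src_ip:ip} port {port:int} ssh2"),
}
# Processing rules (claim 1): a test on field content and the event it yields.
RULES = [
    ("root_account", lambda f: f["user"] == "root", "unauthorized access"),
    ("external_source", lambda f: not f["src_ip"].startswith("10."), "external login"),
]
def process_message(raw):
    """Parse a raw message into fields, then apply the rules to those fields."""
    for mtype, rx in MESSAGE_TYPES.items():
        m = rx.match(raw)
        if m:
            fields = {"type": mtype, **m.groupdict()}
            return fields, [evt for _, test, evt in RULES if test(fields)]
    return None, []  # unknown format: no fields, so no rule can apply

def alarms(lines, threshold=3):
    """Event-manager stage: alarm on sources that raise events repeatedly."""
    per_source = Counter()
    for line in lines:
        fields, events = process_message(line)
        if events:
            per_source[fields["src_ip"]] += len(events)
    return {ip: n for ip, n in per_source.items() if n >= threshold}

SAMPLE_LOG = [  # constructed sample lines
    "2024-01-12T03:14:07Z bastion sshd[4121]: Failed password for root from 203.0.113.7 port 52144 ssh2",
    "2024-01-12T03:14:09Z bastion sshd[4121]: Failed password for root from 203.0.113.7 port 52146 ssh2",
    "2024-01-12T03:15:00Z bastion sshd[4130]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2",
]
```

Running `alarms(SAMPLE_LOG)` flags 203.0.113.7 with four events while the internal key-based login for alice trips no rule; a line in an unknown format parses to no fields and therefore yields no events.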
Specification