LOG COLLECTION, STRUCTURING AND PROCESSING
8 Assignments
Abstract
The present invention generally relates to log message processing such that events can be detected and alarms can be generated. For example, log messages are generated by a variety of network platforms (e.g., Windows servers, Linux servers, UNIX servers, databases, workstations, etc.). Often, relatively large numbers of logs are generated from these platforms in different formats. A log manager described herein collects such log data using various protocols (e.g., Syslog, SNMP, SMTP, etc.) to determine events. That is, the log manager may communicate with the network platforms using appropriate protocols to collect log messages therefrom. The log manager may then determine events (e.g., unauthorized access, logins, etc.) from the log data and transfer the events to an event manager. The event manager may analyze the events and determine whether alarms should be generated therefrom.
46 Claims
1-18. (canceled)

19. A method of determining a source of a log message from one or more platforms of a data system, comprising the steps of:
receiving, at a log agent, a log message from the one or more platforms of the data system;
parsing an identifier out of the log message; and
determining, at the log agent, if a source for the identifier is known.
Dependent claims 20-32 not shown.

33. A method of determining a source of a log message from one or more platforms of a data system, comprising the steps of:
receiving, at a log manager from an agent for acquiring log messages associated with the one or more platforms, a request for information related to a source for an identifier of a log message from the agent; and
determining, at the log manager, whether the identifier is assigned to a source in a database.
Dependent claims 34-36 not shown.

37. A method for use in monitoring one or more platforms of a data system, comprising the steps of:
establishing an agent protocol defining communications between an agent for acquiring log messages and a processor for processing log messages;
receiving, at the processor and in accordance with the agent protocol, a plurality of log messages;
identifying, from the plurality of received log messages, at least one event for further processing; and
promoting the at least one event to an alarm status.
Dependent claim 38 not shown.

39. A method for use in monitoring one or more platforms of a data system, comprising the steps of:
establishing, at an agent for acquiring log messages of a monitored platform, a number of log processing rules for selectively processing logs based on a content of one or more data fields of the log messages;
receiving, at the agent, a plurality of log messages;
operating the agent to process the plurality of received log messages using the log processing rules; and
forwarding information related to a first group of the plurality of processed log messages to a log manager for further processing.
Dependent claims 40-43 not shown.

44. A method for use in monitoring one or more platforms of a data system, comprising the steps of:
receiving, at a log manager for processing log messages from the one or more platforms, a second group of log messages that is a subset of a first group of log messages received at an agent for acquiring log messages of the one or more platforms;
operating the processor to further process the second group of log messages.
Dependent claims 45-46 not shown.

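As an added illustration of the agent/manager split claimed above (identifier-to-source resolution in claims 19 and 33, content rules and forwarding of a subset in claims 39 and 44, promotion of events to alarms in claim 37), not the patent's own implementation: a minimal Python agent and manager. The syslog-style sample lines, the source database, the rule names and the alarm threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed syslog-style sample messages (not from the patent).
SAMPLE_LOGS = [
    "<38>Jan 10 10:01:02 web01 sshd[812]: Failed password for root from 203.0.113.7 port 4022",
    "<38>Jan 10 10:01:03 web01 sshd[812]: Failed password for root from 203.0.113.7 port 4023",
    "<86>Jan 10 10:01:09 db02 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart postgresql",
    "<30>Jan 10 10:01:10 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
    "<86>Jan 10 10:01:11 unknownhost login: LOGIN FAILED on tty1",
]
SYSLOG_RE = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
RULES = [("auth_failure", re.compile(r"Failed password|LOGIN FAILED")),   # hypothetical rule names
         ("privileged_cmd", re.compile(r"COMMAND="))]

class LogManager:
    """Holds the identifier -> source database (claim 33) and promotes events to alarms (claim 37)."""
    def __init__(self, sources, alarm_threshold=2):
        self.sources, self.alarm_threshold, self.events = dict(sources), alarm_threshold, []
    def lookup_source(self, identifier):
        return self.sources.get(identifier)          # None: identifier not assigned to any source
    def process(self, forwarded):
        self.events.extend(forwarded)                # every forwarded record is treated as an event
        counts = Counter((e["source"], e["rule"]) for e in self.events)
        return sorted(k for k, n in counts.items() if n >= self.alarm_threshold)  # promoted to alarm

class LogAgent:
    """Parses the hostname identifier out of each message, resolves its source (claim 19), applies content rules (claim 39) and forwards only the matching subset (claim 44)."""
    def __init__(self, manager, rules):
        self.manager, self.rules, self.known = manager, rules, {}
    def resolve_source(self, identifier):
        if identifier not in self.known:             # unknown locally: ask the log manager once
            self.known[identifier] = self.manager.lookup_source(identifier)
        return self.known[identifier]
    def run(self, lines):
        forwarded = []
        for line in lines:
            m = SYSLOG_RE.match(line)
            src = m and self.resolve_source(m["host"])
            if not src:
                continue                             # unparseable or unassigned source: not forwarded
            for name, rx in self.rules:
                if rx.search(m["msg"]):
                    forwarded.append({"source": src, "rule": name, "msg": m["msg"]})
                    break
        return forwarded

def demo():
    mgr = LogManager({"web01": "web-tier", "db02": "db-tier"})
    forwarded = LogAgent(mgr, RULES).run(SAMPLE_LOGS)
    return forwarded, mgr.process(forwarded)
```

Only three of the five sample lines reach the manager: the cron line matches no rule and the line from an unassigned identifier is held back by the agent, and only the repeated authentication failures from one source cross the alarm threshold.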
Specification