Log Analysis Based on User Activity Volume

US 20170013003A1
Filed: 12/14/2013
Published: 01/12/2017
Est. Priority Date: 12/14/2013
Status: Active Grant

First Claim

Patent Images

1. A log analysis system comprising:

an activity engine to monitor user activity of a computer system;

a baseline engine to generate an expected baseline of a log based on historical log activity; and

an abnormality engine to;

compare the log to the expected baseline to identify an abnormality;

compare the abnormality to a user activity volume based on a correlation between the user activity volume and the log activity; and

classify the log based on the abnormality, the correlation, and the user activity volume.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example implementation, a log analysis system can comprise an activity engine to monitor user activity of a computer system, a baseline engine to generate an expected baseline of a log, and an abnormality engine to compare the log to the expected baseline to identify an abnormality, compare the abnormality to a user activity volume based on a correlation between the user activity volume and the log activity, and classify the log.

42 Citations

View as Search Results

15 Claims

1. A log analysis system comprising:
- an activity engine to monitor user activity of a computer system;
  
  a baseline engine to generate an expected baseline of a log based on historical log activity; and
  
  an abnormality engine to;
  
  compare the log to the expected baseline to identify an abnormality;
  
  compare the abnormality to a user activity volume based on a correlation between the user activity volume and the log activity; and
  
  classify the log based on the abnormality, the correlation, and the user activity volume.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The log analysis system of claim 1, wherein the baseline engine is to:
    - adjust the expected baseline based on the user activity volume.
  - 3. The log analysis system of claim 1, comprising a template engine to identify a log template based on a log entry of the log, wherein the expected baseline is based on a seasonal effect of the log and the log template.
  - 4. The log analysis system of claim 3, wherein the abnormality engine is to:
    - create a graph based on the log template, the graph to represent a number of log entries associated with the log template; and
      
      compare the graph to the expected baseline, the abnormality being the difference between the graph and the expected baseline.
  - 5. The log analysis system of claim 1, comprising:
    - a display engine to cause a display of the abnormality and a classification of the log.

6. A computer readable storage medium comprising a set of instructions executable by a processor resource to:
- generate a first graph, the first graph to represent an expected baseline of log activity of a computer system based on a log template of the log activity and a seasonal effect of the log activity;
  
  generate a second graph, the second graph to represent a user activity volume of the computer system;
  
  compare the first graph to the second graph to identify a correlation between the expected baseline and the user activity volume; and
  
  score the log activity based on the expected baseline, the correlation, and the user activity volume.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The medium of claim 6, wherein the expected baseline comprises:
    - a degree of relatedness among log activity based on a text template; and
      
      wherein the seasonal effect is based on a time-dependent pattern of the log template.
  - 8. The medium of claim 6, wherein the set of instructions executable to generate a second graph comprise instructions executable by the processor to:
    - monitor the user activity volume of the computer system; and
      
      wherein the set of instructions executable to generate a first graph comprise instructions executable by the processor to;
      
      normalize the seasonal effect of the expected baseline based on the user activity volume; and
      
      wherein the set of instructions to compare the first graph to the second graph includes using data provided by a real user monitor to determine the correlation between the user activity.
  - 9. The medium of claim 6, wherein the set of instructions is executable by the processor to:
    - cause a display of the log activity with an identifier associated with an abnormality of the log activity and the score of the log activity;
      
      wherein the set of instructions executable to compare the first graph and the second graph comprise instructions executable by the processor to;
      
      identify the abnormality based on the correlation and the difference between the first graph and the log activity.
  - 10. The medium of claim 9, wherein the identifier indicates the degree of abnormality based on a context of the log and a severity of the abnormality, the context of the log to include the correlation of the log based on a degree of user activity volume on the log.

11. A method for analyzing a log comprising:
- identifying a log template based on a set of entries of the log;
  
  generating a baseline graph associated with expected log activity based on the log template;
  
  generating a user activity graph associated with a volume of user activity;
  
  comparing the user activity graph to the baseline graph to identify a correlation between the log template and the volume of user activity;
  
  comparing a potential abnormality of the log to the volume of user activity associated with the log, the potential abnormality being a difference between the log and the baseline; and
  
  visually indicating a log status based on the correlation between the potential abnormality and the volume of user activity.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, comprising:
    - clustering a set of entries of the log based on a text template to identify the log template;
      
      identifying a seasonal effect of the log activity; and
      
      identifying a number of the set of entries associated with the log template.
  - 13. The method of claim 12, comprising:
    - mapping a log template count of the log to a log graph based on a number of the set of entries associated with the log template;
      
      comparing the log graph to the baseline to identify the potential abnormality; and
      
      causing to present the log as a node in a map, the map to contain nodes having a color based on the abnormality associated with the log template and the correlation.
  - 14. The method of claim 11, comprising at least one of:
    - identifying the log is impacted by the volume of user activity; and
      
      identifying the user activity to impact the log.
  - 15. The method of claim 11, comprising:
    - estimating the volume of log activity based on a degree of granularity; and
      
      providing a degree of abnormality of the log based on the volume of user activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
SAMUNI, Eran, ADRIAN, Daniel, GOLAN, Yohay

Granted Patent

US 11,457,029 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 11/0709   in a distributed system con...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/3438   monitoring of user actions ...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 17/40   Data acquisition and loggin...

H04L 63/1425   Traffic logging, e.g. anoma...

Log Analysis Based on User Activity Volume

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Log Analysis Based on User Activity Volume

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links