EVENT LOG ANALYZER

US 20170063762A1
Filed: 09/01/2015
Published: 03/02/2017
Est. Priority Date: 09/01/2015
Status: Active Grant

First Claim

Patent Images

1. An event log analyzer comprising:

one or more computers; and

a computer-readable medium coupled to the one or more computers having instructions stored thereon which, when executed by the one or more computers, cause the one or more computers to perform operations comprising;

identifying log data associated with a set of log messages included in one or more logs, each log message associated with a timestamp;

identifying one or more occurrences of a first critical event and a time of each of the one or more occurrences;

identifying one or more candidate subsets of log messages, each log message in each candidate subset associated with a timestamp that is within a predefined time window prior to the time of a particular occurrence of the first critical event;

selecting a candidate subset of log messages as correlated to the first critical event; and

defining a rule using the selected candidate subset of log messages, the rule defining a second critical event corresponding to the selected candidate subset of log messages that correlates to the first critical event, wherein the rule is associated with one or more actions to perform when the second critical event occurs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure involves systems, software, and computer implemented methods for correlating critical events to identified log data. An example event log analyzer can identify a set of log messages. One or more occurrences of a first critical event and a time of each of the occurrences are identified. One or more candidate subsets of log messages are identified. Each log message in each candidate subset is associated with a timestamp that is within a predefined time window prior to the time of an occurrence of the first critical event. A candidate subset of log messages is selected as a correlator of the first critical event. A rule is defined using the selected candidate subset of log messages. The rule defines a second critical event that correlates to the first critical event. The rule is associated with one or more actions to perform when the second critical event occurs.

39 Citations

View as Search Results

20 Claims

1. An event log analyzer comprising:
- one or more computers; and
  
  a computer-readable medium coupled to the one or more computers having instructions stored thereon which, when executed by the one or more computers, cause the one or more computers to perform operations comprising;
  
  identifying log data associated with a set of log messages included in one or more logs, each log message associated with a timestamp;
  
  identifying one or more occurrences of a first critical event and a time of each of the one or more occurrences;
  
  identifying one or more candidate subsets of log messages, each log message in each candidate subset associated with a timestamp that is within a predefined time window prior to the time of a particular occurrence of the first critical event;
  
  selecting a candidate subset of log messages as correlated to the first critical event; and
  
  defining a rule using the selected candidate subset of log messages, the rule defining a second critical event corresponding to the selected candidate subset of log messages that correlates to the first critical event, wherein the rule is associated with one or more actions to perform when the second critical event occurs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The event log analyzer of claim 1, wherein selecting the candidate subset of log messages as correlated to the first critical event comprises:
    - determining, for each of the one or more candidate subsets of log messages, a likelihood that a respective candidate subset of log messages correlates to the first critical event;
      
      selecting a candidate subset of log messages as correlated to the first critical event based on the determined likelihoods.
  - 3. The event log analyzer of claim 2, wherein the selected candidate subset of log messages is automatically selected, without human intervention, as correlated to the first critical event based on the determined likelihoods.
  - 4. The event log analyzer of claim 1, wherein selecting the candidate subset of log messages comprises:
    - presenting one or more of the candidate subsets of log messages to a user, each of the one or more candidate subsets associated with a score associated with a projected likelihood of critical event correlation;
      
      receiving, as the selected candidate subset of log messages, a user selection of a presented candidate subset of log messages.
  - 5. The event log analyzer of claim 4, wherein defining the rule comprises receiving, from the user, the definition of the rule and a definition of the one or more actions.
  - 6. The event log analyzer of claim 2, wherein the likelihood for a particular candidate subset of log messages is based on one or more of the log messages in the particular candidate subset of log messages including one or more keywords that match a keyword associated with the first critical event.
  - 7. The event log analyzer of claim 2, wherein the likelihood for a particular candidate subset of log messages is based on a number of times that each log message in the particular candidate subset of log messages occurs in the log data within the predetermined time window before one of the identified occurrences of the first critical event.
  - 8. The event log analyzer of claim 2, wherein the likelihood for a particular candidate subset of log messages is based on a log message level of one or more of the log messages in the particular candidate subset of log messages.
  - 9. The event log analyzer of claim 1, wherein the log data comprises meta-data associated with the set of log messages, including frequency and time of occurrence of each unique type of log message in the one or more logs.
  - 10. The event log analyzer of claim 2, wherein the likelihood for a particular candidate subset of log messages is based on a frequency of the type of one or more logs messages in the particular candidate subset of log messages.
  - 11. The event log analyzer of claim 1, wherein identifying a particular occurrence of the first critical event comprises identifying instances of each of one or more types of log messages in the one or more logs.
  - 12. The event log analyzer of claim 1, wherein a particular occurrence of the first critical event is not reflected in the one or more logs, and wherein identifying the particular occurrence of the first critical event comprises receiving a notification and the time of the particular occurrence of the first critical event.
  - 13. The event log analyzer of claim 1, the one or more computers further performing operations comprising:
    - identifying an occurrence of the second critical event associated with a satisfaction of the rule; and
      
      performing the set of actions based on identifying the occurrence of the second critical event.
  - 14. The event log analyzer of claim 1, wherein the actions include one or more actions to automatically prevent a future occurrence of the first critical event.
  - 15. The event log analyzer of claim 1, wherein the actions include one or more of changing environment settings, stopping an application, stopping a server, starting an application, starting a server, or increasing the log level of an application.
  - 16. The event log analyzer of claim 1, wherein the actions include one or more actions to prepare for and send a notification regarding an imminence of a future occurrence of the first critical event.
  - 17. The event log analyzer of claim 3, wherein the selection of the correlator of the first critical event is automatically performed in response to the identifying of the one or more occurrences of the first critical event.
  - 18. The event log analyzer of claim 1, the one or more computers further performing operations comprising:
    - determining that an absence of an expected set of one or more log messages is correlated to the first critical event; and
      
      wherein defining the rule comprises specifying that the absence of the expected set of one or more log messages correlates to the first critical event.

19. A method of correlating log data to critical events, comprising:
- identifying log data associated with a set of log messages included in one or more logs, each log message associated with a timestamp;
  
  identifying one or more occurrences of a first critical event and a time of each of the one or more occurrences;
  
  identifying one or more candidate subsets of log messages, each log message in each candidate subset associated with a timestamp that is within a predefined time window prior to the time of a particular occurrence of the first critical event;
  
  selecting a candidate subset of log messages as correlated to the first critical event; and
  
  defining a rule using the selected candidate subset of log messages, the rule defining a second critical event corresponding to the selected candidate subset of log messages correlated to the first critical event, wherein the rule is associated with one or more actions to perform when the second critical event occurs.

20. A computer program product encoded on a non-transitory storage medium, the product comprising non-transitory, computer readable instructions for causing one or more processors to perform operations comprising:
- identifying log data associated with a set of log messages included in one or more logs, each log message associated with a timestamp;
  
  identifying one or more occurrences of a first critical event and a time of each of the one or more occurrences;
  
  identifying one or more candidate subsets of log messages, each log message in each candidate subset associated with a timestamp that is within a predefined time window prior to the time of a particular occurrence of the first critical event;
  
  selecting a candidate subset of log messages as correlated to the first critical event; and
  
  defining a rule using the selected candidate subset of log messages, the rule defining a second critical event corresponding to the selected candidate subset of log messages correlates to the first critical event, wherein the rule is associated with one or more actions to perform when the second critical event occurs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sap Portals Israel Ltd (SAP SE)
Original Assignee
Sap Portals Israel Ltd (SAP SE)
Inventors
Bruner, Asaf, Fishman, Roy, Lavie, Sarah, Milstein, Tahel, Shapiro, Dany, Machol, Gary

Granted Patent

US 10,587,555 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 51/18 Commands or executable codes

H04L 51/56 Unified messaging, e.g. int...

EVENT LOG ANALYZER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EVENT LOG ANALYZER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links