Method for monitoring abnormal behavior in a computer system
Abstract
The present invention relates to a method for monitoring a computer system in which one manager computer is connected to a plurality of agent computers over a network. The manager computer sends information on the types of log to be collected to the plurality of agent computers. In response, the plurality of agent computers collect the specified types of log. Then, the plurality of agent computers send the collected logs to the manager computer. Thus, the plurality of agent computers are able to collect the types of log specified by the manager computer.
57 Citations
11 Claims
1. A method for monitoring a computer system in which a manager computer and a plurality of agent computers are connected over a network, comprising:
- in response to an abnormal state occurring on one of said plurality of agent computers, presuming on said manager computer a first cause of said abnormal state;
- sending a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed first cause;
- collecting a log to prove said presumed first cause on each of said plurality of agent computers;
- sending said collected log from each of said plurality of agent computers to said manager computer;
- comparing on said manager computer said collected logs with each other to presume, as a result of comparison thereof, a second cause which caused the first cause; and
- sending a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed second cause.

Dependent claims: 2.

3. A method for monitoring a computer system in which a manager computer and (n+1) agent computers are connected over a network, comprising:
- dividing a log collected on said manager computer into n pieces of log information;
- on said manager computer, generating appendage information which recovers said log based on pieces of log information less than n;
- distributing said n pieces of information and said appendage information to said (n+1) agent computers, respectively; and
- on each of said (n+1) agent computers, encrypting and memorizing respective one of said distributed log information and said appendage information.

4. A method for monitoring a computer system in which a plurality of computers to be managed and a manager computer are connected to a network, comprising:
- monitoring, by said manager computer, logs collected from said plurality of computers to be managed; and
- detecting, by said manager computer, suspicious behavior by comparing said logs or checking inconsistency of said logs.

Dependent claims: 5, 6, 7, 8, 9, 10, 11.

- storing logs;
- reporting to said manager computer an alarm or a log more significant than a management level; and
- changing said management level in response to an instruction from said manager computer, said manager computer setting said management level in each of said computers to be managed.

7. The method according to claim 6, each of said computers to be managed reporting to said manager computer an alarm or a log requested by said manager computer, said manager computer:
- presuming, from contents of the reported alarm or log, causes resulting in the contents;
- collecting a more detailed log to prove the presumption; and
- narrowing down said presumed causes.

8. The method according to claim 4, wherein said manager computer comprises:
- displaying icons of said computers to be managed on a monitor screen; and
- changing an alarm sound or a color on said monitor screen according to a degree of suspicion for a computer performing suspicious behavior or a range of a display section showing possibility of existence of a computer performing suspicious behavior.

9. The method according to claim 4, further comprising:
- adding a digital signature before storing or transferring a log;
- adding redundant data to the log; and
- recovering data of said log by using said redundant data when a part of said log is lost or altered.

10. The method according to claim 4, further comprising:
- dividing a log into divided logs and storing the divided logs in computers to be managed; and
- recovering data of said log by using the stored divided logs when a part of the divided logs is lost or altered.

11. The method according to claim 9, further comprising:
- dividing a log into divided logs and storing the divided logs in computers to be managed; and
- recovering data of said log by using the stored divided logs when a part of the divided logs is lost or altered.
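Claims 3 and 9 to 11 describe dividing a log into n pieces plus appendage information that recovers the log from fewer than n pieces, signing pieces before storage or transfer, and rebuilding a piece that is lost or altered. The Python below is an added illustration, not code from the patent: it assumes single-piece XOR parity as the appendage information and an HMAC tag under a constructed key (KEY) standing in for the claim's digital signature.

```python
import hmac
import hashlib

# Constructed demo key shared by manager and agents; the HMAC tag it produces
# stands in for the digital signature of claim 9 (assumption, not the patent's scheme).
KEY = b"constructed-demo-key"


def split_log(log: bytes, n: int) -> list[bytes]:
    """Claim 3: divide a log into n equal-size pieces (length-prefixed, zero-padded)."""
    framed = len(log).to_bytes(4, "big") + log
    piece_len = -(-len(framed) // n)                      # ceiling division
    framed += b"\x00" * (piece_len * n - len(framed))
    return [framed[i * piece_len:(i + 1) * piece_len] for i in range(n)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def appendage(pieces: list[bytes]) -> bytes:
    """Appendage information: XOR parity, which rebuilds any single missing piece."""
    acc = bytes(len(pieces[0]))
    for p in pieces:
        acc = xor_bytes(acc, p)
    return acc


def sign(index: int, data: bytes) -> bytes:
    """Claim 9: integrity tag bound to the piece index, added before transfer or storage."""
    return hmac.new(KEY, index.to_bytes(2, "big") + data, hashlib.sha256).digest()


def distribute(log: bytes, n: int) -> list[tuple[int, bytes, bytes]]:
    """Manager side: n log pieces plus one parity piece, each signed, one per agent (n+1)."""
    pieces = split_log(log, n)
    pieces.append(appendage(pieces))
    return [(i, p, sign(i, p)) for i, p in enumerate(pieces)]


def recover(shares: list[tuple[int, bytes, bytes]], n: int) -> bytes:
    """Manager side: drop shares whose tag fails, rebuild one lost/altered piece from parity."""
    good = {i: p for i, p, t in shares if hmac.compare_digest(t, sign(i, p))}
    missing = [i for i in range(n + 1) if i not in good]
    if len(missing) > 1:
        raise ValueError(f"cannot recover: pieces {missing} lost or altered")
    if missing:
        good[missing[0]] = appendage([good[i] for i in range(n + 1) if i != missing[0]])
    framed = b"".join(good[i] for i in range(n))
    length = int.from_bytes(framed[:4], "big")
    return framed[4:4 + length]
```

With XOR parity, recovery tolerates exactly one lost or altered share; the tag check is what turns an altered share into a detectable loss rather than silently corrupt output.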