Apparatus for and method of implementing system log message ranking via system behavior analysis

US 8,452,761 B2
Filed: 10/24/2007
Issued: 05/28/2013
Est. Priority Date: 10/24/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method of analyzing system logs, said method comprising the steps of:

creating, on a computer in a preprocessing training phase, at least one system profile representing a type of system based on an expected frequency each message type appears in a training set of system logs derived from a plurality of computers;

matching, in an operation phase, a new input system log from a computer to be analyzed to the most similar system profile created previously based on determination of a vector representing an observed frequency each message type in said new input system log appears therein;

calculating, in said operation phase, a score for each system log message in said new input system log that is related to the probability that a corresponding message type would appear in said system profile, wherein said score represents a measure of deviation of said observed frequency from said expected frequency; and

ranking, in said operation phase, said plurality of scored system log message types in order to identify atypical deviations of observed frequency from expected frequency for system log messages, whereby higher ranked message types have higher observed frequencies in said system log as compared to expected frequencies in said system profile generated during said preprocessing training phase.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel and useful method for enabling system logs to be effectively and efficiently monitored by ranking the system log messages by their estimated value to administrators and generating a log view that displays the most important messages. The ranking process uses a dataset of system logs from many computer systems to score messages. For better scoring, unsupervised clustering is used to identify sets of systems that behave similarly. The expected distribution of messages in a given system is estimated using the resulting clusters, and log messages are scored using this estimation.

Citations

20 Claims

1. A method of analyzing system logs, said method comprising the steps of:
- creating, on a computer in a preprocessing training phase, at least one system profile representing a type of system based on an expected frequency each message type appears in a training set of system logs derived from a plurality of computers;
  
  matching, in an operation phase, a new input system log from a computer to be analyzed to the most similar system profile created previously based on determination of a vector representing an observed frequency each message type in said new input system log appears therein;
  
  calculating, in said operation phase, a score for each system log message in said new input system log that is related to the probability that a corresponding message type would appear in said system profile, wherein said score represents a measure of deviation of said observed frequency from said expected frequency; and
  
  ranking, in said operation phase, said plurality of scored system log message types in order to identify atypical deviations of observed frequency from expected frequency for system log messages, whereby higher ranked message types have higher observed frequencies in said system log as compared to expected frequencies in said system profile generated during said preprocessing training phase.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein said analysis is performed at a centralized help desk responsible for supporting one or more systems.
  - 3. The method according to claim 1, wherein said system log analysis is performed at a remote system to be analyzed.
  - 4. The method according to claim 1, wherein said step of creating at least one system profile comprises the steps of:
    - collecting a plurality of training system logs from said plurality of computers;
      
      preprocessing messages from said training system logs into a canonical form;
      
      creating a vector for each input system log representing the observed frequency that each said preprocessed message type appears in a particular training system log;
      
      clustering said vectors into said one or more system profiles; and
      
      calculating an average vector for said one or more system profiles representing the average observed frequency that each said preprocessed message type appears in said one or more system profiles.
  - 5. The method according to claim 2, wherein said step of clustering comprises calculating a correlation coefficient adapted to measure the degree of similarity between each pair of said vectors.
  - 6. The method according to claim 1, wherein said step of matching said input system log to the most similar system profile comprises the steps of:
    - preprocessing said new input system log messages into a canonical form;
      
      creating a vector for said new input system log representing the observed frequency that each said preprocessed message type appears therein;
      
      identifying the system profile most similar to said new input system log vector; and
      
      scoring said vector based on the probability that a message type would appear in said system profile.
  - 7. The method according to claim 6, wherein said step of identifying comprises calculating a correlation coefficient adapted to measure the degree of similarity between said vector of said new input system log and said average vector of said system profile.
  - 8. The method according to claim 1, wherein said score represents a relationship between said number representing the observed frequency of said preprocessed message type from said new input system log and said number representing the observed frequency of said preprocessed message types from said system profile.

9. A method of defining one or more system profiles for use in the analysis of new input system logs, said method comprising the steps of:
- collecting a plurality of training system logs derived from a plurality of computers;
  
  preprocessing during a training phase, on a computer, messages from said plurality of training system logs into a canonical form;
  
  creating a vector for each training system log representing a frequency that each said preprocessed message type appears therein;
  
  clustering said vectors into said one or more system profiles;
  
  calculating an average vector for said one or more system profiles representing an expected frequency that each said preprocessed message type appears in said one or more system profiles; and
  
  wherein said one or more system profiles are used during an operation phase to score and rank system log messages in a new input system log to be analyzed, whereby said ranking is carried out utilizing a score representing for a particular message type a measure of deviation of an observed frequency from said expected frequency in accordance with a corresponding system profile.
- View Dependent Claims (10)
- - 10. The method according to claim 9, wherein said step of clustering comprises calculating a correlation coefficient adapted to measure the degree of similarity between each pair of said vectors.

11. A method of ranking new input system log messages, said method comprising the steps of:
- processing during an operational phase, on a computer, said new input system log messages generated by a computer into a canonical form;
  
  creating a vector from said preprocessed new input system log messages in canonical form representing an observed frequency that each said preprocessed message type appears therein;
  
  matching said vector to a system profile created a priori during a preprocessing training phase representing an expected frequency that each message type appears in a set of training system logs; and
  
  calculating, during said operational phase, a score for each system log message type based on the probability that a corresponding message type would appear in said system profile, wherein said score represents a measure of deviation of observed frequency from expected frequency, whereby rankings of message types are determined based on said scores, higher ranked message types having higher observed frequencies in said system log as compared to expected frequencies in said system profile generated during said preprocessing training phase.
- View Dependent Claims (12, 13, 14)
- - 12. The method according to claim 11, wherein said system profile comprises an average vector representing the expected frequency of each said preprocessed message type.
  - 13. The method according to claim 11, wherein said step of matching comprises calculating a correlation coefficient adapted to measure the degree of similarity between said vector and said system profile.
  - 14. The method according to claim 11, wherein said score represents a relationship between said number representing the observed frequency of said preprocessed messages from said new input system log and said number representing the observed frequency of said preprocessed messages from said system profile.

15. A computer program product, comprising:
- a non-transitory computer usable machine-readable data storage medium having computer usable program code embodied therein for analyzing system log messages;
  
  said computer program product including;
  
  computer usable program code for creating, in a preprocessing training phase, at least one system profile representing a type of system based on an expected frequency each message type appears in a training set of system logs derived from a plurality of computers;
  
  computer usable program code for matching, in an operation phase, a new input system log, generated by a computer, to be analyzed to the most similar system profile created previously based on determination of a vector representing an observed frequency each message type in said new input system log appears therein;
  
  computer usable program code for calculating, in an operation phase, a score for each system log message from said new input system log that is related to the probability that a corresponding message type would appear in said system profile, wherein said score represents a measure of deviation of said observed frequency from said expected frequency; and
  
  computer usable program code for ranking, in said operation phase, said scored system log message types to identify any atypical deviations of observed frequency from expected frequency for system log messages, whereby higher ranked message types have higher observed frequencies in said new input system log as compared to expected frequencies in said system profile generated during said preprocessing training phase.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product according to claim 15, wherein said step of creating at least one system profile comprises the steps of:
    - collecting a plurality of training system logs from said plurality of computers;
      
      preprocessing messages from said training system logs into a canonical form;
      
      creating a vector for each input system log representing the observed frequency that each said preprocessed message type appears in a corresponding training system log;
      
      clustering said vectors into said one or more system profiles; and
      
      calculating an average vector for said one or more system profiles representing the average observed frequency that each preprocessed message type appears in said one or more system profiles.
  - 17. The computer program product according to claim 15, wherein said step of clustering comprises calculating a correlation coefficient adapted to measure the degree of similarity between each pair of said vectors.
  - 18. The computer program product according to claim 15, wherein said step of matching said new input system log to the most similar system profile comprises the steps of:
    - preprocessing said input system log messages into a canonical form;
      
      creating a vector for said system log representing the observed frequency that each said preprocessed message type appears in said input system log;
      
      identifying the system profile most similar to said new input system log vector; and
      
      scoring said vector based on the probability that a message type would appear in said system profile.
  - 19. The computer program product according to claim 15, wherein said step of identifying comprises calculating a correlation coefficient adapted to measure the degree of similarity between said vector of said new input system log and said average vector of said system profile.
  - 20. The computer program product according to claim 15, wherein said score represents a relationship between said number representing the observed frequency of said preprocessed message type from said new input system log and said number representing the observed frequency of said preprocessed message type from said system profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sabato, Sivan, Tsherniak, Aviad, Yom-Tov, Elad
Primary Examiner(s)
Hwa, Shyue Jiunn
Assistant Examiner(s)
PHAN, TUANKHANH D

Application Number

US11/877,679
Publication Number

US 20090113246A1
Time in Patent Office

2,043 Days
Field of Search

707/723
US Class Current

707/723
CPC Class Codes

G06F 11/0706   the processing taking place...

G06F 11/0769   Readable error formats, e.g...

G06F 11/0781   Error filtering or prioriti...

G06F 11/328   Computer systems status dis...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 2201/88   Monitoring involving counting

Apparatus for and method of implementing system log message ranking via system behavior analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus for and method of implementing system log message ranking via system behavior analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links