Log message anomaly detection
First Claim
1. A computer-based method for detecting one or more anomalies in a message log, comprising:
- grouping one or more structured log messages comprising a same value of a same program variable into a group, the grouping comprising:
  - determining whether a first log parameter of a first structured log message and a second log parameter of a second structured log message are cogenetic, comprising determining at least one of:
    - whether a value range of the first log parameter and a value range of the second log parameter are equivalent; or
    - whether the value range of the first log parameter is a subset of the value range of the second log parameter;
- identifying one or more invariants for the group; and
- applying at least some of the one or more invariants to one or more log sequences to detect one or more anomalies, at least some of at least one of the grouping, the identifying, or the applying implemented at least in part using a computer-based processor.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
Abstract
One or more techniques and/or systems are disclosed for detecting anomalies in a message log. A log message is parsed from an unstructured text string into a structured form comprising a message signature and parameter values. Structured log messages that contain a same parameter value of a same program variable are grouped together. One or more invariants are identified from respective types of log message groups. Invariants are applied to log sequences of respective log types.
20 Claims
15. A system for detecting one or more anomalies in a message log, comprising:
- a grouping component configured to group one or more structured log messages comprising a same value of a same program variable into a group, the grouping component comprising:
  - a parameter comparison component configured to compare one or more log value ranges of a plurality of log parameters of at least some of the one or more structured log messages to determine if at least some of the plurality of log parameters can be grouped;
- an invariant identification component configured to identify one or more invariants for the group; and
- an anomaly detection component configured to apply at least some of the one or more invariants to one or more log sequences to detect one or more anomalies, at least some of at least one of the grouping component, the invariant identification component, or the anomaly detection component implemented at least in part via a processor.

Dependent claims: 16, 17, 18, 19.
20. A tangible computer-readable storage device comprising instructions that when executed by a processor perform a method for detecting one or more anomalies in a message log, comprising:
- grouping one or more structured log messages comprising a same value of a same program variable into one or more groups;
- identifying one or more invariants for at least some of the one or more groups, the identifying comprising:
  - extracting a set of one or more message count vectors for at least some of the one or more groups related to a same target program variable;
  - forming a count matrix based at least in part on at least some of the set of one or more message count vectors; and
  - identifying an invariant space of the count matrix; and
- applying at least some of the one or more invariants to one or more log sequences to detect one or more anomalies.
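As an added illustration (not code from the patent or its assignee), the count-matrix steps of claim 20 in pure Python: messages sharing a `req` value are grouped, each group becomes a message count vector, the invariant space is the null space of the count matrix, and a new group's count vector is flagged when any invariant fails. The `req=<id> <signature>` line format and the sample log are constructed assumptions.

```python
from fractions import Fraction
from collections import defaultdict
import re
# Constructed sample log (not from the patent): "req=<id> <message signature>"
SAMPLE_LOG = """\
req=1 open file
req=1 read block
req=1 read block
req=1 close file
req=2 open file
req=2 close file
"""
LINE_RE = re.compile(r"^req=(\d+) (.+)$")
def parse(text):
    """Parse each unstructured line into (parameter value, message signature)."""
    return [LINE_RE.match(l).groups() for l in text.splitlines() if l.strip()]
def count_vectors(records):
    """Group messages sharing the same 'req' value; one count vector per group."""
    sigs = sorted({s for _, s in records})
    groups = defaultdict(lambda: [0] * len(sigs))
    for val, sig in records:
        groups[val][sigs.index(sig)] += 1
    return sigs, [groups[k] for k in sorted(groups, key=int)]
def null_space(matrix):
    """Invariant space of the count matrix: basis of vectors v with M v = 0 (exact RREF)."""
    m = [[Fraction(x) for x in row] for row in matrix]
    rows, cols, pivots, r = len(m), len(m[0]), [], 0
    for c in range(cols):
        p = next((i for i in range(r, rows) if m[i][c] != 0), None)
        if p is None: continue  # no pivot here: this column is a free variable
        m[r], m[p] = m[p], m[r]
        m[r] = [x / m[r][c] for x in m[r]]
        for i in range(rows):
            if i != r and m[i][c] != 0:
                m[i] = [a - m[i][c] * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for f in [c for c in range(cols) if c not in pivots]:
        v = [Fraction(0)] * cols
        v[f] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -m[i][f]
        basis.append(v)
    return basis
def violates(invariants, vector):
    """Apply the invariants to a new group's count vector; True means anomaly."""
    return any(sum(a * b for a, b in zip(inv, vector)) != 0 for inv in invariants)
```

On the sample log the only invariant found is "open count equals close count", so a request that opens a file without closing it is flagged regardless of how many reads it logs.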