Log data analysis
3 Assignments
0 Petitions
Abstract
Analyzing log data, such as security log data and event data, is disclosed. Log data is received. Portions of the log data are clustered into clusters of similar data portions. A signature for each cluster is generated. Comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster.
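As an added illustration of the pipeline the abstract describes (cluster similar log lines, derive a signature per cluster, test later lines against those signatures), the following Python is example code, not the patent's or its assignee's implementation; the positional-token similarity measure, the 0.5 threshold and the sample log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not from the patent): three SSH auth failures sharing one shape,
# two kernel link-state messages sharing another.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01 sshd[4021]: Failed password for root from 10.0.0.7 port 51022 ssh2",
    "2024-01-05T10:00:03 sshd[4025]: Failed password for admin from 10.0.0.9 port 51030 ssh2",
    "2024-01-05T10:00:04 sshd[4031]: Failed password for root from 10.0.0.7 port 51041 ssh2",
    "2024-01-05T10:01:10 kernel: eth0: link up, 1000Mbps, full-duplex",
    "2024-01-05T10:02:15 kernel: eth1: link up, 1000Mbps, half-duplex",
]

@dataclass
class Cluster:
    members: list = field(default_factory=list)    # tokenized lines in the cluster
    signature: list = field(default_factory=list)  # per position: literal token or "*"

def similarity(a, b):
    """Fraction of positions whose tokens agree; lines of different length never match."""
    if len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)

def cluster_lines(lines, threshold=0.5):
    """Single pass: a line joins the first cluster whose first member is similar enough."""
    clusters = []
    for line in lines:
        toks = line.split()
        for c in clusters:
            if similarity(c.members[0], toks) >= threshold:
                c.members.append(toks)
                break
        else:
            clusters.append(Cluster(members=[toks]))
    # Signature generation: keep a token where all members agree, wildcard it otherwise.
    for c in clusters:
        c.signature = [col[0] if len(set(col)) == 1 else "*" for col in zip(*c.members)]
    return clusters

def signature_regex(signature):
    """Compile a signature into a regex; "*" matches exactly one whitespace-free token."""
    return re.compile(r"\s+".join(r"\S+" if t == "*" else re.escape(t) for t in signature))

def match_line(clusters, line):
    """Index of the first cluster whose signature the subsequent line satisfies, or None."""
    for i, c in enumerate(clusters):
        if signature_regex(c.signature).fullmatch(line.strip()):
            return i
    return None
```

A line that matches no stored signature (the `None` case) is the one an analyst would want surfaced, since it is a log shape the library has not seen before.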
137 Citations
52 Claims
1. A system, comprising:
a first interface configured to receive log data;
a set of one or more processors;
a memory coupled with the set of one or more processors, wherein the memory is configured to provide the set of one or more processors with instructions which when executed cause the set of one or more processors to:
analyze the received log data at least in part by:
clustering portions of the log data into clusters of similar data portions; and
subsequent to the clustering, dynamically generating a signature for each cluster, wherein comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster; and
cause information associated with the analysis to be displayed to a user;
a storage configured to store a plurality of signatures including the dynamically generated signature in a signature library, wherein the library is accessible by a first and second user, and wherein the first user can use the plurality of signatures in conjunction with data that is not accessible to the second user; and
a second interface configured to receive user input associated with taking action with respect to the displayed information.
Dependent claims: 2 through 13.

14. A method, comprising:
receiving, via a first interface, log data;
analyzing, using a set of one or more processors, the received log data at least in part by:
clustering portions of the log data into clusters of similar data portions; and
subsequent to the clustering, dynamically generating a signature for each cluster, wherein comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster;
causing, using the set of one or more processors, information associated with the analysis to be displayed to a user;
storing a plurality of signatures including the dynamically generated signature in a signature library, wherein the library is accessible by a first and second user, and wherein the first user can use the plurality of signatures in conjunction with data that is not accessible to the second user; and
receiving, via a second interface, user input associated with taking action with respect to the displayed information.
Dependent claims: 15 through 26.

27. A system, comprising:
a first interface configured to receive log data;
a set of one or more processors;
a memory coupled with the set of one or more processors, wherein the memory is configured to provide the set of one or more processors with instructions which when executed cause the set of one or more processors to:
analyze the received log data at least in part by:
clustering portions of the log data into clusters of similar data portions; and
subsequent to the clustering, dynamically generating a signature for each cluster, wherein comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster; and
cause information associated with the analysis to be displayed to a user;
a storage configured to store the dynamically generated signature, wherein the signature is stored as a result of actions taken by a first user, and wherein the stored signature is modified by a second user; and
a second interface configured to receive user input associated with taking action with respect to the displayed information.
Dependent claims: 28 through 39.

40. A method, comprising:
receiving, via a first interface, log data;
analyzing, using a set of one or more processors, the received log data at least in part by:
clustering portions of the log data into clusters of similar data portions; and
subsequent to the clustering, dynamically generating a signature for each cluster, wherein comparison of subsequent log data with the signature indicates whether the subsequent log data belongs in the cluster;
causing, using the set of one or more processors, information associated with the analysis to be displayed to a user;
storing the dynamically generated signature, wherein the signature is stored as a result of actions taken by a first user, and wherein the stored signature is modified by a second user; and
receiving, via a second interface, user input associated with taking action with respect to the displayed information.
Dependent claims: 41 through 52.
Specification