Event correlation
First Claim
Patent Images
1. An event correlation system comprising:
- at least one processor;
a feature identification module, executed by the at least one processor, to identify a feature set for each log file of a plurality of log files;
a feature extraction module, executed by the at least one processor, to extract the feature set for each event of a plurality of events in each log file of the plurality of log files;
a trace event pairs linkage strength determination module, executed by the at least one processor, to determine a plurality of trace event pairs linkage strength values for at least one event from a first log file of the plurality of log files and a plurality of events from a second log file of the plurality of log files, whereinthe plurality of trace event pairs linkage strength values represent an overlap of the feature set for the at least one event from the first log file and the feature set for each of the plurality of events from the second log file, wherein each linkage strength value increases as the overlap of the feature set increases; and
a trace event pairs link time strength determination module, executed by the at least one processor, to determine trace event pairs link time strength values between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files,whereinthe trace event pairs link time strength values represent a strength of time difference between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files,the trace event pairs link time strength values are based on a time difference between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, and a highest absolute difference of all timestamp pairs between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files,an event correlation between the at least one event from the first log file of the plurality of log files and at least one event of the plurality of events from the second log file of the plurality of log files is identified based on the plurality of trace event pairs linkage strength values and the trace event pairs link time strength values,the at least one event of the plurality of events from the second log file of the plurality of log files represents an anomaly associated with the second log file of the plurality of log files, andthe anomaly associated with the second log file of the plurality of log files is related to the at least one event from the first log file of the plurality of log files.
1 Assignment
0 Petitions
Accused Products
Abstract
Event correlation may include identifying a feature set for each log file of a plurality of log files, and extracting the feature set for each event of a plurality of events in each log file of the plurality of log files. Event correlation may further include determining a plurality of trace event pairs linkage strength values for an event from a first log file of the plurality of log files and a plurality of events from a second log file of the plurality of log files. The trace event pairs linkage strength values may represent an overlap of the feature set for the event from the first log file and the feature set for each of the plurality of events from the second log file.
-
Citations
20 Claims
-
1. An event correlation system comprising:
-
at least one processor; a feature identification module, executed by the at least one processor, to identify a feature set for each log file of a plurality of log files; a feature extraction module, executed by the at least one processor, to extract the feature set for each event of a plurality of events in each log file of the plurality of log files; a trace event pairs linkage strength determination module, executed by the at least one processor, to determine a plurality of trace event pairs linkage strength values for at least one event from a first log file of the plurality of log files and a plurality of events from a second log file of the plurality of log files, wherein the plurality of trace event pairs linkage strength values represent an overlap of the feature set for the at least one event from the first log file and the feature set for each of the plurality of events from the second log file, wherein each linkage strength value increases as the overlap of the feature set increases; and a trace event pairs link time strength determination module, executed by the at least one processor, to determine trace event pairs link time strength values between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, wherein the trace event pairs link time strength values represent a strength of time difference between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, the trace event pairs link time strength values are based on a time difference between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, and a highest absolute difference of all timestamp pairs between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, an event correlation between the at least one event from the first log file of the plurality of log files and at least one event of the plurality of events from the second log file of the plurality of log files is identified based on the plurality of trace event pairs linkage strength values and the trace event pairs link time strength values, the at least one event of the plurality of events from the second log file of the plurality of log files represents an anomaly associated with the second log file of the plurality of log files, and the anomaly associated with the second log file of the plurality of log files is related to the at least one event from the first log file of the plurality of log files. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method for event correlation, the method comprising:
-
identifying, by a processor, a feature set for each log file of a plurality of log files; extracting the feature set for each event of a plurality of events in each log file of the plurality of log files; determining a timestamp for each event of the plurality of events in each log file of the plurality of log files; determining a plurality of trace event pairs linkage strength values for at least one event from a first log file of the plurality of log files and a plurality of events from a second log file of the plurality of log files, wherein the plurality of trace event pairs linkage strength values represent an overlap of the feature set for the at least one event from the first log file and the feature set for each of the plurality of events from the second log file, wherein each linkage strength value increases as the overlap of the feature set increases, the trace event pairs linkage strength values are based on an intersection of the feature set for the at least one event from the first log file of the plurality of log files and the feature set for each of the plurality of events from the second log file of the plurality of log files, and a union of the feature set for the at least one event from the first log file of the plurality of log files and the feature set for each of the plurality of events from the second log file of the plurality of log files, an event correlation between the at least one event from the first log file of the plurality of log files and at least one event of the plurality of events from the second log file of the plurality of log files is identified based on the plurality of trace event pairs linkage strength values, the at least one event of the plurality of events from the second log file of the plurality of log files represents an anomaly associated with the second log file of the plurality of log files, and the anomaly associated with the second log file of the plurality of log files is related to the at least one event from the first log file of the plurality of log files; and determining trace event pairs link time strength values between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, wherein the trace event pairs link time strength values are based on a time difference between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, and a highest absolute difference of all timestamp pairs between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files. - View Dependent Claims (12, 13, 14, 15, 16, 17)
-
-
18. A non-transitory computer readable medium having stored thereon machine readable instructions for event correlation, the machine readable instructions when executed cause a processor to:
-
identify a feature set for each log file of a plurality of log files; extract the feature set for each event of a plurality of events in each log file of the plurality of log files; determine a timestamp for each event of the plurality of events in each log file of the plurality of log files; determine a plurality of trace event pairs linkage strength values for at least one event from a first log file of the plurality of log files and a plurality of events from a second log file of the plurality of log files, wherein the plurality of trace event pairs linkage strength values represent an overlap of the feature set for the at least one event from the first log file and the feature set for each of the plurality of events from the second log file, wherein each linkage strength value increases as the overlap of the feature set increases; and determine trace event pairs link time strength values between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, wherein the trace event pairs link time strength values represent a strength of time difference between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, and the trace event pairs link time strength values are based on a time difference between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, and a highest absolute difference of all timestamp pairs between the at least one event from the first log file of the plurality of log files and each of the plurality of events from the second log file of the plurality of log files, an event correlation between the at least one event from the first log file of the plurality of log files and at least one event of the plurality of events from the second log file of the plurality of log files is identified based on the plurality of trace event pairs linkage strength values, and the trace event pairs link time strength values, the at least one event of the plurality of events from the second log file of the plurality of log files represents an anomaly associated with the second log file of the plurality of log files, and the anomaly associated with the second log file of the plurality of log files is related to the at least one event from the first log file of the plurality of log files. - View Dependent Claims (19, 20)
-
Specification