Logging incident manager

US 9,742,624 B2
Filed: 01/21/2014
Issued: 08/22/2017
Est. Priority Date: 01/21/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method associated with processing log messages from a plurality of handlers that are distributed among a plurality of hosts in an application cluster, the method comprising:

by one or more handlers of the plurality of handlers;

(i) collecting a first set of log messages that include a coarse granularity level of detail regarding events that occur on one or more of the plurality of hosts, and storing the first set of log messages in a first buffer;

(ii) collecting a second set of log messages that include a fine granularity level of detail regarding the events, and storing the second set of log messages in a second buffer;

wherein the second buffer is configured as a circular buffer that includes a set number of storage slots and recycles the storage slots when full;

wherein storing in the circular buffer includes overwriting an oldest log message in the circular buffer with a new log message when the circular buffer is full to recycle the storage slots;

periodically transmitting to a logging appliance that includes at least a processor, the first set of log messages collected at the coarse granularity level from one or more of the plurality of handlers;

analyzing the first set of log messages having the coarse granularity level to determine whether an error has been encountered;

in response to detecting the error in the first set of log messages;

freezing the circular buffers in the plurality of handlers to preserve the second set of log messages stored therein and to stop storing new log messages in the circular buffers;

selecting a subset of the plurality of handlers to provide reports that include the second set of log messages collected at the fine granularity level from the circular buffers; and

scheduling the subset of the plurality of handlers to separately transmit the reports to the logging appliance;

in response to receiving the reports, combining the second set of log messages having the fine granularity level from the reports into a formal log.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and other embodiments associated with intelligently processing log messages are described. In one embodiment, a computer-implemented method includes analyzing, by a logging appliance that includes at least hardware, communications received from a plurality of handlers to determine whether at least one of the communications indicates an error has been encountered by one of a plurality of components associated with the plurality of handlers. The method includes scheduling a subset of the plurality of handlers to provide reports that include a detailed set of log messages in response to detecting the error. The subset of the plurality of handlers includes handlers that are associated with the error.

Citations

26 Claims

1. A computer-implemented method associated with processing log messages from a plurality of handlers that are distributed among a plurality of hosts in an application cluster, the method comprising:
- by one or more handlers of the plurality of handlers;
  
  (i) collecting a first set of log messages that include a coarse granularity level of detail regarding events that occur on one or more of the plurality of hosts, and storing the first set of log messages in a first buffer;
  
  (ii) collecting a second set of log messages that include a fine granularity level of detail regarding the events, and storing the second set of log messages in a second buffer;
  
  wherein the second buffer is configured as a circular buffer that includes a set number of storage slots and recycles the storage slots when full;
  
  wherein storing in the circular buffer includes overwriting an oldest log message in the circular buffer with a new log message when the circular buffer is full to recycle the storage slots;
  
  periodically transmitting to a logging appliance that includes at least a processor, the first set of log messages collected at the coarse granularity level from one or more of the plurality of handlers;
  
  analyzing the first set of log messages having the coarse granularity level to determine whether an error has been encountered;
  
  in response to detecting the error in the first set of log messages;
  
  freezing the circular buffers in the plurality of handlers to preserve the second set of log messages stored therein and to stop storing new log messages in the circular buffers;
  
  selecting a subset of the plurality of handlers to provide reports that include the second set of log messages collected at the fine granularity level from the circular buffers; and
  
  scheduling the subset of the plurality of handlers to separately transmit the reports to the logging appliance;
  
  in response to receiving the reports, combining the second set of log messages having the fine granularity level from the reports into a formal log.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the error is a fault condition in one of a plurality of components that has been registered in a log message by one of the plurality of handlers,wherein selecting the handlers for the subset is based, at least in part, on a relationship of one or more of the plurality of handlers to one of the plurality of hosts that generated the error, andwherein selecting the handlers is based, at least in part, on whether a handler of the plurality of handlers reported a secondary error proximate to the error and whether the handler has log messages with time stamps proximate to a timestamp of the error.
  - 3. The computer-implemented method of claim 2, wherein the second set of log messages included with each of the reports is a batch of log messages gathered according to the fine granularity level of logging at a time that is proximate to the error, andwherein scheduling the subset of the plurality of handlers to provide the reports includes specifying a time for each handler of the subset to transmit a report to the logging appliance.
  - 4. The computer-implemented method of claim 1, wherein periodically transmitting the first set of log messages includes transmitting a batch of log messages collected according to the coarse granularity level of logging, and wherein the batch serves as heartbeat communications from the plurality of handlers that are communicated at a regular interval.
  - 5. The computer-implemented method of claim 1, further comprising:
    - prior to scheduling the subset of the plurality of handlers to provide reports, waiting a defined period of time to ensure communications from the plurality of handlers with log messages that have timestamps from prior to the error have been received.
  - 6. The computer-implemented method of claim 1, further comprising:
    - generating a summary of the error from at least the reports received from the subset of the plurality of handlers, wherein generating the summary is triggered after expiration of a waiting period for receiving the reports that accounts for time skew between the plurality of handlers and delays in receiving the reports, and wherein the summary is generated from one or more of the reports and communications received proximate to a time of the error.
  - 7. The computer-implemented method of claim 1, further comprising:
    - clearing the error from a state of the application cluster and returning the application cluster to a clear operating state after a defined period of time elapses without additional errors occurring, wherein the state of the application cluster indicates an operating condition for a plurality of components and whether one or more of the plurality of components has recently encountered an error.
  - 8. The computer-implemented method of claim 1, further comprising:
    - storing the second set of log messages collected at the fine granularity level from the reports in a distributed memory associated with the logging appliance, wherein the storing includes sorting and collating the second set of log messages according to timestamps assigned to the log messages.
  - 9. The computer-implemented method of claim 1, wherein freezing the circular buffers in the plurality of handlers is performed after scheduling the subset of the plurality of handlers to provide the reports, wherein the scheduling includes requesting the subset of the plurality of handlers to freeze the circular buffers.

10. A computing system for processing log messages the contain data on events that occur on one or more of a plurality of host devices that execute a plurality of applications in an application cluster, comprising:
- a plurality of handlers where each handler includes a first buffer and a second buffer, wherein the second buffer is configured as a circular buffer that includes a set number of storage slots and recycles the storage slots when the circular buffer is full;
  
  wherein each handler is configured to operate with one or more processors to;
  
  (i) collect a first set of log messages that include a coarse granularity level of detail regarding events that occur on one or more of the plurality of hosts, and store the first set of log messages in the first buffer;
  
  (ii) collect a second set of log messages that include a fine granularity level of detail regarding the events, and store the second set of log messages in the second buffer;
  
  wherein storing in the circular buffer includes overwriting an oldest log message in the circular buffer with a new log message when the circular buffer is full;
  
  wherein the plurality of handlers are configured to periodically transmit, to a logging appliance that includes at least a processor, the first set of log messages collected at the coarse granularity level from one or more of the plurality of handlers;
  
  incident manager logic stored in a non-transitory computer-readable medium as part of the logging appliance and including instructions that when executed by one or more processors of the logging appliance cause the one or more processors to analyze the first set of log messages having the coarse granularity level to determine whether at least one of the log messages indicates an error has been encountered; and
  
  wherein the incident management logic includes instructions that when executed by the one or more processors cause the one or more processors to, in response to detecting the error in the first set of log messages;
  
  (i) select a subset of the plurality of handlers to provide reports that include the second set of log messages collected at the fine granularity level from the circular buffers;
  
  (ii) freeze the circular buffers in the subset of the plurality of handlers to preserve the second set of log messages stored therein and to stop storing new log messages in the circular buffers;
  
  (iii) schedule the subset of the plurality of handlers to separately transmit the reports to the logging appliance; and
  
  (iv) in response to receiving the reports, combine the second set of log messages having the fine granularity level from the reports into a formal log.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computing system of claim 10, wherein the incident manager logic includes instructions that cause the one or more processors to schedule the subset of the plurality handlers to provide the reports by selecting handlers from the plurality of handlers that are likely to have information that is relevant to the error,wherein the incident manager logic includes instructions that cause the one or more processors to select the handlers based, at least in part, on a relationship of one or more of the plurality of handlers to a component of the plurality of hosts that generated the error, andwherein the incident manager logic includes instructions that cause the one or more processors to select the handlers according to whether a handler reported log messages with a secondary error proximate to the error and whether the handler has log messages with time stamps proximate to a timestamp of the error.
  - 12. The computing system of claim 10, wherein the second set of log messages included with each of the reports is a batch of log messages collected according to the fine granularity level of logging at a time that is proximate to the error, wherein the communications include batches of log messages gathered according to the coarse granularity level, andwherein the incident manager logic includes instructions that cause the one or more processors to schedule the subset of the plurality of handlers to provide the reports according to a time specified for each handler of the subset to communicate a report to the incident manager logic as specified in a control communication provided by the incident manager logic.
  - 13. The computing system of claim 10, wherein each of the plurality of handlers is configured to periodically transmit a batch of log messages collected according to the coarse granularity level, and wherein the are batch of log messages function as heartbeat communications from the plurality of handlers that are communicated at a regular interval.
  - 14. The computing system of claim 10, wherein the incident manager logic includes instructions that cause the one or more processors to, prior to scheduling the subset of the plurality of handlers to provide reports, wait a defined period of time to ensure the first set of log messages have been received from the plurality of handlers where the first set of log messages have timestamps that are prior to a time of the error.
  - 15. The computing system of claim 10, wherein the incident manager logic includes instructions that cause the one or more processors to generate a summary of the error from at least the reports received from the subset of the plurality of handlers,wherein the incident manager logic includes instructions that cause the one or more processors to generate the summary after expiration of a waiting period for receiving the reports, wherein the waiting period accounts for time skew between the plurality of handlers and delays in receiving the reports,wherein the summary is generated from the reports and communications received proximate to a time of the error, and wherein the reports include log messages collected at the fine granularity level and the log messages collected at the coarse granularity level.
  - 16. The computing system of claim 10, wherein the incident manager logic includes instructions that cause the one or more processors to clear the error from a state of the application cluster and return the application cluster to a clear operating state after a predetermined period of time elapses without additional errors occurring,wherein the state of the application cluster indicates an operating condition for the plurality of hosts and whether one or more of the plurality of hosts have recently encountered an error.
  - 17. The computing system of claim 10, wherein the incident manager logic includes instructions that cause the one or more processors to store the first set of log messages and the second set of log messages in a distributed memory, and wherein the incident manager logic is configured to sort and collate the log messages according to timestamps after storing the log messages in the distributed memory.
  - 18. The computing system of claim 10, wherein the incident manager includes instructions that cause the one or more processors to schedule the subset of the plurality of handlers to provide reports by requesting the subset to freeze the circular buffers that include second set of log messages collected at the fine granularity level by preventing the log messages in the circular buffers from being overwritten and requesting the subset to communicate the log messages from the circular buffers at a scheduled time.

19. A non-transitory computer-storage medium storing instructions that when executed, by one or more processors of a plurality of handlers that are computing devices for processing log messages from a plurality of hosts that are part of an application cluster, cause the one or more processors to:
- collect a first set of log messages that include a coarse granularity level of detail regarding events that occur on one or more of the plurality of hosts, and store the first set of log messages in a first buffer;
  
  collect a second set of log messages that include a fine granularity level of detail regarding the events, and store the second set of log messages in a second buffer;
  
  wherein the second buffer is configured as a circular buffer that stores a set number of log messages and recycles storage slots by overwriting an oldest log message in the second buffer with a new log message when the second buffer is full;
  
  periodically transmit, to a logging appliance that includes at least a processor, the first set of log messages collected at the coarse granularity level from one or more of the plurality of handlers;
  
  analyze, by a processor of the logging appliance, the first set of log messages having the coarse granularity level to determine whether an error has been encountered;
  
  in response to detecting the error in the first set of log messages;
  
  (i) freeze the circular buffers in the plurality of handlers to preserve the second set of log messages stored therein and to stop storing new log messages in the circular buffers;
  
  (ii) select a subset of the plurality of handlers to provide reports that include the second set of log messages collected at the fine granularity level from the circular buffers;
  
  (iii) schedule the subset of the plurality of handlers to separately transmit the reports to the logging appliance; and
  
  (iv) in response to receiving the reports, combine the second set of log messages having the fine granularity level from the reports into a formal log.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The non-transitory computer-storage medium of claim 19, wherein the instructions for periodically transmitting the first set of log messages collected at the coarse granularity level further include instructions that when executed cause at least one processor to transmit the first set of log messages in batches of log messages.
  - 21. The non-transitory computer-storage medium of claim 19, wherein the instructions include instructions that when executed cause the one or more processors to collect the second set of log messages included with each of the reports as a batch of log messages collected according to the fine granularity level of logging at a time that is proximate to the error, wherein the communications include batches of log messages gathered according to the coarse granularity level.
  - 22. The non-transitory computer-storage medium of claim 19, wherein the instructions include instructions that when executed cause the one or more processors to periodically transmit a batch of log messages collected according to the coarse granularity level, and wherein the batch of log messages function as heartbeat communications from the plurality of handlers that are communicated at a regular interval.
  - 23. The non-transitory computer-storage medium of claim 19, wherein the instructions include instructions that when executed cause the one or more processors to:
    - prior to scheduling the subset of the plurality of handlers to transmit the reports, wait a defined period of time to ensure the first set of log messages have been received from the plurality of handlers where the first set of log messages that have timestamps that are prior to a time of the error.
  - 24. The non-transitory computer-storage medium of claim 19, wherein the instructions include instructions that when executed cause the one or more processors to:
    - generate a summary of the error from at least the reports received from the subset of the plurality of handlers,generate the summary after expiration of a waiting period for receiving the reports, wherein the waiting period accounts for time skew between the plurality of handlers and delays in receiving the reports,wherein the summary is generated from the reports and communications received proximate to a time of the error, and wherein the reports include log messages collected at the fine granularity level and the log messages collected at the coarse granularity level.
  - 25. The non-transitory computer-storage medium of claim 19, wherein the instructions include instructions that when executed cause the one or more processors to:
    - clear the error from a state of the application cluster and return the application cluster to a clear operating state after a predetermined period of time elapses without additional errors occurring, andwherein the state of the application cluster indicates an operating condition for the plurality of hosts and whether one or more of the plurality of hosts have recently encountered an error.
  - 26. The non-transitory computer-storage medium of claim 19, wherein the instructions include instructions that when executed cause the one or more processors to:
    - store the first set of log messages and the second set of log messages in a distributed memory, andsort and collate the log messages according to timestamps after storing the log messages in the distributed memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Hanckel, Robert, Thilagar, Parthiban
Primary Examiner(s)
Bengzon, Greg C

Application Number

US14/159,554
Publication Number

US 20150207709A1
Time in Patent Office

1,309 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/0609   based on severity or priority

H04L 41/0618   based on the physical or lo...

H04L 41/0622   based on time

H04L 41/069   using logs of notifications...

Logging incident manager

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Logging incident manager

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links