Method and system for implementing an operating system hook in a log analytics system
First Claim
Patent Images
1. A method implemented with a processor, comprising:
- to monitor for changes to one or more log files, configuring an operating system (OS) module to generate an event within an event log when any of a target set of operating-system-level system calls is made;
loading the OS module into an operating system of a host computing system;
operating the OS module within the operating system of the host computing system to detect an invocation of the any of the target set of operating-system-level system calls and to execute the invocation of the any of the target set of operating-system-level system calls, wherein the OS module does not detect invocation of untargeted operating-system-level system calls, and wherein the one or more log files are changed by one or more processes associated with one or more particular calls in the target set of operating-system-level system calls; and
identifying one or more events corresponding to the one or more log files changed by invocation of the any of the target set of operating-system-level system calls, wherein the one or more events correspond to a filtered subset of all log files that are changed by invocation of the any of the target set of operating-system-level system calls, and the one or more events are reviewable by a log collector to collect the one or more log files for a log analytics system.
1 Assignment
0 Petitions
Accused Products
Abstract
Disclosed is a system, method, and computer program product for implementing a log analytics method and system that can configure, collect, and analyze log records in an efficient manner. An improved approach is provided for identifying log files that have undergone a change in status that would require retrieve of its log data, by including a module directly into the operating system that allows the log collection component to be reactively notified of any changes to pertinent log files.
-
Citations
21 Claims
-
1. A method implemented with a processor, comprising:
-
to monitor for changes to one or more log files, configuring an operating system (OS) module to generate an event within an event log when any of a target set of operating-system-level system calls is made; loading the OS module into an operating system of a host computing system; operating the OS module within the operating system of the host computing system to detect an invocation of the any of the target set of operating-system-level system calls and to execute the invocation of the any of the target set of operating-system-level system calls, wherein the OS module does not detect invocation of untargeted operating-system-level system calls, and wherein the one or more log files are changed by one or more processes associated with one or more particular calls in the target set of operating-system-level system calls; and identifying one or more events corresponding to the one or more log files changed by invocation of the any of the target set of operating-system-level system calls, wherein the one or more events correspond to a filtered subset of all log files that are changed by invocation of the any of the target set of operating-system-level system calls, and the one or more events are reviewable by a log collector to collect the one or more log files for a log analytics system. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a method, the method comprising:
-
to monitor for changes to one or more log files, configuring an operating system (OS) module to generate an event within an event log when any of a target set of operating-system-level system calls is made; loading the OS module into an operating system of a host computing system; operating the OS module within the operating system of the host computing system to detect an invocation of the any of the target set of operating-system-level system calls and to execute the invocation of the any of the target set of operating-system-level system calls, wherein the OS module does not detect invocation of untargeted operating-system-level system calls, and wherein the one or more log files are changed by one or more processes associated with one or more particular calls in the target set of operating-system-level system calls; and identifying one or more events corresponding to the one or more log files changed by invocation of the any of the target set of operating-system-level system calls, wherein the one or more events correspond to a filtered subset of all log files that are changed by invocation of the any of the target set of operating-system-level system calls, and the one or more events are reviewable by a log collector to collect the one or more log files for a log analytics system. - View Dependent Claims (14, 15, 16, 17, 18)
-
-
19. A system, comprising:
-
a processor; a memory having stored thereon a sequence of instructions which, when executed by the processor causes the processor to execute operations comprising; to monitor for changes to one or more log files, configuring an operating system (OS) module to generate an event within an event log when any of a target set of operating-system-level system calls is made; loading the OS module into an operating system of a host computing system; operating the OS module within the operating system of the host computing system to detect an invocation of the any of the target set of operating-system-level system calls and to execute the invocation of the any of the target set of operating-system-level system calls, wherein the OS module does not detect invocation of untargeted operating-system-level system calls, and wherein the one or more log files are changed by one or more processes associated with one or more particular calls in the target set of operating-system-level system calls; and identifying one or more events corresponding to the one or more log files changed by invocation of the any of the target set of operating-system-level system calls, wherein the one or more events correspond to a filtered subset of all log files that are changed by invocation of the any of the target set of operating-system-level system calls, and the one or more events are reviewable by a log collector to collect the one or more log files for a log analytics system. - View Dependent Claims (20, 21)
-
Specification