JP2009282707A - Network log acquisition and analysis system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network log analysis system for quickly displaying overall failure content by using a message included in a network log file. <P>SOLUTION: In a network log acquisition and analysis system, a plurality of terminals 300 are connected through a repeater 200 to a host computer 100, the log information of the terminals is obtained and analyzed by a host computer, and the analytic result is displayed at the display of the host computer or the repeater system. The repeater system 200 is provided with: a command input means for accepting a command input; and a transmission means for acquiring the log information of the terminal designated by a command accepted by the command input means, and for transmitting the obtained log information to the host computer. When an ICMP message is included in the obtained log information, corresponding failure information is displayed at the display based on the ICMP type value or message code of the ICMP message. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a network log acquisition and analysis system, and more particularly to a network log acquisition and analysis system that acquires a network log and analyzes the cause of a failure when a network failure occurs.

  When a failure occurs in the network, a network log is acquired for investigating the cause. A typical technique for acquiring a network log is a Linux (registered trademark) tcpdump command for displaying an IP packet or the like entering a host. This command is often used by maintenance personnel when dealing with network failures. However, in order to transmit the network log acquired by this command to a computer at another point, manual operation such as transmission using the ftp command is required. For this reason, it takes some time and effort.

  FIG. 2 is a diagram illustrating a method for acquiring a network log using the relay device 20. In this example, the relay device 20 includes seven ports 50 (eth1 to eth7) to which hosts and terminals are connected. The maintenance staff connects the analysis notebook PC 40 to each port 50 of the relay apparatus 20 via the hub 60, and acquires network logs using, for example, general network log acquisition software.

With this method, if the number of relay devices 20 to be analyzed is small, the burden is light. However, when the relay devices are distributed over a wide range, the work load increases, and transportation costs to the distributed devices are also increased, which increases costs. A method of specifying a log file storing desired log information and receiving the file is known. In this method, the maintenance staff operates the host computer to input a log information collection command, collects log information stored in the storage device of the specified relay device, and transfers the collected information to the host computer . As a result, the host computer can analyze the transferred log information (see Patent Document 1).
Japanese Patent Laid-Open No. 11-85572

  By the way, in the case of the conventional method in which maintenance information such as log information is collected by remote operation, even if a file storing log information or the like exists in the relay device, the file is analyzed on the side of a network failure. It may not be transferred to the host. In such a case, necessary information cannot be acquired, resulting in a serious situation.

  The present invention has been made in view of these problems, and provides a network log analysis system that can promptly display the contents of the entire failure by using messages included in a network log file.

  In order to solve the above problems, the present invention employs the following means.

  Network log acquisition analysis in which a plurality of terminals are connected to a host computer via a relay device, log information of the terminal is acquired and analyzed by the host computer, and the analysis result is displayed on the display device of the host computer or the relay device In the system, the relay device includes command input means for receiving a command input, acquiring log information of a terminal specified by a command received by the command input means, and transmitting means for transmitting the acquired log information to a host computer, Further, when an ICMP message is included in the acquired log information, corresponding failure information is displayed on the display device based on the ICMP type value or message code of the ICMP message.

  Since the present invention has the above-described configuration, it is possible to provide a network log analysis system that can promptly display the contents of the entire failure using messages included in the network log file.

  Hereinafter, the best embodiment will be described with reference to the accompanying drawings. FIG. 1 is a diagram illustrating an outline of a network to which the network log analysis system according to the present embodiment is applied. This system includes a host 100, a plurality of relay devices 200 connected to the host 100, and a plurality of terminal devices 300 connected to the relay device 200. As will be described later, the relay device 200 receives command input means for receiving command input, transmission means for acquiring log information of a terminal specified by the command received by the command input means, and transmitting the acquired log information to the host computer, When the acquired log information includes an ICMP (Internet Control Message Protocol) message, a display device 900 is provided that displays corresponding failure information on the display screen based on the ICMP type value or message code of the ICMP message.

  Since the ICMP message included in the log information is displayed on the display screen in this way, the maintenance staff can grasp the contents of the failure only by referring to the message, that is, without waiting for the analysis of the log information by the host.

FIG. 3 is a diagram for explaining a method of acquiring a network log using the relay device 200. In the example of this figure, the relay device 200 includes seven ports 500 (eth1 to eth7) to which the host 100 and a plurality of terminals 300 are connected.
The relay apparatus 200 includes command input means for receiving command input, and transmission means for acquiring log information of the terminal 300 designated by the command received by the command input means and transmitting the acquired log information to the host computer 100. In addition, when the acquired log information includes an ICMP message, a display device 900 is provided that displays corresponding failure information on the display screen based on the ICMP type value or message code of the ICMP message.

  The above means can be realized by a program stored in the magnetic disk HDD of the relay device.

  As a result, for example, the maintenance staff operates the host computer 100, logs in to the relay apparatus 200 by remote operation, and automatically transmits the network log file 700 to the host 100 by using the function displayed on the menu screen. The host 100 can analyze a failure based on the transmitted network log file.

  Further, the maintenance staff goes to the relay apparatus 200, logs into the relay apparatus 200 in the same manner as described above, and automatically transmits the network log file 700 to the host 100 by using the function displayed on the menu screen. Enables failure analysis based on the transmitted network log file.

  In automatic file transmission, the network log file 700 acquired in the specific folder by the relay device 200 can be automatically transmitted by general-purpose middleware stored in the relay device. When the network log file 700 includes an ICMP message, the failure content included in the message is displayed on the screen of the relay device. As a result, the maintenance staff can quickly grasp the contents of the failure.

  When analyzing the network log (failure content analysis), it is possible to determine the content of the failure immediately by just looking at the content of the network log, and even if the content of the network log itself is normal (a normal message is described) However, there are two types of cases that must be judged as abnormal from the situation on the spot. For this reason, it is difficult to automatically analyze the failure contents from the network log.

  Therefore, in this system, the contents of the ICMP message that can be clearly determined to be abnormal from the contents of the network log are automatically displayed. On the other hand, for failure analysis in which the cause of failure must be identified while considering the background of the system configuration and the like, the network log file 700 is automatically transmitted to the host 100, and analysis is performed on the host 100 side.

  FIG. 4 is a diagram for explaining processing of the relay device (processing of a program constituting the network log acquisition / analysis system). First, when the system is started, a menu screen indicating “Start Network Log Acquisition”, “End Network Log Acquisition”, and “System Stop” is displayed on the startup screen of the display device. ) Is urged to select one (step S1).

  When the maintenance staff selects “start network log acquisition”, the port from which the network log can be acquired is displayed and the user is prompted to select it (step S2). When the user makes a selection, the result of the selection is displayed on the screen, and the user is asked for final confirmation as to whether or not the execution can be performed (step S3). Thereafter, the network log acquisition start command is executed to start acquisition of the network log (step S4).

  Immediately after executing the network log acquisition start command, the startup process number is acquired in a temporary file. Thus, by referring to the temporary file at the time of “end of network log acquisition” to be described later, a list that is the target of “end of network log acquisition” can be displayed on the screen.

  Here, as a method of displaying the target list of “Network log acquisition end”, instead of simply displaying the process of the acquisition start command that is running when network log acquisition ends, immediately after executing the acquisition start command The temporary file from which the process number was acquired is referred to even if the acquisition start command is executed by means other than this system, such as manual or remote operation, even if the “Network log acquisition end” screen is displayed. This is because it is not displayed on the screen. That is, in order to avoid confusion between the process of executing the acquisition start command using this system and the process of executing the acquisition start command using another means (step S5).

  Next, it is determined whether or not acquisition of all network logs of the port selected by the user has been started. If acquisition of all network logs has not been started, the process proceeds to step S4 to acquire all network logs. When the start is completed, the process returns to step 1.

  Subsequently, when “end network log acquisition” is selected on the menu screen immediately after system startup in step 1, there is a process corresponding to the network log acquisition start command that is first read from the temporary file and started using this system. Check whether or not. If there is no process corresponding to the acquisition start command using this system, the screen returns to the menu screen (step S1) immediately after the system is started. On the other hand, if there is a process corresponding to the acquisition start command using this system, the process proceeds to the port selection screen (step S9) (step S8).

  The user selects a port for which acquisition of the network log is to be ended (step S9), and subsequently performs final confirmation of execution of the acquisition end command (step S10). When the acquisition of the network log is completed as a result of the final confirmation, the acquisition of the network log is terminated (step S11), and the network log file 700 that has been acquired immediately after that is transmitted to the host 100 (step S12).

  When it is determined whether or not acquisition of all network logs of the port selected by the user has been completed, and if acquisition of all network logs has not been completed, the process proceeds to step S11, and acquisition of all network logs has been completed Returns to step 1.

  In step S1, when “system stop” is selected, the processing is stopped.

  FIG. 5 is a diagram showing an example of a user interface displayed on the display screen of the relay apparatus 200 or the host computer 100 in the process shown in FIG. In this example, the relay apparatus 200 includes three ports eth1, eth2, and eth3. Further, in the figure, the part of “Select NO. =” Is a part input by the user.

  In FIG. 5, in the state where the screen of (1) is displayed, 1 <Enter> is pressed to start acquiring the network log. In the following screen (2), the user selects a port for which a network log is to be acquired. Here, eth2 and eth3 are selected and 23 <Enter> is pressed. On the screen of (3), confirmation is requested as to whether or not the input item is really good. If it is correct, y <Enter> is pressed, and if it is incorrect, n <Enter> is pressed (y: Yes, n: No). On the screen (4), a message indicating that the network log is being acquired is displayed.

  When the <Enter> key is pressed on the screen (4), the screen (5) (screen (1)) is displayed. At this time, when 2 <Enter> is pressed to stop the acquisition of the network log, the screen shown in (6) (the screen displaying eth2 and eth3 that started the network log acquisition) is displayed.

  Here, only one port for which acquisition of the network log is to be finished is selected, and 2 <Enter> is pressed. In the screen shown in (7), confirmation is requested as to whether or not the input item is really good. If it is correct, y <Enter> is pressed, and if it is incorrect, n <Enter> is pressed. Confirm the network log acquisition completion message on the screen shown in (8).

  At this stage, the network log file stored in a specific folder on the disk is automatically transmitted to the host. Next, when <Enter> is pressed when the message shown in (8) is displayed, the screen shown in (9) (screen shown in (1)) is displayed.

  The relay device sorts network log files acquired from the terminal by date, compresses the commands for each date, and sends the network log file stored on the relay device disk so that it can be sent to the host. By preparing item numbers such as a delete command for deleting or a process number display command for checking the network log acquisition status as needed, it becomes easier for the user to use.

  FIG. 6 is a diagram for explaining marks used in FIGS. 7 to 10 described later. The ICMP message display mark is displayed on the screen of the computer operated by the user at that time regardless of whether the relay device is directly operated or the relay device is operated remotely. It is. In addition, the degree of security is not limited to displaying a standard for making the explanation in FIGS. 7 to 10 easy to understand.

  FIG. 7 is a diagram for explaining a case where the network between the host 100 and the relay device 200 connected to the host is normal, and the user acquires a network log in the relay device 200.

  In the case of this example, the maintenance person 800 who operates the relay device 200 can grasp the outline of the failure because the ICMP message is displayed on the screen when the acquired network log file 700 includes the ICMP message. Further, the network log file 700 is automatically transmitted to the host 100 simultaneously with the completion of the network log acquisition. When the host 100 receives the network log file 700, the host 100 displays an ICMP message included in the log file on the screen of the host 100 side. For this reason, the maintenance person 800 on the host 100 side can grasp the rough contents of the failure based on the ICMP message before analyzing the network log.

  In the case of this example, the maintenance person 800 of the relay apparatus 200 can grasp the outline of the network. Further, the maintenance staff 800 of the host 100 can immediately recognize the cause of the failure.

  FIG. 8 is a diagram illustrating a case where the network between the host 100 and the relay device 200 connected to the host is normal, and the maintenance person 800 acquires a network log from the host 100 by remote operation. In this case, the maintenance staff of the host 100 can easily acquire the network log by system operation. Further, when the ICMP message is included in the network log, the failure content is displayed on the screen, so that the failure content can be grasped immediately.

  As described above, even in the remote operation method, the maintenance staff 800 can quickly grasp the failure content as compared with the conventional method.

  FIG. 9 is a diagram illustrating a case where the network between the host 100 and the relay device 200 connected to the host is abnormal, and the maintenance person 800 acquires a network log in the relay device 200. In this case, the maintenance person 800 of the relay device 200 cannot transmit the network log to the host 100.

  However, when an ICMP message is included in the network log, the content of the failure included in the ICMP message is displayed on the display screen of the relay apparatus 200. For this reason, the maintenance staff 800 of the relay apparatus 200 can grasp the content of the failure and implement the countermeasure against the failure. In this way, it is possible to grasp the failure content from the ICMP message and implement the failure countermeasure. That is, the advantage of this method is remarkable compared to the conventional method in which the failure content is not known at all and nothing can be done.

  FIG. 10 is a diagram illustrating a case where the network between the host 100 and the relay device 200 connected to the host is abnormal, and the maintenance person 800 acquires a network log from the host 100 by remote operation.

  As shown on the left side of the broken line in FIG. 10, the contents of the failure cannot be grasped when remote login from the host 100 is not possible. This is the same even when the conventional method is applied.

  However, as shown on the right side of the broken line, the network log file 700 cannot be transmitted from the relay device 200 to the host 100. However, when remote login can be performed from the host 100 to the relay device, both the conventional method and this method fail. The contents can be grasped. In this case as well, as described with reference to FIG. 8, the maintenance staff of the host 100 can easily acquire the network log by the system operation. Further, when an ICMP message is included in the network log, it is displayed on the screen of the failure content, so that the failure content can be grasped immediately.

  In this way, even in the remote operation method, the maintenance staff 800 can grasp the contents of the failure more quickly than in the conventional method.

  FIG. 11 is a table summarizing errors and control states reported and reported by ICMP. When the ICMP type value is described in the acquired network log file 700, the message described in the explanation is displayed on the screen.

  12 to 15 show the messages shown in FIG. 11 further classified. When the code value is described in the acquired network log file 700, the message described in the explanation is displayed on the screen.

  12 shows a detailed message when the ICMP type value is 3, FIG. 13 shows a detailed message when the ICMP type value is 5, and FIG. 14 shows details when the ICMP type value is 11. FIG. 15 shows a detailed message when the ICMP type value is 12. FIG.

  As described above, according to the present embodiment, even if the maintenance person 800 directly acquires the network log using the relay device 200 that is the target of network log acquisition, the relay device 200 is transmitted from the host 100 using a Telnet command or the like. The network log file 700 can be transmitted to the host 100 even if the network log is acquired in the state of remote login to the host 100. At this time, if the ICMP message is included in the network log file 700, the failure content can be displayed on the screen of the host 100 or the relay apparatus 200 that has operated the system.

  In particular, when the system is operated by the relay device 200, not only the screen of the relay device 200 but also the acquired network log file 700 is transmitted to the host 100, and when the host 100 receives it, the failure content is displayed on the display screen of the host 100. Will be.

  Therefore, when an ICMP message is included in the acquired network log file 700, the maintenance person 800 on the host 100 side can grasp the entire failure content before starting to analyze the network log.

  Further, when the maintenance person 800 of the relay apparatus 200 has acquired the network log, but the network log file 700 cannot be transmitted to the host 100 due to a network failure, and the ICMP message is included in the log file, the relay apparatus 200 The failure details can be displayed on the screen. Therefore, the maintenance staff 800 can easily grasp the cause of the network failure. As described above, since the maintenance staff of the relay apparatus can handle the failure, even when the host 100 cannot acquire the log information in an emergency, it is possible to avoid a serious situation of the network. Even if the network log file 700 cannot be sent to the host 100 due to a network failure, or even if the host 100 takes time to analyze the network log, the maintenance person 800 who has operated the system immediately sends an ICMP message. It is possible to grasp and trouble countermeasures can be implemented. Further, when the host 100 receives the network log file 700 including the ICMP message, the maintenance person 800 on the host 100 side can immediately grasp the rough failure contents immediately before starting the analysis of the network log. Become.

  Note that there are several softwares that acquire network logs, but there is no software that acquires network logs for a plurality of ports 500 at the same time. Although it may be realized by starting the application multiple times, there is a time difference between the start and end of acquisition, which is not efficient. However, according to this embodiment, acquisition of network logs for a plurality of ports can be started almost simultaneously with a single key input by previously inputting the desired numbered port 500 to the system screen. The same applies to the end of acquisition.

  In addition, by continuously executing the network log acquisition start command by loop processing, it is possible to start the network log acquisition start of a plurality of ports with a single key input as a trigger. Also, by continually executing the network log acquisition end command by loop processing, the end of network log acquisition for a plurality of ports can be realized with a single key input as a trigger.

  Further, the acquired network log file 700 can be transmitted to the host 100 at the same time as the acquisition of the network log. When the ICMP message is included in the network log file 700 acquired as described above, the failure content can be displayed on the screen of the device (host or relay device) that performed the system operation. In particular, when the computer that performed the system operation is the relay apparatus 200 and the host 100 receives the network log file 700, the contents of the failure are also displayed on the screen of the host 100, so that the maintenance personnel 800 that performed the system operation, The maintenance person 800 on the host 100 side who acquired the network log file 700 can easily grasp the contents of the failure.

It is a figure explaining the outline | summary of a network. It is a figure explaining the system which acquires a network log using the conventional relay apparatus. It is a figure explaining the system which acquires a network log using a relay apparatus. It is a figure explaining the process of a relay apparatus. It is a figure which shows the example of a user interface. It is a figure explaining the mark used in FIGS. 7-10. It is a figure explaining the case where a maintenance person acquires a network log in a relay apparatus. It is a figure explaining the case where a maintenance worker acquires a network log by remote operation from a host. It is a figure explaining the case where a maintenance person acquires a network log in a relay apparatus. It is a figure explaining the case where a maintenance worker acquires a network log by remote operation from a host. It is the figure which put together the error and control state which are notified and reported by ICMP. It is a figure explaining the message of FIG. 11 further classified. It is a figure explaining the message of FIG. 11 further classified. It is a figure explaining the message of FIG. 11 further classified. It is a figure explaining the message of FIG. 11 further classified.

Explanation of symbols

100 Host 200 Relay device 300 Terminal 500 Port 700 Network log file 800 Maintenance staff 900 Display device

Claims (3)

Network log acquisition analysis in which a plurality of terminals are connected to a host computer via a relay device, log information of the terminal is acquired and analyzed by the host computer, and the analysis result is displayed on the display device of the host computer or the relay device In the system,
The relay apparatus includes command input means for receiving command input, transmission means for acquiring log information of a terminal specified by a command received by the command input means, and transmitting the acquired log information to a host computer, and further including the acquisition A network log acquisition and analysis system characterized in that, when an ICMP message is included in the log information, the corresponding failure information is displayed on a display device based on the ICMP type value or message code of the ICMP message. In the network log acquisition analysis system according to claim 1,
The command input means displays one or a plurality of terminals on the display screen, and displays a selection display screen that prompts selection of terminals that simultaneously acquire log information. In the network log acquisition analysis system according to claim 1,
The relay device is capable of responding to commands for network log acquisition start and network log acquisition end, and is a system in which a user inputs a desired number on a menu screen in which commands are numbered in an operation procedure and proceeds with processing. Yes,
When the start of network log acquisition is selected, it accepts the network log of which port is the target by the number indicating the port, and executes the process of network log acquisition when the execution confirmation key input is received last. And
In addition, when the end of network log acquisition is selected, the port number that is currently acquiring the network log is displayed on the screen using the system at that time, and the port number for which network log acquisition is to be ended is entered from that screen. A network log acquisition / analysis system characterized in that the network log acquisition process is terminated when the key input for reception confirmation is finally received and the acquired network log file is transmitted to the host computer.

Images