US2016378577A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016378577-A1 |
| Application number | US-201615089049-A |
| Country | US |
| Kind code | A1 |
| Filing date | Apr 1, 2016 |
| Priority date | Apr 3, 2015 |
| Publication date | Dec 29, 2016 |
| Grant date | — |
Official abstract text for this publication.
Disclosed is a system, method, and computer program product for implementing a log analytics method and system that can configure, collect, and analyze log records in an efficient manner. An improved approach is provided for identifying log files that have undergone a change in status that would require retrieval of their log data, by including a module directly in the operating system that allows the log collection component to be reactively notified of any changes to pertinent log files.
Opening claim text (preview).
What is claimed is:
1. A method implemented with a processor, comprising: to monitor for changes to one or more log files, configuring an operating system (OS) module to generate an event within an event log when any of a target set of operating-system-level system calls is made; loading the OS module into an operating system of a host computing system; operating the OS module within the operating system of the host computing system to detect an invocation of any of the target set of operating-system-level system calls and to execute the invocation of the any of the operating-system-level system calls, wherein the OS module does not detect invocation of untargeted operating-system-level system calls, and wherein the one or more log files are changed by one or more processes associated with one or more particular calls in the target set of operating-system-level system calls; and identifying one or more events corresponding to the one or more log files changed by invocation of the any of the target set of operating-system-level system calls, wherein the one or more events correspond to a filtered subset of all log files that are changed by invocation of the any of the target set of operating-system-level system calls, and the one or more events are reviewable by a log collector to collect the one or more log files for a log analytics system.
2. The method of claim 1, wherein a filter is applied to generate the filtered subset that is recorded into an event log, the filtered subset identifiable based upon application of a filtering criteria to the invocation of the any of the target set of operating-system-level system calls.
3. The method of claim 2, wherein (a) the filter is applied before the one or more events are recorded into the event log, (b) the filter is applied asynchronously to remove filtered items from the event log, or (c) the filter is applied both before the one or more events are recorded into the event log and asynchronously to remove the filtered items from the event log.
4. The method of claim 2, wherein both a filtered event log and an unfiltered event log are maintained, the filtered event log storing events that meet the filtering criteria, and the unfiltered event log storing events regardless of whether the events meet the filtering criteria.
5. The method of claim 2, wherein the filtering criteria comprises at least one of a filename pattern, a pathname pattern, or an operation pattern.
6. The method of claim 2, wherein the event log corresponds to a named pipe.
7. The method of claim 1, wherein the OS module corresponds to a loadable kernel module, and the OS module is inserted within an operating system kernel.
8. The method of claim 1, further comprising determining whether the invocation of the any of the target set of operating-system-level system calls has successfully completed, and recording an event after determining successful completion.
9. The method of claim 1, wherein the one or more events are reviewed by the log collector on a periodic basis.
10. The method of claim 1, wherein the OS module is operated within the operating system of the host computing system to detect the change to the log file by: saving an original address of an operating system function; intercepting a call by an application to the operating system function; and calling the operating system function from the OS module, wherein a function call parameter from the application is passed to the operating system function.
11. The method of claim 10, wherein the operating system function comprises at least one of a write function, a rename function, a delete function, or a move function.
12. The method of claim 1, wherein the target set of operating-system-level system calls comprise one or more calls that indicate a possible change to the log file being monitored and exclude one or more calls that do not indicate a change to any file.
13. A computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a method, the method comprising: to monitor for changes to one or more log files, configuring an operating system (OS) module to generate an event within an event log when any of a target set of operating-system-level system calls is made; loading the OS module into an operating system of a host computing system; operating the OS module within the operating system of the host computing system to detect an invocation of any of the target set of operating-system-level system calls and to execute the invocation of the any of the operating-system-level system calls, wherein the OS module does not detect invocation of untargeted operating-system-level system calls, and wherein the one or more log files are changed by one or more processes associated with one or more particular calls in the target set of operating-system-level system calls; and identifying one or more events corresponding to the one or more log files changed by invocation of the any of the target set of operating-system-level system calls, wherein the one or more events correspond to a filtered subset of all log files that are changed by invocation of the any of the target set of operating-system-level system calls, and the one or more events are reviewable by a log collector to collect the one or more log files for a log analytics system.
14. The computer readable medium of claim 13, wherein a filter is applied to generate the filtered subset that is recorded into an event log, the filtered subset identifiable based upon application of a filtering criteria to the invocation of the any of the target set of operating-system-level system calls.
15. The computer readable medium of claim 14, wherein the filtering criteria comprises at least one of a filename pattern, a pathname pattern, or an operation pattern.
16. The computer readable medium of claim 13, wherein the OS module corresponds to a loadable kernel module, and the OS module is inserted within an operating system kernel.
17. The computer readable medium of claim 13, further comprising determining whether the invocation of the any of the target set of operating-system-level system calls has successfully completed, and recording an event after determining successful completion.
18. The computer readable medium of claim 13, wherein the OS module is operated within the operating system of the host computing system to detect the change to the log file by: saving an original address of an operating system function; intercepting a call by an application to the operating system function; and calling the operating system function from the OS module, wherein a function call parameter from the application is passed to the operating system function.
19. A system, comprising: a processor; a memory having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute operations comprising: monitoring for changes to a log file by configuring an operating system (OS) module to generate an event within an event log when any of a target set of operating-system-level system calls is made; loading the OS module into an operating system of a host computing system; operating the OS module within the operating system of the host computing system to detect an invocation of any of the target set of operating-system-level system calls and to execute the invocation of the any of the operating-system-level system calls, wherein the OS module do
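The mechanism the claims describe (save the original address of a targeted OS function, intercept calls to it, pass the caller's parameters through to the original, record an event only after the call succeeds, keep a filtered and an unfiltered event log, and let a collector drain the filtered log on its own schedule) can be modelled in user space without writing a kernel module. The block below is an added example, not code from the patent or from any product of the applicant: the "system call table" is a constructed array of function pointers standing in for the kernel's table, the write/rename/unlink/read stand-ins and the `/var/log/` prefix and `.log` filename pattern are assumptions chosen to exercise claims 1, 2, 4, 5, 8, 9, 10 and 11, and `read` is included only to show that an untargeted call is never seen by the module.

```c
/* Added example: user-space model of the hook-and-filter pattern in the claims.
 * NOT a kernel module and NOT the patent's code; all names and paths are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS  64
#define EV_PATH_MAX 128

typedef enum { OP_WRITE = 0, OP_RENAME, OP_UNLINK, OP_READ, OP_COUNT } op_t;
typedef long (*sysfn_t)(const char *a, const char *b);

/* Stand-ins for the OS functions; a negative return models a failed call. */
static long os_write(const char *path, const char *data)   { return (path && data) ? (long)strlen(data) : -1; }
static long os_rename(const char *from, const char *to)    { return (from && to) ? 0 : -1; }
static long os_unlink(const char *path, const char *unused){ (void)unused; return path ? 0 : -1; }
static long os_read(const char *path, const char *buf)     { (void)buf; return path ? 0 : -1; }

/* Dispatch table the module patches: models the kernel's system-call table. */
static sysfn_t sys_table[OP_COUNT] = { os_write, os_rename, os_unlink, os_read };
static sysfn_t saved[OP_COUNT];      /* original addresses, saved before hooking (claim 10) */

/* Operation pattern: only calls that can change a file are targeted (claims 1, 12). */
static const bool OP_TARGETED[OP_COUNT] = { true, true, true, false };
/* Pathname and filename patterns (claim 5); constructed values. */
static const char *PATH_PREFIX   = "/var/log/";
static const char *NAME_PATTERN  = ".log";

typedef struct { op_t op; char path[EV_PATH_MAX]; } event_t;
static event_t filtered_log[MAX_EVENTS]; /* what the collector reads (claims 2, 4) */
static int filtered_n = 0;
static int unfiltered_n = 0;             /* count of every successful targeted call (claim 4) */

/* Filter applied before an event is recorded (claim 3(a)). "app.log" and "app.log.1" both match. */
static bool matches_filter(const char *path) {
    if (strncmp(path, PATH_PREFIX, strlen(PATH_PREFIX)) != 0) return false;
    const char *name = strrchr(path, '/') + 1;          /* prefix guarantees a '/' exists */
    return strstr(name, NAME_PATTERN) != NULL;
}

static void record_event(op_t op, const char *path) {
    if (filtered_n >= MAX_EVENTS) return;   /* overflow: drop; the collector drains periodically */
    filtered_log[filtered_n].op = op;
    strncpy(filtered_log[filtered_n].path, path, EV_PATH_MAX - 1);
    filtered_log[filtered_n].path[EV_PATH_MAX - 1] = '\0';
    filtered_n++;
}

/* Common interception path: run the original with the caller's own parameters (claim 10),
 * then record only if the call completed successfully (claim 8). */
static long intercept(op_t op, const char *a, const char *b) {
    long rc = saved[op](a, b);
    if (rc < 0) return rc;
    unfiltered_n++;
    if (a && matches_filter(a)) record_event(op, a);                 /* written/deleted/renamed-from */
    if (op == OP_RENAME && b && matches_filter(b)) record_event(op, b); /* renamed-to (rotation) */
    return rc;
}
static long hook_write (const char *a, const char *b) { return intercept(OP_WRITE,  a, b); }
static long hook_rename(const char *a, const char *b) { return intercept(OP_RENAME, a, b); }
static long hook_unlink(const char *a, const char *b) { return intercept(OP_UNLINK, a, b); }
static sysfn_t hooks[OP_COUNT] = { hook_write, hook_rename, hook_unlink, NULL };

/* Module load/unload: patch only the targeted entries; untargeted ones are never touched. */
void module_load(void) {
    for (int op = 0; op < OP_COUNT; op++) {
        if (!OP_TARGETED[op]) continue;
        saved[op] = sys_table[op];
        sys_table[op] = hooks[op];
    }
}
void module_unload(void) {
    for (int op = 0; op < OP_COUNT; op++)
        if (OP_TARGETED[op]) sys_table[op] = saved[op];
}

/* What an application's call goes through. */
long do_syscall(op_t op, const char *a, const char *b) { return sys_table[op](a, b); }

/* Log collector (claim 9): drain the filtered log into a deduplicated list of files to re-read. */
int collect_changed_files(char out[][EV_PATH_MAX], int max) {
    int n = 0;
    for (int i = 0; i < filtered_n; i++) {
        bool dup = false;
        for (int j = 0; j < n; j++)
            if (strcmp(out[j], filtered_log[i].path) == 0) { dup = true; break; }
        if (!dup && n < max) { strcpy(out[n], filtered_log[i].path); n++; }
    }
    filtered_n = 0;
    return n;
}
int filtered_event_count(void)   { return filtered_n; }
int unfiltered_event_count(void) { return unfiltered_n; }

int main(void) {
    char files[8][EV_PATH_MAX];
    module_load();
    do_syscall(OP_WRITE,  "/var/log/app.log", "hello");
    do_syscall(OP_RENAME, "/var/log/app.log", "/var/log/app.log.1");
    do_syscall(OP_UNLINK, "/var/log/old.log", NULL);
    int n = collect_changed_files(files, 8);
    for (int i = 0; i < n; i++) printf("changed: %s\n", files[i]);
    module_unload();
    return 0;
}
```

Two points the model makes visible. First, a failed call (here `write` with a NULL path) produces no event at all, so the collector is never woken for a file that did not actually change, which is what claim 8 asks for. Second, the filter is applied on the way into the event log, so the filtered log holds only the `/var/log/*.log*` events while the unfiltered counter still reflects every successful targeted call. In a real Linux kernel, patching the system-call table as claims 7 and 10 describe is the same technique rootkits use and is blocked on many hardened builds; a practitioner evaluating this design today would compare it against fanotify/inotify or kprobes/ftrace, which give the same "file changed" signal without rewriting kernel dispatch tables.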
Selection of displayed objects or displayed text elements (G06F3/0482 takes precedence) · CPC title
where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems (multiprogramming arrangements G06F9/46; allocation of resources G06F9/50) · CPC title
Processing captured monitoring data, e.g. for logfile generation · CPC title
Handling of user complaints or trouble tickets · CPC title
where the reporting involves the use of self describing data formats, i.e. metadata, markup languages, human readable formats · CPC title