detecting large scale
play

Detecting Large-Scale System Problems by Mining Console Logs - PowerPoint PPT Presentation

Nov 29, 2023 •440 likes •935 views

Detecting Large-Scale System Problems by Mining Console Logs Author : Wei Xu, Ling Huang, Armando Fox, David Patterson, Michael Jordan Conference: ICML 2010 SOSP2009, ICDM 2009 Reporter: Zhe Fu Outline SOSP 09 ICML 10 Offline Analysis

  1. Detecting Large-Scale System Problems by Mining Console Logs Author : Wei Xu, Ling Huang, Armando Fox, David Patterson, Michael Jordan Conference: ICML 2010 SOSP2009, ICDM 2009 Reporter: Zhe Fu

  2. Outline SOSP 09 ICML 10 Offline Analysis ICDM 09 Invited Applications Paper Online Detection 2

  3. Outline • Introduction • Key Insights • Methodology • Evaluation • Online Detection • Conclusion 3

  4. Introduction Background of console logs • Console logs rarely help in large-scale datacenter services • Logs are too large to examine manually and too unstructured to analyze automatically • It’s difficult to write rules that pick out the most relevant sets of events for problem detection Anomaly detection • Unusual log messages often indicate the source of the problem 4

  5. Introduction Related work: • as a collection of English words • as a single sequence of repeating events Contributions: • A general methodology for automated console log processing • Online problem detection with message sequences • System implementation and evaluation on real world systems. 5

  6. Key Insights Insight 1: Source code is the “schema” of logs. • Logs are quite structured because generated entirely from a relatively small set of log printing statements in source code. • Our approach can accurately parse all possible log messages, even the ones rarely seen in actual logs. 6

  7. Key Insights Insight 2: Common log structures lead to useful features. • Message types: marked by constant strings in a log message • Message variables: • Identifiers: variables that identify an object manipulated by the program • state variables: labels that enumerate a set of possible states an object could have in program message types identifiers state variables 7

  8. Key Insights Insight 2: Common log structures lead to useful features. 8

  9. Key Insights Insight 3: Message sequences are important in problem detection. • Messages containing a certain file name are likely to be highly correlated because they are likely to come from logically related execution steps in the program. • Many anomalies are only indicated by incomplete message sequences. For example, if a write operation to a file fails silently (perhaps because the developers do not handle the error correctly), no single error message is likely to indicate the failure. 9

  10. Key Insights Insight 4: Logs contain strong patterns with lots of noise. • normal patterns — whether in terms of frequent individual messages or frequent message sequences — are very obvious fr frequent pattern min inin ing and Princ rincipal Co Component Analysis (P (PCA CA) • Two most notable kinds of noise • random interleaving of messages from multiple threads or processes • inaccuracy of message ordering) gr groupin ing meth thods 10

  11. Case Study 11

  12. Methodology Step 1: Log parsing • Convert a log message from unstructured text to a data structure Step 2: Feature creation • Constructing the state ratio vector and the message count vector features Step 3: Machine learning • Principal Component Analysis(PCA)-based anomaly detection method Step 4: Visualization • Decision tree 12

  13. Step 1: Log parsing message types identifiers state variables regular expression: starting: xact (. *) is (. *) • Challenge: Templatize automatically • C language • fprintf(LOG, "starting: xact %d is %s") • Java • CLog.info("starting: " + txn) • Difficulty in OO (object-oriented) language • We need to know that CLog identifies a logger object • OO idiom for printing is for an object to implement a toString() method that returns a printable representation of itself for interpolation into a string • Actual toString() method used in a particular call might be defined in a subclass rather than the base class of the logger object 13

  14. Step 1: Log parsing Parsing Approach - Source Code 14

  15. Step 1: Log parsing Parsing Approach - Source Code 15

  16. Step 1: Log parsing Parsing Approach - Logs • Apache Lucene reverse index • Implement as a Hadoop map-reduce job • Replicating the index to every node and partitioning • The map stage performs the reverse-index search • The reduce stage processing depends on the features to be constructed 16

  17. Step 2: Feature creation State ratio vector • Each state ratio vector: a group of state variables in a time window • Each vector dimension: a distinct state variable value • Value of the dimension: how many times this state value appears in the time window message types state variables identifiers choose state variables that were reported at least 0 . . 2 N N times choose a size that allows the variable to appear at least 10 10 D times in 80% % of all the time windows 17

  18. Step 2: Feature creation Message count vector • Each message count vector: group together messages with the same identifier values • Each vector dimension: different message type • Value of the dimension: how many messages of that type appear in the message group message types state variables identifiers 18

  19. Step 2: Feature creation Message count vector 19

  20. Step 2: Feature creation State ratio vector • Capture the aggregated behavior of the system over a time window Message count vector • help detect problems related to individual operations Also implement as a Hadoop map-reduce job 20

  21. Step 3: Machine learning Principal Component Analysis (PCA)-based anomaly detection 21

  22. Step 3: Machine learning Principal Component Analysis (PCA)-based anomaly detection 22

  23. Step 3: Machine learning Intuition behind PCA anomaly detection 23

  24. Step 3: Machine learning Principal Component Analysis (PCA)-based anomaly detection 24

  25. Step 3: Machine learning Principal Component Analysis (PCA)-based anomaly detection 25

  26. Step 3: Machine learning Principal Component Analysis (PCA)-based anomaly detection 26

  27. Step 3: Machine learning Principal Component Analysis (PCA)-based anomaly detection 27

  28. Step 3: Machine learning Improving PCA detection results • Applied Term Frequency / Inverse Document Frequency (TF-IDF) where df j is total number of message groups that contain the j-th message type • Using better similarity metrics and data normalization 28

  29. Step 4: Visualization 29

  30. Methodology 30

  31. Evaluation Dataset: • From Elastic Compute Cloud (EC2) • 203 nodes of HDFS and 1 nodes of Darkstar 31

  32. Evaluation Parsing accuracy: Parse fails when cannot find a message template that matches the message and extract message variables. 32

  33. Evaluation Scalability: 50 nodes, takes less than 3 minutes , less than 10 minutes with 10 node 33

  34. Evaluation Darkstar • DarkMud Provided by the Darkstar team • Emulate 60 user clients in the DarkMud virtual world performing random operations • Run the experiment for 4800 seconds • Injected a performance disturbance by capping the CPU available to Darkstar to 50% during time 1400 to 1800 sec 34

  35. Evaluation Darkstar - state ratio vectors • 8 distinct values, including PREPARING , ACTIVE , COMMITTING , ABORTING and so on • Ratio between number of ABORTING to COMMITTING increases from about 1:2000 to about 1:2 • Darkstar does not adjust transaction timeout accordingly 35

  36. Evaluation Darkstar - message count vectors 68,029 transaction ids reported in 18 different message types, Y m is 68 , 029 × 18 • • PCA identifies the normal vectors: { create , join txn,commit , prepareAndCommit } • Augmented each feature vector using the timestamp of the last message in that group 36

  37. Evaluation Hadoop • Set up a Hadoop cluster on 203 EC2 nodes • Run sample Hadoop map-reduce jobs for 48 hours • Generate and processing over 200 TB of random datas • Collect over 24 million lines of logs from HDFS 37

  38. Evaluation Hadoop - message count vectors • Automatically chooses one identifier variable, the blockid , which is reported in 11,197,954 messages (about 50% of all messages) in 29 message types. • Y m has a dimension of 575, 139 × 29 38

  39. Evaluation Hadoop - message count vectors • The first anomaly in Table 7 uncovered a bug that has been hidden in HDFS for a long time. no single error message indicating the problem • we do not have the problem that causes confusion in traditional grep based log analysis. #:Got Exception while serving # to #:# • Algorithm does report some false positives, which are inevitable a few blocks are replicated 10 times instead of 3 times for the majority of blocks. 39

  40. Online Detection Two Stage Online Detection Systems 40

  41. Stage 1: Frequent pattern based filtering • event trace : a group of events that reports the same identifier. • session : a subset of closely-related events in the same event trace that has a predictable duration. • duration : the time difference between the earliest and latest timestamps of events in the session. • frequent pattern : a session with its duration distribution: • 1) the session is frequent in many event traces; • 2) most (e.g., 99.95th percentile) of the session’s duration is less than T max • T max : a user-specified maximum allowable detection latency • detection latency: the time between an event occurring and the decision of whether the event is normal or abnormal 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS Analysis Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu , Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, Yiming Zhang, Kai

819 views • 30 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
Detecting Problems in the Database Access Code of Large Scale Systems An industrial Experience

Detecting Problems in the Database Access Code of Large Scale Systems An industrial Experience

Detecting Problems in the Database Access Code of Large Scale Systems An industrial Experience Report 1 Existing static analysis tools focus on language-related problems PMD Google error-prone Coverity FindBugs Facebook Infer However,

632 views • 31 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
by Mining Console Logs Wei Xu* Ling Huang Armando Fox* David Patterson* Michael Jordan*

by Mining Console Logs Wei Xu* Ling Huang Armando Fox* David Patterson* Michael Jordan*

UC Berkeley Detecting Large-Scale System Problems by Mining Console Logs Wei Xu* Ling Huang Armando Fox* David Patterson* Michael Jordan* Intel Labs Berkeley *UC Berkeley 1 Why console logs? Detecting problems in large scale

323 views • 14 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides
Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Census: Location-Aware Membership Management for Large-Scale Distributed Systems James Cowling Dan R. K. Ports Barbara Liskov Raluca Ada Popa Abhijeet Gaikwad* MIT CSAIL *cole Centrale Paris Motivation Large-scale distributed systems

606 views • 48 slides
Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale electronic voting protocol: Primarily Internet-based Users voting from their own devices (such as home PC/laptop) Aimed toward actual

721 views • 21 slides
Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame Yahiaoui Outlook BGP: Border Gateway Protocol Large Scale Simulation: motivations Large Scale BGP Simulation Model Realistic Topologies

550 views • 17 slides
E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale Information Access Technologies Evaluation and Testing Evaluation and Testing Noriko Kando Noriko Kando National Institute of Informatics, Japan

632 views • 61 slides
Inferring Models of Concurrent Systems from Logs of Their Behavior with CSight A?a-1 timeout s0

Inferring Models of Concurrent Systems from Logs of Their Behavior with CSight A?a-1 timeout s0

Inferring Models of Concurrent Systems from Logs of Their Behavior with CSight A?a-1 timeout s0 send(m) s1 M!m-0 s2 A?a-1 Sender Receiver A?a-0 A?a-1 2,1 M?m-0 1,0 send(m) A?a-0 s5 M!m-1 s4 send(m) s3 2,2 recv(m) 2,0 M!m-0

1.22k views • 75 slides
Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked

Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked

Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked Environment Brandon Pollet Brandon Pollet Enterprise Security Group Enterprise Security Group Center for Information Security Center for

671 views • 28 slides
It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19

It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19

It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19 @ Rio de Janeiro Outline Introduction to distributed system logs Challenges NLog: A NLP based log analysis approach Evaluation

197 views • 18 slides
fjlesystems 3 1 last time hard drives seek time rotational latency block remapping by disk

fjlesystems 3 1 last time hard drives seek time rotational latency block remapping by disk

fjlesystems 3 1 last time hard drives seek time rotational latency block remapping by disk controller solid state disks wear leveling move data to new block when written work around limitations of large erasure blocks (that cant be

1.67k views • 110 slides
Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices

Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices

Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices Metrics Why? What happened last Tuesday? Grep? Multiple machines Multiple logs Analysis/Discovery Time period Time? Time?! Time! apache

592 views • 33 slides
Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log Analyzer kees@neo4j.com Query Log dbms.logs.query.enabled=true # If the execution of query takes more time than this threshold, # the query is

1.12k views • 27 slides
Creating LaTeX and HTML documents from within Stata using texdoc and webdoc Ben Jann University

Creating LaTeX and HTML documents from within Stata using texdoc and webdoc Ben Jann University

Creating LaTeX and HTML documents from within Stata using texdoc and webdoc Ben Jann University of Bern, ben.jann@soz.unibe.ch Nordic and Baltic Stata Users Group meeting Oslo, September 13, 2016 Ben Jann (University of Bern) texdoc/webdoc

563 views • 22 slides
2 Workloa d? 3 OLTP 4 OLAP OLTP 4 OLAP OLTP Streaming 4 Scan- OLAP OLTP Streaming

2 Workloa d? 3 OLTP 4 OLAP OLTP 4 OLAP OLTP Streaming 4 Scan- OLAP OLTP Streaming

2 Workloa d? 3 OLTP 4 OLAP OLTP 4 OLAP OLTP Streaming 4 Scan- OLAP OLTP Streaming oriented 4 Scan- OLAP OLTP Streaming Archiving oriented 4 Scan- Log- OLAP OLTP Streaming Archiving processing oriented 4 Scan- Log-

1.09k views • 105 slides

More recommend