Home

KLFA USER MANUAL

1. IVdO IO 4 9008 0 ZS00U 0 40084 0 06 99008 0 Sunsa gb G ejejg eutQ 0 0 0 9900 9 7900 S 090082 89009 8 Sunsmp cb g UDA BOT od poqoodxy So gudas ojejg ATeulouy duio 27 Examples Anomaly 1 Anomaly 1 appears in line 15 of the faulty log file The anomaly regards component com sun jbi framewor the id 5 correspond to this component as you can see from file components training properties In this case the anomaly is not caused by an unexpected event but the sys tem detects that the events regarding component 5 stopped before than ex pected In fact a new final state was added to the automaton By opening the automaton with the command java cp path to klfa tools ShowFSA klfaoutput 5 fsa we can see that many more events are expected Fur thermore by looking at the faulty log file we can see that the file is very short so we can deduce that it was truncated by the user or the application was blocked The Event column in this case do not represent the wrong event occurred but the last event seen The id of this last event is R0065 which correspond to the event regex JBIFWO0010 JBI framework ready to accept requests Anomaly 2 Anomaly 2 regards component javax enterprise system core also in this case the anomaly is caused by the premature end of messages Anomaly 3 Anomaly
2. 12008 x C ANT exportRules rules properties workingDir trainingCsvGen componentsDefinitionFile components training properties events correct txt events correct csv From examples glassfishForumUserIssue analysis you can sim ply run bin runComponentLevelEventsDetectionTraining sh Table 5 2 explains the parameters used 33 Developers Guide Table 5 2 AutomatedEventsDetector parameters Parameters description SlctExecutablePath path to slct path to the slct exe cutable replacement CORE5076 ing Using Java Us replaces all messages of this type with a default message this message generate a false positive which is caused by different versions of VM used so we removed info about the VM replacement domains do main l config domains do main1 config remove the part of the path that generate a false positive replacement ser vice jmx rmi jndi rmi 8686 jm remove this informa xtmmn because the path is system dependant and we do not have enough tests to permit to slct to understand that this is a parame ter replacement ser vice jmx rmi jndi rmi 8686 jm same as above xrmi replacement IDEBUG 34 5 1 Model Inference and Anomaly Detection remove information about the logging granularity It does
3. Parameters description non separator separator char used in the csv file minimizationLimit 100 do not minimize FSA ifthey have more than 100 states componentLevel do component level analysis training learn the models transformersConfig txt file with the rewriting rules defined for the different data clusters preprocessingRules txt file with the asso ciation between the different instances of rewriting strategies and the different parameters events correct csv csv file to load data from Table 4 4 LogTraceAnalyzer Component Level Analysis options 21 Examples java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator splitActionLines actionLines actions correct properties minimizationLimit 100 actionLevel training transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis youcan sim ply run bin runActionLevelInference sh Application Level Analysis java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 applicationLevel training transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis youcan sim ply run bin runApplicationLevelInference sh 41 3 Failure analysis Once the failure occurs the
4. LT GZ 900806 18 LT SUNSA gb I reL LT 8 008 S9TSOLELST 61009 9167788691 Y 68 VG 8 9 6 68 y L TeL Y G99 0 72 9401s3od 02004 6600 FT IG 0 02004 FT Sunsmq pb T FSUN 02004 X 66004 1 0 06004 FT 6010 IVdO IO 4 9008 0 ZS00U 0 40084 0 06 99008 0 Sunsa gb G ejejg eutQ 0 0 0 9900 9 7900 S 090082 89009 8 Sunsmp cb g UDA BOT od poqoodxy So gudas ojejg ATeulouy duio 45 Developers Guide Anomaly 1 Anomaly 1 appears in line 15 of the faulty log file The anomaly regards component com sun jbi framewor the id 5 correspond to this component as you can see from file components training properties In this case the anomaly is not caused by an unexpected event but the sys tem detects that the events regarding component 5 stopped before than ex pected In fact a new final state was added to the automaton By opening the automaton with the command java cp path to klfa tools ShowFSA klfaoutput 5 fsa we can see that many more events are expected Fur thermore by looking at the faulty log file we can see that the file is very short so we can deduce that it was truncated by the user or the application was blocked The Event column in
5. not introduce false positives just make events regular expres sions less readable replacement FINE same as above replacement FINER same as above replacement FINEST same as above replacement same as above dataExpression 2008 tell the system where is positioned the use ful event information using regex grouping componentExpression 2008 35 Developers Guide B 1 tell the system where the component name is positioned in the log line using regex grouping exportRules rules properties export the patterns detected by slct to file rules properties in the current dir workingDir trainingCsvGen generate component files in trainingCsv Gen dir componentsDefinitionFile save components ponents training properties ids to file compo nents training properties events correct txt events correct csv original log file the one that we generated in the previous step teh destination file Application Level Analysis and Action Level Analysis java cp th to klfa it unimib disco 1l ta alfa preprocessing eventTypesDetection AutomatedEventTypesDetector dontSplitComponents replacement CORE5076 Using Using Java replacement x domains domainl c
6. 3 regards component GLOBAL is not a real component it is a keyword used to indicate the automata that describes the way components execution alternate The anomaly type is Tail it indicates that an unseen tail was added to the state q109 The first anomalous event seen is 14 R0020 0 while it expected 3 R0032 3 R0031 13 1394096499 or 2 2135717321 the last three are de tected following the transition The more interesting is the first one which indicates that a deploy message from component 3 javax enterprise system tools admin is missing in the log We do not know if indicates the cause of the failure maybe it is because in one case it has been used the asadmin tool while i the other not Anomaly 4 Anomaly 4 regards component 14 it says that the component recorded less messages than expected This is because the premature end of the log file It is expecting a message of the type R0023 AutoDeploy Disabling AutoDeployment service that happens before stopping the Glassfish server While in this log the stopping phase of the server is not recorded Anomaly 5 Anomaly 5 indicates that at line 24 an anomalous event 4_289331648 28 4 1 Glassfish deployment failure occurs The event ID in this case is an hash The AutomatedEventTypesEx tractor assigns to a raw event line its hashcode as its id when the raw event is an outlier We have an outlier when a raw event does not match any event regexp The occurrence
7. faulty log file can be compared with the inferred models to detect anomalies To do this we have to process the faulty log file in a similar manner as in the model inference phase Figure report the required steps Raw Events Separation The command is the same as in the ModelGeneration phase except from the input and output parameters java cp path to klfa preprocessing rawEventsSeparation RegexBasedRawEventsSeparator eventStartExpression 2008 faultyLogs server fail log events fail txt 22 4 1 Glassfish deployment failure di From Mod el Inference Figure 4 1 Components involved in the failure analysis phase From examples glassfishForumUserIssue analysis you can sim ply run bin runRawEventsSeparationChecking sh Events Types Detection The command is similar as in the Model Generation phase except from the fact that we tell the tool to use the component and rules ids used in the Model Generation phase 23 Examples Component Level Analysis java cp path to klfa it unimib disco lta alfa preprocessing eventTypesDetection AutomatedEventType replacement CORE5076 Using Using Java replacement x domains domainl config domains domainl config replacement service jmx rmi jndi rmi 8686 jmxrmi replacement service jmx rmi jndi rmi 8686 jmxrmi replacement INFO replacement FINE r
8. this case do not represent the wrong event occurred but the last event seen The id of this last event is R0065 which correspond to the event regex JBIFWO0010 JBI framework ready to accept requests Anomaly 2 Anomaly 2 regards component javax enterprise system core also in this case the anomaly is caused by the premature end of messages Anomaly 3 Anomaly 3 regards component GLOBAL is not a real component it is a keyword used to indicate the automata that describes the way components execution alternate The anomaly type is Tail it indicates that an unseen tail was added to the state q109 The first anomalous event seen is 14 R0020 0 while it expected 3 R0032 3 R0031 13 1394096499 or 2 2135717321 the last three are de tected following the transition The more interesting is the first one which indicates that a deploy message from component 3 javax enterprise system tools admin is missing in the log We do not know if indicates the cause of the failure maybe it is because in one case it has been used the asadmin tool while i the other not Anomaly 4 Anomaly 4 regards component 14 it says that the component recorded less messages than expected This is because the premature end of the log file It is expecting a message of the type R0023 AutoDeploy Disabling AutoDeployment service that happens before stopping the Glassfish server While in this log the stopping phase of the server is not recorded Anomaly 5
9. transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis you sim ply run bin runApplicationLevelAnomalyDetection sh Anomalies interpretation In the model comparison phase the tool detects the anomalies present in the faulty log files and report them to the user by saving them in the file klfaoutput anomalies csv The last phase of the technique involves actively the user who has to in spect the reported anomalies and use them as a guide to inspect correct and faulty files to detect the problem Table shows the anomalies detected by the tool in the given case study We imported the csv file produced by the tool anomalies csv and sorted the items according to the column Original Event Line In the next paragraphs we are going to interpret them to give an exhaustive explanation of the problem 26 4 1 Glassfish deployment failure queuod W00 MON ec 200 8 8990879 68004 6 Lc 8 89468 01 6 Surnsixq orb 9 reL 8 900806118 E0004 LT LT GZ 900806 18 LT SUNSA gb I reL LT 8 008 S9TSOLELST 61009 9167788691 Y 68 VG 8 9 6 68 y L TeL Y G99 0 72 9401s3od 02004 6600 FT IG 0 02004 FT Sunsmq pb T FSUN 02004 X 66004 1 0 06004 FT 6010
10. Anomaly 5 indicates that at line 24 an anomalous event 4_289331648 46 5 1 Model Inference and Anomaly Detection occurs The event ID in this case is an hash The AutomatedEventTypesEx tractor assigns to a raw event line its hashcode as its id when the raw event is an outlier We have an outlier when a raw event does not match any event regexp The occurrence of an hashcode as an anomalous event can have two mean ings the specific event was never seen in the correct logs analyzed or the event was present in the logs analyzed but its was present very few time and it was not considered an event type by default this happens when an event occurs just once In the first case it can be an exceptional event that appear as a consequence of a failure or it can be a false positive caused by event regexp that do not generalize enough the data This should happen if in the correct log files we have events in which a parameter remains constant over all their occurrences in this case the parameter will be considered by slct as part of the event regex and in case the value change in the faulty execu tion because of environmental reasons e g domain of a web server it will be detected as an anomaly which may be not related to the experienced failure pay attention it should also be the case in which in the correct execution the system was behaving correctly because of this constant value In this case to further inspect the anomalous event we nee
11. Anomaly type can be branch tail or final state POsition in the trace in which the anomaly starts This number corresponds State of the component FSA in which the anoamly has been found State type can be existing if it is a state present in the component FSA or ne Sequence of anomalous preprocessed events observed POsition in the original log Sequence of anomalous events observed State in which the anomaly ends makes sens only if it is a brnach added ano Expected event going out from the anomalous state Events expected before state state 12 Chapter 4 Examples 4 1 Glassfish deployment failure This section describe a real case study in which we analyzed log files gener ated by the Glassfish J2EE application server to detect the cause of a failure while deploying the Petstore web application In this case study we collected the log files produced by glassfish during system tests derived models from the log files we applied the three different approaches and compared the log file produced during the failure This log file was provided by a final user of the system which was not able to deploy the java web application using Netbeans the files described in this example can be found in folder examples glassfishForumUserIssue 4 1 4 Monitoring In the monitoring phase we collected log files produced by Glassfish while it is performing different functionalities start up shutdown web applica
12. KLFA USER MANUAL USE OF KLFA FROM THE COMMAND LINE Contents 1 Introduction 2 Installing and Compiling KLFA 2 1 Installing a compiled version of KLFA 2 2 Compiling KLFA from a source distribution 2 3 Compiling KLFA from CVS 3 Tools 3 1 Monitoring 3 2 Model Generation 9 8 Failure Analysis 4 Examples 4 1 Glassfish deployment 4 1 1 Monitoring 4 1 2 Model 4 1 8 Failure analysis 5 Developers Guide 5 1 Model Inference and Anomaly Detection 5 1 1 Monitormg 1 2__ 1 5 1 3 Failure analysis Bibliography Qi 11 13 13 13 14 22 31 31 31 32 40 48 Chapter 1 Introduction This document describes kLFA the kBehavior Log File Analysis technique described in and Figure 1 1 shows the three steps of the technique while Figure 1 2 focus on the model generation Detailed information about the technique can be found in The following chapters describe for every step of the technique the tools involved and give examples of usage of the tools step 1 Monitoring step 2 Model Generation step 3 Failure Analysis in the field S in the field test cases uses uses log EN N pui model target system infere
13. acement FINEST replacement dataExpression X N 2008 xN N NL C A AI 42 5 1 Model Inference and Anomaly Detection componentExpression 2008 1 C NL NL loadComponents components training properties exportRules rules checking properties workingDir checkingCsvGen EventPatterns patternsDir trainingCsvGen load componentsDefinitionFile components fail properties events fail txt events fail csv From examples glassfishForumUserIssue analysis you can sim ply run bin runApplicationtLevelEventsDetectionChecking sh or bin run ActionLevelEventsDetectionChecking sh Comparison against the models Comparison against the model is done calling the LogTraceAnalyzer tool and giving the analysis type used in the model generation phase and specifying that we are now doing the comparison Component Level Analysis java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 componentLevel checking transformersConfig txt preprocessingRules txt events fail csv From examples glassfishForumUserIssue analysis you can sim ply run bin runComponentLevelAnomalyDetection sh Action Level Analysis java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 actionLevel checking transformersConfig txt preproces
14. ause of a message never seen before the exception Anomaly 7 Anomaly 7 is detected in line 27 of the trace file Also in this case if we take a look at the faulty log file events fail txt in line 27 we see that there is an exception which is related with the failure The technique has detected an useful information for the root cause analysis Anomaly 8 Anomaly 8 indicates that a new component appeared If we open components fail properties we see that component id 23 correspond to component com sun org apache commons modeler Registry By searchingfor it 29 Examples in the failure log we see that it appears because of an event occurred as a consequence of the failure 30 Chapter 5 Developers Guide This Chapter provides some guidelines to invoke KLFA APIs within your pro gram 5 1 Model Inference and Anomaly Detection This section describe a real case study in which we analyzed log files gener ated by the Glassfish J2EE application server to detect the cause of a failure while deploying the Petstore web application In this case study we collected the log files produced by glassfish during system tests derived models from the log files we applied the three different approaches and compared the log file produced during the failure This log file was provided by a final user of the system which was not able to deploy the java web application using Netbeans the files described in this exam
15. awEventsSeparator eventStartExpression 2008 correctLogs server logx events correct txt From examples glassfishForumUserIssue analysis youcan sim ply run bin runRawEventsSeparation Traning sh Table explains the options used 32 5 1 Model Inference and Anomaly Detection Events Types Detection Event types detection is performed using the AutomatedEventTypesDetector tool which uses slct to detect the event types and then parses the given log to produce a final csv file in which component names events and parameters are separated in different columns The usage of the AutomatedEventTypesDetector depends on the kind of analysis you want to perform on your log file Following we list the different option we used for the distinct analysis Component Level Analysis java cp path to klfa it unimib disco lta alfa preprocessing eventTypesDetection AutomatedEventTypesDetector slctExecutablePath path to slct replacement CORE5076 Using Using Java replacement domains domainl config domains domainl config replacement service jmx rmi jndi rmi 8686 jmxrmi replacement service jmx rmi jndi rmi 8686 jmxrmi replacement INFO replacement FINE replacement DEBUG replacement FINEST replacement FINER dataExpression 12008 NI NL componentExpression
16. d to take a look at the faulty log file events fail txt in line 24 we see that there is an exception which is related with the failure And that exception was never seen in the correct log files search for 289331648 in the correct log Anomaly 6 Anomaly 6 occur at line 25 the event 17 811928006 was unexpected As in the previous case the hashcode id was generate because of a message never seen before the exception Anomaly 7 Anomaly 7 is detected in line 27 of the trace file Also in this case if we take a look at the faulty log file events fail txt in line 27 we see that there is an exception which is related with the failure The technique has detected an useful information for the root cause analysis Anomaly 8 Anomaly 8 indicates that a new component appeared If we open components fail properties we see that component id 23 correspond to component com sun org apache commons modeler Registry By searchingfor it 47 Developers Guide in the failure log we see that it appears because of an event occurred as a consequence of the failure 48
17. ement X DEBUGVX replacement FINEST replacement FINER dataExpression 12008 NI NL componentExpression 12008 C xA AAI exportRules rules properties workingDir trainingCsvGen componentsDefinitionFile components training properties events correct txt events correct csv From examples glassfishForumUserIssue analysis you can sim ply run bin runActionLevelEventsDetectionTraining sh As you can see for both Application and Action Level Analysis the options are the same of the Component Level Analysis except from the additional dontSplitComponents This happens because the log file format is the same so the parsing options d not change the only difference is in the way events are detected in this case we do not need to detect events for components separately Transformation Rules Generation The next step is the automatic detection of the rewriting strategies to be used with the engine This is achieved by running TransformationRulesGenerator java cp path to klfa it unimib disco lta alfa parametersAnalysis TransformationRulesGenerator patterns rules properties signatureElements 0 1 events correct csv From examples glassfishForumUserIssue analysis youcan sim ply run bin runTransformationRulesGeneration sh If you already had a CSV file and for this reason you did not run Event Ty
18. entTypesDetection AutomatedEventType replacement CORE5076 Using Using Java replacement x domains domainl config domains domainl config replacement service jmx rmi jndi rmi 8686 jmxrmi replacement service jmx rmi jndi rmi 8686 jmxrmi replacement INFO replacement FINE replacement DEBUG replacement FINEST replacement FINER dataExpression 2008 1 C NIRN componentExpression WX N 2008 xN xN 251 C NL ANI EAI loadComponents components training properties exportRules rules checking properties workingDir checkingCsvGen loadEventPatterns patternsDir trainingCsvGen componentsDefinitionFile components fail properties events fail txt events fail csv From examples glassfishForumUserIssue analysis you can sim ply run bin runComponentLevelEventsDetectionChecking sh Application Level Analysis and Action Level Analysis java cp path to klfa it unimib disco lta alfa preprocessing eventTypesDetection AutomatedEventType dontSplitComponents replacement CORE5076 Using Using Java replacement domains domainl config domains domainl config replacement service jmx rmi jndi rmi 8686 jmxrmi replacement service jmx rmi jndi rmi 8686 jmxrmi replacement INFO replacement FINE replacement DEBUG repl
19. eplacement DEBUG replacement FINEST replacement FINER dataExpression 2008 1 C NIRN componentExpression WX N 2008 xN xN 251 C NL ANI EAI loadComponents components training properties exportRules rules checking properties workingDir checkingCsvGen loadEventPatterns patternsDir trainingCsvGen componentsDefinitionFile components fail properties events fail txt events fail csv From examples glassfishForumUserIssue analysis you can sim ply run bin runComponentLevelEventsDetectionChecking sh Application Level Analysis and Action Level Analysis java cp path to klfa it unimib disco lta alfa preprocessing eventTypesDetection AutomatedEventType dontSplitComponents replacement CORE5076 Using Using Java replacement domains domainl config domains domainl config replacement service jmx rmi jndi rmi 8686 jmxrmi replacement service jmx rmi jndi rmi 8686 jmxrmi replacement INFO replacement FINE replacement DEBUG replacement FINEST replacement dataExpression X N 2008 xN N NL C A AI 24 4 1 Glassfish deployment failure componentExpression 2008 1 C NL NL loadComponents components training properties exportRules rules checking properties worki
20. gine LogTraceAnalyzer separator minimizationLimit 100 applicationLevel training transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis youcan sim ply run bin runApplicationLevelInference sh 5 1 3 Failure analysis Once the failure occurs the faulty log file can be compared with the inferred models to detect anomalies To do this we have to process the faulty log file in a similar manner as in the model inference phase Figure report the required steps Raw Events Separation The command is the same as in the ModelGeneration phase except from the input and output parameters java cp path to klfa preprocessing rawEventsSeparation RegexBasedRawEventsSeparator eventStartExpression 2008 faultyLogs server fail log events fail txt 40 5 1 Model Inference and Anomaly Detection di From Mod el Inference Figure 5 1 Components involved in the failure analysis phase From examples glassfishForumUserIssue analysis you can sim ply run bin runRawEventsSeparationChecking sh Events Types Detection The command is similar as in the Model Generation phase except from the fact that we tell the tool to use the component and rules ids used in the Model Generation phase 41 Developers Guide Component Level Analysis java cp path to klfa it unimib disco lta alfa preprocessing ev
21. he application behavior In this phase the initial logs files are preprocessed with different tools in order to e have a complete event in a single line e automatically detect event types and associated parameters e detect rewriting strategies for parameters e infer a model of the log files structure Figure 3 1 shows the components involved in this phase All the compo nents must be called from command line and the user has to set parameters according to the analysis type and the log file analyzed Following sections describe the functionality of each component Tools Figure 3 1 Components involved in the model generation phase 10 3 3 Failure Analysis 3 3 Failure Analysis In this fail the logs recorded during faulty executions are preprocessed follow ing the criterion adopted in the model inference phase and then are compared with the inferred models Figure b 1 shows the components involved in this phase P d e From Model Inference Td n m Figure 3 2 Components involved in the failure analysis phase The results of this phase are a set of extended models and an anomaly file The anomaly file contains the colums described in Table 11 Tools Column name Component Anomaly Line State StateType Event Original log line Original log event To state Expected Expected incoming Description Name of the component that present this anomaly
22. ig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis you can sim ply run bin runComponentLevelInference sh Table explains the options used Action Level Analysis 38 It first applies 5 1 Model Inference and Anomaly Detection Parameters description non separator separator char used in the csv file minimizationLimit 100 do not minimize FSA ifthey have more than 100 states componentLevel do component level analysis training learn the models transformersConfig txt file with the rewriting rules defined for the different data clusters preprocessingRules txt file with the asso ciation between the different instances of rewriting strategies and the different parameters events correct csv csv file to load data from Table 5 4 LogTraceAnalyzer Component Level Analysis options 39 Developers Guide java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator splitActionLines actionLines actions correct properties minimizationLimit 100 actionLevel training transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis youcan sim ply run bin runActionLevelInference sh Application Level Analysis java cp path to klfa tools kLFAEn
23. ions used 14 4 1 Glassfish deployment failure Events Types Detection Event types detection is performed using the AutomatedEventTypesDetector tool which uses slct to detect the event types and then parses the given log to produce a final csv file in which component names events and parameters are separated in different columns The usage of the AutomatedEventTypesDetector depends on the kind of analysis you want to perform on your log file Following we list the different option we used for the distinct analysis Component Level Analysis java cp path to klfa it unimib disco lta alfa preprocessing eventTypesDetection AutomatedEventTypesDetector slctExecutablePath path to slct replacement CORE5076 Using Using Java replacement domains domainl config domains domainl config replacement service jmx rmi jndi rmi 8686 jmxrmi replacement service jmx rmi jndi rmi 8686 jmxrmi replacement INFO replacement FINE replacement DEBUG replacement FINEST replacement FINER dataExpression 12008 NI NL componentExpression 12008 x C ANT exportRules rules properties workingDir trainingCsvGen componentsDefinitionFile components training properties events correct txt events correct csv From examples glassfi
24. ip something like klfa 201010141601 zip just uncompress it in the location you prefer e g home fabrizio Pro grams klfa201010141601 Once you uncompressed it you just need to do the following commands 1 Gf using Linux or OSX make scripts executables e g chmod home fabrizio Programs klfa 201010141601 bin x 2 for any OS set the environment variable HOME to point to the folder where you installed klfa e g home f abrizio Programs klfa 201010141601 If you are using Linux or OSX with the BASH shell you could add the following line to file bashrc change the path according to your path export KLFA HOME home fabrizio Programs klfa 201010141601 3 for any OS add the bin folder in KLFA HOME to the PATH environ ment variable If you are using Linux or OSX with the BASH shell you could add the following line to file bashrc change the path according to your path export PATH SPATH home fabrizio Programs klfa 201010141601 bin Installing and Compiling KLFA You can check if the previous command succeeded by running the follow ing command and checking that you have an output similar to the one re ported below which klfaCsvAnalysis sh home fabrizio Programs klfa 201010141601 bin klfaCsvAnalysis sh Check if klfa is correctly installed by running klfaCsvAnalysis sh The command will output klfa command help Like in the following para graph This program builds model
25. nce target system W 2 f T monitoring models LAN M log automated gt 7 m del analysis tester inference suspicious lt gt sequences i models Figure 1 1 Automated log analysis Introduction 1 Event 1 log for each Detection component level analysis i log file qus 1 event o cpu gt detected erline Clustering PS Too event types mappings litt 1 annotated action level event component pelle log file analysis and event actions log file 1 Rule per line logs gt Matcher log file log file 1 event eC ELM er line application level analysis sm per ino 274 8 he ee 1210 i3 Model _ Data iti Data log file ReWriting Se Analysis clustered l log file strategy events Inference with data f gt L Engine flow info 4 aia Nd 7 2 Data Transformation re rere S La gt toll Legend n models sw module dad log file Figure 1 2 Model generation Chapter 2 Installing and Compiling KLFA 2 1 Installing a compiled version of KLFA If you received the KLFA compiled distribution z
26. ngDir checkingCsvGen EventPatterns patternsDir trainingCsvGen load componentsDefinitionFile components fail properties events fail txt events fail csv From examples glassfishForumUserIssue analysis you can sim ply run bin runApplicationtLevelEventsDetectionChecking sh or bin run ActionLevelEventsDetectionChecking sh Comparison against the models Comparison against the model is done calling the LogTraceAnalyzer tool and giving the analysis type used in the model generation phase and specifying that we are now doing the comparison Component Level Analysis java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 componentLevel checking transformersConfig txt preprocessingRules txt events fail csv From examples glassfishForumUserIssue analysis you can sim ply run bin runComponentLevelAnomalyDetection sh Action Level Analysis java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 actionLevel checking transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis you can sim ply run bin runActionLevelAnomalyDetection sh Application Level Analysis 25 Examples java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 applicationLevel checking
27. of an hashcode as an anomalous event can have two mean ings the specific event was never seen in the correct logs analyzed or the event was present in the logs analyzed but its was present very few time and it was not considered an event type by default this happens when an event occurs just once In the first case it can be an exceptional event that appear as a consequence of a failure or it can be a false positive caused by event regexp that do not generalize enough the data This should happen if in the correct log files we have events in which a parameter remains constant over all their occurrences in this case the parameter will be considered by slct as part of the event regex and in case the value change in the faulty execu tion because of environmental reasons e g domain of a web server it will be detected as an anomaly which may be not related to the experienced failure pay attention it should also be the case in which in the correct execution the system was behaving correctly because of this constant value In this case to further inspect the anomalous event we need to take a look at the faulty log file events fail txt in line 24 we see that there is an exception which is related with the failure And that exception was never seen in the correct log files search for 289331648 in the correct log Anomaly 6 Anomaly 6 occur at line 25 the event 17 811928006 was unexpected As in the previous case the hashcode id was generate bec
28. onfig domains domainl config replacement 36 5 1 Model Inference and Anomaly Detection service jmx rmi jndi rmi x 8686 jmxrmi replacement service jmx rmi jndi rmi x 8686 jmxrmi replacement N INEOX replacement FINE replacement X DEBUGVX replacement FINEST replacement FINER dataExpression 12008 NI NL componentExpression 12008 C xA AAI exportRules rules properties workingDir trainingCsvGen componentsDefinitionFile components training properties events correct txt events correct csv From examples glassfishForumUserIssue analysis you can sim ply run bin runActionLevelEventsDetectionTraining sh As you can see for both Application and Action Level Analysis the options are the same of the Component Level Analysis except from the additional dontSplitComponents This happens because the log file format is the same so the parsing options d not change the only difference is in the way events are detected in this case we do not need to detect events for components separately Transformation Rules Generation The next step is the automatic detection of the rewriting strategies to be used with the engine This is achieved by running TransformationRulesGenerator java cp path to klfa it unimib disco lta alfa parametersAnalysis TransformationR
29. ove replacement same as above dataExpression 2008 tell the system where is positioned the use ful event information using regex grouping componentExpression 2008 17 Examples lt 8 tell the system where the component name is positioned in the log line using regex grouping exportRules rules properties export the patterns detected by slct to file rules properties in the current dir workingDir trainingCsvGen generate component files in trainingCsv Gen dir componentsDefinitionFile com save components ponents training properties ids to file compo nents training properties events correct txt original log file the one that we generated in the previous step events correct csv teh destination file Application Level Analysis and Action Level Analysis java cp path to klfa it unimib disco lta alfa preprocessing eventTypesDetection AutomatedEventTypesDetector dontSplitComponents replacement CORE5076 Using Using Java replacement x domains domainl config domains domainl config replacement 18 4 1 Glassfish deployment failure service jmx rmi jndi rmi x 8686 jmxrmi replacement service jmx rmi jndi rmi x 8686 jmxrmi replacement N INEOX replacement FINE replac
30. pesDetector you can generates transformation rules by running 19 Examples Parameters description patterns rules properties load events regex from file rules properties signatureElements 0 1 do not threat columns 0 and 1 as parameters events correct csv name of the csv file to analyze Table 4 3 TransformationRulesgenerator options java cp path to klfa it unimib disco lta alfa parametersAnalysis TransformationRulesGenerator signatureElements 0 1 events correct csv Table explains the options used Inference of the models Model inference is done using the LogTraceAnalyzer tool the data transformation rules detected by the TransformationRulesGenera tor Then it builds models using the kBehavior inference engine The analysis type is selected by the user providing the corresponding pa rameters to the LogTraceAnalyzer In the following paragraphs we explain how to do the different analysis Component Level Analysis java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 componentLevel training transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis you can sim ply run bin runComponentLevelInference sh Table explains the options used Action Level Analysis 20 It first applies 4 1 Glassfish deployment failure
31. ple can be found in folder examples glassfishForumUserIssue 5 1 1 Monitoring In the monitoring phase we collected log files produced by Glassfish while it is performing different functionalities start up shutdown web application deploy and response to web application requests The log files are recorded with the default verbosity Log files are stored in the folder examples glassfishForumUserIssue correctLogs 31 Developers Guide Parameters description eventsStartExpression indicate that log mes sages start with correctLogs server log expand to all the correct log files events correct txt Table 5 1 RegexBasedRawEventsSeparator parameters 5 1 2 Model Generation In the model generation phase we preprocess the original log files in order to generate a model of the correct log file format Raw Events Separation Glassfish record logs in the Uniform Log Format Logging messages witten in this format start with and end with 1 and can span over different lines For this reason we need to preprocess the original log files in order to obtain a file in which each log message is recorded in a line In order to do this we descend into folder examples glassfishForumUserIssue analysis and run RegexBasedRaw EventsSeparator with the following command all in a line java cp path to klfa preprocessing rawEventsSeparation RegexBasedR
32. s of the application behavior by analyzing a trace file The trace file must be a collection of lines each one in the format COMPONENT EVENT PARAMETER Multiple traces can be defined in a file to Separate a trace from another put a line with the symbol Usage it unimib disco lta alfa klfa LogTraceAnalyzer options lt analysisType gt phas valueTranformersConfigFile preprocessingRules traceFile KLFA includes several programs and utilities described in the following Sections The most common utilities can be run by using the shell scripts in KLFA HOME bin We suggest to go through the examples in folder KLFA_HOME examples to understand how to use KLFA Some examples are described in Chapter others are described in the file R folder EADM E txt that you find in each example 2 2 Compiling KLFA from a source distribution If you received a source distribution zip of klfa something like klfa src 201010141601 zip uncompress it in the location you prefer e g home fabrizio Programs klfa src 201010141601 In order to compile an installable version of klfa from sources run the following command within the folder where you uncompressed klfa 2 3 Compiling KLFA from CVS ant distribution you could do cd home fabrizio Programs klfa src 201010141601 ant distribution The command will create the KLFA dis
33. shForumUserIssue analysis you can sim ply run bin runComponentLevelEventsDetectionTraining sh Table 5 2 explains the parameters used 15 Examples Table 4 2 AutomatedEventsDetector parameters Parameters description SlctExecutablePath path to slct path to the slct exe cutable replacement CORE5076 ing Using Java Us replaces all messages of this type with a default message this message generate a false positive which is caused by different versions of VM used so we removed info about the VM replacement domains do main l config domains do main1 config remove the part of the path that generate a false positive replacement ser vice jmx rmi jndi rmi 8686 jm remove this informa xtmmn because the path is system dependant and we do not have enough tests to permit to slct to understand that this is a parame ter replacement ser vice jmx rmi jndi rmi 8686 jm same as above xrmi replacement IDEBUG 16 4 1 Glassfish deployment failure remove information about the logging granularity It does not introduce false positives just make events regular expres sions less readable replacement FINE same as above replacement FINER same as above replacement FINEST same as ab
34. singRules txt events correct csv From examples glassfishForumUserIssue analysis you can sim ply run bin runActionLevelAnomalyDetection sh Application Level Analysis 43 Developers Guide java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 applicationLevel checking transformersConfig txt preprocessingRules txt events correct csv From examples glassfishForumUserIssue analysis you sim ply run bin runApplicationLevelAnomalyDetection sh Anomalies interpretation In the model comparison phase the tool detects the anomalies present in the faulty log files and report them to the user by saving them in the file klfaoutput anomalies csv The last phase of the technique involves actively the user who has to in spect the reported anomalies and use them as a guide to inspect correct and faulty files to detect the problem Table shows the anomalies detected by the tool in the given case study We imported the csv file produced by the tool anomalies csv and sorted the items according to the column Original Event Line In the next paragraphs we are going to interpret them to give an exhaustive explanation of the problem 44 5 1 Model Inference and Anomaly Detection queuod W00 MON ec 200 8 8990879 68004 6 Lc 8 89468 01 6 Surnsixq orb 9 reL 8 900806118 E0004 LT
35. tion deploy and response to web application requests The log files are recorded with the default verbosity Log files are stored in the folder examples glassfishForumUserIssue correctLogs 13 Examples Parameters description eventsStartExpression indicate that log mes sages start with correctLogs server log expand to all the correct log files events correct txt Table 4 1 RegexBasedRawEventsSeparator parameters 4 1 2 Model Generation In the model generation phase we preprocess the original log files in order to generate a model of the correct log file format Raw Events Separation Glassfish record logs in the Uniform Log Format Logging messages witten in this format start with and end with 1 and can span over different lines For this reason we need to preprocess the original log files in order to obtain a file in which each log message is recorded in a line In order to do this we descend into folder examples glassfishForumUserIssue analysis and run RegexBasedRaw EventsSeparator with the following command all in a line java cp path to klfa preprocessing rawEventsSeparation RegexBasedRawEventsSeparator eventStartExpression 2008 correctLogs server logx events correct txt From examples glassfishForumUserIssue analysis youcan sim ply run bin runRawEventsSeparation Traning sh Table explains the opt
36. tribution zip in the dist folder e g home fabrizio Programs klfa src 201010141601 dist klfa 201010141601 zip After creating the distribution zip you can follow the commands described in Section 2 3 Compiling KLFA from CVS In order to install the head version of klfa stored on the UniMiB CVS reposi tory you need to download the following CVS modules e LogFileAnalysis LFA e BCT you need to download the TPTPIntegration branch LogFileAnalysis LFA is klfa BCT provides the libraries to infer automata The first step is the compilation of klfa dependencies To do so run ant buildDependencies The command will create the library bct jar in folder lib Next step is to run the command ant distribution This command builds the klfa distribution zip Follow the instructions described in Section to install klfa Other klfa ant compilation options are described by the build xml help To see the other compilation options just run ant Chapter 3 Tools 3 Monitoring In the monitoring phase the user is supposed to collect log files relative to correct system executions These log files can be collected at testing time during functional system tests or during correct runs of the system We do not provide any logging tool because the system can work with any of the existing logging systems 3 2 Model Generation In this phase the log files collected are analyzed by the system to derive a model that generalizes t
37. ulesGenerator patterns rules properties signatureElements 0 1 events correct csv From examples glassfishForumUserIssue analysis youcan sim ply run bin runTransformationRulesGeneration sh If you already had a CSV file and for this reason you did not run Event TypesDetector you can generates transformation rules by running 37 Developers Guide Parameters description patterns rules properties load events regex from file rules properties signatureElements 0 1 do not threat columns 0 and 1 as parameters events correct csv name of the csv file to analyze Table 5 3 TransformationRulesgenerator options java cp path to klfa it unimib disco lta alfa parametersAnalysis TransformationRulesGenerator signatureElements 0 1 events correct csv Table explains the options used Inference of the models Model inference is done using the LogTraceAnalyzer tool the data transformation rules detected by the TransformationRulesGenera tor Then it builds models using the kBehavior inference engine The analysis type is selected by the user providing the corresponding pa rameters to the LogTraceAnalyzer In the following paragraphs we explain how to do the different analysis Component Level Analysis java cp path to klfa tools kLFAEngine LogTraceAnalyzer separator minimizationLimit 100 componentLevel training transformersConf

KLFA USER MANUAL

Contents

Download Pdf Manuals

Related Search

Related Contents