5 Property Monitoring
The final goal of the audit-trace analysis is to be able to monitor properties
determining the correct behaviour of the system, be it in real time through analysis
of trace events, or offline, through the analysis of audit-log batches. Online and
offline analysis require a way to aggregate data and to specify rigidly what should
be checked. These requirements resulted in tools allowing the user to describe
inter-log-file relations and merge live traces originating across a cluster of nodes.
Work on developing a monitoring tool for offline analysis was concentrated on
a prototype that automatically analyses a set of log files, given a description of
what constitutes the key and what is the interesting value. This simple analysis
will track a session ID through several separate log files, or track a single request
by focusing on a request ID. Events are either sorted by appearance in the
log files or by their timestamps. The sequences are presented graphically using
the graphviz visualization package. The prototype is also able to check sessions
against a specification (represented as a state machine).
In audit trails used for offline analysis, the content and format of the audit
logs are usually defined by developers. In online analysis, however, there is a de
facto standard defined by a set of live tracing tools. These tools are based on the
Erlang trace BIFs, and support different tracing scenarios. However, we found
that for tracing of multi-node environments, no tool offered the combination
of user-friendliness and power that we needed. We developed to close that gap
in the OTP trace tool suite. The next step is to examine the aggregated traces
with the analysis tools built for the offline tracing tool, merging offline and online
tracing analysis.
The current versions of the tools show there is a need to design audit trails
which facilitate the definition of properties to be verified. Our research has used a
simple example of an SMS Log System to design the criteria and standards needed
to provide a testing basis, not only for our tools, but for any valid audit trail.
5.1 Exago, the Offline Monitoring Tool
Exago is an offline monitoring tool that allows property monitoring via audit log
file analysis. The applicability of the tool is independent of the implementation
language of the target system; it places requirements only on the syntax and semantics
of the log files.
Exago's approach is to parse the log files, creating abstract representations of
the live events over a predefined time interval, and re-evaluate them against a
model of the system. If these abstract commands are accepted by the model, the
system behaves as expected. If they are not accepted, Exago reveals the system
anomalies in the information provided in the audit trails.
To use Exago, the relevant information of the events should be identified in
each log file:
- The timestamp of the event
- The identifier of the session the event belongs to
- An abstract value which describes the type and the details of the event
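The following is an added illustration of the approach just described, not Exago's own code: the three pieces of information are extracted from several constructed log files, merged per session by timestamp, and each session is replayed against a state-machine model of an SMS-style system (the log format, the `sid=` field, and the model's states and events are assumptions made for the example).

```python
import re
from collections import defaultdict

# Constructed sample audit logs from two components of an SMS-style system.
GATEWAY_LOG = """2010-06-01T10:00:01 sid=A1 recv_sms
2010-06-01T10:00:05 sid=B2 recv_sms
2010-06-01T10:00:09 sid=B2 recv_sms
"""
DELIVERY_LOG = """2010-06-01T10:00:02 sid=A1 route
2010-06-01T10:00:03 sid=A1 deliver
2010-06-01T10:00:07 sid=B2 deliver
"""
# Per-file description of where the three pieces of information sit:
# timestamp, session identifier, abstract event value.
LINE_RE = re.compile(r"^(\S+) sid=(\w+) (\w+)$")

# Model of correct behaviour as a state machine: (state, event) -> next state.
MODEL = {
    ("init", "recv_sms"): "received",
    ("received", "route"): "routed",
    ("routed", "deliver"): "done",
}

def parse(text):
    """Yield (timestamp, session_id, abstract_event) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def merge_sessions(*logs):
    """Group events from all log files by session, ordered by timestamp."""
    sessions = defaultdict(list)
    for log in logs:
        for ts, sid, ev in parse(log):
            sessions[sid].append((ts, ev))
    return {sid: [ev for _, ev in sorted(evs)] for sid, evs in sessions.items()}

def check_session(events, model=MODEL, start="init", accept=("done",)):
    """Replay a session against the model; None if accepted, else the anomaly."""
    state = start
    for ev in events:
        nxt = model.get((state, ev))
        if nxt is None:
            return f"unexpected {ev!r} in state {state!r}"
        state = nxt
    return None if state in accept else f"ended in non-accepting state {state!r}"

def find_anomalies(*logs):
    """Return {session_id: anomaly} for every session the model rejects."""
    return {sid: a for sid, evs in merge_sessions(*logs).items()
            if (a := check_session(evs)) is not None}
```

Session A1 is accepted by the model, while session B2 is reported because a `deliver` event appears before any `route` event.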