syslog processing for switch failure diagnosis and
play

Syslog Processing for Switch Failure Diagnosis and Prediction in - PowerPoint PPT Presentation

Dec 20, 2022 •182 likes •645 views

Syslog Processing for Switch Failure Diagnosis and Prediction in Datacenter Networks Shenglin Zhang, Weibin Meng, Jiahao Bu, Sen Yang Dan Pei, Ying Liu, Jun (Jim) Xu, Yu Chen, Hui Dong, Xianping Qu, Lei Song 9/21/2017 IWQOS 2017 1 Network

  1. Syslog Processing for Switch Failure Diagnosis and Prediction in Datacenter Networks Shenglin Zhang, Weibin Meng, Jiahao Bu, Sen Yang Dan Pei, Ying Liu, Jun (Jim) Xu, Yu Chen, Hui Dong, Xianping Qu, Lei Song 9/21/2017 IWQOS 2017 1

  2. Network Devices in Data Center Networks Inter-DC Network Core Core IDPS IDPS Router Firewall Firewall Access L3 Router VPN VPN Load Load Aggregation Switch balancer balancer L2 ToR Switch Server 9/21/2017 IWQOS 2017 2

  3. Network Devices in Data Center Networks Inter-DC Network • Switch Core Core IDPS IDPS • Top-of-rack switch Router • Aggregation switch Firewall Firewall Access • Router L3 Router VPN VPN • Access router Load Load Aggregation • Core router Switch balancer balancer • Middle box L2 ToR • Firewall Switch • Intrusion detection and prevention system (IDPS) • Load balancer • VPN Server 9/21/2017 IWQOS 2017 3

  4. Network Devices in Data Center Networks Inter-DC Network • Switch Core Core IDPS IDPS • Top-of-rack switch Router • Aggregation switch Firewall Firewall Access • Router L3 Router VPN VPN • Access router Load Load Aggregation • Core router Switch balancer balancer • Middle box L2 ToR • Firewall Switch • Intrusion detection and prevention system (IDPS) • Load balancer • VPN Server 9/21/2017 IWQOS 2017 4

  5. Scale of Network Devices in Datacenter • Hundreds of thousands to millions of servers Microsoft (C. Guo, et al., • Hundreds of thousands of switches SIGCOMM’15) • Millions of cables and fibers 9/21/2017 IWQOS 2017 5

  6. Scale of Network Devices in Datacenter • Hundreds of thousands to millions of servers Microsoft (C. Guo, et al., • Hundreds of thousands of switches SIGCOMM’15) • Millions of cables and fibers • Hundreds of thousands of servers Baidu • Tens of thousands of switches 9/21/2017 IWQOS 2017 6

  7. Scale of Network Devices in Datacenter • Hundreds of thousands to millions of servers Microsoft (C. Guo, et al., • Hundreds of thousands of switches SIGCOMM’15) • Millions of cables and fibers • Hundreds of thousands of servers Baidu • Tens of thousands of switches Swich failures are the norm rather than the • More than 400 switch failures per year exception (P. Gill, et al., SIGCOMM’11) 9/21/2017 IWQOS 2017 7

  8. Switch Failures Lead to Outages • A Cisco switch failure at the datacenter of Hosting.com • Affected a number of services including AWS for 1.5 hours 8

  9. Switch Failures Lead to Outages • A Cisco switch failure at the datacenter of Hosting.com • Affected a number of services including AWS for 1.5 hours • The datacenter network went dark after a switch failure • Almost every executive branch agency are affected for a few hours 9

  10. Switch Failure Diagnosis and Proactive Detection Frameworks Based on analyzing • SyslogDigest (IMC 2010) syslogs • Spatio-temporal Factorization (INFOCOM 2014) • Proactive Failure Detection (CNSM 2015) 9/21/2017 IWQOS 2017 10

  11. Syslog Structure Switch Message Message Detailed message ID timestamp type Jun 12 Interface te-1/1/59, changed state to Switch 1 19:03:03 SIF down 2014 Jul 15 Neighbour(rid:10.231.0.43, Switch 2 11:05:07 OSPF addr:10.231.39.61) on vlan23, changed 2015 state from Exchange to Loading Jan 12 SFP te-1/1/33 is plugged in, vendor: %%SLOT Switch 3 21:03:01 BROCADE, serial number: 2016 AAA210383148232 11

  12. The detailed message field Describe events occurring on switches • Interface up/down • Plug in/out of slot • DDoS attack • Operator log in/out Important to failure diagnosis and proactive detection Extracting events from the detailed message field • Pre-processing for failure diagnosis • Pre-processing for proactive failure detection 12

  13. Syslog M essages Under the Type “SIF” 1. Interface ae3, changed state to down 2. Vlan-interface vlan22, changed state to down 3. Interface ae3, changed state to up 4. Vlan-interface vlan22, changed state to up 5. Interface ae1, changed state to down 6. Vlan-interface vlan20, changed state to down 7. Interface ae1, changed state to up 8. Vlan-interface vlan20, changed state to up 13

  14. Syslog M essages Under the Type “SIF” Before A Failure 1. Interface *, changed state to down 2. Vlan-interface *, changed state to down 3. Interface *, changed state to up 4. Vlan-interface *, changed state to up Common practice for syslog pre-processing: Extracting templates from syslog messages Matching syslog messages to templates 14

  15. Syslog M essages Under the Type “SIF” Before A Failure 1. Interface *, changed state to down A template is a 2. Vlan-interface *, changed state to down combination of 3. Interface *, changed state to up words with high frequency 4. Vlan-interface *, changed state to up Common practice for syslog pre-processing: Extracting templates from syslog messages Matching syslog messages to templates 15

  16. Outline • Background and Motivation • Challenges • Key Ideas • Results • Conclusion 9/21/2017 CoNEXT 2015 16

  17. Challenges Huge amount of syslog Diverse types of messages syslog messages • Tens of millions everyday • Operator log in/out Unstructured • Long period of historical data for • Interface up/down texts training (two years) • Plug in/out of slot 17

  18. Challenges Huge amount of syslog Diverse types of messages syslog messages • Tens of millions everyday • Operator log in/out Unstructured • Long period of historical data for • Interface up/down texts training (two years) • Plug in/out of slot 18

  19. Templates should be updated periodically New kinds of syslog messages Failure diagnosis and Templates • Due to software or prediction should be firmware upgrades • Based on templates updated • Cannot be matched to • Periodically retrained periodically any existing template to keep up-to-date • New templates should be extracted 9/21/2017 IWQOS 2017 19

  20. Incrementally re-trainable Not incrementally re-trainable Template extraction method Computationally Incrementally efficient re-trainable Template extraction method 9/21/2017 IWQOS 2017 20

  21. Existing template extraction methods Method Conference Merits Drawbacks Not incrementally Signature Tree IMC 10 Accurate re-trainable Inaccurate and STE INFOCOM 14 None not incrementally re-trainable Learn LogSimilarity CNSM 15 Inaccurate incrementally 21

  22. Our goal Method Conference Merits Drawbacks Not incrementally Signature Tree IMC 10 Accurate re-trainable Accurate, incrementally re-trainable, efficient Inaccurate and template extraction method STE INFOCOM 14 None not incrementally re-trainable Learn LogSimilarity CNSM 15 Inaccurate incrementally 22

  23. Outline • Background and Motivation • Challenges • Key Ideas • Results • Conclusion 9/21/2017 CoNEXT 2015 23

  24. Construct FT-tree • Support: if a word W appears in some message, (the support of W) ++ 24

  25. Construct FT-tree • Support: if a word W appears in some message, (the support of W) ++ • Scan all the messages, order all of the words into a map M in the descending order of support 25

  26. Construct FT-tree • Support: if a word W appears in some message, (the support of W) ++ • Scan all the messages, order all of the words into a map M in the descending order of support Words Support “changed”, “state”, “to” 8 M “Interface”, “ Vlan- interface”, “up”, “down” 4 “vlan20”, “vlan22”, “ae1”, “ae3” 2 26

  27. Construct FT-tree • Order words in each message in the descending order of support • Interface ae3, changed state to down ➢ V1 = {“changed”, “state”, “to”, “Interface”, “down”, “ae3”} • Vlan-interface vlan22, changed state to down ➢ V2 = {“changed”, “state”, “to”, “ Vlan- interface”, “down”, “vlan22”} • Interface ae3, changed state to up ➢ V3 = {“changed”, “state”, “to”, “Interface”, “up”, “ae3” } • Vlan-interface vlan22, changed state to up ➢ V4 = {“changed”, “state”, “to”, “ Vlan- interface”, “up”, “vlan22”} • … Words Support “changed”, “state”, “to” 8 M “Interface”, “ Vlan- interface”, “up”, “down” 4 “vlan20”, “vlan22”, “ae1”, “ae3” 2 27

  28. Construct FT-tree SIF 28

  29. Construct FT-tree SIF changed V1 = {“changed”, “state”, “to”, State “Interface”, “down”, “ae3”} SIF to Interface down ae3 29

  30. Construct FT-tree SIF SIF changed changed V2 = {“changed”, “state”, V1 = {“changed”, “state”, “to”, “to”, “ Vlan- interface”, State State “Interface”, “down”, “ae3”} “down”, “vlan22”} SIF to to Interface Interface Vlan-interface down down down vlan22 ae3 ae3 30

  31. Construct FT-tree SIF V3 = {“changed”, “state”, changed “to”, “Interface”, “up”, State “ae3” } to Interface Vlan-interface down up down ae3 vlan22 ae3 31

  32. Construct FT-tree SIF SIF V3 = {“changed”, “state”, changed changed “to”, “Interface”, “up”, State State “ae3” } … to to Interface Vlan-interface Interface Vlan-interface down down up up up down down ae3 vlan22 ae3 ae1 vlan22 vlan20 vlan22 vlan20 ae3 ae3 ae1 32

Recommend

Outline Chronic Heart Failure: Diagnosis and Staging Effective Diagnosis, Diastolic Heart

Outline Chronic Heart Failure: Diagnosis and Staging Effective Diagnosis, Diastolic Heart

Outline Chronic Heart Failure: Diagnosis and Staging Effective Diagnosis, Diastolic Heart Failure Treatment and Monitoring Systolic Heart Failure Medications Devices and End-Stage Heart Failure Michael G. Shlipak, MD, MPH

377 views • 14 slides
Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng

520 views • 30 slides
Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that

900 views • 15 slides
Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that stores the

211 views • 19 slides
Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon rgerhards@hq.adiscon.com 2004-02-24 Status around November 2003 RFC 3164, 3195, syslog-sign and -international each specify message format, transport specifics

511 views • 23 slides
DIAGNOSIS AND MANAGEMENT OF ACUTE HEART FAILURE Mefri Yanni, MD Bagian Kardiologi dan Kedokteran

DIAGNOSIS AND MANAGEMENT OF ACUTE HEART FAILURE Mefri Yanni, MD Bagian Kardiologi dan Kedokteran

DIAGNOSIS AND MANAGEMENT OF ACUTE HEART FAILURE Mefri Yanni, MD Bagian Kardiologi dan Kedokteran Vaskular RS.DR.M.Djamil Padang The 3rd Symcard Padang, Mei 2013 Outline Diagnosis Diagnosis Diagnosis Treatment options Therapeutic

704 views • 32 slides
2016 ESC Guidelines for the Diagnosis and treatment of on Acute & Chronic Heart Failure

2016 ESC Guidelines for the Diagnosis and treatment of on Acute & Chronic Heart Failure

2016 ESC Guidelines for the Diagnosis and treatment of on Acute & Chronic Heart Failure Acute heart failure: Management of the early phase John Parissis, MD Heart Failure Unit Attikon University Hospital Athens, Greece 2 Disclosures

544 views • 29 slides
Outline Chronic Heart Failure: Diagnosis and Staging Update on Effective Diastolic Heart

Outline Chronic Heart Failure: Diagnosis and Staging Update on Effective Diastolic Heart

Outline Chronic Heart Failure: Diagnosis and Staging Update on Effective Diastolic Heart Failure Monitoring and Treatment Systolic Heart Failure Medications Devices and End-Stage Heart Failure Michael G. Shlipak, MD, MPH

335 views • 14 slides
Chronic Outline Congestive ^ Heart Failure: Diagnosis and Staging Update on Effective

Chronic Outline Congestive ^ Heart Failure: Diagnosis and Staging Update on Effective

Chronic Outline Congestive ^ Heart Failure: Diagnosis and Staging Update on Effective Diastolic Heart Failure Monitoring and Treatment ACE Inhibitors, ARBs, and Beta Blockers Other Systolic Heart Failure Medications Michael G.

448 views • 13 slides
Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support,

1.22k views • 100 slides
Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng originally

906 views • 35 slides
2016 ESC Guidelines for the Diagnosis and treatment of Acute & Chronic Heart Failure AHF -

2016 ESC Guidelines for the Diagnosis and treatment of Acute & Chronic Heart Failure AHF -

2016 ESC Guidelines for the Diagnosis and treatment of Acute & Chronic Heart Failure AHF - Initial phase in the emergency department: diagnosis and management Hctor Bueno, MD, PhD, FESC, FAHA Department of Cardiology & instituto de

525 views • 24 slides
EFFECT OF SWITCH FAILURE ON THE PERFORMANCE OF A SELF- STRUCTURING ANTENNA B. T. Perry*, C.M.

EFFECT OF SWITCH FAILURE ON THE PERFORMANCE OF A SELF- STRUCTURING ANTENNA B. T. Perry*, C.M.

EFFECT OF SWITCH FAILURE ON THE PERFORMANCE OF A SELF- STRUCTURING ANTENNA B. T. Perry*, C.M. Cole- J. E. Ross L.L. Nagy man E. J. Rothwell, and John Ross & Associates MC 483-478-105 L.C. Kempel 350 West 800 North Delphi Research Labs

453 views • 30 slides
PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure

PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure

PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure mortality remains unacceptably high. 30-40% of patients die within the first year of diagnosis(Cowie et al, 2000; Hobbs et al, 2007). 1 year

381 views • 17 slides
NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner

NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner

NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner wagner@tik.ee.ethz.ch Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich) Talk Outline The DDoSVax Project The SWITCH Network

249 views • 23 slides
GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Evangelist at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy

548 views • 36 slides
SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Community Manager at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy Balabit is an

289 views • 18 slides
With Heart Failure Diagnosis and Management of Amyloid Associated HF Jonathan Howlett Libin

With Heart Failure Diagnosis and Management of Amyloid Associated HF Jonathan Howlett Libin

Novel Treatment Strategies for Patients With Heart Failure Diagnosis and Management of Amyloid Associated HF Jonathan Howlett Libin Cardiovascular Institute Comparison of Subtypes of Amyloid Cardiomyopathy Amyloid Type Systemic Amyloidosis

456 views • 6 slides
Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web

Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web

Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web Applications Diploma Thesis Presentation Nina S. Marwede Abteilung Software Engineering Fakultt II Department fr Informatik August 26, 2008

654 views • 41 slides
Failure Sketching: A Technique for Automated Root Cause Diagnosis of In-Production Failures

Failure Sketching: A Technique for Automated Root Cause Diagnosis of In-Production Failures

Failure Sketching: A Technique for Automated Root Cause Diagnosis of In-Production Failures Baris Kasikci, Benjamin Schubert, Cristiano Pereira, Gilles Pokam, George Candea Debugging In-Production Software Failures Today 2 Debugging

937 views • 93 slides
Sleep Apnea and Congestive Heart Failure, Diagnosis and Management Rami Kahwash, MD Orlando,

Sleep Apnea and Congestive Heart Failure, Diagnosis and Management Rami Kahwash, MD Orlando,

Sleep Apnea and Congestive Heart Failure, Diagnosis and Management Rami Kahwash, MD Orlando, Florida October 7-9, 2011 Presentation Outline Overview of sleep disordered-breathing (SDB) Pathophysiology of the cardiovascular

729 views • 33 slides
ESC Guidelines for the Diagnosis and Treatm ent of Acute and Chronic Heart Failure Patients

ESC Guidelines for the Diagnosis and Treatm ent of Acute and Chronic Heart Failure Patients

ESC Guidelines for the Diagnosis and Treatm ent of Acute and Chronic Heart Failure Patients with acute heart failure P ti t ith t h t f il frequently develop chronic heart failure Patients with chronic heart failure Patients

738 views • 71 slides
Lithium processing in stars Lithium processing in stars Diagnosis for stellar structure and

Lithium processing in stars Lithium processing in stars Diagnosis for stellar structure and

Lithium processing in stars Lithium processing in stars Diagnosis for stellar structure and evolution Diagnosis for stellar structure and evolution Corinne Charbonnel Corinne Charbonnel Geneva Observatory (Switzerland) & CNRS (France)

1.54k views • 48 slides
2016 ESC Guidelines for the Diagnosis and Treatment of on Acute & Chronic Heart Failure

2016 ESC Guidelines for the Diagnosis and Treatment of on Acute & Chronic Heart Failure

2016 ESC Guidelines for the Diagnosis and Treatment of on Acute & Chronic Heart Failure The importance of Stefan D. Anker, MD, PhD Gttingen / Germany Co-morbidities www.escardio.org/guidelines Co-morbidities to consider in HF &

772 views • 23 slides

More recommend