| CPC G06F 9/3005 (2013.01) [G06F 9/3017 (2013.01); G06F 9/542 (2013.01); G06F 16/1734 (2019.01); G06F 40/205 (2020.01)] | 22 Claims |
|
1. A system comprising:
a memory; and
one or more processing devices coupled to the memory, the one or more processing devices to:
analyze program code, including a control flow graph, of one or more applications executable by an operating system of a computing device to determine event-logging functions of the program code that generate event logs;
extract log message strings from the program code that describe event-logging statements associated with the event-logging functions;
generate regular expressions from the log message strings, the regular expressions comprising a template format of the log message strings that replace format specifiers with runtime-dependent arguments;
identify, via control flow analysis, a plurality of possible control flow paths of the log message strings through the control flow graph;
generate, during runtime execution of the program code on the computing device, a universal log file from a combination of system logs and process-specific event log messages of the one or more applications;
identify, via parsing the universal log file, log entries that most closely match one or more of the regular expressions of the log message strings, to identify matching log message string (LMS) entries; and
add the matching LMS entries, using a process-specific identifier of each matching LMS entry, as vertices to a universal provenance graph that associates the matching LMS entries with the system logs consistent with the plurality of possible control flow paths of the log message strings.
|