JPH09204340A - Multi-volume audit trace for fault tolerant computer - Google Patents

Abstract

PROBLEM TO BE SOLVED: To utilize a stored audit trace file for restoring on-line by enabling an audit trail constitution control processor to control the generation, renaming and erasing of the audit trace file on an audit trace disk storage device. SOLUTION: Both of a data disk processor 200 and the audit trace constitution control processor 220 generate an audit record so as to allow restoration to a consistent state in case of a fault. Primary and backup ADP controls the access of a disk volume storing the audit trace file. Primary ADP is normally provided with the control of disk access but in case of a fault, it is replaced with backup. In order to allow this taking over, primary ADP sends a periodical check point to the backup including all disk state information necessary for smooth taking over. These processings mutually work by exchanging messages through a messaging system 222.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to fault tolerant computer systems, and more particularly to techniques for recording changes to a database to allow consistent recovery of the database in the event of a failure.

[0002]

The basis for the design of fault tolerant computer systems is a program construct called a transaction. A transaction is a delimited set of operations or a set of related operations that changes the contents of a database from one consistent state to another. Database operations within a transaction are treated as a single unit. Either all the changes made by the transaction are made permanent (the transaction is processed) or the changes are not made immutable (the transaction is aborted). If a failure occurs during the execution of a transaction, any partial changes made to the database are automatically undone, leaving the database in a consistent state. Information about a database row or record affected by a transaction is written to the so-called audit trail before the transaction immutably processes its changes to the database. At the conceptual stage, the audit trail can be thought of as a provenance of changes to the database. The audit trail consists of a series of files whose records describe changes to the database. Audit trail records generally consist of pre-update and post-update images of modified database records (or physical pages). The pre-update image allows the database system to undo incomplete changes that occur when an application program stops or fails to terminate due to a system failure. In the post-update image, the database system can recover from a media failure by restoring an old (possibly inconsistent) copy of the database file and making the previous changes again. Other terms for audit trails containing this information include audit logs, or journals.

Generally, the series of files that make up the audit trail are physically stored on a single disk volume. When the continuous audit trail file on the disk volume is full, the archiving process transports the continuous audit trail file to tape, and the file becomes available for storing newly created records.

[0004]

This approach to physical storage of audit trail files has many disadvantages. The process storing the newly generated audit record must compete with the previously satisfied audit file archiving for disk access. This contention can effectively limit the acceptable rate of audit generation and ultimately transaction processing speed. Although the availability of tape to archive old audit records removes any restrictions on the total amount of storage available, saved audit trail files are not available for online recovery. Online recovery is limited to audit records stored on a single disk volume. One partial solution to the disk contention problem is
Its contents are provided here as a reference, J. Gray et
al., “Transaction Processing Con-cepts and Techn
iques ", Morgan Kauffman, 1993. The technique of Gray et al., presented in section 9.6.4 of this document, improves the problem of disk contention. Unfortunately, online recovery is Nevertheless, it is limited to a single disk volume.

An object of the present invention is to provide a multi-volume audit trail for a fault-tolerant computer that solves the above problems in the prior art.

[0006]

The above object of the present invention is a fault tolerant computer system, comprising: an audit generator for generating audit records; a plurality of audit trail disk storage devices for storing audit records in an audit file; A plurality of audit trail storage processing means for receiving audit records from the audit generator and directing the audit records to the audit trail disk storage device, and a new audit file that should be the current allocated audit file when the previously allocated audit file is full and the current A response audit trail storage operation that selects a new audit trail storage processing means, and an audit trail configuration processing coupled to the plurality of audit trail storage processing means, each audit record to a database accessed by the audit generator. Describe the changes, and each audit trail storage processor Has access to at least one audit trail storage disk unit, and the audit records are directed from the audit generator through the current response audit trail storage processing means to the currently allocated audit file, each new audit file being immediately Located on a different audit trail disk store than the previous audit file, each new audit trail store process receives a rollover message from its immediate previous audit trail store process to initiate a responsive handoff. Achieved by a fault tolerant computer system.

The above object of the present invention also serves as a backup for the audit generator, the first and second primary audit trail storage processes, and the first and second primary audit trail storage processes. In a fault-tolerant computer system equipped with backup backup audit trail storage processing of the first, the audit trail storage processing stores the audit records generated by the audit generator in an audit file accessible to the audit storage processing, and the first primary A method of switching the storage of currently generated audit records from an audit trail storage process to a second primary audit trail storage process, the first access to the first primary audit trail storage process and the first backup audit trail storage process. Audit generator for storage in each audit file By receiving the buffer of audit records in the first primary audit trail storage process and receiving the buffer of audit records, the first primary is that the first audit file is full and the buffer of records cannot be accepted. A rollover request message is sent from the first primary audit trail storage process to the second primary audit trail storage process, which is determined by the audit trail storage process, and the rollover request message includes the second primary audit trail storage process and the second primary audit trail storage process. Sending a rollover announcement message from the first primary audit trail storage operation to the audit generator, the rollover announcement message including a unique sequence number identifying a second audit file accessible to the backup audit trail storage operation of First audit file The second primary audit trail store operation receives a rollover request message containing information identifying the second primary audit trail store operation as the correct destination for the full indication and the currently generated audit record. A first checkpoint message is sent from the primary audit trail store process to the second backup audit trail store process, the first checkpoint message being in the second audit file where storage of audit records should be initiated. A first checkpoint acknowledgment message is sent from the second backup audit trail store operation to the second primary audit trail store operation in response to the first checkpoint message, including locator information identifying the location, and the rollover is performed. Second primary supervisor in response to request message Send a rollover acknowledgment message from the visa trail store process to the first primary audit trail store process, send a second checkpoint message from the first primary audit trail store process to the first backup audit trail store process, The second checkpoint message is the first
A second checkpoint acknowledgment message from the first backup audit trail store process to the first primary audit trail store process, in response to the second checkpoint message, including an indication that the audit file is full. It is also achieved by a method comprising the step of sending.

Further, the above object of the present invention is to provide a fault tolerant computer system comprising an audit generator, a protocol management process, and a plurality of audit trail storage processes, wherein the audit trail storage processes are the audit records generated by the audit generator. Is stored in an audit file that is accessible to the audit storage process, and is a method for rotating the responsiveness to the storage of the currently generated audit record in the audit trail storage process. Assigning a selected audit file that is accessible to the selected audit trail storage process that should be the current allocation audit trail storage process and the selected audit trail storage process that should be the current allocation audit file, b) the current assignment audit file Current allocation audit trail from audit generator for storage in Storage of audit record buffers, c) write buffer of audit records received from the audit generator from the current allocation audit trail storage process to the current allocation audit file, and d) consecutive buffers in current allocation audit trail storage process. Monitor the growth of the current allocation audit file when is written, e) compare the size of the current allocation audit trail with a first threshold in the current allocation audit trail storage process, and f) measure the first predetermined size. By the decision in step e) to cross the threshold of
It is also accomplished by a method comprising the step of sending a first threshold warning message from the current allocation audit trail storage process to the protocol management process.

Further, the above object of the present invention is to provide an audit generator and a plurality of audit trail storage processes. In a fault tolerant computer system, the audit trail storage process converts an audit record generated by the audit generator into an audit storage process. The current responsiveness for storing audit records generated by the audit generator is to store audit trail storage operations when the consecutive audit files are full, for storing in an accessible audit file. From the new audit trail store with a new response, used by consecutive rollover messages, are sequentially assigned unique sequence numbers, and each audit trail store process is assigned an audit record. One of the audit trail storage processes to store Is a fault tolerant method of storing a sequence number identifying at least a known audit file used by and processing rollover messages received in a first audit trail storage process, the first audit trail storage process comprising: A method that operates as if it were already a response audit trail store, a)
The first audit trail storage process receives a rollover message from the second audit trail storage process, the rollover message including the audit file sequence number of the next audit file to receive the audit record, b).
In the first audit trail storage process, extract the audit file sequence number from the rollover message, and c) compare the received audit file sequence number with at least the known audit file sequence number stored in the first audit trail storage process. And d) the decision in step c) that the received audit file sequence number is greater than at least the stored known audit file sequence number, go to step f), e) go to step h), f) first. In the rollover message to close the audit file identified by the audit file sequence number stored by the audit file sequence number stored in the first audit trail storage process, and g) receive the audit record from the first audit trail storage process. New identified by the sequence number contained in There open audit files also achieved by a method comprising the step of terminating the process h) rollover message.

[0010]

In accordance with the present invention, a fault tolerant computer system distributes an audit trail containing audit records across any number of disk volumes. After one audit trail file is filled, the audit records are directed towards the next audit trail file stored on a different disk volume. The storage of newly created audit trail records circulates among the available disk volumes. The contents of the filled audit trail file are
Eventually saved, those spaces will be made available again for storage of newly created audit records. The amount of audit available for online recovery after a failure is not limited to the storage capacity of any single disk volume. Furthermore, there is no contention for disk access between the archiving of filled audit trail files and the storage of newly created audit records. In one embodiment of the present invention, a fault tolerant computing system includes multiple processors and disk storage devices or volumes. At least one processing unit performs processing to generate audit records that describe changes to the database or system state. Some of the disk storage is selected to receive the audit records. Each such designated disk storage device has an associated primary audit trail disk processing (ADP) running on one of the processing units that controls disk access and disk access should the primary fail. Have a backup audit trail disk process (ADP) running on another processor that controls the.

Another process running on one of the processing units is known as an audit trail configuration management process. This process controls the creation, renaming, and deletion of audit trail files on the audit trail disk storage device. In response to system operator input, the audit trail configuration management process configures the number of disk storage devices to use to receive audits and the number of audit trail files stored on each designated storage device. Audit generator (generation program)
Directs its records to the primary audit trail file known as the current audit trail file. This current primary audit trail storage process monitors the growth of the current audit trail file while storing records. When the size of the current audit trail file reaches a threshold, the current audit trail storage process directs the audit trail configuration management process to prepare a new audit trail file. The audit trail configuration management process prepares a new audit trail file and informs the current audit trail storage process of the name of the new audit trail file. When the current audit trail file is full, the current primary audit trail store operation is
Send the name of the audit trail store that has access to the new audit trail file to the audit generator. Also,
The current audit trail store process sends a rollover message to the new audit trail store process. The present invention provides a special rollover message protocol to ensure that audit record storage is not disturbed by faults that occur during rollover.

The present invention also allows disk volumes to be designated as overflow audit trail storage. Overflow space is not available to the operator to mount the tape for the audit dump, or there is a sudden burst of audit occurrences that fills the primary audit trail before the oldest file is eligible to be renamed. Used in extreme situations, such as. Audit trail records are transferred to the overflow volume, thus freeing space for new audit occurrences. Also, the system operator
It is possible to identify the local disk volume used to hold the audit trail files restored from the audit dump as part of the recovery procedure. Various audit trail configuration parameters such as the number of active audit trail disk volumes and the number of files per volume can be adjusted online. New audit generators can be added to existing audit trails. The graphical user interface provides the operator with a display to explain the progress of the audit trail. For example, one bar chart shows the operator how much audit trail is currently being used. System operators can see at a glance if the current transaction workload is pushing audit trail capacity towards or beyond the overflow threshold, to the point where audit occurrences must be interrupted. .

The present invention may be better understood by reference to the following detailed description in connection with the accompanying drawings.

[0014]

DETAILED DESCRIPTION OF THE INVENTION The present invention relates to the storage of audit records in a fault tolerant computer system in which multiple processes run simultaneously and exchange messages. The term “processing”
Represents the flow of activity defined by the ordered set of machine language instructions that define the set of actions that the process should take and the data values it can read, write, and manipulate. Multiple processes can run simultaneously and asynchronously within a fault tolerant computer system. The term "message" refers to a unit of information transmitted from one process to another. The message is
It can either be “waited” or “not wait”. The “waited message” is
A message sent from one process to another, in which the sender does not proceed until it (sender) gets a response. A "waitless message" is a message sent from one process to another process in which the sender proceeds without waiting for a response. The sender accepts the response asynchronously. Certain special types of processing are relevant to the present invention. "Backup process" and "Primary process"
The backup process replaces the primary process if the primer process fails.
Together, the processing pairs are considered as a single logical entity. The primary processing is a message that contains the state information needed to enable takeover in case of a failure. A certain period (per
iodic) Send "checkpoint" to backup process.

"Disk processing" is processing for managing physical disk volumes. "Data volume" or "data disk process" is a process for managing database files. An "audit trail record" describes changes to the database or system state.
The audit trail record may include a "post-update image" and a "pre-update image". An "updated image" is a copy of a database record or physical page after changes have been made to it. A "pre-update image" is a copy of a database record or physical page before any changes were made to it. The "data volume" produces audit records related to updates to database files. The “audit trail file” is a file of audit trail records. An "audit trail" is an ordered sequence of audit trail files. "Audit trail disk processing (ADP)" is disk processing that receives a record and writes the record to an audit trail file.
An "audit generator" is any process that sends audit records to ADP. Examples of audit generators include data disk processing and audit trail configuration management processing.

According to the present invention, the subsequent files have different ADPs.
Provides a "multi-volume audit trail" which is an audit trail that resides on different disk volumes managed by. The audit generator is a “current audit trail file” that belongs to the audit trail assigned to the audit generator.
Send the currently generated audit to the ADP that manages the. In the context of the present invention, the "audit trail configuration management process" prepares the next current audit trail file in a sequence of files in the audit trail. "Roll over"
Is the transition from using a full current audit trail file to using the next audit trail file in the sequence of audit trails. FIG. 1 illustrates a fault tolerant computer system 100 according to the present invention. The fault tolerant computer system 100 includes a multi-processing device 102, 104, 106, 108, a device controller 110, 112, 114, 116, a disk storage device or a disk volume 118, 12.
0, 122, and tape storage device 124. Also,
The fault tolerant computer system 100 also includes a system terminal device 126. System bus 128
Interconnects the processing devices 102, 104, 106, 108 and the system terminal device 126. The device controller 110 provides system access to the disk volume 118, the device controller 112 provides access to the disk volume 120, the device controller 114 provides access to the disk volume 122, and the device controller 116 , Providing access to tape storage. The numbers, types, and arrangements of the hardware components shown are exemplary of the elements that may be used to implement the present invention.

FIG. 2 is a process explanatory diagram showing various processes running on the fault tolerant computer system 100 according to the present invention. A data disk process or data volume 200 is shown. The data disk process 200 operates to modify a database record stored on one of the disk volumes and generates an audit record. The data disk process 200 may actually represent multiple processes for changing a disk volume.
Audit trail disk processing (ADP) pair 202, 204,
206 includes a primary process and a backup process. The audit trail configuration management process 220 plays a role of controlling generation, renaming, and deletion of the audit trail file on the audit trail disk storage device. A backup audit trail configuration management process (not shown) is also provided to replace these functions in the event of a failure. Here, any process that creates an audit record for storage is referred to as an audit generator. Referring to FIG. 2, both the data disk process 200 and the audit trail configuration management process 220 generate audit records to allow recovery to a consistent state in the event of a failure. According to the invention, each audit generator has an ordered sequence of audit trail files or associated audit trails for storing audits. The primary and backup ADPs control access to the disk volumes that store the audit trail files. The primary ADP usually has control of disk access, but in case of failure, backup replaces it. To allow this takeover,
The primary ADP sends a periodic checkpoint to its backup that contains all of the disk state information needed for a smooth takeover.

The process of FIG. 2 runs on the processor of FIG. A single processor runs more than one process. The primary and backup processes of the process pair run on different processing units. The processes of FIG. 2 interact by exchanging messages via messaging system 222. The operation of the messaging system 222 is independent of whether the local area communication process operates on the same or a different processing device. If necessary, message information is transmitted via system bus 128. FIG. 2 is intended to be illustrative of the present invention, which may operate in the context of multiple audit generate and audit store combinations. FIG. 3 is a flow chart showing the initial stages of establishing and operating an audit trail across multi-disk volumes according to the present invention. The audit trail configuration management process 220 is step 30.
Generate an audit trail configuration data structure at 0. This audit trail configuration data structure includes the identification of the ADPs that should be included in the audit trail, the number of audit trail files that should be managed by each ADP, and the size of each file. In the preferred embodiment, the audit trail can span up to 16 disk storage devices. However, the maximum number of disk storage devices in the audit trail is arbitrary.

In step 310, audit trail configuration management process 22
0 sends a start message to each of the ADPs in the audit trail. At this time, all AD related to the audit trail
P learns the name and unique current audit trail file sequence number. In step 320, audit trail configuration management process 2
20 sends a message to the audit generator using the audit trail. The message includes the current ADP, the identification of the primary ADP that has access to the current audit trail file. FIG. 4 shows a portion of an exemplary audit trail configuration data structure 400 generated in step 300 according to the present invention. The audit trail configuration data structure 400 includes an active volume linked file containing entries 404, 406, and 408 corresponding to the ADP controlling the disk device selected by the operator for inclusion of the active audit trail. Contains list 402. Each ADP
Entry associated linked list of entries P ₁ to P ₃ which identify the pre-assigned audit trail file on the disk storage device that is controlled by the ADP 41
0, 412, and 414. Each ADP entry is associated with a linked active audit trail file.
Initially this list is blank, although it also has a list.

FIG. 5 shows a portion of the audit trail configuration data structure 400 after the first file has been selected to be the current audit trail file. The file identified by the pre-allocated file entry P ₃ is renamed here by the audit trail configuration management process 220 and is now identified by the entry F ₁ in the new linked list 416 of resident active audit trail files associated with the ADP entry 404. To be done. The file identified by entry F ₁ is therefore the first current audit trail file and ADP ₁ is the first current ADP. The newly generated audit is written to the current audit trail file via the current ADP. Current ADP monitors the growth of current audit trail files. When the current audit trail file reaches the threshold, the current ADP requests the audit trail configuration management process 220 to identify and prepare the next audit trail file. The following audit trail file is
It can be either an active audit trail file that is eligible under certain criteria for pre-assigned or renamed unused. In the preferred embodiment, the following criteria are used to determine eligibility for rename: In general, the candidate audit trail file must be dumped to tape in order to be qualified. (In the preferred embodiment, the operator may choose not to save the audit to tape unless dumping is required due to qualification.) The candidate file is
Without including the audit required to 1) restart the fault-tolerant computer system 200, 2) restore the data maintained in the audit generator's cache, or 3) cancel the currently pending transaction. Good. The current audit trail file cannot be renamed either. In the preferred embodiment, other miscellaneous processes, such as remote backup processes, may be denied the qualification to rename the audit trail file.

FIG. 6 shows a portion of the audit trail configuration data structure 400 after multiple files have been filled with an audit. Sequential active audit trail files are identified by incrementing the sequence number and associated (associated) resident linked list 4 for each ADP entry.
F ₁ , F distributed through 16, 418, and 420
_2, F _3. . . It has related entries marked as. 7 and 8 show a flow chart describing the steps of selecting the next current audit trail file in accordance with the present invention. In step 500, the audit trail configuration management process 220
Receive a request from the current ADP to prepare the next audit trail file. At step 502, the audit trail configuration management process 220 identifies the current ADP entry in the volume linked list 402. At step 504, the audit trail configuration management process 220 selects the next ADP entry in the volume linked list 402 as a candidate to be the new current ADP. At step 506, the audit trail configuration management process 220 determines if the volume identified by the candidate ADP entry is up. If the volume is up, then step 508 determines if there is a pre-allocated file identified by the entry in the pre-allocated file linked list associated with the candidate ADP entry. If the pre-allocated file linked list for the candidate ADP entry has entries, the file identified by the last entry in the list is selected at step 510 as the next current audit trail file and the candidate AD
P is the next current ADP.

The pre-allocated file linked list is then updated by removing the last entry. The resident file linked list is updated by adding to the entry a file sequence number that is one greater than the sequence number of the current audit trail file. If the pre-allocated file is not available, the audit trail configuration management process 220
A check is made at step 512 to see if the renamed entitlement file exists in the entry on the P entry's resident file linked list. If this resident file linked list has a rename eligible entry, the rename eligible file with the lowest sequence number is identified at step 510 as the next current audit trail file. This file is then renamed before use. Resident File Linked List removes the previous entry identifying the renamed audit trail file and adds a new entry at the end of the list with a sequence number one higher than the sequence number in the current audit trail file. Will be updated by This new entry identifies the next current audit trail file.

Referring to FIG. 8, if the volume identified by the candidate ADP entry is down or does not have a preallocated file or rename file, then audit trail configuration management process 220.
Identifies the next ADP entry on volume list 402 as a new candidate ADP entry in step 516. The search for the next candidate ADP entry may cycle to the beginning of the volume list 402 so that the next candidate ADP entry may be the first in the list. At step 518, the audit trail configuration management process 220 checks to see if it has cycled through all the volumes on the list in its search for audit trail files. If not, execution proceeds to step 506 to identify the appropriate next current audit trail file associated with the latest candidate ADP. If the audit trail configuration management process 220 has cycled through all ADP entries on the volume list and has not identified a suitable candidate to be the next audit trail file, the event is step 52.
Issued at 0. The event issued at step 520 explains, via the system terminal 126, that the audit trail file cannot be found. The audit trail configuration management process 220 then waits at step 522 for an event that may generate an available file. Such an event is an ADP to configuration
Additions, availability of ADP on the downed volume list, increased number of files per volume, transfer of monitoring from previously unqualified files to overflow, or other changes in the qualified status . After an event that could generate an available file, the audit trail configuration management process 220 proceeds to step 50 to restart the search.
Return to 2. As a result, audit storage is available in round robin, provided that the volumes referenced by volume list 402 remain operational and the full audit trail is eligible for rename on a timely basis. It goes through a large volume. Therefore, the audit trail is distributed over many volumes. The archiving process does not contend for a disk access with a currently generated audit store. The audit trail capacity available for online recovery exceeds the storage capacity of any one disk volume. A further advantage is that failure of a non-current ADP or disk volume does not stop the storage of currently generated audits. Therefore, the multi-volume audit trail technique of the present invention leads to an increase in mean time between failures (MTBF).

All ADPs associated with a multi-volume audit trail learn the name and sequence number of the current audit trail file when they boot. When the current ADP finds that its audit trail file is full, it marks the file as full and
Send a rollover request to the ADP with the next file in the sequence of files in the audit trail. The rollover request contains the name and sequence number of the newly created audit trail file. Both ADPs participating in the rollover update their data structures to indicate the name and sequence number of the new current audit trail file. The audit trail configuration management process 220 informs the rollover via asynchronous notification. All other ADPs not participating in the rollover do not learn about the new current audit trail files, but as a result they
Update their data structures when they themselves receive the rollover request. This will happen over time as the audit trail files are allocated in various ADPs in round robin. The following example shows how ADP learns which file is current. The three ADPs participating in the multi-volume audit trail (ADP ₁ ,
Assume that ADP ₂ and ADP ₃ ) are present. AD
It is further assumed that at P launch time ADP ₁ contains the current file name F ₁ (subscript indicates sequence number). Table 1 below shows each ADP view of the current audit trail file during a series of rollovers.

[0025]

[Table 1] ───────────────────────────────────Time ADP ₁ perspective ADP ₂ perspective ADP ₃ perspective After starting on the F ₁ ADP ₁ on the F ₁ ADP ₁ on the ADP ₁ of F ₁  ADP after the first rollover_TwoF on_Two ADP_TwoF on_Two ADP₁F on₁ (From ADP ₁ to ADP ₂ ) ADP after the second rollover_TwoF on_Two ADP_ThreeF on_Three ADP_ThreeF on_Three (ADP ₂ to ADP ₃ ) ADP after the third rollover₁F on_Four ADP_ThreeF on_Three ADP₁F on_Four (From ADP ₃ to ADP ₁ ) ... 9 to 11 are the current audit trail files filled?
Ready for handoff to the next audit trail file
Messages exchanged by ADP when they were made
, Audit trail configuration management process 220, and audit generation
Data. ADP _mThe entry labeled as
Represents the current ADP. ADP_{m + 1}D labeled
Write the audit after the rollover has taken place.
Represents the ADP that begins to jam. ADP_mAnd AD
P_{m + 1}Is a private policy unless a backup replaces it.
It is understood that this is Mali ADP. DP_xWith label
Marked entries ADP their audit_mCurrent
Represents all audit generated disk processes sent. TMP and LA
The entry with the bell is the audit trail configuration management process 2
Represents twenty. Message system traffic is
As you move back and forth across the page, time goes down the page.
Move. The arrow at the head of the line segment
Indicates the direction of sage system traffic. Line segment
The plus sign (+) at the end of the
Mark it as a message, line segment
The colon (:) at the end of the
wear. Each message has it's corresponding response
Have a number to associate with. Threshold is thick
Appears in italic typeface. No-wait
The message, in its description, is Keywort NOWA.
Have IT. All other messages are weighted
(waited) -It is assumed to be a message.

ADP _m receives a buffer of audit records, message 1+, and sends an acknowledgment, message: 1 from the audit generator. ADP _m stores a buffer of audit records in the current audit trail file. As it stores the audit, ADP _m monitors the growth of the current audit trail file. FIG. 9 shows that upon reaching the first threshold, the "preparation rollover threshold", ADP _m sends message 2+ to audit trail configuration management process 220, asking it to prepare a new audit trail file. . Audit trail configuration management process 22
Message 2+ is sent no wait because 0 may require system related services from ADP _m .
The weighted message is the audit trail configuration management process 2
A deadlock may occur between 20 and ADP _m . FIG. 10 shows an audit from that audit generator, ADP _m continuing to receive message 3+, but audit trail configuration management process 220 indicates that the current audit trail file is at the second threshold, "Audit Retention Threshold". You haven't prepared a new audit trail file by the time you reach. Upon reaching the audit retention threshold, ADP _m
Is currently sent audit, message 4+, in response,
Accepts message: 4, which tells the audit generator to keep all those new audits indefinitely. This audit retention threshold is generally not reached because the audit trail configuration management process 220 normally prepares a new audit trail file and informs ADP _{m long} before the audit retention threshold is reached. In response to the audit hold response, the audit generator will ask the current A when it can resume sending audits.
Send no wait message 5+ to DP.

The audit trail configuration management process 220 prepares a new audit trail file by renaming an audit trail file accessible to ADP _{m + 1} that was previously stored or transferred to overflow storage. The new audit trail file is assigned a sequence number one higher than the sequence number of the current audit trail file. Shortly after the audit trail configuration management process 220 prepares a new audit trail file, it informs ADP _m by sending a reply message: 2 to ADP _m . Response message:
2 contains the name and sequence number of the new audit trail file. If the current ADP _m tells any audit generator to hold audits, it informs them that they can resume sending their audits, message: 5. Then the audit generator again
Start sending those audits to DP _m . FIG.
Audit, message 7+ and: until ADP _m gets a request 8+ to write a buffer of audit records that does not match the rest of the current audit trail file.
Indicates to continue to receive 7. In other words,
The audit trail file is file full threshold (f
ile full threshold) has been reached. At this point, ADP
_m writes to disk all previously unwritten audits it has received. Then it marks the file as full and no wait
Send a rollover message 9+ to ADP _{m + 1} telling it that it will be the new ADP. and it is,
File Full Response Message: Respond to the Audit Generator with 8 indicating the name of ADP _{m + 1} . Audit is
It is now directed to ADP _{m + 1} , messages 10+ and: 10. Further details of rollover are shown below in FIG.
This will be described with reference to FIG.

[0028] is commonly referred to as "late audit generators are", other audit generator, they are, ADP m + ₁
Don't learn about rollover until you send an audit to ADP _m , which then gives them a file full response containing the names of. Next, these audit generators
Start sending those audits to _{m + 1} . Note that in FIG. 11, the response to message 8 occurs before the response to message 9. Old AD
P gives its audit generator a file full response before it receives a response to the rollover message from the new ADP. This leads to the possible race condition that the audit generator correctly sends the audit to the new ADP before the new ADP receives the rollover message. Referring to FIG. 11, this is message 9
This means that message 10+ can theoretically arrive at ADP _{m + 1} before +. This situation is catastrophic C
It should only occur in the case of a PU failure. If ADP _{m + 1} receives a buffer of audit records before recognizing that it is the current ADP, it will:
Give the file full response with the name of the known current ADP one before the present. The audit generator will return all ADs on the trail until it returns to the current ADP and the current ADP receives its rollover message.
Therefore take P's cyclic tour.

If the rollover message 9 was made weighted, such a cyclic tour would:
This can be avoided altogether, but this is a performance hit in the general case because the old ADP must wait for a response to the rollover message before it can then respond to any of its audit generators. Reduce. The preparation rollover and audit retention threshold calculations are described herein. In order to understand the basic principles of calculating these thresholds, it is useful to consider the audit generator as a collection of multi-corporating audit generation processes, referred to below as pins. The audit generator may continue to send audits to its current ADP for a short time after ADP tells the disk volume to hold the audit. When ADP tells it to keep an audit, the audit generator does this because some of its pins can execute instead of audit generate requests. Also, the audit generator may have already accumulated audit records in its audit buffer when ADP tells it to keep the audit. Therefore, ADP needs to set an audit retention threshold so that it can successfully accept this extra audit. Setting the audit retention threshold according to the following formula
Ensure that extra audits are accepted: AHT = MF- (B * (DV + DVP)) where AHT is the audit retention threshold, MF is the maximum size of the audit trail file, and B is the preferred embodiment. Is about 32K, the size of the audit generator's audit buffer, DV is the number of audit generators sending audits to ADP, and DVP is the total number of pins to those audit generators sending audits to ADP. The audit trail configuration management process 220 also sends audits, so it should be considered as a single pin audit generator for formulas.

The term (B * (DV + DVP)) represents the amount of audit ADP can (at least theoretically) receive after telling its associated audit generator to keep those audits. Adding the number of audit generators to the number of pins audits the request when each audit generator's buffer is completely full and fills the entire buffer with audit records when it begins to process the next request. Addresses the possibility that each pin of the generator will handle. The formula for the audit retention threshold shown above is very conservative. It produces an even lower threshold than is generally required to guarantee the memory of the entire audit. In the preferred embodiment, the prepare rollover threshold is the audit hold threshold of 7.
Set to 0%. Also, this value can be configured flexibly or can be derived from the actual audit generation rate (audit generation rate). When ADP fires, it does not know how many audit generators send it audits, nor does it know the number of pins on each audit generator. Therefore, the ADP must adaptively recalculate the audit retention threshold and prepare a rollover threshold each time it learns about a new audit generator. Audit generator AD audit
Each time it sends to P, it indicates the number of pins in that processing group. When ADP gets an audit from a particular audit generator for the first time, it updates the number of audit generators and the number of pins (DV and DVP in the above formula) and recalculates the audit retention threshold to get the rollover threshold. prepare.

Each time ADP recalculates the prepare rollover threshold, it must compare this value to the size of the current audit trail file. If the file size exceeds the prepare rollover threshold and the next file is not yet prepared, ADP
Must immediately send a request to the audit trail configuration management process 220 requesting it to prepare a new audit trail file. ADP _m during rollover
Or the situation where the failure of ADP _{m + 1} does not cause ADP to work as if it were current, ie "drop the baton", or one or more ADPs operate as if it were current. It is important that it does not result in either "breaking the baton". The present invention provides a fault tolerant rollover message protocol among the audit generators, ADP _m , ADP _{m + 1} , and their backups. FIG.
2 shows a fault tolerant rollover message protocol according to the present invention. Circles represent processes such as audit generator 700, primary ADP _m 702, primary ADP _{m + 1} 704, and their backups 706 and 708. Arrows represent messages passing back and forth between entities. Rollover occurs between primary ADP _m and primary ADP _{m + 1} .

The current primary ADP, ADP _m, is a backup of audit records from the audit generator, FIG.
The message A corresponding to the message 8+ is received. As described with reference to FIG. 6, the primary ADP
_m must mark the current audit trail file that is full and send a rollover request, message B or message 9+ of FIG. 6 to the primary ADP _{m + 1} . The primary ADP _{m + 1 then} sends a checkpoint, message C, to the backup ADP _{m + 1} , indicating that it has become the current ADP. Backup AD
P _{m + 1} returns an acknowledgment, message D. After the primary ADP _{m + 1} returns an acknowledgment, message E corresponding to message: 9 in FIG. 6, to the original rollover request, the primary ADP _m becomes the backup AD.
Check point P _m, sends a message F, indicating that it is no longer current ADP. Backup ADP
_{When m} returns an acknowledgment, message G, the rollover is complete and the protocol ends. ADP _m
Responds to the audit generator, message X, which corresponds to message 8 in FIG. 6, that the audit trail file is full and it must resend the buffer of audit records to the new primary ADP. Tell it that. This reply can be made at any time after message B but before message F.

This rollover protocol of the present invention provides 6 during various ADP processes (including backup).
Includes only one message (including acknowledgment). Fault-tolerant protocols based on processing pairs
It can be shown that fewer messages cannot be used. The manner in which this rollover protocol handles failures is now described. The rollover protocol must be able to handle single CPU failures rather than double CPU failures. Primary and backup ADP are different CPUs
At least one survives a single CPU failure. The failure of the backup ADP has no hindrance. When the backup ADP CPU fails, it is reloaded. As part of the CPU reload, the backup ADP will be restarted and the primary will properly update all its data structures so that it is ready to replace in case of failure of the primary. Send a checkpoint message to it. Backup AD before the primary fails
As long as P completely restarts, the rollover protocol will succeed.

Furthermore, at several points in the protocol,
The loss of primary ADP obviously does not bring the protocol down. For example, if the primary ADP _{m + 1} fails before the primary ADP _m sends message B or after the backup ADP _{m + 1} receives message C, the backup ADP _{m + 1} has sufficient information to successfully replace. Have and become primary. Further, if the primary ADP _m after before or backup ADP _m receives a message F primary ADP _m receives a message A fails, the backup ADP _m has sufficient information to replace well and the primary Become. And the primary ADP _m
After sending message B, but the primary ADP
If both primary ADP _m and primary ADP _{m + 1} fail before _{m + 1} sends message C, then both primary ADP _m and primary ADP _{m + 1} have sufficient information to successfully replace. And become the primary. Note that in this case, the audit generator must resend message A to the backup ADP _m that will take over and become the primary. Four failure scenarios remain to be considered:
I) The primary ADP _m fails after it sends message B but before it sends message F.
II) The primary ADP _{m + 1} fails after it receives message B but before it sends message C. III) The primary ADP _{m + 1} fails after it sends message C but before it responds with message E. IV) Primary ADP _m and primary ADP _{m + 1} fail after primary ADP _{m + 1} sends message C but before primary ADP _m sends message F.

For I, the backup ADP _m has not received message F yet, so when it replaces it still thinks it is current. I still think that it is current because the primary ADP _{m + 1} successfully received message B. Both the backup ADP _m and the primary ADP _{m + 1} believe that they are current. However,
They both do not work as if they were current. Before it still sends message B
Recall that the primary ADP _m marked the current audit trail as full. If the backup ADP _m (which becomes primary) receives a new audit, it will recognize that the audit trail file is full and will just restart the rollover. The primary ADP _{m + 1} will recognize that the sequence number of the rollover request is equal to or precedes the sequence number it is believed to be already current. Therefore, the primary ADP _{m + 1} has already started to acknowledge the request or otherwise use an audit trail file with a sequence number equal to or greater than that specified in the request. So ignore it.

However, if the backup AD
P_m(Becomes primary) roll over it
Suppose you don't receive an audit that results in a reboot.
As a result, it already thinks it is current
Receive the rollover request itself. This low
The sequence number in the failover request is current
And it exceeds the sequence number you already believe,
It closes and rolls over its current audit trail file.
Use the audit trail file specified in the server request
To start doing. Therefore, as a result,
Visa trail thinks that only one ADP is current
Return to the state of being. In case of II, primary ADP
_mIs the primary ADP_{m + 1}Know that the
It replaces and becomes primary.
Backup ADP_{m + 1}Re-rollover request to
Send. Backup ADP_{m + 1}Decides message C
This is a roll-up because I have not received
Be the first to learn about the bar and usually
So proceed with the protocol. II in the case of III
Similar to. Primary ADP_mIs the primary
ADP_{m + 1}Received a notification that the
Backup ADP that becomes primary_{m + 1}To low
Resend the failover request. Backup ADP
_{m + 1}Received message C, it
become. Upon receiving the retransmitted rollover request,
Backup ADP_{m + 1}Is the request sequence number
The sequence of files it already believes to be current
Be recognized as equal to or precede the
U. Therefore, backup ADP_{m + 1}Is resent
Acknowledge rollover request or otherwise request
Equal to or greater than that specified in
Use an audit trail file with a threshold sequence number
I've already started doing that, so ignore it.

Case IV is similar to case I. Both backup ADP _m and backup ADP _{m + 1} take over and become primary. Backup A
Since DP _{m + 1} received message C, it would think it is current. Backup ADP
It will think it is current because _m has never received message F. Both ADP
Thinks they are current, but ADP
Will eventually fix the situation. As for I,
The ADP in question relies on the sequence number of the rollover request and the fact that the primary ADP _m marked the current audit trail file as full before invoking the rollover. If the backup ADP _m (which becomes primary) receives a new audit, it will recognize that the audit trail file is full and will just restart the rollover. The backup ADP _{m + 1} (becoming the primary) will recognize that the sequence number of the rollover request is equal to or precedes the sequence number it is believed to already be current. Therefore, the backup ADP _{m + 1} has already acknowledged the request or has already begun to use an audit trail file with a sequence number equal to or greater than that specified in the request. So ignore it.

If the backup ADP _m does not receive the audit that would cause it to restart the rollover, it receives the rollover request itself, even if it already thinks it is current. Since the sequence number in this rollover request exceeds the sequence number it already believes to be current, it closes its current audit trail file and uses the audit trail file specified in the rollover request. Start. Again, the audit trail is the only ADP
Returns to operating as the current ADP. Hence,
The action taken by ADP, which it believes to be current, upon receiving the rollover request will depend on the sequence number. If you do not believe that ADP is current and that it receives a rollover request, three scenarios are possible. If the sequence number of the request is higher than the previous sequence number known to ADP, this is normal and this AD
P should be current. If the sequence number of the request is equal to the previous sequence number, it means that a protocol failure has occurred because all the processes cannot follow the above rules. And the ADP has failed. If the sequence number of the request is less than the known sequence number, the requester has been delayed by some utilization and ADP acknowledges this request and ignores it.

[0039]

[Table 2] ─────────────────────────────────── ADP state Sequence number State Action This ADP is a request Sequence number of> Normal case. It is currently known to this ADP This is a sequence number that I think should not be current . Request sequence number = protocol error! The ADP sequence number immediately fails because it should not be known to this ADP . Request Sequence Number <Lazy Requester. Known to this ADP This ADP should acknowledge the request, but does not process it . This ADP is the sequence number of the request> this ADP is late. Sea it has been known to ADP in the current it is, it should start that you use the new file that has been specified in the request to close the sequence number Lumpur, which I think there old audit trail file.

Request Sequence Number Delay Requester. <= Known to ADP This ADP should acknowledge the request, sequence number but not process it . The configured audit trail has a limited capacity. The active audit trail capacity is calculated as n * m * x, where n is the number of active volumes in the audit trail, m is the number of audit trail files per volume, and x is the capacity of a single audit trail file. It This capacity limit is
The rate of audit generation becomes important when the storage space exceeds the rate at which storage space becomes available for new audit storage, that is, full audit files become eligible for rename. For example, there may be a sudden burst of audit generation that is not available to the operator to mount the tape for the audit dump, or that fills the audit trail.
The present invention allows the system operator to specify the selected disk volume for overflow audit trail storage. In operation, overflow storage is used once the configurable threshold percentage of active audit trail capacity is occupied by full audit trail files that are not eligible for rename. The overflow threshold is typically configured to be anywhere from 50% to 100% of audit trail capacity. An optimal threshold can also be calculated from the audit generation rate and active audit trail capacity. Audit trail records are transferred to the overflow volume to make room for new audit generations.

The audit trail configuration management process 220 maintains the overflow audit configuration data structure. This data structure contains an overflow volume linked list that has an entry for the ADP responsible for the overflow volume. FIG. 13 illustrates the steps for using overflow audit trail storage according to the present invention. Stage 8
At 00, the audit trail configuration management process 220 determines that the audit trail threshold percentage or greater is full. Oldest audit trail file (lowest sequence number) that is not yet eligible for rename at step 802
Is copied to one of the volumes configured for that purpose and marked as eligible for rename. The audit trail configuration management process 220 selects a target overflow volume by cycling through the overflow volume linked list until it finds an ADP entry with memory space on disk storage. If for some reason overflow and regular audit trail storage share the same disk volume and the active audit trail files on the disk volume should be copied to overflow space on the same disk volume, then the file is simply A renamed and new pre-allocated audit trail file is created in the overflow space of the disk volume.

In step 804, the system terminal 126
Displays a warning that something must be done to remove the use of overflow space. The appropriate action is because the audit trail file is not eligible for rename. If the audit is not dumped,
The operator should install the tape. If the pending transaction is preventing the file from being renamed, the transaction should be terminated. If the CPU running the audit generator requires auditing for cache recovery, the operator may use periodic flushing of the cache.
flushing) should be waited for. If another process, such as remote backup, denies renaming for many audit trail files, the process should be inspected or examined. Also, if storage space is available, the operator can increase the number of files per volume or add volumes to the audit trail. If the overflow audit once stored in the file is no longer needed because the audit stored therein is saved, the overflow file is erased. If the audit trail continues to fill in spite of the use of overflow space, then the start non-transaction threshold may be reached. At this threshold, audit trail configuration management process 220 does not allow new transactions. The threshold should be configured to leave sufficient audit trail capacity to accommodate the audits that result from pending transactions. When the audit trail capacity becomes available so that the initiating no transaction threshold is no longer exceeded, the audit trail configuration management process 220 again allows new transactions.

The system manager can also identify a set of disk volumes that hold the audit trail files restored from the audit dump as part of the recovery procedure. The audit trail configuration management process 220 maintains another volume linked list containing an entry for the ADP designated to receive the restored audit trail file. As when having an overflow,
The audit trail configuration management process 220 cycles through this volume linked list to find the next ADP that has space to receive the restored audit.
The present invention is a fault tolerant computer system 200.
Provides the ability to reconstruct the audit trail without restarting the. Volumes can be added to or deleted from the set of volumes used to hold the active audit trail, its overflow space, and its restored files. The number of active files per volume, the overflow threshold, and the no transaction start threshold may also be changed. When a new active volume is added to the audit trail, extra files are allocated on that volume to add capacity to the active audit trail. Removing active volumes from the audit trail has the net effect of reducing the number of active audit trail files.

When an active volume is deleted, its entry is marked on the volume linked list so that it is no longer used to hold a new audit trail file. However, any files already existing on the volume remain until they are no longer needed. Once all of the files on the volume are no longer needed, the volume will
Removed from its subsequent role in the composition. This means that the deleted volume is in a transitive "deleted" state while it still contains the audit trail files. When the previously deleted volume is restored to the active state, it becomes so marked and becomes available again to hold the new audit file and maintains its position in the linked list.
FIG. 14 illustrates an audit trail status display 900 according to the present invention. The status display 900 includes an audit trail consumption bar graph 902,
An audit trail file status chart 904 and status information area 906 are included. The audit trail consumption bar graph 902 shows the percentage of audit trail capacity consumed by audit trail files that are not entitled to rename. Overflow threshold and initiating no transaction threshold are clearly marked on the bar graph. As a result, the system operator is provided with an easily understandable indication of current audit trail behavior.

The audit trail file status chart 904 is
List audit trail file names, their file status and their dump status. The file status indicates whether the file is available, that is, eligible for rename, active (not eligible for rename), or preallocated. The dumping status is shown only for active files. Possible damping states are "dumped", "not dumped",
Includes "current" and "non-dumping". A "non-dumping" state indicates that the system was configured not to dump audit when the file was written. The status area 906 includes an indication that the current audit trail status is "normal" or "overflow in use". Also here, the system operator can see the name of the oldest file, "First pinned file", which is not eligible to be renamed. There is a brief explanation why the file is not eligible to be renamed. The display shown shows that the oldest unqualified file is not qualified as it is the current audit trail file. While the above is a complete description of the preferred embodiment of the present invention, various alternatives, modifications and equivalents may be used. It will be clear that the invention is likewise applicable with appropriate modifications to the embodiments described above. For example, the audit trail technique described above may be applied to the storage of any serially generated records that are added in sequence. Therefore, the above description should not be taken as limiting the scope of the invention, which is defined by the established limits of the appended claims.

[0046]

The fault tolerant computer system of the present invention includes an audit generator that generates audit records, a plurality of audit trail disk storage devices that store audit records in an audit file, and audit records that receive audit records from the audit generator. To the audit trail disk storage, and a new audit file that should be the current allocated audit file and a new audit that should be the current response audit trail storage processing when the previously allocated audit file is full. An audit trail configuration process coupled to the plurality of audit trail storage processing means for selecting a trail storage processing means, each audit record describing a change to the database accessed by the audit generator, and each audit trail storage processing operation. Means is at least one audit trail record Having access to the disk unit, the audit records are directed from the audit generator through the current response audit trail store processing means to the current allocated audit file, each new audit file being a different audit file than the previous audit file. Located on the trail disk storage device, each new audit trail storage processing means receives a rollover message from its immediately preceding audit trail storage processing means to initiate a responsive handoff. Therefore,
The present invention provides a fault tolerant computer system that distributes an audit trail containing audit records across any number of disk volumes. After one audit trail file is filled, the audit records are directed towards the next audit trail file stored on a different disk volume. The storage of newly created audit trail records circulates among the available disk volumes. The contents of the filled audit trail files are eventually saved and their space is made available again for storage of newly created audit records. The amount of audit available for online recovery after a failure is not limited to the storage capacity of any single disk volume. Furthermore, there is no contention for disk access between the archiving of filled audit trail files and the storage of newly created audit records. Also,
The present invention allows disk volumes to be designated as overflow audit trail storage. Overflow space is not available to the operator to mount the tape for the audit dump, or there is a sudden burst of audit occurrences that fills the primary audit trail before the oldest file is eligible to be renamed. Used in extreme situations, such as. Audit trail records are transferred to the overflow volume,
Therefore free up space for new audit occurrences. The system operator can also identify the local disk volume used to hold the audit trail files restored from the audit dump as part of the recovery procedure. Further, in the present invention, various audit trail configuration parameters such as the number of active audit trail disk volumes and the number of files per volume can be adjusted online. New audit generators can be added to existing audit trails. The graphical user interface provides the operator with a display to explain the progress of the audit trail.

The method of the present invention also serves as a backup for the audit generator, the first and second primary audit trail storage processes, and the first and second primary audit trail storage processes. In a fault tolerant computer system equipped with backup audit trail storage processing, the audit trail storage processing stores the audit records generated by the audit generator in an audit file accessible to the audit storage processing,
A method of switching the storage of currently generated audit records from a first primary audit trail storage process to a second primary audit trail storage process, the method comprising: accessing a first primary audit trail storage process and a first backup audit trail storage process. The first audit file is full by receiving a buffer of audit records from the audit generator in the first primary audit trail store process for storage in the possible first audit file, and receiving the buffer of audit records and A rollover request message is sent from the first primary audit trail storage process to the second primary audit trail storage process by determining that the buffer of records cannot be accepted by the first primary audit trail storage process. The request message is the second primer Includes a unique sequence number that identifies the audit trail storage process and the second second audit file accessible to the backup audit trail storage process, first
Sends a rollover announcement message from the primary audit trail store operation to the audit generator, the rollover announcement message as the correct destination for the first audit file full indication and the currently generated audit record. The first checkpoint message from the second primary audit trail storage process to the second backup audit trail storage process by receiving a rollover request message in the second primary audit trail storage process. Send, the first checkpoint message includes locator information identifying the location in the second audit file at which storage of the audit record should begin, and the second backup in response to the first checkpoint message. From audit trail storage processing Send a first checkpoint acknowledgment message to the primary audit trail store process of the first and a rollover acknowledgment message from the second primary audit trail store process to the first primary audit trail store process in response to the rollover request message. Sending a second checkpoint message from the first primary audit trail storage process to the first backup audit trail storage process, the second checkpoint message indicating that the first audit file is full. Including, second
In response to the checkpoint message of step 1, sending a second checkpoint acknowledgment message from the first backup audit trail store process to the first primary audit trail store process. Accordingly, the present invention provides a fault tolerant computer system that distributes an audit trail containing audit records across any number of disk volumes. After one audit trail file is filled, the audit records are directed towards the next audit trail file stored on a different disk volume. The storage of newly created audit trail records circulates among the available disk volumes. The contents of the filled audit trail files are eventually saved and their space is made available again for storage of newly created audit records. The amount of audit available for online recovery after a failure is not limited to the storage capacity of any single disk volume. Furthermore, there is no contention for disk access between the archiving of filled audit trail files and the storage of newly created audit records. The present invention also allows disk volumes to be designated as overflow audit trail storage. Overflow space is not available to the operator to mount the tape for the audit dump, or there is a sudden burst of audit occurrences that fills the primary audit trail before the oldest file is eligible to be renamed. Used in extreme situations, such as. Audit trail records are transferred to the overflow volume, thus freeing space for new audit occurrences. The system operator can also identify the local disk volume used to hold the audit trail files restored from the audit dump as part of the recovery procedure.
Further, in the present invention, various audit trail configuration parameters such as the number of active audit trail disk volumes and the number of files per volume can be adjusted online. New audit generators can be added to existing audit trails. The graphical user interface provides the operator with a display to explain the progress of the audit trail.

Further, in the fault tolerant computer system including the audit generator, the protocol management process, and the plurality of audit trail storage processes, the method of the present invention, the audit trail storage process processes the audit records generated by the audit generator. A method for storing in an audit file accessible to the audit storage process, and a method for rotating the responsiveness to the storage of the currently generated audit record in the audit trail storage process, comprising: a) using a protocol management process, Assign a selected audit file accessible to the selected audit trail storage process that should be the current assigned audit trail storage process and a selected audit trail storage process that should be the current assigned audit file, b) in the current assigned audit file Current allocation audit trail storage from audit generator for storage The buffer of audit records received from the audit generator from the current allocation audit trail storage process to the current allocation audit file, and d) the current allocation audit trail storage process Monitor the growth of the current allocation audit file as it is written, e) compare the size of the current allocation audit trail to a first threshold with a current allocation audit trail storage operation, and f) measure a first predetermined size. The step e) of sending a first threshold warning message from the current allocation audit trail storage process to the protocol management process upon determination of step e) to cross the threshold. Accordingly, the present invention provides a fault tolerant computer system that distributes an audit trail containing audit records across any number of disk volumes. After one audit trail file is filled, the audit records are
Directed towards the next audit trail file stored on a different disk volume. The storage of newly created audit trail records circulates among the available disk volumes. The contents of the filled audit trail files are eventually saved and their space is made available again for storage of newly created audit records.
The amount of audit available for online recovery after a failure is not limited to the storage capacity of any single disk volume. Furthermore, there is no contention for disk access between the archiving of filled audit trail files and the storage of newly created audit records. The present invention also allows disk volumes to be designated as overflow audit trail storage.
Overflow space is not available to the operator to mount the tape for the audit dump, or there is a sudden burst of audit occurrences that fills the primary audit trail before the oldest file is eligible to be renamed. Used in extreme situations, such as. Audit trail records are transferred to the overflow volume, thus freeing space for new audit occurrences. The system operator can also identify the local disk volume used to hold the audit trail files restored from the audit dump as part of the recovery procedure. Further, in the present invention, various audit trail configuration parameters such as the number of active audit trail disk volumes and the number of files per volume can be adjusted online. New audit generators can be added to existing audit trails. The graphical user interface provides the operator with a display to explain the progress of the audit trail.

Further, the method of the present invention comprises an audit generator and a plurality of audit trail storage processes. In a fault-tolerant computer system, the audit trail storage process accesses the audit records generated by the audit generator to the audit storage process. The current responsiveness for storing audit records generated by the audit generator is to store from the audit trail store process that has the first response when the consecutive audit files are full. A continuously used audit file transferred by sending a rollover message to an audit trail store with a new response is assigned a unique sequence number in sequence, and each audit trail store processes an audit record. By one of the audit trail storage process to store A fault tolerant method of storing a sequence number identifying at least a known audit file used and processing rollover messages received in a first audit trail storage operation, wherein the first audit trail storage operation is as if Is a response audit trail storage process, wherein a) the first audit trail storage process receives a rollover message from the second audit trail storage process, and the rollover message is: Including the audit file sequence number of the next audit file to receive the audit record, b) in the first audit trail storage process, extract the audit file sequence number from the rollover message, and c) specify the received audit file sequence number. At least the known audit files stored in the first audit trail storage process. Comparing with the file sequence number, d) determining in step c) that the received audit file sequence number is greater than at least the stored known audit file sequence number, go to step f) and e) go to step h). , F) first
In the rollover message to close the audit file identified by the audit file sequence number stored by the audit file sequence number stored in the first audit trail storage process, and g) receive the audit record from the first audit trail storage process. Opening a new audit file identified by the sequence number contained in h) and h) ending the processing of the rollover message. Accordingly, the present invention provides a fault tolerant computer system that distributes an audit trail containing audit records across any number of disk volumes. After one audit trail file is filled, the audit records are directed towards the next audit trail file stored on a different disk volume. The storage of newly created audit trail records circulates among the available disk volumes. The contents of the filled audit trail files are eventually saved and their space is made available again for storage of newly created audit records. The amount of audit available for online recovery after a failure is not limited to the storage capacity of any single disk volume. Furthermore, there is no contention for disk access between the archiving of filled audit trail files and the storage of newly created audit records.
The present invention also allows disk volumes to be designated as overflow audit trail storage. Overflow space is not available to the operator to mount the tape for the audit dump, or there is a sudden burst of audit occurrences that fills the primary audit trail before the oldest file is eligible to be renamed. Used in extreme situations, such as.
Audit trail records are transferred to the overflow volume, thus freeing space for new audit occurrences. The system operator can also identify the local disk volume used to hold the audit trail files restored from the audit dump as part of the recovery procedure. Further, in the present invention, various audit trail configuration parameters such as the number of active audit trail disk volumes and the number of files per volume can be adjusted online. New audit generators can be added to existing audit trails. The graphical user interface provides the operator with a display to explain the progress of the audit trail.

[Brief description of drawings]

FIG. 1 is a diagram showing a fault tolerant computer system according to the present invention.

FIG. 2 is a process explanatory diagram showing various processes running on a fault-tolerant computer system according to the present invention.

FIG. 3 is a flow chart describing the steps of establishing a multi-volume audit trail according to the present invention.

FIG. 4 is a diagram showing an audit trail configuration data structure according to the present invention.

FIG. 5 is another diagram showing an audit trail configuration data structure according to the present invention.

FIG. 6 is another diagram showing an audit trail configuration data structure according to the present invention.

FIG. 7 is a flow chart describing the steps of selecting the next current audit trail file in accordance with the present invention.

FIG. 8 is another flowchart describing the steps of selecting the next current audit trail file in accordance with the present invention.

FIG. 9 illustrates messages exchanged between fault tolerant computer system components during operation of a multi-volume audit trail according to the present invention.

FIG. 10 is another diagram illustrating messages exchanged between fault tolerant computer system components during operation of a multi-volume audit trail according to the present invention.

FIG. 11 is another diagram illustrating messages exchanged between fault tolerant computer system components during operation of a multi-volume audit trail according to the present invention.

FIG. 12 illustrates a fault tolerant rollover message protocol according to the present invention.

FIG. 13 illustrates the steps of using overflow audit trail storage according to the present invention.

FIG. 14 is a diagram showing an audit trail status display according to the present invention.

[Explanation of symbols]

100 fault tolerant computer system 102, 104, 106, 108 multi-processing unit 110, 112, 114, 116 device controller 118, 120, 122 disk storage device (disk volume) 124 tape storage device 126 system terminal device 128 system bus

 ─────────────────────────────────────────────────── ─── Continued Front Page (72) Inventor Robert Van der Linden 95117 Scotts Valley South Nevera, California, USA 128 (72) Inventor William Jay Carrey, USA 95117 San Jose Maplewood Avenue 457 (72) Inventor James Allian California 95125 San Jose Merlin Way 1766 (72) Inventor Matthew McLean Washington 98007 Bellevue Unit B2 North East One Hundred and Forty Sevens Place 4421

Claims (3)

[Claims] 1. A fault tolerant computer system, comprising: an audit generator for generating audit records;
A plurality of audit trail disk storage devices for storing the audit records in an audit file; a plurality of audit trail storage processing means for receiving the audit records from the audit generator and guiding the audit records to the audit trail disk storage device; Coupled to the plurality of audit trail storage processing means for selecting a new audit file to be the current allocated audit file and a new audit trail storage processing means to be the current response audit trail storage processing when the assigned audit file is full Audit trail configuration processing, each said audit record describes a modification to a database accessed by said audit generator, and each said audit trail storage processing means stores at least one audit trail storage disk device. Have access to the audit record, the audit record From the Nerator through the Current Response Audit Trail Storage Processing Means to the Current Allocation Audit File, each said new audit file is placed on a different audit trail disk storage than the immediately preceding audit file and each said new audit file. A fault tolerant computer system, wherein the trail storage processing means receives a rollover message from an immediately preceding audit trail storage processing means to initiate a responsive handoff. 2. An audit generator, first and second primary audit trail storage operations, and first and second backup audit trail storage operations serving as backups for the first and second primary audit trail storage operations. In the fault-tolerant computer system, the audit trail storage process stores the audit record generated by the audit generator in an audit file accessible to the audit storage process, and the first primary audit trail. A method of switching the storage of currently generated audit records from a storage process to the second primary audit trail storage process, the method comprising access to the first primary audit trail storage process and the first backup audit trail storage process. For storage in one audit file. A buffer of audit records is received from the negotiator in the first primary audit trail storage process, and the buffer of audit records is received, whereby the first audit file is full and the buffer of records cannot be accepted. In the first primary audit trail storage process, sending a rollover request message from the first primary audit trail storage process to the second primary audit trail storage process, wherein the rollover request message is A second primary audit trail storage process and a unique sequence number identifying a second audit file accessible to the second backup audit trail storage process, the first primary audit trail storage process to the audit generator. To rollover notification Messe And the rollover announcement message includes information identifying the second primary audit trail store as the correct destination for an indication that the first audit file is full and a currently generated audit record; Sending a first checkpoint message from the second primary audit trail storage process to the second backup audit trail storage process by receiving the rollover request message in the primary audit trail storage process of
The first checkpoint message includes locator information identifying a location in the second audit file where storage of audit records should begin, and the second checkpoint message is responsive to the second checkpoint message. Sending a first checkpoint acknowledgment message from the backup audit trail storage process to the second primary audit trail storage process, and in response to the rollover request message from the second primary audit trail storage process to the first primary audit trail storage process.
A first checkpoint message to the first backup audit trail storage process, and a second checkpoint message to the first backup audit trail storage process.
Checkpoint message includes an indication that the first audit file is full and, in response to the second checkpoint message, from the first backup audit trail storage process to the first primary audit. Sending the second checkpoint acknowledgment message to the trail storage process. 3. A fault tolerant computer system comprising an audit generator, a protocol management process, and a plurality of audit trail storage processes, wherein the audit trail storage process uses the audit records generated by the audit generator as the audit storage process. For storing in an audit file that is accessible to, and a method of rotating the responsiveness to the storage of the currently generated audit record in the audit trail storage processing, a) using the protocol management processing, Allocate a selected audit trail storage operation that should be an assigned audit trail storage operation and a selected audit file accessible to the selected audit trail storage operation that should be a current assigned audit file; b) said current allocation audit file The current allocation from the audit generator for storage in Transmitting a buffer of audit records to an audit trail storage process, c) writing the buffer of audit records received from the audit generator from the current allocation audit trail storage process to the current allocation audit file, and d) the current allocation audit trail. A store operation monitors the growth of the current allocation audit file as successive buffers are written, and e) compares the size of the current allocation audit trail to a first threshold in the current allocation audit trail storage operation. F) sending a first threshold warning message from the current allocation audit trail storage process to the protocol management process upon the determination in step e) that the magnitude exceeds the first predetermined threshold. A method characterized by the following.