Multi-level trace events linking, storage and display

Tracing complete systems provides information at several levels: operating system, virtual machine, user space. The information may take the form of raw traced event data, or of more synthetic event data deduced from one or several raw events (a scheduling change event may be interpreted as a "schedule out" event for the previously executing process and a "schedule in" event for the new process). More elaborate analysis modules may provide even higher-level synthetic events (e.g. a file opening and several read operations may be represented by an abstract "sequentially read a complete file" event). In other cases, the relationship between a new synthetic event and the underlying detailed events may not be as direct. For instance, a high concentration of network requests may be an indication of a cyber-attack; no network request in isolation is necessarily part of the attack, but together they form a strong symptom of a possible attack.

In the global project, there are therefore several tracks which use or generate information at different levels, possibly in different "dimensions" (level of detail or abstraction, time synchronisation information, system level from hypervisor to operating system to application). This is the case for Multi-level traces synchronisation (operating system level, virtual machine level, application level, node level) where events in different time domains are matched (network packet send and receive events) to estimate the clock differences. Similarly, Trace abstraction connects low level events to higher level abstract synthetic events, and Automated fault identification generates fault warning events based on the analysis of trace events. Finally, Trace directed modeling may also introduce synthetic events that correspond to significant events in the modeled system state.

While all these tracks are initially pursued separately, a common underlying recurring need can be identified. The user must be able to navigate through the base raw events as well as through the new information generated by the analysis modules. Furthermore, it must be possible to easily and efficiently retrieve and visualize the links between the elements at the different levels. The challenge is at three levels: conceptual (how to model these links, which cover different dimensions, in a uniform way), algorithmic (how to efficiently store and access these links considering the huge number of events involved) and ergonomic (how to present a simple and effective visualization of these events and links).
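
A minimal sketch of the linking idea described above, added here as an illustration and not taken from the project's code: each synthetic event records the ids of the events it was deduced from, so a viewer can walk from a high-level warning back down to the raw trace. The event kinds (`sched_switch`, `net_request`, `net_request_burst`), the field names, the one-second window and the threshold of four requests are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    id: int
    ts: float            # timestamp in seconds
    kind: str
    attrs: tuple = ()    # (key, value) pairs
    sources: tuple = ()  # ids of the lower-level events this one was deduced from

def derive(raw, window=1.0, threshold=4):
    """Return synthetic events deduced from raw ones, each linked to its sources."""
    out, next_id = [], max((e.id for e in raw), default=0) + 1
    recent, in_burst = deque(), False   # net_request events inside the window
    for e in sorted(raw, key=lambda ev: ev.ts):
        a = dict(e.attrs)
        if e.kind == "sched_switch":
            # One raw event yields two synthetic events, both linked to it.
            for kind, pid in (("schedule_out", a["prev"]), ("schedule_in", a["next"])):
                out.append(Event(next_id, e.ts, kind, (("pid", pid),), (e.id,)))
                next_id += 1
        elif e.kind == "net_request":
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            # Emitted once, when the window first reaches the threshold.
            if len(recent) >= threshold and not in_burst:
                out.append(Event(next_id, e.ts, "net_request_burst",
                                 (("count", len(recent)),), tuple(r.id for r in recent)))
                next_id += 1
            in_burst = len(recent) >= threshold
    return out

def resolve(event, index):
    """Follow source links through every level down to raw event ids."""
    if not event.sources:
        return [event.id]
    return [rid for sid in event.sources for rid in resolve(index[sid], index)]

# Constructed sample trace (not real trace data).
RAW = [
    Event(1, 0.00, "sched_switch", (("prev", 10), ("next", 20))),
    Event(2, 0.10, "net_request"),
    Event(3, 0.20, "net_request"),
    Event(4, 0.30, "net_request"),
    Event(5, 0.40, "net_request"),
    Event(6, 5.00, "net_request"),
]
```

Because `resolve` is recursive, an event produced by a later analysis stage (for example a fault warning whose only source is the burst event) still resolves to the four raw requests behind it.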