Log data compliance

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . The objections and rejections from the Office Action of 1/28/2025 are hereby withdrawn. New grounds for rejection are presented below. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/6/2025 has been entered. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-4, 6, 7, 9-14, and 16-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Klaedtke (US 20200076852 A1) and Ferro et al. (US 20060206612 A1)[hereinafter “Ferro”]. Regarding Claims 1 and 22, Klaedtke discloses a method (and corresponding computer system, see Paragraph [0093]) for determining compliance of multiple processes performed by another computer system [Paragraph [0011] – “FIG. 5 is a flow diagram illustrating a process for detecting patterns in an event stream”Paragraph [0013] – “A problem unique to computer systems and solved by embodiments of the present invention is how to efficiently analyze logged events in a manner that is scalable, e.g., scalable to effectively to handle several thousand to several millions of events per second (or more). Furthermore, the analysis of events is often required to be performed in real-time, that is, the events should be processed at the rate they are generated. This is an ever growing problem in computer systems (including networked systems) that are increasingly growing by adding more and more system components. Each additional system component can generate events that should be analyzed to determine whether the system components and the overall system is performing correctly (e.g., within policy constraints). Thus, embodiments of the invention provide mechanisms for distributing and parallelizing the analysis of a stream of events for determining whether system components or an overall network of system components are performing correctly.”], the method comprising: receiving log data comprising multiple traces, each trace comprising a sequence of multiple log events [See the slices in Fig. 2, “E1 E4” and “E2 E4” each comprising two events.Paragraph [0090] – “the log analyzer 208 receives one or more logged events (e.g., E1, E2, E3, E4 . . . )”Paragraph [0092] – “In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”] corresponding to one of multiple different respective process executions of the multiple processes and representing an execution of multiple tasks, each of the multiple log events being associated with an event time and with one of the multiple tasks [Paragraph [0090] – “At operation 508, the log analyzer 208 receives one or more logged events (e.g., E1, E2, E3, E4 . . . ) as the event stream 202. A timestamp can be included in each of the logged events. The event stream 202 may be received from a plurality of system components (C1, C2, C3 . . . ) of the system 100.”The events correspond to different component processes, see Paragraph [0013].], at least one of the multiple tasks occurring in two or more traces [See the slices in Fig. 2, “E1 E4” and “E2 E4” each including E4.]; creating a single stream of log events using the traces, the single stream of log events comprising the multiple log events from the multiple respective different process executions [Paragraph [0091] – “At operation 510, the log analyzer 208 analyzes each received event in the one or more logged events to assign each received event to one or more slices (e.g., slices 212-1, 212-2 . . . 212-N).”Paragraph [0092] – “In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”], wherein the single stream of log events is sorted by the associated event time [Paragraph [0040] – “Furthermore, policies correlate events and data values within the events with each other in a temporal dimension.”]; and executing one or more evaluation functions on the set of variables to determine compliance of the multiple processes, the one or more evaluation functions representing compliance rules based on the set of variables [Paragraph [0089] – “At operation 506, the log analyzer 208 constructs one or more event groups based on the policy specification 206 and the event data classification 204.”Paragraph [0091] – “The grouping of each received event into slices is performed based on the one or more event groups constructed at step 506. Received events that do not fit into any of the event groups (e.g., irrelevant for the policy) are dropped.”Paragraph [0092] – “At operation 512, the log analyzer 208 checks each slice individually against the policy specification 206 to determine whether there is a policy violation. In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”], at least one of the compliance rules being based on the at least one of the multiple tasks occurring in the two or more traces [The corresponding compliance evaluation of E4, which is included in multiple slices.]. Klaedtke fails to disclose iterating over the single stream of log events according to the associated event time, and for each log event, executing one or more update functions that define updates of a set of variables based on the log events, the set of variables comprising at least one cross-trace variable associated with the at least one of the multiple tasks occurring in two or more traces to calculate an updated value of one or more of the set of variables, wherein the one or more update functions define updates of the at least one cross-trace variable in response to the log events of more than one of the traces, and the at least one cross-trace variable encodes a status of the associated task in each of the two or more traces at an event time; and that the evaluation functions are also based on the updated variables including the at least one cross-trace variable. However, Ferro discloses the use of an update function for updating variables based on cross-trace variables between data stores in response to the occurrence of a triggering event [See Paragraphs [0031]-[0035] and [0039]-[0040]], in which the at least one cross-trace variable encodes a status of the associated task at an event time [Paragraph [0035] – “Cross-system characteristics information may include data regarding the time the cross-system activity occurred, the identity of the system from which the cross-system activity originated, the identity of a business object that caused the cross-system activity, etc.”]. It would have been obvious to perform such information updating on the data stream and its corresponding slices and to perform the compliance evaluation on the updated data stream in order for the compliance evaluation to produce a more pertinent result based on the most recent events. Regarding Claim 2, Klaedtke discloses that the method comprises executing the one or more evaluation functions for each log event [Paragraph [0091] – “At operation 510, the log analyzer 208 analyzes each received event in the one or more logged events to assign each received event to one or more slices (e.g., slices 212-1, 212-2 . . . 212-N).”Paragraph [0092] – “At operation 512, the log analyzer 208 checks each slice individually against the policy specification 206 to determine whether there is a policy violation. In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”]. Regarding Claim 3, the combination would disclose that the method comprises performing the steps of creating, iterating and executing in real-time to determine compliance while receiving further log data [Paragraph [0040] of Ferro – “For example, if the computing systems that make up the distributed system environments contain local logging systems, then the local logging systems can transmit cross-linking information containing data such as the identity of the originating system of the cross-system activity and a timestamp for the cross-system activity to system 100. In the example discussed above, when a change in services offered on first system 410 is initiated, if first system 410 contained a local logging system, then the local logging system could transmit the cross-linking information to system 100 for logging. Subsequently, this logged cross-linking information could be accessed to obtain more detailed cross-system characteristics of the cross-system activity if required (discussed below).”Paragraph [0042] of Ferro – “In addition to cross-linking information as discussed above, the application could also transmit information regarding the user that initiated such changes, the identity of the application, the identity of the task or event that caused such changes, etc. This more detailed cross-system activity could be transmitted synchronously or asynchronously and in near-time or queued.”Paragraph [0036] of Klaedtke – “In embodiments, monitors check properties on event streams in real-time. Parallelizing the monitoring process (e.g., on multiple computation nodes) can achieve a throughput that enables real-time monitoring.”]. Regarding Claim 4, Klaedtke discloses that the compliance rules comprise a conditional obligation [Paragraph [0040] – “In an example, a policy can state that a server is only allowed to access files classified as confidential when the most recent security patches have been previously installed. … For example, an event of installing a security patch is temporally related to accessing a confidential file by the example policy stated above.”] or are defined across multiple processes [Paragraph [0040] – “A policy describes how a system and its components, e.g., the system including system components (C1, C2, C3, . . . ) in FIG. 1, should and should not behave.”]. Regarding Claim 6, the combination would disclose that the update functions define an update of one of the set of variables [Paragraph [0039] of Ferro – “In this embodiment, activities or events that occur on any of the computing systems of distributed system 400 may have cross-system effects. For example, a change in services offered by first system 410 may have effects on second system 420 in that the list maintained by second system 420 may need to be updated to reflect the change in services offered by first system 410.”] in response to log data from multiple processes or multiple process instances [Paragraph [0029] of Klaedtke – “The system 100 includes a plurality of system components (C1, C2, C3, . . . ) that interact with each other, for example, over asynchronous channels. Each of the system components (C1, C2, C3, . . . ) logs actions it performs.”]. Regarding Claim 7, Klaedtke discloses that the log data comprises log data generated by a computer system executing an operating system [Paragraphs [0037]-[0039], the log data is generated via Unix OS], and the log data is generated by different processes executed by the operating system [Paragraph [0029] – “The system 100 includes a plurality of system components (C1, C2, C3, . . . ) that interact with each other, for example, over asynchronous channels. Each of the system components (C1, C2, C3, . . . ) logs actions it performs.”]. Regarding Claim 9, Klaedtke discloses that the multiple log events comprise start log events that indicate the beginning of one of the multiple tasks and stop events that indicate the end of the one of the multiple tasks [See the parallel processing in Fig. 4 regarding “consume” and “request.”Paragraph [0079] – “The substream 0 includes the events consume(a, t) and request(a′, t′)”]. Regarding Claim 10, Klaedtke discloses that the one or more evaluation functions are represented by evaluation predicates [Paragraph [0041] – “The core syntax of the policy specification language of an embodiment of the present invention is given by the grammar: … where p ranges over the predicate symbols (which describe events or properties of events or properties of data values), x ranges over the variables names, and r over the registers. Furthermore, I specifies a relative time period.”]. Regarding Claim 11, Klaedtke discloses that the evaluation predicates are associated with a logical value indicating a predetermined occurrence of log events [Paragraph [0041] – “The core syntax of the policy specification language of an embodiment of the present invention is given by the grammar: … where p ranges over the predicate symbols (which describe events or properties of events or properties of data values), x ranges over the variables names, and r over the registers. Furthermore, I specifies a relative time period.”]. Regarding Claim 12, Klaedtke discloses that the evaluation predicates are defined on a graph structure [See the graph structure of Fig. 4, the predicates being “consume” and “request.”Paragraph [0073] – “An event ev(a, t) determines interpretation of the predicate symbol ev”]. Regarding Claim 13, Klaedtke discloses that the graph structure defines a precedence among the evaluation predicates [See the graph structure of Fig. 4, “consume” followed by “request.”]. Regarding Claim 14, Klaedtke discloses that the method further comprises determining a set of evaluation functions or update functions that require execution based on the graph structure [See Fig. 4 and Paragraph [0077] – “The given event classification is transformed with respect to the guards of the policy specification. FIG. 4 illustrates an example where m=2, according to an embodiment of the invention. For example, using FIG. 4, an event request(0,3) is classified in C.sub.20 because the guard request(agent′, token′) AND token′=token+1 is satisfiable for some event in C.sub.10, that is, any event consume(a, 2) with a∈custom-character. The variable token′ is frozen to the data value 3 (originating from the event request(0,3)), and the variable token is frozen to the data value 2 (originating from the event consume(a, 2)).”] and executing only the set of evaluation functions or update functions in that iteration [Paragraph [0080] – “An intuitive reason why slicing, according to embodiments of the invention, is property preserving and the substreams can be monitored independently from each other is that an event that does not satisfy a guard is irrelevant for satisfaction of the temporal property. For instance, for EVENTUALLYI FREEZE x.g AND p, when the event does not satisfy g, then the event is trivially not a witness that p becomes eventually true within the time bound I. The event can therefore be safely ignored.”]. Regarding Claim 16, Klaedtke discloses that the set is stored on volatile computer memory [Paragraph [0093] – “The processor 604 executes computer executable instructions comprising embodiments of the system for performing the functions and methods described above. In embodiments, the computer executable instructions are locally stored and accessed from a non-transitory computer readable medium, such as storage 610, which may be a hard drive or flash drive. Read Only Memory (ROM) 606 includes computer executable instructions for initializing the processor 604, while the random-access memory (RAM) 608 is the main memory for loading and processing instructions executed by the processor 604.”]. Regarding Claim 17, Klaedtke discloses that the graph structure represents a combination of the state that has been checked and the evaluation functions or update functions that require execution [See the parallel processing in Fig. 4, which includes a 0.5s pause in completing the path on the right side.]. Regarding Claim 18, Klaedtke discloses: generating an instance of an update function or evaluation function or both to represent a rule [See the parallel processing in Fig. 4 regarding “consume” and “request.”]; storing the generated instance in volatile computer memory [Paragraph [0093] – “The processor 604 executes computer executable instructions comprising embodiments of the system for performing the functions and methods described above. In embodiments, the computer executable instructions are locally stored and accessed from a non-transitory computer readable medium, such as storage 610, which may be a hard drive or flash drive. Read Only Memory (ROM) 606 includes computer executable instructions for initializing the processor 604, while the random-access memory (RAM) 608 is the main memory for loading and processing instructions executed by the processor 604.”]; executing the generated instance in the volatile computer memory [See the parallel processing in Fig. 4 regarding “consume” and “request.”]; and discarding or overwriting the generated instance in the volatile computer memory while further determining compliance [Paragraph [0092] – “At operation 512, the log analyzer 208 checks each slice individually against the policy specification 206 to determine whether there is a policy violation. In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.” This is performed subsequent to the event classification.]. Regarding Claim 19, Klaedtke discloses determining compliance of the two or more traces in parallel against multiple rules, the two or more traces being dependent on each other [The corresponding compliance evaluation of “E1 E4” and “E2 E4,” which both include E4.Paragraph [0092] – “At operation 512, the log analyzer 208 checks each slice individually against the policy specification 206 to determine whether there is a policy violation. In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”]. Regarding Claim 20, Klaedtke discloses that the one or more evaluation functions are executed for an in-force time interval defined by the rules [See the parallel processing in Fig. 4, which includes a [0,5s] pause in completing the path on the right side.Paragraph [0080] – “For instance, for EVENTUALLYI FREEZE x.g AND p, when the event does not satisfy g, then the event is trivially not a witness that p becomes eventually true within the time bound I. The event can therefore be safely ignored.”]. Regarding Claim 21, Klaedtke discloses non-transitory computer readable medium with program code stored thereon that, when executed by a computer, causes the computer to perform the method of claim 1 [Paragraph [0093] – “The processor 604 executes computer executable instructions comprising embodiments of the system for performing the functions and methods described above. In embodiments, the computer executable instructions are locally stored and accessed from a non-transitory computer readable medium, such as storage 610, which may be a hard drive or flash drive. Read Only Memory (ROM) 606 includes computer executable instructions for initializing the processor 604, while the random-access memory (RAM) 608 is the main memory for loading and processing instructions executed by the processor 604.”]. Claim(s) 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Klaedtke (US 20200076852 A1), Ferro et al. (US 20060206612 A1)[hereinafter “Ferro”], and Chandrasekaran (US 20070271573 A1). Regarding Claim 15, Klaedtke fails to disclose traversing the graph structure to assess compliance by, at each step: adding evaluation functions and update functions to the set, executing the evaluation functions and update functions in the set, and removing one or more of the evaluation functions and one or more of the update functions from the set as defined by the graph structure. However, Chandrasekaran discloses the addition, execution, and removal of evaluation and updating functions to a logical query [See Paragraph [0138], the addition of “barriers” to parallel sub-sequence tracks that permit logically updating or deleting earlier events.]. It would have been obvious to take such an approach in order to conserve computational resources during even classification. Response to Arguments Applicant argues: PNG media_image1.png 530 787 media_image1.png Greyscale Examiner’s Response: The Examiner respectfully disagrees. Klaedtke discloses receiving log data comprising multiple traces, each trace comprising a sequence of multiple log events [See the slices in Fig. 2, “E1 E4” and “E2 E4” each comprising two events.Paragraph [0090] – “the log analyzer 208 receives one or more logged events (e.g., E1, E2, E3, E4 . . . )”Paragraph [0092] – “In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”] corresponding to one of multiple different respective process executions of the multiple processes and representing an execution of multiple tasks, each of the multiple log events being associated with an event time and with one of the multiple tasks [Paragraph [0090] – “At operation 508, the log analyzer 208 receives one or more logged events (e.g., E1, E2, E3, E4 . . . ) as the event stream 202. A timestamp can be included in each of the logged events. The event stream 202 may be received from a plurality of system components (C1, C2, C3 . . . ) of the system 100.”The events correspond to different component processes, see Paragraph [0013].], at least one of the multiple tasks occurring in two or more traces [See the slices in Fig. 2, “E1 E4” and “E2 E4” each including E4.]. Applicant argues: PNG media_image2.png 126 792 media_image2.png Greyscale PNG media_image3.png 353 787 media_image3.png Greyscale Examiner’s Response: The Examiner respectfully disagrees. The slices are fed to the monitors of log analyzer 208 [Paragraph [0091] – “At operation 510, the log analyzer 208 analyzes each received event in the one or more logged events to assign each received event to one or more slices (e.g., slices 212-1, 212-2 . . . 212-N).”Paragraph [0092] – “In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”] as a single stream from slicer 210 [See Fig. 2]. Applicant argues: PNG media_image4.png 487 786 media_image4.png Greyscale Examiner’s Response: Ferro is cited regarding this limitation. Applicant argues: PNG media_image5.png 121 792 media_image5.png Greyscale PNG media_image6.png 213 786 media_image6.png Greyscale Examiner’s Response: Ferro is cited regarding the limitations involving the “cross-trace variable.” Klaedtke discloses the compliance rules being based on the at least one of the multiple tasks occurring in the two or more traces [The corresponding compliance evaluation of E4, which is included in multiple slices.]. Applicant argues: PNG media_image7.png 622 783 media_image7.png Greyscale PNG media_image8.png 349 784 media_image8.png Greyscale PNG media_image9.png 29 789 media_image9.png Greyscale … PNG media_image10.png 530 793 media_image10.png Greyscale Examiner’s Response: The Examiner respectfully disagrees in that the application of the teachings of Ferro relative to the context of Klaedtke would read on the recited cross-trace analysis of tasks corresponding to multiple processes [Paragraph [0090] of Klaedtke – “At operation 508, the log analyzer 208 receives one or more logged events (e.g., E1, E2, E3, E4 . . . ) as the event stream 202. A timestamp can be included in each of the logged events. The event stream 202 may be received from a plurality of system components (C1, C2, C3 . . . ) of the system 100.”The events correspond to different component processes, see Paragraph [0013] of Klaedtke.]. Applicant argues: PNG media_image11.png 212 786 media_image11.png Greyscale Examiner’s Response: The Examiner respectfully disagrees. Ferro discloses that the at least one cross-trace variable encodes a status of the associated task at an event time [Paragraph [0035] – “Cross-system characteristics information may include data regarding the time the cross-system activity occurred, the identity of the system from which the cross-system activity originated, the identity of a business object that caused the cross-system activity, etc.”]. Applicant argues: PNG media_image12.png 393 783 media_image12.png Greyscale Examiner’s Response: Klaedtke discloses determining compliance of the two or more traces in parallel against multiple rules, the two or more traces being dependent on each other [The corresponding compliance evaluation of “E1 E4” and “E2 E4,” which both include E4.Paragraph [0092] – “At operation 512, the log analyzer 208 checks each slice individually against the policy specification 206 to determine whether there is a policy violation. In an embodiment, a plurality of monitors (214-1, 214-2 . . . 214-N), each corresponding to a respective one of the slices (212-1, 212-2 . . . 212-N), performs the plurality of individual policy checks and outputs their results to a reporter 216.”]. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US 20190108112 A1 – SYSTEM AND METHOD FOR GENERATING A LOG ANALYSIS REPORT FROM A SET OF DATA SOURCES Robert et al., On-line Monitoring of Real Time Applications for Early Error Detection, IEEE, 2008 Any inquiry concerning this communication or earlier communications from the examiner should be directed to KYLE ROBERT QUIGLEY whose telephone number is (313)446-4879. The examiner can normally be reached 9AM-5PM EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arleen Vazquez can be reached at (571) 272-2619. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KYLE R QUIGLEY/Primary Examiner, Art Unit 2857