Ex Parte Cowham et al
Patent Trial and Appeal Board
Mar 11, 2015
11590142 (P.T.A.B. Mar. 11, 2015)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte ADRIAN COWHAM, NEESHANT D. DESAI, and DEVON L. DAWSON

Appeal 2013-001143
Application 11/590,142
Technology Center 2400

Before: JOSEPH L. DIXON, JAMES R. HUGHES, and ERIC S. FRAHM, Administrative Patent Judges.

DIXON, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Appellants appeal under 35 U.S.C. § 134 from a rejection of claims 1–9, 11–17, and 25–28. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

The invention relates to managing syslog protocol messages (see generally, Spec. 1:14–3:20). Claim 1, reproduced below, is illustrative of the claimed subject matter:

1. A method for managing syslog messages relative to the format of the syslog messages, the method comprising:

receiving a syslog message;

determining, by a computer, whether the syslog message format is valid by comparing the syslog message format to the format of one of a plurality of separate syslog message templates to identify whether the format of the syslog message matches the format of the syslog message template;

if the syslog message format does not match the format of the syslog message template, individually comparing the syslog message format with formats of the other syslog message templates until a match is found or it is determined that the syslog message format matches none of the formats of the syslog message templates; and

if it is determined that the syslog message format matches none of the formats of the syslog message templates, determining whether to accept the syslog message format as a new format of the syslog message templates.

REFERENCES

The prior art relied upon by the Examiner in rejecting the claims on appeal is:

Aguilar-Macias    US 7,844,999 B1       Nov. 30, 2010
Grabarnik         US 2005/0022207 A1    Jan. 27, 2005
Opatowski         US 2005/0080763 A1    Apr. 14, 2005

How to configure and use the Jalasoft Xian Syslog Server, Revision: B0001-SLR01, Date 11/30/05, Jalasoft Knowledge Base Articles, © 2005 Jalasoft Corp., (hereinafter “Jalasoft”)

REJECTION

The Examiner made the following rejection:

Claims 1–9, 11–17, and 25–28 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Jalasoft, Opatowski, Aguilar-Macias, and Grabarnik.

ANALYSIS

Claims 1–9, 11–17, and 25–27

Appellants contend that Aguilar-Macias fails to teach the claim 1 limitation “if it is determined that the syslog message format matches none of the formats of the syslog message templates, determining whether to accept the syslog message format as a new format of the syslog message templates” (App. Br. 9–10). Specifically, Appellants argue:

Aguilar-Macias adds an available parser to the list and does not create a new parser based on the received message. Adding the newly found parser to the list associated with the host that receives the message, as disclosed in Aguilar-Macias, is not the same as determining whether to accept the received message format as a new format of the message templates, as recited in claim 1.

(App. Br. 10). We disagree with Appellants.

First, as the Examiner notes, claim 1 does not require creating a new parser based on a new format of a received syslog message (Ans. 3). Rather, claim 1 recites “determining whether to accept the syslog message format as a new format of the syslog message templates.” That is, claim 1 merely requires adding the ability of the computer to match received syslog messages having the new format with a syslog message template.
Aguilar-Macias discloses unsuccessfully attempting to parse a message—for example, a syslog message (Aguilar-Macias, col. 5, ll. 10–16)—with the parsers currently associated with a host (Aguilar-Macias, col. 6, ll. 1–28). The host then attempts to detect the device type of the message originator by using a comprehensive list of parsers available (Aguilar-Macias, col. 6, ll. 29–38). Specifically,

If the message was not parsed successfully, the event builder module 34 can direct a device detection module 38 to discover the appropriate parser to use by performing a brute-force parsing of the message using all the available parsers until the correct parser is found. The device detection module 38, upon finding a parser that works on the message, adds this parser, and any other parser associated with the device type of the found parser, to the list of parsers that are associated with the host. The event builder module 34 can then build a normalized security event by parsing the message using the parser identified by the device detection module.

(Aguilar-Macias, col. 7, ll. 34–44). Here, we find that adding the found parser that can parse the message to the host’s list of parsers meets the claim 1 limitation of accepting a syslog message format as a new format.

Second, we note that Appellants have not presented specific arguments regarding the Grabarnik reference, which the Examiner also relies on with respect to the argued claim 1 limitation (see Final Rej. 5–6). Grabarnik discloses that in response to encountering an unparseable message, “the machine may create possible (candidate) parsing rule templates” (Grabarnik, ¶ 74). “[T]he machine refines and verifies the parsing rule by applying the parsing rule to the current message. . . . Further, in the case when the analyst is satisfied with results, the machine uses . . . and saves parsing rules . . . . That is, . . .
a newly created rule is added to the parsing rules and run against all data.” (Grabarnik, ¶¶ 76–77). Appellants have not specifically explained why this disclosure in Grabarnik fails to meet the claim 1 limitation “if it is determined that the syslog message format matches none of the formats of the syslog message templates, determining whether to accept the syslog message format as a new format of the syslog message templates.”

We are, therefore, not persuaded the Examiner erred in rejecting claim 1, and claims 2–9, 11–17, and 25–27 not specifically argued separately.

Claim 28

Appellants contend:

Grabarnik fails to determine that a predetermined number of messages having a particular invalid format have been received, as recited in claim 28. Instead, the system of Grabarnik shows parsing errors to an analyst after adding a new rule to a set of parsing rules and running the parsing rules against all data. See Grabarnik, paragraph [0077]. As such, the parsing errors in Grabarnik are shown to the analyst after running the parsing rules, and not in response to determining that a predetermined number of messages having a particular invalid format have been received.

(App. Br. 12). We disagree with Appellants.

Grabarnik discloses: “In step 601, the machine parses messages until it encounters a message generating error during parsing (i.e., the machine is unable to parse a message), or until it reaches the end of the data. The unparseable message is displayed to the analyst in the log viewer . . . .” (Grabarnik, ¶ 71). We agree with the Examiner (Final Rej. 19–20; Ans.
4–5) that this disclosure meets the claim 28 limitations of “determining that a predetermined number of messages having a particular currently invalid format have been received and, responsive to the determination, automatically sending an alert to a human being” because Grabarnik’s machine first encounters an unparseable message, then displays the message to the analyst. We note that although Appellants acknowledge the Examiner’s interpretation that the claim 28 limitation “determining that a predetermined number of messages having a particularly currently invalid format have been received” encompasses Grabarnik’s encountering one unparseable message, Appellants do not specifically argue against this interpretation (see App. Br. 12–13).

We are, therefore, not persuaded the Examiner erred in rejecting claim 28.

CONCLUSION

The Examiner did not err in rejecting claims 1–9, 11–17, and 25–28 under 35 U.S.C. § 103(a).

DECISION

For the above reasons, the Examiner’s decision rejecting claims 1–9, 11–17, and 25–28 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED

Klh