DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-16, 18 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent Application Publication 2007/0283194 to Villella et al.
As concerns claim 1, a network log time alignment method, comprising: obtaining to-be-analyzed log data (0005-log messages) of multiple network devices (0005-variety network platforms; 0081);  
parsing the log data of the multiple network devices to obtain features (0058-parsing log messages; 0006-processing log messages; metadata, fields of information; 0007-rules based processing of log messages; 0013; 0081-hostname identifier) in the log data of the multiple network devices; 
determining a set of features (0116-0117-events, statistics; abstract-events (e.g. unauthorized access, logins, etc.)) in the log data of the multiple network devices are associated with each other according to the features obtained in the log data of the multiple network devices 
performing alignment (0006-normalization of log information, time zones; 0021-time stamp, normalize for local time zone, clock offset, platform time; 0022-collected time stamps related to a common time reference; 0098-timestamp synchronized) on log time in the log data of the multiple network devices according to the set of associated features.
  	As concerns claim 9, a network log processing apparatus, wherein the apparatus comprises: a processor (0050-inherent computer will have a processor); and a non-transitory computer readable medium (inherent computer will have memory, 0050) which contains computer-executable instructions; the processor is configured to execute the computer-executable instructions to perform operations comprising: 
obtaining to-be-analyzed log data (0005-log messages) of multiple network devices (0005-variety network platforms; 0081);  
parsing the log data of the multiple network devices to obtain features of each network device (0058-parsing log messages; 0006-processing log messages; metadata, fields of information; 0007-rules based processing of log messages; 0013; 0081-hostname identifier); 
determining associated features of the multiple network devices according to the features of each network device (0006-metadata, fields of information; 0007; 0016; 0116-0117-similar events, event statistics); and 
performing alignment (0006-normalization of log information, time zones; 0021-time stamp, normalize for local time zone, clock offset, platform time; 0098) on log time in the log data of the multiple network devices according to the associated features.  

As concerns claims 3 and 11, the invention according to claims 1 and 9, wherein the parsing the log data of the multiple network devices to obtain features of each network device comprises: obtaining identical events (0055-same events on different computers; 0089) in the log data of the multiple network devices by means of analysis; and 
for each network device, determining log items that correspond to the identical events and that are in log data of the network device as the features of the network device (0055-log manager determines log events).  
As concerns claims 4 and 12, the invention according to claims 1 and 9, wherein the method further comprises: obtaining pairing events (0055-same events on different computers; 0110) in a system; and the parsing the log data of the multiple network devices to obtain features of each network device comprises: recognizing the pairing events in the log data of the multiple network devices (0055-log manager determines log events; 0106; 0116); and for each network device, determining log items corresponding to the pairing events as the features of the network device (0055; 0106; 0097).  
As concerns claims 5 and 13, the invention according to claims 1 and 9, wherein the method further comprises: obtaining pairing statuses in a system (0074; 0109-0110); and the 
As concerns claims 6 and 14, the invention according to claims 1 and 9, wherein each network device has multiple features, and the determining associated features of the multiple network devices according to the features of each network device comprises: determining features having a maximum correlation in multiple features of the multiple network devices (0097-parsing information of particular fields; 0098-log particular type of message; 0099-rule to log messages based on various features/parameters;  0108-analysis tool, frequency of particular event, breakdown of events by type), wherein the features having the maximum correlation are the associated features of the multiple network devices (0097; 0108; 0111-rules, event data; thus features from multiple devices that match rule have a “maximum correlation” with each other; 0116-analyze to determine if information is reoccurring, certain events over a period of time are similar).  
As concerns claims 7 and 15, the invention according to claims 1 and 9, wherein the performing alignment on log time in the log data of the multiple network devices according to the associated features comprises: 
obtaining a reference time (0022) for log alignment; 
and for each network device, determining a calibration time deviation (0022) of the network device, wherein the calibration time deviation is a difference between a log time of the associated feature of the network device and the reference time (0022-time stamp for collected event, system time…time is used to make corrections for clock offsets; 0098-synchronizing time 
As concerns claims 8 and 16, the method according to claim 7, 
wherein the reference time is a log time of an associated feature in log data of a network device in the multiple network devices, or 
the reference time is a fault report time (0099; 0108).
As concerns claims 18 and 20, the invention according to claims 7 and 15, wherein the log time in the log data of the first network device is a first log time (labeling “log time” as “first log time” is merely a label), and wherein the method further comprises: subtracting the calibration time deviation from a second log time (0022-correction to clock offsets; 0098-synchronizing time will inherently perform the correct calculation for alignment based on difference) in the log data of the first network device, the first and second log time being separate and distinct from each other (first and second log times are log times of separate events, at “separate” and “distinct” time points; fig. 21-alarm events).

Allowable Subject Matter
Claims 17 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Response to Arguments
Applicant's arguments filed December 31, 2020 have been fully considered but they are not persuasive. 
The applicant’s arguments are directed to newly directed limitations. These limitations have been addressed in the rejection cited above (see at least paragraphs 0116-0117-similar events, event statistics, and reoccurring events).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B WALSH whose telephone number is (571)272-7063.  The examiner can normally be reached on 7:30-3:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher L Parry can be reached on 571-272-8328.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to 


/JOHN B WALSH/Primary Examiner, Art Unit 2451