CN112882920A - Alarm policy verification method and device, electronic equipment and readable storage medium - Google Patents

Publication number: CN112882920A
Authority: CN (China)
Prior art keywords: alarm, verification analysis, strategy, verification, policy
Legal status: Granted, Active
Application number: CN202110470624.XA
Other languages: Chinese (zh)
Other versions: CN112882920B (en)
Inventors: 马瑞宽, 杨宜, 邹永强, 杨晖
Current Assignee: Accumulus Technologies Tianjin Co Ltd
Original Assignee: Accumulus Technologies Tianjin Co Ltd
Application filed by Accumulus Technologies Tianjin Co Ltd
Priority to CN202110470624.XA
Publication of CN112882920A
Application granted
Publication of CN112882920B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3409 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • G06F11/3093 Configuration details thereof, e.g. installation, enabling, spatial arrangement of the probes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324 Display of status information
    • G06F11/327 Alarm or error message display
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/542 Event management; Broadcasting; Multicasting; Notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Multimedia (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides an alarm policy verification method and device, electronic equipment and a readable storage medium, and relates to the technical field of computers. The method comprises: acquiring an alarm policy; if an operation is received indicating that the user wants to verify and analyze the alarm policy, acquiring the verification analysis parameters corresponding to the alarm policy and generating a verification analysis number corresponding to the alarm policy; receiving a time interval of system log data input by the user; screening, from historical system log data, a plurality of target log events that fall within the time interval and match the verification analysis parameters, and generating a verification analysis result for the verification analysis number from the event data of the target log events; and updating the policy parameters of the alarm policy according to the verification analysis result of the verification analysis number. Because the configuration parameters of the alarm policy are verified and analyzed in advance against historical system log data, the policy can be reasonably configured and optimized before the alarm policy is enabled.

Description

Alarm policy verification method and device, electronic equipment and readable storage medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to an alarm policy verification method, an alarm policy verification device, electronic equipment and a readable storage medium.
Background
Alarm event management is an important module in a log auditing system. It raises alarms on sensitive events based on system log data, so that alarm events can be handled in time and greater risks avoided. Alarm policy configuration is the precondition for alarm event management, and whether the alarm policy is configured properly directly affects the health of the alarm events that follow.
In the prior art, a user usually configures the parameters of an alarm policy from their own understanding of the service. Whether the parameter configuration is reasonable depends heavily on the configurer's familiarity with the service and on configuration experience, so the experience requirement is high and use of the system is considerably limited. Unreasonable configuration easily produces invalid alarm events, which raises the cost of manual interpretation; it also easily causes alarm events to be missed or duplicated, so the purpose of alerting cannot be achieved efficiently. The prior-art scheme of adjusting the alarm policy in reverse from specific alarm events has poor timeliness in practice.
Disclosure of Invention
The embodiments of the invention provide an alarm policy verification method and device, electronic equipment and a readable storage medium, to solve the prior-art problems that alarm policy configuration depends heavily on configuration experience, the cost of manual interpretation is high, alerting is inefficient, and policy tuning is not timely.
To solve the above technical problem, the invention is implemented as follows:
In a first aspect, an embodiment of the present invention provides an alarm policy verification method, including:
acquiring an alarm policy selected by a user from an alarm policy list;
if an operation is received indicating that the user wants to verify and analyze the alarm policy, acquiring the verification analysis parameters corresponding to the alarm policy and generating a verification analysis number corresponding to the alarm policy;
receiving a time interval of system log data input by the user;
screening, from historical system log data, a plurality of target log events that fall within the time interval and match the verification analysis parameters, and generating a verification analysis result for the verification analysis number from the event data of the target log events;
and updating the policy parameters of the alarm policy according to the verification analysis result of the verification analysis number.
Optionally, each verification analysis of the alarm policy corresponds to one verification analysis number; the method further includes:
when one alarm policy corresponds to a plurality of verification analysis numbers, receiving a first operation input by the user, and displaying, based on the first operation, a comparison interface of the verification analysis results corresponding to the verification analysis numbers, so as to show how the alarm policy is optimized before and after its policy parameters are modified.
Optionally, screening out from the historical system log data a plurality of target log events that fall within the time interval and match the verification analysis parameters includes:
writing the first target log event in the historical system log data that falls within the time interval and matches the verification analysis parameters into a graph data list;
traversing the historical system log data and continuing to write target log events that fall within the time interval and match the verification analysis parameters into the graph data list, until the writing time of the last target log event in the graph data list is greater than the termination time of the time interval;
and displaying the graph data list.
Optionally, the event data of the target log event includes at least a key-value pair of the occurrence time of the target log event and the number of target log events.
Optionally, if the alarm policy is deleted before the policy parameters of the alarm policy are updated, the method further includes:
adding an alarm policy according to the verification analysis result of the current verification analysis number.
Optionally, when the verification analysis parameters include the policy parameters of the alarm policy, if the policy parameters of the alarm policy are modified, acquiring the verification analysis parameters corresponding to the alarm policy includes:
writing the modified policy parameters into the verification analysis parameters.
Optionally, when the event data of the target log event further includes the event type of the target log event, the verification analysis result of the verification analysis number includes at least one of: a list of historical event counts by time, a list of historical event counts by event type, and a list of operation frequencies counted over historical events at different times.
In a second aspect, an embodiment of the present invention further provides an alarm policy verification device, including:
an obtaining module, configured to obtain an alarm policy selected by a user from an alarm policy list;
the obtaining module being further configured to, if an operation is received indicating that the user wants to verify and analyze the alarm policy, obtain the verification analysis parameters corresponding to the alarm policy and generate a verification analysis number corresponding to the alarm policy;
a receiving module, configured to receive a time interval of system log data input by the user;
an execution module, configured to screen out, from historical system log data, a plurality of target log events that fall within the time interval and match the verification analysis parameters, and to generate a verification analysis result for the verification analysis number from the event data of the target log events;
and an updating module, configured to update the policy parameters of the alarm policy according to the verification analysis result of the verification analysis number.
In a third aspect, an embodiment of the present invention further provides an electronic device, including: a processor, a memory and a program stored on the memory and executable on the processor, where the program, when executed by the processor, performs the steps of the alarm policy verification method according to any one of the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a readable storage medium, where the readable storage medium stores a program, and the program, when executed by a processor, implements the steps of the alarm policy verification method according to any one of the first aspect.
By verifying and analyzing the configuration parameters of the log alarm policy in advance against historical system log data, the invention completes reasonable configuration and optimization of the policy before the alarm policy is enabled. This greatly reduces labor cost, avoids the risk of missed or redundant alarm events caused by unreasonable configuration, and improves the usability, timeliness and practicability of alarm event management in the log audit system. The alarm policy verification method is suitable for general service personnel and is broadly applicable; it verifies the rationality and pertinence of the current alarm policy configuration parameters against historical sample data, and the most reasonable configuration parameters are finally applied with a one-click update, which maximizes the health and practicability of the alarm events triggered by the alarm policy.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a schematic flow chart of an alarm policy verification method according to an embodiment of the present invention;
Fig. 2 is a second schematic flowchart of an alarm policy verification method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an alarm policy verification apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to Fig. 1, Fig. 1 is a schematic flow chart of an alarm policy verification method according to an embodiment of the present invention. The alarm policy verification method includes the following steps:
Step 11: acquiring an alarm policy selected by a user from an alarm policy list;
Step 12: if an operation is received indicating that the user wants to verify and analyze the alarm policy, acquiring the verification analysis parameters corresponding to the alarm policy and generating a verification analysis number corresponding to the alarm policy;
Step 13: receiving a time interval of system log data input by the user;
Step 14: screening, from historical system log data, a plurality of target log events that fall within the time interval and match the verification analysis parameters, and generating a verification analysis result for the verification analysis number from the event data of the target log events;
Step 15: updating the policy parameters of the alarm policy according to the verification analysis result of the verification analysis number.
By verifying and analyzing the configuration parameters of the log alarm policy in advance against historical system log data, the invention completes reasonable configuration and optimization of the policy before the alarm policy is enabled. This greatly reduces labor cost, avoids the risk of missed or redundant alarm events caused by unreasonable configuration, and improves the usability, timeliness and practicability of alarm event management in the log audit system. The alarm policy verification method is suitable for general service personnel and is broadly applicable; it verifies the rationality and pertinence of the current alarm policy configuration parameters against historical sample data, and the most reasonable configuration parameters are finally applied with a one-click update, which maximizes the health and practicability of the alarm events triggered by the alarm policy.
In some embodiments of the present invention, optionally, the analysis result of the verification analysis number is displayed in the form of a graph.
In some embodiments of the present invention, optionally, each verification analysis of the alarm policy corresponds to one verification analysis number; the method further includes:
when one alarm policy corresponds to a plurality of verification analysis numbers, receiving a first operation input by the user, and displaying, based on the first operation, a comparison interface of the verification analysis results corresponding to the verification analysis numbers, so as to show how the alarm policy is optimized before and after its policy parameters are modified.
In some embodiments of the present invention, optionally, the user comprehensively compares and analyzes, through the comparison interface, the verification analysis result corresponding to each verification analysis number, to obtain the verification analysis number that meets the preset convergence effect.
In this embodiment of the invention, the alarm policy verification method verifies the rationality and pertinence of the current alarm policy configuration parameters against historical sample data. One alarm policy can correspond to several verification analysis numbers, and each verification analysis adjusts the alarm policy parameters. By operating the comparison interface of the verification analysis results for those numbers, the user can adjust and compare multiple configuration parameters, view how the alarm policy performs before and after its policy parameters are modified, and adjust the target policy parameters step by step until the effect of the alarm policy is optimized.
In some embodiments of the present invention, optionally, when one alarm policy corresponds to multiple verification analysis numbers, multiple verification analysis tasks are started asynchronously so that the verification analyses run simultaneously.
In some embodiments of the present invention, optionally, screening out from the historical system log data a plurality of target log events that fall within the time interval and match the verification analysis parameters includes:
writing the first target log event in the historical system log data that falls within the time interval and matches the verification analysis parameters into a graph data list;
traversing the historical system log data and continuing to write target log events that fall within the time interval and match the verification analysis parameters into the graph data list, until the writing time of the last target log event in the graph data list is greater than the termination time of the time interval;
and displaying the graph data list.
In this embodiment of the invention, target log events are screened using the historical system log data, the verification analysis parameters and the time interval to obtain the graph data list of target log events, so that the verification analysis process and result of the alarm policy are displayed visually. The user can conveniently modify the alarm policy parameters according to the verification analysis result, which reduces dependence on operator experience. Verification against historical target log events reduces the number of invalid alarm events and with it the large amount of manual interpretation that invalid alarms require. Verifying and adjusting the policy parameters in advance against historical data also solves the timeliness problem caused by having to adjust the alarm policy in reverse from alarm events.
Specifically, referring to Fig. 2, Fig. 2 is a second schematic flowchart of the alarm policy verification method according to the embodiment of the present invention, in which starting a verification analysis task according to a verification analysis number and generating target log events includes:
Step 21: declaring a list variable for the graph data list;
Step 22: declaring an integer variable i;
Step 23: checking the data volume corresponding to the current time; if the data volume is 1, which indicates that data is being written for the first time, going to step 241; otherwise, going to step 251;
Step 241: assigning 0 to i, and going to step 242;
Step 242: writing the first piece of {key: value} data in the sample interval into the list, and going to step 26;
Step 251: incrementing the data volume corresponding to the current time, and going to step 252;
Step 252: checking whether the time of the last data item in the list differs from the sample termination time; if so, going to step 2531; otherwise, going to step 2532;
Step 2531: writing the {key: value} data in the sample interval into the list, incrementing the variable i, and going to step 26;
Step 2532: appending data to the value list of the last element in the list, writing the {key: value} data in the sample interval, incrementing the variable i, and going to step 26;
Step 26: looping over the historical event data that matches the verification analysis parameters: while data remains, going to step 23; otherwise, exiting the traversal and returning the list data for graphical display.
In some embodiments of the present invention, optionally, the event data of the target log event at least includes a key-value pair of the occurrence time of the target log event and the number of the target log events.
In this embodiment of the invention, the event data of the target log event is a key-value pair. What the key-value pair is composed of relates to the verification analysis parameter name, the historical time attribute, the number of users and so on, and can be adjusted to the user's actual requirements.
In some embodiments of the present invention, optionally, the verification analysis parameter includes at least one of an alarm name, an alarm type, a query time interval, a trigger condition, a trigger threshold, and an alarm white list.
In some embodiments of the present invention, optionally, the analysis result of the verification analysis number includes: at least one of a total number of historical events, a number of associated users, and an event trigger probability.
In some embodiments of the present invention, optionally, the graph data list comprises at least one of a historical event number list counted by time, a historical event number list counted by event type, or an operation frequency list counted by historical events of different times.
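One way to implement the screening of step 14 and the result fields listed above, as an added Python example that is not code from the patent. The field names, the hourly bucketing, the definition of trigger probability as the share of buckets that reach the threshold, and the sample events (constructed) are all assumptions; two parameter sets are replayed so their results can be compared by verification analysis number.

```python
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from math import ceil


@dataclass(frozen=True)
class VerificationParams:
    # Field names are assumptions; the page only lists the kinds of parameter.
    alarm_name: str
    event_types: frozenset              # alarm type(s) the policy watches
    trigger_threshold: int              # events per bucket that would raise an alarm
    bucket: timedelta                   # query time interval used for grouping
    whitelist: frozenset = frozenset()  # alarm white list: users never counted


def backtest(events, params, start, end):
    """Replay time-sorted historical log events against one parameter set."""
    graph = []                          # graph data list: [[bucket_start, count], ...]
    by_type, users = Counter(), set()
    for ev in events:
        if ev["time"] >= end:           # past the termination time: stop traversing
            break
        if ev["time"] < start or ev["type"] not in params.event_types:
            continue
        if ev["user"] in params.whitelist:
            continue
        key = start + (ev["time"] - start) // params.bucket * params.bucket
        if graph and graph[-1][0] == key:
            graph[-1][1] += 1           # same bucket as the last element: accumulate
        else:
            graph.append([key, 1])      # new {time: count} entry
        by_type[ev["type"]] += 1
        users.add(ev["user"])
    n_buckets = ceil((end - start) / params.bucket)
    fired = [k for k, n in graph if n >= params.trigger_threshold]
    return {
        "total_events": sum(n for _, n in graph),
        "associated_users": len(users),
        "by_time": graph,
        "by_type": dict(by_type),
        "alarms": fired,
        # Assumed definition: share of buckets in the interval that would alarm.
        "trigger_probability": len(fired) / n_buckets,
    }


def compare_runs(events, candidates, start, end):
    """One verification analysis number per candidate parameter set."""
    return {number: backtest(events, params, start, end)
            for number, params in enumerate(candidates, start=1)}


T0 = datetime(2021, 4, 1)


def make_event(minute, user, etype):
    return {"time": T0 + timedelta(minutes=minute), "user": user, "type": etype}


# Constructed sample data, sorted by time (not taken from any real system).
SAMPLE_EVENTS = (
    [make_event(5, "alice", "login_failed"),
     make_event(10, "alice", "login_failed"),
     make_event(20, "bob", "login_failed"),
     make_event(40, "svc-backup", "login_failed"),   # whitelisted account
     make_event(75, "bob", "priv_change"),
     make_event(90, "alice", "login_failed")]
    + [make_event(m, "carol", "login_failed") for m in range(125, 130)]
    + [make_event(150, "alice", "file_read"),        # type the policy ignores
       make_event(190, "bob", "login_failed"),
       make_event(250, "bob", "login_failed")]       # after the interval ends
)

BASE = VerificationParams(
    alarm_name="auth-anomaly",
    event_types=frozenset({"login_failed", "priv_change"}),
    trigger_threshold=3,
    bucket=timedelta(hours=1),
    whitelist=frozenset({"svc-backup"}),
)

if __name__ == "__main__":
    runs = compare_runs(SAMPLE_EVENTS,
                        [BASE, replace(BASE, trigger_threshold=5)],
                        T0, T0 + timedelta(hours=4))
    for number, result in runs.items():
        print(number, len(result["alarms"]), result["trigger_probability"])
```

Raising the threshold from 3 to 5 on this sample halves the number of buckets that would alarm, which is the before/after comparison the policy owner makes before updating the live policy.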
In some embodiments of the present invention, optionally, if the alarm policy is deleted before the policy parameters of the alarm policy are updated, the method further includes:
adding an alarm policy according to the verification analysis result of the current verification analysis number.
In this embodiment of the invention, when the alarm policy has been deleted, the user can generate an alarm policy by adding policy data based on the verification analysis parameters and verification analysis result corresponding to the current verification analysis number, which flexibly ensures the safety of the alarm policy parameters.
In some embodiments of the present invention, optionally, updating the policy parameters of the alarm policy according to the verification analysis result of the verification analysis number includes:
acquiring the alarm policy number according to the verification analysis number;
acquiring the verification analysis parameters according to the verification analysis number, and acquiring the detailed information of the alarm policy according to the alarm policy number;
and updating the alarm policy according to the verification analysis parameters and the detailed information of the alarm policy.
Specifically, after the verification analysis task finishes, if the user confirms the parameter configuration result, the alarm policy can be updated as follows: first, the system acquires the verification analysis number of the task and the corresponding verification analysis parameters; it then acquires the corresponding alarm policy number from the verification analysis number, and from that the details of the alarm policy; it then checks the state of the current alarm policy: if the alarm policy is in a normal state, the original alarm policy is updated; if the alarm policy has been deleted, a new alarm policy is added according to the result of the verification analysis.
In some embodiments of the present invention, optionally, when the verification analysis parameters include the policy parameters of the alarm policy, if the policy parameters of the alarm policy are modified, acquiring the verification analysis parameters corresponding to the alarm policy includes:
writing the modified policy parameters into the verification analysis parameters.
In this embodiment of the invention, when the verification analysis parameters include the policy parameters of the alarm policy and the user modifies the policy parameters, the current verification analysis parameters include the latest policy parameters, which ensures the timeliness of the current verification analysis.
Specifically, the current verification analysis list is queried, by alarm policy number and current verification analysis parameters, for whether the target task exists;
if the target task exists, the recorded state value of the task is checked further, that is, whether the verification analysis has finished;
if the verification analysis has finished, the verification analysis number and the state value of the task are returned; otherwise only the state value is returned; the output is then passed on to generate the verification analysis result;
and if the target task does not exist, a verification analysis number is generated for the task, one verification analysis record is inserted, the output is passed on to generate the verification analysis result, and the verification analysis task is started asynchronously.
In some embodiments of the present invention, optionally, when the event data of the target log event further includes the event type of the target log event, the verification analysis result of the verification analysis number includes at least one of: a list of historical event counts by time, a list of historical event counts by event type, and a list of operation frequencies counted over historical events at different times.
In this embodiment of the invention, when the event data of the target log event includes the event type of the target log event, the occurrence time of the target log event and the number of target log events, the verification analysis result can cover a list of historical event counts by time, a list of historical event counts by event type, or a list of operation frequencies counted over historical events at different times. From these lists the user can see directly how likely historical events are to raise alarms along each dimension and adjust the alarm policy parameters accordingly, which reduces dependence on operator experience: a general operator can determine reasonable configuration parameters from the multi-dimensional graphical verification analysis result. Screening based on historical target events also reduces the number of invalid alarm events and the large amount of manual interpretation that invalid alarms require. Counting the event types of the various target events solves the timeliness problem caused by having to adjust the alarm policy in reverse from specific alarm events.
In some embodiments of the present invention, optionally, the policy parameters of the alarm policy are stored in a policy table, and are obtained by querying according to the policy number of each alarm policy.
Referring to Fig. 3, Fig. 3 is a schematic structural diagram of an alarm policy verification apparatus according to an embodiment of the present invention; the embodiment of the present invention further provides an alarm policy verification apparatus 30, including:
an obtaining module 31, configured to obtain an alarm policy selected by a user from an alarm policy list;
the obtaining module 31 is further configured to, if an operation that a user needs to perform verification analysis on the alarm policy is received, obtain a verification analysis parameter corresponding to the alarm policy, and generate a verification analysis number corresponding to the alarm policy;
a receiving module 32, configured to receive a time interval of system log data input by a user;
the execution module 33 is configured to screen out a plurality of target log events which are located in the time interval and meet the verification analysis parameters from historical system log data, and generate a verification analysis result of the verification analysis number according to event data of the target log events;
and the updating module 34 is configured to update the policy parameter of the alarm policy according to the verification analysis result of the verification analysis number.
In this embodiment of the invention, the alarm policy verification device verifies and analyzes the configuration parameters of the log alarm policy in advance against historical system log data, so that reasonable configuration and optimization of the policy are completed before the alarm policy is enabled. This greatly reduces labor cost, avoids the risk of missed or redundant alarm events caused by unreasonable configuration, and improves the usability, timeliness and practicability of alarm event management in the log audit system. The alarm policy verification device is suitable for general service personnel and is broadly applicable; it verifies the rationality and pertinence of the current alarm policy configuration parameters against historical sample data, and the most reasonable configuration parameters are finally applied with a one-click update, which maximizes the health and practicability of the alarm events triggered by the alarm policy.
In some embodiments of the present invention, optionally, the analysis result of the verification analysis number is displayed in the form of a graph.
In some embodiments of the present invention, optionally, each time the alarm policy performs verification analysis, the alarm policy corresponds to one verification analysis number;
when an alarm policy corresponds to a plurality of verification analysis numbers, the execution module 33 is further configured to receive a first operation input by a user, and display a comparison interface of verification analysis results corresponding to the plurality of verification analysis numbers based on the first operation, so as to reflect an optimization condition of the alarm policy before and after a policy parameter of the alarm policy is modified.
In some embodiments of the present invention, optionally, the user comprehensively compares and analyzes the verification analysis result corresponding to each verification analysis number through the comparison interface to obtain the verification analysis number meeting the preset convergence effect.
In this embodiment of the invention, the alarm policy verification device verifies the rationality and pertinence of the current alarm policy configuration parameters against historical sample data. One alarm policy can correspond to several verification analysis numbers, and each verification analysis is one adjustment of the alarm policy parameters. Through the comparison interface for the verification analysis results of those numbers, the user can adjust and compare various configuration parameters, check how the alarm policy performs before and after its policy parameters are modified, and adjust the target policy parameters step by step until the effect of the alarm policy is optimized.
In some embodiments of the present invention, optionally, when one alarm policy corresponds to multiple verification analysis numbers, multiple verification analysis tasks are asynchronously started to perform verification analysis simultaneously.
In some embodiments of the present invention, optionally, the executing module 33 is further configured to write a first target log event, which is located in the time interval and meets the verification analysis parameter, in the historical system log data into a graph data list; traversing the historical system log data, and continuously writing a target log event which is positioned in the time interval and accords with the verification analysis parameter into the graph data list until the writing time of the last target log event in the graph data list is greater than the termination time of the time interval; and displaying the graphic data list.
In this embodiment of the invention, target log events are screened using the historical system log data, the verification analysis parameters and the time interval, producing a graph data list of target log events. The verification analysis process and its result are thereby displayed visually, so the user can conveniently modify the alarm policy parameters according to the result, which reduces dependence on operator experience. Verification against historical target log events reduces the number of invalid alarm events and removes the need for extensive manual interpretation of invalid alarms. Because the policy parameters are verified and adjusted in advance from historical data, the timeliness problem of having to adjust the alarm policy retroactively from alarm events is also solved.
In some embodiments of the present invention, optionally, the event data of the target log event at least includes a key-value pair of the occurrence time of the target log event and the number of the target log events.
In this embodiment of the invention, the event data of the target log event is a key-value pair. The composition of the key-value pair depends on the verification analysis parameter name, the historical time attribute, the number of users and the like, and can be adjusted to the actual requirements of the user.
In some embodiments of the present invention, optionally, the verification analysis parameter includes at least one of an alarm name, an alarm type, a query time interval, a trigger condition, a trigger threshold, and an alarm white list.
In some embodiments of the present invention, optionally, the analysis result of the verification analysis number includes: at least one of a total number of historical events, a number of associated users, and an event trigger probability.
In some embodiments of the present invention, optionally, the graph data list comprises at least one of a historical event number list counted by time, a historical event number list counted by event type, or an operation frequency list counted by historical events of different times.
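The screening and comparison steps described above can be sketched as follows. This is an added example, not code from the patent: the field names, the sample log, the half-open interval, the per-window trigger condition and the definition of event trigger probability (share of windows in which the threshold was reached) are all assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import count

@dataclass(frozen=True)
class AnalysisParams:
    alarm_name: str
    alarm_type: str                      # event type the policy watches
    window: timedelta                    # query time interval (bucket width)
    threshold: int                       # trigger threshold: matching events per window
    whitelist: frozenset = frozenset()   # alarm white list of users

def at(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed historical log events, time-ordered: (occurrence time, user, event type).
HISTORY = [(at(t), user, etype) for t, user, etype in [
    ("2021-03-31 23:58", "alice", "login_failed"),
    ("2021-04-01 00:01", "alice", "login_failed"),
    ("2021-04-01 00:02", "alice", "login_failed"),
    ("2021-04-01 00:03", "svc-backup", "login_failed"),
    ("2021-04-01 00:04", "svc-backup", "login_failed"),
    ("2021-04-01 00:05", "svc-backup", "login_failed"),
    ("2021-04-01 00:12", "bob", "file_delete"),
    ("2021-04-01 00:21", "bob", "login_failed"),
    ("2021-04-01 00:22", "bob", "login_failed"),
    ("2021-04-01 00:23", "bob", "login_failed"),
    ("2021-04-01 00:24", "bob", "login_failed"),
    ("2021-04-01 00:41", "carol", "login_failed"),
    ("2021-04-01 01:05", "carol", "login_failed"),
]]
START, END = at("2021-04-01 00:00"), at("2021-04-01 01:00")
BASELINE = AnalysisParams("failed-login burst", "login_failed", timedelta(minutes=10), 3)
TUNED = AnalysisParams("failed-login burst", "login_failed", timedelta(minutes=10), 3,
                       frozenset({"svc-backup"}))

RUNS = {}                # verification analysis number -> (params, result)
_next_number = count(1)

def verify(params, start, end, history=HISTORY):
    """Replay the policy over [start, end) and return (analysis number, result)."""
    per_window, users = Counter(), set()
    for when, user, etype in history:
        if when >= end:                  # time-ordered input: stop once past the interval
            break
        if when < start or etype != params.alarm_type or user in params.whitelist:
            continue
        per_window[(when - start) // params.window] += 1
        users.add(user)
    windows = math.ceil((end - start) / params.window)
    fired = sum(1 for n in per_window.values() if n >= params.threshold)
    result = {
        "total_events": sum(per_window.values()),
        "associated_users": len(users),
        # Assumed definition: share of windows in which the policy would have fired.
        "trigger_probability": round(fired / windows, 4),
        # Key-value pairs of window start time -> number of target log events.
        "series": {(start + i * params.window).strftime("%H:%M"): per_window[i]
                   for i in range(windows)},
    }
    number = next(_next_number)
    RUNS[number] = (params, result)
    return number, result

def compare(*numbers):
    """One row per analysis number, for a before/after view of a parameter change."""
    return [{"number": n, "threshold": RUNS[n][0].threshold,
             "whitelist": sorted(RUNS[n][0].whitelist),
             "total_events": RUNS[n][1]["total_events"],
             "trigger_probability": RUNS[n][1]["trigger_probability"]}
            for n in numbers]

if __name__ == "__main__":
    a, _ = verify(BASELINE, START, END)
    b, _ = verify(TUNED, START, END)
    for row in compare(a, b):
        print(row)
```

On this sample, whitelisting the service account removes the window in which only its retries crossed the threshold, while the burst from `bob` still fires.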
In some embodiments of the present invention, optionally, if the alarm policy is deleted before the policy parameter is updated to the alarm policy, the executing module 33 is further configured to add an additional alarm policy according to the verification analysis result of the current verification analysis number.
In this embodiment of the invention, when the alarm policy has been deleted, the user can generate an alarm policy by adding policy data based on the verification analysis parameters and the verification analysis result of the current verification analysis number, thereby flexibly ensuring the safety of the alarm policy parameters.
In some embodiments of the present invention, optionally, the updating module 34 is further configured to obtain the alarm policy number according to the verification analysis number; acquiring the verification analysis parameters according to the verification analysis serial number, and acquiring detailed information of the alarm strategy according to the alarm strategy serial number; and updating the alarm strategy according to the verification analysis parameters and the detailed information of the alarm strategy.
Specifically, after the verification analysis task finishes, if the user confirms the parameter configuration result, the alarm policy may be updated as follows: first, the system acquires the verification analysis number of the task and the corresponding verification analysis parameters; it then acquires the corresponding alarm policy number from the verification analysis number, and from that the details of the alarm policy; finally, it checks the state of the current alarm policy: if the alarm policy is in a normal state, the original alarm policy is updated; if the alarm policy has been deleted, a new alarm policy is added according to the verification analysis result.
In some embodiments of the present invention, optionally, when the verification analysis parameters include the policy parameters of the alarm policy, if the policy parameters of the alarm policy are modified, the obtaining module 31 is further configured to write the updated policy parameters into the verification analysis parameters. In this embodiment of the invention, when the verification analysis parameters include the policy parameters of the alarm policy and the user modifies the policy parameters, the current verification analysis parameters contain the latest policy parameters, which ensures the timeliness of the current verification analysis.
Specifically, the current verification analysis list is queried by the alarm policy number and the current verification analysis parameters to determine whether the target task exists;
if the target task exists, the recorded state value of the task is checked, that is, whether verification analysis has finished;
if verification analysis has finished, the verification analysis number and the state value of the task are returned; otherwise only the state value is returned, and the output result is handed over to generate the analysis result;
and if the target task does not exist, a verification analysis number is generated for the task, one verification analysis record is inserted, the output is handed over to generate the analysis result, and the verification analysis task is started asynchronously.
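The task lookup above and the update step described before it (update a policy in the normal state, add a new one if it was deleted) can be sketched together. This is an added example, not code from the patent: `POLICIES`, `TASKS`, `submit`, `apply_result`, the state strings and the value returned for a newly created task are hypothetical.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from itertools import count

# Constructed policy table: alarm policy number -> state and policy parameters.
POLICIES = {7: {"state": "normal", "params": {"threshold": 5, "window_min": 10}}}
TASKS = {}                       # verification analysis number -> task record
_by_key = {}                     # (policy number, parameters) -> analysis number
_numbers = count(1)
_lock = threading.Lock()
_pool = ThreadPoolExecutor(max_workers=4)

def _key(policy_no, params):
    return policy_no, tuple(sorted(params.items()))

def submit(policy_no, params, analyse):
    """Look the task up first; start a new analysis only if none exists."""
    with _lock:                  # lookup and insert must be one atomic step
        number = _by_key.get(_key(policy_no, params))
        if number is not None:
            if TASKS[number]["future"].done():
                return number, "finished"
            return None, "running"           # unfinished: state value only
        number = next(_numbers)
        _by_key[_key(policy_no, params)] = number
        TASKS[number] = {"policy_no": policy_no, "params": dict(params),
                         "future": _pool.submit(analyse, params)}
        return number, "running"

def apply_result(number):
    """After the user confirms: update the policy, or re-add it if it was deleted."""
    task = TASKS[number]
    task["future"].result()      # blocks until the analysis has finished
    policy = POLICIES.get(task["policy_no"])
    if policy is not None and policy["state"] == "normal":
        policy["params"] = dict(task["params"])
        return task["policy_no"], "updated"
    new_no = max(POLICIES, default=0) + 1
    POLICIES[new_no] = {"state": "normal", "params": dict(task["params"])}
    return new_no, "added"
```

Keying the lookup on both the policy number and the parameters means a repeated request with unchanged parameters reuses the existing run, while any parameter change produces a new verification analysis number.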
In some embodiments of the present invention, optionally, when the event data of the target log event further includes an event type of the target log event, the verification analysis result of the verification analysis number includes at least one of a historical event number list counted by time, a historical event number list counted by the event type, and an operation frequency list counted by historical events of different times.
In this embodiment of the present invention, when the event data of the target log event includes the event type of the target log event, the occurrence time of the target log event and the number of target log events, the verification analysis result can cover a list of historical event counts by time, a list of historical event counts by event type, or a list of operation frequencies counted over historical events at different times. From these lists the user can see directly how likely historical events are to raise an alarm along each dimension and adjust the alarm policy parameters accordingly, which reduces dependence on operator experience and lets a general operator determine reasonable configuration parameters from the multi-dimensional graphical verification analysis result. Screening based on historical target events also reduces the number of invalid alarm events and removes the need for extensive manual interpretation of invalid alarms. Counting the event types of the various target events solves the timeliness problem of having to adjust the alarm policy retroactively from specific alarm events.
In some embodiments of the present invention, optionally, the policy parameters of the alarm policy are stored in a policy table, and are obtained by querying according to the policy number of each alarm policy.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
The electronic device 40 includes a processor 41, a memory 42, and a program stored in the memory 42 and executable on the processor 41. When executed by the processor 41, the program implements each process of any embodiment of the alarm policy verification method described above and achieves the same technical effect; to avoid repetition, details are not repeated here.
The embodiment of the present invention further provides a readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements each process of any one of the embodiments of the alarm policy verification method described above, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. An alarm policy verification method, comprising:
acquiring an alarm strategy selected by a user from an alarm strategy list;
if receiving an operation that a user needs to verify and analyze the alarm strategy, acquiring a verification analysis parameter corresponding to the alarm strategy and generating a verification analysis number corresponding to the alarm strategy;
receiving a time interval of system log data input by a user;
screening a plurality of target log events which are positioned in the time interval and accord with the verification analysis parameters from historical system log data, and generating a verification analysis result of the verification analysis number according to event data of the target log events;
and updating the strategy parameters of the alarm strategy according to the verification analysis result of the verification analysis number.
2. The alarm policy verification method according to claim 1, wherein each time verification analysis is performed on the alarm strategy, the alarm strategy corresponds to one verification analysis number; the method further comprises the following steps:
when one alarm strategy corresponds to a plurality of verification analysis numbers, receiving a first operation input by a user, and displaying a comparison interface of verification analysis results corresponding to the verification analysis numbers based on the first operation so as to reflect the optimization condition of the alarm strategy before and after the strategy parameters of the alarm strategy are modified.
3. The method of claim 1, wherein the screening of the historical system log data for a plurality of target log events within the time interval and meeting the verification analysis parameters comprises:
writing a first target log event which is in the time interval and accords with the verification analysis parameter in the historical system log data into a graph data list;
traversing the historical system log data, and continuously writing a target log event which is positioned in the time interval and accords with the verification analysis parameter into the graph data list until the writing time of the last target log event in the graph data list is greater than the termination time of the time interval;
and displaying the graphic data list.
4. The alarm policy verification method of claim 1, wherein the event data of the target log event comprises at least a key-value pair of the occurrence time of the target log event and the number of target log events.
5. The method of claim 1, wherein if the alarm policy is deleted before updating the policy parameters of the alarm policy, the method further comprises:
and adding an alarm strategy according to the verification analysis result of the current verification analysis number.
6. The method according to claim 1, wherein when the verification analysis parameter includes a policy parameter of the alarm policy, if the policy parameter of the alarm policy is modified, the obtaining the verification analysis parameter corresponding to the alarm policy includes:
and updating the updated strategy parameters into the verification analysis parameters.
7. The alarm policy verification method according to claim 4, wherein when the event data of the target log event further includes an event type of the target log event, the verification analysis result of the verification analysis number includes at least one of a list of historical event counts by time, a list of historical event counts by event type, and a list of operation frequencies counted over historical events at different times.
8. An alarm policy verification device, comprising:
the acquisition module is used for acquiring an alarm strategy selected by a user from the alarm strategy list;
the obtaining module is further configured to obtain a verification analysis parameter corresponding to the alarm policy and generate a verification analysis number corresponding to the alarm policy if an operation that a user needs to perform verification analysis on the alarm policy is received;
the receiving module is used for receiving a time interval of system log data input by a user;
the execution module is used for screening out a plurality of target log events which are positioned in the time interval and accord with the verification analysis parameters from the log data of the historical system, and generating a verification analysis result of the verification analysis number according to the event data of the target log events;
and the updating module is used for updating the strategy parameters of the alarm strategy according to the verification analysis result of the verification analysis serial number.
9. An electronic device, comprising: a processor, a memory and a program stored on the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the alarm policy verification method according to any of claims 1 to 7.
10. A readable storage medium, characterized in that the readable storage medium has stored thereon a program which, when executed by a processor, carries out the steps of the alarm policy verification method according to any one of claims 1 to 7.
CN202110470624.XA 2021-04-29 2021-04-29 Alarm policy verification method and device, electronic equipment and readable storage medium Active CN112882920B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110470624.XA CN112882920B (en) 2021-04-29 2021-04-29 Alarm policy verification method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN112882920A true CN112882920A (en) 2021-06-01
CN112882920B CN112882920B (en) 2021-06-29

Family

ID=76040235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110470624.XA Active CN112882920B (en) 2021-04-29 2021-04-29 Alarm policy verification method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN112882920B (en)

Also Published As

Publication number Publication date
CN112882920B (en) 2021-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant