CN113835981A - Log format adapting method, system, device and computer readable storage medium - Google Patents


Info

Publication number: CN113835981A
Authority: CN (China)
Prior art keywords: log, information, template, type, format
Legal status: Withdrawn (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202110970954.5A
Other languages: Chinese (zh)
Inventors: 刘磊, 张红学
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202110970954.5A; publication of CN113835981A; current legal status: withdrawn.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F 11/3466 Performance evaluation by tracing or monitoring
    • G06F 11/3476 Data logging

Abstract

The application relates to a log format adaptation method, system, device and computer readable storage medium in the technical field of computer software. The adaptation method comprises: obtaining a log default template, which includes a log default template for HTTP; editing the log default template to obtain a log format template and storing it; determining the type of system log to be sent out by auditing network traffic, which includes HTTP request messages, and reading the log format template corresponding to that type; extracting information from the network traffic, including the source IP, and filling it into the corresponding values of that log format template to generate an outgoing log; sending the outgoing log to a log server so that the log server parses it and obtains the information it contains; and receiving and displaying that information. The method and device have the effect of improving the adaptability of the log template to the log server.

Description

Log format adapting method, system, device and computer readable storage medium
Technical Field
The present application relates to the field of computer software technologies, and in particular, to a method, a system, an apparatus, and a computer-readable storage medium for adapting a log format.
Background
The system log records hardware and software problems in the system and can also be used to monitor events occurring in the system. Through it the user can check the cause of an error or, when under attack, look for traces left by the attacker.
In the related art, the system logs sent out by devices all use built-in fixed templates: the order of the fields is fixed, every field is represented in the form key="value" (for example src="1.1.1.1"), the separators between fields are fixed, and the key names are predefined. When the device sends an outgoing log to the server it therefore only needs to fill the obtained values into the template and send the filled log to the user's log server, which then parses it.
For the related art described above, the inventor believes that, because the format of the system log sent out by the device is fixed while the log servers of different users differ, a log server that only receives logs in the fixed template is very likely to fail to parse the outgoing log correctly, so the log template cannot be flexibly adapted to the log server.
Disclosure of Invention
In order to improve the adaptability of the log template to the log server, the application provides a log format adapting method, a log format adapting system, a log format adapting device and a computer readable storage medium.
In a first aspect, the present application provides a log format adaptation method, which adopts the following technical scheme:
a log format adaptation method, comprising:
acquiring a log default template; the log default template comprises a plurality of types, including an HTTP log default template and an ICMP log default template;
editing the content in the log default template to obtain a log format template and storing the log format template; the type of the log format template corresponds to the type of the log default template;
determining the type of the system log to be sent out by auditing network traffic, and reading the log format template corresponding to that type; the network traffic comprises ICMP request messages and HTTP request messages; the type of the system log to be sent out is configured in advance and corresponds to the type of the log format template;
extracting information from the network traffic and filling it into the corresponding values of the log format template to generate an outgoing log, wherein the information comprises a source IP and a source port;
sending the outgoing log to a log server, so that the log server parses the outgoing log and obtains the information in it;
and receiving and displaying the information in the outgoing log.
By adopting the technical scheme, after the log default template is obtained, the user can edit the log default template according to the log server of the user, so that a log format template is obtained; then based on the type of the system log to be sent out, reading a log format template corresponding to the system log to be sent out, and then filling the acquired information into a value corresponding to the log format template information, thereby generating a log to be sent out; and then the to-be-sent log is sent to the log server, the log server can analyze the to-be-sent log so as to obtain the information in the to-be-sent log, and then the information is displayed after being received so as to be known by a user.
The user can edit the default log template according to the own log server, so that the to-be-sent log can be adapted to the log server, and the log server can analyze the to-be-sent log, thereby improving the adaptability of the log template to the log server.
Optionally, the specific method for editing the content in the log default template includes:
editing keywords in the log default template to obtain the log format template; for example, the log default template comprises a manufacturer ID whose keyword is vendor, i.e. vendor='topsec', and after the keyword is edited the keyword of the manufacturer ID in the log format template is aaaa, i.e. aaaa='topsec'.
Optionally, before the information is filled into the value corresponding to the information in the corresponding log format template, the method further includes:
comparing the type of the separator in the information with the type of the separator in the log to be sent out, and if the type of the separator in the information is the same as the type of the separator in the log to be sent out, performing escape on the type of the separator in the information according to a preset escape rule; the escape refers to that the same separator in the information as that in the outgoing log is converted into other characters.
By adopting the technical scheme, the same characters in the flow information and the outgoing log are converted into other characters in an escape mode, so that the problem that the analysis of the outgoing log by the log server has errors after the outgoing log is sent to the log server in the later period is avoided.
Optionally, the escape rule is configured in the log server by the user in advance; wherein the escape rule comprises converting the separator "|" into a separator "|/".
By adopting the technical scheme, the log server can receive information sent by a plurality of devices, namely, a plurality of types of logs to be sent out, but because the escape rule in the log server is certain, the escape of the types of information characters in the plurality of types of logs to be sent out is the same, so that the source of the devices can be conveniently identified.
Optionally, the specific method for editing the content in the log default template further includes:
and editing the log default template on line or after downloading.
By adopting the technical scheme, different requirements of users can be met through different editing modes.
Optionally, the specific method for storing the log format template includes:
and the plurality of log format templates are stored separately or collectively.
By adopting the technical scheme, different storage modes are adopted, and different requirements of users can be met.
In a second aspect, the present application provides a log format adaptation system, which adopts the following technical solutions:
a log format adaptation system comprises a test device and a log server;
the test equipment comprises a display screen, a storage module, an editing module and a first processor; the display screen, the storage module and the editing module are all in communication connection with the first processor;
the display screen is used for displaying a log default template and displaying information in the log to be sent out; the editing module is used for editing a log default template; the storage module stores a log format template and a log default template;
the first processor is used for auditing network flow to determine the type of a system log to be sent out and reading the log format template corresponding to the type; the first processor is used for extracting the information in the network flow and filling the information into the value corresponding to the information in the corresponding log format template so as to generate a to-be-sent log;
the log server comprises a second processor which is in communication connection with the first processor;
and the second processor is used for receiving and analyzing the log to be sent out so as to obtain and send the information in the log to be sent out.
By adopting the technical scheme, the first processor reads the log default template from the storage module, the display screen displays it, the user edits it through the editing module to obtain the log format template, and the log format template is stored in the storage module; the first processor then audits network traffic to determine the type of log to be sent out and reads the log format template corresponding to that type; the first processor extracts information from the network traffic and fills it into the corresponding values of the log format template to generate an outgoing log; the first processor sends the outgoing log to the log server, where the second processor parses it to obtain the information it contains; the second processor feeds that information back to the test equipment, and the display screen displays it;
the user can edit the default log template according to the own log server, so that the to-be-sent log can be adapted to the log server, and the log server can analyze the to-be-sent log, thereby improving the adaptability of the log template to the log server.
Optionally, the test apparatus further includes a third processor; the third processor is in communication connection with the first processor;
and the third processor is used for comparing the type of the separator in the information with the type of the separator in the outgoing log, and if the two are the same, escaping the separator in the information according to a preset escape rule.
By adopting the technical scheme, after the first processor extracts the information from the network traffic, the information is passed to the third processor, which inspects the separators in the information; if the type of separator in the information is the same as that in the outgoing log, the separator in the information is escaped according to the preset escape rule; the third processor then passes the escaped information to the second processor, and the second processor fills the information into the corresponding values of the log format template to generate the outgoing log.
In a third aspect, the present application provides a log format adapting device, which adopts the following technical scheme:
a log format adaptation apparatus, comprising:
a memory for storing the log format adaptation program;
and the processor is used for executing the log format adapting program stored on the memory so as to realize the steps of the log format adapting method.
In a fourth aspect, the present application provides a computer-readable storage medium, which adopts the following technical solutions:
a computer readable storage medium storing a computer program that can be loaded by a processor and executes the above-described log format adaptation method.
Drawings
Fig. 1 is a block diagram of the network architecture of the present application.
Fig. 2 is a block flow diagram of an embodiment of the method of the present application.
Fig. 3 is a block diagram of the process for escaping characters in the information in an embodiment of the method.
Fig. 4 is a block diagram of another embodiment of the present application.
Description of reference numerals: 100, test equipment; 110, display screen; 120, storage module; 130, first processor; 140, third processor; 150, editing module; 200, log server; 210, second processor.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to fig. 1 to 4 of the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, in the present application, a log format adaptation network architecture is built based on a log format adaptation method, and includes a test device and a log server, where the log server may be in communication connection with one test device or a plurality of test devices. The test equipment can be equipment with an operation interface, such as a smart phone and production equipment, and the operation interface can be an operation display interface capable of performing human-computer interaction, such as a webui interface. The test equipment sends the log to be sent out to the log server, the log server is used for analyzing the log to be sent out so as to obtain information in the log to be sent out, then the information is fed back to the test equipment, and the information can be displayed through operation interfaces such as a webui interface and the like so as to be known by a user.
In the related art, because the format of the system log sent out by the device is fixed, but the log servers of the users are different, the log server only depends on the log template with the fixed format, and the log server has a great possibility of analyzing the log to be sent out to generate errors, so that the log template cannot be flexibly adapted to the log server.
For example, in the related art the format of the outgoing log is key=value with adjacent values separated by a space. Assume the outgoing log is sip=1.1.1.1 sport=51415 dip=2.2.2.2 dport=80 proto=TCP, giving in turn the source IP address, source port number, destination IP address, destination port number and network layer protocol.
If the user's log server requires the outgoing log to carry no keys and to use "|" as the separator, then an outgoing log produced with the related-art template cannot be parsed by that log server.
Therefore, in order to improve the adaptability of the log template to the log server, the present application provides a log format adaptation method, and referring to fig. 2, the method may include the following steps S110 to S160:
s110, acquiring a log default template; the log default template can be of various types, and can be any one of a log default template of an HTTP (hyper text transport protocol), a log default template of an icmp protocol, a log default template of an attack detection class, a log default template of a zombie host class, a log default template of a malicious program detection class and the like.
The log default template is built in the test equipment and is a fixed format template.
One fixed format of the log default template is as follows:
Field | Key | Display key? | Separator to next value | Order of value | Encoding mode / escape method
Vendor ID | vendor | Yes | Space | 1 | None
Device type | dev-type | Yes | Space | 2 | None
Device name | dev-name | Yes | Space | 3 | None
Management address | dev-ip | Yes | Space | 4 | None
Time | time | Yes | Space | 5 | None
Log type | index | Yes | Space | 6 | None
Module name | recorder | Yes | Space | 7 | None
Classification | type | Yes | Space | 8 | None
Sub-classification | sub-type | Yes | Space | 9 | None
Risk rating | level | Yes | Space | 10 | None
Session ID | sid | Yes | Space | 11 | None
Network layer protocol | proto | Yes | Space | 12 | None
Source IP | sip | Yes | Space | 13 | None
Source port | sport | Yes | Space | 14 | None
Destination IP | dip | Yes | Space | 15 | None
Destination port | dport | Yes | Space | 16 | None
Source IPv6 address | sipv6 | Yes | Space | 17 | None
Destination IPv6 address | dipv6 | Yes | Space | 18 | None
VLAN ID | vid | Yes | Space | 19 | None
Input interface | sdev | Yes | Space | 20 | None
Output interface | ddev | Yes | Space | 21 | None
Source MAC address | smac | Yes | Space | 22 | None
Destination MAC address | dmac | Yes | Space | 23 | None
S120, editing the content in the log default template to obtain a log format template and storing the log format template; and the type of the log format template corresponds to the type of the log default template.
The user can edit the content in the log default template according to the self requirement so as to change the format of the log default template; for example, the keywords, order, etc. in the log default template are edited.
S130, determining the type of the system log to be sent out by auditing the network flow, and reading a log format template corresponding to the type; the network traffic comprises network protocol request messages such as an icmp request message and an HTTP request message; the type of the system log to be sent out is preset in the test equipment by the user.
For example, a user configures a log that the device requires an outgoing icmp protocol; if the test equipment audits the icmp request message, the log format template of the icmp protocol is automatically called.
S140, extracting information in the network flow, and filling the information into a value corresponding to the information in a corresponding log format template to generate a to-be-sent log; the information includes public information such as a source IP and a source port, and may also include information specific to a network protocol, for example, sender information, recipient information, etc. in a mail protocol;
for example, if the extracted information is a source IP, after the test device calls the log format template of the icmp protocol, the obtained source IP is filled into the value corresponding to the source IP, so as to generate a to-be-sent log.
One specific method for editing content in the log default template may include:
editing keywords in the log default template to obtain a log format template; for example, the manufacturer ID in the log default template has the keyword vendor, i.e. vendor="topsec", and after the keyword is edited the keyword of the manufacturer ID in the log format template is aaaa, i.e. aaaa="topsec". Other edits may change the separator between each key and value, the encoding method and order of the values, and so on.
For example, a log of a malicious program class issued through a log default template is as follows:
vendor="topsec" dev_type="4" dev_name="" dev_ip="192.168.23.50" time="2019-09-24 17:44:23" index="302" recorder="virus" type="11" sub_type="11.1" level="4" sid="5d89e577000015f" proto="TCP" sip="18.1.1.2" sport="20" dip="17.1.1.2" dport="49946" sipv6="" dipv6="" vid="" sdev="0" ddev="1" smac="00:0C:29:4D:04:B8" dmac="00:90:0B:3E:C0:DA" op="alert" rule="0" msg="13296f528d570e126b7671639f215745" repeat="1" file="coded2.exe" file="EXE" file="8192" md5="13296f528d570e126b7671639f215745" sha1="" app_pro="FTP" app="FTP" method="STOR" direction="c2s" sgeo="usa" dgeo="usa"
The user can edit the log default template so that the log format template does not display the keys, uses "|" rather than a space as the separator between adjacent values, and does not wrap the values in quotation marks; the malware-class log above then becomes:
topsec|4|192.168.23.50|2019-09-24 17:44:23|302|virus|11|11.1|4|5d89e577000015f|TCP|18.1.1.2|20|17.1.1.2|49946|0|1|00:0C:29:4D:04:B8|00:90:0B:3E:C0:DA|alert|0|13296f528d570e126b7671639f215745|1|coded2.exe|EXE|8192|13296f528d570e126b7671639f215745|FTP|STOR|c2s|usa|usa
S150, sending the log to be sent out to a log server, so that the log server analyzes the log to be sent out and obtains information in the log to be sent out;
the test equipment sends the to-be-sent-out log to the log server, and the log server analyzes the to-be-sent-out log after receiving the to-be-sent-out log, so that information in the to-be-sent-out log is obtained.
S160, receiving and displaying the information in the log to be sent out;
the log server feeds back the information in the log to be sent out to the test equipment, and the test equipment can display the information in the log to be sent out through the webui interface after receiving the information in the log to be sent out.
If a separator in the information is the same as the separator of the outgoing log, the log server will parse the outgoing log incorrectly after it is sent. To convert such characters in the information into different characters, the separator in the information must be escaped; referring to fig. 3, before the information is filled into the corresponding value of the log format template in step S140, step S141 is therefore added:
S141, comparing the type of the separator in the information with the type of the separator in the outgoing log, and if the two are the same, escaping the separator in the information according to a preset escape rule; escaping means that a separator in the information that matches the separator of the outgoing log is converted into other characters. The separator here is the spacer described above.
For example, the outgoing log is separated by the "|" symbol, but a value about to be filled into the outgoing log, that is, the extracted information, itself contains "|"; the "|" in the information then needs to be escaped.
For example, in 1.1.1.1|41515|2.2.2.2|80|TCP|rpm|qa the fields are, in order, source address, source port, destination address, destination port, transport layer protocol and operation information, and the operation information rpm|qa contains the "|" character. If that "|" is not escaped, the log server may take the operation information to be rpm only, and qa may be lost or assigned to the next value; so the "|" in the information must be escaped. For instance, replacing the "|" in the information with "|/", the log server receives rpm|/qa and knows that the content is actually rpm|qa.
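The following Python sketch is an added illustration, not code from the patent, of steps S120 to S150 together with the escape step S141: a template object models the editable columns of the default template table (key display, separator, value order, quoting, key renaming, escape rule), the device renders an outgoing log from it, and a log-server-side parser splits the log back while reversing the escape. The field list, the sample information and the hypothetical names (LogTemplate, render, parse, PIPE_TEMPLATE, etc.) are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample of the information extracted from audited traffic in S140.
# The "op" value deliberately contains the "|" separator (the page's rpm|qa case).
SAMPLE_INFO = {
    "vendor": "topsec", "sip": "1.1.1.1", "sport": "41515",
    "dip": "2.2.2.2", "dport": "80", "proto": "TCP", "op": "rpm|qa",
}
FIELD_ORDER = ["vendor", "sip", "sport", "dip", "dport", "proto", "op"]


@dataclass
class LogTemplate:
    """A log format template: the editable columns of the default template table."""
    order: list                                    # sequence of the values
    show_keys: bool = True                         # whether the key is displayed
    separator: str = " "                           # spacer between adjacent values
    quote: str = '"'                               # "" means values are not quoted
    key_names: dict = field(default_factory=dict)  # renamed keys, e.g. vendor -> aaaa
    separator_escape: str = ""                     # escape rule for the separator, "" = none


# The built-in default template of the page: key="value" pairs separated by spaces.
DEFAULT_TEMPLATE = LogTemplate(order=FIELD_ORDER)
# Keyword edit from the page: the vendor ID key becomes aaaa.
RENAMED_TEMPLATE = LogTemplate(order=FIELD_ORDER, key_names={"vendor": "aaaa"})
# Keys hidden, "|" separator, unquoted values, but no escape rule configured.
UNESCAPED_TEMPLATE = LogTemplate(order=FIELD_ORDER, show_keys=False, separator="|", quote="")
# Same, with the page's escape rule "|" -> "|/" agreed with the log server.
PIPE_TEMPLATE = LogTemplate(order=FIELD_ORDER, show_keys=False, separator="|", quote="",
                            separator_escape="|/")


def escape_value(value: str, template: LogTemplate) -> str:
    """S141: convert separators inside a value into the escaped form, if a rule is set."""
    if template.separator_escape:
        return value.replace(template.separator, template.separator_escape)
    return value


def render(info: dict, template: LogTemplate) -> str:
    """S140: fill the extracted information into the template to build the outgoing log."""
    parts = []
    for key in template.order:
        value = escape_value(str(info.get(key, "")), template)
        value = f"{template.quote}{value}{template.quote}"
        if template.show_keys:
            value = f"{template.key_names.get(key, key)}={value}"
        parts.append(value)
    return template.separator.join(parts)


def split_fields(line: str, template: LogTemplate) -> list:
    """Log-server side: split on the separator, treating an escaped separator as literal.
    Quoting is not honoured here, so a space-separated template still needs values
    without spaces; the page's escape rule is what this scanner models."""
    sep, esc = template.separator, template.separator_escape
    fields, current, i = [], [], 0
    while i < len(line):
        if esc and line.startswith(esc, i):      # escaped separator: part of the value
            current.append(sep)
            i += len(esc)
        elif line.startswith(sep, i):            # real separator: field boundary
            fields.append("".join(current))
            current = []
            i += len(sep)
        else:
            current.append(line[i])
            i += 1
    fields.append("".join(current))
    return fields


def parse(line: str, template: LogTemplate) -> dict:
    """S150: the log server recovers the information using the same template."""
    original_key = {v: k for k, v in template.key_names.items()}
    result = {}
    for pos, raw in enumerate(split_fields(line, template)):
        if template.show_keys:
            name, _, raw = raw.partition("=")
            key = original_key.get(name, name)
        elif pos < len(template.order):
            key = template.order[pos]
        else:                                    # overflow caused by an unescaped separator
            key = f"extra{pos}"
        q = template.quote
        if q and raw.startswith(q) and raw.endswith(q) and len(raw) >= 2 * len(q):
            raw = raw[len(q):len(raw) - len(q)]
        result[key] = raw
    return result
```

Rendering SAMPLE_INFO with UNESCAPED_TEMPLATE and parsing it back yields op="rpm" plus a stray extra field "qa", which is the loss the page describes; with PIPE_TEMPLATE the round trip returns the original information.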
For one embodiment of the escape rule, the method may comprise:
the escape rule is configured in the log server by the user in advance; each log server has one escape rule, and the escape rule of every test device communicating with that log server is the same as the one preset in the log server. For example, the escape rule of one log server may escape the quotation mark as "\", while that of another log server may escape the separator "|" as "|/"; the rule is set by the user.
A specific method for editing a log default template can further include:
editing the log default template on line or editing the log default template after downloading;
the online editing method comprises the steps that after the log default template can be displayed on a webui interface of the test equipment, a user can directly edit the log default template on the webui interface; after the log default template is displayed on a webui interface of the test equipment, the log default template can be downloaded from the webui interface and then edited; similar to the Word document, the Word document can be directly edited in a browser, or the Word document is downloaded from the browser to a desktop and then edited, and the browser is equivalent to a webui interface.
A specific way to store the log format template can include:
the plurality of log format templates are stored separately or in a centralized manner;
the independent storage method comprises the steps that each type of log format template can be stored in a webui interface of a corresponding log; the centralized storage method comprises the steps that all types of log format templates can be collected in a folder, and then the folder exists in a single webui interface. It can be understood that: the log format templates are similar to the Word documents, the Word documents can be independently arranged on the desktop, or a folder can be newly arranged on the desktop, and then the Word documents are moved into the folder.
The implementation principle of the embodiment is as follows:
after the log default template is obtained, the user edits the log default template according to a log server of the user, so that a log format template is obtained; then based on the type of the system log to be sent out, reading a log format template corresponding to the system log to be sent out, and then filling the acquired information into a value corresponding to the log format template information, thereby generating a log to be sent out; and then the to-be-sent log is sent to the log server, the log server can analyze the to-be-sent log so as to obtain the information in the to-be-sent log, and then the information is displayed after being received so as to be known by a user.
Referring to fig. 4, based on the foregoing method embodiment, a second embodiment of the present application further provides a log format adaptation system, which may include: test equipment 100 and log server 200;
the test apparatus 100 includes a display screen 110, a storage module 120, an editing module 150, and a first processor 130; the display screen 110, the storage module 120 and the editing module 150 are all in communication connection with the first processor 130;
the display screen 110 is used for displaying a log default template and displaying information in the log to be sent out;
the editing module 150 is used for editing the log default template;
the storage module 120 stores a log default template and a log format template;
the first processor 130 is configured to audit network traffic, to determine a type of a system log to be sent out, and read a log format template corresponding to the type; the first processor 130 is further configured to extract information in the network traffic, so as to fill the information into a value corresponding to the information in a corresponding log format template, so as to generate a pending outgoing log;
the log server 200 comprises a second processor 210, the second processor 210 being communicatively connected to the first processor 130;
the second processor 210 is configured to receive and parse the pending outgoing log to obtain information in the pending outgoing log and send the information.
It should be noted that the editing module 150 may be the display screen 110, or may be a keyboard and a mouse; when the editing module 150 is the display screen 110, the display screen 110 is a touch display screen; the user can edit the log default template by touching the display screen, or the keyboard and the mouse.
To implement the escape of the delimiter in the information, the test apparatus 100 further comprises a third processor 140, the third processor 140 being communicatively connected to the first processor 130;
the third processor 140 is configured to compare the type of the separator in the information with the type of the separator in the log to be sent out, and if the type of the separator in the information is the same as the type of the separator in the log to be sent out, perform an escape on the type of the separator in the information according to a preset escape rule.
In addition, the first processor 130 and the third processor 140 may be the same processor or different processors.
This embodiment works as follows:
the user retrieves the log default template from the storage module 120 through the first processor 130, and the template is displayed on the display screen 110; the user then edits the log default template through the editing module 150 to obtain a log format template, which is stored in the storage module 120; the first processor 130 then audits the network traffic to determine the type of log the user wants to send out, and reads the log format template corresponding to that type; next, the first processor 130 extracts information from the network traffic, fills it into the corresponding values of the log format template to generate the log to be sent out, and sends it; after the log server 200 receives the log, the second processor 210 parses it to obtain the information it carries and sends that information back; finally, the display screen 110 displays the information.
A third embodiment of the present application further provides a log format adapting apparatus, which may comprise a memory and a processor;
the memory is used to store the log format adapting program;
the processor is used to execute the log format adapting program stored in the memory, so as to implement the steps of the log format adapting method.
The memory may be communicatively connected to the processor through a communication bus, which may be an address bus, a data bus, a control bus, or the like.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc.
A fourth embodiment of the present application further provides a computer-readable storage medium storing a computer program which can be loaded by a processor to execute the log format adapting method described above.
The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that incorporates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tape), optical media (e.g., DVDs), or semiconductor media (e.g., solid state disks).
The foregoing is merely a preferred embodiment of the present application and is not intended to limit its scope; any feature disclosed in this specification (including the abstract and drawings) may be replaced by an alternative feature serving an equivalent or similar purpose, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only one example of a generic series of equivalent or similar features.

Claims (10)

1. A log format adapting method, comprising:
acquiring a log default template; the log default template comes in a plurality of types, including a log default template for HTTP (Hypertext Transfer Protocol) and a log default template for ICMP (Internet Control Message Protocol);
editing the content of the log default template to obtain a log format template, and storing the log format template; the type of the log format template corresponds to the type of the log default template;
determining the type of the system log to be sent out by auditing network traffic, and reading the log format template corresponding to that type; the network traffic comprises ICMP request messages and HTTP request messages; the type of the system log to be sent out is configured in advance and corresponds to the type of the log format template;
extracting information from the network traffic and filling it into the value corresponding to that information in the corresponding log format template, so as to generate the log to be sent out; wherein the information comprises a source IP and a source port;
sending the log to be sent out to a log server, so that the log server parses it and obtains the information it contains;
and receiving and displaying the information in the log to be sent out.
2. The log format adapting method according to claim 1, wherein editing the content of the log default template specifically comprises:
editing keywords in the log default template to obtain the log format template; the log default template comprises a manufacturer ID whose keyword is vendor, i.e. vendor = 'topsec'; after the keyword is edited, the keyword of the manufacturer ID in the log format template is aaaa, i.e. aaaa = 'topsec'.
3. The log format adapting method according to claim 2, wherein, before the information is filled into the value corresponding to it in the corresponding log format template, the method further comprises:
comparing the type of separator in the information with the type of separator in the log to be sent out and, if they are the same, escaping the separator in the information according to a preset escape rule; escaping means converting a separator in the information that is the same as the separator in the outgoing log into other characters.
4. The log format adapting method according to claim 3, wherein the escape rule is pre-configured in the log server by the user; the escape rule includes converting the separator "|" into "|/".
5. The log format adapting method according to any one of claims 1 to 4, wherein editing the content of the log default template further comprises:
editing the log default template online or after downloading it.
6. The log format adapting method according to any one of claims 1 to 4, wherein storing the log format template specifically comprises:
storing the plurality of log format templates separately or together.
7. A log format adaptation system, characterized by comprising a test device (100) and a log server (200);
the test device (100) comprises a display screen (110), a storage module (120), an editing module (150) and a first processor (130); the display screen (110), the storage module (120) and the editing module (150) are in communication connection with the first processor (130);
the display screen (110) is used for displaying a log default template and displaying information in the log to be sent out; the editing module (150) is used for editing the log default template; the storage module (120) stores a log format template and a log default template;
the first processor (130) is configured to audit network traffic, determine the type of the system log to be sent out, and read the log format template corresponding to that type; the first processor (130) is further configured to extract information from the network traffic and fill it into the value corresponding to that information in the corresponding log format template, so as to generate the log to be sent out;
the log server (200) comprises a second processor (210), the second processor (210) being communicatively connected to the first processor (130);
the second processor (210) is configured to receive and parse the log to be sent out, obtain the information it contains, and send that information.
8. The log format adapting system of claim 7, wherein the test device (100) further comprises a third processor (140); the third processor (140) is communicatively connected to the first processor (130);
and the third processor (140) is configured to compare the type of separator in the information with the type of separator in the log to be sent out and, if they are the same, escape the separator in the information according to a preset escape rule.
9. A log format adapting apparatus, comprising:
a memory for storing a log format adapting program;
a processor for executing the log format adapting program stored in said memory, so as to implement the steps of the log format adapting method as claimed in any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program which can be loaded by a processor to perform the log format adapting method according to any one of claims 1 to 6.
CN202110970954.5A 2021-08-23 2021-08-23 Log format adapting method, system, device and computer readable storage medium Withdrawn CN113835981A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110970954.5A CN113835981A (en) 2021-08-23 2021-08-23 Log format adapting method, system, device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110970954.5A CN113835981A (en) 2021-08-23 2021-08-23 Log format adapting method, system, device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN113835981A true CN113835981A (en) 2021-12-24

Family

ID=78960935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110970954.5A Withdrawn CN113835981A (en) 2021-08-23 2021-08-23 Log format adapting method, system, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113835981A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113849386A (en) * 2021-09-26 2021-12-28 北京天融信网络安全技术有限公司 Log data generation method and device, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
US8539224B2 (en) Obscuring form data through obfuscation
CN111917740B (en) Abnormal flow alarm log detection method, device, equipment and medium
US8625642B2 (en) Method and apparatus of network artifact indentification and extraction
CN112468520B (en) Data detection method, device and equipment and readable storage medium
US9390432B2 (en) Email marketing campaign auditor systems
US20070263259A1 (en) E-Mail Transmission System
JP2007512585A (en) Method and system for preventing abuse of email messages
CN112347165B (en) Log processing method and device, server and computer readable storage medium
US10296746B2 (en) Information processing device, filtering system, and filtering method
KR20060094851A (en) System and method for testing a data format using targeted variant input
CN113835981A (en) Log format adapting method, system, device and computer readable storage medium
CN110278272B (en) Universal method for simulating Socket request
JPWO2019043804A1 (en) Log analysis device, log analysis method and program
CN108696713A (en) Safety detecting method, device and the test equipment of code stream
CN112822204A (en) NAT detection method, device, equipment and medium
CN104811418A (en) Virus detection method and apparatus
US20150074154A1 (en) Method of secure storing of content objects, and system and apparatus thereof
CN105635225A (en) Method and system of using mobile terminal to access mobile internet-based server and mobile terminal
CN113051876B (en) Malicious website identification method and device, storage medium and electronic equipment
CN111177595B (en) Method for extracting asset information by templating HTTP protocol
WO2021129849A1 (en) Log processing method, apparatus and device, and storage medium
JP2008269401A (en) Log management program and log management device
CN107770188B (en) Efficient automatic message mirroring method based on universal server
US20220188301A1 (en) Permutation-based clustering of computer-generated data entries
KR102663914B1 (en) Electronic apparatus and method for analyzing http traffic thereby

Legal Events

Date Code Title Description
PB01 Publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20211224