CN115914369A - Network shooting range log file acquisition proxy gateway, acquisition system and method - Google Patents


Info

Publication number
CN115914369A
Authority
CN
China
Prior art keywords
acquisition
file
proxy gateway
server
instruction
Prior art date
Legal status
Pending
Application number
CN202211270903.2A
Other languages
Chinese (zh)
Inventor
周兴怀
谢峥
高庆官
Current Assignee
Nanjing Cyber Peace Technology Co Ltd
Original Assignee
Nanjing Cyber Peace Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Nanjing Cyber Peace Technology Co Ltd
Priority to CN202211270903.2A
Publication of CN115914369A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a proxy gateway, a system and a method for collecting network shooting range log files. The invention adds an acquisition proxy gateway to the network shooting range scene; the proxy gateway communicates with the machines inside the shooting range scene on one side and with an acquisition server and a file server outside the scene on the other, and is provided with an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module. The instruction forwarding module receives and parses the acquisition instruction sent by the acquisition server and sends it to the probe on the specified virtual machine or entity machine according to the metadata information in the instruction; it also collects the instruction execution result of each probe and feeds it back to the acquisition server. The strategy configuration module queries strategy configuration information from the acquisition server according to the strategy configuration ID and stores it locally on the proxy gateway for the probes to query. The file transfer module caches the log files collected by the probes. The invention can solve the problem of network isolation, enhance the probe capability and reduce the pressure on the acquisition server.

Description

Network shooting range log file acquisition proxy gateway, acquisition system and method
Technical Field
The invention relates to an acquisition proxy gateway, an acquisition system and an acquisition method for collecting log files of a network shooting range, and belongs to the technical field of networks.
Background
A network target Range (Cyber Range) is a technology or product for simulating and reproducing the running states and running environments of network architecture, system equipment and business processes in a real network space based on a virtualization technology, so as to more effectively realize the behaviors of learning, research, inspection, competition, exercise and the like related to network security, thereby improving the network security confrontation level of personnel and mechanisms.
In a real network shooting range environment, many machines run simultaneously, including virtual machines, physical machines and the like, and they generate a large number of log files in real time. These log files record the running state information of the system and of application programs, and are of great value for analyzing and researching security events, system stability, system risks, bugs and the like in a network shooting range or a compound network shooting range.
Because most devices in the network shooting range are in a closed network environment with no communication with the external network, acquiring log files from some machines is inconvenient. At present, the log file on a given machine is obtained mainly through the scheme shown in fig. 1. A scene management system is deployed to manage the setting, initialization, networking, destruction and other operations of the network shooting range scene and of the machines in the scene. When the scene management system creates a network shooting range scene, probes are installed on all machines in the scene to collect machine information and report it to a collection server. When the scene management system starts a scene, it configures the log files or directory paths the probe needs to monitor, so that once the probe is started it collects the corresponding file monitoring information and uploads it to the collection server. Through the scene management system, a user can query the collection server for file information on a given machine in a given scene, including file names, paths, sizes, states, permissions and the like. Outside the network shooting range scene, a remote desktop gateway system also needs to be deployed to manage the remote connections to all machines in all network scenes. After a user creates and initializes a scene through the scene management system, the remote connection protocols, account passwords or secret keys of all machines in the scene, the networking topology and other information must be pushed to the remote desktop gateway system for storage. By logging in to the remote desktop gateway, the user can select and log in to a given machine in a given scene, and can download the designated log file from that machine to the user's local machine using a download tool provided by the remote desktop gateway.
The prior scheme has the following defects:
1. A separate desktop gateway system needs to be deployed, which increases the server resource overhead.
2. After a network shooting range scene is initialized, the scene management system needs to push the access protocols, account passwords, secret keys and other information of all machines in the scene to the desktop gateway, and if the scene information or the access information of a machine changes midway, for example the login account or password of a machine in the scene changes, the change must be pushed to the remote desktop gateway system in real time, which increases the complexity of the system and the difficulty of implementation and maintenance.
3. The probes installed inside the virtual machines or entity machines in the network shooting range scene communicate directly with the acquisition server; if the whole network scene is in a closed network, the communication is blocked and the user cannot check the information acquired by the probes.
4. To obtain a log file, the user can only log in to the desktop gateway system manually, access a given machine in a given scene and then manually select the desired log file to download, which is very inefficient.
5. Because the desktop gateway system connects to the corresponding virtual machine or physical machine over the network, a large number of log file downloads occupy bandwidth resources in the scene, reducing system performance and affecting normal node management.
6. Changes to a file, such as its size, content, permissions or checksum, cannot be monitored in real time, and policies such as automatically triggering a log upload and backup when the content changes abnormally cannot be set.
7. The log files are not backed up; once the network scene is closed or restarted, the virtual machine resources in the scene are reclaimed and the entity machines are reset, so important log files are lost and subsequent reproduction is affected.
Disclosure of Invention
Purpose of the invention: to address at least one problem in the prior art, the invention provides a new network shooting range log file acquisition scheme, which removes the desktop gateway system of the prior scheme, saving resource overhead and reducing management complexity, and designs an acquisition proxy gateway / acquisition proxy gateway system to solve the problem of network isolation, enhance probe capability and reduce the pressure on the acquisition server.
The technical scheme is as follows: in order to achieve the purpose, the invention adopts the following technical scheme:
a network shooting range log file acquisition proxy gateway is provided with at least two network cards, wherein one network card is used for communicating with a virtual machine or an entity machine inside a shooting range scene, and the other network card is used for communicating with an acquisition server and a file server outside the shooting range scene; the proxy gateway is provided with an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module;
the encryption module is used for encrypting and decrypting the communication between the proxy gateway and the acquisition server as well as the communication between the proxy gateway and the file server;
the instruction forwarding module is used for receiving and analyzing the acquisition instruction sent by the acquisition server, and sending the acquisition instruction to a probe on a specified virtual machine or entity machine according to metadata information in the acquisition instruction; meanwhile, the result of the execution instruction of each probe is collected and fed back to the acquisition server; if the acquisition instruction comprises the ID of the executable script file, downloading the corresponding executable script file from the file server according to the ID of the executable script file, and caching the executable script file to the file transfer module for the downloading of the probe;
the strategy configuration module is used for inquiring strategy configuration information from the acquisition server according to the strategy configuration ID and storing the strategy configuration information in the local proxy gateway for probe inquiry; the strategy configuration information comprises target file information and uploading frequency acquired by the probe;
and the file transfer module is used for caching the log files collected by the probe and uploading the files to the file server.
Preferably, the collection instruction comprises instruction content, a collection output content format, a policy configuration ID, a running task ID, metadata containing the specified virtual machine or entity machine which needs to execute the collection instruction, and an executable script file ID; the acquisition instruction execution result fed back by the probe on the virtual machine or the physical machine comprises the name of the probe, the information of the machine where the probe is located, the format of acquisition output content, a policy configuration ID, an operation task ID, an executable script file ID, whether the command is successfully executed or not, error information and acquisition output content.
Preferably, the encryption module refuses to respond to requests that do not come from the acquisition server.
Preferably, the file transfer module identifies, compresses, encrypts and merges the log files uploaded by the probe.
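The instruction forwarding behaviour described above (validate the acquisition instruction, select the target probes from its metadata, splice the cached executable script into the command, and report each probe's result with the fields listed in the summary) is shown below as an added example; it is not code from the patent or its assignee. The field names `command`, `outputFormat`, `configId`, `taskId`, `scriptId` and `metadata.machines`, the probe runner callbacks and the sample instruction are assumptions, since the patent's own templates are images; the cached script path is the one quoted later on the page.

```python
"""Instruction forwarding module of the acquisition proxy gateway (added example).

Field names (command, outputFormat, configId, taskId, scriptId, metadata.machines) are
assumptions modelled on the fields the patent lists; the real template is an image.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REQUIRED_FIELDS = ("command", "outputFormat", "configId", "taskId", "metadata")


class InvalidInstruction(ValueError):
    """Raised when an instruction from the acquisition server is malformed."""


def parse_instruction(instruction: dict) -> dict:
    """Validate the acquisition instruction before anything is forwarded into the scene."""
    if not isinstance(instruction, dict):
        raise InvalidInstruction("instruction must be an object")
    missing = [f for f in REQUIRED_FIELDS if f not in instruction]
    if missing:
        raise InvalidInstruction(f"missing fields: {missing}")
    meta = instruction["metadata"]
    targets = meta.get("machines") if isinstance(meta, dict) else None
    if not isinstance(targets, list) or not targets:
        raise InvalidInstruction("metadata.machines must list at least one target machine")
    return instruction


def is_valid_instruction(instruction) -> bool:
    try:
        parse_instruction(instruction)
        return True
    except InvalidInstruction:
        return False


@dataclass
class Probe:
    name: str
    machine: str                   # VM or physical host the probe runs on
    runner: Callable[[str], str]   # executes the spliced command, returns its output


def splice_command(command: str, local_script: Optional[str]) -> str:
    """Fill the {script} placeholder with the path of the script cached on the gateway."""
    if "{script}" not in command:
        return command
    if local_script is None:
        raise InvalidInstruction("command references {script} but no scriptId was given")
    return command.replace("{script}", local_script)


def forward_instruction(instruction: dict, probes: List[Probe],
                        script_cache: Dict[str, str]) -> List[dict]:
    """Dispatch one instruction to the probes named in its metadata and gather results."""
    inst = parse_instruction(instruction)
    script_id = inst.get("scriptId")
    local_script = script_cache.get(script_id) if script_id else None
    if script_id and local_script is None:
        raise InvalidInstruction(f"script {script_id} is not cached on the gateway")
    cmd = splice_command(inst["command"], local_script)
    results = []
    for probe in probes:
        if probe.machine not in inst["metadata"]["machines"]:
            continue   # the metadata decides which probes receive the instruction
        result = {
            "probe": probe.name, "machine": probe.machine,
            "outputFormat": inst["outputFormat"], "configId": inst["configId"],
            "taskId": inst["taskId"], "scriptId": script_id,
            "success": True, "error": "", "output": "",
        }
        try:
            result["output"] = probe.runner(cmd)
        except Exception as exc:   # the probe reports failure instead of dropping the task
            result["success"] = False
            result["error"] = str(exc)
        results.append(result)
    return results


def demo() -> List[dict]:
    """Constructed sample: three probes, the instruction targets two of them."""
    def ok_runner(cmd: str) -> str:
        return f"ran: {cmd}"

    def failing_runner(cmd: str) -> str:
        raise RuntimeError("permission denied")

    probes = [Probe("probe-a", "vm-01", ok_runner),
              Probe("probe-b", "vm-02", failing_runner),
              Probe("probe-c", "vm-03", ok_runner)]
    script_cache = {"S-001": "/var/oss/bin/tools/get_host_info"}  # path quoted from the page
    instruction = {
        "command": "/usr/bin/python3 {script}", "outputFormat": "json",
        "configId": "C-10", "taskId": "T-77", "scriptId": "S-001",
        "metadata": {"machines": ["vm-01", "vm-02"]},
    }
    return forward_instruction(instruction, probes, script_cache)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The gateway rejects a malformed instruction before it touches any probe, and a probe failure is carried back as `success=False` plus the error text rather than silently dropping the task, which is what the result template's "whether the command was executed successfully" and "error information" fields are for.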
A network shooting range log file acquisition proxy gateway system comprises a first-level acquisition proxy gateway and a plurality of second-level acquisition proxy gateways, wherein the first-level acquisition proxy gateways are provided with at least two network cards, one of the network cards is used for communicating with the second-level acquisition proxy gateways, and the other network card is used for communicating with an acquisition server and a file server outside a shooting range scene; the second-level acquisition proxy gateway is provided with at least two network cards, one of the network cards is used for communicating with the first-level acquisition proxy gateway, and the other network card is used for communicating with a virtual machine or an entity machine in the shooting range scene; the first-level acquisition proxy gateway and the second-level proxy gateway are respectively provided with an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module;
the encryption module is used for encrypting and decrypting communication outside the shooting range scene;
the instruction forwarding module of the first-level acquisition proxy gateway is used for receiving and analyzing the acquisition instruction sent by the acquisition server and forwarding the instruction to the second-level acquisition proxy gateway; the instruction forwarding module of the second-level acquisition proxy gateway is used for receiving the acquisition instruction and sending the acquisition instruction to a probe on a specified virtual machine or entity machine according to metadata information in the acquisition instruction; meanwhile, the results of the instructions executed by the probes are collected and fed back to the acquisition server through the first-stage acquisition proxy gateway; if the acquisition instruction comprises an executable script file ID, downloading a corresponding executable script file from a file server through a first-stage acquisition proxy gateway according to the executable script file ID, and caching the executable script file to a file transfer module for downloading by a probe;
the strategy configuration module of the first-level acquisition proxy gateway is used for querying the strategy configuration information from the acquisition server according to the strategy configuration ID and storing it locally; the strategy configuration module of the second-level acquisition proxy gateway is used for querying strategy configuration information from the first-level acquisition proxy gateway according to the strategy configuration ID and storing it locally for the probe to query; the strategy configuration information comprises the target file information and the uploading frequency for the probe's acquisition;
the file transfer module of the first-level acquisition proxy gateway is used for caching the log file uploaded by the second-level acquisition proxy gateway and uploading the file to the file server; and the file transfer module of the second-level acquisition proxy gateway is used for caching the log files uploaded by the probe and uploading the files to the first-level acquisition proxy gateway.
A network shooting range log file acquisition system comprises a scene management system, an acquisition server, a file server, a virtual machine and/or an entity machine in a shooting range scene, and an acquisition proxy gateway; the scene management system is used for configuring the networking form of the acquisition proxy gateway, the addresses of the acquisition server and the file server, managing log acquisition tasks, configuring information related to acquisition instructions and issuing the log acquisition instructions through the acquisition server; the acquisition server is used for receiving the instruction of the scene management system, issuing the instruction to the acquisition proxy gateway, acquiring a log file download address after the instruction is successfully executed, and returning the download address to the scene management system; and the file server is used for storing executable script files required by the running of the probe on the virtual machine or the physical machine and log files acquired and uploaded by the probe.
A network shooting range log file acquisition system comprises a scene management system, an acquisition server, a file server, a plurality of shooting range scenes comprising virtual machines and/or entity machines, and an acquisition proxy gateway system; the scene management system is used for configuring the networking form of the acquisition proxy gateway, the addresses of the acquisition server and the file server, managing log acquisition tasks, configuring information related to acquisition instructions and issuing the log acquisition instructions through the acquisition server; the acquisition server is used for receiving the instruction of the scene management system, issuing the instruction to the acquisition proxy gateway system, acquiring a log file download address after the instruction is successfully executed, and returning the download address to the scene management system; the file server is used for storing executable script files required by the operation of the probe on the virtual machine or the physical machine and log files acquired and uploaded by the probe.
Preferably, the log file collection in each shooting range scene corresponds to one second-level acquisition proxy gateway in the acquisition proxy gateway system.
Preferably, the scene management system stores default policy configuration information, and monitors different log files for different purposes of the shooting range scene; the scene management system supports definition of one or more acquisition templates, and the acquisition templates comprise a plurality of acquisition instructions and policy configuration information.
A network shooting range log file collection method is realized by the network shooting range log file collection system, and the method comprises the following steps:
configuring, in the scene management system, the virtual machines or entity machines on which a probe needs to be installed, the networking form of the acquisition proxy gateway, the addresses of the acquisition server and the file server, and the default acquisition strategy configuration information;
after the shooting range scene is started, the probe is installed and started on each virtual machine or entity machine, and the default executable script is downloaded from the file server through the acquisition proxy gateway or acquisition proxy gateway system;
configuring a log acquisition task in a scene management system, selecting one or more files to be downloaded, generating an acquisition instruction by the scene management system, sending the acquisition instruction to an acquisition server, sending the acquisition instruction to an acquisition proxy gateway or an acquisition proxy gateway system by the acquisition server, and forwarding the instruction to a probe on a corresponding virtual machine or entity machine by the acquisition proxy gateway or the acquisition proxy gateway system;
after a probe on a virtual machine or an entity machine receives an acquisition instruction, an executable script and strategy configuration information specified by the instruction are acquired through an acquisition proxy gateway or an acquisition proxy gateway system, a specified log file is acquired and uploaded to the acquisition proxy gateway or the acquisition proxy gateway system, and after the file is uploaded, an acquisition instruction execution result is fed back;
the collection proxy gateway or the collection proxy gateway system processes the collected log files and uploads the processed log files to the file server; the acquisition server returns the file download address to the scene management system; downloading the collected log files by the scene management system according to the file downloading addresses;
if the strategy configuration information in the acquisition instruction received by the probe comprises a regular acquisition interval, the probe acquires and uploads the corresponding log file regularly, and then only the latest file needs to be downloaded directly from the file server in the scene management system, and the acquisition instruction does not need to be issued through the acquisition server.
Advantageous effects: compared with the prior art, the invention has the following advantages:
1. The invention abandons the desktop gateway system, which saves resource overhead and avoids the complexity of the scene management system pushing scene and machine connection information to the desktop gateway system; through the added file server, the log files in a shooting range scene can be managed and backed up in a unified manner, repeated and inefficient manual operation by the user is avoided, loss of important log files caused by scene or machine shutdown and faults is prevented, a backup effect is achieved, and data support is provided for subsequent reproduction of the scene.
2. The executable script stored in the file server can enable the probe to complete a complex task of collecting log files, and also can enable the probe to complete a collection task according to a specified strategy through script setting.
3. According to the invention, through the newly-added acquisition proxy gateway, the machine in the network shooting range scene can be prevented from being exposed to the external network, so that the interference of the external network environment is avoided, the scene can simulate a real network environment better, and the communication blocking of the probe and the acquisition server caused by the isolation of the network shooting range scene from the external network can be avoided.
4. The acquisition proxy gateway can perform processing such as aggregation screening on the log files acquired by the probe, can further enhance the probe capability and reduce the pressure of an acquisition server.
5. The acquisition proxy gateway can further perform networking to form an acquisition proxy gateway system, and can avoid the situation that a large number of probes in different scenes simultaneously download script files and upload log files, which causes great pressure on a file server and network bandwidth.
6. The collection system of the invention can configure collection tasks on the scene management system page, download log files of different machines in batch, even different scenes, automatically collect and backup important log files through strategy configuration, and monitor the change condition of the files.
7. According to the invention, log files are stored and backed up through the file server, the same file on the same virtual machine or the same file on the same entity machine only needs to be uploaded once, the file is stored in the file server for a long time after being uploaded, and the subsequent downloading is carried out through the file server outside the scene, so that bandwidth resources in the scene are not occupied.
Drawings
Fig. 1 is a schematic diagram illustrating a conventional network shooting range log file collection principle.
Fig. 2 is a schematic diagram illustrating a network shooting range log file collection principle according to an embodiment of the present invention.
Fig. 3 is a schematic diagram illustrating a network shooting range log file collection principle according to another embodiment of the present invention.
Detailed Description
The technical solution of the present invention will be clearly and completely described below with reference to the accompanying drawings and specific embodiments.
The embodiment of the invention discloses a network shooting range log file acquisition proxy gateway which is provided with at least two network cards, wherein one network card is used for communicating with a virtual machine or an entity machine inside a shooting range scene, and the other network card is used for communicating with an acquisition server and a file server outside the shooting range scene; the proxy gateway is provided with an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module; the encryption module is used for encrypting and decrypting the communication between the proxy gateway and the acquisition server and the file server; the instruction forwarding module is used for receiving and analyzing the acquisition instruction sent by the acquisition server and sending the acquisition instruction to a probe on a specified virtual machine or entity machine according to metadata information in the acquisition instruction; meanwhile, the results of the instructions executed by the probes are collected and fed back to the acquisition server; if the acquisition instruction comprises the ID of the executable script file, downloading the corresponding executable script file from the file server according to the ID of the executable script file, and caching the executable script file in a file transfer module for downloading by the probe; the strategy configuration module is used for inquiring strategy configuration information from the acquisition server according to the strategy configuration ID and storing the strategy configuration information in the proxy gateway local for probe inquiry; and the file transfer module is used for caching the log files collected by the probe and uploading the files to the file server.
In addition, in order to expand the application of collecting multi-scene log files, the network shooting range log file collecting proxy gateway system disclosed by the embodiment of the invention comprises a first-stage collecting proxy gateway and a plurality of second-stage collecting proxy gateways, wherein the first-stage collecting proxy gateway is provided with at least two network cards, one of the network cards is used for communicating with the second-stage collecting proxy gateway, and the other network card is used for communicating with a collecting server and a file server outside a shooting range scene; the second-level acquisition proxy gateway is provided with at least two network cards, one of which is used for communicating with the first-level acquisition proxy gateway, and the other one is used for communicating with a virtual machine or an entity machine in the shooting range scene; the first-level collection proxy gateway and the second-level proxy gateway are respectively provided with an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module.
The encryption module is used for encrypting and decrypting communication outside the shooting range scene; the instruction forwarding module of the first-level acquisition proxy gateway is used for receiving and analyzing the acquisition instruction sent by the acquisition server and forwarding the instruction to the second-level acquisition proxy gateway; the instruction forwarding module of the second-level acquisition proxy gateway is used for receiving the acquisition instruction and sending the acquisition instruction to a probe on a specified virtual machine or entity machine according to metadata information in the acquisition instruction; meanwhile, the results of the instructions executed by the probes are collected and fed back to the acquisition server through the first-stage acquisition proxy gateway; and if the acquisition instruction comprises the ID of the executable script file, downloading the corresponding executable script file from the file server through the first-stage acquisition proxy gateway according to the ID of the executable script file, and caching the executable script file to a file transfer module for downloading by the probe. The strategy configuration module of the first-stage acquisition proxy gateway is used for inquiring strategy configuration information from the acquisition server according to the strategy configuration ID and storing the strategy configuration information in the local; the strategy configuration module of the second-level acquisition proxy gateway is used for inquiring strategy configuration information from the first-level acquisition proxy gateway according to the strategy configuration ID and storing the strategy configuration information in the local for probe inquiry; the strategy configuration information comprises target file information acquired by the probe and uploading frequency. 
The file transfer module of the first-level acquisition proxy gateway is used for caching the log file uploaded by the second-level acquisition proxy gateway and uploading the file to the file server; and the file transfer module of the second-level acquisition proxy gateway is used for caching the log files uploaded by the probe and uploading the files to the first-level acquisition proxy gateway.
The following describes the construction and process of a network shooting range log file collection system using a proxy gateway/proxy gateway system according to an embodiment of the present invention in detail with reference to fig. 2 and 3.
As shown in fig. 2, a proxy gateway service is added to a network scenario, and a proxy gateway service program may run on a virtual machine and start to run together with the scenario. The proxy gateway has two network cards, one of which is used for communicating with the network outside the scene, and the other of which is used for communicating with the network inside the scene. The proxy gateway internally comprises an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module. The functions of each module are as follows:
The encryption module is responsible for encrypting and decrypting the communication between the proxy gateway and the collection server and between the proxy gateway and the file server, and has the capability of distinguishing external requests: if an external request does not come from the collection server, the response is refused, so that the network inside the scene is protected from attack and interference from the external network.
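The "refuse requests that do not come from the collection server" check is the part of the encryption module that a defender most wants to get right, because the gateway is the only path from the outside into the scene. The following added example (not code from the patent or its assignee) shows one way to do it: each request from the acquisition server carries a sender name, a timestamp, a one-time nonce and an HMAC-SHA256 tag over all of them under a pre-shared key, and the gateway answers nothing at all unless the tag verifies, the timestamp is fresh and the nonce is unseen. The key, the field names and the sample request are constructed assumptions; transport encryption of the channel itself (for example TLS) is assumed and not shown.

```python
"""Request-origin check of the encryption module (added example).

Assumption: gateway and acquisition server share a pre-shared key provisioned by the
scene management system; the channel is additionally encrypted (e.g. TLS), not shown.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set

ALLOWED_SKEW_SECONDS = 300   # reject requests whose timestamp is older/newer than this


def _canonical(sender: str, ts: int, nonce: str, body: dict) -> bytes:
    """Deterministic byte string covering every authenticated field."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return f"{sender}|{ts}|{nonce}|".encode() + payload


def sign_request(key: bytes, sender: str, body: dict, ts: int,
                 nonce: Optional[str] = None) -> dict:
    """Acquisition-server side: attach sender, timestamp, nonce and HMAC tag."""
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(key, _canonical(sender, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "ts": ts, "nonce": nonce, "body": body, "mac": mac}


def verify_request(key: bytes, request, now: int, seen_nonces: Optional[Set[str]] = None,
                   expected_sender: str = "acquisition-server") -> bool:
    """Gateway side: True only if the request provably comes from the acquisition server."""
    try:
        sender, ts, nonce, body, mac = (request[k] for k in ("sender", "ts", "nonce", "body", "mac"))
    except (KeyError, TypeError):
        return False
    if sender != expected_sender:
        return False
    if not isinstance(ts, int) or abs(now - ts) > ALLOWED_SKEW_SECONDS:
        return False                      # stale or clock-skewed request
    if seen_nonces is not None and nonce in seen_nonces:
        return False                      # replay of an already-accepted request
    expected = hmac.new(key, _canonical(sender, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(mac)):
        return False                      # tampered body or wrong key
    if seen_nonces is not None:
        seen_nonces.add(nonce)
    return True


def handle_request(key: bytes, request, now: int, seen_nonces: Set[str]):
    """Entry point of the gateway: None means 'no response at all' to the caller."""
    if not verify_request(key, request, now, seen_nonces):
        return None
    return {"status": "accepted", "taskId": request["body"].get("taskId")}


if __name__ == "__main__":
    key = b"constructed-demo-key"
    req = sign_request(key, "acquisition-server", {"taskId": "T-77", "command": "uptime"}, 1000)
    print(handle_request(key, req, 1010, set()))
```

Returning `None` rather than an error message is deliberate: an unauthenticated party outside the scene learns nothing about whether the gateway exists or what it rejected, which matches the page's "refuse the response" wording.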
The instruction forwarding module decomposes the instruction sent from the acquisition server, issues it to one or more specified probes according to the metadata information in the instruction, and at the same time collects the results of the instruction execution of each probe and feeds them back to the acquisition server. If the instruction contains a scriptId field for downloading an executable script file, the instruction forwarding module downloads the script file in advance and caches it in the file transfer module for the probes to use.
An instruction content template (shown as images in the original page: Figure BDA0003892825650000081 and Figure BDA0003892825650000091):
If a scriptId is configured, the corresponding executable script file is downloaded through the scriptId and stored locally, and the command in the instruction is spliced with the local executable script file into a single instruction string. For example, with command "/var/oscec/bin/python {script}", the executable script file downloaded through the scriptId is saved at /var/oss/bin/tools/get_host_info and substituted for {script}.
An instruction execution result template (shown as an image in the original patent, not reproduced here).
The collection output content (output) depends on the command and the script Id. If the instruction collects ordinary file state information such as the size and permissions of a file, output contains that content directly. If a log file upload instruction is executed, output is the file download address that the file server returned to the probe.
The policy configuration module stores the policy configuration information required by the probes to execute instructions. If a configId is present in the instruction received by the proxy gateway, the gateway queries the policy configuration information from the acquisition server and stores it in the local policy configuration module. Likewise, after a probe receives the instruction, it queries the corresponding policy configuration information from the proxy gateway's policy configuration module according to the configId. These policy configurations define the file path, upload frequency and other settings that control probe acquisition, for example: upload the log file at /var/log/test.log every 3 minutes.
A policy configuration information template (shown as an image in the original patent, not reproduced here).
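The instruction handling described above (source check, script caching, command splicing, policy lookup, dispatch by metadata and result aggregation), written out as an added example that is not the patent's own code. scriptId, configId, taskId and metadata are the patent's field names; since the templates appear only as images, the dict layouts, sample paths and addresses here are constructed assumptions.

```python
"""Model of the proxy gateway's instruction forwarding and policy configuration
modules as the patent describes them (added example; not the patent's code).
scriptId, configId, taskId and metadata are the patent's field names; the
templates are only images there, so the dict layouts, sample paths and
addresses below are constructed assumptions."""

COLLECTION_SERVER = "10.10.0.5"  # constructed address of the acquisition server

class ScriptCache:
    """File transfer module's script cache: one download per scriptId, then
    served locally to every probe that needs it."""
    def __init__(self, file_server):
        self.file_server = file_server  # constructed: scriptId -> local save path
        self.local, self.downloads = {}, 0

    def get(self, script_id):
        if script_id not in self.local:
            self.downloads += 1
            self.local[script_id] = self.file_server[script_id]
        return self.local[script_id]

class PolicyStore:
    """Policy configuration module: fetch a policy from the acquisition server
    the first time a configId is seen, then answer probe lookups locally."""
    def __init__(self, acquisition_server):
        self.server = acquisition_server  # constructed: configId -> policy dict
        self.local = {}

    def ensure(self, config_id):
        if config_id not in self.local:
            self.local[config_id] = self.server[config_id]

    def get(self, config_id):
        return self.local.get(config_id)

def build_command(instr, cache):
    """Splice the command with the cached script path, as in the patent's
    example '/var/oscec/bin/python {script}'."""
    cmd = instr["command"]
    if instr.get("scriptId"):
        cmd = cmd.replace("{script}", cache.get(instr["scriptId"]))
    return cmd

def forward(instr, source, probes, cache, policies):
    """Refuse requests not from the collection server, resolve script and
    policy, dispatch to the probes named in metadata, aggregate the results."""
    if source != COLLECTION_SERVER:
        raise PermissionError("request not from the collection server; refused")
    config_id = instr.get("configId")
    if config_id:
        policies.ensure(config_id)
    cmd = build_command(instr, cache)
    results = []
    for name in instr["metadata"]["targets"]:
        probe = probes.get(name)
        if probe is None:
            results.append({"probe": name, "taskId": instr["taskId"], "success": False,
                            "error": "probe not found", "output": ""})
            continue
        results.append(probe(instr["taskId"], cmd, policies.get(config_id)))
    return results

def download_addresses(results):
    """Acquisition server side: pull the file download address out of each
    successful result of an upload instruction."""
    return [r["output"] for r in results if r["success"] and r["output"].startswith("http")]

def make_probe(name, host):
    """Constructed probe: download address for an upload policy, file state otherwise."""
    def run(task_id, cmd, policy):
        if policy and policy.get("path"):
            output = f"http://fileserver.example/{host}{policy['path']}"
        else:
            output = f"{cmd}: size=1024 mode=0644"
        return {"probe": name, "host": host, "taskId": task_id,
                "success": True, "error": "", "output": output}
    return run
```

Two probes given the same scriptId trigger a single download from the file server, and the acquisition server only ever sees addresses from results that succeeded.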
The file transfer module caches the log files collected by the probes, tags them to identify which scene they come from, compresses, encrypts and merges them (for example, merging log files of the same type, such as /var/log/app/app.log, from several virtual machines or physical machines in one scene into one larger log file), and uploads the files to the file server once processed. The transfer module also works with the instruction forwarding module to cache executable script files downloaded from the file server, so that when several probes in a scene execute the same executable script at the same time they do not all download it from the file server at once, which would put pressure on the file server and consume network bandwidth.
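The file transfer module's tagging, merging and compression step, as an added example that is not the patent's own code. Encryption is left to the encryption module and not shown; the scene id, host names and log lines are constructed sample data.

```python
"""Model of the file transfer module's tagging, merging and compression of
probe-collected logs (added example; not the patent's code). Encryption is
left to the encryption module and not shown. Scene ids, hosts and log lines
are constructed sample data."""
import gzip
import io
from collections import defaultdict

# Constructed probe uploads for one scene: (host, path, raw log bytes).
SCENE_UPLOADS = [
    ("web-1", "/var/log/app/app.log",
     b"2022-10-17T10:00:01 INFO started\n2022-10-17T10:00:05 WARN slow query\n"),
    ("web-2", "/var/log/app/app.log", b"2022-10-17T10:00:02 INFO started\n"),
    ("db-1", "/var/log/auth.log", b"2022-10-17T10:00:03 Accepted publickey for ops\n"),
]

def tag_line(scene_id, host, line):
    """Prefix a record with the scene and host it came from, so a merged file
    still says where each line originated."""
    return f"[scene={scene_id} host={host}] {line}"

def merge_by_path(scene_id, uploads):
    """Merge same-type logs (same path on several machines of one scene) into
    one larger file per path, tagging every line on the way."""
    merged = defaultdict(list)
    for host, path, data in uploads:
        for line in data.decode("utf-8").splitlines():
            merged[path].append(tag_line(scene_id, host, line))
    return {path: "\n".join(lines) + "\n" for path, lines in merged.items()}

def package(scene_id, path, text):
    """Compress one merged log; the returned name is the object uploaded to
    the file server."""
    name = f"{scene_id}{path.replace('/', '_')}.gz"
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(text.encode("utf-8"))
    return name, buf.getvalue()

def process_scene(scene_id, uploads):
    """Full file transfer step for a scene: tag, merge, compress."""
    return dict(package(scene_id, path, text)
                for path, text in merge_by_path(scene_id, uploads).items())

def unpack(blob):
    """Reverse of package, as the file server or a downloading user would do it."""
    return gzip.decompress(blob).decode("utf-8")
```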
The scene management system stores some default policy configurations and can focus monitoring on particular log files according to the purpose of the scene. For example, if the main purpose of the scene is attack and defense confrontation, security logs are monitored first; if the main purpose is a simulated competition, traffic logs are monitored first; and if the main purpose is simulated network load testing, system metric logs are monitored first. Users can also add their own monitoring and acquisition policies.
As shown in fig. 3, the proxy gateway may also be deployed separately from the network scenario and networked with other gateways, that is, a proxy gateway system is adopted. For example, two second-level acquisition proxy gateways, proxy gateways A and B, are configured in network scenario 1 and network scenario 2, and a first-level acquisition proxy gateway, proxy gateway C, is deployed separately. The file transfer module of proxy gateway C can then tag, compress, encrypt and merge the log files collected and uploaded from several network scenes. If machines in several network scenes need the same script file, proxy gateway C can cache the script file downloaded from the file server for the machines in all of those scenes, further reducing the load on the file server.
The probes installed on each machine in a scene communicate with the acquisition server through the proxy gateway, and the proxy gateway's encryption module ensures that this communication is encrypted. This keeps the machines in the scene from being exposed to the external network, and avoids interruptions of probe-to-server communication caused by the scene's own network isolation.
In addition to the network scene, a file server must be deployed to store the executable script files required by the probes and the log files the probes collect and upload from machines in the scene. After the probe on each machine in the scene has started, it downloads the default executable script from the file server through the proxy gateway. During operation, if the instruction content received by the proxy gateway includes a script Id, the gateway downloads the script from the file server in advance for the probes to fetch afterwards. The file server can also compress and merge the log files it stores, and periodically delete expired and oversized log files, to save disk space and reduce the bandwidth users consume when downloading.
Before a network scene is started, the user configures in the scene management system the virtual machines or physical machines on which probes are to be installed, the networking form of the proxy gateway, the addresses of the collection server and the file server, the default collection policy configuration information, and so on. After the machines in the scene start, the probe on each machine pulls the specified script from the file server through the proxy gateway and begins executing the collection task according to the specified command and policy configuration information.
When a user downloads a file for the first time, they only need to select one or more files; the scene management system then sends an instruction containing the policy configuration to the acquisition server. The acquisition server issues the instruction to the corresponding proxy gateway, and the proxy gateway forwards it to the probe on the corresponding machine. After receiving the instruction, the probe downloads and executes the corresponding script according to the instruction and the policy configuration; the script acquires the specified file and uploads it to the file transfer module of the proxy gateway, which processes the file and uploads it to the file server. Meanwhile, the probe also collects basic information about the file, such as its name, state and size, and reports it to the collection server through the proxy gateway. The reported information takes the form shown in the original patent's figures (not reproduced here).
After uploading, the probe returns information that the instruction was executed successfully; this is transmitted to the acquisition server through the proxy gateway, and the acquisition server extracts the file download address from the instruction execution result and returns it to the scene management system. The user can thus obtain the download address through the scene management system and download the collected log file from its page.
If the instruction received by the probe contains policy configuration information with a regular acquisition interval, and the value of repeat is true, the probe periodically acquires and uploads the corresponding log file. When the user later downloads the log file through the scene management system, the latest file can be fetched directly from the file server without issuing another instruction through the acquisition server.
Since a network scenario may contain a large number of log files that need to be monitored and collected, the scenario management system supports defining one or more collection templates, each containing several collection instructions and policy configuration information. A template may, for example, target machines running a particular operating system and collect specific types of log files, such as the /var/log/syslog file specific to Linux operating systems.

Claims (10)

1. A network shooting range log file acquisition proxy gateway is characterized by being provided with at least two network cards, wherein one network card is used for communicating with a virtual machine or an entity machine inside a shooting range scene, and the other network card is used for communicating with an acquisition server and a file server outside the shooting range scene; the proxy gateway is provided with an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module;
the encryption module is used for encrypting and decrypting the communication between the proxy gateway and the acquisition server as well as the communication between the proxy gateway and the file server;
the instruction forwarding module is used for receiving and analyzing the acquisition instruction sent by the acquisition server, and sending the acquisition instruction to a probe on a specified virtual machine or entity machine according to metadata information in the acquisition instruction; meanwhile, the result of the execution instruction of each probe is collected and fed back to the acquisition server; if the acquisition instruction comprises an executable script file ID, downloading a corresponding executable script file from a file server according to the executable script file ID, and caching the executable script file to the file transfer module for the probe to download;
the strategy configuration module is used for inquiring strategy configuration information from the acquisition server according to the strategy configuration ID and storing the strategy configuration information in the local proxy gateway for probe inquiry; the strategy configuration information comprises target file information and uploading frequency acquired by the probe;
and the file transfer module is used for caching the log files collected by the probe and uploading the files to the file server.
2. The network shooting range log file collection proxy gateway of claim 1, wherein the collection instructions include instruction content, collection output content format, policy configuration ID, run task ID, metadata containing instructions specifying which virtual or physical machines need to execute the collection instructions, and executable script file ID; the acquisition instruction execution result fed back by the probe on the virtual machine or the physical machine comprises the name of the probe, the information of the machine where the probe is located, the format of acquisition output content, a strategy configuration ID, an operation task ID, an executable script file ID, whether the command is successfully executed or not, error information and acquisition output content.
3. The network shooting range log file collection proxy gateway of claim 1, wherein the encryption module rejects a response to a request not from the collection server.
4. The network shooting range log file collection proxy gateway of claim 1, wherein the file transfer module is configured to identify, compress, encrypt, and merge log files uploaded by the probe.
5. A network shooting range log file acquisition proxy gateway system is characterized by comprising a first-level acquisition proxy gateway and a plurality of second-level acquisition proxy gateways, wherein the first-level acquisition proxy gateways are provided with at least two network cards, one of the network cards is used for communicating with the second-level acquisition proxy gateways, and the other network card is used for communicating with an acquisition server and a file server outside a shooting range scene; the second-level acquisition proxy gateway is provided with at least two network cards, one of the network cards is used for communicating with the first-level acquisition proxy gateway, and the other network card is used for communicating with a virtual machine or an entity machine in the shooting range scene; the first-level acquisition proxy gateway and the second-level proxy gateway are respectively provided with an encryption module, an instruction forwarding module, a strategy configuration module and a file transfer module;
the encryption module is used for encrypting and decrypting communication outside the shooting range scene;
the instruction forwarding module of the first-level acquisition proxy gateway is used for receiving and analyzing the acquisition instruction sent by the acquisition server and forwarding the instruction to the second-level acquisition proxy gateway; the instruction forwarding module of the second-level acquisition proxy gateway is used for receiving the acquisition instruction and sending the acquisition instruction to a probe on a specified virtual machine or entity machine according to metadata information in the acquisition instruction; meanwhile, the results of the instructions executed by the probes are collected and fed back to the acquisition server through the first-level acquisition proxy gateway; if the acquisition instruction comprises an executable script file ID, downloading a corresponding executable script file from the file server through the first-level acquisition proxy gateway according to the executable script file ID, and caching the executable script file to the file transfer module for downloading by the probe;
the strategy configuration module of the first-level acquisition proxy gateway is used for inquiring the strategy configuration information from the acquisition server according to the strategy configuration ID and storing the strategy configuration information in the local; the strategy configuration module of the second-level acquisition proxy gateway is used for inquiring strategy configuration information from the first-level acquisition proxy gateway according to the strategy configuration ID and storing the strategy configuration information in the local for the probe to inquire; the strategy configuration information comprises target file information and uploading frequency acquired by the probe;
the file transfer module of the first-level acquisition proxy gateway is used for caching the log file uploaded by the second-level acquisition proxy gateway and uploading the file to the file server; and the file transfer module of the second-level acquisition proxy gateway is used for caching the log files uploaded by the probe and uploading the files to the first-level acquisition proxy gateway.
6. A network shooting range log file collection system, comprising a scene management system, a collection server, a file server, a virtual machine and/or a physical machine in a shooting range scene, and a collection proxy gateway according to claim 1; the scene management system is used for configuring the networking form of the acquisition proxy gateway, the addresses of the acquisition server and the file server, managing log acquisition tasks, configuring information related to acquisition instructions and issuing the log acquisition instructions through the acquisition server; the acquisition server is used for receiving the instruction of the scene management system, issuing the instruction to the acquisition proxy gateway, acquiring a log file download address after the instruction is successfully executed, and returning the download address to the scene management system; the file server is used for storing executable script files required by the operation of the probe on the virtual machine or the physical machine and log files acquired and uploaded by the probe.
7. A network shooting range log file collection system, comprising a scenario management system, a collection server, a file server, a plurality of shooting range scenarios comprising virtual machines and/or physical machines, and a collection proxy gateway system according to claim 4; the scene management system is used for configuring the networking mode of the acquisition proxy gateway, the addresses of the acquisition server and the file server, managing log acquisition tasks, configuring information related to acquisition instructions and issuing the log acquisition instructions through the acquisition server; the acquisition server is used for receiving the instruction of the scene management system, issuing the instruction to the acquisition proxy gateway system, acquiring a log file download address after the instruction is successfully executed, and returning the download address to the scene management system; and the file server is used for storing executable script files required by the running of the probe on the virtual machine or the physical machine and log files acquired and uploaded by the probe.
8. The network shooting range log file collection system of claim 7, wherein the log file collection in each shooting range scenario corresponds to one second-level collection proxy gateway in the collection proxy gateway system.
9. The network shooting range log file collection system of claim 6 or 7, wherein the scene management system stores default policy configuration information, and monitors different log files for different uses of the shooting range scene; the scene management system supports defining one or more acquisition templates, and the acquisition templates comprise a plurality of acquisition instructions and strategy configuration information.
10. A network shooting range log file collection method, which is implemented by the network shooting range log file collection system according to claim 6 or 7, the method comprising:
configuring, in a scene management system, the virtual machines or entity machines on which a probe needs to be installed, the networking form of the acquisition proxy gateway, the addresses of the acquisition server and the file server, and default acquisition strategy configuration information;
after the shooting range scene is started, the virtual machines or entity machines install and start the probe, and the default executable script is downloaded from the file server through the collection proxy gateway or the collection proxy gateway system;
configuring a log acquisition task in a scene management system, selecting one or more files to be downloaded, generating an acquisition instruction by the scene management system, sending the acquisition instruction to an acquisition server, sending the acquisition instruction to an acquisition proxy gateway or an acquisition proxy gateway system by the acquisition server, and forwarding the instruction to a probe on a corresponding virtual machine or entity machine by the acquisition proxy gateway or the acquisition proxy gateway system;
after a probe on a virtual machine or an entity machine receives an acquisition instruction, acquiring an executable script and strategy configuration information specified by the instruction through an acquisition proxy gateway or an acquisition proxy gateway system, acquiring a specified log file and uploading the log file to the acquisition proxy gateway or the acquisition proxy gateway system, and after the file is uploaded, feeding back an acquisition instruction execution result;
the collection proxy gateway or the collection proxy gateway system processes the collected log files and uploads the processed log files to the file server; the acquisition server returns the file download address to the scene management system; downloading the collected log files by the scene management system according to the file downloading addresses;
if the strategy configuration information in the acquisition instruction received by the probe comprises a regular acquisition interval, the probe acquires and uploads the corresponding log file regularly, and thereafter the scene management system only needs to download the latest file directly from the file server, without issuing the acquisition instruction through the acquisition server again.
CN202211270903.2A 2022-10-17 2022-10-17 Network shooting range log file acquisition proxy gateway, acquisition system and method Pending CN115914369A (en)


Publications (1)

Publication Number Publication Date
CN115914369A true CN115914369A (en) 2023-04-04

Family

ID=86473398


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116319482A (en) * 2023-05-22 2023-06-23 南京赛宁信息技术有限公司 Wazuh-based custom probe acquisition system and method in network target range
CN116319482B (en) * 2023-05-22 2023-08-22 南京赛宁信息技术有限公司 Wazuh-based custom probe acquisition system and method in network target range
CN116684301A (en) * 2023-06-26 2023-09-01 北京永信至诚科技股份有限公司 Method, system, equipment and storage medium for realizing cross-range task collaboration
CN116684301B (en) * 2023-06-26 2024-01-30 北京永信至诚科技股份有限公司 Method, system, equipment and storage medium for realizing cross-range task collaboration
CN117240726A (en) * 2023-11-07 2023-12-15 博智安全科技股份有限公司 Target data acquisition method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination