WO2016184079A1 - Method and device for processing system log message - Google Patents

Method and device for processing system log message

Publication number
WO2016184079A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
peer
icmp
syslog
unreachable
Application number
PCT/CN2015/096862
Other languages
French (fr)
Chinese (zh)
Inventor
徐林
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Definitions

  • This application relates to, but is not limited to, network communication techniques.
  • A system log (Syslog) message can be sent to a Syslog server over the network.
  • The Syslog server can store the Syslog messages of the sending devices in a unified manner, or parse their content for corresponding processing.
  • FIG. 1 is a schematic structural diagram of a router of the related art. As shown in FIG. 1, the method by which a router of the related art processes system log packets generally includes:
  • The port module sends a received packet to the protocol stack module, the protocol stack module sends the debugging information in the packet to the debugging information management module, and the debugging information management module selectively sends debugging information to the Syslog client module according to the first configuration information of the command line interface module.
  • The Syslog client module organizes the debugging information into a Syslog packet according to the second configuration information of the command line interface module (for example, an Internet Protocol (IP) address and port) and sends it to the protocol stack module.
  • The protocol stack module encapsulates the Syslog packet into a User Datagram Protocol (UDP) packet and sends it to the port module; the port module sends the UDP packet to the device where the Syslog server is located.
  • Alternatively, when the router is faulty, the alarm management module sends an alarm log to the Syslog client module, and the Syslog client module organizes the alarm log into a Syslog packet according to the first configuration information of the command line interface module and sends it to the protocol stack module.
  • The protocol stack module encapsulates the Syslog packet into a UDP packet and sends it to the port module.
  • The port module sends the UDP packet to the device where the Syslog server is located.
  • In the related-art method, after the port module sends the UDP packet to the device where the Syslog server is located, if that device cannot find a Syslog server matching the IP address and port in the UDP packet, it sends an Internet Control Message Protocol (ICMP) peer unreachable packet to the router. The port module of the router sends the received ICMP peer unreachable packet to the protocol stack module, and the subsequent steps continue to be performed. This forms a Syslog packet loopback. Because packets are sent quickly, the CPU usage of the router becomes high.
  • This document proposes a method and device for processing system log packets that can avoid Syslog packet loopback, thereby reducing CPU usage.
  • A method for processing system log (Syslog) packets, including:
  • The network device receives an Internet Control Message Protocol (ICMP) peer unreachable packet from the Syslog server.
  • When the network device determines that the source Internet Protocol (IP) address in the ICMP peer unreachable packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet is the same as the port in the second configuration information, it does not send the Syslog packet to the device where the Syslog server is located.
  • Optionally, the method further includes: when the network device determines that the source IP address in the ICMP peer unreachable packet is different from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable packet is different from the port in the second configuration information, the network device sends the Syslog packet to the device where the Syslog server is located.
  • Optionally, the method further includes: the network device sends a probe packet to the device where the Syslog server is located at every preset time interval.
  • When the network device does not receive an ICMP peer unreachable packet corresponding to the probe packet, or determines that the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is different from the IP address in the second configuration information, or determines that the source port in the ICMP peer unreachable packet corresponding to the probe packet is different from the port in the second configuration information, it sends the Syslog packet to the device where the Syslog server is located.
  • Optionally, the method further includes: when the network device receives the ICMP peer unreachable packet corresponding to the probe packet, and determines that the source IP address in that packet is the same as the IP address in the second configuration information and that the source port in that packet is the same as the port in the second configuration information, it continues to perform the step of not sending the Syslog packet to the Syslog server.
  • Optionally, when the time interval of the network device's (n-1)th transmission of the probe packet is less than a preset maximum probe interval, the time interval of the network device's nth transmission of the probe packet is:
  • where ΔT_n is the time interval of the network device's nth transmission of the probe packet, ΔT_{n-1} is the time interval of the network device's (n-1)th transmission of the probe packet, k1 and k2 are constants, and n is an integer greater than or equal to 2.
  • Optionally, when the time interval of the network device's (n-1)th transmission of the probe packet is greater than or equal to the preset maximum probe interval, the time interval of the network device's nth transmission of the probe packet is the maximum probe interval, where n is an integer greater than or equal to 2.
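  • A device for processing system log (Syslog) packets, including:
  • a receiving module, configured to receive an Internet Control Message Protocol (ICMP) peer unreachable packet from the Syslog server;
  • a sending module, configured to: on determining that the source Internet Protocol (IP) address in the ICMP peer unreachable packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet is the same as the port in the second configuration information, not send the Syslog packet to the device where the Syslog server is located.
  • Optionally, the sending module is further configured to: on determining that the source IP address in the ICMP peer unreachable packet is different from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable packet is different from the port in the second configuration information, send the Syslog packet to the device where the Syslog server is located.
  • Optionally, the sending module is further configured to: send a probe packet to the device where the Syslog server is located at every preset time interval; and, when no ICMP peer unreachable packet corresponding to the probe packet is received, or the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is determined to be different from the IP address in the second configuration information, or the source port in that packet is determined to be different from the port in the second configuration information, send the Syslog packet to the device where the Syslog server is located.
  • Optionally, the receiving module is further configured to: receive the ICMP peer unreachable packet corresponding to the probe packet;
  • the sending module is further configured to: on determining that the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is the same as the IP address in the second configuration information, and that the source port in that packet is the same as the port in the second configuration information, continue to perform the step of not sending the Syslog packet to the Syslog server.
  • A computer readable storage medium storing computer executable instructions for performing the method of any of the above.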
  • Compared with the related art, the embodiment of the present invention includes: the network device receives the ICMP peer unreachable packet from the Syslog server; and when the network device determines that the source IP address in the ICMP peer unreachable packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet is the same as the port in the second configuration information, it does not send the Syslog packet to the device where the Syslog server is located.
  • With the solution of the embodiment of the present invention, when the source IP address in the ICMP peer unreachable packet is determined to be the same as the IP address in the second configuration information, and the source port in the ICMP peer unreachable packet is determined to be the same as the port in the second configuration information, the Syslog packet is not sent to the device where the Syslog server is located. This avoids the loopback of Syslog packets and reduces CPU usage.
  • FIG. 1 is a schematic structural diagram of a router.
  • FIG. 2 is a flowchart of a method for processing a Syslog packet according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of an apparatus for processing a Syslog packet according to an embodiment of the present invention.
  • An embodiment of the present invention provides a method for processing a Syslog packet, including:
  • Step 200: The network device receives an ICMP peer unreachable packet from the Syslog server.
  • The network device may be any device in the network, such as a router.
  • Step 201: When the network device determines that the source IP address in the ICMP peer unreachable packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet is the same as the port in the second configuration information, it does not send the Syslog packet to the device where the Syslog server is located.
  • When the network device determines that the source IP address in the ICMP peer unreachable packet is different from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable packet is different from the port in the second configuration information, it sends the Syslog packet to the device where the Syslog server is located.
  • The method may further include: the network device sends a probe packet to the device where the Syslog server is located at every preset time interval; when the network device does not receive an ICMP peer unreachable packet corresponding to the probe packet, or determines that the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is different from the IP address in the second configuration information, or determines that the source port in that packet is different from the port in the second configuration information, it sends the Syslog packet to the device where the Syslog server is located.
  • When the network device receives the ICMP peer unreachable packet corresponding to the probe packet, and determines that the source IP address in that packet is the same as the IP address in the second configuration information and that the source port in that packet is the same as the port in the second configuration information, it continues to perform the step of not sending the Syslog packet to the Syslog server.
  • When the time interval of the network device's (n-1)th transmission of the probe packet is less than the preset maximum probe interval, the time interval of the network device's nth transmission of the probe packet may be:
  • where ΔT_n is the time interval of the network device's nth transmission of the probe packet, ΔT_{n-1} is the time interval of the network device's (n-1)th transmission of the probe packet, k1 and k2 are constants, and n is an integer greater than or equal to 2.
  • When the time interval of the network device's (n-1)th transmission of the probe packet is greater than or equal to the preset maximum probe interval, the time interval of the network device's nth transmission of the probe packet may be the maximum probe interval.
  • An embodiment of the present invention further provides an apparatus for processing a Syslog packet, which may be configured in a network device and includes at least:
  • a receiving module 31, configured to receive an Internet Control Message Protocol (ICMP) peer unreachable packet from the Syslog server;
  • a sending module 32, configured to: on determining that the source Internet Protocol (IP) address in the ICMP peer unreachable packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet is the same as the port in the second configuration information, not send the Syslog packet to the device where the Syslog server is located.
  • The sending module 32 is further configured to: on determining that the source IP address in the ICMP peer unreachable packet is different from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable packet is different from the port in the second configuration information, send the Syslog packet to the device where the Syslog server is located.
  • The sending module 32 is further configured to: send a probe packet to the device where the Syslog server is located at every preset time interval; and, when no ICMP peer unreachable packet corresponding to the probe packet is received, or the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is determined to be different from the IP address in the second configuration information, or the source port in that packet is determined to be different from the port in the second configuration information, send the Syslog packet to the device where the Syslog server is located.
  • The receiving module 31 is further configured to: receive the ICMP peer unreachable packet corresponding to the probe packet;
  • the sending module 32 is further configured to: on determining that the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is the same as the IP address in the second configuration information, and that the source port in that packet is the same as the port in the second configuration information, continue to perform the step of not sending the Syslog packet to the Syslog server.
  • The port module sends a received packet to the protocol stack module, and the protocol stack module sends the debugging information in the packet to the debugging information management module.
  • The debugging information management module selectively sends debugging information to the Syslog client module according to the first configuration information of the command line interface module.
  • The Syslog client module organizes the debugging information into a Syslog packet according to the second configuration information of the command line interface module (for example, the IP address and the port) and sends it to the protocol stack module.
  • The protocol stack module encapsulates the Syslog packet into a User Datagram Protocol (UDP) packet and sends it to the port module.
  • The port module sends the UDP packet to the device where the Syslog server is located.
  • Alternatively, the alarm management module sends an alarm log to the Syslog client module, and the Syslog client module organizes the alarm log into a Syslog packet according to the first configuration information of the command line interface module and sends it to the protocol stack module.
  • The protocol stack module encapsulates the Syslog packet into a UDP packet and sends it to the port module.
  • The port module sends the UDP packet to the device where the Syslog server is located.
  • After the port module sends the UDP packet to the device where the Syslog server is located, if that device cannot find a Syslog server matching the IP address and port in the UDP packet, it sends an ICMP peer unreachable packet to the network device.
  • After the ICMP peer unreachable packet is received, the port module of the network device sends it to the protocol stack module.
  • The protocol stack module sends the debugging information in the ICMP peer unreachable packet to the debugging information management module, and the debugging information management module selectively sends the debugging information to the Syslog client module according to the first configuration information of the command line interface module. When the Syslog client module determines that the source IP address in the debugging information is the same as the IP address in the second configuration information, and that the source port in the debugging information is the same as the port in the second configuration information, it does not organize the debugging information into a Syslog packet and send it to the protocol stack module.
  • When the Syslog client module determines that the source IP address in the debugging information is different from the IP address in the second configuration information, and that the source port in the debugging information is different from the port in the second configuration information, it organizes the debugging information into a Syslog packet and sends it to the protocol stack module.
  • The protocol stack module encapsulates the Syslog packet into a UDP packet and sends it to the port module.
  • The port module sends the UDP packet to the device where the Syslog server is located.
  • The Syslog client module sends a probe packet to the protocol stack module at every preset time interval.
  • The protocol stack module encapsulates the probe packet into a UDP packet and sends it to the port module.
  • The port module sends the UDP packet to the device where the Syslog server is located.
  • When the port module does not receive an ICMP peer unreachable packet corresponding to the probe packet, or the Syslog client module determines that the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is different from the IP address in the second configuration information, or that the source port in that packet is different from the port in the second configuration information, the Syslog packet is sent to the device where the Syslog server is located.
  • When the port module receives the ICMP peer unreachable packet corresponding to the probe packet, and the Syslog client module determines that the source IP address in that packet is the same as the IP address in the second configuration information and that the source port in that packet is the same as the port in the second configuration information, the Syslog client module continues to perform the step of not sending the Syslog packet to the Syslog server.
  • All or part of the steps of the above embodiments may also be implemented using integrated circuits. These steps may be fabricated separately as individual integrated circuit modules, or multiple modules or steps among them may be fabricated as a single integrated circuit module.
  • The devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, and may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • When the devices/function modules/functional units in the above embodiments are implemented in the form of software function modules and sold or used as stand-alone products, they can be stored in a computer readable storage medium.
  • The above-mentioned computer readable storage medium may be a read-only memory, a magnetic disk, an optical disk or the like.
  • With the solution of the embodiment of the present invention, when the source IP address in the ICMP peer unreachable packet is determined to be the same as the IP address in the second configuration information, and the source port in the ICMP peer unreachable packet is determined to be the same as the port in the second configuration information, the Syslog packet is not sent to the device where the Syslog server is located. This avoids the loopback of Syslog packets and reduces CPU usage.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Disclosed are a method and device for processing a system log (Syslog) message. The method comprises: a network device receiving an Internet Control Message Protocol (ICMP) peer unreachable message from a Syslog server; and the network device, on determining that the source Internet Protocol (IP) address in the ICMP peer unreachable message is the same as the IP address in second configuration information, and that the source port in the ICMP peer unreachable message is the same as the port in the second configuration information, not sending the Syslog message to the device where the Syslog server is located.

Description

Method and device for processing system log message
Technical field
This application relates to, but is not limited to, network communication techniques.
Background
On Unix-like operating systems, system log (Syslog) messages can be sent over the network to a Syslog server. The Syslog server can store the Syslog messages of the sending devices in a unified manner, or parse their content for corresponding processing.
A router is one application scenario for Syslog. FIG. 1 is a schematic structural diagram of a router of the related art. As shown in FIG. 1, the method by which a router of the related art processes system log packets generally includes:
The port module sends a received packet to the protocol stack module; the protocol stack module sends the debugging information in the packet to the debugging information management module; the debugging information management module selectively sends debugging information to the Syslog client module according to the first configuration information of the command line interface module; the Syslog client module organizes the debugging information into a Syslog packet according to the second configuration information of the command line interface module (for example, an Internet Protocol (IP) address and port) and sends it to the protocol stack module; the protocol stack module encapsulates the Syslog packet into a User Datagram Protocol (UDP) packet and sends it to the port module; and the port module sends the UDP packet to the device where the Syslog server is located;
or, when the router is faulty, the alarm management module sends an alarm log to the Syslog client module; the Syslog client module organizes the alarm log into a Syslog packet according to the first configuration information of the command line interface module and sends it to the protocol stack module; the protocol stack module encapsulates the Syslog packet into a UDP packet and sends it to the port module; and the port module sends the UDP packet to the device where the Syslog server is located.
In the related-art method for processing system log packets, after the port module sends the UDP packet to the device where the Syslog server is located, if that device cannot find a Syslog server matching the IP address and port in the UDP packet, it sends an Internet Control Message Protocol (ICMP) peer unreachable packet to the router. The port module of the router sends the received ICMP peer unreachable packet to the protocol stack module, and the subsequent steps continue to be performed. This forms a Syslog packet loopback, and because packets are sent quickly, the CPU usage of the router becomes high.
Summary of the invention
The following is an overview of the subject matter described in detail in this document. This overview is not intended to limit the scope of protection of the claims.
This document proposes a method and device for processing system log packets that can avoid Syslog packet loopback, thereby reducing CPU usage.
A method for processing system log (Syslog) packets, including:
a network device receives an Internet Control Message Protocol (ICMP) peer unreachable packet from a Syslog server;
when the network device determines that the source Internet Protocol (IP) address in the ICMP peer unreachable packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet is the same as the port in the second configuration information, it does not send the Syslog packet to the device where the Syslog server is located.
Optionally, the method further includes: when the network device determines that the source IP address in the ICMP peer unreachable packet is different from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable packet is different from the port in the second configuration information, the network device sends the Syslog packet to the device where the Syslog server is located.
Optionally, the method further includes:
the network device sends a probe packet to the device where the Syslog server is located at every preset time interval;
when the network device does not receive an ICMP peer unreachable packet corresponding to the probe packet, or determines that the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is different from the IP address in the second configuration information, or determines that the source port in the ICMP peer unreachable packet corresponding to the probe packet is different from the port in the second configuration information, it sends the Syslog packet to the device where the Syslog server is located.
Optionally, the method further includes: when the network device receives the ICMP peer unreachable packet corresponding to the probe packet, and determines that the source IP address in that packet is the same as the IP address in the second configuration information and that the source port in that packet is the same as the port in the second configuration information, it continues to perform the step of not sending the Syslog packet to the Syslog server.
Optionally, when the time interval of the network device's (n-1)th transmission of the probe packet is less than a preset maximum probe interval, the time interval of the network device's nth transmission of the probe packet is:
Figure PCTCN2015096862-appb-000001
where ΔT_n is the time interval of the network device's nth transmission of the probe packet, ΔT_{n-1} is the time interval of the network device's (n-1)th transmission of the probe packet, k1 and k2 are constants, and n is an integer greater than or equal to 2.
Optionally, when the time interval of the network device's (n-1)th transmission of the probe packet is greater than or equal to the preset maximum probe interval, the time interval of the network device's nth transmission of the probe packet is the maximum probe interval, where n is an integer greater than or equal to 2.
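The suppression check and probe schedule described above, as an added Python example that is not part of the patent text. It assumes IPv4, reads "source IP address" as the sender of the ICMP packet and "port" as the UDP destination port of the datagram quoted inside the ICMP error; `SyslogTarget`, `parse_unreachable`, `SyslogGate` and the caller-supplied `grow` rule (standing in for the interval formula, which this page does not reproduce) are hypothetical names.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Optional

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
PROTO_UDP = 17


@dataclass(frozen=True)
class SyslogTarget:
    """The page's "second configuration information": server IP and port."""
    ip: str
    port: int


def parse_unreachable(outer_src: str, icmp: bytes) -> Optional[SyslogTarget]:
    """Return the (IP, port) an ICMP unreachable refers to, or None if unusable.

    icmp is the ICMP message: 8-byte header, then the original IPv4 header
    and at least the first 8 bytes (the UDP header) of the datagram.
    Checksums are not verified in this example.
    """
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    if inner[9] != PROTO_UDP:
        return None
    inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
    # Extra sanity check (not on the page): the error must quote a datagram
    # that was addressed to the host reporting it.
    if inner_dst != outer_src:
        return None
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return SyslogTarget(outer_src, dport)


class SyslogGate:
    """Decides whether Syslog packets may be sent, and when to probe next."""

    def __init__(self, target: SyslogTarget, first_interval: float,
                 max_interval: float, grow: Callable[[float], float]):
        self.target = target
        self.interval = first_interval
        self.max_interval = max_interval
        self.grow = grow          # assumed growth rule, supplied by the caller
        self.suppressed = False

    def on_icmp(self, outer_src: str, icmp: bytes) -> bool:
        """Feed a received ICMP message; True if it matched the target."""
        if parse_unreachable(outer_src, icmp) == self.target:
            self.suppressed = True
            return True
        return False              # different IP or port: keep sending

    def may_send(self) -> bool:
        return not self.suppressed

    def on_probe_result(self, matched_unreachable: bool) -> float:
        """Record one probe outcome; return the interval before the next probe."""
        self.suppressed = matched_unreachable
        if self.interval < self.max_interval:
            self.interval = self.grow(self.interval)
        else:
            self.interval = self.max_interval
        return self.interval


def build_unreachable(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed sample: ICMP type 3 code 3 quoting one UDP datagram."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO_UDP, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + ip_hdr + udp_hdr


def demo():
    # Constructed values: documentation addresses, doubling as the growth rule.
    gate = SyslogGate(SyslogTarget("192.0.2.10", 514), 1.0, 8.0, lambda t: 2 * t)
    other = build_unreachable("192.0.2.1", "192.0.2.10", 40000, 9999)
    hit = build_unreachable("192.0.2.1", "192.0.2.10", 40000, 514)
    results = [gate.on_icmp("192.0.2.10", other), gate.may_send(),
               gate.on_icmp("192.0.2.10", hit), gate.may_send()]
    waits = [gate.on_probe_result(True) for _ in range(5)]
    resumed = (gate.on_probe_result(False), gate.may_send())
    return results, waits, resumed


if __name__ == "__main__":
    print(demo())
```
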
A device for processing system log (Syslog) packets, including:
a receiving module, configured to receive an Internet Control Message Protocol (ICMP) peer unreachable packet from a Syslog server;
a sending module, configured to: on determining that the source Internet Protocol (IP) address in the ICMP peer unreachable packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet is the same as the port in the second configuration information, not send the Syslog packet to the device where the Syslog server is located.
Optionally, the sending module is further configured to:
on determining that the source IP address in the ICMP peer unreachable packet is different from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable packet is different from the port in the second configuration information, send the Syslog packet to the device where the Syslog server is located.
Optionally, the sending module is further configured to:
send a probe packet to the device where the Syslog server is located at every preset time interval; and, when no ICMP peer unreachable packet corresponding to the probe packet is received, or the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is determined to be different from the IP address in the second configuration information, or the source port in the ICMP peer unreachable packet corresponding to the probe packet is determined to be different from the port in the second configuration information, send the Syslog packet to the device where the Syslog server is located.
Optionally, the receiving module is further configured to:
receive the ICMP peer unreachable packet corresponding to the probe packet;
the sending module is further configured to:
on determining that the source IP address in the ICMP peer unreachable packet corresponding to the probe packet is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable packet corresponding to the probe packet is the same as the port in the second configuration information, continue to perform the step of not sending the Syslog packet to the Syslog server.
A computer readable storage medium storing computer executable instructions for performing the method of any of the above.
与相关技术相比,本发明实施例包括:网络设备接收到来自Syslog服务器的ICMP对端不可达报文;网络设备判断出ICMP对端不可达报文中的源IP地址和第二配置信息中的IP地址相同,且ICMP对端不可达报文中的源端口和第二配置信息中的端口相同,不向Syslog服务器所在的设备发送Syslog报文。通过本发明实施例的方案,在判断出ICMP对端不可达报文中的源互联网协议IP地址和第二配置信息中的IP地址相同,且ICMP对端不可达报文中的源端口和第二配置信息中的端口相同时,不向Syslog服务器所在的设备发送Syslog报文,从而避免了Syslog报文的回环,降低了CPU的使用率。Compared with the related art, the embodiment of the present invention includes: the network device receives the ICMP peer unreachable message from the Syslog server; and the network device determines the source IP address and the second configuration information in the ICMP peer unreachable message. The IP address is the same, and the source port in the ICMP peer unreachable packet is the same as the port in the second configuration. The Syslog packet is not sent to the device where the Syslog server resides. The source network protocol IP address in the ICMP peer unreachable message and the IP address in the second configuration information are the same, and the source port and the first in the ICMP peer unreachable message are determined by the solution of the embodiment of the present invention. When the ports in the configuration information are the same, the Syslog packets are not sent to the Syslog server. This reduces the loopback of Syslog packets and reduces the CPU usage.
在阅读并理解了附图和详细描述后,可以明白其他方面。Other aspects will be apparent upon reading and understanding the drawings and detailed description.
Brief Description of the Drawings
FIG. 1 is a schematic structural diagram of a router;
FIG. 2 is a flowchart of a method for processing a Syslog message according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an apparatus for processing a Syslog message according to an embodiment of the present invention.
Embodiments of the Invention
Embodiments of the present invention are described below with reference to the accompanying drawings. It should be noted that, where no conflict arises, the embodiments in this application and the various manners in the embodiments may be combined with each other.
Referring to FIG. 2, an embodiment of the present invention provides a method for processing a Syslog message, including:
Step 200: A network device receives an ICMP peer unreachable message from a Syslog server.
In this step, the network device may be any device in the network, such as a router.
Step 201: The network device determines that the source IP address in the ICMP peer unreachable message is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable message is the same as the port in the second configuration information, and does not send a Syslog message to the device where the Syslog server is located.
In this step, when the network device determines that the source IP address in the ICMP peer unreachable message differs from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable message differs from the port in the second configuration information, it sends the Syslog message to the device where the Syslog server is located.
The method may further include: the network device sends a probe message to the device where the Syslog server is located at every preset time interval; when the network device does not receive an ICMP peer unreachable message corresponding to the probe message, or determines that the source IP address in the ICMP peer unreachable message corresponding to the probe message differs from the IP address in the second configuration information, or determines that the source port in the ICMP peer unreachable message corresponding to the probe message differs from the port in the second configuration information, it sends the Syslog message to the device where the Syslog server is located.
When the network device receives the ICMP peer unreachable message corresponding to the probe message, determines that the source IP address in that message is the same as the IP address in the second configuration information, and determines that the source port in that message is the same as the port in the second configuration information, it continues to perform the step of not sending the Syslog message to the Syslog server.
When the time interval of the (n-1)-th transmission of the probe message by the network device is less than a preset maximum probe interval, the time interval of the n-th transmission of the probe message by the network device may be:
Figure PCTCN2015096862-appb-000002
where ΔT_n is the time interval of the n-th transmission of the probe message by the network device, ΔT_{n-1} is the time interval of the (n-1)-th transmission of the probe message by the network device, k1 and k2 are constants, and n is an integer greater than or equal to 2. When the time interval of the (n-1)-th transmission of the probe message by the network device is greater than or equal to the preset maximum probe interval, the time interval of the n-th transmission of the probe message may be the maximum probe interval.
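The method of steps 200 and 201 together with the periodic probing can be sketched as follows. This is an added example, not code from the patent: the names `parse_unreachable`, `build_unreachable` and `SyslogClient` are hypothetical, the port is read from the UDP header quoted inside the ICMP payload (an assumption, since ICMP carries no ports of its own), and the interval update is passed in as a function because the patent's formula survives on this page only as a figure reference.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

ICMP_DEST_UNREACHABLE = 3          # ICMP type "destination unreachable"
PROTO_ICMP, PROTO_UDP = 1, 17


def parse_unreachable(packet: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for an IPv4 ICMP unreachable packet, or None.

    ip is the sender of the ICMP error (outer source address). port is the
    destination port of the UDP header quoted in the ICMP payload; reading
    the text's "source port" this way is an assumption of this example.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != PROTO_ICMP or len(packet) < ihl + 8:
        return None
    if packet[ihl] != ICMP_DEST_UNREACHABLE:
        return None
    quoted = packet[ihl + 8:]      # rejected datagram: IP header + 8 bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if q_ihl < 20 or quoted[9] != PROTO_UDP or len(quoted) < q_ihl + 8:
        return None
    _src_port, dst_port = struct.unpack_from("!HH", quoted, q_ihl)
    return str(ipaddress.IPv4Address(packet[12:16])), dst_port


def build_unreachable(icmp_src: str, device_ip: str, dst_ip: str, dst_port: int) -> bytes:
    """Constructed sample packet (checksums left at zero, never validated)."""
    def ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                           proto, 0, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    quoted = ipv4(device_ip, dst_ip, PROTO_UDP, 8) + struct.pack("!HHHH", 50000, dst_port, 8, 0)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, 3, 0, 0) + quoted
    return ipv4(icmp_src, device_ip, PROTO_ICMP, len(icmp)) + icmp


@dataclass
class SyslogClient:
    server_ip: str                 # IP address in the second configuration information
    server_port: int               # port in the second configuration information
    first_interval: float          # interval before the first probe
    max_interval: float            # preset maximum probe interval
    next_interval: Callable[[float], float]   # stand-in for the patent's formula
    suppressed: bool = False
    interval: float = 0.0
    sent: List[str] = field(default_factory=list)

    def _matches(self, packet: bytes) -> bool:
        return parse_unreachable(packet) == (self.server_ip, self.server_port)

    def on_icmp(self, packet: bytes) -> None:
        """Steps 200/201: a matching unreachable message stops Syslog output."""
        if not self.suppressed and self._matches(packet):
            self.suppressed = True
            self.interval = self.first_interval

    def log(self, message: str) -> bool:
        """Send a Syslog message unless sending is currently suppressed."""
        if self.suppressed:
            return False
        self.sent.append(message)  # stands in for the UDP send
        return True

    def on_probe_result(self, reply: Optional[bytes]) -> Optional[float]:
        """Handle one probe outcome; reply is None when no ICMP error came back.

        Returns the interval before the next probe, or None once sending resumes.
        """
        if reply is None or not self._matches(reply):
            self.suppressed = False
            return None
        if self.interval < self.max_interval:
            self.interval = self.next_interval(self.interval)
        else:
            self.interval = self.max_interval
        return self.interval


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges; doubling is a stand-in update.
    err = build_unreachable("192.0.2.10", "198.51.100.1", "192.0.2.10", 514)
    client = SyslogClient("192.0.2.10", 514, 1.0, 4.0, lambda t: 2 * t)
    client.on_icmp(err)
    print(client.log("dropped while suppressed"), client.on_probe_result(err))
```
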
Referring to FIG. 3, an embodiment of the present invention further provides an apparatus for processing a Syslog message, which may be arranged in a network device and includes at least:
a receiving module 31, configured to: receive an Internet Control Message Protocol (ICMP) peer unreachable message from a Syslog server;
a sending module 32, configured to: determine that the source Internet Protocol (IP) address in the ICMP peer unreachable message is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable message is the same as the port in the second configuration information, and not send a Syslog message to the device where the Syslog server is located.
In the apparatus of the embodiment of the present invention, the sending module 32 is further configured to:
Determine that the source IP address in the ICMP peer unreachable message differs from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable message differs from the port in the second configuration information, and send the Syslog message to the device where the Syslog server is located.
In the apparatus of the embodiment of the present invention, the sending module 32 is further configured to:
Send a probe message to the device where the Syslog server is located at every preset time interval; when no ICMP peer unreachable message corresponding to the probe message is received, or it is determined that the source IP address in the ICMP peer unreachable message corresponding to the probe message differs from the IP address in the second configuration information, or it is determined that the source port in the ICMP peer unreachable message corresponding to the probe message differs from the port in the second configuration information, send the Syslog message to the device where the Syslog server is located.
In the apparatus of the embodiment of the present invention, the receiving module 31 is further configured to:
Receive the ICMP peer unreachable message corresponding to the probe message;
The sending module 32 is further configured to:
Determine that the source IP address in the ICMP peer unreachable message corresponding to the probe message is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable message corresponding to the probe message is the same as the port in the second configuration information, and continue to perform the step of not sending the Syslog message to the Syslog server.
As shown in FIG. 1, the port module sends a received message to the protocol stack module, and the protocol stack module sends the debugging information in the message to the debugging information management module. The debugging information management module selectively sends debugging information to the Syslog client module according to the first configuration information of the command line interface module. The Syslog client module organizes the debugging information into a Syslog message according to the second configuration information of the command line interface module (for example, an IP address and a port) and sends it to the protocol stack module. The protocol stack module encapsulates the Syslog message into a User Datagram Protocol (UDP) message and sends it to the port module, and the port module sends the UDP message to the device where the Syslog server is located;
Alternatively, when the network device fails, the alarm management module sends an alarm log to the Syslog client module. The Syslog client module organizes the alarm log into a Syslog message according to the first configuration information of the command line interface module and sends it to the protocol stack module. The protocol stack module encapsulates the Syslog message into a UDP message and sends it to the port module, and the port module sends the UDP message to the device where the Syslog server is located.
After the port module sends the UDP message to the device where the Syslog server is located, if that device cannot find a Syslog server matching the IP address and port in the UDP message, it sends an ICMP peer unreachable message to the network device. After the port module of the network device receives the ICMP peer unreachable message, it sends the message to the protocol stack module. The protocol stack module sends the debugging information in the ICMP peer unreachable message to the debugging information management module, and the debugging information management module selectively sends debugging information to the Syslog client module according to the first configuration information of the command line interface module. When the Syslog client module determines that the source IP address in the debugging information is the same as the IP address in the second configuration information, and that the source port in the debugging information is the same as the port in the second configuration information, it does not organize the debugging information into a Syslog message for sending to the protocol stack module.
When the Syslog client module determines that the source IP address in the debugging information differs from the IP address in the second configuration information, and that the source port in the debugging information differs from the port in the second configuration information, it organizes the debugging information into a Syslog message and sends it to the protocol stack module. The protocol stack module encapsulates the Syslog message into a UDP message and sends it to the port module, and the port module sends the UDP message to the device where the Syslog server is located.
After that, the Syslog client module sends a probe message to the protocol stack module at every preset time interval. The protocol stack module encapsulates the probe message into a UDP message and sends it to the port module, and the port module sends the UDP message to the device where the Syslog server is located.
When the port module does not receive an ICMP peer unreachable message corresponding to the probe message, or the Syslog client module determines that the source IP address in the ICMP peer unreachable message corresponding to the probe message differs from the IP address in the second configuration information, or determines that the source port in the ICMP peer unreachable message corresponding to the probe message differs from the port in the second configuration information, the Syslog message is sent to the device where the Syslog server is located.
When the port module receives the ICMP peer unreachable message corresponding to the probe message, and the Syslog client module determines that the source IP address in that message is the same as the IP address in the second configuration information, and that the source port in that message is the same as the port in the second configuration information, the Syslog client module continues to perform the step of not sending the Syslog message to the Syslog server.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented as a computer program flow. The computer program may be stored in a computer-readable storage medium and is executed on a corresponding hardware platform (such as a system, equipment, apparatus or device); when executed, it includes one or a combination of the steps of the method embodiments.
Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits: the steps may each be made into a separate integrated circuit module, or several of the modules or steps may be made into a single integrated circuit module.
The apparatuses, functional modules and functional units in the above embodiments may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When the apparatuses, functional modules and functional units in the above embodiments are implemented in the form of software functional modules and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
Industrial Applicability
With the solution of the embodiments of the present invention, when it is determined that the source Internet Protocol (IP) address in the ICMP peer unreachable message is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable message is the same as the port in the second configuration information, no Syslog message is sent to the device where the Syslog server is located, which avoids looping of Syslog messages and reduces CPU usage.

Claims (11)

  1. A method for processing a system log (Syslog) message, comprising:
    a network device receiving an Internet Control Message Protocol (ICMP) peer unreachable message from a Syslog server;
    the network device determining that the source Internet Protocol (IP) address in the ICMP peer unreachable message is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable message is the same as the port in the second configuration information, and not sending a Syslog message to the device where the Syslog server is located.
  2. The method according to claim 1, further comprising:
    when the network device determines that the source IP address in the ICMP peer unreachable message differs from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable message differs from the port in the second configuration information, the network device sending the Syslog message to the device where the Syslog server is located.
  3. The method according to claim 1, further comprising:
    the network device sending a probe message to the device where the Syslog server is located at every preset time interval;
    when the network device does not receive an ICMP peer unreachable message corresponding to the probe message, or determines that the source IP address in the ICMP peer unreachable message corresponding to the probe message differs from the IP address in the second configuration information, or determines that the source port in the ICMP peer unreachable message corresponding to the probe message differs from the port in the second configuration information, sending the Syslog message to the device where the Syslog server is located.
  4. The method according to claim 3, further comprising:
    when the network device receives the ICMP peer unreachable message corresponding to the probe message, determines that the source IP address in that message is the same as the IP address in the second configuration information, and determines that the source port in that message is the same as the port in the second configuration information, continuing to perform the step of not sending the Syslog message to the Syslog server.
  5. The method according to claim 3, wherein, when the time interval of the (n-1)-th transmission of the probe message by the network device is less than a preset maximum probe interval, the time interval of the n-th transmission of the probe message by the network device is:
    Figure PCTCN2015096862-appb-100001
    where ΔT_n is the time interval of the n-th transmission of the probe message by the network device, ΔT_{n-1} is the time interval of the (n-1)-th transmission of the probe message by the network device, k1 and k2 are constants, and n is an integer greater than or equal to 2.
  6. The method according to claim 3, wherein, when the time interval of the (n-1)-th transmission of the probe message by the network device is greater than or equal to a preset maximum probe interval, the time interval of the n-th transmission of the probe message by the network device is the maximum probe interval, where n is an integer greater than or equal to 2.
  7. An apparatus for processing a system log (Syslog) message, comprising:
    a receiving module, configured to: receive an Internet Control Message Protocol (ICMP) peer unreachable message from a Syslog server;
    a sending module, configured to: determine that the source Internet Protocol (IP) address in the ICMP peer unreachable message is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable message is the same as the port in the second configuration information, and not send a Syslog message to the device where the Syslog server is located.
  8. The apparatus according to claim 7, wherein the sending module is further configured to:
    determine that the source IP address in the ICMP peer unreachable message differs from the IP address in the second configuration information, or that the source port in the ICMP peer unreachable message differs from the port in the second configuration information, and send the Syslog message to the device where the Syslog server is located.
  9. The apparatus according to claim 7, wherein the sending module is further configured to:
    send a probe message to the device where the Syslog server is located at every preset time interval; when no ICMP peer unreachable message corresponding to the probe message is received, or it is determined that the source IP address in the ICMP peer unreachable message corresponding to the probe message differs from the IP address in the second configuration information, or it is determined that the source port in the ICMP peer unreachable message corresponding to the probe message differs from the port in the second configuration information, send the Syslog message to the device where the Syslog server is located.
  10. The apparatus according to claim 9, wherein the receiving module is further configured to:
    receive the ICMP peer unreachable message corresponding to the probe message;
    the sending module is further configured to:
    determine that the source IP address in the ICMP peer unreachable message corresponding to the probe message is the same as the IP address in the second configuration information, and that the source port in the ICMP peer unreachable message corresponding to the probe message is the same as the port in the second configuration information, and continue to perform the step of not sending the Syslog message to the Syslog server.
  11. A computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the method of any one of claims 1-6.
PCT/CN2015/096862 2015-05-21 2015-12-09 Method and device for processing system log message WO2016184079A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510264673.2A CN106301832B (en) 2015-05-21 2015-05-21 Method and device for processing system log message
CN201510264673.2 2015-05-21

Publications (1)

Publication Number Publication Date
WO2016184079A1 true WO2016184079A1 (en) 2016-11-24

Family

ID=57319403

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/096862 WO2016184079A1 (en) 2015-05-21 2015-12-09 Method and device for processing system log message

Country Status (2)

Country Link
CN (1) CN106301832B (en)
WO (1) WO2016184079A1 (en)

Also Published As

Publication number Publication date
CN106301832B (en) 2020-04-03
CN106301832A (en) 2017-01-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15892453

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15892453

Country of ref document: EP

Kind code of ref document: A1