CN104717085B - A log parsing method and device - Google Patents
A log parsing method and device
- Publication number: CN104717085B (application CN201310688769.2A)
- Authority: CN (China)
- Prior art keywords: raw data, feature value, event type, log, rule
- Legal status (an assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Active
Abstract
The invention discloses a log parsing method and device. The method includes: obtaining raw data from logs of different formats; determining the event type to which the raw data belongs; and, for the raw data belonging to each event type, performing the following: when the feature value of the raw data of that event type is determined not to match a preset knowledge base feature value, parsing the raw data to obtain the non-standardized event corresponding to the event type; when the feature value matches a preset knowledge base feature value and a text generation rule needs to be configured for the raw data, displaying the raw data according to a set first display rule; and when the feature value matches a preset knowledge base feature value and no text generation rule needs to be configured for the raw data, displaying the raw data according to a set second display rule. This better addresses the problems that resources are wasted, interoperability between log systems is poor, and each log system has certain limitations.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a log parsing method and device.
Background art
Logs record in detail the various events that occur in a system every day. To protect and improve information security, the log data of the various operating systems, applications, devices and security products can help discover and ward off threats in advance and find the root cause of security incidents. In practice, the logs produced by each host, network device and application system are closely tied to the corresponding business, and the various devices are supplied by different manufacturers with different log formats. Collecting, processing, searching and even simply interpreting log information all consume a great deal of manpower and time, so log parsing and log management are becoming more and more important.
For logs of different formats, the parsing method currently in use is to build a separate log parsing system for each log format: for a database, a database log parsing system can be built; for a network device, a corresponding network device log parsing system can be built; and so on. Each log parsing system corresponds to one log format, so log parsing is bound to the log format, and logs of different formats are parsed separately.
Building a separate log parsing system for each log format, as in the prior art, allows each kind of log to be parsed relatively quickly. But as the business develops, log formats keep changing and being refined along with it, which causes many problems for log parsing work: once a log format changes, the code of the original log parsing system inevitably has to be modified and maintained, placing a heavy burden on maintenance.
In summary, because each log format corresponds to a different log parsing system, resources are wasted, interoperability between the log systems is poor, and a single log parsing system cannot parse multiple log formats at the same time.
Summary of the invention
The present invention provides a log parsing method and device, which can better address the problems that each log format corresponds to a different log parsing system, so that resources are wasted, interoperability between log systems is poor, and there are certain limitations.
A log parsing method includes: obtaining raw data from logs of different formats; determining the event type to which the obtained raw data belongs; and, for the raw data belonging to each event type, performing the following operations: when the feature value of the raw data of the event type is determined not to match a preset knowledge base feature value, parsing the raw data to obtain the non-standardized event corresponding to the event type; when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and a text generation rule needs to be configured for the raw data, displaying the raw data according to a set first display rule; and when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and no text generation rule needs to be configured for the raw data, displaying the raw data according to a set second display rule.
By establishing event types in advance and setting knowledge base feature values, logs of different formats are parsed in a unified way and finally displayed according to the parsing result, so that logs of different formats can all be displayed; generality is good and resources are saved.
Determining the event type to which the obtained raw data belongs includes: parsing the obtained raw data by a regular expression rule matching algorithm; comparing the parsed raw data with the set event types; and, when the parsed raw data is determined to contain the group variable of one of the set event types, determining that the raw data belongs to that event type.
With the above technical solution, event types are introduced and raw data is matched against event types, so that logs of different formats are divided at a first level, which further increases the generality of the scheme.
The set event types are determined in the following manner: obtaining a preset number of logs of different formats; classifying the obtained logs of different formats according to a set rule; analyzing the components of the obtained logs of different formats; and storing the classified logs in correspondence with the components of each log.
With the above technical solution, event types are introduced and raw data is matched against event types, so that logs of different formats are divided at a first level, which further increases the generality of the scheme.
Whether the feature value of the raw data of the event type matches a preset knowledge base feature value is determined in the following manner: calculating the feature value corresponding to the raw data of the event type according to a feature value formula; comparing the obtained feature value with the preset knowledge base feature values; when the comparison result meets the matching requirement, determining that the feature value of the raw data of the event type matches the preset knowledge base feature value; and when the comparison result does not meet the matching requirement, determining that the feature value of the raw data of the event type does not match the preset knowledge base feature value.
With the above technical solution, the parsing scope is wide: the logs of all kinds of hosts, network devices, databases, application servers and application systems can be parsed.
Displaying the raw data according to the set first display rule includes: recombining each field of the raw data through the text generation rule and displaying it according to the set first display rule.
With the above technical solution, events can be parsed efficiently and quickly, and an administrator can understand the meaning of every log without specialist knowledge and locate problems quickly.
A log parsing device includes: an obtaining module for obtaining raw data from logs of different formats; a determining module for determining the event type to which the obtained raw data belongs; and an execution module for performing the following operations for the raw data belonging to each event type: when the feature value of the raw data of the event type is determined not to match a preset knowledge base feature value, parsing the raw data to obtain the non-standardized event corresponding to the event type; when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and a text generation rule needs to be configured for the raw data, displaying the raw data according to a set first display rule; and when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and no text generation rule needs to be configured for the raw data, displaying the raw data according to a set second display rule.
By establishing event types in advance and setting knowledge base feature values, logs of different formats are parsed in a unified way and finally displayed according to the parsing result, so that logs of different formats can all be displayed; generality is good and resources are saved.
The execution module is specifically configured to parse the obtained raw data by a regular expression rule matching algorithm; compare the parsed raw data with the set event types; and, when the parsed raw data is determined to contain the group variable of one of the set event types, determine that the raw data belongs to that event type.
With the above technical solution, event types are introduced and raw data is matched against event types, so that logs of different formats are divided at a first level, which further increases the generality of the scheme.
The execution module is specifically configured to determine the set event types in the following manner: obtaining a preset number of logs of different formats; classifying the obtained logs of different formats according to a set rule; analyzing the components of the obtained logs of different formats; and storing the classified logs in correspondence with the components of each log.
With the above technical solution, event types are introduced and raw data is matched against event types, so that logs of different formats are divided at a first level, which further increases the generality of the scheme.
The execution module is specifically configured to determine in the following manner whether the feature value of the raw data of the event type matches a preset knowledge base feature value: calculating the feature value corresponding to the raw data of the event type according to a feature value formula; comparing the obtained feature value with the preset knowledge base feature values; when the comparison result meets the matching requirement, determining that the feature value of the raw data of the event type matches the preset knowledge base feature value; and when the comparison result does not meet the matching requirement, determining that the feature value of the raw data of the event type does not match the preset knowledge base feature value.
With the above technical solution, the parsing scope is wide: the logs of all kinds of hosts, network devices, databases, application servers and application systems can be parsed.
The execution module is specifically configured to recombine each field of the raw data through the text generation rule and display it according to the set first display rule.
With the above technical solution, events can be parsed efficiently and quickly, and an administrator can understand the meaning of every log without specialist knowledge and locate problems quickly.
Brief description of the drawings
Fig. 1 is a flowchart of a log parsing method proposed in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the structure of a log parsing device proposed in an embodiment of the present invention.
Embodiments
To address the problems that, in the usual case, each log format corresponds to a different log parsing system, so that resources are wasted, interoperability between log systems is poor, and a single log parsing system cannot parse multiple log formats at the same time, the technical solution proposed in the embodiment of the present invention establishes event types in advance and sets knowledge base feature values, parses logs of different formats in a unified way, and finally displays them according to the parsing result. As a result, logs of different formats can all be displayed; generality is good and resources are saved.
The main implementation principle, the embodiments and the beneficial effects of the technical solution of the embodiment of the present invention are set forth below with reference to the drawings.
The embodiment of the present invention proposes a log parsing method, as shown in Fig. 1; its specific processing is as follows:
Step 11: obtain raw data from logs of different formats.
Raw data is the data contained in the original logs produced by different devices or different systems; the format of each log, and the meaning the log represents, are not entirely the same.
Step 12: judge whether the obtained raw data matches the set judgment rule. If the judgment result is yes, perform step 13; otherwise perform step 14.
Step 13: when the obtained raw data is determined to match the set judgment rule, determine the event type to which the raw data belongs.
The obtained raw data can be parsed by a regular expression rule matching algorithm, and the parsed raw data compared with the set event types. When the parsed raw data is determined to contain the group variable of one of the set event types, the raw data is determined to belong to that event type.
Specifically, the set event types are determined in the following manner: obtain a preset number of logs of different formats, classify the obtained logs according to a set rule, analyze the components of the obtained logs, and store the classified logs in correspondence with the components of each log.
In a specific implementation, the event types to which raw data belongs can be determined and stored as follows. A certain number of logs transmitted by the system or device are obtained and statistically analyzed; for example, according to the system type and device type corresponding to the original logs, the obtained logs are classified according to a certain rule, which facilitates the definition of logs and establishes the log types. The components of the original logs are analyzed and a log basic attribute table is established; the basic attributes of a log are its basic components, and any log can be described by some combination of basic attributes. Under each log type, specific operation detail items are established and distinguished by feature values. The classification of logs is completed through the above steps.
It should be noted that when logs are classified according to a certain rule, the classification rule can be chosen flexibly, for example by the source of the log, the log behavior, or the system that produced the log.
In a specific implementation, the event type to which the obtained raw data belongs can be determined in the following manner. A match pattern for a log type is built from a series of special characters by the regular expression rule matching algorithm; the match pattern is then compared with the original log, and the match is decided by whether the compared object contains the match pattern. After a successful match, the system caches the regular expression rule in key-value form, where the key is the IP address of the reporting device and the value is the regular expression rule, which better improves matching efficiency. The group variables or special variable values extracted by the regular expression after a successful match are then placed in correspondence with the predefined log basic attributes, and the attribute variables and their values are cached in a map in key-value form. The event type to which the raw data belongs is calculated from the regular expression and the required variable values it extracts.
Step 14: if the judgment result is no, that is, the obtained raw data does not match the set judgment rule, it is determined that the obtained raw data is not of a standardized event type, and the obtained raw data can be discarded.
Step 15: after the event type to which the raw data belongs has been determined, judge whether the feature value corresponding to the obtained raw data matches a preset knowledge base feature value. If the judgment result is yes, perform step 16; otherwise perform step 17.
The feature value corresponding to the raw data of the event type is calculated according to a feature value formula, and the obtained feature value is compared with the preset knowledge base feature values. When the comparison result meets the matching requirement, the feature value of the raw data of the event type is determined to match the preset knowledge base feature value; when the comparison result does not meet the matching requirement, the feature value of the raw data of the event type is determined not to match the preset knowledge base feature value.
In a specific implementation, this step calculates the feature value from the log's feature value formula (such as a logical expression) and the variable values it requires, which were extracted during parsing. The calculated feature value is matched against the feature values of all event types (such as operation detail items) in the event type knowledge base; after a successful match the corresponding log object is generated, completing the knowledge base association. The obtained operation detail item feature values can be stored in key-value form, where the key is the feature value and the value is the log ID of the operation detail item.
Step 16: if the judgment result is yes, further judge whether a text generation rule needs to be configured for the raw data. If the judgment result is yes, perform step 18; otherwise perform step 19.
Step 17: when the feature value of the raw data of the event type is determined not to match a preset knowledge base feature value, parse the raw data to obtain the non-standardized event corresponding to the event type.
Step 18: when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and a text generation rule needs to be configured for the raw data, display the raw data according to the set first display rule.
Each field of the raw data is recombined through the text generation rule and displayed according to the set first display rule.
In a specific implementation, in order to form text information that an administrator can easily read and understand, a text generation rule must be established. The text generation rule recombines the basic attributes of the log. For example, the original log:
<44>09-26-2013 18:13:32 System0.Info 192.168.1.187 sshd[2535]: Accepted password for Testuser from 192.168.1.100
becomes, after the text generation rule is applied: "05-28-2007 18:13:32 user logged in to host 192.168.1.187 via the sshd service successfully".
Specifically, the text generation rule also recombines each field of the log by means of a logical expression; the effect of the rule is to translate the log into text information that an administrator can easily understand.
Step 19: when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and no text generation rule needs to be configured for the raw data, display the raw data according to the set second display rule.
The second display rule may also be a default display rule; in this case, default log content can be generated from the obtained raw data according to the set rule, or the displayed content can be left blank.
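The following is an added example, not code from the patent, that runs steps 12 to 19 above end to end and also reproduces the sshd text generation example from step 18. The regular expression rules (cached per reporting device IP, as the embodiment describes), the feature value formulas, the knowledge base entries, the operation item IDs (OP-1001 and so on) and the text templates are all assumptions constructed for the example; only the first sample log line is the patent's own.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Original-log judgment rules cached per reporting device IP (key: device IP,
# value: regex rules), as the embodiment describes.  Each rule is
# (event type, compiled regex); the named groups are the "group variables"
# mapped onto the log basic attributes.  Patterns are constructed for this example.
RULES: Dict[str, List[Tuple[str, re.Pattern]]] = {
    "192.168.1.187": [
        ("ssh_login", re.compile(
            r"^<(?P<pri>\d+)>(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
            r"(?P<facility>\S+) (?P<host>\S+) (?P<service>\w+)\[\d+\]: "
            r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
            r"(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})")),
    ],
    "10.0.0.1": [
        ("fw_policy", re.compile(
            r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}) fw "
            r"policy=(?P<policy>\w+) action=(?P<action>\w+) "
            r"src=(?P<src>\S+) dst=(?P<dst>\S+)")),
    ],
}

# Feature value formulas: one logical expression per event type, evaluated over
# the extracted attribute map (an assumed shape for the patent's formulas).
FEATURE_FORMULAS: Dict[str, Callable[[Dict[str, str]], str]] = {
    "ssh_login": lambda a: f"{a['service']}.{a['result'].lower()}",
    "fw_policy": lambda a: f"fw.{a['action'].lower()}",
}

# Knowledge base stored as key = feature value, value = operation item log ID
# (constructed entries; "fw.allow" is deliberately absent).
KNOWLEDGE_BASE: Dict[str, str] = {
    "sshd.accepted": "OP-1001",
    "sshd.failed": "OP-1002",
    "fw.deny": "OP-2001",
}

# Text generation rules (first display rule) keyed by operation item ID.
# OP-2001 has none, so it falls through to the default (second) display rule.
TEXT_RULES: Dict[str, str] = {
    "OP-1001": "{date} {time} user {user} logged in to host {host} via the {service} service successfully",
    "OP-1002": "{date} {time} user {user} failed to log in to host {host} via the {service} service from {src}",
}


@dataclass
class ParseResult:
    status: str                      # "discarded" | "non_standard" | "text" | "default"
    event_type: Optional[str] = None
    feature_value: Optional[str] = None
    op_id: Optional[str] = None
    text: Optional[str] = None


def parse_log(device_ip: str, raw: str) -> ParseResult:
    """Run one raw log line through steps 12-19 of the method."""
    # Steps 12/13: try the judgment rules cached for this device; the first rule
    # whose group variables are present decides the event type.
    for event_type, pattern in RULES.get(device_ip, []):
        m = pattern.match(raw)
        if m:
            attrs = m.groupdict()   # attribute variable -> value map
            break
    else:
        # Step 14: no rule matched, so this is not a standardized event type.
        return ParseResult(status="discarded")

    # Step 15: compute the feature value and look it up in the knowledge base.
    feature_value = FEATURE_FORMULAS[event_type](attrs)
    op_id = KNOWLEDGE_BASE.get(feature_value)
    if op_id is None:
        # Step 17: unknown feature value -> non-standardized event of this type.
        return ParseResult("non_standard", event_type, feature_value)

    # Steps 16/18: a text generation rule exists -> recombine the fields.
    template = TEXT_RULES.get(op_id)
    if template is not None:
        return ParseResult("text", event_type, feature_value, op_id, template.format(**attrs))

    # Step 19: no text rule -> default display rule (here: an attribute dump).
    default = f"[{event_type}/{op_id}] " + " ".join(f"{k}={v}" for k, v in attrs.items())
    return ParseResult("default", event_type, feature_value, op_id, default)


# Sample input: the first line is the patent's own example; the rest are constructed.
SAMPLE_LOGS = [
    ("192.168.1.187", "<44>09-26-2013 18:13:32 System0.Info 192.168.1.187 sshd[2535]: Accepted password for Testuser from 192.168.1.100"),
    ("192.168.1.187", "<44>09-26-2013 18:14:05 System0.Info 192.168.1.187 sshd[2540]: Failed password for invalid user root from 192.168.1.100"),
    ("10.0.0.1", "2013-09-26T18:15:00 fw policy=P12 action=deny src=192.168.1.100 dst=10.0.0.5"),
    ("10.0.0.1", "2013-09-26T18:15:01 fw policy=P12 action=allow src=192.168.1.100 dst=10.0.0.5"),
    ("192.168.1.187", "this line matches no judgment rule"),
]

if __name__ == "__main__":
    for ip, line in SAMPLE_LOGS:
        r = parse_log(ip, line)
        print(f"{r.status:12} {r.text or r.feature_value or '-'}")
```

Two points a practitioner would check in such a design: the patterns are anchored with `^` and looked up by device IP, so a line reported by one device is never parsed with another device's rule; and the template only substitutes attribute values that the regex extracted from the log, so the readable text still carries attacker-controllable strings (the user name, for instance) and should be treated as untrusted display data rather than as verified fact.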
Correspondingly, the embodiment of the present invention also proposes a log parsing device, as shown in Fig. 2, which includes:
an obtaining module 201 for obtaining raw data from logs of different formats;
a determining module 202 for determining the event type to which the obtained raw data belongs; and
an execution module 203 for performing the following operations for the raw data belonging to each event type: when the feature value of the raw data of the event type is determined not to match a preset knowledge base feature value, parsing the raw data to obtain the non-standardized event corresponding to the event type; when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and a text generation rule needs to be configured for the raw data, displaying the raw data according to a set first display rule; and when the feature value of the raw data of the event type is determined to match a preset knowledge base feature value and no text generation rule needs to be configured for the raw data, displaying the raw data according to a set second display rule.
Specifically, the execution module 203 is configured to parse the obtained raw data by a regular expression rule matching algorithm; compare the parsed raw data with the set event types; and, when the parsed raw data is determined to contain the group variable of one of the set event types, determine that the raw data belongs to that event type.
Specifically, the execution module 203 is configured to determine the set event types in the following manner: obtaining a preset number of logs of different formats; classifying the obtained logs of different formats according to a set rule; analyzing the components of the obtained logs of different formats; and storing the classified logs in correspondence with the components of each log.
Specifically, the execution module 203 is configured to determine in the following manner whether the feature value of the raw data of the event type matches a preset knowledge base feature value: calculating the feature value corresponding to the raw data of the event type according to a feature value formula; comparing the obtained feature value with the preset knowledge base feature values; when the comparison result meets the matching requirement, determining that the feature value of the raw data of the event type matches the preset knowledge base feature value; and when the comparison result does not meet the matching requirement, determining that the feature value of the raw data of the event type does not match the preset knowledge base feature value.
Specifically, the execution module 203 is configured to recombine each field of the raw data through the text generation rule and display it according to the set first display rule.
In the technical solution set forth above, the embodiment of the present invention gives a preferred implementation. Log classes (that is, event types) are established according to the system type and device type corresponding to the original logs. The components of the original logs are analyzed and the log basic attributes are established according to the result of the analysis. By establishing original-log judgment rules, original logs of different types can be identified, and a correspondence established between the key fields of the original log and the log basic attributes; the established correspondences are assigned to the respective log classes. Any original log may have been sent by a different system or device, and the meaning represented by each original log differs. In order to form text information that an administrator can easily read and to understand the meaning represented by the log, text generation rules (such as the recombination of log attributes) and knowledge base association rules (such as feature value formulas) must be established, which, for each log class, define the different meanings represented by the different feature values in that class of log. Through the above steps, the whole parsing process of the original log is completed. There is no need to build a separate log parsing system for each class of log; only log parsing rules need to be established. The parsing scope is wide, and the logs of all kinds of hosts, network devices, databases, application servers and application systems can be parsed. Once a log format changes, only the original-log judgment rule needs to be modified, without changing any back-end code, so maintenance is simple and the policy is flexible.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, an apparatus (device) or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and so on) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (device) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.
Claims (6)
- 1. A log parsing method, characterised in that it comprises: obtaining raw data from logs of different formats; determining the event type to which the obtained raw data belongs; and, for the raw data belonging to each event type, performing the following operations: when it is determined that the characteristic value of the raw data of the event type does not match a characteristic value preset in a knowledge base, parsing the raw data to obtain the non-standardized event corresponding to the event type; when it is determined that the characteristic value of the raw data of the event type matches a characteristic value preset in the knowledge base and a text generation rule needs to be configured for the raw data, displaying the raw data according to a set first display rule; and when it is determined that the characteristic value of the raw data of the event type matches a characteristic value preset in the knowledge base and no text generation rule needs to be configured for the raw data, displaying the raw data according to a set second display rule; wherein determining the event type to which the obtained raw data belongs comprises: parsing the obtained raw data by a regular-expression rule matching algorithm; comparing the parsed raw data with the set different event types; and, when it is determined that the parsed raw data contains a group variable of one of the set event types, determining that the raw data belongs to that event type; and wherein the set different event types are determined as follows: obtaining a preset number of logs of different formats; classifying the obtained logs of different formats according to a set rule; analysing the components of the obtained logs of different formats; and storing the classified logs in correspondence with the components of each log.
- 2. The method of claim 1, characterised in that whether the characteristic value of the raw data of the event type matches the characteristic value preset in the knowledge base is determined as follows: calculating the characteristic value corresponding to the raw data of the event type according to a characteristic value formula; comparing the obtained characteristic value with the characteristic value preset in the knowledge base; when the comparison result meets the matching requirement, determining that the characteristic value of the raw data of the event type matches the preset knowledge base characteristic value; and when the comparison result does not meet the matching requirement, determining that the characteristic value of the raw data of the event type does not match the preset knowledge base characteristic value.
- 3. The method of claim 1, characterised in that displaying the raw data according to the set first display rule comprises: recombining each field of the raw data by the text generation rule and displaying the result according to the set first display rule.
- 4. A log parsing device, characterised in that it comprises: an acquisition module for obtaining raw data from logs of different formats; a determining module for determining the event type to which the obtained raw data belongs; and an execution module for performing, for the raw data belonging to each event type, the following operations: when it is determined that the characteristic value of the raw data of the event type does not match a characteristic value preset in a knowledge base, parsing the raw data to obtain the non-standardized event corresponding to the event type; when it is determined that the characteristic value of the raw data of the event type matches a characteristic value preset in the knowledge base and a text generation rule needs to be configured for the raw data, displaying the raw data according to a set first display rule; and when it is determined that the characteristic value of the raw data of the event type matches a characteristic value preset in the knowledge base and no text generation rule needs to be configured for the raw data, displaying the raw data according to a set second display rule; wherein the execution module is specifically configured to parse the obtained raw data by a regular-expression rule matching algorithm, compare the parsed raw data with the set different event types, and, when it is determined that the parsed raw data contains a group variable of one of the set event types, determine that the raw data belongs to that event type; and wherein the execution module is specifically configured to determine the set different event types as follows: obtaining a preset number of logs of different formats; classifying the obtained logs of different formats according to a set rule; analysing the components of the obtained logs of different formats; and storing the classified logs in correspondence with the components of each log.
- 5. The device of claim 4, characterised in that the execution module is specifically configured to determine as follows whether the characteristic value of the raw data of the event type matches the characteristic value preset in the knowledge base: calculating the characteristic value corresponding to the raw data of the event type according to a characteristic value formula; comparing the obtained characteristic value with the characteristic value preset in the knowledge base; when the comparison result meets the matching requirement, determining that the characteristic value of the raw data of the event type matches the preset knowledge base characteristic value; and when the comparison result does not meet the matching requirement, determining that the characteristic value of the raw data of the event type does not match the preset knowledge base characteristic value.
- 6. The device of claim 4, characterised in that the execution module is specifically configured to recombine each field of the raw data by the text generation rule and display the result according to the set first display rule.
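The claimed flow in working form, as an added example that is not the patent's own code: event types are identified by the named groups of regular expressions, the characteristic value is assumed to be a SHA-256 of the line with its fields templated out (the claims leave the formula unspecified), and the event types, knowledge base, text generation rule and log lines are all constructed here for illustration.

```python
import hashlib
import re
# Constructed event types (assumed formats, not the patent's own rules): the named
# groups of each regex are the "group variables" that mark a line's event type.
EVENT_TYPES = {
    "ssh_login": re.compile(
        r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
        r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>[\d.]+)"),
    "fw_drop": re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) kernel: DROP IN=(?P<iface>\w+) "
        r"SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) DPT=(?P<dport>\d+)"),
}
# Text generation rule (first display rule) for the types that have one.
TEXT_RULES = {"ssh_login": "{user} logged in to {host} via {method} from {src_ip} at {ts}"}

def characteristic_value(line, match):
    """Assumed characteristic-value formula: SHA-256 of the line with every
    captured field replaced by its name, so the knowledge base holds templates."""
    template = line
    for name in sorted(match.groupdict(), key=match.start, reverse=True):
        if match.start(name) >= 0:  # skip optional groups that did not take part
            s, e = match.span(name)
            template = template[:s] + "<" + name + ">" + template[e:]
    return hashlib.sha256(template.encode()).hexdigest()

# Knowledge base seeded from constructed known-good lines, one per event type.
KNOWN_GOOD = [
    "Mar 11 10:00:00 bastion sshd[100]: Accepted password for alice from 10.0.0.5",
    "2024-03-01T10:00:01Z edge kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 DPT=22",
]
KNOWLEDGE_BASE = {characteristic_value(l, m) for l in KNOWN_GOOD
                  for p in EVENT_TYPES.values() if (m := p.match(l))}

def parse_log_line(line):
    """Classify one raw line and choose the display path the claims describe."""
    for event_type, pattern in EVENT_TYPES.items():
        match = pattern.match(line)
        if match:
            break
    else:  # no group variable of any event type was found
        return {"event_type": None, "status": "unknown", "text": line}
    fields = match.groupdict()
    if characteristic_value(line, match) not in KNOWLEDGE_BASE:
        # Known type but an unseen template: hand it on as a non-standardized event.
        return {"event_type": event_type, "status": "nonstandard", "text": line, "fields": fields}
    rule = TEXT_RULES.get(event_type)
    if rule:  # first display rule: fields recombined by the text generation rule
        return {"event_type": event_type, "status": "rule", "text": rule.format(**fields)}
    return {"event_type": event_type, "status": "fields",  # second display rule
            "text": " ".join(f"{k}={v}" for k, v in sorted(fields.items()))}
```

A line of a known type whose template is not in the knowledge base (for instance an sshd line carrying an extra trailing "port ... ssh2") lands on the non-standardized path, which is where template drift or a new device version shows up first.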
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310688769.2A CN104717085B (en) | 2013-12-16 | 2013-12-16 | A kind of daily record analysis method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310688769.2A CN104717085B (en) | 2013-12-16 | 2013-12-16 | A kind of daily record analysis method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104717085A CN104717085A (en) | 2015-06-17 |
CN104717085B true CN104717085B (en) | 2018-05-01 |
Family
ID=53416080
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310688769.2A Active CN104717085B (en) | 2013-12-16 | 2013-12-16 | A kind of daily record analysis method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104717085B (en) |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105138593A (en) * | 2015-07-31 | 2015-12-09 | 山东蚁巡网络科技有限公司 | Method for extracting log key information in user-defined way by using regular expressions |
CN105389338B (en) * | 2015-10-20 | 2018-09-04 | 北京用友政务软件有限公司 | A kind of analytic method of buying acceptance of the bid data |
CN107025233B (en) * | 2016-01-29 | 2020-04-28 | 苏宁云计算有限公司 | Data feature processing method and device |
CN107070706A (en) * | 2017-03-24 | 2017-08-18 | 中国联合网络通信集团有限公司 | Log processing method and device based on Service-Oriented Architecture Based |
CN110019067B (en) * | 2017-09-26 | 2023-05-30 | 深圳市中兴微电子技术有限公司 | Log analysis method and system |
CN107818150B (en) * | 2017-10-23 | 2021-11-26 | 中国移动通信集团广东有限公司 | Log auditing method and device |
CN108228875B (en) * | 2018-01-18 | 2021-12-14 | 奇安信科技集团股份有限公司 | Log analysis method and device based on perfect hash |
CN109413131A (en) * | 2018-04-28 | 2019-03-01 | 武汉思普崚技术有限公司 | A kind of method and device of log parsing |
CN108735275A (en) * | 2018-05-28 | 2018-11-02 | 重庆浩雅宇殊科技有限公司 | A kind of automatic report preparing system and report-generating method |
CN108712294A (en) * | 2018-06-05 | 2018-10-26 | 陈艳 | A method of network equipment monitoring alarm is realized based on Syslog knowledge bases |
CN108920377B (en) * | 2018-07-16 | 2022-03-04 | 杭州安恒信息技术股份有限公司 | Log playback test method, system and device and readable storage medium |
CN109783459A (en) * | 2019-01-04 | 2019-05-21 | 平安科技(深圳)有限公司 | The method, apparatus and computer readable storage medium of data are extracted from log |
CN110765090B (en) * | 2019-10-31 | 2023-05-02 | 泰康保险集团股份有限公司 | Log data management method and device, storage medium and electronic equipment |
CN112667672A (en) * | 2021-01-06 | 2021-04-16 | 北京启明星辰信息安全技术有限公司 | Log analysis method and analysis device |
CN115686853A (en) * | 2022-11-03 | 2023-02-03 | 北京优特捷信息技术有限公司 | Log element extraction method, device, equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1549160A (en) * | 2003-05-23 | 2004-11-24 | 联想(北京)有限公司 | Equipment daily record real-time analyzing system and journal analyzing method based on card technique |
CN1645336A (en) * | 2005-01-20 | 2005-07-27 | 上海复旦光华信息科技股份有限公司 | Automatic extraction and analysis for formwork based on heterogenerous logbook |
CN101237326A (en) * | 2008-02-29 | 2008-08-06 | 华为技术有限公司 | Method, device and system for real time parsing of device log |
CN101286891A (en) * | 2008-05-30 | 2008-10-15 | 杭州华三通信技术有限公司 | Method and device for parsing system log |
CN102164050A (en) * | 2011-05-16 | 2011-08-24 | 北京星网锐捷网络技术有限公司 | Log parsing method and log parsing node device |
CN102768636A (en) * | 2011-05-05 | 2012-11-07 | 阿里巴巴集团控股有限公司 | Log analysis method and log analysis device |
EP2590102A1 (en) * | 2010-06-30 | 2013-05-08 | Fujitsu Limited | Trail log analysis system, trail log analysis program, and trail log analysis method |
- 2013-12-16 CN CN201310688769.2A patent/CN104717085B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1549160A (en) * | 2003-05-23 | 2004-11-24 | 联想(北京)有限公司 | Equipment daily record real-time analyzing system and journal analyzing method based on card technique |
CN1645336A (en) * | 2005-01-20 | 2005-07-27 | 上海复旦光华信息科技股份有限公司 | Automatic extraction and analysis for formwork based on heterogenerous logbook |
CN101237326A (en) * | 2008-02-29 | 2008-08-06 | 华为技术有限公司 | Method, device and system for real time parsing of device log |
CN101286891A (en) * | 2008-05-30 | 2008-10-15 | 杭州华三通信技术有限公司 | Method and device for parsing system log |
EP2590102A1 (en) * | 2010-06-30 | 2013-05-08 | Fujitsu Limited | Trail log analysis system, trail log analysis program, and trail log analysis method |
CN102768636A (en) * | 2011-05-05 | 2012-11-07 | 阿里巴巴集团控股有限公司 | Log analysis method and log analysis device |
CN102164050A (en) * | 2011-05-16 | 2011-08-24 | 北京星网锐捷网络技术有限公司 | Log parsing method and log parsing node device |
Also Published As
Publication number | Publication date |
---|---|
CN104717085A (en) | 2015-06-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104717085B (en) | A kind of daily record analysis method and device | |
US20200153864A1 (en) | Event integration frameworks | |
EP2244418B1 (en) | Database security monitoring method, device and system | |
US10140453B1 (en) | Vulnerability management using taxonomy-based normalization | |
WO2018006789A1 (en) | Parameter checking method and apparatus, and network management server and computer storage medium | |
CN107733863B (en) | Log debugging method and device under distributed hadoop environment | |
Song | Testing and evaluation system for cloud computing information security products | |
JP2005512196A5 (en) | ||
CN101933003A (en) | Automated application dependency mapping | |
WO2017092447A1 (en) | Method and apparatus for data quality management and control | |
US8700632B2 (en) | Managing heterogeneous data | |
CN104268173A (en) | Centralized data monitoring method, device and system | |
US20140068033A1 (en) | Systems, methods, and articles of manufacture to manage alarm configurations of servers | |
CA2999469A1 (en) | Encryption deployment discovery | |
CN110088744A (en) | A kind of database maintenance method and its system | |
CN111666205A (en) | Data auditing method, system, computer equipment and storage medium | |
CN116137908A (en) | Dynamically determining trust level of end-to-end links | |
CN115982012A (en) | Evaluation model and method for interface management capability maturity | |
JP2016099857A (en) | Fraudulent program handling system and fraudulent program handling method | |
CN109165513B (en) | System configuration information inspection method and device and server | |
CN111209266A (en) | Auditing method and device based on Redis database and electronic equipment | |
CN108549815B (en) | White list library management system and method | |
CN113347060B (en) | Method, device and system for detecting power network fault based on process automation | |
CN114268569B (en) | Configurable network operation and maintenance acceptance test method and device | |
CN114356374A (en) | Vehicle data processing method and device and vehicle |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |