CN106250290A - Analysis method and device for abnormal information - Google Patents

Analysis method and device for abnormal information

Info

Publication number: CN106250290A
Authority: CN (China)
Application number: CN201610632592.8A
Original language: Chinese (zh)
Inventors: 姚捷 (Yao Jie), 吴劼平 (Wu Jieping)
Original assignee: 广州唯品会信息科技有限公司 (Guangzhou Vipshop Information Technology Co., Ltd.)
Prior art keywords: abnormal information, alarm, alarm event, signature information, analysis

Classifications

(CPC; all entries fall under G PHYSICS, G06 COMPUTING; CALCULATING; COUNTING, G06F ELECTRIC DIGITAL DATA PROCESSING)
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G06F11/3055 Monitoring arrangements for monitoring the status of the computing system or of the computing system component, e.g. monitoring if the computing system is on, off, available, not available
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/805 Real-time
    • G06F2201/875 Monitoring of systems including the internet

Abstract

The invention discloses an analysis method for abnormal information. When a server receives, over a data bus, abnormal information sent by a terminal, it grabs the abnormal information from the data bus, where the abnormal information comprises abnormal logs and abnormal events; it extracts alarm rules from a rule base and caches them in memory; it analyzes the grabbed abnormal information according to the alarm rules; and when the analysis result is an alarm event, it reports the alarm event to an alarm receiver. The invention also discloses an analysis device for abnormal information. The invention improves the timeliness, efficiency and accuracy of the analysis of abnormal information.

Description

Analysis method and device for abnormal information
Technical field
The present invention relates to the field of the Internet, and in particular to an analysis method and device for abnormal information.
Background art
When a large-scale distributed server-side software system is in use, unpredictable system exceptions and events occur frequently, and operations and monitoring staff must learn of a system exception before they can take the corresponding repair action. At present, server abnormal information is usually received first, allowed to accumulate to a certain volume, and only then analyzed, so the analysis lags far behind the events; moreover, the analysis of abnormal information is generally done manually, so its efficiency and accuracy are low.
Summary of the invention
The main purpose of the present invention is to propose an analysis method and device for abnormal information, intended to solve the technical problem that the conventional way of analyzing abnormal information has poor real-time performance.
To achieve the above object, the present invention provides an analysis method for abnormal information, which comprises:
when a server receives, over a data bus, abnormal information sent by a terminal, grabbing the abnormal information from the data bus, where the abnormal information comprises abnormal logs and abnormal events;
extracting alarm rules from a rule base and caching them in memory;
analyzing the grabbed abnormal information according to the alarm rules;
when the analysis result is an alarm event, reporting the alarm event to an alarm receiver.
Preferably, the step of analyzing the grabbed abnormal information according to the alarm rules comprises:
the server pushing the grabbed abnormal information into an analysis queue;
comparing the abnormal information in the analysis queue with the alarm rules;
when the key information of an item of abnormal information matches an alarm rule, determining that the abnormal information is an alarm event.
Preferably, before the step of comparing the abnormal information in the analysis queue with the alarm rules, the analysis method further comprises:
the server starting multiple analyzers, so that the abnormal information in the analysis queue is analyzed in parallel by the started analyzers.
Preferably, the step of reporting the alarm event to the alarm receiver when the analysis result is an alarm event comprises:
when the analysis result is an alarm event and there are multiple alarm events, the server generating, from the key information of each alarm event, the signature information corresponding to that alarm event;
caching the signature information of each alarm event, in turn, in a signature information mapping table;
if the signature information of an alarm event is identical to cached signature information, counting the number of such alarm information and reporting a single alarm event to the alarm receiver;
if the signature information of each alarm event differs from all cached signature information, caching the signature information of each alarm event and reporting each alarm event to the alarm receiver.
Preferably, when the time for which cached signature information has been cached reaches a preset duration, the cached signature information is deleted.
In addition, to achieve the above object, the present invention also proposes an analysis device for abnormal information, which comprises:
a grabbing module, for grabbing the abnormal information from the data bus when abnormal information sent by a terminal is received over the data bus, where the abnormal information comprises abnormal logs and abnormal events;
an extraction and caching module, for extracting alarm rules from a rule base and caching them in memory;
an analysis module, for analyzing the grabbed abnormal information according to the alarm rules;
a reporting module, for reporting the alarm event to an alarm receiver when the analysis result is an alarm event.
Preferably, the analysis module comprises:
a push unit, for pushing the grabbed abnormal information into an analysis queue;
a comparison unit, for comparing the abnormal information in the analysis queue with the alarm rules;
a determination unit, for determining that an item of abnormal information is an alarm event when its key information matches an alarm rule.
Preferably, the analysis module further comprises:
a start unit, for starting multiple analyzers so that the abnormal information in the analysis queue is analyzed in parallel by the started analyzers.
Preferably, the reporting module comprises:
a generation unit, for generating, when the analysis result is an alarm event and there are multiple alarm events, the signature information corresponding to each alarm event from the key information of that alarm event;
a caching unit, for caching the signature information of each alarm event, in turn, in a signature information mapping table;
a counting and reporting unit, for counting the number of such alarm information and reporting a single alarm event to the alarm receiver if the signature information of an alarm event is identical to cached signature information;
a caching and reporting unit, for caching the signature information of each alarm event and reporting each alarm event to the alarm receiver if the signature information of each alarm event differs from all cached signature information.
Preferably, the analysis device further comprises:
a deletion module, for deleting cached signature information when the time for which it has been cached reaches a preset duration.
With the analysis method and device for abnormal information proposed by the present invention, when the server receives abnormal information sent by a terminal over the data bus, it grabs that information from the data bus, extracts alarm rules from the rule base and caches them in memory, analyzes the grabbed abnormal information according to those alarm rules, and reports an alarm event to the alarm receiver as soon as the analysis yields one. There is no need to wait until abnormal information has accumulated to a certain volume and then analyze it in one batch: the present invention grabs abnormal information in real time and analyzes it against alarm rules, which improves not only the timeliness of the analysis but also its efficiency and accuracy.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a first embodiment of the analysis method for abnormal information of the present invention;
Fig. 2 is a schematic flow chart of a first embodiment of analyzing the grabbed abnormal information in the present invention;
Fig. 3 is a schematic flow chart of a second embodiment of analyzing the grabbed abnormal information in the present invention;
Fig. 4 is a schematic diagram of one implementation scenario of the present invention;
Fig. 5 is a schematic diagram of another implementation scenario of the present invention;
Fig. 6 is a schematic flow chart of a preferred embodiment of reporting the alarm event to the alarm receiver when the analysis result is an alarm event, in the present invention;
Fig. 7 is a functional block diagram of a first embodiment of the analysis device for abnormal information of the present invention;
Fig. 8 is a first refined functional block diagram of the analysis module in Fig. 7;
Fig. 9 is a second refined functional block diagram of the analysis module in Fig. 7;
Fig. 10 is a refined functional block diagram of the reporting module in Fig. 7.
The realization of the objects, functional features and advantages of the present invention will be described further with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described here are intended only to explain the present invention and not to limit it.
Referring to Fig. 1, Fig. 1 is a schematic flow chart of a first embodiment of the analysis method for abnormal information of the present invention.
In this embodiment, the analysis method for abnormal information comprises:
Step S10: when the server receives, over a data bus, abnormal information sent by a terminal, it grabs the abnormal information from the data bus, where the abnormal information comprises abnormal logs and abnormal events;
In this embodiment, step S10 is preceded by a step in which the terminal sends the abnormal data. The terminal does so as follows: it first produces two kinds of abnormal information, error logs (Error Log) and event logs (Event Log); a collector (Error Log Collector) then gathers the abnormal information and sends it to the server.
In this embodiment, the server first receives the abnormal information sent by the terminal through a centralized data bus; then, when abnormal information is received, a real-time analysis engine grabs it from the data bus. It should be noted that the real-time analysis engine is a horizontally scalable distributed cluster with the ability to grab abnormal information in real time. The abnormal information may be grabbed from the data bus in any of the following ways: grab all of it; grab by preset number, i.e. grab a preset number of items each time; or grab by time of receipt, i.e. grab first the abnormal events that were received first.
Step S20: extract alarm rules from the rule base and cache them in memory;
Step S30: analyze the grabbed abnormal information according to the alarm rules;
Once abnormal information has been grabbed from the data bus, alarm rules are extracted from the rule base and cached in memory, and the abnormal information grabbed from the data bus is analyzed according to those alarm rules. It should be understood that extracting the alarm rules from the rule base and caching them in memory makes it convenient to determine the type of an alarm event later.
In this embodiment, to improve the accuracy of the analysis, and with reference to Fig. 2, step S30 comprises:
Step S31: the server pushes the grabbed abnormal information into an analysis queue;
In this embodiment, when abnormal information has been grabbed from the data bus, it is first pushed into the analysis queue. It can be understood that pushing the abnormal information into the queue means that each item is analyzed in order, which avoids random extraction and at the same time avoids the same item being extracted twice.
Step S32: compare the abnormal information in the analysis queue with the alarm rules;
Step S33: when the key information of an item of abnormal information matches an alarm rule, determine that the abnormal information is an alarm event.
The abnormal information in the analysis queue is then compared with the alarm rules. Specifically, the key information in the abnormal information is extracted; the key information comprises the type of the abnormal information, the rule field and the source of the abnormal information. On the basis of this key information the abnormal information is compared with the alarm rules, and when the key information of an item matches an alarm rule, the item is determined to be an alarm event. The type of the alarm event is then determined further, specifically from the alarm rule: for example, if the key information of an alarm event matches a given alarm rule, the alarm event is of the type corresponding to that rule.
Further, to improve the efficiency of the analysis, and with reference to Fig. 3, step S30 also comprises, before step S32:
Step S34: the server starts multiple analyzers, so that the abnormal information in the analysis queue is analyzed in parallel by the started analyzers.
In this embodiment, before the abnormal information in the analysis queue is compared with the alarm rules, the server first starts multiple analyzers and then analyzes the abnormal information in parallel with the started analyzers.
Step S40: when the analysis result is an alarm event, report the alarm event to the alarm receiver.
In this embodiment, when the analysis result is an alarm event, the alarm event is reported to the alarm receiver together with the type of alarm event determined above.
Specifically, step S40 comprises:
pushing the generated alarm event into a send queue;
extracting the alarm event from the send queue and reporting it to the alarm receiver.
For a better understanding of this embodiment, an example is given with reference to Fig. 4. The client (i.e. the terminal) produces two types of abnormal information, Error Log (error logs) and Event Log (event logs), which an Error Log Collector (collector) gathers and sends to the server. The server receives all abnormal logs and abnormal events through a Log Data Bus (centralized log data bus); an Error Log Analyzer (real-time analysis engine) grabs the abnormal logs and abnormal events from the data bus in real time and analyzes them quickly, and when the analysis yields an alarm event, the alarm event is pushed into the Alert Repository (alarm record database). It should be understood that all generated alarm information is stored in the alarm record database in a standard data format.
The way the real-time analysis engine analyzes abnormal logs and abnormal events is shown in Fig. 5. As shown in Fig. 5, the Acceptor component of the Error Log Analyzer (real-time analysis engine) continuously pulls log data from the Log Data Bus. To improve overall analysis performance, the pulled logs are first pushed into a log queue, Log Channel (i.e. the analysis queue). An Analysis Manager (analysis task manager) is responsible for consuming the abnormal information in the Log Channel and carrying out the high-performance analysis of the abnormal logs: it determines the volume of abnormal information, decides from that volume how many Analysis Workers (analyzers) to launch, reads the rules from the Rule Repository (rule base), and starts multiple Analysis Workers so that each Analysis Worker grabs different abnormal information and they analyze in parallel. When the analysis produces an alarm, an alarm event of standard structure is built and sent to the alarm event queue, Alert Event Channel (i.e. the send queue); finally an Alert Reporting Worker reports the generated alarm events to the monitoring center or another alarm receiver.
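The pipeline of steps S31 to S34 and the Fig. 5 walkthrough above (Acceptor, Log Channel, Analysis Manager sizing a pool of Analysis Workers, rules cached from the Rule Repository, Alert Event Channel) can be exercised end to end in a few dozen lines. The following is an added example written for this page; it is not code from the patent or its assignee. The rule format, the key-field names (type, rule_field, source), the sample bus records, the worker-sizing policy and all function names are assumptions made for illustration.

```python
"""Rule-driven real-time analysis of abnormal information pulled from a data bus.

Added example, not code from the patent or its assignee. Rule format, field
names, sample records and worker sizing are assumptions for illustration.
"""
import queue
import threading

# Key information the text matches against rules: type, rule field and source.
KEY_FIELDS = ("type", "rule_field", "source")

# Rule base contents (assumed format). Each rule lists the key-field values an
# item must carry and the alarm type it maps to. Rules are loaded once and kept
# in memory; workers never go back to the repository per record.
RULE_REPOSITORY = [
    {"id": "R1", "match": {"type": "error_log", "rule_field": "db_timeout"},
     "alarm_type": "DB_TIMEOUT"},
    {"id": "R2", "match": {"type": "event_log", "rule_field": "auth_failure",
                           "source": "gateway"},
     "alarm_type": "AUTH_FAILURE"},
]

# Constructed records, as an Error Log Collector might place them on the bus.
SAMPLE_BUS_RECORDS = [
    {"type": "error_log", "rule_field": "db_timeout", "source": "order-svc-01",
     "msg": "SQLTimeout after 30s"},
    {"type": "event_log", "rule_field": "auth_failure", "source": "gateway",
     "msg": "invalid token for user 4711"},
    {"type": "event_log", "rule_field": "auth_failure", "source": "app-02",
     "msg": "bad password"},            # R2 requires source gateway: no alarm
    {"type": "error_log", "rule_field": "null_pointer", "source": "cart-svc",
     "msg": "NPE in CartService"},      # no rule for this field: no alarm
]


def extract_key_info(record):
    """Keep only the key fields; the free-text message never reaches the matcher."""
    return {k: record.get(k) for k in KEY_FIELDS}


def match_rule(record, rules):
    """Return the first rule whose every listed field equals the record's key info."""
    key = extract_key_info(record)
    for rule in rules:
        if all(key.get(f) == v for f, v in rule["match"].items()):
            return rule
    return None


def build_alarm_event(record, rule):
    """Alarm event of fixed structure; the matching rule decides its type."""
    return {"alarm_type": rule["alarm_type"], "rule_id": rule["id"],
            **extract_key_info(record)}


def choose_worker_count(n_records, per_worker=2, max_workers=8):
    """Assumed sizing policy: one worker per `per_worker` queued items, capped."""
    return max(1, min(max_workers, -(-n_records // per_worker)))


class AnalysisEngine:
    """Acceptor -> Log Channel -> N Analysis Workers -> Alert Event Channel."""

    def __init__(self, rules):
        self.rules = list(rules)              # cached rule base
        self.log_channel = queue.Queue()      # analysis queue
        self.alert_channel = queue.Queue()    # send queue

    def _worker(self):
        while True:
            record = self.log_channel.get()
            if record is None:                # sentinel: no more work
                self.log_channel.task_done()
                return
            rule = match_rule(record, self.rules)
            if rule is not None:
                self.alert_channel.put(build_alarm_event(record, rule))
            self.log_channel.task_done()

    def analyze(self, bus_records):
        """Queue the grabbed records, analyze them in parallel, drain the alarms."""
        records = list(bus_records)
        workers = [threading.Thread(target=self._worker)
                   for _ in range(choose_worker_count(len(records)))]
        for w in workers:
            w.start()
        for record in records:                # acceptor pushes in arrival order
            self.log_channel.put(record)
        for _ in workers:
            self.log_channel.put(None)
        for w in workers:
            w.join()
        alarms = []
        while not self.alert_channel.empty():
            alarms.append(self.alert_channel.get())
        # Workers finish in any order; sort so the reporting step is deterministic.
        return sorted(alarms, key=lambda a: (a["rule_id"], a["source"]))


def analyze_sample():
    return AnalysisEngine(RULE_REPOSITORY).analyze(SAMPLE_BUS_RECORDS)


if __name__ == "__main__":
    for alarm in analyze_sample():
        print(alarm)
```

Two points a practitioner would check in a deployment of this design: the matcher compares only the extracted key fields, so a rule cannot be satisfied or evaded by content in the free-text message, and the queue plus sentinel scheme guarantees every grabbed record is analyzed exactly once even though the workers run in parallel.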
With the analysis method for abnormal information proposed in this embodiment, when the server receives abnormal information sent by a terminal over the data bus, it grabs that information from the data bus, extracts alarm rules from the rule base and caches them in memory, analyzes the grabbed abnormal information according to those alarm rules, and reports an alarm event to the alarm receiver as soon as the analysis yields one. There is no need to wait until abnormal information has accumulated to a certain volume and then analyze it in one batch: the present invention grabs abnormal information in real time and analyzes it against alarm rules, which improves not only the timeliness of the analysis but also its efficiency and accuracy.
It can be understood that this embodiment provides the ability to analyze abnormal logs and abnormal events in real time in a production environment and to raise alarms: it monitors the data bus, analyzes the monitored data, applies the configured alarm policies and rules, and alarms promptly, so that abnormal logs and abnormal events are analyzed in real time and an alarm is generated at the first moment, helping monitoring staff detect system anomalies quickly.
Further, to make the analysis of abnormal information more intelligent, a second embodiment of the analysis method for abnormal information is proposed on the basis of the first embodiment. In this embodiment, with reference to Fig. 6, step S40 comprises:
Step S41: when the analysis result is an alarm event and there are multiple alarm events, the server generates, from the key information of each alarm event, the signature information corresponding to that alarm event;
Step S42: cache the signature information of each alarm event, in turn, in a signature information mapping table;
Step S43: if the signature information of an alarm event is identical to cached signature information, count the number of such alarm information and report a single alarm event to the alarm receiver;
Step S44: if the signature information of each alarm event differs from all cached signature information, cache the signature information of each alarm event and report each alarm event to the alarm receiver.
In this embodiment, when the analysis result is an alarm event and there are multiple alarm events, the server first generates, from the key information of each alarm event, the signature information corresponding to that alarm event; in this embodiment the signature information is preferably a hash signature. The signature information of each alarm event is then cached, in turn, in the signature information mapping table. At this point the server checks whether the alarm event is already held in the signature information mapping table, i.e. whether the signature information of the alarm event is identical to signature information cached earlier. If it is, the number of such alarm information is counted: the alarm event is judged identical to earlier alarm information and need not be reported repeatedly, so only one of these alarm events is reported to the alarm receiver.
If the signature information of each alarm event differs from all cached signature information, each alarm event is of a unique type; the signature information of each alarm event is then cached in the signature information mapping table, and every alarm event is reported to the alarm receiver.
This embodiment amounts to performing a convergence operation on the alarm events. Convergence prevents the server from receiving a large number of identical alarms in an instant; without a convergence mechanism the alarm engine would face the risk of producing a large number of alarm events in a moment. In this embodiment, therefore, the same exception occurring on multiple hosts at the same moment can be converged, avoiding large numbers of repeated alarms and making the reporting of alarm information more intelligent.
Further, to improve the timeliness of alarm reporting, when the time for which signature information has been cached reaches a preset duration, the cached signature information is deleted.
That is, the signature information of each alarm event is cached only for a preset period, for example 10 seconds. Within those 10 seconds, if the signature information of another alarm event is identical to the cached signature information, the alarm event is considered already reported and is not reported again. Once cached signature information has been cached for more than 10 seconds it is deleted, so that if alarm information is received later whose signature information is identical to the deleted cached signature information, the new alarm information is again considered to need reporting, and its signature information is cached again.
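Steps S41 to S44 and the 10-second cache window described above amount to a deduplication table keyed by a hash of the alarm's key information. The following is an added example written for this page; it is not code from the patent or its assignee. The choice of fields that enter the signature, the SHA-256 digest, the injectable clock, the sample alarm events and all function and class names are assumptions made for illustration. The example goes slightly beyond the text in two ways a practitioner would want: it canonicalizes the key fields before hashing so that field order cannot split one alarm into two signatures, and it returns the running count for the window so that the volume of suppressed alarms is not lost.

```python
"""Alarm convergence by hash signature with a time-limited signature cache.

Added example, not code from the patent or its assignee. The signature fields,
the 10 s window, the fake clock and the sample alarms are assumptions.
"""
import hashlib
import json
import time


def alarm_signature(alarm, fields):
    """Hash signature over the chosen key fields of an alarm event.

    The fields are serialized canonically (sorted keys, no whitespace) so that
    the same key information always yields the same digest regardless of the
    order in which the event's fields were populated.
    """
    canonical = json.dumps({f: alarm.get(f) for f in fields},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AlarmConverger:
    """Signature information mapping table with a preset cache duration."""

    def __init__(self, fields, ttl_seconds=10.0, clock=time.monotonic):
        self.fields = tuple(fields)
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable, so expiry can be tested
        self._table = {}                   # signature -> {"first_seen", "count"}

    def _expire(self, now):
        """Delete entries whose cache duration has reached the preset TTL."""
        stale = [s for s, e in self._table.items()
                 if now - e["first_seen"] >= self.ttl]
        for s in stale:
            del self._table[s]

    def submit(self, alarm):
        """Return (report, count).

        report is True when this alarm must be sent to the alarm receiver;
        count is how many alarms with this signature fell into the current window.
        """
        now = self.clock()
        self._expire(now)
        sig = alarm_signature(alarm, self.fields)
        entry = self._table.get(sig)
        if entry is not None:              # already reported within the window
            entry["count"] += 1
            return False, entry["count"]
        self._table[sig] = {"first_seen": now, "count": 1}
        return True, 1


class FakeClock:
    """Manual clock so the window expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Constructed scenario: the same exception on two hosts, then the window expires."""
    clock = FakeClock()
    # The signature deliberately omits `source`, so the same exception raised on
    # different hosts converges to one alarm, as the text describes.
    conv = AlarmConverger(fields=("alarm_type", "rule_field"),
                          ttl_seconds=10.0, clock=clock)
    host1 = {"alarm_type": "DB_TIMEOUT", "rule_field": "db_timeout",
             "source": "order-svc-01"}
    host2 = dict(host1, source="order-svc-02")
    results = [conv.submit(host1)]      # first occurrence: reported
    clock.advance(1.0)
    results.append(conv.submit(host1))  # same signature again: suppressed
    clock.advance(1.0)
    results.append(conv.submit(host2))  # other host, same signature: suppressed
    clock.advance(10.0)                 # cache duration for this signature reached
    results.append(conv.submit(host1))  # reported again with a fresh count
    return results


if __name__ == "__main__":
    for reported, count in demo():
        print("report" if reported else "suppress", count)
```

Which fields enter the signature decides what converges: the text lists type, rule field and source as the key information, and including the source gives one alarm per host, while leaving it out (as in `demo`) gives one alarm across all hosts showing the same exception. Whatever the choice, the count returned for a suppressed alarm is the only record of how large the burst was, so a deployment should carry it into the reported event or emit it when the window closes.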
The present invention further provides the analytical equipment of a kind of abnormal information.
High-level schematic functional block diagram with reference to the analytical equipment first embodiment that Fig. 7, Fig. 7 are abnormal information of the present invention.
It is emphasized that it will be apparent to those skilled in the art that functional block diagram shown in Fig. 7 is only a preferable reality Executing the exemplary plot of example, those skilled in the art, can be easily around the functional module of the analytical equipment of the abnormal information shown in Fig. 7 Carry out supplementing of new functional module;The title of each functional module is self-defined title, is only used for auxiliary and understands this abnormal information Each program function block of analytical equipment, be not used in restriction technical scheme, the core of technical solution of the present invention is, The function that the functional module of each self-defined title is to be reached.
In the present embodiment, the analytical equipment of described abnormal information includes:
Handling module 10, for when receiving, by data/address bus, the abnormal information that terminal sends, capturing described data total Abnormal information in line, wherein, abnormal information includes abnormal log and anomalous event;
In the present embodiment, handling module 10 by data/address bus receive terminal send abnormal information before, terminal First sending abnormal data, described terminal sends the mode of abnormal data and includes: described terminal first produces two kinds of abnormal letter Breath, including error log (Error Log) and event log (Event Log), then by a catcher (Error Log Collector) server it is sent to after abnormal information being collected.
In the present embodiment, handling module 10 first passes through the data/address bus of centralization and receives the abnormal information that terminal sends, Then, when receiving abnormal information, the abnormal information in described data/address bus is captured.Described handling module 10 captures described number Include according to the mode of the abnormal information in bus: all capture;Capture according to predetermined number, capture the different of predetermined number the most every time Often information;Capture according to the time of reception, i.e. first capture according to the anomalous event first received.
Extract cache module 20, for extracting alarm regulation from rule base, and be cached in internal memory;
Analyze module 30, for the described abnormal information captured being analyzed according to described alarm regulation;
When handling module 10 grabs abnormal information in described data/address bus, extract cache module 20 again from rule base Extract alarm regulation, and be cached in internal memory, then analyze module 30 according to described alarm regulation to capturing described data/address bus In abnormal information be analyzed.It should be appreciated that extract alarm regulation from rule base, and it is cached in internal memory, it is simple to The follow-up type determining alarm event.
In the present embodiment, in order to improve the accuracy of information analysis, with reference to Fig. 8, described analysis module 30 includes:
Push unit 31, for being pushed to analyze in queue by the described abnormal information captured;
In the present embodiment, when grabbing abnormal information in described data/address bus, the institute that push unit 31 first will capture State abnormal information to be pushed to analyze in queue, it is to be understood that abnormal information is pushed in transmit queue by push unit 31, Each abnormal information is analyzed the most successively, it is to avoid randomly draw, meanwhile, also avoids abnormal information to extract Repeat extraction.
Comparing unit 32, for comparing the abnormal information in described analysis queue with described alarm regulation;
Determine unit 33, for when the key message having abnormal information mates with alarm regulation, determine described abnormal letter Breath is alarm event.
Then, the abnormal information in described analysis queue is compared, specifically by comparing unit 32 with described alarm regulation Ground: extract the key message in abnormal information, described key message includes the type of abnormal information, rule field and abnormal letter The source of breath, according to these key messages, described abnormal information is compared by comparing unit 32 with alarm regulation, is having exception When the key message of information mates with alarm regulation, determine that unit 33 determines that described abnormal information is alarm event, and further Ground determines the type of alarm event, determines with specific reference to alarm regulation, such as, and the key message in alarm event and alarm regulation Coupling, then this alarm event is exactly the type that this alarm regulation is corresponding.
Further, in order to improve the efficiency that abnormal information is analyzed, with reference to Fig. 9, described analysis module 30 also includes:
Start unit 34, is used for starting multiple analyzer, in order to according to each analyzer parallel parsing started Analyze the abnormal information in queue.
In the present embodiment, the abnormal information in described analysis queue is compared by comparing unit 32 with described alarm regulation To before, start unit 34 opens and first moves multiple analyzer, then according to letter abnormal described in each analyzer parallel parsing started Breath.
Reporting module 40, for when analysis result is alarm event, reports to alarm event alert reception source.
In the present embodiment, when analysis result is alarm event, described reporting module 40 according to above-mentioned it has been determined that The type of alarm event, reports to described alarm event alert in reception source.
Specifically, described reporting module 40 is used for:
The alarm event of generation is pushed in transmit queue;
From transmit queue, extract alarm event and report to alert reception source.
To better understand the present embodiment, an example is given below with reference to Fig. 4. The client (i.e. the terminal) can produce abnormal information of two types, Error Log and Event Log; an Error Log Collector collects this abnormal information and sends it to the server. The server receives all abnormal logs/abnormal events through a Log Data Bus (a centralized log data bus); the Error Log Analyzer (real-time analysis engine) captures the abnormal logs/abnormal events from the data bus in real time and analyzes them quickly, and when the analysis produces an alarm event it can be pushed into the Alert Repository (alarm record database). It should be understood that all warning information produced from alarm events is stored in the alarm record database in a standard data format.
The specific way the real-time analysis engine analyzes abnormal logs/abnormal events is shown in Fig. 5. As shown in Fig. 5, the Acceptor component of the Error Log Analyzer (real-time analysis engine) continuously pulls log data from the Log Data Bus. To improve overall analysis performance, the pulled logs are first pushed into a log queue, the Log Channel (i.e. the analysis queue). The Analysis Manager (analysis task manager) is then responsible for consuming the abnormal information in the Log Channel and performing high-performance abnormal log analysis: it determines the data volume of the abnormal information, determines from that volume the number of Analysis Workers (analyzers) to be started, reads the rules from the Rule Repository (rule base), starts multiple Analysis Workers, and lets each Analysis Worker capture different abnormal information and analyze it in parallel. When the analysis produces an alarm, a structured alarm event in the standard form is sent into the alarm event queue, the Alert Event Channel (i.e. the transmit queue), and finally an Alert Reporting Worker reports the generated alarm event to the monitoring center or other alarm reception source.
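The Fig. 4/Fig. 5 pipeline just described (the Acceptor feeding an analysis queue, alarm rules loaded from the rule base into memory, a manager that sizes the analyzer pool from the queued data volume, parallel analyzers matching the key message of each record against the rules, and an alert queue drained by a reporting worker), as an added Python example; this is not the patent's own code. The record fields, the rule format, the two-records-per-analyzer sizing ratio, and the sample records are constructed assumptions for illustration.

```python
import queue
import threading

# Constructed sample records of the two types the terminal sends (Error Log / Event Log).
SAMPLE_RECORDS = [
    {"type": "error_log", "host": "web-01", "level": "ERROR", "msg": "db connection refused"},
    {"type": "event_log", "host": "web-02", "level": "INFO",  "msg": "user login ok"},
    {"type": "error_log", "host": "web-03", "level": "FATAL", "msg": "out of memory"},
    {"type": "event_log", "host": "web-01", "level": "WARN",  "msg": "disk usage 91%"},
]

# Stand-in for the Rule Repository; load_rules() is the "extract and cache in memory" step.
RULE_REPOSITORY = [
    {"name": "error-level",  "key": "level", "values": ["ERROR", "FATAL"]},
    {"name": "disk-warning", "key": "msg",   "substring": "disk usage"},
]

def load_rules(repository):
    """Copy rules from the repository into an in-memory list (the alarm-rule cache)."""
    return [dict(rule, values=set(rule.get("values", []))) for rule in repository]

def match_rule(record, rule):
    """Key-message match: exact membership for value lists, substring match otherwise."""
    value = str(record.get(rule["key"], ""))
    if rule["values"]:
        return value in rule["values"]
    return rule.get("substring", "") in value

def analyze(record, rules):
    """Return a standard-form alarm event for the first matching rule, else None."""
    for rule in rules:
        if match_rule(record, rule):
            return {"rule": rule["name"], "host": record["host"], "msg": record["msg"]}
    return None

def worker_count(volume, per_worker=2, max_workers=8):
    """Manager decision (assumed ratio): one analyzer per `per_worker` queued records, capped."""
    return max(1, min(max_workers, -(-volume // per_worker)))  # ceiling division

def run_pipeline(records, repository):
    """Acceptor -> Log Channel -> Analysis Manager/Workers -> Alert Event Channel -> reporter."""
    rules = load_rules(repository)
    analysis_queue = queue.Queue()   # Log Channel (analysis queue)
    alert_queue = queue.Queue()      # Alert Event Channel (transmit queue)
    for record in records:           # the Acceptor pushes pulled logs into the queue
        analysis_queue.put(record)
    n_workers = worker_count(analysis_queue.qsize())
    for _ in range(n_workers):       # one stop sentinel per analyzer
        analysis_queue.put(None)

    def analysis_worker():
        while True:
            record = analysis_queue.get()
            if record is None:
                return
            event = analyze(record, rules)
            if event is not None:
                alert_queue.put(event)

    workers = [threading.Thread(target=analysis_worker) for _ in range(n_workers)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()

    reported = []                    # the Alert Reporting Worker drains the transmit queue;
    while not alert_queue.empty():   # this list stands in for the alarm reception source
        reported.append(alert_queue.get())
    return reported, n_workers

if __name__ == "__main__":
    events, n = run_pipeline(SAMPLE_RECORDS, RULE_REPOSITORY)
    print(f"{n} analyzers started, {len(events)} alarm events reported")
    for event in events:
        print(event)
```

Because several analyzers consume the same queue, the order in which alarm events reach the transmit queue is not fixed; anything downstream that relies on ordering (the convergence step of the second embodiment, for instance) should key on the event's content rather than its position.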
In the analytical device of abnormal information proposed by the present embodiment, when the server receives abnormal information sent by a terminal through the data bus, it captures the abnormal information on the data bus, extracts the alarm rules from the rule base and caches them in memory, then analyzes the captured abnormal information according to the alarm rules, and when the analysis result is an alarm event reports the alarm event to the alarm reception source. There is no need to accumulate a certain amount of abnormal information before analyzing it all at once: the present invention captures abnormal information in real time and analyzes the captured abnormal information using the alarm rules, which not only improves the real-time nature of abnormal-information analysis but also improves its efficiency and accuracy.
It can be understood that the present embodiment provides the ability to analyze abnormal logs and abnormal events in a production environment in real time and to raise alarms: the data bus is monitored, the monitored data is analyzed, warning strategies and rules are configured, and alarms are raised promptly. This achieves real-time analysis of abnormal logs and abnormal events, generates an alarm at the first moment, and helps monitoring personnel quickly detect abnormalities in the system.
Further, to improve the intelligence of abnormal-information analysis, a second embodiment of the analytical device of abnormal information of the present invention is proposed on the basis of the first embodiment. In the present embodiment, with reference to Figure 10, reporting module 40 includes:
Signal generating unit 41, used, when the analysis result is an alarm event and multiple alarm events are included, to generate the signature information (the "signing messages" of the claims) corresponding to each alarm event from the key message of each alarm event;
Buffer unit 42, used to cache the signature information corresponding to each alarm event in turn into a signature-information mapping table;
Accumulate-and-report unit 43, used, if the signature information corresponding to an alarm event is consistent with cached signature information, to accumulate the number of such warning information and report a single alarm event to the alarm reception source;
Cache-and-report unit 44, used, if the signature information corresponding to each alarm event is inconsistent with all cached signature information, to cache the signature information corresponding to each alarm event and report each alarm event to the alarm reception source.
In the present embodiment, when the analysis result is an alarm event and multiple alarm events are included, signal generating unit 41 first generates the signature information corresponding to each alarm event from the key message of each alarm event. In the present embodiment the signature information is preferably a Hash signature; buffer unit 42 then caches the signature information corresponding to each alarm event in turn into the signature-information mapping table. At this point it is determined whether the alarm event is already held in the signature-information mapping table, i.e. whether the signature information corresponding to the alarm event is consistent with signature information cached earlier. If it is consistent, accumulate-and-report unit 43 accumulates the number of such warning information; this means the alarm event is consistent with earlier warning information and need not be reported repeatedly, and it is enough to report one of the alarm events to the alarm reception source.
If the signature information corresponding to each alarm event is inconsistent with all cached signature information, each alarm event is of a unique type; cache-and-report unit 44 then caches the signature information corresponding to each alarm event into the signature-information mapping table and reports every alarm event to the alarm reception source.
In the present embodiment this amounts to performing a convergence operation on alarm events. Convergence prevents the server from receiving a large number of identical alarms in an instant; without a convergence mechanism the alarm engine would face the risk of producing a large number of alarm events at one moment. Therefore, in this implementation, the same abnormality occurring on multiple hosts at the same moment can be converged, avoiding a large number of repeated alarms and thus improving the intelligence with which warning information is reported.
Further, to improve the real-time nature of alarm event reporting, the analytical device of abnormal information also includes:
Removing module, used to delete the cached signature information when the caching duration of the cached signature information reaches a preset duration.
That is, the signature information of each alarm event is only cached for a preset time period, for example 10 seconds. Within these 10 seconds, if the signature information of another alarm event is consistent with the cached signature information, the alarm event is considered already reported and need not be reported again. If the caching duration of the cached signature information exceeds 10 seconds, the removing module deletes the cached signature information; when warning information is subsequently received again, even if the signature information corresponding to the newly received warning information is consistent with the deleted cached signature information, the current warning information is considered to need reporting, and the signature information corresponding to the newly received warning information is cached again.
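The convergence mechanism of the second embodiment (a hash signature over the key message of each alarm event, a mapping table keyed by signature, accumulation of repeats with a single report per signature, and deletion of the cached signature once its caching duration reaches the preset 10 seconds), as an added Python example; this is not the patent's own code. The choice of key fields, the use of SHA-256 as the hash, and the injectable clock (so the expiry can be exercised without waiting) are assumptions.

```python
import hashlib
import json
import time

class AlertConvergence:
    """Collapse alarm events that share a signature within a preset caching window."""

    def __init__(self, window_seconds=10.0, clock=time.monotonic):
        self.window = window_seconds   # preset caching duration (10 s in the text)
        self.clock = clock             # injectable for deterministic testing
        self.table = {}                # signature -> {"first_seen": t, "count": n}

    @staticmethod
    def signature(event, key_fields=("rule", "host", "msg")):
        """Hash only the key message; timestamps, ids etc. are left out so repeats hash alike."""
        material = json.dumps({k: event.get(k) for k in key_fields}, sort_keys=True)
        return hashlib.sha256(material.encode("utf-8")).hexdigest()

    def _expire(self, now):
        """Removing module: drop entries whose caching duration has reached the window."""
        stale = [sig for sig, entry in self.table.items()
                 if now - entry["first_seen"] >= self.window]
        for sig in stale:
            del self.table[sig]

    def submit(self, events):
        """Return the events to report; events whose signature is cached are only counted."""
        now = self.clock()
        self._expire(now)
        to_report = []
        for event in events:
            sig = self.signature(event)
            entry = self.table.get(sig)
            if entry is None:                       # unique type: cache it and report it
                self.table[sig] = {"first_seen": now, "count": 1}
                to_report.append(event)
            else:                                   # consistent with a cached signature:
                entry["count"] += 1                 # accumulate, do not report again
        return to_report

    def repeat_count(self, event):
        """How many times an event with this signature was seen in the current window."""
        entry = self.table.get(self.signature(event))
        return entry["count"] if entry else 0

if __name__ == "__main__":
    conv = AlertConvergence()
    # Constructed burst: the same failure on two hosts, the first host repeating.
    burst = [
        {"rule": "error-level", "host": "web-01", "msg": "db connection refused", "ts": 1},
        {"rule": "error-level", "host": "web-01", "msg": "db connection refused", "ts": 2},
        {"rule": "error-level", "host": "web-02", "msg": "db connection refused", "ts": 2},
    ]
    for event in conv.submit(burst):
        print("report:", event["host"], "x", conv.repeat_count(event))
```

The count is kept per signature so the single report can carry how many repeats it stands for; whether "host" belongs in the key fields decides whether the same fault on many hosts converges to one alarm or one alarm per host, which the text leaves to the deployment.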
It should be noted that in this document the terms "include", "comprise" or any other variants thereof are intended to be non-exclusive, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or system. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the merits of the embodiments.
The above are only the preferred embodiments of the present invention and do not thereby limit the scope of the claims of the present invention. Any equivalent structure or equivalent process transformation made using the contents of the description and accompanying drawings of the present invention, or direct or indirect use in other related technical fields, is likewise included in the scope of patent protection of the present invention.

Claims (10)

1. An analysis method of abnormal information, characterized in that the analysis method of abnormal information includes:
when the server receives, through a data bus, abnormal information sent by a terminal, capturing the abnormal information on the data bus, wherein the abnormal information includes abnormal logs and abnormal events;
extracting alarm rules from a rule base and caching them in memory;
analyzing the captured abnormal information according to the alarm rules;
when the analysis result is an alarm event, reporting the alarm event to an alarm reception source.
2. The analysis method of abnormal information as claimed in claim 1, characterized in that the step of analyzing the captured abnormal information according to the alarm rules includes:
the server pushing the captured abnormal information into an analysis queue;
comparing the abnormal information in the analysis queue with the alarm rules;
when the key message of an item of abnormal information matches an alarm rule, determining that the abnormal information is an alarm event.
3. The analysis method of abnormal information as claimed in claim 2, characterized in that, before the step of comparing the abnormal information in the analysis queue with the alarm rules, the analysis method of abnormal information also includes:
the server starting multiple analyzers so that the abnormal information in the analysis queue is analyzed in parallel by each started analyzer.
4. The analysis method of abnormal information as claimed in any one of claims 1-3, characterized in that the step of reporting the alarm event to the alarm reception source when the analysis result is an alarm event includes:
when the analysis result is an alarm event and multiple alarm events are included, the server generating the signing messages corresponding to each alarm event according to the key message of each alarm event;
caching the signing messages corresponding to each alarm event in turn into a signing messages mapping table;
if the signing messages corresponding to an alarm event are consistent with cached signing messages, accumulating the number of such warning information and reporting one alarm event to the alarm reception source;
if the signing messages corresponding to each alarm event are inconsistent with all cached signing messages, caching the signing messages corresponding to each alarm event and reporting each alarm event to the alarm reception source.
5. The analysis method of abnormal information as claimed in claim 4, characterized in that, when the caching duration of the cached signing messages reaches a preset duration, the cached signing messages are deleted.
6. An analytical device of abnormal information, characterized in that the analytical device of abnormal information includes:
a handling module, for capturing the abnormal information on the data bus when abnormal information sent by a terminal is received through the data bus, wherein the abnormal information includes abnormal logs and abnormal events;
an extract-and-cache module, for extracting alarm rules from a rule base and caching them in memory;
an analysis module, for analyzing the captured abnormal information according to the alarm rules;
a reporting module, for reporting the alarm event to an alarm reception source when the analysis result is an alarm event.
7. The analytical device of abnormal information as claimed in claim 6, characterized in that the analysis module includes:
a push unit, for pushing the captured abnormal information into an analysis queue;
a comparing unit, for comparing the abnormal information in the analysis queue with the alarm rules;
a determining unit, for determining that an item of abnormal information is an alarm event when its key message matches an alarm rule.
8. The analytical device of abnormal information as claimed in claim 7, characterized in that the analysis module also includes:
a start unit, for starting multiple analyzers so that the abnormal information in the analysis queue is analyzed in parallel by each started analyzer.
9. The analytical device of abnormal information as claimed in any one of claims 6-8, characterized in that the reporting module includes:
a signal generating unit, for generating, when the analysis result is an alarm event and multiple alarm events are included, the signing messages corresponding to each alarm event according to the key message of each alarm event;
a buffer unit, for caching the signing messages corresponding to each alarm event in turn into a signing messages mapping table;
an accumulate-and-report unit, for accumulating the number of such warning information and reporting one alarm event to the alarm reception source if the signing messages corresponding to an alarm event are consistent with cached signing messages;
a cache-and-report unit, for caching the signing messages corresponding to each alarm event and reporting each alarm event to the alarm reception source if the signing messages corresponding to each alarm event are inconsistent with all cached signing messages.
10. The analytical device of abnormal information as claimed in claim 9, characterized in that the analytical device of abnormal information also includes:
a removing module, for deleting the cached signing messages when the caching duration of the cached signing messages reaches a preset duration.
CN201610632592.8A 2016-08-03 2016-08-03 The analysis method and device of abnormal information CN106250290A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610632592.8A CN106250290A (en) 2016-08-03 2016-08-03 The analysis method and device of abnormal information


Publications (1)

Publication Number Publication Date
CN106250290A true CN106250290A (en) 2016-12-21

Family

ID=58077450


Country Status (1)

Country Link
CN (1) CN106250290A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107704332A (en) * 2017-09-28 2018-02-16 努比亚技术有限公司 Freeze screen solution method, mobile terminal and computer-readable recording medium
CN107748712A (en) * 2017-11-03 2018-03-02 郑州云海信息技术有限公司 A kind of log automatic analyzing method based on Linux system
CN108304723A (en) * 2018-01-17 2018-07-20 链家网(北京)科技有限公司 A kind of anomaly detection method and device
CN108551444A (en) * 2018-03-30 2018-09-18 新华三信息安全技术有限公司 A kind of log processing method, device and equipment
CN109041090A (en) * 2018-08-21 2018-12-18 京信通信系统(中国)有限公司 Abnormality eliminating method, device and electronic equipment based on base station

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170455A (en) * 2007-11-20 2008-04-30 中兴通讯股份有限公司 Automatic reporting method and device for exception information
CN104104734A (en) * 2014-08-04 2014-10-15 浪潮(北京)电子信息产业有限公司 Log analysis method and device
CN104133986A (en) * 2014-07-10 2014-11-05 国家电网公司 Multi-business-object-oriented distribution network warning information integrated rational analysis method
US20150135312A1 (en) * 2012-08-31 2015-05-14 Hitachi, Ltd. Service performance monitoring method
CN105427545A (en) * 2015-12-30 2016-03-23 山东中创软件商用中间件股份有限公司 Drools-based equipment warning management method and device
CN105430681A (en) * 2015-11-04 2016-03-23 努比亚技术有限公司 Automatic abnormity upload and recovery methods, automatic abnormity upload device and mobile terminal

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20171219

Address after: 510000 Guangzhou City, Guangzhou, Guangdong, Fangcun Avenue, one of the 314 self compiled

Applicant after: Guangzhou Pinwei Software Co., Ltd.

Address before: Liwan District Fangcun Huahai street Guangzhou city Guangdong province 510000 No. 20 self 1-5 building (only for office use)

Applicant before: Guangzhou VIPSHOP Information and Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20161221