CN108170580A - A kind of rule-based log alarming method, apparatus and system - Google Patents


Info

Publication number
CN108170580A
Authority
CN
China
Prior art keywords
alarm
rule
alarm rule
log information
collection
Legal status
Withdrawn
Application number
CN201711174472.9A
Other languages
Chinese (zh)
Inventor
张佳璐
Current Assignee
Lianjia Beijing Technology Co Ltd
Original Assignee
Lianjia Beijing Technology Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring:
    • G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine > G06F11/324 Display of status information > G06F11/327 Alarm or error message display
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored > G06F11/3006 where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored > G06F11/302 where the computing system component is a software system
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring:
    • G06F2201/865 Monitoring of software
    • G06F2201/875 Monitoring of systems including the internet

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the present invention provide a rule-based log alarming method, apparatus and system. The method includes: obtaining in real time a log message generated by a service to be detected, the log message containing a first identifier ID; obtaining the alarm rule set matching the first identifier ID as the target alarm rule set, where an alarm rule set contains at least one alarm rule and each rule contains a regular expression and an alarm type; obtaining the alarm rules in the target alarm rule set one by one and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, triggering an alarm according to the alarm type in that rule. The apparatus and system are used to perform the method. By selecting the corresponding alarm rule set for the log messages generated by different services, embodiments of the invention meet the individual requirements of different services on the one hand and improve the efficiency of alarm analysis on the other.

Description

A kind of rule-based log alarming method, apparatus and system
Technical field
Embodiments of the present invention relate to the field of computer technology, and in particular to a rule-based log alarming method, apparatus and system.
Background technology
With the advance and implementation of Internet services, a website can be split vertically and horizontally into multiple independent services. Each service differs in its characteristics and traffic volume: some services specifically form the middle tier, some do data analysis and processing, some form the presentation layer, and some act as data storage platforms. Adopting different log analysis and alarm rules for different service characteristics, while keeping alarms close to the business, making alarm creation, management and roll-out easier, and making alarms more accurate and timely, are the main points of concern.
Neither the open-source nor the commercial alarm systems currently available can keep up with the continuous development and adjustment of our business architecture, and none can fully meet the various individual requirements of our log alarming: they cannot select rules according to the characteristics of different services, so every log message generated has to be checked against all alarm rules before an alarm result is obtained, which leads to low efficiency of log message alarm analysis.
Invention content
In view of the problems of the prior art, embodiments of the present invention provide a rule-based log alarming method, apparatus and system.
In a first aspect, an embodiment of the present invention provides a rule-based log alarming method, including:
obtaining in real time a log message generated by a service to be detected, the log message containing the first identifier ID corresponding to that service;
obtaining the alarm rule set matching the first identifier ID as the target alarm rule set, the alarm rule set containing at least one alarm rule, each rule containing a regular expression and an alarm type;
obtaining the alarm rules in the target alarm rule set one by one and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, triggering an alarm according to the alarm type in that alarm rule.
In a second aspect, an embodiment of the present invention provides a rule-based log alarming apparatus, including:
an acquisition module for obtaining in real time the log message generated by a service to be detected, the log message containing the first identifier ID corresponding to that service;
a matching module for obtaining the alarm rule set matching the first identifier ID as the target alarm rule set, the alarm rule set containing at least one alarm rule, each rule containing a regular expression and an alarm type;
an alarm module for obtaining the alarm rules in the target alarm rule set one by one and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, triggering an alarm according to the alarm type in that alarm rule.
In a third aspect, an embodiment of the present invention provides a rule-based log alarming system, including a communicatively connected log alarming device, log consumption device, database and alarm management device;
the log alarming device is used to perform the method of the first aspect;
the log consumption device is used to obtain the log messages generated by each service and send them to the log alarming device;
the database is used to store the alarm rule sets and the alarm messages;
the alarm management device is used to configure the alarm rule sets.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including a processor, a memory and a bus, where
the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the method steps of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, including:
the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to perform the method steps of the first aspect.
The rule-based log alarming method, apparatus and system provided by embodiments of the present invention obtain the corresponding target alarm rule set according to the first identifier ID in the log message, and judge according to each alarm rule in the target alarm rule set whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages generated by different services meets the individual requirements of different services on the one hand and improves the efficiency of alarm analysis on the other.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a rule-based log alarming method provided by an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a rule-based log alarming method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a rule-based log alarming apparatus provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a rule-based log alarming system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Specific embodiment
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flow chart of a rule-based log alarming method provided by an embodiment of the present invention; as shown in Fig. 1, the method includes:
Step 101: obtain in real time the log message generated by the service to be detected, the log message containing the first identifier ID corresponding to that service;
Specifically, the operation of a website is supported by multiple services, so each service generates corresponding log messages while performing its tasks. Taking these services as services to be detected, the log alarming device obtains in real time the log messages they generate. Each log message contains the first identifier ID of the service to be detected, and the first identifier ID of each service to be detected is unique; the first identifier ID recognized in a log message therefore tells which service generated it.
Step 102: obtain the alarm rule set matching the first identifier ID as the target alarm rule set, the alarm rule set containing at least one alarm rule, each rule containing a regular expression and an alarm type;
Specifically, since different services may generate different log messages and have different alarm requirements, one corresponding alarm rule set is constructed in advance for each service, and each alarm rule set contains at least one alarm rule. The log alarming device matches the first identifier ID in the log message against the second identifier ID corresponding to each alarm rule set; if the first identifier ID in the log message equals the second identifier ID of some alarm rule set, that set is taken as the target alarm rule set, and alarm analysis is performed with the alarm rules it contains. Every alarm rule contains a regular expression and an alarm type.
Step 103: obtain the alarm rules in the target alarm rule set one by one and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, trigger an alarm according to the alarm type in that alarm rule.
Specifically, one alarm rule is obtained from the target alarm rule set at a time, and it is judged whether the log message satisfies the regular expression in that rule; if so, an alarm is raised according to the alarm type in that rule.
The embodiment of the present invention obtains the corresponding target alarm rule set through the first identifier ID in the log message, and judges according to each alarm rule in the target alarm rule set whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages generated by different services meets the individual requirements of different services on the one hand and improves the efficiency of alarm analysis on the other.
Specifically, on the basis of the above embodiment, the log message contains keywords to be detected, and judging that the log message satisfies the regular expression in the obtained alarm rule includes:
parsing the alarm rule to obtain the keywords and the logical relations in the regular expression, the logical relations including any one or a combination of logical AND, logical OR and logical NOT;
obtaining the evaluation result of the regular expression from the keywords to be detected in the log message and the keywords and logical relations in the regular expression; if the result is true, the log message is judged to satisfy the regular expression in the obtained alarm rule.
Specifically, a log message contains multiple keywords to be detected. When judging whether the log message satisfies the regular expression in an alarm rule, the alarm rule, and in particular its regular expression, must first be parsed; parsing yields the corresponding keywords and logical relations, and one regular expression may contain any one or a combination of logical AND, logical OR and logical NOT. A logical operation is performed on the keywords to be detected with the keywords and logical relations obtained by parsing, giving the evaluation result of the regular expression. If the result is true, the log message satisfies the regular expression; if it is false, the log message does not satisfy it, and the next alarm rule in the target alarm rule set has to be obtained. If parsing the regular expression reveals nested logical relations, the logical relations may be analyzed and processed level by level from the outside in; at each level the operands consisting of a single keyword are processed first, and the operands containing a logical relation afterwards. For example, for the alarm rule whose logical relation is (A|B)&(C|D)&E, the outermost logical relation, logical AND, is parsed first and the logical AND function is called, with the groups (A|B), (C|D) and E that form the AND relation passed in as parameters. Within the function it is determined that the input parameters contain a single keyword but also logical OR relations, so the single keyword E is first compared with the keywords to be detected in the log message, i.e. it is judged whether the keywords to be detected contain keyword E: if so, it matches, otherwise it does not. If keyword E matches, the logical OR function is then called with the input parameters A and B; if the keywords to be detected contain A or B, (A|B) matches. The logical OR function is called again with the input parameters C and D; if the keywords to be detected contain C or D, (C|D) matches. The evaluation result is then true, showing that all three operands of the outermost logical AND matched successfully, and therefore that the log message satisfies the regular expression in the obtained alarm rule.
The embodiment of the present invention judges through pre-set alarm rules whether a log message should raise an alarm. Alarm rule sets are created in the manner and form of rules, and developers only need to configure the keywords and logical relations in the alarm rules in advance, which is simple to operate.
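The nested keyword-and-logical-relation evaluation described above, as an added example; this code is not from the patent, which specifies neither a language nor a rule syntax. It assumes a rule syntax of "&" for logical AND, "|" for logical OR, "!" for logical NOT and parentheses for nesting, with "&" binding tighter than "|", and it takes every token of a log line as a keyword to be detected; the sample log lines are constructed. The parser turns a rule such as (A|B)&(C|D)&E into a tree, and the evaluator walks the tree level by level, checking single-keyword operands before nested groups and stopping at the first operand that decides the result, as the paragraph above describes.

```python
"""Evaluator for the keyword/logical-relation rules described above.
Added example, not code from the patent: the operator syntax (& for AND,
| for OR, ! for NOT, parentheses for nesting, & binding tighter than |)
and the sample log lines are assumptions made for this example."""
import re
from typing import List, Set, Tuple, Union

Node = Union[str, Tuple[str, list]]      # a keyword, or (operator, operand list)
_TOKEN = re.compile(r"\s*(?:([()&|!])|([A-Za-z0-9_.:-]+))")
_OPERATORS = {")", "&", "|", "!"}


def tokenize(expr: str) -> List[str]:
    """Split a rule expression into parentheses, operators and keywords."""
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            if expr[pos:].strip() == "":
                break                                    # only trailing whitespace
            raise ValueError(f"illegal character {expr[pos]!r} at offset {pos}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


def parse(expr: str) -> Node:
    """Recursive descent: or_expr := and_expr ('|' and_expr)*;
    and_expr := atom ('&' atom)*; atom := '!' atom | '(' or_expr ')' | KEYWORD."""
    tokens, pos = tokenize(expr), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'operand'} at token {pos}, got {tok!r}")
        pos += 1
        return tok

    def parse_or():
        items = [parse_and()]
        while peek() == "|":
            take("|")
            items.append(parse_and())
        return items[0] if len(items) == 1 else ("or", items)

    def parse_and():
        items = [parse_atom()]
        while peek() == "&":
            take("&")
            items.append(parse_atom())
        return items[0] if len(items) == 1 else ("and", items)

    def parse_atom():
        tok = take()
        if tok == "!":
            return ("not", [parse_atom()])
        if tok == "(":
            inner = parse_or()
            take(")")
            return inner
        if tok in _OPERATORS:
            raise ValueError(f"unexpected {tok!r} at token {pos - 1}")
        return tok

    tree = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing input at token {pos}: {peek()!r}")
    return tree


def evaluate(node: Node, keywords: Set[str]) -> bool:
    """Apply the tree to the keywords of one log message. As in the patent's
    flow, single-keyword operands of an AND/OR are checked before nested
    groups, and evaluation stops at the first operand that decides the result."""
    if isinstance(node, str):
        return node in keywords
    op, operands = node
    if op == "not":
        return not evaluate(operands[0], keywords)
    ordered = sorted(operands, key=lambda n: not isinstance(n, str))  # keywords first
    if op == "and":
        return all(evaluate(n, keywords) for n in ordered)
    return any(evaluate(n, keywords) for n in ordered)


def extract_keywords(message: str) -> Set[str]:
    """The 'keywords to be detected' of a log line: every token in it."""
    return set(re.findall(r"[A-Za-z0-9_.:-]+", message))


def rule_matches(expr: str, message: str) -> bool:
    return evaluate(parse(expr), extract_keywords(message))


SAMPLE_LOGS = [  # constructed sample lines, not taken from the patent
    "2017-11-22T10:01:02 ERROR svc-order DB connection timeout after 3000ms",
    "2017-11-22T10:01:03 WARN svc-order Cache miss for key user:42",
    "2017-11-22T10:01:04 ERROR svc-order Cache connection refused",
]
```

With these lines, rule_matches("(DB|Cache)&(timeout|refused)&ERROR", line) is true for the first and third sample line and false for the WARN line. Keywords are compared as whole tokens, so "DB" does not match "DBConnection"; lower-casing both sides before comparison is a reasonable variant when log levels or resource names vary in case. A malformed rule (unbalanced parentheses, a dangling operator, a character outside the keyword alphabet) raises ValueError at parse time, so it is caught when the rule is configured rather than on the hot path.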
On the basis of the above embodiment, the method further includes:
creating in advance the alarm rule sets corresponding to the multiple services to be detected, and storing the alarm rule sets.
Specifically, a corresponding alarm rule set is created in advance for each service to be detected, and the created alarm rule sets of all services to be detected are stored. When a log message generated by some service to be detected needs alarm analysis, the corresponding alarm rule set can be called up for the analysis; the embodiment of the present invention therefore improves the efficiency of alarm analysis by selecting alarm rules in a targeted way.
On the basis of the above embodiment, the alarm rule further contains the second identifier ID corresponding to the service to be detected; accordingly, creating in advance the alarm rule sets corresponding to the multiple services to be detected and storing them includes:
creating in advance the alarm rules corresponding to the multiple services to be detected, grouping the alarm rules according to the second identifier ID to form multiple alarm rule sets, and storing the alarm rule sets.
Specifically, when the alarm rules corresponding to the multiple services to be detected are created in advance, the second identifier ID of the corresponding service is added to each alarm rule. The second identifier ID in an alarm rule is the same as the first identifier ID in the log messages generated by that service, which is why the first identifier ID in a log message can locate the corresponding target alarm rule set. After the alarm rules of all services to be detected have been created, they are grouped by second identifier ID: the alarm rules belonging to the same second identifier ID are put into one group forming an alarm rule set, and the alarm rule set of each service to be detected is then stored.
The pre-created alarm rules can be classified in two levels: the first level is the second identifier ID of each service to be detected, and the second level is the keyword-matching information, i.e. the regular expression, the alarm type and so on.
Keywords fall into two classes:
One class is planned in advance: relatively fixed, general keywords that apply to all services, to most services or to a certain category of service. Log levels and common resource types belong to this class. Log levels are generally applicable and stable, change little once decided, and apply to the logs of all services. Common resource types, such as database-related, cache-related and framework-related logs, can be identified by fixed keywords, for example the keyword DB for database-related logs, the keyword Cache for cache-related logs, and the English abbreviation of the framework's name for framework-related logs.
The other class is custom keywords, which are usually specific to the business of each kind of service.
Logical relations: logical AND, logical OR and logical NOT. Logical relations are implemented in advance in the form of functions: the keywords in the log message and in the rule are the input conditions, and whether the rule is offended is the output result. Logical relations can be nested, for example: hit keyword A and hit keyword B; hit keyword A and hit keyword B or C.
On the basis of the above embodiments, the alarm rule further contains priority information; accordingly, obtaining the alarm rules in the alarm rule set one by one includes:
obtaining one alarm rule of the alarm rule set at a time according to the priority.
Specifically, since an alarm rule set contains at least one alarm rule, one alarm rule needs to be obtained at a time for alarm analysis; by setting a priority for each alarm rule in advance, the alarm rules in the set are then obtained one by one in priority order. The priority may be set according to the importance of the alarm rule or according to other rules; the embodiment of the present invention does not limit this.
By obtaining the alarm rules of the set in priority order, the embodiment of the present invention matches the log message against the important alarm rules first, so that log messages containing important exception information can be found and handled in time.
On the basis of the above embodiments, the alarm type includes an alarm trigger mode and an alarm sending method; the alarm trigger mode includes single triggering and threshold triggering, and the alarm sending method includes mail alarm, SMS alarm and WeChat alarm.
Specifically, the alarm type includes the alarm trigger mode and the alarm sending method. The alarm trigger mode is the situation in which an alarm is triggered, and includes single triggering and threshold triggering. Single triggering means that an alarm is triggered as soon as the log message satisfies some alarm rule; this mode suits particularly severe and uncommon exception types. Threshold triggering counts the number of alarm rules in the target alarm rule set that the log message satisfies, or the ratio of that number to the total number of alarm rules in the set, and triggers an alarm when a set threshold is exceeded; the threshold can be chosen according to the severity and scope of the exception. After an alarm is triggered, the alarm message has to be sent to the responsible staff, which can be done by any one or a combination of mail alarm, SMS alarm and WeChat alarm. Information such as the enabling time, stop time, effective time and life cycle can also be set in an alarm rule.
Fig. 2 is a schematic flow chart of a rule-based log alarming method provided by an embodiment of the present invention; as shown in Fig. 2, the method includes:
Step 201: obtain the log message; obtain in real time the log message generated by the service to be detected, the log message containing the first identifier ID; go to step 202;
Step 202: obtain the target alarm rule set; each alarm rule set corresponds to a second identifier ID; obtain the alarm rule set whose second identifier ID equals the first identifier ID in the log message and take it as the target rule set; go to step 203;
Step 203: parse an alarm rule; obtain one alarm rule from the target alarm rule set according to the priority of the alarm rules and parse it; go to step 204;
Step 204: determine keywords and logical relations; if the regular expression in the alarm rule has a multi-level nested relation, determine the keywords and logical relations, generate multiple logical relation functions, and obtain the keywords and logical relations included in each logical relation function; assume the outermost logical relation in the regular expression is logical AND; go to step 205;
Step 205: is the logical relation function satisfied? Judge one by one, according to the preset rules, whether the log message satisfies the logical relation function; if not, go to step 206, otherwise go to step 209;
Step 206: not offended; since the outermost logical relation of the alarm rule is logical AND, one unsatisfied logical relation function is enough to show that the alarm rule is not offended; go to step 207;
Step 207: is this the last rule? Judge whether this alarm rule is the last one in the target alarm rule set; if not, go to step 208, otherwise go to step 214;
Step 208: choose the next rule; obtain the next alarm rule from the target alarm rule set, again according to priority; go to step 203;
Step 209: is this the last function? Judge whether this logical relation function is the last one; if not, go to step 210, otherwise go to step 211;
Step 210: run the next function; obtain the next logical relation function in the alarm rule and go to step 205;
Step 211: the alarm rule is offended; if the log message satisfies all the logical relation functions, it satisfies, i.e. offends, this alarm rule; record the number of offended alarm rules; go to step 212;
Step 212: is the threshold reached? Judge whether the number of alarm rules offended by the log message reaches the threshold, or whether the ratio of offended alarm rules to the total number of alarm rules reaches the threshold; if so, go to step 213, otherwise go to step 214;
Step 213: alarm; trigger the alarm;
Step 214: end.
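The rule-set selection, priority ordering, trigger modes and sending channels of the flow above (and of the grouping, priority and alarm-type passages before it), as an added example; this code is not from the patent. Where the patent's "regular expression" is its keyword/logic form, this example uses ordinary Python regular expressions for each rule so that the routing and trigger logic can be shown on its own. Assumptions made here: the first identifier ID appears in each line as "svc=<id>", thresholds belong to the rule set rather than to individual rules, the patent does not say where they live, and the rules, channel names and log lines are constructed.

```python
"""Rule-set selection, priority ordering and trigger handling for the flow of
Fig. 2. Added example, not code from the patent: rule patterns are plain Python
regular expressions, the service ID is assumed to appear as 'svc=<id>' in each
line, thresholds are kept per rule set, and rules, channels and log lines are
constructed for the example."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AlarmRule:
    service_id: str                          # second identifier ID of the service
    pattern: str                             # regular expression applied to the line
    priority: int                            # lower value is checked first
    trigger: str = "single"                  # "single": alarm on first hit; "threshold": count hits
    channels: Tuple[str, ...] = ("mail",)    # mail / sms / wechat in the patent

@dataclass
class RuleSet:
    service_id: str
    rules: List[AlarmRule]                   # kept sorted by priority
    hit_threshold: int = 2                   # threshold mode: alarm at this many hits...
    ratio_threshold: Optional[float] = None  # ...or at this fraction of the set's rules

@dataclass
class AlarmEvent:
    service_id: str
    message: str
    rule: AlarmRule                          # the rule whose alarm type is used


def build_rule_sets(rules: List[AlarmRule],
                    options: Optional[Dict[str, dict]] = None) -> Dict[str, RuleSet]:
    """Group rules by second identifier ID and sort each group by priority."""
    grouped: Dict[str, List[AlarmRule]] = {}
    for rule in rules:
        grouped.setdefault(rule.service_id, []).append(rule)
    options = options or {}
    return {sid: RuleSet(sid, sorted(group, key=lambda r: r.priority), **options.get(sid, {}))
            for sid, group in grouped.items()}

_SERVICE_ID = re.compile(r"\bsvc=(?P<sid>[A-Za-z0-9_-]+)\b")

def extract_service_id(message: str) -> Optional[str]:
    """First identifier ID carried by the log line (assumed 'svc=<id>' format)."""
    m = _SERVICE_ID.search(message)
    return m.group("sid") if m else None

def analyze(message: str, rule_sets: Dict[str, RuleSet]) -> List[AlarmEvent]:
    """Steps 201-214: pick the target rule set, walk its rules in priority order,
    alarm at once on a single-trigger hit, otherwise apply the set's threshold."""
    sid = extract_service_id(message)
    if sid is None or sid not in rule_sets:
        return []                                     # no target rule set: end
    rule_set = rule_sets[sid]
    threshold_hits: List[AlarmRule] = []
    for rule in rule_set.rules:
        if re.search(rule.pattern, message) is None:
            continue                                  # not offended, next rule
        if rule.trigger == "single":
            return [AlarmEvent(sid, message, rule)]   # step 213 straight away
        threshold_hits.append(rule)                   # step 211: record the hit
    hits = len(threshold_hits)
    reached = hits > 0 and (hits >= rule_set.hit_threshold or (
        rule_set.ratio_threshold is not None
        and hits / len(rule_set.rules) >= rule_set.ratio_threshold))
    # step 212: alarm under the highest-priority offended rule, or end
    return [AlarmEvent(sid, message, threshold_hits[0])] if reached else []

def send_alarms(events: List[AlarmEvent],
                senders: Dict[str, Callable[[AlarmEvent], None]]) -> List[str]:
    """Fan each event out to the channels of its rule; returns the channels used."""
    used: List[str] = []
    for event in events:
        for channel in event.rule.channels:
            senders[channel](event)
            used.append(channel)
    return used


RULES = [  # constructed rules; bounded quantifiers keep patterns backtracking-safe
    AlarmRule("order", r"\bOutOfMemoryError\b", 0, "single", ("sms", "wechat")),
    AlarmRule("order", r"\bDB\b.{0,200}\b(timeout|refused)\b", 1, "threshold"),
    AlarmRule("order", r"\bERROR\b", 2, "threshold"),
    AlarmRule("order", r"\bCache\b", 3, "threshold"),
    AlarmRule("search", r"\bERROR\b", 0, "single", ("mail",)),
]
SAMPLE_LOGS = [  # constructed sample lines
    "2017-11-22T10:01:02 ERROR svc=order DB connection timeout after 3000ms",
    "2017-11-22T10:01:03 WARN svc=order Cache miss for key user:42",
    "2017-11-22T10:01:04 FATAL svc=order java.lang.OutOfMemoryError: Java heap space",
    "2017-11-22T10:01:05 ERROR svc=search index shard unavailable",
    "2017-11-22T10:01:06 ERROR svc=payment gateway returned 502",
]
```

Running analyze over the sample lines with build_rule_sets(RULES) raises three alarms: the DB timeout line hits two threshold rules and is reported under the higher-priority DB rule by mail; the OutOfMemoryError line hits a single-trigger rule and goes out by SMS and WeChat at once; the search line hits that service's own single-trigger rule. The Cache line hits only one threshold rule and is dropped, and the payment line has no rule set at all. Two points a practitioner should keep in mind with such an engine: the rule author controls the pattern but whoever writes into the log stream controls the text, so patterns with nested unbounded quantifiers can be driven into catastrophic backtracking by a crafted line, which is why the example bounds its gaps; and if the service ID is read from the line itself, any producer that can write into the stream can route its lines into another service's rule set, so in a real deployment the ID is better taken from the transport (the topic or the producer's credentials) than from the message body.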
Fig. 3 is a schematic structural diagram of a rule-based log alarming apparatus provided by an embodiment of the present invention; as shown in Fig. 3, the apparatus includes an acquisition module 301, a matching module 302 and an alarm module 303, where:
the acquisition module 301 is used to obtain in real time the log message generated by the service to be detected, the log message containing the first identifier ID corresponding to that service; the matching module 302 is used to obtain the alarm rule set matching the first identifier ID as the target alarm rule set, the alarm rule set containing at least one alarm rule, each rule containing a regular expression and an alarm type; the alarm module 303 is used to obtain the alarm rules in the target alarm rule set one by one and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, to trigger an alarm according to the alarm type in that alarm rule.
Specifically, the acquisition module 301 obtains in real time the log messages generated by the services to be detected. Each log message contains the first identifier ID of the service to be detected, and the first identifier ID of each service to be detected is unique, so the first identifier ID recognized in a log message tells which service generated it. Since different services may generate different log messages and have different alarm requirements, one corresponding alarm rule set, containing at least one alarm rule, is constructed in advance for each service. The matching module 302 matches the first identifier ID in the log message against the second identifier ID corresponding to each alarm rule set; if they are equal for some alarm rule set, that set is taken as the target alarm rule set and alarm analysis is performed with the alarm rules it contains. Each alarm rule set contains at least one alarm rule, and every alarm rule contains a regular expression and an alarm type. The alarm module 303 obtains one alarm rule from the target alarm rule set at a time and judges whether the log message satisfies the regular expression in that rule; if so, an alarm is raised according to the alarm type in that rule.
The apparatus embodiments provided by the present invention can be used specifically to perform the processing flow of the above method embodiments; their functions are not described again here, and reference is made to the detailed description of the method embodiments.
The embodiment of the present invention obtains corresponding target alarm rule collection by the first flag ID in log information, and Judge whether the log information should trigger alarm according to each alarm rule that target alarm rule is concentrated, for different services The log information of generation selects corresponding alarm rule collection to carry out alarm analysis, on the one hand meets the personalization of different services On the other hand demand improves the efficiency of alarm analysis.
Fig. 4 is a structural schematic diagram of a rule-based log alarm system provided in an embodiment of the present invention. As shown in Fig. 4, the system comprises a log alarm device 401, a log consumption device 402, a database 403 and an alarm management device 404, which are communicatively connected;
The log alarm device 401 is used to execute the method described above;
The log consumption device 402 is used to obtain the log messages generated by each service and to send them to the log alarm device 401;
The database 403 is used to store the alarm rule sets and the alarm information;
The alarm management device 404 is used to configure the alarm rule sets.
Specifically, the log alarm device 401 receives the log message sent by the log consumption device 402 and performs alarm analysis on it by the method described above; the specific analysis method is not repeated in this embodiment.
The log consumption device 402 consumes the real-time log messages of each service to be monitored. The logs of each service to be monitored are required to carry a first identifier ID consistent with that service. The log message consumption device can be built with the distributed publish-subscribe messaging system Apache Kafka.
The database 403 is responsible for storing the first identifier IDs of the log messages generated by the services to be monitored, the keywords, the keyword categories, the alarm rules, and the details of the alarm information generated after an alarm rule is triggered.
The alarm management device 404 is used to generate and manage alarm rules and to view and analyse alarm information. The alarm management device 404 provides three parts of functionality in total, corresponding to two different pages:
The first part is the management interface for the first identifier IDs of log messages and for keywords. It provides list display, addition, deletion, enabling and disabling functions for each of the two.
First identifier ID management interface: provides list display, addition, deletion, enabling and disabling of first identifier IDs, as well as a preview of all alarm rules belonging to the corresponding service to be monitored and a jump to their display. Under the delete, enable and disable operations, it is possible to choose whether the alarm rules associated with the first identifier ID of the log message are synchronously deleted, enabled or disabled.
Keyword entry interface: mainly provides addition, deletion, enabling and disabling of keyword categories together with a preview of the associated alarm rules, and addition, deletion, enabling and disabling of the keywords under a category together with a preview of the associated alarm rules. General, fixed keywords can form one category; keywords created according to a service's own characteristics, that is, all custom keywords, can form a separate category.
The second part is the alarm rule management interface: list display, creation, deletion, enabling and disabling of alarm rules, and setting of their priority.
Generation of an alarm rule: in the first step, the service log identifier name is selected; in the second step, one or more keyword categories are selected, then one or more keywords under each category are selected and the logical relation between the keywords is chosen; in the third step, the trigger mode of the alarm rule and its threshold are set; in the fourth step, the delivery mode of the alarm information is set; in the fifth step, the automatic effective time, life cycle and priority of the alarm rule are set.
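As an added illustration (not code from the patent or the applicant), the following Python sketches the flow described above: the service identifier in a log message selects its alarm rule set, the rules are applied in priority order, the keyword logic with AND, OR and NOT from claim 2 is evaluated against the message, and the single or threshold trigger mode decides whether an alarm with the configured delivery mode is raised. The rule dict layout, the sliding-window reading of the threshold trigger, and the sample rules and log lines are assumptions.

```python
"""Rule-based log alarm evaluation modelled on the patent text. Constructed
example, not the applicant's code; the rule layout and sample data are assumed."""
import re
from collections import defaultdict, deque

# Rule expressions: quoted keywords joined by AND / OR / NOT (claim 2).
_TOKEN = re.compile(r'\s*(?:(AND|OR|NOT)\b|"([^"]*)")')

def tokenize(expr):
    """Split an expression into (operator, None) and ('KW', keyword) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        tokens.append((m.group(1), None) if m.group(1) else ("KW", m.group(2)))
    return tokens

def evaluate(expression, message):
    """True when the keyword logic holds for the message; NOT binds tightest, then AND, then OR."""
    clauses, negate = [[]], False            # disjunction of conjunctions of literals
    for kind, text in tokenize(expression):
        if kind == "NOT":
            negate = not negate
        elif kind == "OR":
            clauses.append([])               # start a new conjunction
        elif kind == "KW":
            clauses[-1].append((text in message) != negate)   # literal: keyword present?
            negate = False
        # AND only separates literals inside the current conjunction
    return any(all(clause) for clause in clauses if clause)

class LogAlarmEngine:
    """Matches a log message to its service's rule set and applies the rules in priority order."""
    def __init__(self, rule_sets):
        # {service identifier (the patent's first/second identifier ID): [rules]},
        # each set sorted by priority, lowest number first (claim 5, an assumed convention)
        self.rule_sets = {s: sorted(r, key=lambda x: x["priority"]) for s, r in rule_sets.items()}
        self.hits = defaultdict(deque)   # (service, rule) -> match timestamps for threshold rules

    def process(self, service_id, message, now):
        """Return the alarms triggered by one log message arriving at time `now` (seconds)."""
        alarms = []
        for rule in self.rule_sets.get(service_id, []):   # unknown service: no rule set, no alarm
            if not evaluate(rule["expression"], message):
                continue
            if rule["trigger"] == "threshold":
                # threshold trigger: count matches in a sliding window, fire once when it is reached
                window = self.hits[(service_id, rule["name"])]
                window.append(now)
                while now - window[0] > rule["window"]:
                    window.popleft()
                if len(window) < rule["threshold"]:
                    continue
                window.clear()
            alarms.append({"service": service_id, "rule": rule["name"], "via": rule["delivery"]})
        return alarms

# Constructed sample rule set for one service; timestamps are plain seconds.
RULE_SETS = {"order-svc": [
    {"name": "db-down", "priority": 1, "trigger": "single", "delivery": ("mail", "sms"),
     "expression": '"ERROR" AND "connection refused" OR "ERROR" AND "timeout" AND NOT "retry succeeded"'},
    {"name": "slow-query", "priority": 2, "trigger": "threshold", "threshold": 3, "window": 60,
     "delivery": ("wechat",), "expression": '"WARN" AND "slow query"'},
]}

def demo():
    """Feed constructed log lines through the engine and return the alarms raised."""
    engine = LogAlarmEngine(RULE_SETS)
    out = engine.process("order-svc", "ERROR db connection refused", 0)
    out += engine.process("order-svc", "ERROR timeout, retry succeeded", 1)  # NOT clause blocks it
    for t in (10, 20, 30):                                                  # third hit fires
        out += engine.process("order-svc", "WARN slow query took 3.2s", t)
    out += engine.process("pay-svc", "ERROR connection refused", 40)        # no rule set
    return out
```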
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention. As shown in Fig. 5, the electronic device comprises a processor 501, a memory 502 and a bus 503, wherein
the processor 501 and the memory 502 communicate with each other through the bus 503;
the processor 501 is used to call the program instructions in the memory 502 in order to execute the method provided by each method embodiment above, for example comprising: obtaining in real time the log message generated by the service to be monitored, the log message containing the first identifier ID corresponding to that service; obtaining the alarm rule set matching the first identifier ID as the target alarm rule set, the alarm rule set containing at least one alarm rule and each rule containing a regular expression and an alarm mode; obtaining the alarm rules in the target alarm rule set one by one and, if it is determined that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in that alarm rule.
This embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium; the computer program comprises program instructions which, when executed by a computer, enable the computer to execute the method provided by each method embodiment above, for example comprising: obtaining in real time the log message generated by the service to be monitored, the log message containing the first identifier ID corresponding to that service; obtaining the alarm rule set matching the first identifier ID as the target alarm rule set, the alarm rule set containing at least one alarm rule and each rule containing a regular expression and an alarm mode; obtaining the alarm rules in the target alarm rule set one by one and, if it is determined that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in that alarm rule.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to execute the method provided by each method embodiment above, for example comprising: obtaining in real time the log message generated by the service to be monitored, the log message containing the first identifier ID corresponding to that service; obtaining the alarm rule set matching the first identifier ID as the target alarm rule set, the alarm rule set containing at least one alarm rule and each rule containing a regular expression and an alarm mode; obtaining the alarm rules in the target alarm rule set one by one and, if it is determined that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in that alarm rule.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above may be completed by program instructions controlling the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.
The device embodiments described above are merely schematic. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the technical solution above, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solution recorded in the foregoing embodiments may still be modified, or some of its technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

  1. A rule-based log alarm method, characterized in that it comprises:
    obtaining in real time the log message generated by a service to be monitored, the log message containing a first identifier ID corresponding to the service to be monitored;
    obtaining the alarm rule set matching the first identifier ID as a target alarm rule set, the alarm rule set containing at least one alarm rule, each rule containing a regular expression and an alarm mode;
    obtaining the alarm rules in the target alarm rule set one by one and, if it is determined that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
  2. The method according to claim 1, characterized in that the log message contains keywords to be detected, and determining that the log message satisfies the regular expression in the obtained alarm rule comprises:
    parsing the alarm rule to obtain the keywords and the logical relation in the regular expression, the logical relation including any one or a combination of logical AND, logical OR and logical NOT;
    obtaining the evaluation result of the regular expression from the keywords to be detected in the log message together with the keywords and logical relation in the regular expression, and, if the evaluation result is true, determining that the log message satisfies the regular expression in the obtained alarm rule.
  3. The method according to claim 1, characterized in that the method further comprises:
    pre-creating the alarm rule sets corresponding to a plurality of services to be monitored, and storing the alarm rule sets.
  4. The method according to claim 3, characterized in that the alarm rule further contains a second identifier ID corresponding to the service to be monitored, and accordingly pre-creating the alarm rule sets corresponding to a plurality of services to be monitored and storing the alarm rule sets comprises:
    pre-creating the alarm rules corresponding to a plurality of services to be monitored, grouping the alarm rules according to the second identifier ID to form a plurality of alarm rule sets, and storing the alarm rule sets.
  5. The method according to claim 1, characterized in that the alarm rule further contains priority information, and accordingly obtaining the alarm rules in the alarm rule set one by one comprises:
    obtaining one alarm rule of the alarm rule set at a time according to the priority.
  6. The method according to any one of claims 1 to 5, characterized in that the alarm mode comprises an alarm trigger mode and an alarm delivery mode, the alarm trigger mode comprising single trigger and threshold trigger, and the alarm delivery mode comprising mail alarm, SMS alarm and WeChat alarm.
  7. A rule-based log alarm device, characterized in that it comprises:
    an acquisition module for obtaining in real time the log message generated by a service to be monitored, the log message containing a first identifier ID corresponding to the service to be monitored;
    a matching module for obtaining the alarm rule set matching the first identifier ID as a target alarm rule set, the alarm rule set containing at least one alarm rule, each rule containing a regular expression and an alarm mode;
    an alarm module for obtaining the alarm rules in the target alarm rule set one by one and, if it is determined that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
  8. A rule-based log alarm system, characterized in that it comprises a log alarm device, a log consumption device, a database and an alarm management device, which are communicatively connected;
    the log alarm device is used to execute the method according to any one of claims 1 to 5;
    the log consumption device is used to obtain the log messages generated by each service and to send the log messages to the log alarm device;
    the database is used to store the alarm rule sets and the alarm information;
    the alarm management device is used to configure the alarm rule sets.
  9. An electronic device, characterized in that it comprises a processor, a memory and a bus, wherein
    the processor and the memory communicate with each other through the bus;
    the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the method according to any one of claims 1 to 6.
  10. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions which cause a computer to execute the method according to any one of claims 1 to 6.
CN201711174472.9A 2017-11-22 2017-11-22 A kind of rule-based log alarming method, apparatus and system Withdrawn CN108170580A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711174472.9A CN108170580A (en) 2017-11-22 2017-11-22 A kind of rule-based log alarming method, apparatus and system

Publications (1)

Publication Number Publication Date
CN108170580A true CN108170580A (en) 2018-06-15

Family

ID=62527300

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20180615)