CN108170580A - A rule-based log alarm method, apparatus and system
- Publication number: CN108170580A (CN201711174472.9A)
- Authority: CN (China)
- Prior art keywords: alarm, rule, alarm rule, log information, collection
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F11/327: Alarm or error message display
- G06F11/3006: Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
- G06F11/302: Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
- G06F11/3065: Monitoring arrangements determined by the means or processing involved in reporting the monitored data
- G06F2201/865: Monitoring of software
- G06F2201/875: Monitoring of systems including the internet
Abstract
Embodiments of the present invention provide a rule-based log alarm method, apparatus and system. The method includes: obtaining, in real time, a log message generated by a service to be detected, the log message including a first identifier ID; obtaining the alarm rule set that matches the first identifier ID as the target alarm rule set, where an alarm rule set includes at least one alarm rule and each rule includes a regular expression and an alarm mode; and obtaining the alarm rules in the target alarm rule set one at a time and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in that rule. The apparatus and system are used to perform the method. By selecting the corresponding alarm rule set for the log messages generated by each service, the embodiments meet the individual needs of different services on the one hand and improve the efficiency of alarm analysis on the other.
Description
Technical field
Embodiments of the present invention relate to the field of computer technology, and in particular to a rule-based log alarm analysis method, apparatus and system.
Background
With the advance and rollout of Internet services, a website can be split vertically and horizontally into multiple individual services. The characteristics and traffic of each service differ: some services act as a middle layer, some perform data analysis and processing, some serve as the presentation layer, and some act as data storage platforms. The focus of attention is on adopting different log analysis and alarm rules for different service characteristics, so that alarms stay close to the business, are more convenient to create, manage and bring online, and are more accurate and more timely.
The open-source and commercial alarm systems that exist today, given the continuous development and adjustment of our business architecture, cannot fully meet the various individual needs of our log alarming. That is, they cannot take the characteristics of different services into account: every log message generated has to be judged against all alarm rules before an alarm result is obtained, which leads to low efficiency of log message alarm analysis.
Summary of the invention
In view of the problems in the prior art, embodiments of the present invention provide a rule-based log alarm method, apparatus and system.
In a first aspect, an embodiment of the present invention provides a rule-based log alarm method, including:
obtaining, in real time, a log message generated by a service to be detected, the log message including the first identifier ID corresponding to the service to be detected;
obtaining the alarm rule set that matches the first identifier ID as the target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode;
obtaining the alarm rules in the target alarm rule set one at a time and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
In a second aspect, an embodiment of the present invention provides a rule-based log alarm apparatus, including:
an acquisition module, for obtaining, in real time, a log message generated by a service to be detected, the log message including the first identifier ID corresponding to the service to be detected;
a matching module, for obtaining the alarm rule set that matches the first identifier ID as the target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode;
an alarm module, for obtaining the alarm rules in the target alarm rule set one at a time and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
In a third aspect, an embodiment of the present invention provides a rule-based log alarm system, including a log alarm device, a log consumption device, a database and an alarm management device that are communicatively connected;
the log alarm device is used to perform the method of the first aspect;
the log consumption device is used to obtain the log messages generated by each service and send them to the log alarm device;
the database is used to store alarm rule sets and alarm information;
the alarm management device is used to configure the alarm rule sets.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including a processor, a memory and a bus, wherein
the processor and the memory communicate with each other over the bus;
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to perform the method steps of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium:
the non-transitory computer-readable storage medium stores computer instructions that cause the computer to perform the method steps of the first aspect.
The rule-based log alarm method, apparatus and system provided by the embodiments of the present invention obtain the corresponding target alarm rule set from the first identifier ID in the log message, and judge from each alarm rule in the target alarm rule set whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages generated by each service meets the individual needs of different services on the one hand and improves the efficiency of alarm analysis on the other.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a rule-based log alarm method provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a rule-based log alarm method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a rule-based log alarm apparatus provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a rule-based log alarm system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a rule-based log alarm method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step 101: Obtain, in real time, a log message generated by a service to be detected, the log message including the first identifier ID corresponding to the service to be detected;
Specifically, the operation of a website is supported by the work of multiple services, so each service generates corresponding log messages while executing its tasks. Taking these services as the services to be detected, the log alarm device obtains the log messages they generate in real time. Note that a log message includes the first identifier ID corresponding to the service to be detected, and the first identifier ID of each service to be detected is unique; identifying the first identifier ID in a log message therefore reveals which service to be detected generated it.
Step 102: Obtain the alarm rule set that matches the first identifier ID as the target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode;
Specifically, different services may generate different log messages and have different alarm requirements, so an alarm rule set is built in advance for each service, and each alarm rule set includes at least one alarm rule. The alarm device matches the first identifier ID in the log message against the second identifier ID corresponding to each alarm rule set. If the first identifier ID in the log message is identical to the second identifier ID corresponding to some alarm rule set, that alarm rule set is taken as the target alarm rule set, and the alarm rules in the target alarm rule set are used for alarm analysis. Note that each alarm rule set includes at least one alarm rule, and every alarm rule includes a regular expression and an alarm mode.
Step 103: Obtain the alarm rules in the target alarm rule set one at a time and, if the log message is judged to satisfy the regular expression in the obtained alarm rule, trigger an alarm according to the alarm mode in the obtained alarm rule.
Specifically, one alarm rule is obtained from the target alarm rule set at a time, and the log message is checked against the regular expression in that alarm rule; if it is satisfied, an alarm is raised according to the alarm mode in that alarm rule.
The embodiment of the present invention obtains the corresponding target alarm rule set from the first identifier ID in the log message, and judges from each alarm rule in the target alarm rule set whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages generated by each service meets the individual needs of different services on the one hand and improves the efficiency of alarm analysis on the other.
Specifically, on the basis of the above embodiment, the log message includes keywords to be detected, and judging that the log message satisfies the regular expression in the obtained alarm rule includes:
parsing the alarm rule to obtain the keywords and logical relationships in the regular expression, the logical relationships including any one or a combination of logical AND, logical OR and logical NOT;
computing the result of the regular expression from the keywords to be detected in the log message and the keywords and logical relationships in the regular expression; if the result is true, the log message is judged to satisfy the regular expression in the obtained alarm rule.
Specifically, a log message includes multiple keywords to be detected. To judge whether the log message satisfies the regular expression in an alarm rule, the alarm rule must first be parsed, in particular its regular expression; parsing yields the corresponding keywords and logical relationships. One regular expression may contain any one or a combination of logical AND, logical OR and logical NOT. A logical operation is carried out on the keywords to be detected and the keywords and logical relationships obtained by parsing, giving the result of the regular expression. If the result is true, the log message satisfies the regular expression; if the result is false, the log message does not satisfy it, and the next alarm rule in the target alarm rule set must be obtained.
Note that if parsing the regular expression reveals nested logical relationships, it can be stipulated that the logical relationships are analyzed and processed level by level from the outside in, and that during this process input items containing only a single keyword are processed first, followed by input items that contain a logical relationship. For example, for an alarm rule whose logical relationship is (A|B)&(C|D)&E, the outermost logical relationship, the logical AND, is parsed first, and the logical AND function is called with (A|B), (C|D) and E, which make up the AND relationship, passed in as a parameter group. Inside the function, the input parameters are found to contain a single keyword as well as logical OR relationships, so the single keyword E is judged first: whether the keywords to be detected in the log message include keyword E. If they do, E matches; otherwise it does not. If keyword E matches, the logical OR function is called with input parameters A and B; if the keywords to be detected include A or B, (A|B) is matched. The logical OR function is then called again with input parameters C and D; if the keywords to be detected include C or D, (C|D) is matched. The result of the calculation is then true, which shows that all three elements of the outermost logical AND matched, and therefore that the log message satisfies the regular expression in the obtained alarm rule.
The embodiment of the present invention judges whether a log message should raise an alarm by means of preset alarm rules. Alarm rule sets are created in a rule-based way, and developers only need to configure in advance the keywords and logical relationships in the alarm rules, which is simple to operate.
On the basis of the above embodiment, the method further includes:
creating in advance the alarm rule sets corresponding to multiple services to be detected, and storing the alarm rule sets.
Specifically, the corresponding alarm rule set is created in advance for each service to be detected, and the alarm rule sets of all services to be detected are stored. When the log messages generated by some service to be detected need alarm analysis, the corresponding alarm rule set can be called for the analysis. The embodiment of the present invention therefore improves the efficiency of alarm analysis by selecting alarm rules in a targeted way.
On the basis of the above embodiment, the alarm rule further includes the second identifier ID corresponding to the service to be detected. Correspondingly, creating in advance the alarm rule sets corresponding to multiple services to be detected and storing the alarm rule sets includes:
creating in advance the alarm rules corresponding to multiple services to be detected, grouping the alarm rules by second identifier ID to form multiple alarm rule sets, and storing the alarm rule sets.
Specifically, when the alarm rules corresponding to multiple services to be detected are created in advance, the second identifier ID corresponding to the service to be detected is added to each alarm rule. The second identifier ID in an alarm rule is the same as the first identifier ID in the log messages generated by that service, which is why the corresponding target alarm rule set can be found from the first identifier ID in a log message. After the alarm rules of all services to be detected have been created, they are grouped by second identifier ID: the alarm rules that share a second identifier ID are put into one group to form an alarm rule set, and the alarm rule set of each service to be detected is then stored.
The pre-created alarm rules can be classified internally: the first level is the second identifier ID of each service to be detected, and the second level relates to keyword matching, that is, information such as the regular expression and the alarm mode.
Keywords fall into two classes:
One class consists of keywords that are planned in advance and are relatively fixed and general; they apply to all services, most services, or a certain category of services. Log levels and common resource types belong to this class. Log levels are generally applicable and stable, change little once determined, and apply to the logs of all services. For common resource types, such as database-related, cache-related and framework-related logs, fixed keywords can be used as identifiers: for example, database-related logs are identified by the keyword DB, cache-related logs by the keyword Cache, and framework-related logs by the English abbreviation of the framework.
The other class consists of custom keywords, which are usually specific to the business of each kind of service.
Logical relationships: logical AND, logical OR and logical NOT. The logical relationships are developed in advance in the form of methods; the log message and the keywords in the rule are the input conditions, and whether the logic is violated is the output result. Logical relationships can be nested. For example: hit keyword A and hit keyword B; hit keyword A and hit keyword B or C.
The embodiment of the present invention judges whether a log message should raise an alarm by means of preset alarm rules. Alarm rule sets are created in a rule-based way, and developers only need to configure in advance the keywords and logical relationships in the alarm rules, which is simple to operate.
On the basis of the above embodiment, the alarm rule further includes priority information. Correspondingly, obtaining the alarm rules in the alarm rule set one at a time includes:
obtaining one alarm rule at a time from the alarm rule set according to the priority.
Specifically, since an alarm rule set includes at least one alarm rule and one alarm rule has to be obtained at a time for alarm analysis, a priority is set in advance for each alarm rule, and the alarm rules in the alarm rule set are then obtained one at a time according to priority. Note that the priority can be set according to the importance of the alarm rule or according to other rules; the embodiment of the present invention does not specifically limit this.
By obtaining the alarm rules in the alarm rule set one at a time according to priority, the embodiment of the present invention matches the log message against the important alarm rules first, so that important exception information contained in the log can be discovered in time and handled promptly.
On the basis of the above embodiments, the alarm mode includes an alarm triggering mode and an alarm sending method. The alarm triggering mode includes single triggering and threshold triggering; the alarm sending method includes mail alarm, SMS alarm and WeChat alarm.
Specifically, the alarm mode includes an alarm triggering mode and an alarm sending method. The alarm triggering mode determines under what circumstances an alarm is triggered, and includes single triggering and threshold triggering. Single triggering means that an alarm is triggered as soon as the log message satisfies some alarm rule; this mode suits exception types that are particularly severe and uncommon. The other mode is threshold triggering: the number of alarm rules in the target alarm rule set that the log message satisfies, or the ratio of that number to the total number of alarm rules in the target alarm rule set, is counted and a threshold is set; an alarm is triggered when the threshold is exceeded. Note that the size of the threshold can be set according to the severity and scope of impact of the exception. After an alarm is triggered, the alarm information has to be sent to the corresponding staff, so it can be sent by any one or a combination of mail alarm, SMS alarm and WeChat alarm. Note that information such as the corresponding enabling time, stop time, effective time and life cycle can also be set in an alarm rule.
The embodiment of the present invention obtains the corresponding target alarm rule set from the first identifier ID in the log message, and judges from each alarm rule in the target alarm rule set whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages generated by each service meets the individual needs of different services on the one hand and improves the efficiency of alarm analysis on the other.
Fig. 2 is a schematic flowchart of a rule-based log alarm method provided by an embodiment of the present invention. As shown in Fig. 2, the method includes:
Step 201: Obtain the log message. The log message generated by the service to be detected is obtained in real time, the log message including the first identifier ID; perform step 202;
Step 202: Obtain the target alarm rule set. Each alarm rule set corresponds to a second identifier ID; obtain the alarm rule set whose second identifier ID is identical to the first identifier ID in the log message, take that alarm rule set as the target rule set, and perform step 203;
Step 203: Parse the alarm rule. Obtain one alarm rule from the target alarm rule set according to the priority of the alarm rules, parse the alarm rule, and perform step 204;
Step 204: Determine the keywords and logical relationships. If the regular expression in the alarm rule has multiple levels of nesting, the keywords and logical relationships can be determined, multiple logical relation functions generated, and the keywords and logical relationships included in each logical relation function obtained. Assuming that the outermost logical relationship in the regular expression is a logical AND, perform step 205;
Step 205: Is the logical relation function satisfied? Judge in turn, according to the preset rules, whether the log message satisfies the logical relation function; if not, perform step 206, otherwise perform step 209;
Step 206: Not violated. Since the outermost logical relationship of the alarm rule is a logical AND, a single unsatisfied logical relation function means the alarm rule is not violated; perform step 207;
Step 207: Is it the last rule? Judge whether this alarm rule is the last alarm rule in the target alarm rule set; if not, perform step 208, otherwise perform step 214;
Step 208: Choose the next rule. Obtain a further alarm rule from the target alarm rule set according to priority, and perform step 203;
Step 209: Is it the last function? Judge whether the logical relation function is the last one; if not, perform step 210, otherwise perform step 211;
Step 210: Execute the next function. Obtain the next logical relation function in the alarm rule and perform step 205;
Step 211: The alarm rule is violated. If the log message satisfies all logical relation functions, it satisfies this alarm rule, which means this alarm rule has been violated; record the number of violated alarm rules and perform step 212;
Step 212: Is the threshold reached? Judge whether the number of alarm rules violated by the log message reaches the threshold, or whether the ratio of the number of violated alarm rules to the total number of alarm rules reaches the threshold; if it does, perform step 213, otherwise perform step 214;
Step 213: Alarm. Trigger the alarm;
Step 214: End.
The embodiment of the present invention obtains the corresponding target alarm rule set from the first identifier ID in the log message, and judges from each alarm rule in the target alarm rule set whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages generated by each service meets the individual needs of different services on the one hand and improves the efficiency of alarm analysis on the other.
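The Python sketch below is an added example, not code from the patent. It groups rules by second identifier ID, walks only the target set in priority order, and evaluates the nested keyword logic outside-in with single keywords checked first, as in the (A|B)&(C|D)&E walk-through and the Fig. 2 flow. The `!` syntax for NOT, "lower number is checked first", the count-based `>=` threshold, and all service names and rule contents are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

TOKEN = re.compile(r"\s*([()&|!]|[A-Za-z0-9_.:-]+)")

def parse(expr):
    """Return ('kw', name), ('not', node) or ('and'|'or', [nodes])."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"unsupported character in {expr!r}")
    toks.append(None)                       # end-of-input marker
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def chain(op, name, operand):           # operand (op operand)*
        items = [operand()]
        while toks[pos] == op:
            take()
            items.append(operand())
        return items[0] if len(items) == 1 else (name, items)
    def unary():
        tok = take()
        if tok == "!":
            return ("not", unary())
        if tok == "(":
            node = chain("|", "or", and_expr)
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return node
        if tok is None or tok in {")", "&", "|"}:
            raise ValueError(f"unexpected token {tok!r} in {expr!r}")
        return ("kw", tok)
    def and_expr():
        return chain("&", "and", unary)
    node = chain("|", "or", and_expr)
    if toks[pos] is not None:
        raise ValueError(f"unexpected token {toks[pos]!r} in {expr!r}")
    return node

def evaluate(node, keywords, trace=None):
    """Outside-in evaluation; single keywords are checked before nested relations."""
    kind = node[0]
    if kind == "kw":
        if trace is not None:
            trace.append(node[1])           # record the order of keyword checks
        return node[1] in keywords
    if kind == "not":
        return not evaluate(node[1], keywords, trace)
    ordered = sorted(node[1], key=lambda n: n[0] != "kw")   # stable: keywords first
    results = (evaluate(n, keywords, trace) for n in ordered)
    return all(results) if kind == "and" else any(results)  # short-circuits

@dataclass
class AlarmRule:
    service_id: str                         # second identifier ID
    priority: int                           # assumption: lower number is checked first
    expression: str
    trigger: str                            # "single" or "threshold"
    senders: tuple                          # "mail", "sms", "wechat"
    ast: tuple = field(init=False, repr=False)

    def __post_init__(self):
        self.ast = parse(self.expression)   # reject malformed rules at creation time

def build_rule_sets(rules):
    """Group rules by second identifier ID and order each set by priority."""
    sets = {}
    for rule in rules:
        sets.setdefault(rule.service_id, []).append(rule)
    for group in sets.values():
        group.sort(key=lambda r: r.priority)
    return sets

def analyze(message, rule_sets, threshold=2):
    """Evaluate only the set whose ID equals the message's first identifier ID."""
    hits = []
    for rule in rule_sets.get(message["service_id"], []):
        if not evaluate(rule.ast, message["keywords"]):
            continue
        if rule.trigger == "single":        # alarm on the first satisfied rule
            return {"alarm": True, "reason": "single",
                    "rules": [rule.expression], "senders": sorted(rule.senders)}
        hits.append(rule)
    reached = len(hits) >= threshold        # assumption: count-based, ">=" comparison
    return {"alarm": reached, "reason": "threshold" if reached else None,
            "rules": [r.expression for r in hits],
            "senders": sorted({s for r in hits for s in r.senders}) if reached else []}

# Constructed sample rules (service names and contents are made up for this example).
RULE_SETS = build_rule_sets([
    AlarmRule("order-service", 3, "WARN&!healthcheck", "threshold", ("wechat",)),
    AlarmRule("order-service", 1, "ERROR&DB&(timeout|deadlock)", "single", ("sms", "mail")),
    AlarmRule("order-service", 2, "WARN&(DB|Cache)", "threshold", ("mail",)),
    AlarmRule("cache-service", 1, "ERROR&Cache", "single", ("mail",)),
])

if __name__ == "__main__":
    print(analyze({"service_id": "order-service", "keywords": {"WARN", "Cache"}}, RULE_SETS))
```

Passing a list as `trace` to `evaluate` shows the check order: for (A|B)&(C|D)&E a message without keyword E is rejected after a single lookup, which is the saving the single-keyword-first rule is after.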
Fig. 3 is a kind of rule-based log alarming apparatus structure schematic diagram provided in an embodiment of the present invention, such as Fig. 3 institutes
Show, described device includes:Acquisition module 301, matching module 302 and alarm module 303, wherein:
Acquisition module 301 is used to obtain the log information that service to be detected generates in real time, and the log information includes described
It is to be detected to service corresponding mark ID;Matching module 302 indicates the matched alarm rule collection of ID as mesh for obtaining with described
Alarm rule collection is marked, the alarm rule collection includes at least one alarm rule, and each rule includes regular expression and report
Police's formula;Alarm module 303 is used to obtain the alarm rule that the target alarm rule is concentrated successively, if judging to know institute
The regular expression in the alarm rule that log information satisfaction obtains is stated, then the report in the alarm rule of acquisition
Police's formula triggering alarm.
Specifically, acquisition module 301 obtains the log information that service to be detected generates in real time, it should be noted that daily record
Include the corresponding first flag ID of the service to be detected in message, and the first flag ID of each service to be detected is unique
, therefore, it can know which service to be detected is the log information be by by the first flag ID recognized in log information
It generates.Since different services may generate different log informations, and the alarm demand of different services is different, therefore,
It is in advance the corresponding alarm rule collection of each service construction one, alarm rule concentration includes at least one alarm rule, matches
Module 302 matches the second identifier IDs corresponding with each alarm rule collection of the first flag ID in log information, if
First flag ID second identifier IDs corresponding with some alarm rule collection in log information is identical, then by the alarm rule collection
As target alarm rule collection, the alarm rule concentrated with the target alarm rule carries out alarm analysis.It is it should be noted that every
One alarm rule concentration includes at least one alarm rule, and all include regular expression and alarm in each alarm rule
Mode.Alarm module 303 is concentrated from target alarm rule obtain an alarm rule every time, then judges whether log information is full
Regular expression in foot this alarm rule, if it is satisfied, then the type of alarm in this alarm rule is alarmed.
The device embodiment provided by the present invention can be used to execute the processing flow of each of the method embodiments above; its functions are not described again here, and reference may be made to the detailed description of the method embodiments.
The embodiment of the present invention obtains the corresponding target alarm rule set from the first identification ID in the log message and judges, according to each alarm rule in the target alarm rule set, whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages of each service meets the individual requirements of different services on the one hand and improves the efficiency of alarm analysis on the other.
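The flow through modules 301 to 303, as an added Python example that is not code from the patent: a log message is decoded, its first identification ID selects the target alarm rule set, and each rule in that set is tested in priority order. The JSON message layout, the field names `service_id` and `message`, the count-based reading of threshold triggering, lower-number-first priority and all sample rules and log lines are assumptions.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AlarmRule:
    service_id: str          # second identification ID: the service the rule belongs to
    pattern: str             # regular expression the log message must satisfy
    trigger: str = "single"  # alarm triggering mode: "single" or "threshold"
    threshold: int = 1       # assumption: alarm once this many matches accumulate
    send_by: str = "mail"    # alarm sending mode: "mail", "sms" or "wechat"
    priority: int = 0        # assumption: lower value is evaluated first
    hits: int = field(default=0, init=False)

    def __post_init__(self):
        self.regex = re.compile(self.pattern)  # a bad pattern fails at rule creation


class LogAlarmDevice:
    def __init__(self, rules):
        # One alarm rule set per service ID, each ordered by priority.
        self.rule_sets = defaultdict(list)
        for rule in sorted(rules, key=lambda r: r.priority):
            self.rule_sets[rule.service_id].append(rule)

    def acquire(self, raw):
        """Acquisition module: decode one message, return (first ID, text) or None."""
        try:
            record = json.loads(raw)
            return str(record["service_id"]), str(record["message"])
        except (ValueError, KeyError, TypeError):
            return None  # malformed or unlabelled: no rule set can be selected

    def match(self, first_id):
        """Matching module: target rule set whose ID equals the first ID."""
        return self.rule_sets.get(first_id, [])

    def alarm(self, text, rule_set):
        """Alarm module: test each rule in turn, alarm in the rule's own mode."""
        fired = []
        for rule in rule_set:
            if not rule.regex.search(text):
                continue
            rule.hits += 1
            if rule.trigger == "single" or rule.hits >= rule.threshold:
                rule.hits = 0
                fired.append((rule.send_by, rule.pattern))
        return fired

    def process(self, raw):
        parsed = self.acquire(raw)
        if parsed is None:
            return []
        first_id, text = parsed
        return self.alarm(text, self.match(first_id))


def sample_rules():
    """Constructed rules for two hypothetical services."""
    return [
        AlarmRule("order-svc", r"\bERROR\b", trigger="threshold", threshold=3, priority=2),
        AlarmRule("order-svc", r"timeout.*\b(db|cache)\b", send_by="sms", priority=1),
        AlarmRule("pay-svc", r"refused|denied", send_by="wechat"),
    ]


SAMPLE_LOGS = [  # constructed messages, as a log consumer might deliver them
    '{"service_id": "order-svc", "message": "ERROR timeout waiting for db"}',
    '{"service_id": "order-svc", "message": "ERROR order 17 rejected"}',
    '{"service_id": "order-svc", "message": "ERROR timeout waiting for cache"}',
    '{"service_id": "pay-svc", "message": "ERROR card denied"}',
    '{"service_id": "audit-svc", "message": "ERROR timeout waiting for db"}',
    'not json at all',
]


def run_demo():
    device = LogAlarmDevice(sample_rules())
    return [device.process(raw) for raw in SAMPLE_LOGS]


if __name__ == "__main__":
    for raw, alarms in zip(SAMPLE_LOGS, run_demo()):
        print(alarms, "<-", raw)
```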
Fig. 4 is a schematic structural diagram of a rule-based log alarm system provided by an embodiment of the present invention. As shown in Fig. 4, the system comprises a log alarm device 401, a log consumption device 402, a database 403 and an alarm management device 404, which are communicatively connected;
The log alarm device 401 is used to execute the method described above;
The log consumption device 402 is used to obtain the log messages generated by each service and to send them to the log alarm device 401;
The database 403 is used to store the alarm rule sets and the alarm information;
The alarm management device 404 is used to configure the alarm rule sets.
Specifically, the log alarm device 401 receives the log messages sent by the log consumption device 402 and performs alarm analysis on them by the method described above; the specific analysis method is not repeated in this embodiment.
The log consumption device 402 consumes the real-time log messages of each service to be detected. The logs of each service to be detected are required to carry a first identification ID consistent with that service. The log consumption device can be built with Apache Kafka, a distributed publish-subscribe messaging system.
The database 403 stores the first identification IDs of the log messages generated by the services to be detected, the keywords, the keyword categories, the alarm rules, and the details of the alarm information generated when an alarm rule is triggered.
The alarm management device 404 is used for generating and managing alarm rules and for viewing and analysing alarm information. Overall, the alarm management device 404 provides three parts of functionality, corresponding to two different pages:
The first part is the management interface for the first identification IDs of log messages and for keywords. For each of the two it provides list display, creation, deletion, enabling and disabling.
First identification ID management interface: provides list display, creation, deletion, enabling and disabling of first identification IDs, together with a preview of all alarm rules belonging to the service to be detected and a jump to their display. When deleting, enabling or disabling an ID, the user may choose whether the alarm rules associated with that first identification ID are deleted, enabled or disabled at the same time.
Keyword entry interface: mainly provides, for keyword categories, creation, deletion, enabling, disabling and a preview of the related alarm rules; and, for the keywords under a category, creation, deletion, enabling, disabling and a preview of the related alarm rules. General, fixed keywords can be created as one category according to their own characteristics; all user-defined keywords can form a separate category.
The second part is the alarm rule management interface: list display, creation, deletion, enabling and disabling of alarm rules, and setting of their priority.
Generation of an alarm rule: in the first step, select the service log identification name; in the second step, select one or more keyword categories, select one or more keywords under each category, and choose the logical relationship between the keywords; in the third step, set the trigger mode of the alarm rule and its threshold; in the fourth step, set the delivery mode of the alarm information; in the fifth step, set the automatic effective time, life cycle and priority of the alarm rule.
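The first two steps of rule generation, as an added Python example that is not code from the patent: the selected keywords and their logical relationship are stored as one text expression, checked against the registered services and keyword categories when the rule is created, and evaluated against log messages. The expression syntax (uppercase AND, OR, NOT and parentheses), substring keyword matching, the names `create_rule`, `SERVICES` and `CATALOGUE`, and the sample data are assumptions.

```python
import re

TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses, operators, keywords


def parse(expression):
    """Parse 'a AND (b OR NOT c)' into a tuple tree; NOT binds tightest, OR loosest."""
    tokens, pos = TOKEN.findall(expression), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def binary(op, operand):  # left-associative chain: x OP x OP x
        node = operand()
        while peek() == op:
            take()
            node = (op.lower(), node, operand())
        return node

    def conjunction():
        return binary("AND", unary)

    def unary():
        token = take()
        if token == "NOT":
            return ("not", unary())
        if token == "(":
            node = binary("OR", conjunction)
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if token in (")", "AND", "OR"):
            raise ValueError(f"unexpected token {token!r}")
        return token  # a keyword

    tree = binary("OR", conjunction)
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree


def evaluate(node, message):
    """A keyword is true when it occurs in the log message text."""
    if isinstance(node, str):
        return node in message
    if node[0] == "not":
        return not evaluate(node[1], message)
    left, right = evaluate(node[1], message), evaluate(node[2], message)
    return (left and right) if node[0] == "and" else (left or right)


def keywords_of(node):
    """Collect every keyword leaf of a parsed expression."""
    if isinstance(node, str):
        return {node}
    return set().union(*(keywords_of(child) for child in node[1:]))


SERVICES = {"order-svc", "pay-svc"}  # constructed service log identification names
CATALOGUE = {                        # constructed keyword categories and keywords
    "general": {"ERROR", "timeout"},
    "storage": {"db", "cache"},
    "noise": {"healthcheck"},
}


def create_rule(service_id, expression):
    """Steps one and two: check the service and every keyword before storing the rule."""
    if service_id not in SERVICES:
        raise ValueError(f"unknown service {service_id!r}")
    tree = parse(expression)
    unknown = keywords_of(tree) - set().union(*CATALOGUE.values())
    if unknown:
        raise ValueError(f"keywords not in any category: {sorted(unknown)}")
    return {"service_id": service_id, "expression": expression, "tree": tree}


def matches(rule, message):
    """True when the log message satisfies the rule's keyword logic."""
    return evaluate(rule["tree"], message)
```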
The device embodiment provided by the present invention can be used to execute the processing flow of each of the method embodiments above; its functions are not described again here, and reference may be made to the detailed description of the method embodiments.
The embodiment of the present invention obtains the corresponding target alarm rule set from the first identification ID in the log message and judges, according to each alarm rule in the target alarm rule set, whether the log message should trigger an alarm. Selecting the corresponding alarm rule set for the log messages of each service meets the individual requirements of different services on the one hand and improves the efficiency of alarm analysis on the other.
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention. As shown in Fig. 5, the electronic device comprises a processor 501, a memory 502 and a bus 503, wherein:
The processor 501 and the memory 502 communicate with each other through the bus 503;
The processor 501 is used to call the program instructions in the memory 502 to execute the methods provided by the method embodiments above, for example including: obtaining in real time the log message generated by the service to be detected, the log message including the first identification ID corresponding to the service to be detected; obtaining the alarm rule set matching the first identification ID as the target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode; and obtaining in turn the alarm rules in the target alarm rule set and, if it is judged that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
This embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, enable the computer to execute the methods provided by the method embodiments above, for example including: obtaining in real time the log message generated by the service to be detected, the log message including the first identification ID corresponding to the service to be detected; obtaining the alarm rule set matching the first identification ID as the target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode; and obtaining in turn the alarm rules in the target alarm rule set and, if it is judged that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to execute the methods provided by the method embodiments above, for example including: obtaining in real time the log message generated by the service to be detected, the log message including the first identification ID corresponding to the service to be detected; obtaining the alarm rule set matching the first identification ID as the target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode; and obtaining in turn the alarm rules in the target alarm rule set and, if it is judged that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
A person of ordinary skill in the art will understand that all or some of the steps of the method embodiments above can be carried out by hardware driven by program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. A person of ordinary skill in the art can understand and implement it without creative effort.
From the description of the embodiments above, a person skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. On this understanding, the technical solution above, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments or in certain parts of the embodiments.
Finally, it should be noted that the embodiments above only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
- 1. A rule-based log alarm method, characterized by comprising: obtaining in real time a log message generated by a service to be detected, the log message including a first identification ID corresponding to the service to be detected; obtaining the alarm rule set matching the first identification ID as a target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode; obtaining in turn the alarm rules in the target alarm rule set and, if it is judged that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
- 2. The method according to claim 1, characterized in that the log message includes keywords to be detected, and judging that the log message satisfies the regular expression in the obtained alarm rule comprises: parsing the alarm rule to obtain the keywords and the logical relation in the regular expression, the logical relation including any one or a combination of logical AND, logical OR and logical NOT; obtaining the calculation result of the regular expression from the keywords to be detected in the log message and the keywords and logical relation in the regular expression; and, if the calculation result is true, judging that the log message satisfies the regular expression in the obtained alarm rule.
- 3. The method according to claim 1, characterized in that the method further comprises: creating in advance the alarm rule sets corresponding to a plurality of services to be detected, and storing the alarm rule sets.
- 4. The method according to claim 3, characterized in that the alarm rule further includes a second identification ID corresponding to the service to be detected, and, correspondingly, creating in advance the alarm rule sets corresponding to the plurality of services to be detected and storing the alarm rule sets comprises: creating in advance the alarm rules corresponding to the plurality of services to be detected, grouping the alarm rules by the second identification ID to form a plurality of alarm rule sets, and storing the alarm rule sets.
- 5. The method according to claim 1, characterized in that the alarm rule further includes priority information, and, correspondingly, obtaining in turn the alarm rules in the alarm rule set comprises: obtaining in turn, according to the priority, one alarm rule from the alarm rule set.
- 6. The method according to any one of claims 1-5, characterized in that the alarm mode includes an alarm triggering mode and an alarm sending mode, the alarm triggering mode including single triggering and threshold triggering, and the alarm sending mode including mail alarm, SMS alarm and WeChat alarm.
- 7. A rule-based log alarm device, characterized by comprising: an acquisition module, for obtaining in real time the log message generated by a service to be detected, the log message including the identification ID corresponding to the service to be detected; a matching module, for obtaining the alarm rule set matching the first identification ID as a target alarm rule set, the alarm rule set including at least one alarm rule, each rule including a regular expression and an alarm mode; an alarm module, for obtaining in turn the alarm rules in the target alarm rule set and, if it is judged that the log message satisfies the regular expression in the obtained alarm rule, triggering an alarm according to the alarm mode in the obtained alarm rule.
- 8. A rule-based log alarm system, characterized by comprising a log alarm device, a log consumption device, a database and an alarm management device that are communicatively connected; the log alarm device is used to execute the method according to any one of claims 1-5; the log consumption device is used to obtain the log messages generated by each service and to send the log messages to the log alarm device; the database is used to store the alarm rule sets and the alarm information; the alarm management device is used to configure the alarm rule sets.
- 9. An electronic device, characterized by comprising a processor, a memory and a bus, wherein: the processor and the memory communicate with each other through the bus; the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to execute the method according to any one of claims 1-6.
- 10. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions that cause the computer to execute the method according to any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711174472.9A CN108170580A (en) | 2017-11-22 | 2017-11-22 | A kind of rule-based log alarming method, apparatus and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711174472.9A CN108170580A (en) | 2017-11-22 | 2017-11-22 | A kind of rule-based log alarming method, apparatus and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108170580A true CN108170580A (en) | 2018-06-15 |
Family
ID=62527300
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711174472.9A Withdrawn CN108170580A (en) | 2017-11-22 | 2017-11-22 | A kind of rule-based log alarming method, apparatus and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108170580A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | Application publication date: 20180615 |
WW01 | Invention patent application withdrawn after publication | |