CN109542857A - Audit log storage method, querying method, device and relevant device - Google Patents

Publication number: CN109542857A
Authority: CN (China)
Prior art keywords: audit log, log, audit, target, file
Legal status: Granted
Application number: CN201811414615.3A
Other languages: Chinese (zh)
Other versions: CN109542857B (en)
Inventor: 李耀东
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd

Abstract

The embodiments of this specification provide an audit log storage method, a query method, devices and related equipment. The audit log storage method includes: when a first audit log is received, obtaining and storing the association among the first audit log, the second audit log corresponding to the first audit log, and an association identifier; storing the first audit log in association with the association identifier at a first storage location; and, once the second audit log has been completely received, storing the second audit log at a second storage location related to the association identifier. The first audit log is a mail audit log or a forum audit log, and the second audit log is a content audit log or an attachment audit log. The embodiments of the present invention do not need to wait until the content audit log or attachment audit log has been completely received, so storage is not affected by the time taken to receive the content audit log or attachment audit log or by the network transmission rate. The audit log is stored promptly, which in turn ensures that audit logs are displayed in real time.

Description

Audit log storage method, querying method, device and relevant device
Technical field
This specification relates to the field of network communication technology, and in particular to an audit log storage method, a query method, devices and related equipment.
Background
At present, enterprises and organizations face a more complex situation than before in the field of IT information security, especially in network security. Log auditing is an important part of network security, and the storage of audit logs is an important component of log auditing.
When mail audit logs and forum audit logs are stored, the corresponding content audit logs and/or attachment audit logs are normally stored as well. At present, a log management platform receives the mail audit logs or forum audit logs sent by an audit platform through one port, and receives the content audit logs or attachment audit logs corresponding to those mail audit logs or forum audit logs through another port. Only after all of the content audit logs or attachment audit logs corresponding to a mail audit log or forum audit log have been received are they stored together. In addition, each content audit log or attachment audit log is stored separately in its own file.
When a content audit log or attachment audit log is very large, it takes a long time to receive, so the corresponding mail audit log or forum audit log cannot be stored promptly, which affects the real-time display of the mail audit log or forum audit log. When the network transmission rate drops, the time needed to receive the content audit log or attachment audit log increases, and this effect becomes more pronounced.
Summary of the invention
To overcome the problems in the related art, this specification provides an audit log storage method, a query method, devices and related equipment.
According to a first aspect of the embodiments of this specification, an audit log storage method is provided, applied to a log management device, the method comprising:
when a first audit log is received, obtaining and storing the association among the first audit log, the second audit log corresponding to the first audit log, and an association identifier;
storing the first audit log in association with the association identifier at a first storage location;
once the second audit log has been completely received, storing the second audit log at a second storage location related to the association identifier;
wherein the first audit log is a mail audit log or forum audit log that carries content or an attachment, and the second audit log is the content audit log or attachment audit log of the mail or forum.
According to a second aspect of the embodiments of this specification, an audit log query method is provided, applied to a log management device, the method comprising:
receiving a query request for the second audit log corresponding to a first audit log, the query request carrying an association identifier, wherein the first audit log is a mail audit log or forum audit log, and the second audit log is the content audit log or attachment audit log of the mail or forum;
obtaining a target storage path according to the association identifier;
obtaining the second audit log according to the target storage path.
According to a third aspect of the embodiments of this specification, an audit log storage apparatus is provided, applied to a log management device, the apparatus comprising:
an association obtaining module, configured to, when a first audit log is received, obtain and store the association among the first audit log, the second audit log corresponding to the first audit log, and an association identifier;
a first storage module, configured to store the first audit log in association with the association identifier at a first storage location;
a second storage module, configured to, once the second audit log has been completely received, store the second audit log at a second storage location corresponding to the association identifier;
wherein the first audit log is a mail audit log or forum audit log that carries content or an attachment, and the second audit log is the content audit log or attachment audit log of the mail or forum.
According to a fourth aspect of the embodiments of this specification, an audit log query apparatus is provided, applied to a log management device, the apparatus comprising:
a query request receiving module, configured to receive a query request for the second audit log corresponding to a first audit log, the query request carrying an association identifier, wherein the first audit log is a mail audit log or forum audit log, and the second audit log is the content audit log or attachment audit log of the mail or forum;
a storage path obtaining module, configured to obtain a target storage path according to the association identifier;
a log obtaining module, configured to obtain the second audit log according to the target storage path.
According to a fifth aspect of the embodiments of this specification, a log management device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any one of the first aspect when executing the program.
According to a sixth aspect of the embodiments of this specification, a computer-readable storage medium is provided, on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the method of any one of the first aspect.
According to a seventh aspect of the embodiments of this specification, a log management device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any one of the second aspect when executing the program.
According to an eighth aspect of the embodiments of this specification, a computer-readable storage medium is provided, on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the method of any one of the second aspect.
The technical solutions provided by the embodiments of this specification can have the following beneficial effects:
In the embodiments of this specification, when a mail audit log or forum audit log is received, the association among that audit log, the corresponding content audit log or attachment audit log, and the association identifier is obtained, and the mail audit log or forum audit log is then stored in association with the association identifier. There is no need to wait until the content audit log or attachment audit log has been completely received, so storage is not affected by the time taken to receive the content audit log or attachment audit log or by the network transmission rate. The audit log can be stored promptly, which in turn ensures that audit logs are displayed in real time.
It should be understood that the above general description and the following detailed description are only exemplary and explanatory, and do not limit this specification.
Brief description of the drawings
The accompanying drawings are incorporated into and form part of this specification, show embodiments consistent with this specification, and together with the specification serve to explain its principles.
Fig. 1 is an example flowchart of the audit log storage method provided by an embodiment of the present invention.
Fig. 2 is an example flowchart of the audit log query method provided by an embodiment of the present invention.
Fig. 3 is a functional block diagram of the audit log storage apparatus provided by an embodiment of the present invention.
Fig. 4 is a functional block diagram of the audit log query apparatus provided by an embodiment of the present invention.
Detailed description of the embodiments
Example embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this specification. Rather, they are only examples of apparatuses and methods consistent with some aspects of this specification, as detailed in the appended claims.
The terms used in this specification are for the purpose of describing particular embodiments only and are not intended to limit this specification. The singular forms "a", "said" and "the" used in this specification and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this specification, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein can be interpreted as "when", "while" or "in response to determining".
The embodiments of this specification are described in detail below.
It should be noted that, for convenience of description, the first audit log herein denotes a mail audit log or forum audit log that carries content or an attachment, and the second audit log denotes the content audit log or attachment audit log of a mail or forum.
Embodiment one
Fig. 1 is an example flowchart of the audit log storage method provided by an embodiment of the present invention. The audit log storage method is applied to a log management device. As shown in Fig. 1, the method may include the following steps:
S101: when a first audit log is received, obtain the association among the first audit log, the second audit log corresponding to the first audit log, and the association identifier.
S102: store the first audit log in association with the association identifier at a first storage location.
S103: once the second audit log has been completely received, store the second audit log at a second storage location related to the association identifier.
The association indicates the correspondence between the first audit log and the second audit log, so that when the two are stored separately (the first audit log and the second audit log are stored in different storage locations) and at different times (the first audit log and the second audit log are stored at different moments), they can still be linked through the association.
The association may use a known format or a newly defined one. For example, the format of the association may be: first audit log - second audit log - association identifier. As another example, the format of the association may be: first audit log - association identifier, second audit log - association identifier.
After the association is obtained, it can be stored in the memory of the log management device. After the corresponding second audit log has been received and stored in association, the association can be deleted from the memory of the log management device to save the device's resources. For example, an association table can be established in the memory of the log management device, each obtained association is added to the association table, and after the second audit log has been stored, the association is deleted from the association table.
It should be noted that step S102 does not depend on the second audit log having been completely received. As soon as the log management device has received the first audit log and obtained the above association, it can store the first audit log immediately, so that the first audit log can be displayed quickly and promptly, which ensures that the first audit log is displayed in real time.
It can be seen that, through steps S101 and S102, the mail audit log or forum audit log is not affected by the time taken to receive the content audit log or attachment audit log or by the network transmission rate, and can be stored promptly when it is received, which ensures that audit logs are displayed in real time.
Step S103 ensures that the second audit log, which is stored later, remains associated with the first audit log, which is stored first.
In one exemplary implementation, obtaining the association among the first audit log, the second audit log corresponding to the first audit log, and the association identifier may include: when the first data packet of the second audit log is received, assigning an association identifier to the second audit log, and writing a first correspondence between the association identifier and the second audit log into a first mapping table; when the first audit log is received, determining the second audit log according to a known second correspondence between the first audit log and the second audit log; looking up the association identifier in the first mapping table according to the second audit log; and adding the association identifier to the second correspondence to obtain the association.
The second correspondence can be learned from the file name field of the first audit log. The content of the file name field of the first audit log is the file name of the second audit log, so the second correspondence between the first audit log and the second audit log can be obtained from it.
For example, when the first data packet of second audit log a is received, association identifier 5000 is assigned to second audit log a, giving the first correspondence: second audit log a - 5000. When first audit log A is received, the file name "a" is read from the file name field of first audit log A, giving the second correspondence: second audit log a - first audit log A. Using the file name "a", the association identifier 5000 corresponding to first audit log A is found from the first correspondence "second audit log a - 5000", giving the association: second audit log a - first audit log A - 5000.
In another exemplary implementation, obtaining the association among the first audit log, the second audit log corresponding to the first audit log, and the association identifier may include: when the first audit log is received, assigning an association identifier to the first audit log; and adding the association identifier to the known second correspondence between the first audit log and the second audit log to obtain the association.
For example, when first audit log A is received, association identifier 5000 is assigned to first audit log A. The file name "a" is read from the file name field of first audit log A, giving the second correspondence: second audit log a - first audit log A. Association identifier 5000 is added to the second correspondence, giving the association: second audit log a - first audit log A - 5000.
It should be noted that when the first audit log is received, the file name field of the first audit log can be used to judge whether the first audit log has a corresponding second audit log, and thereby to decide whether to assign an association identifier. For example, if the file name field is not empty, the first audit log is determined to have a corresponding second audit log, and an association identifier is assigned to the first audit log; if the file name field is empty, the first audit log is determined to have no corresponding second audit log, and no association identifier is assigned to the first audit log.
In one exemplary implementation, storing the second audit log at the second storage location corresponding to the association identifier may include: merging multiple target second audit logs whose data volume is less than or equal to a specified data volume threshold into the same file; and storing each target second audit log whose data volume is greater than the specified data volume threshold separately in its own file.
The specified data volume threshold can be set according to the needs of the specific application. For example, the specified data volume threshold can be set to the data volume of one data packet. In that case, a second audit log that consists of a single data packet is merged into one file together with other single-packet second audit logs, and a second audit log that consists of multiple data packets is stored separately in its own file.
Merging multiple target second audit logs whose data volume is less than or equal to the specified data volume threshold into the same file saves storage space and reduces the waste of storage resources. For example, suppose that among 2000 second audit logs there are 1000 logs averaging 600 bytes each. Because the minimum storage unit is 1 KB (1024 bytes), storing each of these 1000 logs separately in its own 1 KB small file, as in the existing scheme, wastes 1000 × (1024 − 600) (about 400,000) bytes of storage space, whereas merging these 1000 logs into one file according to this embodiment leaves no more than 1024 bytes unused.
In one exemplary implementation, storing multiple target second audit logs whose data volume is less than or equal to the specified data volume threshold in the same file may include: when a target second audit log whose data volume is less than or equal to the specified data volume threshold has been completely received, obtaining a first storage path according to the target association identifier corresponding to the target second audit log, the first storage path corresponding to multiple association identifiers; then either determining a first index file and a first data file under the first storage path, where the first index file does not include a data portion for storing log content, writing the target second audit log into the first data file, and adding to the first index file an index entry containing the target association identifier and the location information of the target second audit log in the first data file; or determining a second index file under the first storage path, where the second index file includes a data portion for storing log content, writing the target second audit log into the data portion of the second index file, and adding to the index header of the second index file an index entry containing the target association identifier and the location information of the target second audit log in the second index file.
According to this example, when a target second audit log whose data volume is less than or equal to the specified data volume threshold is stored, the log content and the index entry can both be stored in the index file (a data file does not need to be established in this case), or the log content and the index entry can be stored in a data file and an index file respectively (a data file does not need to be established in this case).
The location information may include a start position and a data length.
Of the two storage modes in the above example, one includes a data file, and the other does not include a data file but writes both the index entries and the data content into a single file. The latter storage mode reduces the number of file open operations and thereby saves resources.
In one exemplary implementation, determining the first index file and the first data file under the first storage path may include: detecting whether an existing index file and an existing data file currently exist under the first storage path; if an existing index file and an existing data file currently exist under the first storage path, determining the existing index file to be the first index file and the existing data file to be the first data file; or, if no existing index file and existing data file currently exist under the first storage path, creating a new index file and a new data file under the first storage path as the first index file and the first data file respectively. Determining the second index file under the first storage path may include: detecting whether an existing index file currently exists under the second storage path; if an existing index file currently exists under the second storage path, determining the existing index file to be the second index file; or, if no existing index file currently exists under the second storage path, creating a new index file under the second storage path as the second index file.
According to this example, when multiple second audit logs with small data volumes are merged into one file, a file must be created under the first storage path before the first second audit log is stored in each file; from the second second audit log stored in each file onward, the file already exists and the log is stored in the existing file.
In one exemplary implementation, the association identifier is a number. Obtaining the first storage path according to the target association identifier corresponding to the target second audit log, where the first storage path corresponds to multiple association identifiers, may include: converting the target association identifier to a hexadecimal number, as a first hexadecimal number; performing a bitwise AND operation on the first hexadecimal number and a specified hexadecimal number to obtain a second hexadecimal number; and converting the first N digits of the second hexadecimal number to storage path format to obtain the first storage path, where N is a natural number.
For example, the target association identifier is 5000. 5000 & 0XFFFFF800 = 0X00001000; taking the first 5 digits of 0X00001000, 00001, and converting them to 00/001 gives the first storage path 00/001, where 00 is a one-level directory and 001 is the file name of the index file. The symbol "&" denotes the bitwise AND operation. In this case, the first index file is the 001.min file under 00/001, and the first data file is the 001.data file under 00/001.
Likewise, for target association identifier 5001, 5001 & 0XFFFFF800 = 0X00001000, so the first storage path is also 00/001. This shows that the second audit log with association identifier 5000 and the second audit log with association identifier 5001 are stored in the same file 001.
Of course, those skilled in the art will understand that, in order to store the second audit logs corresponding to multiple association identifiers in the same file, the multiple association identifiers can also be mapped to the same file in other ways, for example by applying multiple predefined logical operations to the association identifier to obtain the storage path; the present invention does not limit this.
In one exemplary implementation, storing a target second audit log whose data volume is greater than the specified data volume threshold separately in its own file may include: when a target second audit log whose data volume is greater than the specified data volume threshold has been completely received, obtaining a second storage path according to the target association identifier corresponding to the target second audit log, the second storage path corresponding one-to-one with the target association identifier; and writing the target second audit log into a second data file under the second storage path.
According to this example, when a target second audit log whose data volume is greater than the specified data volume threshold is stored, only a data file may be established and no index entry is needed (because the storage path obtained from the association identifier leads directly to the data file that stores the log content). Of course, in other examples an index entry can also be established for a target second audit log whose data volume is greater than the specified data volume threshold; the index entry includes the association identifier and location information, with the location information set to a default value.
Obtaining the second storage path according to the target association identifier corresponding to the target second audit log, where the second storage path corresponds one-to-one with the target association identifier, may include: converting the target association identifier to a hexadecimal number, and converting that hexadecimal number to storage path format to obtain the second storage path.
For example, the target association identifier is 5000. 5000 is converted to the 8-byte hexadecimal number 0x00001388, which in storage path format is 00/001/388, and 00/001/388 is used as the second storage path. The second data file is the 388.data file under 00/001/388.
In one exemplary implementation, storing the first audit log in association with the association identifier at the first storage location may include: writing the association identifier into a specific field of the first audit log, and storing the first audit log, with the association identifier written into it, at the first storage location.
With the audit log storage method provided by this embodiment of the present invention, when a mail audit log or forum audit log is received, the association among that audit log, the corresponding content audit log or attachment audit log, and the association identifier is obtained, and the mail audit log or forum audit log is then stored in association with the association identifier. There is no need to wait until the content audit log or attachment audit log has been completely received, so storage is not affected by the time taken to receive the content audit log or attachment audit log or by the network transmission rate. The audit log can be stored promptly, which in turn ensures that audit logs are displayed in real time.
Embodiment two
Based on above-mentioned audit log storage method embodiment, the embodiment of the invention also provides corresponding audit logs to look into Ask embodiment of the method.
Fig. 2 is the flow example figure of audit log querying method provided in an embodiment of the present invention.Audit log issuer Method is applied to log management device, as shown in Fig. 2, this method may comprise steps of:
S201 receives the inquiry request of the second audit log corresponding to the first audit log, which, which carries, closes Connection mark.
S202 obtains target store path according to association identification.
S203 obtains the second audit log according to target store path.
The target storage path can be obtained from the association identifier in either of the following ways:
Mode one: convert the association identifier to a hexadecimal number, taken as the first hexadecimal number; perform a bitwise AND of the first hexadecimal number with a specified hexadecimal number to obtain a second hexadecimal number; convert the leading N digits of the second hexadecimal number to storage path format to obtain the storage path, where N is a natural number.
Mode two: convert the association identifier to a hexadecimal number, and convert that hexadecimal number to storage path format to obtain the storage path.
In an exemplary implementation, obtaining the second audit log according to the target storage path may include: if an index file exists under the target storage path, looking up the target index entry corresponding to the association identifier in the index file, extracting the target position information of the second audit log from the target index entry, and reading the second audit log from the position indicated by the target position information; or, if no index file exists under the target storage path, reading the second audit log from the data file under the target storage path.
An example: the target association identifier is 5000. Converted to a hexadecimal number of 8 bytes, 5000 is 0x00001388, which in storage path format is 00/001/388. Check under the path 00/001/388 for a file named 388; if it exists, open file 388 directly and read the log content from it. If there is no file named 388 under the path 00/001/388, perform a bitwise AND of 5000 with 0xFFFFF800 to obtain 0x00001000, take the first 5 digits, 00001, and convert them to 00/001; open the file 001.min under directory 00, look up the index entry in it by the association identifier, find the log storage position from the index entry, and read the log content from that position.
In an exemplary implementation, reading the second audit log from the position indicated by the target position information may include: if the index file does not include a data portion for storing log content, opening the associated data file corresponding to the index file and reading the second audit log from the position in the associated data file indicated by the target position information; or, if the index file includes a data portion for storing log content, reading the second audit log from the position in the data portion of the index file indicated by the target position information.
Here, the associated data file corresponds to the first data file in Embodiment one above.
The audit log query method provided by this embodiment of the present invention obtains the storage path from the association identifier and obtains the audit log from that storage path, so the audit log can be found quickly and query efficiency is improved.
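The path derivation and lookup order described above, as an added Python sketch that is not code from the patent. The mask, N = 5 and the `.min` index name come from the page's example; the 2/3/3 split with the last component as file name, the `.dat` data-file name, the index entry layout, the 64-byte threshold and the 32-bit range check on the association identifier (which arrives in a query request and is turned into a file path) are assumptions.

```python
import os
import struct
import tempfile

MASK = 0xFFFFF800              # the "specified hexadecimal number" in the page's example
TOP_N = 5                      # leading hex digits kept for the shared path
THRESHOLD = 64                 # size threshold in bytes (assumed value)
ENTRY = struct.Struct("<IQI")  # assumed index entry: association id, offset, length


def check_id(assoc_id):
    """Accept only a 32-bit unsigned integer, so a request value can never
    inject '..' or separators into the derived path."""
    if isinstance(assoc_id, bool) or not isinstance(assoc_id, int):
        raise ValueError("association id must be an integer")
    if not 0 <= assoc_id <= 0xFFFFFFFF:
        raise ValueError("association id out of range")
    return assoc_id


def single_path(assoc_id):
    """Mode two: all 8 hex digits split 2/3/3, e.g. 5000 -> 00/001/388."""
    h = f"{check_id(assoc_id):08x}"
    return "/".join((h[0:2], h[2:5], h[5:8]))


def shared_path(assoc_id):
    """Mode one: AND with MASK, keep the top N digits, e.g. 5000 -> 00/001.
    With this mask and N = 5 the result depends only on the top 20 bits of
    the id, so one shared index covers 4096 consecutive ids."""
    h = f"{check_id(assoc_id) & MASK:08x}"[:TOP_N]
    return "/".join((h[0:2], h[2:5]))


def _abs(root, rel):
    return os.path.join(root, *rel.split("/"))


def store(root, assoc_id, content):
    """Large logs get their own file; small logs share a data file plus index."""
    if len(content) > THRESHOLD:
        path = _abs(root, single_path(assoc_id))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        return
    base = _abs(root, shared_path(assoc_id))
    os.makedirs(os.path.dirname(base), exist_ok=True)
    with open(base + ".dat", "ab") as data:      # ".dat" is an assumed name
        data.seek(0, os.SEEK_END)
        offset = data.tell()
        data.write(content)
    with open(base + ".min", "ab") as index:
        index.write(ENTRY.pack(assoc_id, offset, len(content)))


def query(root, assoc_id):
    """Lookup order from the page's example: per-id file first, then the index."""
    path = _abs(root, single_path(assoc_id))
    if os.path.isfile(path):
        with open(path, "rb") as f:
            return f.read()
    base = _abs(root, shared_path(assoc_id))
    if not os.path.isfile(base + ".min"):
        return None
    with open(base + ".min", "rb") as index:
        raw = index.read()
    # Walk whole entries only; a truncated trailing entry is ignored.
    for i in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        entry_id, offset, length = ENTRY.unpack_from(raw, i)
        if entry_id == assoc_id:
            with open(base + ".dat", "rb") as data:
                data.seek(offset)
                return data.read(length)
    return None


def demo():
    """Store constructed sample logs in a temporary directory and read them back."""
    with tempfile.TemporaryDirectory() as root:
        store(root, 5000, b"small body")           # shares 00/001.min and 00/001.dat
        store(root, 5001, b"another small body")   # same shared path as 5000
        store(root, 6000, b"A" * 200)              # above threshold: 00/001/770
        return (query(root, 5000), query(root, 5001),
                len(query(root, 6000)), query(root, 7))


if __name__ == "__main__":
    print(single_path(5000), shared_path(5000), demo())
```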
Embodiment three
This embodiment of the present invention provides an audit log storage apparatus for executing the audit log storage method of Embodiment one above.
Fig. 3 is a functional block diagram of the audit log storage apparatus provided by this embodiment of the present invention. The audit log storage apparatus is applied to a log management device. As shown in Fig. 3, the apparatus may include:
An association relationship obtaining module 310, configured to, when a first audit log is received, obtain and store the association relationship among the first audit log, the second audit log corresponding to the first audit log, and an association identifier.
A first storage module 320, configured to store the first audit log in association with the association identifier at a first storage location.
A second storage module 330, configured to, when reception of the second audit log is complete, store the second audit log at a second storage location corresponding to the association identifier.
Here, the first audit log is a mail audit log or forum audit log carrying content or an attachment, and the second audit log is a content audit log or attachment audit log of the mail or forum.
In an exemplary implementation, the association relationship obtaining module 310 may be specifically configured to: upon receiving the first data packet of the second audit log, allocate an association identifier for the second audit log and write a first correspondence between the association identifier and the second audit log into a first mapping table; when the first audit log is received, determine the second audit log according to a known second correspondence between the first audit log and the second audit log; look up the association identifier in the first mapping table according to the second audit log; and add the association identifier to the second correspondence to obtain the association relationship.
In an exemplary implementation, the association relationship obtaining module 310 may be specifically configured to: when the first audit log is received, allocate an association identifier for the first audit log; and add the association identifier to the known second correspondence between the first audit log and the second audit log to obtain the association relationship.
In an exemplary implementation, the second storage module 330 may be specifically configured to: merge multiple target second audit logs whose data volume is less than or equal to a specified data volume threshold into the same file; and store a target second audit log whose data volume is greater than the specified data volume threshold separately in its own file.
In an exemplary implementation, when storing multiple target second audit logs whose data volume is less than or equal to the specified data volume threshold into the same file, the second storage module 330 may be specifically configured to: upon completing reception of a target second audit log whose data volume is less than or equal to the specified data volume threshold, obtain a first storage path according to the target association identifier corresponding to the target second audit log, the first storage path corresponding to multiple association identifiers; determine a first index file and a first data file under the first storage path, the first index file not including a data portion for storing log content, write the target second audit log into the first data file, and add to the first index file an index entry containing the target association identifier and the position information of the target second audit log in the first data file; or, determine a second index file under the first storage path, the second index file including a data portion for storing log content, write the target second audit log into the data portion of the second index file, and add to the index header portion of the second index file an index entry containing the target association identifier and the position information of the target second audit log in the second index file.
In an exemplary implementation, when storing a target second audit log whose data volume is greater than the specified data volume threshold separately in its own file, the second storage module 330 may be specifically configured to: upon completing reception of a target second audit log whose data volume is greater than the specified data volume threshold, obtain a second storage path according to the target association identifier corresponding to the target second audit log, the second storage path corresponding one-to-one with the target association identifier; and write the target second audit log into a second data file under the second storage path.
In an exemplary implementation, when determining the first index file and the first data file under the first storage path, the second storage module 330 may be specifically configured to: detect whether an existing index file and an existing data file are currently present under the first storage path; if the existing index file and the existing data file are currently present under the first storage path, determine that the existing index file is the first index file and that the existing data file is the first data file; or, if no existing index file and existing data file are currently present under the first storage path, create a new index file and a new data file under the first storage path as the first index file and the first data file respectively. When determining the second index file under the first storage path, the second storage module 330 may be specifically configured to: detect whether an existing index file is currently present under the second storage path; if an existing index file is currently present under the second storage path, determine that the existing index file is the second index file; or, if no existing index file is currently present under the second storage path, create a new index file under the second storage path as the second index file.
In an exemplary implementation, the association identifier is a number. When obtaining the first storage path, which corresponds to multiple association identifiers, according to the target association identifier corresponding to the target second audit log, the second storage module 330 may be specifically configured to: convert the target association identifier to a hexadecimal number, taken as the first hexadecimal number; perform a bitwise AND of the first hexadecimal number with a specified hexadecimal number to obtain a second hexadecimal number; and convert the leading N digits of the second hexadecimal number to storage path format to obtain the first storage path, where N is a natural number.
In an exemplary implementation, the first storage module 320 may be specifically configured to: write the association identifier into a specified field of the first audit log, and store the first audit log, with the association identifier written into it, at the first storage location.
The audit log storage apparatus provided by this embodiment of the present invention corresponds to the audit log storage method provided by Embodiment one of the present invention. For anything not described in detail in this embodiment, refer to the description of the corresponding part of Embodiment one; it is not repeated here.
Embodiment four
This embodiment of the present invention provides an audit log query apparatus for executing the audit log query method of Embodiment two above.
Fig. 4 is a functional block diagram of the audit log query apparatus provided by this embodiment of the present invention. The audit log query apparatus is applied to a log management device. As shown in Fig. 4, the apparatus may include:
A query request receiving module 410, configured to receive a query request for the second audit log corresponding to a first audit log, the query request carrying an association identifier, where the first audit log is a mail audit log or forum audit log and the second audit log is a content audit log or attachment audit log of the mail or forum.
A storage path obtaining module 420, configured to obtain a target storage path according to the association identifier.
A log obtaining module 430, configured to obtain the second audit log according to the target storage path.
In an exemplary implementation, the log obtaining module 430 is specifically configured to: if an index file exists under the target storage path, look up the target index entry corresponding to the association identifier in the index file, extract the target position information of the second audit log from the target index entry, and read the second audit log from the position indicated by the target position information; or, if no index file exists under the target storage path, read the second audit log from the data file under the target storage path.
In an exemplary implementation, the log obtaining module 430 is specifically configured to: if the index file does not include a data portion for storing log content, open the associated data file corresponding to the index file and read the second audit log from the position in the associated data file indicated by the target position information; or, if the index file includes a data portion for storing log content, read the second audit log from the position in the data portion of the index file indicated by the target position information.
The audit log query apparatus provided by this embodiment of the present invention corresponds to the audit log query method provided by Embodiment two of the present invention. For anything not described in detail in this embodiment, refer to the description of the corresponding part of Embodiment two; it is not repeated here.
Embodiment five
This embodiment of the present invention provides a log management device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements any of the audit log storage methods of Embodiment one above.
Embodiment six
This embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the steps of any of the audit log storage methods of Embodiment one above.
Embodiment seven
This embodiment of the present invention provides a log management device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements any of the audit log query methods of Embodiment two above.
Embodiment eight
This embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the steps of any of the audit log query methods of Embodiment two above.
Since the apparatus embodiments essentially correspond to the method embodiments, refer to the description of the method embodiments for related details. The apparatus embodiments described above are merely illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this specification. Those of ordinary skill in the art can understand and implement it without creative effort.
Specific embodiments of this specification have been described above. Other embodiments fall within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of this specification will readily occur to those skilled in the art after considering the specification and practicing the invention applied for here. This specification is intended to cover any variations, uses, or adaptations of this specification that follow its general principles and include common knowledge or customary technical means in the art that are not applied for in this specification. The specification and examples are to be regarded as illustrative only, with the true scope and spirit of this specification indicated by the following claims.
It should be understood that this specification is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this specification is limited only by the appended claims.
The foregoing are merely preferred embodiments of this specification and are not intended to limit it. Any modification, equivalent substitution, or improvement made within the spirit and principles of this specification shall fall within its scope of protection.

Claims (18)

1. An audit log storage method, characterized in that it is applied to a log management device, the method comprising:
when a first audit log is received, obtaining and storing the association relationship among the first audit log, the second audit log corresponding to the first audit log, and an association identifier;
storing the first audit log in association with the association identifier at a first storage location;
when reception of the second audit log is complete, storing the second audit log at a second storage location related to the association identifier;
wherein the first audit log is a mail audit log or forum audit log carrying content or an attachment, and the second audit log is a content audit log or attachment audit log of the mail or forum.
2. The method according to claim 1, characterized in that obtaining the association relationship among the first audit log, the second audit log corresponding to the first audit log, and the association identifier comprises:
upon receiving the first data packet of the second audit log, allocating the association identifier for the second audit log, and writing a first correspondence between the association identifier and the second audit log into a first mapping table;
when the first audit log is received, determining the second audit log according to a known second correspondence between the first audit log and the second audit log;
looking up the association identifier in the first mapping table according to the second audit log;
adding the association identifier to the second correspondence to obtain the association relationship.
3. The method according to claim 1, characterized in that obtaining the association relationship among the first audit log, the second audit log corresponding to the first audit log, and the association identifier comprises:
when the first audit log is received, allocating the association identifier for the first audit log;
adding the association identifier to the known second correspondence between the first audit log and the second audit log to obtain the association relationship.
4. The method according to claim 1, characterized in that storing the second audit log at the second storage location corresponding to the association identifier comprises:
merging multiple target second audit logs whose data volume is less than or equal to a specified data volume threshold into the same file;
storing a target second audit log whose data volume is greater than the specified data volume threshold separately in its own file.
5. The method according to claim 4, characterized in that storing the multiple target second audit logs whose data volume is less than or equal to the specified data volume threshold into the same file comprises:
upon completing reception of a target second audit log whose data volume is less than or equal to the specified data volume threshold, obtaining a first storage path according to the target association identifier corresponding to the target second audit log, the first storage path corresponding to multiple association identifiers;
determining a first index file and a first data file under the first storage path, the first index file not including a data portion for storing log content, writing the target second audit log into the first data file, and adding to the first index file an index entry containing the target association identifier and the position information of the target second audit log in the first data file; or, determining a second index file under the first storage path, the second index file including a data portion for storing log content, writing the target second audit log into the data portion of the second index file, and adding to the index header portion of the second index file an index entry containing the target association identifier and the position information of the target second audit log in the second index file.
6. The method according to claim 4, characterized in that storing the target second audit log whose data volume is greater than the specified data volume threshold separately in its own file comprises:
upon completing reception of a target second audit log whose data volume is greater than the specified data volume threshold, obtaining a second storage path according to the target association identifier corresponding to the target second audit log, the second storage path corresponding one-to-one with the target association identifier;
writing the target second audit log into a second data file under the second storage path.
7. The method according to claim 5, characterized in that
determining the first index file and the first data file under the first storage path comprises:
detecting whether an existing index file and an existing data file are currently present under the first storage path;
if the existing index file and the existing data file are currently present under the first storage path, determining that the existing index file is the first index file and that the existing data file is the first data file; or, if the existing index file and the existing data file are not currently present under the first storage path, creating a new index file and a new data file under the first storage path as the first index file and the first data file respectively;
determining the second index file under the first storage path comprises:
detecting whether an existing index file is currently present under the second storage path;
if the existing index file is currently present under the second storage path, determining that the existing index file is the second index file; or, if the existing index file is not currently present under the second storage path, creating a new index file under the second storage path as the second index file.
8. The method according to claim 5, characterized in that the association identifier is a number, and obtaining the first storage path, which corresponds to multiple association identifiers, according to the target association identifier corresponding to the target second audit log comprises:
converting the target association identifier to a hexadecimal number, taken as the first hexadecimal number;
performing a bitwise AND of the first hexadecimal number with a specified hexadecimal number to obtain a second hexadecimal number;
converting the leading N digits of the second hexadecimal number to storage path format to obtain the first storage path, where N is a natural number.
9. The method according to claim 1, characterized in that storing the first audit log in association with the association identifier at the first storage location comprises:
writing the association identifier into a specified field of the first audit log, and storing the first audit log, with the association identifier written into it, at the first storage location.
10. An audit log query method based on the audit log storage method of claim 1, characterized in that it is applied to a log management device, the method comprising:
receiving a query request for the second audit log corresponding to a first audit log, the query request carrying an association identifier, wherein the first audit log is a mail audit log or forum audit log and the second audit log is a content audit log or attachment audit log of the mail or forum;
obtaining a target storage path according to the association identifier;
obtaining the second audit log according to the target storage path.
11. The method according to claim 10, characterized in that obtaining the second audit log according to the target storage path comprises:
if an index file exists under the target storage path, looking up the target index entry corresponding to the association identifier in the index file, extracting the target position information of the second audit log from the target index entry, and reading the second audit log from the position indicated by the target position information; or,
if no index file exists under the target storage path, reading the second audit log from the data file under the target storage path.
12. The method according to claim 11, characterized in that reading the second audit log from the position indicated by the target position information comprises:
if the index file does not include a data portion for storing log content, opening the associated data file corresponding to the index file and reading the second audit log from the position in the associated data file indicated by the target position information; or,
if the index file includes a data portion for storing log content, reading the second audit log from the position in the data portion of the index file indicated by the target position information.
13. An audit log storage apparatus, characterized in that it is applied to a log management device, the apparatus comprising:
an association relationship obtaining module, configured to, when a first audit log is received, obtain and store the association relationship among the first audit log, the second audit log corresponding to the first audit log, and an association identifier;
a first storage module, configured to store the first audit log in association with the association identifier at a first storage location;
a second storage module, configured to, when reception of the second audit log is complete, store the second audit log at a second storage location corresponding to the association identifier;
wherein the first audit log is a mail audit log or forum audit log carrying content or an attachment, and the second audit log is a content audit log or attachment audit log of the mail or forum.
14. An audit log query apparatus, characterized in that it is applied to a log management device, the apparatus comprising:
a query request receiving module, configured to receive a query request for the second audit log corresponding to a first audit log, the query request carrying an association identifier, wherein the first audit log is a mail audit log or forum audit log and the second audit log is a content audit log or attachment audit log of the mail or forum;
a storage path obtaining module, configured to obtain a target storage path according to the association identifier;
a log obtaining module, configured to obtain the second audit log according to the target storage path.
15. A log management device, characterized in that it comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the method of any one of claims 1 to 9.
16. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of any one of claims 1 to 9.
17. A log management device, characterized in that it comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the method of any one of claims 10 to 12.
18. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of any one of claims 10 to 12.
CN201811414615.3A 2018-11-26 2018-11-26 Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment Active CN109542857B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811414615.3A CN109542857B (en) 2018-11-26 2018-11-26 Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811414615.3A CN109542857B (en) 2018-11-26 2018-11-26 Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment

Publications (2)

Publication Number Publication Date
CN109542857A true CN109542857A (en) 2019-03-29
CN109542857B CN109542857B (en) 2021-06-29

Family

ID=65850129

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811414615.3A Active CN109542857B (en) 2018-11-26 2018-11-26 Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment

Country Status (1)

Country Link
CN (1) CN109542857B (en)

Also Published As

Publication number Publication date
CN109542857B (en) 2021-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant