CN109542857B - Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment - Google Patents


Info

Publication number: CN109542857B
Application number: CN201811414615.3A
Authority: CN (China)
Prior art keywords: audit log, log, target, audit, file
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109542857A (en)
Inventor: 李耀东
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd
Priority to: CN201811414615.3A

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The embodiments of this specification provide an audit log storage method, an audit log query method, an audit log storage device, an audit log query device and related equipment. The audit log storage method comprises: when a first audit log is received, acquiring and storing an association relation among the first audit log, a second audit log corresponding to the first audit log, and an association identifier; storing the first audit log in association with the association identifier at a first storage location; and, when the second audit log is received, storing the second audit log at a second storage location related to the association identifier. The first audit log is an email audit log or a forum audit log, and the second audit log is a content audit log or an attachment audit log. Because the embodiments do not wait until the content audit log or attachment audit log has been received, storage is not affected by the receiving duration of the content audit log or attachment audit log or by the network transmission rate; the audit log can be stored in time, which in turn ensures that audit logs are displayed in real time.

Description

Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment
Technical Field
The present disclosure relates to the field of network communication technologies, and in particular, to an audit log storage method, an audit log query method, an audit log storage device, and a related device.
Background
Currently, enterprises and organizations face more complicated situations in the field of IT information security, particularly in the field of network security. The log audit is an important link in network security, and the storage of the audit log is an important component of the link.
When a mail audit log or a forum audit log is stored, the corresponding content audit log and/or attachment audit log is generally stored as well. Currently, a log management platform receives a mail audit log or a forum audit log sent by an audit platform through one port, and receives the corresponding content audit log or attachment audit log sent by the audit platform through another port. It stores the mail audit log or forum audit log together with the content audit log or attachment audit log only after both have been received. When storing, each content audit log or attachment audit log is stored as a separate file.
When the content audit log or the attachment audit log is large, the receiving time is long, so that the corresponding mail audit log or forum audit log cannot be stored as soon as possible, and the real-time display of the mail audit log or the forum audit log is influenced. This effect is more pronounced when the network transmission rate decreases, and the reception time of the content audit log or the attachment audit log is extended.
Disclosure of Invention
In order to overcome the problems in the related art, the specification provides an audit log storage method, an audit log query method, an audit log storage device and related equipment.
According to a first aspect of embodiments of the present specification, there is provided an audit log storage method applied to a log management device, the method including:
when a first audit log is received, acquiring and storing an association relation among the first audit log, a second audit log corresponding to the first audit log and an association identifier;
storing the first audit log in association with the association identifier at a first storage location;
when the second audit log is received, storing the second audit log to a second storage position related to the association identifier;
the first audit log is an email audit log or a forum audit log carrying content or attachments, and the second audit log is a content audit log or an attachment audit log of an email or a forum.
According to a second aspect of the embodiments of the present specification, there is provided an audit log query method, applied to a log management device, the method including:
receiving an inquiry request of a second audit log corresponding to a first audit log, wherein the inquiry request carries an associated identifier, the first audit log is a mail audit log or a forum audit log, and the second audit log is a content audit log or an attachment audit log of a mail or a forum;
obtaining a target storage path according to the association identifier;
and acquiring the second audit log according to the target storage path.
According to a third aspect of the embodiments of the present specification, there is provided an audit log storage apparatus applied to a log management device, the apparatus including:
the association relation acquisition module is used for acquiring and storing an association relation among the first audit log, a second audit log corresponding to the first audit log and an association identifier when the first audit log is received;
the first storage module is used for storing the first audit log and the association identifier in a first storage position in an association manner;
and the second storage module is used for storing the second audit log to a second storage position corresponding to the associated identifier when the second audit log is received.
The first audit log is an email audit log or a forum audit log carrying content or attachments, and the second audit log is a content audit log or an attachment audit log of an email or a forum.
According to a fourth aspect of the embodiments of the present specification, there is provided an audit log query apparatus, which is applied to a log management device, the apparatus including:
the query request receiving module is used for receiving a query request of a second audit log corresponding to a first audit log, wherein the query request carries an association identifier, the first audit log is a mail audit log or a forum audit log, and the second audit log is a content audit log or an attachment audit log of a mail or a forum;
the storage path acquisition module is used for acquiring a target storage path according to the association identifier;
and the log acquisition module is used for acquiring the second audit log according to the target storage path.
According to a fifth aspect of embodiments herein, there is provided a log management device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method according to any one of the first aspect when executing the program.
According to a sixth aspect of embodiments herein, there is provided a computer readable storage medium, on which a computer program is stored, which when executed by a processor, performs the steps of the method of any one of the first aspect.
According to a seventh aspect of embodiments herein, there is provided a log management device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method according to any one of the second aspect when executing the program.
According to an eighth aspect of embodiments herein, there is provided a computer readable storage medium, on which a computer program is stored, which when executed by a processor, performs the steps of the method of any one of the second aspects.
The technical scheme provided by the embodiment of the specification can have the following beneficial effects:
In the embodiments of this specification, when a mail audit log or forum audit log is received, the association relation among that audit log, the corresponding content audit log or attachment audit log, and the association identifier is obtained, and the mail audit log or forum audit log is then stored in association with the association identifier without waiting for reception of the content audit log or attachment audit log to complete. Storage is therefore not affected by the receiving duration of the content audit log or attachment audit log or by the network transmission rate, the audit log can be stored in time, and real-time display of the audit log is ensured.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a flowchart illustrating an audit log storage method according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating an audit log query method according to an embodiment of the present invention.
Fig. 3 is a functional block diagram of an audit log storage apparatus according to an embodiment of the present invention.
Fig. 4 is a functional block diagram of an audit log query apparatus according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The following provides a detailed description of examples of the present specification.
For convenience of description, in this document, the first audit log is used to represent an email audit log or a forum audit log carrying content or an attachment, and the second audit log is used to represent a content audit log or an attachment audit log of an email or a forum.
Example one
Fig. 1 is a flowchart illustrating an audit log storage method according to an embodiment of the present invention. The audit log storage method is applied to a log management device, and as shown in fig. 1, the method may include the following steps:
S101, when the first audit log is received, acquiring an association relation among the first audit log, a second audit log corresponding to the first audit log, and an association identifier.
S102, storing the first audit log in association with the association identifier at a first storage location.
S103, when the second audit log is received, storing the second audit log at a second storage location related to the association identifier.
The association relationship is used for indicating a corresponding relationship between the first audit log and the second audit log, so that when the first audit log and the second audit log are stored separately (the first audit log and the second audit log are stored in different storage positions respectively) and in a time-sharing manner (the first audit log and the second audit log are stored at different times respectively), the first audit log and the second audit log are associated through the association relationship.
The association may be in a known or newly defined format. For example, the format of the association may be: first audit log-second audit log-association identification. In another example, the format of the association relationship may also be: the first audit log-associated identification and the second audit log-associated identification.
After obtaining the association relationship, the association relationship may be stored in a memory of the log management device. After receiving the corresponding second audit log and storing the second audit log in an associated manner, the association relationship can be deleted from the memory of the log management device, so as to save resources of the log management device. For example, an association table may be established in the memory of the log management device, the obtained association may be added to the association table, and after the second audit log is stored, the association may be deleted from the association table.
It should be noted that step S102 does not depend on the second audit log having been received: as soon as the log management device receives the first audit log and obtains the association relation, it can store the first audit log immediately, so that the first audit log can be displayed quickly and in time, which ensures real-time display of the first audit log.
Therefore, through the steps S101 and S102, the mail audit log or the forum audit log is not influenced by the receiving duration and the network transmission rate of the content audit log or the attachment audit log, and can be stored in time when the audit log is received, so that the display instantaneity of the audit log is ensured.
By step S103, the association between the second audit log stored later and the first audit log stored earlier is ensured.
In an exemplary implementation process, obtaining an association relationship among the first audit log, the second audit log corresponding to the first audit log, and the association identifier may include: when a first data packet of a second audit log is received, distributing an association identifier for the second audit log, and writing a first corresponding relation between the association identifier and the second audit log into a first corresponding relation table; when the first audit log is received, determining a second audit log according to a known second corresponding relation between the first audit log and the second audit log; searching the association identifier in the first corresponding relation table according to the second audit log; and adding the association identifier into the second corresponding relationship to obtain the association relationship.
The second corresponding relationship can be obtained according to the file name field of the first audit log. The content of the file name field of the first audit log is the file name of the second audit log, so that the second corresponding relation between the first audit log and the second audit log can be obtained based on the file name field of the first audit log.
For example, when the first data packet of second audit log a is received, association identifier 5000 is allocated to second audit log a, giving the first corresponding relation: second audit log a-5000. When first audit log A is received, the file name 'a' is read from the file name field of first audit log A, giving the second corresponding relation: second audit log a-first audit log A. The association identifier 5000 corresponding to first audit log A is then found from the first corresponding relation "second audit log a-5000" according to the file name 'a', giving the association relation: second audit log a-first audit log A-5000.
In an exemplary implementation process, obtaining an association relationship among the first audit log, the second audit log corresponding to the first audit log, and the association identifier may include: when a first audit log is received, distributing a correlation identifier for the first audit log; and adding the association identifier into a known second corresponding relation between the first audit log and the second audit log to obtain an association relation.
For example, when first audit log A is received, association identifier 5000 is allocated to first audit log A. The file name 'a' is read from the file name field of first audit log A, giving the second corresponding relation: second audit log a-first audit log A. Association identifier 5000 is added to the second corresponding relation to obtain the association relation: second audit log a-first audit log A-5000.
It should be noted that, when the first audit log is received, whether the first audit log has a corresponding second audit log may be determined according to a file name field of the first audit log, and whether to allocate the association identifier is determined. For example, if the file name field is not empty, it is determined that the first audit log has a corresponding second audit log, at this time, the first audit log is assigned with the association identifier, and if the file name field is empty, it is determined that the first audit log does not have a corresponding second audit log, at this time, the first audit log is not assigned with the association identifier.
In an exemplary implementation, storing the second audit log in a second storage location corresponding to the association identifier may include: merging and storing a plurality of target second audit logs with the data volume less than or equal to a specified data volume threshold value into the same file; and independently storing the target second audit logs with the data volume larger than the specified data volume threshold value into one file.
Wherein, the threshold of the designated data amount can be set according to the specific application requirement. For example, the specified data amount threshold may be set to the data amount of one packet. In this way, when the second audit log has only a single data packet, the second audit log is merged with the second audit logs of other single data packets and stored in a file, and when the second audit log has a plurality of data packets, the second audit log is separately stored in a file.
Merging a plurality of target second audit logs whose data volume is less than or equal to the specified data volume threshold into the same file saves storage space and reduces the waste of storage resources. For example: among 2000 second audit logs, 1000 logs average 600 bytes each. Since the minimum storage unit is 1 kbyte (1024 bytes), storing each of these 1000 logs in its own 1-kbyte small file under the existing scheme wastes 1000 × (1024 - 600) bytes (about 400,000 bytes) of storage space, whereas storing the 1000 logs merged into one file under the scheme of this embodiment wastes at most 1024 bytes.
In one exemplary implementation, storing a plurality of target second audit logs having a data volume less than or equal to a specified data volume threshold into the same file may include: when a target second audit log with the data volume less than or equal to a specified data volume threshold is received, obtaining a first storage path according to a target association identifier corresponding to the target second audit log, wherein the first storage path corresponds to a plurality of association identifiers; determining a first index file and a first data file under a first storage path, wherein the first index file does not comprise a data part for storing log content, writing a target second audit log into the first data file, and adding an index item containing a target association identifier and position information of the target second audit log in the first data file in the first index file; or, determining a second index file under the first storage path, wherein the second index file comprises a data part for storing log content, writing the target second audit log into the data part of the second index file, and adding an index entry containing the target association identifier and the position information of the target second audit log in the second index file to the index head part of the second index file.
According to the present example, when storing a target second audit log whose data volume is less than or equal to the specified data volume threshold, both the log content and the index entry may be stored in the index file (in which case no data file needs to be created), or the log content and the index entry may be stored in the data file and the index file respectively (in which case the data file needs to be created).
The position information may include a start position and a data length.
In the above example, one storage mode includes data files, and the other storage mode does not include data files, but index entries and data contents are written into one file. The latter storage mode can reduce the operation times of opening the file, thereby saving resources.
In an exemplary implementation, determining the first index file and the first data file under the first storage path may include: detecting whether an existing index file and an existing data file exist in a first storage path at present; if the existing index file and the existing data file exist in the first storage path at present, determining that the existing index file is the first index file, and determining that the existing data file is the first data file; or if the existing index file and the existing data file do not exist in the first storage path at present, creating a new index file and a new data file in the first storage path, and respectively using the new index file and the new data file as a first index file and a first data file; determining the second index file under the first storage path may include: detecting whether an existing index file exists at present under a second storage path; if the existing index file currently exists in the second storage path, determining the existing index file as a second index file; or if the existing index file does not exist in the second storage path at present, creating a new index file in the second storage path as the second index file.
According to the present example, when a plurality of second audit logs with a small data volume are merged and stored in one file, the file must be created under the first storage path before the first second audit log destined for that file is stored; from the second such log onward, the file already exists and the logs are stored in the existing file.
In one exemplary implementation, the association identifier is a number. Obtaining a first storage path according to the target association identifier corresponding to the target second audit log, where the first storage path corresponds to multiple association identifiers, may include: converting the target association identifier into a hexadecimal number as a first hexadecimal number; performing a bitwise AND operation on the first hexadecimal number and a specified hexadecimal number to obtain a second hexadecimal number; and converting the first N digits of the second hexadecimal number into a storage path format to obtain the first storage path, wherein N is a natural number.
For example, the target association identifier is 5000, and 5000 & 0xffff800 = 0x00001000. The first 5 digits 00001 of 0x00001000 are taken and converted to 00/001, so the first storage path is 00/001, where 00 is a first-level directory and 001 is the file name of the index file. The symbol "&" represents a bitwise AND operation. In this case the first index file is the 001.min file under 00/001, and the first data file is the 001.data file under 00/001.
Similarly, when the target association identifier is 5001, 5001 & 0xffff800 = 0x00001000 and the first storage path is also 00/001, which indicates that the second audit log with association identifier 5000 and the second audit log with association identifier 5001 are stored in the same file 001.
Of course, it should be understood by those skilled in the art that, in order to store the second audit log corresponding to multiple association identifiers in the same file, multiple association identifiers may also be mapped to the same file in other ways, for example, a storage path is obtained by performing multiple logical operations on the sequence of association identifiers, which is not limited in this disclosure.
In an exemplary implementation, separately storing the target second audit log having the data volume greater than the specified data volume threshold into a file may include: when the target second audit log with the data volume larger than the specified data volume threshold is received, obtaining a second storage path according to the target association identifier corresponding to the target second audit log, wherein the second storage path corresponds to the target association identifier one to one; and writing the target second audit log into a second data file under a second storage path.
According to this example, when a target second audit log whose data volume is greater than the specified data volume threshold is stored, only the data file needs to be created, without an index entry (because the data file storing the log content can be found directly from the storage path derived from the association identifier). Of course, in other examples, an index entry may also be established for a target second audit log whose data volume is greater than the specified data volume threshold, where the index entry includes the association identifier and the position information, and the position information is set to a default value.
The obtaining of the second storage path according to the target association identifier corresponding to the target second audit log, where the second storage path corresponds to the target association identifier one to one, may include: and converting the target association identifier into a hexadecimal number, and converting the hexadecimal number into a storage path format to obtain a second storage path.
For example, the target association identifier is 5000. 5000 is converted to the 8-digit hexadecimal number 0x00001388, which in storage path format is 00/001/388, so 00/001/388 is the second storage path. The second data file is the 388.data file in 00/001/388.
In one exemplary implementation, the associating and storing the first audit log and the association identifier to a first storage location may include: and writing the association identifier into a specified field of the first audit log, and storing the first audit log written with the association identifier into a first storage position.
According to the audit log storage method provided by the embodiment of the invention, when a mail audit log or forum audit log is received, the association relation among that audit log, the corresponding content audit log or attachment audit log, and the association identifier is obtained, and the mail audit log or forum audit log is stored in association with the association identifier without waiting for the content audit log or attachment audit log to be received completely. The audit log can therefore be stored in time, unaffected by the receiving duration of the content audit log or attachment audit log or by the network transmission rate, which ensures real-time display of the audit log.
Example two
Based on the embodiment of the audit log storage method, the embodiment of the invention also provides a corresponding embodiment of an audit log query method.
Fig. 2 is a flowchart illustrating an audit log query method according to an embodiment of the present invention. The audit log query method is applied to a log management device, and as shown in fig. 2, the method may include the following steps:
S201, receiving a query request for a second audit log corresponding to a first audit log, wherein the query request carries the association identifier.
S202, obtaining a target storage path according to the association identifier.
S203, acquiring the second audit log according to the target storage path.
The specific way of obtaining the target storage path according to the association identifier may be:
Mode one: converting the association identifier into a hexadecimal number as a first hexadecimal number; performing a bitwise AND operation on the first hexadecimal number and a specified hexadecimal number to obtain a second hexadecimal number; and converting the first N digits of the second hexadecimal number into a storage path format to obtain a storage path, wherein N is a natural number.
Mode two: converting the association identifier into a hexadecimal number, and converting the hexadecimal number into a storage path format to obtain a storage path.
In an exemplary implementation, obtaining the second audit log according to the target storage path may include: if the index file exists in the target storage path, searching a target index item corresponding to the association identifier in the index file, extracting target position information of a second audit log from the target index item, and reading the second audit log from a position indicated by the target position information; or if the index file does not exist under the target storage path, reading a second audit log from the data file under the target storage path.
For example, the target association identifier is 5000. 5000 is converted into the hexadecimal number 0x00001388 of 8 bytes, whose storage path format is 00/001/388. Whether a file named 388 exists is queried under the path 00/001/388; if it does, file 388 is opened directly and the log content is read from it. If no file named 388 exists under the path 00/001/388, a bitwise AND operation is performed on 5000 and 0XFFFF 800 to obtain 0X00001000, the first 5 digits 00001 are taken and converted into 00/001, the 001.min file under the 00 directory is opened, the index entry is looked up according to the association identifier, the log storage position is found from the index entry, and the log content is read from that position.
In an exemplary implementation, reading the second audit log from the location indicated by the target location information may include: if the index file does not comprise a data part for storing the log content, opening a related data file corresponding to the index file, and reading a second audit log from a position indicated by the target position information in the related data file; or, if the index file comprises a data part for storing the log content, reading the second audit log from the position indicated by the target position information in the data part of the index file.
The associated data file corresponds to the first data file in the first embodiment.
According to the audit log query method provided by the embodiment of the invention, the storage path is obtained by using the association identifier, the audit log is obtained from the storage path, the audit log can be quickly searched, and the query efficiency is improved.
Example three
The embodiment of the invention provides an audit log storage device, which is used for executing the audit log storage method in the first embodiment.
Fig. 3 is a functional block diagram of an audit log storage apparatus according to an embodiment of the present invention. The audit log storage device is applied to a log management device, and as shown in fig. 3, the device may include:
the association relationship obtaining module 310 is configured to obtain and store the first audit log, the second audit log corresponding to the first audit log, and the association relationship between the first audit log and the association identifier when the first audit log is received.
The first storage module 320 is configured to store the first audit log and the association identifier in a first storage location in an associated manner.
The second storage module 330 is configured to, when the second audit log is received, store the second audit log in a second storage location corresponding to the association identifier.
The first audit log is an email audit log or a forum audit log carrying content or attachments, and the second audit log is a content audit log or an attachment audit log of the email or the forum.
In an exemplary implementation process, the association relation obtaining module 310 may be specifically configured to: when a first data packet of a second audit log is received, allocate an association identifier to the second audit log, and write a first corresponding relation between the association identifier and the second audit log into a first corresponding relation table; when the first audit log is received, determine the second audit log according to a known second corresponding relation between the first audit log and the second audit log; search for the association identifier in the first corresponding relation table according to the second audit log; and add the association identifier to the second corresponding relation to obtain the association relation.
In an exemplary implementation process, the association relation obtaining module 310 may be specifically configured to: when a first audit log is received, allocate an association identifier to the first audit log; and add the association identifier to a known second corresponding relation between the first audit log and the second audit log to obtain the association relation.
In an exemplary implementation process, the second storage module 330 may be specifically configured to: merging and storing a plurality of target second audit logs with the data volume less than or equal to a specified data volume threshold value into the same file; and independently storing the target second audit logs with the data volume larger than the specified data volume threshold value into one file.
In an exemplary implementation process, the second storage module 330, when configured to store a plurality of target second audit logs with a data volume less than or equal to a specified data volume threshold into the same file, may specifically be configured to: when a target second audit log with the data volume less than or equal to a specified data volume threshold is received, obtaining a first storage path according to a target association identifier corresponding to the target second audit log, wherein the first storage path corresponds to a plurality of association identifiers; determining a first index file and a first data file under a first storage path, wherein the first index file does not comprise a data part for storing log content, writing a target second audit log into the first data file, and adding an index item containing a target association identifier and position information of the target second audit log in the first data file in the first index file; or, determining a second index file under the first storage path, wherein the second index file comprises a data part for storing log content, writing the target second audit log into the data part of the second index file, and adding an index entry containing the target association identifier and the position information of the target second audit log in the second index file to the index head part of the second index file.
In an exemplary implementation process, when the second storage module 330 is configured to store the target second audit log with the data volume greater than the specified data volume threshold into a file separately, the second storage module may be specifically configured to: when the target second audit log with the data volume larger than the specified data volume threshold is received, obtaining a second storage path according to the target association identifier corresponding to the target second audit log, wherein the second storage path corresponds to the target association identifier one to one; and writing the target second audit log into a second data file under a second storage path.
In an exemplary implementation process, when the second storage module 330 is configured to determine the first index file and the first data file under the first storage path, it may specifically be configured to: detecting whether an existing index file and an existing data file exist in a first storage path at present; if the existing index file and the existing data file exist in the first storage path at present, determining that the existing index file is a first index file, and determining that the existing data file is a first data file; or if the existing index file and the existing data file do not exist in the first storage path at present, creating a new index file and a new data file in the first storage path, and respectively using the new index file and the new data file as the first index file and the first data file. When the second storage module 330 is configured to determine the second index file under the first storage path, it may specifically be configured to: detecting whether an existing index file exists at present under a second storage path; if the existing index file currently exists in the second storage path, determining the existing index file as a second index file; or if the existing index file does not exist in the second storage path at present, creating a new index file in the second storage path as the second index file.
In one exemplary implementation, the association identifier is a number. When the second storage module 330 is configured to obtain a first storage path according to the target association identifier corresponding to the target second audit log, where the first storage path corresponds to multiple association identifiers, it may be specifically configured to: convert the target association identifier into a hexadecimal number as a first hexadecimal number; perform a bitwise AND operation on the first hexadecimal number and a specified hexadecimal number to obtain a second hexadecimal number; and convert the first N digits of the second hexadecimal number into a storage path format to obtain the first storage path, wherein N is a natural number.
In an exemplary implementation, the first storage module 320 may be specifically configured to: and writing the association identifier into a specified field of the first audit log, and storing the first audit log written with the association identifier into a first storage position.
The audit log storage device provided in the embodiment of the present invention corresponds to the audit log storage method provided in the first embodiment of the present invention, and therefore, reference is made to the description of the corresponding part in the first embodiment where this embodiment is not described in detail, and details are not described here.
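The storage rules of the second storage module and the query walk-through for identifier 5000 in embodiment two, as an added Python example that is not code from the patent. The mask `0xFFFFF000`, the 32-byte threshold, the `.dat` data-file name, the binary index-entry layout and all function names are assumptions; the page's own mask value is garbled, and any mask that keeps the top five hexadecimal digits yields the same shared path.

```python
import os
import struct
import tempfile

# Assumptions (not from the patent): mask value, size threshold,
# ".dat" data-file name and the binary index-entry layout.
MASK = 0xFFFFF000
SIZE_THRESHOLD = 32
ENTRY = struct.Struct("<IQI")  # association id, offset, length


def hex8(assoc_id):
    """Validate the identifier and render it as 8 hex digits.

    Rejecting anything but a 32-bit unsigned integer guarantees that the
    derived path components contain hex digits only.
    """
    if type(assoc_id) is not int or not 0 <= assoc_id <= 0xFFFFFFFF:
        raise ValueError("association identifier must be a 32-bit unsigned integer")
    return f"{assoc_id:08x}"


def single_path(assoc_id):
    """One path per identifier, e.g. 5000 -> 00/001/388."""
    h = hex8(assoc_id)
    return f"{h[0:2]}/{h[2:5]}/{h[5:8]}"


def shared_path(assoc_id):
    """Mask, then keep the first 5 hex digits, e.g. 5000 -> 00/001."""
    hex8(assoc_id)  # validation only
    h = f"{assoc_id & MASK:08x}"
    return f"{h[0:2]}/{h[2:5]}"


def store(root, assoc_id, content):
    """Large logs get their own file; small logs are merged and indexed."""
    if len(content) > SIZE_THRESHOLD:
        path = os.path.join(root, *single_path(assoc_id).split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        return
    base = os.path.join(root, *shared_path(assoc_id).split("/"))
    os.makedirs(os.path.dirname(base), exist_ok=True)
    with open(base + ".dat", "ab") as data:
        offset = data.seek(0, os.SEEK_END)
        data.write(content)
    with open(base + ".min", "ab") as index:
        index.write(ENTRY.pack(assoc_id, offset, len(content)))


def query(root, assoc_id):
    """Try the per-identifier file first, then the shared index file."""
    path = os.path.join(root, *single_path(assoc_id).split("/"))
    if os.path.isfile(path):
        with open(path, "rb") as f:
            return f.read()
    base = os.path.join(root, *shared_path(assoc_id).split("/"))
    if not os.path.isfile(base + ".min"):
        return None
    with open(base + ".min", "rb") as index:
        raw = index.read()
    for pos in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        entry_id, offset, length = ENTRY.unpack_from(raw, pos)
        if entry_id != assoc_id:
            continue
        # A damaged or tampered index must not cause a read past the data file.
        if offset + length > os.path.getsize(base + ".dat"):
            raise ValueError("index entry points outside the data file")
        with open(base + ".dat", "rb") as data:
            data.seek(offset)
            return data.read(length)
    return None


def demo():
    """Constructed sample logs: two small ones share files, one large one does not."""
    with tempfile.TemporaryDirectory() as root:
        store(root, 5000, b"small attachment log")
        store(root, 5001, b"another small content log")
        store(root, 5002, b"x" * 100)
        return query(root, 5000), query(root, 5001), query(root, 5002), query(root, 9)
```
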
Example four
The embodiment of the invention provides an audit log query device, which is used for executing the audit log query method in the second embodiment.
Fig. 4 is a functional block diagram of an audit log query apparatus according to an embodiment of the present invention. The audit log query device is applied to a log management device, as shown in fig. 4, the device may include:
the query request receiving module 410 is configured to receive a query request for a second audit log corresponding to a first audit log, where the query request carries an association identifier, the first audit log is a mail audit log or a forum audit log, and the second audit log is a content audit log or an attachment audit log of a mail or a forum.
And the storage path obtaining module 420 is configured to obtain a target storage path according to the association identifier.
The log obtaining module 430 is configured to obtain a second audit log according to the target storage path.
In an exemplary implementation process, the log obtaining module 430 is specifically configured to: if an index file exists in the target storage path, searching a target index item corresponding to the association identifier in the index file, extracting target position information of the second audit log from the target index item, and reading the second audit log from a position indicated by the target position information; or if the index file does not exist under the target storage path, reading a second audit log from the data file under the target storage path.
In an exemplary implementation process, the log obtaining module 430 is specifically configured to: if the index file does not comprise a data part for storing the log content, opening a related data file corresponding to the index file, and reading a second audit log from a position indicated by the target position information in the related data file; or, if the index file comprises a data part for storing the log content, reading the second audit log from the position indicated by the target position information in the data part of the index file.
The audit log query device provided in the embodiment of the present invention corresponds to the audit log query method provided in the second embodiment of the present invention, and therefore, where detailed description is not given in this embodiment, please refer to the description of the corresponding part in the second embodiment, which is not described herein again.
Example five
The embodiment of the invention provides log management equipment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the program, the audit log storage method in any one of the previous embodiments is realized.
Example six
The embodiment of the invention provides a computer readable storage medium, which stores a computer program, and the program is executed by a processor to realize the steps of the audit log storage method in any one of the foregoing embodiments.
Example seven
The embodiment of the invention provides log management equipment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the program, any one of the audit log query methods in the second embodiment is realized.
Example eight
The embodiment of the invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any one of the audit log query methods in the second embodiment.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (17)

1. An audit log storage method is applied to a log management device, and comprises the following steps:
when a first audit log is received, acquiring and storing an association relation among the first audit log, a second audit log corresponding to the first audit log and an association identifier;
storing the first audit log and the association identifier in association to a first storage location;
when the second audit log is received, storing the second audit log to a second storage position related to the association identifier;
the first audit log is an email audit log or a forum audit log carrying content or attachments, and the second audit log is a content audit log or an attachment audit log of an email or a forum;
the storing the second audit log to a second storage location corresponding to the association identifier includes:
merging and storing a plurality of target second audit logs with the data volume less than or equal to a specified data volume threshold value into the same file;
and independently storing the target second audit logs with the data volume larger than the specified data volume threshold value into a file.
2. The method of claim 1, wherein the obtaining of the association relationship among the first audit log, the second audit log corresponding to the first audit log, and the association identifier comprises:
when a first data packet of the second audit log is received, allocating the association identifier to the second audit log, and writing a first corresponding relation between the association identifier and the second audit log into a first corresponding relation table;
when the first audit log is received, determining a second audit log according to a known second corresponding relation between the first audit log and the second audit log;
searching the association identifier in the first corresponding relation table according to the second audit log;
and adding the association identifier into the second corresponding relationship to obtain the association relationship.
3. The method of claim 1, wherein the obtaining of the association relationship among the first audit log, the second audit log corresponding to the first audit log, and the association identifier comprises:
when the first audit log is received, allocating the association identifier to the first audit log;
and adding the association identifier into a known second corresponding relation between the first audit log and the second audit log to obtain the association relation.
4. The method of claim 3, wherein storing the plurality of target second audit logs having a data volume less than or equal to the specified data volume threshold into the same file comprises:
when a target second audit log with the data volume less than or equal to the specified data volume threshold is received, obtaining a first storage path according to a target association identifier corresponding to the target second audit log, wherein the first storage path corresponds to a plurality of association identifiers;
determining a first index file and a first data file under the first storage path, wherein the first index file does not comprise a data part for storing log contents, writing the target second audit log into the first data file, and adding an index item containing the target association identifier and the position information of the target second audit log in the first data file in the first index file; or, determining a second index file under the first storage path, where the second index file includes a data portion for storing log content, writing the target second audit log into the data portion of the second index file, and adding an index entry containing the target association identifier and location information of the target second audit log in the second index file to an index header portion of the second index file.
5. The method of claim 3, wherein storing the target second audit log having the amount of data greater than the specified data amount threshold separately in a file comprises:
when a target second audit log with the data volume larger than the specified data volume threshold is received, obtaining a second storage path according to a target association identifier corresponding to the target second audit log, wherein the second storage path corresponds to the target association identifier one to one;
and writing the target second audit log into a second data file under the second storage path.
6. The method of claim 4,
the determining the first index file and the first data file under the first storage path includes:
detecting whether an existing index file and an existing data file exist in the first storage path at present;
if the existing index file and the existing data file currently exist in the first storage path, determining that the existing index file is the first index file, and determining that the existing data file is the first data file; or, if the existing index file and the existing data file do not exist currently under the first storage path, creating a new index file and a new data file under the first storage path, which are respectively used as the first index file and the first data file;
the determining the second index file under the first storage path includes:
detecting whether an existing index file exists under the second storage path at present;
if the existing index file currently exists in the second storage path, determining that the existing index file is the second index file; or, if the existing index file does not exist in the second storage path currently, creating a new index file in the second storage path as the second index file.
7. The method of claim 4, wherein the association identifier is a number; the obtaining a first storage path according to the target association identifier corresponding to the target second audit log, where the first storage path corresponds to multiple association identifiers, includes:
converting the target association identifier into a hexadecimal number as a first hexadecimal number;
performing a bitwise AND operation on the first hexadecimal number and a specified hexadecimal number to obtain a second hexadecimal number;
and converting the first N digits of the second hexadecimal number into a storage path format to obtain the first storage path, wherein N is a natural number.
8. The method of claim 1, wherein storing the first audit log and the association identifier in association to a first storage location comprises:
and writing the association identifier into a specified field of the first audit log, and storing the first audit log written with the association identifier into a first storage position.
9. An audit log query method based on the audit log storage method of claim 1, applied to a log management device, the method comprising:
receiving an inquiry request of a second audit log corresponding to a first audit log, wherein the inquiry request carries an associated identifier, the first audit log is a mail audit log or a forum audit log, and the second audit log is a content audit log or an attachment audit log of a mail or a forum;
obtaining a target storage path according to the association identifier;
and acquiring the second audit log according to the target storage path.
10. The method of claim 9, wherein obtaining the second audit log according to the target storage path comprises:
if an index file exists in the target storage path, searching a target index item corresponding to the association identifier in the index file, extracting target position information of the second audit log from the target index item, and reading the second audit log from a position indicated by the target position information; or
and if the index file does not exist under the target storage path, reading the second audit log from the data file under the target storage path.
11. The method of claim 10, wherein reading the second audit log from the location indicated by the target location information comprises:
if the index file does not comprise a data part for storing log contents, opening a related data file corresponding to the index file, and reading the second audit log from a position indicated by the target position information in the related data file; or
and if the index file comprises a data part for storing log content, reading the second audit log from the position indicated by the target position information in the data part of the index file.
12. An audit log storage device, applied to a log management device, the device comprising:
the association relation acquisition module is used for acquiring and storing the first audit log, a second audit log corresponding to the first audit log and an association identifier when the first audit log is received;
the first storage module is used for storing the first audit log and the association identifier in a first storage position in an association manner;
the second storage module is used for storing the second audit log to a second storage position corresponding to the associated identifier when the second audit log is received;
the first audit log is an email audit log or a forum audit log carrying content or attachments, and the second audit log is a content audit log or an attachment audit log of an email or a forum;
the storing the second audit log to a second storage location corresponding to the association identifier includes:
merging and storing a plurality of target second audit logs with the data volume less than or equal to a specified data volume threshold value into the same file;
and independently storing the target second audit logs with the data volume larger than the specified data volume threshold value into a file.
13. An audit log query device based on the audit log storage device of claim 12, applied to a log management device, the device comprising:
the query request receiving module is used for receiving a query request of a second audit log corresponding to a first audit log, wherein the query request carries an association identifier, the first audit log is a mail audit log or a forum audit log, and the second audit log is a content audit log or an attachment audit log of a mail or a forum;
the storage path acquisition module is used for acquiring a target storage path according to the association identifier;
and the log acquisition module is used for acquiring the second audit log according to the target storage path.
14. A log management device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 8 when executing the program.
15. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.
16. A log management device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 9 to 11 when executing the program.
17. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 9 to 11.
CN201811414615.3A 2018-11-26 2018-11-26 Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment Active CN109542857B (en)

Publications (2)

Publication Number Publication Date
CN109542857A CN109542857A (en) 2019-03-29
CN109542857B CN109542857B (en) 2021-06-29

Family

ID=65850129

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811414615.3A Active CN109542857B (en) 2018-11-26 2018-11-26 Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment

Country Status (1)

Country Link
CN (1) CN109542857B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111162989A (en) * 2019-12-11 2020-05-15 杭州迪普科技股份有限公司 Method and device for processing mail audit log
CN113051121B (en) * 2019-12-26 2023-07-28 百度在线网络技术(北京)有限公司 Log information retrieval method, device, electronic equipment and medium
CN111522785B (en) * 2020-04-17 2024-04-09 上海中通吉网络技术有限公司 Data extraction auditing method, device and equipment
CN111866098B (en) * 2020-07-03 2024-04-26 北京小米松果电子有限公司 Log processing method, device and storage medium
CN112559517B (en) * 2020-12-01 2022-07-05 福建天泉教育科技有限公司 Access method and terminal for associated data in memory
CN112199053B (en) * 2020-12-02 2021-06-22 杭州觅睿科技股份有限公司 Log recording method, device and medium applied to small-capacity storage area

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101118534A (en) * 2006-04-11 2008-02-06 韦瑞吉(新加坡)私人有限公司 Event log management system
CN101155074A (en) * 2006-09-29 2008-04-02 株式会社日立制作所 Inter-client communication log management system
CN104573082A (en) * 2015-01-28 2015-04-29 武汉大学 Space small file data distribution storage method and system based on access log information
CN105488201A (en) * 2015-12-08 2016-04-13 北京皮尔布莱尼软件有限公司 Log inquiry method and system
CN105975376A (en) * 2016-04-28 2016-09-28 广州市锲致智能技术有限公司 Log processing based numerical control system security processing method
CN107992402A (en) * 2017-12-26 2018-05-04 河南恒华科技有限公司 Blog management method and log management apparatus
CN108038231A (en) * 2017-12-26 2018-05-15 广东欧珀移动通信有限公司 log processing method, device, terminal device and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101118534A (en) * 2006-04-11 2008-02-06 韦瑞吉(新加坡)私人有限公司 Event log management system
CN101155074A (en) * 2006-09-29 2008-04-02 株式会社日立制作所 Inter-client communication log management system
CN104573082A (en) * 2015-01-28 2015-04-29 武汉大学 Space small file data distribution storage method and system based on access log information
CN105488201A (en) * 2015-12-08 2016-04-13 北京皮尔布莱尼软件有限公司 Log inquiry method and system
CN105975376A (en) * 2016-04-28 2016-09-28 广州市锲致智能技术有限公司 Log processing based numerical control system security processing method
CN107992402A (en) * 2017-12-26 2018-05-04 河南恒华科技有限公司 Blog management method and log management apparatus
CN108038231A (en) * 2017-12-26 2018-05-15 广东欧珀移动通信有限公司 log processing method, device, terminal device and storage medium

Also Published As

Publication number Publication date
CN109542857A (en) 2019-03-29

Similar Documents

Publication Publication Date Title
CN109542857B (en) Audit log storage method, audit log query method, audit log storage device, audit log query device and related equipment
CN110191428B (en) Data distribution method based on intelligent cloud platform
CN110851371B (en) Message processing method and related equipment
CN110134648A (en) Log processing method, device, equipment, system and computer readable storage medium
CN111061752B (en) Data processing method and device and electronic equipment
CN114385091B (en) Method and device for realizing network disk drive character, network disk and storage medium
CN108897859A (en) A kind of metadata retrieval method, apparatus, equipment and computer readable storage medium
US20190324947A1 (en) Method, device and computer program product for deleting snapshots
CN114610951A (en) Data processing method and device, electronic equipment and readable storage medium
CN112698959A (en) Multi-core communication method and device
CN109377383A (en) Product data synchronous method, device, computer equipment and storage medium
CN110413711A (en) A kind of variance data acquisition methods and its storage medium
CN101404797B (en) Storage method, storage management apparatus and storage system for long and short messages
CN109857553A (en) EMS memory management process and device
CN105939402A (en) MAC table entry obtaining method and device
CN111026613B (en) Log processing method and device
CN111752941B (en) Data storage and access method and device, server and storage medium
CN116155828B (en) Message order keeping method and device for multiple virtual queues, storage medium and electronic equipment
CN110688201A (en) Log management method and related equipment
CN113419687B (en) Object storage method, system, equipment and storage medium
CN110825521B (en) Memory use management method and device and storage medium
CN112650964B (en) Service processing method, equipment and machine readable storage medium
CN108694219B (en) Data processing method and device
CN111865794B (en) Logical port association method, system, equipment and data transmission system
CN104881441B (en) File reception and storage method, inspection method based on LAN and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant