CN112491593A - Network element alarm processing method and device - Google Patents
- Publication number
- CN112491593A, CN202011259804.5A
- Authority
- CN
- China
- Prior art keywords
- alarm
- information
- original
- alarm information
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/02—Standardisation; Integration
- H04L41/0213—Standardised network management protocols, e.g. simple network management protocol [SNMP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0604—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention provides a network element alarm processing method and device, relates to the field of communication, and can support alarm processing for large-scale networks and improve alarm processing efficiency. The method comprises: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node, where the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; each SNMP trap message comprises original alarm information, which comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID); determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to a plurality of pieces of original alarm information, where the target alarm information comprises a target alarm OID and target parameter information, and the target parameter information is used for indicating the alarm part corresponding to the target alarm information; and determining an alarm node according to the target parameter information. The invention is used for processing network element alarms.
Description
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for processing a network element alarm.
Background
An alarm is a notification of a particular event, typically caused by a difference between the actual state and the expected value of a managed resource, or by a managed resource with a particular function ceasing to provide service. Alarm processing involves clearly defining and classifying alarms and adopting different processing schemes for different categories of alarms. Alarm processing comprises alarm acquisition, alarm analysis and alarm storage. Alarm acquisition is implemented with the Simple Network Management Protocol (SNMP), and alarm information can be carried in an SNMP trap data packet; alarm analysis comprises the identification, merging, filtering and so on of alarms. Although the current way of obtaining alarms through SNMP traps is sufficient for alarm analysis in an enterprise network or a metropolitan area network, it cannot support big-data acquisition when faced with a large-scale network. With this acquisition mode, the corresponding alarm analysis is generally performed after the fact, so the timeliness of alarm analysis is poor and it is difficult to meet daily network maintenance requirements.
Disclosure of Invention
Embodiments of the present invention provide a network element alarm processing method and apparatus, which can support alarm processing of a large-scale network and improve alarm processing efficiency.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, a method for processing a network element alarm is provided, including: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node, where the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; each SNMP trap message comprises original alarm information, which comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID); determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to a plurality of pieces of original alarm information, where the target alarm information comprises a target alarm OID and target parameter information, and the target parameter information is used for indicating the alarm part corresponding to the target alarm information; and determining an alarm node according to the target parameter information.
In a second aspect, an apparatus for processing a network element alarm is provided, including: an acquisition module, used for acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node, where the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; each SNMP trap message comprises original alarm information, which comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID); a processing module, used for determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information acquired by the acquisition module, where the target alarm information comprises a target alarm OID and target parameter information, and the target parameter information is used for indicating the alarm part corresponding to the target alarm information; and a determining module, used for determining the alarm node according to the target parameter information determined by the processing module.
In a third aspect, an apparatus for processing a network element alarm is provided, including: a memory, a processor, a bus, and a communication interface; the memory is used for storing computer execution instructions, and the processor is connected with the memory through a bus; when the network element alarm processing apparatus is in operation, the processor executes computer-executable instructions stored in the memory, so as to cause the network element alarm processing apparatus to execute the network element alarm processing method according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, which includes computer-executable instructions, which, when executed on a computer, cause the computer to perform the network element alarm processing method as provided in the first aspect.
The network element alarm processing method provided by the embodiment of the invention comprises: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node, where the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; each SNMP trap message comprises original alarm information, which comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID); determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to a plurality of pieces of original alarm information, where the target alarm information comprises a target alarm OID and target parameter information, and the target parameter information is used for indicating the alarm part corresponding to the target alarm information; and determining an alarm node according to the target parameter information. In the embodiment of the invention, alarm information is acquired by the data acquisition program. Because the program is deployed through its Docker image, it can be conveniently deployed on a plurality of acquisition nodes, forming a data acquisition cluster and enabling big-data acquisition. After a large amount of alarm information has been acquired, the embodiment of the invention can aggregate and filter it according to preset rules, which reduces redundant alarm information and improves the efficiency of alarm processing.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a network element alarm processing system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a data acquisition architecture according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an architecture for data forwarding according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a network element alarm processing method according to an embodiment of the present invention;
Fig. 5 is a second schematic flowchart of a method for processing an alarm of a network element according to an embodiment of the present invention;
Fig. 6 is a third schematic flowchart of a network element alarm processing method according to an embodiment of the present invention;
Fig. 7 is a fourth schematic flowchart of a network element alarm processing method according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a network element alarm processing apparatus according to an embodiment of the present invention;
Fig. 9 is a second schematic structural diagram of a network element alarm processing apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another network element alarm processing apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described as "exemplary" or "e.g." in the embodiments of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
For the convenience of clearly describing the technical solutions of the embodiments of the present invention, in the embodiments of the present invention, the words "first", "second", and the like are used for distinguishing the same items or similar items with basically the same functions and actions, and those skilled in the art can understand that the words "first", "second", and the like are not limited in number or execution order.
As for the classification of alarms, according to the characteristics of the communication network, alarms can be classified by the scope of their impact into attention-free alarms, flash oscillation alarms and associated alarms. An attention-free alarm is one that does not affect terminal services and is not perceived by the terminal; its maintenance priority is low and its recovery-time requirement is low. Flash oscillation alarms are alarms with temporal correlation: a flash alarm is short-lived, flashes continuously and appears repeatedly, while an oscillation alarm has the characteristics of a flash alarm and in addition breaks out in large numbers within a certain time (the oscillation period). An associated alarm is an alarm with spatial correlation, that is, alarms generated on different network elements by the same fault, and it is closely related to the network topology. As for the definition of alarms, different network element device manufacturers may define alarms differently, for example in the alarm level, the alarm description and the object identifier (OID).
At present, the processing of network element alarms covers three aspects: first, on the network element device side, a triggering mechanism and a reporting mechanism for alarms are set; second, on the manufacturer's network management side, an alarm correlation mechanism among different network element devices is designed; third, on the comprehensive network management side (such as a network management system provided by a mobile operator), multi-source heterogeneous alarms are standardized and cross-discipline, cross-manufacturer alarm optimization is performed. The current method of processing network element alarms is to receive the alarms sent by network elements as SNMP trap messages and analyze them. Specifically, a data acquisition program listens for SNMP trap messages on a designated port (port 162 by default), parses each received SNMP trap message to obtain the alarm information, and stores the alarm information in a database; alarm analysis then identifies the alarm information by performing operations such as aggregation and filtering on the alarm information in the database. However, at the current stage, the alarm data acquisition program and the alarm analysis program are generally single-machine programs, which can only support alarm processing in scenarios with a small number of network elements, such as an enterprise network or a metropolitan area network, and cannot support alarm processing on a large-scale network. Because the analysis program generally works after the fact, the timeliness of alarm analysis is poor; and because the analysis result is stored directly in the database once the analysis is complete, a third party cannot obtain the related alarm data, so the openness of the alarm data is poor.
An embodiment of the present invention provides a network element alarm processing system, which is shown in fig. 1 and includes a data acquisition layer, a data forwarding layer, a data analysis layer, and a data storage layer.
The data acquisition layer containerizes the data acquisition program using Docker technology, so that the data acquisition program is deployed on each network element from its Docker image to realize data acquisition. The data collected by the data acquisition layer may be SNMP messages, xFlow logs, Domain Name System (DNS) logs, Authentication, Authorization and Accounting (AAA) logs, and the like, and the data acquisition layer can support data collection for networks such as a metropolitan area network, a backbone network and a bearer network. Based on the Docker image of the data acquisition program, the program can be deployed on a plurality of servers as a cluster to realize clustered data acquisition.
The data forwarding layer is used for forwarding the data acquired by the data acquisition layer. In the embodiment of the invention, distributed message middleware can be deployed in the data forwarding layer, and this middleware can be implemented with Kafka. To support data forwarding for a large-scale network, the Kafka middleware may be deployed as a cluster comprising one or more servers, and data collected by the data acquisition layer may be stored in a distributed manner on any server in the cluster.
It should be noted that, because the Kafka message middleware is deployed in a distributed manner, it can gather the data collected by the data acquisition cluster. By increasing the number of servers in the acquisition cluster and in the Kafka cluster, the number of network elements supported by the network element alarm processing system can be greatly increased, and the clustered deployment mode makes it easy to scale the data acquisition layer and the data forwarding layer horizontally.
For the data analysis layer, deploying the data forwarding layer decouples the data acquisition layer from the data analysis layer: the data analysis layer is no longer connected to the data acquisition layer, but obtains data from the data forwarding layer in a uniform way. A third party only needs to support the Kafka message middleware to obtain data from the data forwarding layer, without adapting to a specific communication protocol, so the data forwarding layer gives the network element alarm processing system a better open service. The distributed Kafka middleware of the data forwarding layer also prevents a single-point fault from making the network element alarm processing system unavailable, improving the availability of the system.
The data analysis layer is used for analyzing and processing the data collected by the data acquisition layer, and may comprise a data analysis module and a data storage module. The data analysis module comprises a data preprocessing submodule, a Spark real-time computation submodule and a streaming computation submodule. The data preprocessing submodule converts data in text format into entity class objects that the program can recognize, according to the data analysis requirements; it also aggregates and filters the data acquired by the data acquisition layer to reduce the volume of data to be analyzed. The Spark real-time computation submodule processes the preprocessed data in batches; its processing period can be several seconds, several minutes, and so on, which achieves real-time data analysis with second-level delay. The processing includes statistics such as the number of times data occurs and the time at which data is generated, and this submodule can be used for analyzing network element alarm information. The streaming computation submodule processes the preprocessed data and stores the processing result in a database, where this includes counting the number of occurrences of data and the like; this submodule can be used for monitoring network element performance in real time.
The data storage module comprises an in-memory database, an online analytical processing (OLAP) database and a relational database. The in-memory database is used for storing structured or unstructured data; its storage capacity is limited by system memory, and it can serve queries from the Spark real-time computation submodule and the streaming computation submodule. The OLAP database is used for distributed storage of structured data; its storage capacity can grow as cluster resources in the network element alarm system grow, and it supports creation, deletion, modification and query of the stored data. The relational database is used for storing structured data, performing Structured Query Language (SQL) queries on the data, and storing result data after aggregation statistics. It should be noted that the OLAP database may be an HBase database, and the relational database may be a MySQL database.
The data storage layer includes an online transaction processing (OLTP) database, which is used for distributed storage of structured data, such as data that has been parsed and processed.
It should be noted that the data collected and analyzed by the network element alarm processing system may be network element alarm information, traffic analysis data, and the like, so the system may also be applied to other data processing scenarios. When an alarm storm occurs in the network element alarm processing system, the streaming computation submodule can process the alarm information in time, improving alarm processing efficiency. An alarm storm means that, when a network element is abnormal, a large number of alarms are generated and reported in a short time, so that the alarm server of the network management system is blocked and the normal reporting of alarms from other network elements is affected.
Based on the network element alarm processing system shown in fig. 1, an embodiment of the present invention provides a data acquisition architecture, shown in fig. 2, which includes: the network element alarm processing system, data acquisition node 1, data acquisition node 2, …, and data acquisition node n.
The network element alarm processing system is used for analyzing the data acquired by the data acquisition nodes and determining the association relations in the data; data acquisition node 1, data acquisition node 2, …, and data acquisition node n are used for acquiring network element data. A data acquisition node may be deployed on a server, and the server may acquire alarm information, log information and the like from the network elements connected to it through the data acquisition program of the data acquisition node.
It should be noted that the underlying layer of the data acquisition node is based on an OpenStack architecture, and the Docker image that packages the data acquisition program is managed and deployed with Kubernetes; the data acquisition node may be a server on which the data acquisition program is deployed.
Corresponding to the data acquisition architecture, an embodiment of the present invention may further provide a data forwarding architecture, shown in fig. 3, which includes: the network element alarm processing system, data acquisition node 1, data acquisition node 2, …, data acquisition node n, data forwarding node 1, data forwarding node 2, …, and data forwarding node m.
The network element alarm processing system, data acquisition node 1, data acquisition node 2, …, and data acquisition node n are the same as the network element alarm processing system, data acquisition node 1, data acquisition node 2, …, and data acquisition node n in fig. 1. Data forwarding node 1, data forwarding node 2, …, and data forwarding node m are used for storing the data acquired by the data acquisition nodes in a distributed manner, so that it can be analyzed and processed by the network element alarm processing system; they are also used for providing open data services to third parties.
It should be noted that a data forwarding node here may be a server on which Kafka-based message middleware is deployed, and it may store the data collected by the data acquisition nodes in a distributed manner. The data forwarding architecture shown in fig. 3 is only an example: a data forwarding node may also receive data collected by multiple data acquisition nodes, and correspondingly, the data collected by one data acquisition node may also be stored on multiple data forwarding nodes.
Based on the above network element alarm processing system, the embodiment of the invention provides a network element alarm processing method, which can be applied to alarm processing for large-scale networks, improves alarm processing efficiency, and makes it easy to expand the data acquisition range. As shown in fig. 4, the method includes:
S101, acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by the data acquisition node.
The data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; each SNMP trap message includes original alarm information, which includes an original alarm device Internet Protocol (IP) address and an original alarm OID.
Specifically, the network elements in the communication network may actively report alarms in the form of SNMP trap messages, and the data acquisition node is configured to receive the SNMP trap messages reported by the network elements. Because the number of data acquisition nodes can be set according to the number of network elements in the communication network, when the number of network elements is large, the number of data acquisition nodes can be increased correspondingly to meet the data acquisition requirements.
Because different network element manufacturers may define alarms differently, for example in alarm levels and alarm interpretations, the data acquisition node can parse each SNMP trap message against the alarm definitions pre-stored in the database to determine the original alarm information of the corresponding network element, and thereby convert the original alarm information into the standard alarm information format.
Further, the original alarm information of the network element corresponding to an SNMP trap message may be determined from a primary OID and a secondary OID carried by the SNMP trap message, where the primary OID and the secondary OID may be defined through negotiation by the International Organization for Standardization and are used to indicate different network element objects. For example, the primary OID "1.3.6.1.2.1.1" indicates system parameters, and its corresponding secondary OID "1.3.6.1.2.1.1.1.0" indicates obtaining basic system information; the primary OID "1.3.6.1.2.1.2" indicates the network interface, and its corresponding secondary OID "1.3.6.1.2.1.2.1.0" indicates the number of network interfaces.
In a possible implementation, the OID carried by the SNMP trap message may also be defined by each network element manufacturer, but the manufacturer's definition of the OID must also comply with the specification negotiated by the International Organization for Standardization. For example, when a network element manufacturer defines the primary OID corresponding to system parameters, that primary OID has already been negotiated and defined by the International Organization for Standardization, so the manufacturer may use it directly; when the object the manufacturer wants to define has not been defined through such negotiation, the manufacturer can define the corresponding OID itself.
After the primary OID and the secondary OID are determined, the data acquisition node can query the alarm definitions stored in the database according to the primary OID and the secondary OID, and convert the original alarm information carried by the SNMP trap message into the text format of standard alarm information. When the data acquisition node queries the alarm definitions in the database, because the secondary OID is usually a specific object under the primary OID, the node may query the corresponding alarm definition using only the secondary OID, and the secondary OID may be the original alarm OID included in the original alarm information.
The conversion of the original alarm information into the standard alarm information can be performed according to alarm parameters, which may include the name of the alarm device, the type of the device, the model of the device, location information, an alarm header, alarm time, alarm recovery time, the type of the alarm, the original alarm level, the unified alarm level, the possible reason of the alarm, etc. The location information is used to indicate where the alarm occurred (such as interface information or board information); the alarm header is used to indicate brief information about the alarm; the alarm time is used to indicate the time when the alarm information was generated; the alarm recovery time is used to indicate the time when the alarm recovery information was generated; the alarm type is used to indicate an alarm that needs no attention, a flapping (flash oscillation) alarm or an associated alarm (or other alarm types set by those skilled in the art), the original alarm level is used to indicate that the, the unified alarm level is used to indicate the alarm level of the alarm information as defined through negotiation by international standardization organizations, and the possible reasons of the alarm are used to indicate the possible reasons for generating the alarm information.
The original alarm information carried by each SNMP trap message may include one or more of the alarm parameters, and the data acquisition node may combine one or more of the alarm parameters to form a unified format of standard alarm information. As shown in table 1 below, the standard alarm information may include a device type, an alarm name, an alarm level, an alarm device IP address, an alarm description, and the like.
TABLE 1
It should be noted that the alarm information collection and the alarm information standardization of this step can be implemented by the data collection layer shown in fig. 1. The functions of the data acquisition node in the embodiment of the invention are actually implemented by the data acquisition program, and the data acquisition program is deployed at the data acquisition node through a Docker image in which the data acquisition program is encapsulated. Deploying a program through a Docker image is a conventional technical means in the field and is not described here again. It should be noted that, in the embodiment of the present invention, a database needs to be configured for the data acquisition program to store the alarm definitions of each network element manufacturer for its network elements; when alarm definitions are added, deleted, modified or queried, the operation can be performed through the configured database, without operating on the data acquisition program itself. Because the data acquisition program is configured with the database, when the data acquisition program is containerized with Docker, the configured database also needs to be containerized, and Docker images encapsulating the data acquisition program and the database are generated respectively.
The data acquisition program is also configured with a configuration file for initializing the data acquisition program. The data acquisition program can receive SNMP trap messages by listening on port 162; port 162 can be mapped to a port of the physical server, and the configuration file of the data acquisition program can be mapped to a file on the physical server. The port mapping and the configuration file mapping can be set by a person skilled in the art when the container is created. When the data acquisition program is upgraded, only the image file of the data acquisition program needs to be replaced, and the port mapping and the configuration file mapping can remain unchanged. Similarly, the database configured for the data acquisition program and the initialization file configured for the database can also be built into an image and mapped to files on the server, so as to serve the data acquisition program; the database can likewise be upgraded by replacing the corresponding image file. Because the data acquisition program container and the database container can be created separately and can use different port and file mappings, a plurality of acquisition instances can be deployed on the same physical server without affecting each other, making full use of the performance of the physical server; of course, the acquisition instances may also be deployed on different physical servers.
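The OID-keyed lookup of step S101 is illustrated below. This is an added example, not code from the patent: the table layout, the function names, the decoded-trap dictionary and the 1.3.6.1.4.1.99999 vendor subtree are assumptions, and SQLite stands in for the alarm-definition database.

```python
import ipaddress
import re
import sqlite3

OID_RE = re.compile(r"^[0-2](\.\d+)+$")

# Constructed alarm definitions, one row per alarm OID.
# 1.3.6.1.4.1.99999 is a placeholder vendor subtree, not a real vendor's.
DEFINITIONS = [
    # alarm OID, device type, alarm name, original level, unified level, description
    ("1.3.6.1.6.3.1.1.5.3", "router", "linkDown", "major", 3, "interface went down"),
    ("1.3.6.1.4.1.99999.1.2.1", "switch", "cpuOverThreshold", "warning", 2,
     "CPU utilization exceeded threshold"),
]
FIELDS = ("device_type", "alarm_name", "original_level", "unified_level", "description")


def open_definition_db():
    """Create the alarm-definition database (in memory here) and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alarm_definition (alarm_oid TEXT PRIMARY KEY, device_type TEXT,"
        " alarm_name TEXT, original_level TEXT, unified_level INTEGER, description TEXT)"
    )
    conn.executemany("INSERT INTO alarm_definition VALUES (?, ?, ?, ?, ?, ?)", DEFINITIONS)
    return conn


def standardize(conn, trap):
    """Turn one decoded trap (dict with source_ip, trap_oid) into a standard alarm."""
    # Trap fields arrive from the network, so validate them before use.
    device_ip = str(ipaddress.ip_address(trap["source_ip"]))  # ValueError if malformed
    oid = trap["trap_oid"].lstrip(".")
    if not OID_RE.match(oid):
        raise ValueError(f"malformed OID: {trap['trap_oid']!r}")
    # Query by the alarm OID alone, with a bound parameter (never string formatting).
    row = conn.execute(
        "SELECT device_type, alarm_name, original_level, unified_level, description"
        " FROM alarm_definition WHERE alarm_oid = ?",
        (oid,),
    ).fetchone()
    if row is None:
        # Assumption of this example: keep traps without a definition visible
        # under a marker name instead of dropping them.
        row = ("unknown", "unmapped", None, None, "no alarm definition for this OID")
    alarm = dict(zip(FIELDS, row))
    alarm.update(device_ip=device_ip, alarm_oid=oid)
    return alarm


def to_text(alarm):
    """Render the standard alarm as one delimited text line."""
    order = ("device_type", "alarm_name", "unified_level", "device_ip", "alarm_oid",
             "description")
    return "|".join("" if alarm[k] is None else str(alarm[k]) for k in order)


if __name__ == "__main__":
    db = open_definition_db()
    sample = {"source_ip": "1.2.1.0", "trap_oid": ".1.3.6.1.6.3.1.1.5.3"}  # constructed
    print(to_text(standardize(db, sample)))
```

Inserting a row into `alarm_definition` changes how the next trap with that OID is standardized, with no change to the acquisition code.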
S102, determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and the original alarm device IP addresses corresponding to the plurality of pieces of original alarm information.
The target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating the alarm part corresponding to the target alarm information.
Specifically, the analysis processing on the original alarm information may be implemented by a SPARK framework, and this step may be implemented by a data analysis module of the data analysis layer shown in fig. 1. After the data acquisition node converts the alarm information into standard alarm information, the standard alarm information may include parameters shown in table 1, and may also include other parameters, such as an alarm OID. For example, the standard alarm information may further include parameters as shown in table 2 below:
TABLE 2
After the data analysis module obtains the standard alarm information converted by the data acquisition layer, because the standard alarm information is in a text format, the standard alarm information in the text format can be subjected to format conversion by the data preprocessing submodule in the data analysis module, so that an entity object can be identified by a data analysis program of the data analysis layer. For example, when the standard alarm information is shown in table 2 above, the entity object converted by the data preprocessing sub-module may be as follows:
the process of converting the standard alarm information in the text format into the entity field by the data preprocessing submodule can be realized by a map function of SPARK. After the format conversion of the standard alarm information is completed, all the original alarm information can be processed, so that the data volume during the subsequent data analysis is reduced, and the data processing efficiency is improved.
It should be noted that the original alarm device IP address and the original alarm OID in the original alarm information in step S101 are the alarm device IP address and the alarm OID in table 2. In the following, the present embodiment still refers to the converted standard alarm information as the original alarm information.
Optionally, the first rule includes a first aggregation sub-rule and a first filtering sub-rule. As shown in fig. 5, step S102 includes:
S1021, determining at least one piece of first alarm information according to the original alarm OIDs and the original alarm device IP addresses corresponding to the plurality of pieces of original alarm information and the first aggregation sub-rule.
Wherein the first alarm information comprises a first alarm level.
Specifically, the data collection node can collect a large amount of original alarm information, and after standardizing the original alarm information and converting the original alarm information into an entity object identified by a data analysis program, the original alarm information can be reduced according to various rules, so that the alarm processing efficiency is improved. The reduction of the original alarm information may be performed by operations such as aggregation and filtering according to corresponding rules, for example, the first rule may include a first aggregation sub-rule, and the first aggregation sub-rule is used to aggregate the same original alarm information generated by the same network element into one piece of first alarm information. Further, the first aggregation sub-rule may aggregate the same original alarm information generated by the same network element into one piece of first alarm information according to the parameters, such as the original alarm device IP address, the original alarm OID, and the original alarm header, carried by the original alarm information.
For example, if the entity object of the first original alarm message is as follows:
the entity objects of the second original alarm message are as follows:
the entity objects of the third original alarm information are as follows:
The above shows some entity objects of the first, second and third pieces of original alarm information. A person skilled in the art can recognize, according to the first aggregation sub-rule, that the first and second pieces of original alarm information are the same original alarm information generated by the same network element, so the data preprocessing submodule can aggregate the first and second pieces of original alarm information into one piece of first alarm information. Although some alarm parameters of the third piece of original alarm information are the same as those of the first piece, the IP addresses of the alarm devices show that the two pieces were generated by different network elements, so they cannot be aggregated.
Similarly, the data preprocessing submodule may implement aggregation of the original alarm information by traversing all the original alarm information, thereby determining at least one piece of first alarm information.
It should be noted that the above-mentioned first aggregation sub-rule is only exemplary, and those skilled in the art may set it as needed, so as to aggregate the original alarm information into different first alarm information. The data preprocessing submodule can realize the aggregation of the original alarm information through a reduce function of SPARK.
S1022, determining at least one piece of target alarm information according to the first alarm level corresponding to at least one piece of first alarm information and the first filtering sub-rule.
Specifically, the alarm levels of the alarm information may include an alarm, a secondary alarm and a major alarm. Because alarm information of different alarm levels has different influences on the network element and the communication network, alarm information that does not affect the network element and the communication network may be filtered out according to its alarm level. Of course, the alarm level of the alarm information may also be represented by a first-level alarm, a second-level alarm, a third-level alarm, and the like, where the alarm information corresponding to the first-level alarm has the smallest influence on the network element and the communication network, and the higher the alarm level is, the greater the influence of the corresponding alarm information on the network element and the communication network is.
The first filtering sub-rule may be that, according to the alarm level corresponding to the first alarm information, the first alarm information corresponding to a first-level alarm is filtered out and the first alarm information corresponding to a second-level alarm or above is retained; the first alarm information that remains after filtering by the first filtering sub-rule may be determined as the target alarm information.
Illustratively, if the entity object of the first piece of first alarm information is as follows:
the entity objects of the second piece of first alarm information are as follows:
According to the alarm levels of the first and second pieces of first alarm information, the data preprocessing submodule can filter out the first piece of first alarm information and retain the second piece, that is, the second piece of first alarm information is determined as target alarm information. Similarly, the data preprocessing submodule may filter the first alarm information by traversing all the first alarm information, so as to determine at least one piece of target alarm information.
It should be noted that, different from aggregation of original alarm information, in this step, the first filtering sub-rule for filtering the first alarm information may be obtained from the relational database by the data preprocessing sub-module, and the first filtering sub-rule is sent to a corresponding worker node of the SPARK in a broadcast variable manner, and the SPARK implements filtering of the first alarm information through a filter function. The relational database here may be a relational database within a data storage module in the data analysis layer shown in fig. 1.
S103, determining an alarm node according to the target parameter information.
Specifically, the target parameter information here is the same as the alarm parameter described above, and may include positioning information, an alarm header, an alarm time, an alarm recovery time, an alarm type, and the like. The network element of the alarm can be determined according to the IP address of the alarm device in the target parameter information, the specific alarm system, such as a network interface, a Central Processing Unit (CPU), a load, etc., can be determined according to the target alarm OID, and the specific alarm part can be determined according to the positioning information. The alarm node refers to a network element, an interface or a board card, and the like, and the alarm node is determined, that is, the target alarm information is determined to be a network element alarm, an interface alarm or a board card alarm, and the like.
For example, if the entity object of the target parameter information is as follows:
According to the entity object of the target parameter information, the alarm node can be determined to be port 3055 of the network element corresponding to the IP address 1.2.1.0.
This step can be implemented by the SPARK real-time computation submodule in fig. 1 through a map function. Similarly, the SPARK real-time calculation sub-module can realize the classification of the target alarm information by traversing all the target alarm information, and each target alarm information corresponds to an alarm node.
The alarm information of the embodiment of the invention can be acquired by the data acquisition program. Because the embodiment of the invention deploys the program through the Docker image of the data acquisition program, the data acquisition program can be conveniently deployed at a plurality of acquisition nodes, thereby forming a data acquisition cluster and realizing the acquisition of big data; and after acquiring a large amount of alarm information, the embodiment of the invention can aggregate and filter the alarm information according to the preset rule, thereby reducing redundant alarm information and improving the processing efficiency of the alarm information.
Optionally, the first rule further includes an alarm pairing sub-rule. As shown in fig. 6, after step S1022, the method may further include:
S1023, determining target alarm information in the target time period.
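Steps S1021, S1022 and S103 can be followed end to end on a few records. This is an added example in plain Python rather than SPARK code from the patent; the record fields, the function names, the subsystem table and the vendor OID are assumptions, and the sample alarms are constructed.

```python
from collections import namedtuple
from functools import reduce

Alarm = namedtuple("Alarm", "device_ip alarm_oid header level location time")

LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"        # standard SNMP linkDown notification
FAN_NOTICE = "1.3.6.1.4.1.99999.1.5.1"   # placeholder vendor OID (constructed)
SUBSYSTEM = {LINK_DOWN: "network interface", FAN_NOTICE: "fan"}  # assumed mapping

# Constructed standard alarms from one acquisition period (time in seconds).
RAW_ALARMS = [
    Alarm("1.2.1.0", LINK_DOWN, "interface down", 3, "port 3055", 100),
    Alarm("1.2.1.0", LINK_DOWN, "interface down", 3, "port 3055", 101),   # repeat
    Alarm("1.2.1.9", LINK_DOWN, "interface down", 3, "port 3055", 101),   # other element
    Alarm("1.2.1.0", FAN_NOTICE, "fan speed notice", 1, "board 2", 102),  # level 1
    Alarm("1.2.1.0", LINK_DOWN, "interface down", 3, "port 3056", 103),   # other port
]

# Aggregation key named in the text: device IP address, alarm OID, alarm header.
PAGE_KEY = ("device_ip", "alarm_oid", "header")


def aggregate(alarms, key_fields=PAGE_KEY):
    """S1021: fold alarms that share the key into one first-alarm entry."""
    def merge(acc, alarm):
        key = tuple(getattr(alarm, f) for f in key_fields)
        entry = acc.setdefault(key, {"alarm": alarm, "count": 0, "locations": set()})
        entry["count"] += 1
        entry["last_time"] = alarm.time
        entry["locations"].add(alarm.location)
        return acc

    ordered = sorted(alarms, key=lambda a: a.time)   # earliest alarm represents the group
    return list(reduce(merge, ordered, {}).values())


def filter_by_level(entries, min_level=2):
    """S1022: drop first-level alarms, keep second-level alarms and above."""
    return [e for e in entries if e["alarm"].level >= min_level]


def alarm_node(entry):
    """S103: IP address names the element, OID the subsystem, location the part."""
    a = entry["alarm"]
    return {
        "element": a.device_ip,
        "subsystem": SUBSYSTEM.get(a.alarm_oid, "unknown"),
        "parts": sorted(entry["locations"]),
        "count": entry["count"],
    }


def process(alarms, key_fields=PAGE_KEY):
    """Run aggregation, filtering and alarm-node determination in order."""
    return [alarm_node(e) for e in filter_by_level(aggregate(alarms, key_fields))]


if __name__ == "__main__":
    for node in process(RAW_ALARMS):
        print(node)
    for node in process(RAW_ALARMS, PAGE_KEY + ("location",)):
        print(node)
```

With the key given in the text, the alarms for port 3055 and port 3056 of the same element fold into one entry that lists both parts; adding the location to the key keeps one entry per port.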
Specifically, the original alarm information processed in the above steps S1021 to S1022 is data obtained in one acquisition period; if the acquisition period is 2 s, the original alarm information is the original alarm information acquired by all data acquisition nodes within 2 s. When a person skilled in the art needs to analyze the original alarm information of the network elements in a target time period, the streaming calculation submodule can obtain both the original alarm information already processed by the data preprocessing submodule and the original alarm information acquired by the data acquisition nodes, and process this alarm information (the processed original alarm information and the acquired original alarm information) through the first aggregation sub-rule and the first filtering sub-rule, so that the alarm information is reduced and the efficiency of subsequent alarm analysis is improved.
It should be noted that the target time period may be set by a person skilled in the art; for example, the target time period may be 10 min. The processed original alarm information may be the original alarm information processed in step S1022, or may be the original alarm information acquired by the data acquisition node. By processing the alarm information in the target time period, the relationship between the alarms generated by a network element and time can be determined; if a large amount of alarm information is generated at a first time, the fault condition of the network element at that time can be analyzed as a priority.
The streaming calculation submodule can obtain the alarm information of the target time period through a window function and, when aggregating the processed original alarm information with the original alarm information acquired by the data acquisition node, can aggregate the alarm information again through a reduce function, so that the data volume of data analysis is reduced. The streaming calculation submodule here is the streaming calculation submodule shown in fig. 1.
S1024, determining at least one alarm event according to the corresponding relation between the at least one piece of first alarm information and the alarm pairing sub-rule.
Wherein, the alarm event comprises target alarm information, or target alarm information and target alarm recovery information.
Specifically, the alarm event refers to a complete alarm process, including alarm information and the alarm recovery information corresponding to the alarm information; of course, the alarm event may include only alarm information when the alarm has not recovered. The alarm pairing sub-rule may include multiple types according to the type of the alarm, but the paired alarm information and alarm recovery information always stand in a relationship of alarm trigger and alarm recovery, for example, the pair formed by interface down and interface up, the pair formed by CPU utilization exceeding the threshold and CPU utilization falling back to the threshold, and so on.
The alarm pairing sub-rule can be obtained from a relational database by the SPARK real-time calculation submodule and sent to the corresponding worker nodes of SPARK as a broadcast variable. SPARK labels alarm information and alarm recovery information through a map function, and pairs the alarm information with the corresponding alarm recovery information through the repartitionAndSortWithinPartitions function and the mapPartitions function, thereby determining an alarm event. Of course, when alarm information has no corresponding alarm recovery information, the alarm information alone may also be determined as an alarm event. The relational database here may also be a relational database within a data storage module in the data analysis layer shown in fig. 1.
It should be noted that step S1024 may be executed after step S1023, or after step S1022, and those skilled in the art may set the steps as needed. When S1024 is executed after S1023, this step may be performed by the streaming sub-module; when S1024 is executed after S1022, this step may be performed by the SPARK real-time computation submodule.
In this embodiment, the step S1023 can reduce the original alarm information in a period of time, improve the efficiency of subsequently analyzing the original alarm information in the period of time, and determine the association of different alarms in time; through the step S1024, the corresponding relationship between the alarm information and the alarm recovery information can be established, and the subsequent analysis of the recovered alarm is not needed, so that the analysis efficiency of the alarm information can be further improved.
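The pairing of step S1024 follows the same order in plain Python: label each record, partition by key, sort within each partition by time, then walk each partition. This is an added example, not the patent's SPARK code; the pairing table, the record layout, the vendor OIDs and the separate list for recoveries whose alarm was never seen are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"       # standard SNMP linkDown notification
LINK_UP = "1.3.6.1.6.3.1.1.5.4"         # standard SNMP linkUp notification
CPU_HIGH = "1.3.6.1.4.1.99999.1.2.1"    # placeholder vendor OIDs (constructed)
CPU_OK = "1.3.6.1.4.1.99999.1.2.2"

# Alarm pairing sub-rule: trigger OID -> recovery OID.
PAIRING_RULE = {LINK_DOWN: LINK_UP, CPU_HIGH: CPU_OK}
TRIGGER_OF = {recovery: trigger for trigger, recovery in PAIRING_RULE.items()}


def rec(ip, location, oid, time):
    return {"ip": ip, "location": location, "oid": oid, "time": time}


# Constructed target alarm information for one target time period.
RECORDS = [
    rec("1.2.1.0", "port 3055", LINK_DOWN, 100),
    rec("1.2.1.0", "port 3056", LINK_DOWN, 120),   # never recovers
    rec("1.2.1.0", "cpu 0", CPU_HIGH, 130),
    rec("1.2.1.0", "cpu 0", CPU_OK, 150),
    rec("1.2.1.0", "port 3055", LINK_UP, 160),
    rec("1.2.1.9", "port 3055", LINK_UP, 90),      # recovery whose alarm was not seen
    rec("1.2.1.0", "port 3055", LINK_DOWN, 200),   # goes down again, still open
]


def label(record):
    """Label a record as alarm or recovery and name the trigger OID it belongs to."""
    oid = record["oid"]
    if oid in TRIGGER_OF:
        return "recovery", TRIGGER_OF[oid]
    return "alarm", oid   # includes alarms for which no recovery is defined


def pair_events(records):
    """Return (alarm events, recoveries that match no open alarm)."""
    partitions = defaultdict(list)
    for r in records:
        role, trigger_oid = label(r)
        # Same element, same part, same alarm family end up in one partition.
        partitions[(r["ip"], r["location"], trigger_oid)].append((role, r))

    events, orphans = [], []
    for key in sorted(partitions):
        open_alarm = None
        for role, r in sorted(partitions[key], key=lambda item: item[1]["time"]):
            if role == "alarm":
                if open_alarm is None:
                    open_alarm = r      # a repeat while open belongs to the same event
            elif open_alarm is not None:
                events.append({"alarm": open_alarm, "recovery": r})
                open_alarm = None
            else:
                orphans.append(r)
        if open_alarm is not None:
            events.append({"alarm": open_alarm, "recovery": None})   # not yet recovered
    return events, orphans


def duration(event):
    """Seconds from alarm to recovery, or None while the alarm is still open."""
    if event["recovery"] is None:
        return None
    return event["recovery"]["time"] - event["alarm"]["time"]


if __name__ == "__main__":
    paired, unmatched = pair_events(RECORDS)
    for e in paired:
        print(e["alarm"]["ip"], e["alarm"]["location"], duration(e))
    print("unmatched recoveries:", unmatched)
```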
Optionally, as shown in fig. 7, after step S101, the method further includes:
S201, storing the original alarm information to a message middleware.
Specifically, the message middleware here is the message middleware in the data forwarding layer shown in fig. 1. Since the message middleware is a distributed storage system, its storage space can be expanded as the original alarm information increases. Meanwhile, the message middleware can provide a data interface externally, so that a third-party information processor can directly access the data interface of the message middleware to obtain the relevant original alarm information, which avoids collecting the original alarm information repeatedly.
After step S1021, the method further includes:
S301, storing at least one piece of first alarm information to a first database.
Specifically, the first database may be the memory database in the data storage module shown in fig. 1. After the first alarm information is determined in step S1021, it may be serialized and stored in the memory database; in subsequent analysis, if the same first alarm information is needed, it can be obtained directly from the memory database, which avoids preprocessing the first alarm information repeatedly.
In a possible implementation manner, after step S1021, the first alarm information may be further converted into a DataFrame format, and the first alarm information in the DataFrame format is stored in a persistent manner in the OLAP database, so as to be used by other offline data analysis programs and online data analysis programs, such as the processed original alarm information obtained in step S1023. The OLAP database is an OLAP database in the data storage module shown in fig. 1, and the OLAP database can support high-speed writing, has a high data compression rate, and can effectively utilize the continuity of data when reading a large amount of data, thereby reducing the disk overhead.
In a possible implementation manner, after step S103 or S1024, the method may further include:
S104, storing the analysis result.
Specifically, the analysis result may be the alarm node determined in step S103, or the alarm event determined in step S1024, and the analysis result may be stored in the OLTP database. It should be noted that the analysis result here also needs to be converted into a DataFrame format and then stored in a persistent manner in an OLTP database, i.e., the OLTP database of the data storage layer shown in fig. 1.
The network element alarm processing method provided by the embodiment of the invention comprises the following steps: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; the SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm Object Identifier (OID); determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and the original alarm device IP addresses corresponding to the plurality of pieces of original alarm information; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating the alarm part corresponding to the target alarm information; and determining an alarm node according to the target parameter information. The alarm information of the embodiment of the invention can be acquired by the data acquisition program. Because the embodiment of the invention deploys the program through the Docker image of the data acquisition program, the data acquisition program can be conveniently deployed at a plurality of acquisition nodes, thereby forming a data acquisition cluster and realizing the acquisition of big data; and after acquiring a large amount of alarm information, the embodiment of the invention can aggregate and filter the alarm information according to the preset rule, thereby reducing redundant alarm information and improving the processing efficiency of the alarm information.
As shown in fig. 8, an embodiment of the present invention provides a network element alarm processing apparatus 40, including:
an obtaining module 401, configured to obtain multiple SNMP trap messages received by a data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; the SNMP trap message includes original alarm information, which includes an original alarm device Internet Protocol (IP) address and an original alarm Object Identifier (OID).
A processing module 402, configured to determine at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and the original alarm device IP addresses corresponding to the multiple pieces of original alarm information obtained by the obtaining module 401; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating the alarm part corresponding to the target alarm information.
A determining module 403, configured to determine an alarm node according to the target parameter information determined by the processing module 402.
Optionally, the first rule includes a first aggregation sub-rule and a first filtering sub-rule. The processing module 402 is specifically configured to: determining at least one piece of first alarm information according to original alarm OIDs corresponding to a plurality of pieces of original alarm information and an IP address of original alarm equipment and a first aggregation sub-rule; the first alarm information comprises a first alarm level; and determining at least one piece of target alarm information according to a first alarm grade corresponding to at least one piece of first alarm information and a first filtering sub-rule.
Optionally, the first rule further includes an alarm pairing sub-rule. The processing module 402 is further configured to determine at least one alarm event according to the at least one first alarm information and the alarm pairing sub-rule; the alarm event includes target alarm information, or target alarm information and target alarm recovery information.
Optionally, as shown in fig. 9, the network element alarm processing apparatus 40 further includes a first storage module 404, a second storage module 405, and a third storage module 406.
The first storage module 404 is configured to store at least one piece of first alarm information in a first database.
A second storage module 405, configured to store the original alarm information in the message middleware.
A third storage module 406, configured to store information corresponding to the alarm node.
The network element alarm processing device provided by the embodiment of the invention comprises: the obtaining module is used for obtaining a plurality of Simple Network Management Protocol (SNMP) trap messages received by the data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring SNMP trap messages; the SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm Object Identifier (OID); the processing module is used for determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and the original alarm device IP addresses corresponding to the plurality of pieces of original alarm information obtained by the obtaining module; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating the alarm part corresponding to the target alarm information; and the determining module is used for determining the alarm node according to the target parameter information determined by the processing module.
The alarm information of the embodiment of the invention can be acquired by the data acquisition program. Because the embodiment of the invention deploys the program through the Docker image of the data acquisition program, the data acquisition program can be conveniently deployed at a plurality of acquisition nodes, thereby forming a data acquisition cluster and realizing the acquisition of big data; and after acquiring a large amount of alarm information, the embodiment of the invention can aggregate and filter the alarm information according to the preset rule, thereby reducing redundant alarm information and improving the processing efficiency of the alarm information.
Referring to FIG. 10, an embodiment of the present invention further provides another network element alarm processing device, including a memory 51, a processor 52, a bus 53, and a communication interface 54; the memory 51 is used for storing computer-executable instructions, and the processor 52 is connected with the memory 51 through the bus 53; when the network element alarm processing device is operating, the processor 52 executes the computer-executable instructions stored in the memory 51 to make the network element alarm processing device execute the network element alarm processing method provided in the above embodiment.
In particular implementations, as one embodiment, the processor 52 (52-1 and 52-2) may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 10. As another embodiment, the network element alarm processing device may include a plurality of processors 52, such as the processor 52-1 and the processor 52-2 shown in FIG. 10. Each of the processors 52 may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. Processor 52 may refer herein to one or more devices, circuits, and/or processing cores that process data (e.g., computer program instructions).
The memory 51 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 51 may be self-contained and coupled to the processor 52 via a bus 53. The memory 51 may also be integrated with the processor 52.
In a specific implementation, the memory 51 is used for storing data in the present application and computer-executable instructions corresponding to software programs for executing the present application. The processor 52 may perform various functions of the network element alarm processing device by running or executing software programs stored in the memory 51 and invoking data stored in the memory 51.
The communication interface 54 is any device, such as a transceiver, for communicating with other devices or communication networks, such as a control system, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), and the like. The communication interface 54 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The bus 53 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 53 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 10, but this is not intended to represent only one bus or type of bus.
An embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes computer-executable instructions, and when the computer-executable instructions run on a computer, the computer is enabled to execute the network element alarm processing method provided in the foregoing embodiment.
The embodiment of the present invention further provides a computer program, where the computer program may be directly loaded into the memory and contains a software code, and the computer program is loaded and executed by a computer, so as to implement the network element alarm processing method provided in the above embodiment.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include both computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described apparatus embodiments are merely illustrative; for example, the division of the modules or units is only one logical function division, and there may be other division ways in actual implementation. For example, various units or components may be combined or integrated into another device, or some features may be omitted or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. Units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit can be realized in the form of hardware, and can also be realized in the form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, in essence, or the part thereof that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (12)
1. A network element alarm processing method is characterized by comprising the following steps:
acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring the SNMP trap messages; each SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID);
determining at least one piece of target alarm information, according to a first rule, from the original alarm OIDs and original alarm device IP addresses corresponding to a plurality of pieces of the original alarm information; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating an alarm part corresponding to the target alarm information;
and determining an alarm node according to the target parameter information.
2. The network element alarm processing method of claim 1, wherein the first rule comprises a first aggregation sub-rule and a first filtering sub-rule; the determining at least one piece of target alarm information according to the original alarm OID and the original alarm device IP address corresponding to the plurality of pieces of original alarm information and the first rule comprises:
determining at least one piece of first alarm information, according to the first aggregation sub-rule, from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information; the first alarm information comprises a first alarm level;
and determining at least one piece of target alarm information, according to the first filtering sub-rule, from the first alarm level corresponding to the at least one piece of first alarm information.
3. The network element alarm processing method of claim 2, wherein the first rule further comprises an alarm pairing sub-rule; after the determining of at least one piece of target alarm information, according to the first filtering sub-rule, from the first alarm level corresponding to the at least one piece of first alarm information, the method further comprises:
determining at least one alarm event, according to the alarm pairing sub-rule, from the correspondence between the at least one piece of first alarm information; the alarm event includes the target alarm information, or the target alarm information and target alarm recovery information.
4. The network element alarm processing method according to claim 2, wherein after the determining of at least one piece of first alarm information, according to the first aggregation sub-rule, from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information, the method further comprises:
and storing at least one piece of first alarm information to a first database.
5. The network element alarm processing method according to claim 3 or 4, wherein after the acquiring of the plurality of SNMP trap messages received by the data acquisition node, the method further comprises:
and storing the original alarm information to message middleware.
6. A network element alarm processing apparatus, comprising:
the acquisition module is used for acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by the data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring the SNMP trap messages; each SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID);
the processing module is used for determining at least one piece of target alarm information, according to a first rule, from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information acquired by the acquisition module; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating an alarm part corresponding to the target alarm information;
and the determining module is used for determining the alarm node according to the target parameter information determined by the processing module.
7. The apparatus of claim 6, wherein the first rule comprises a first aggregation sub-rule and a first filtering sub-rule; the processing module is specifically configured to:
determining at least one piece of first alarm information, according to the first aggregation sub-rule, from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information; the first alarm information comprises a first alarm level;
and determining at least one piece of target alarm information, according to the first filtering sub-rule, from the first alarm level corresponding to the at least one piece of first alarm information.
8. The apparatus of claim 7, wherein the first rule further comprises an alarm pairing sub-rule; the processing module is further configured to determine at least one alarm event, according to the alarm pairing sub-rule, from the correspondence between the at least one piece of first alarm information; the alarm event includes the target alarm information, or the target alarm information and target alarm recovery information.
9. The network element alarm processing device of claim 7, further comprising a first storage module;
the first storage module is used for storing at least one piece of first alarm information to a first database.
10. The network element alarm processing device according to claim 8 or 9, further comprising a second storage module;
and the second storage module is used for storing the original alarm information to a message middleware.
11. A network element alarm processing device is characterized by comprising a memory, a processor, a bus and a communication interface; the memory is used for storing computer-executable instructions, and the processor is connected with the memory through the bus; when the network element alarm processing device is in operation, the processor executes the computer-executable instructions stored in the memory to cause the network element alarm processing device to perform the network element alarm processing method according to any one of claims 1 to 5.
12. A computer-readable storage medium, comprising computer-executable instructions that, when executed on a computer, cause the computer to perform the network element alarm handling method of any of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011259804.5A CN112491593B (en) | 2020-11-12 | 2020-11-12 | Network element alarm processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112491593A (en) | 2021-03-12 |
CN112491593B (en) | 2022-10-25 |
Family
ID=74929949
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011259804.5A Active CN112491593B (en) | 2020-11-12 | 2020-11-12 | Network element alarm processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112491593B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN112491593B (en) | 2022-10-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||