CN113259166A - Log alarm processing method and device - Google Patents
- Publication number
- CN113259166A (CN202110581089.5A)
- Authority
- CN
- China
- Prior art keywords
- alarm
- attribute information
- log
- memory
- storage medium
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/13—File access structures, e.g. distributed indices
- G06F16/137—Hash-based
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/1805—Append-only file systems, e.g. using logs or journals to store data
- G06F16/1815—Journaling file systems
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention relates to a log alarm processing method and device, wherein the method comprises the following steps: receiving logs reported by multiple types of terminal devices by using the storage medium; processing a log carrying first attribute information to obtain an alarm object comprising second attribute information, wherein the first attribute information includes alarm content and a log source, and the second attribute information includes the alarm content, the log source and an alarm level; performing hash calculation on the second attribute information of the alarm object, and storing the calculation result in the memory; and determining, for each alarm object, whether the storage medium stores the alarm object according to the calculation result. The scheme of the invention can reduce the operating pressure on the management platform when it receives alarm messages.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a log alarm processing method and device.
Background
The log file is used as an important record for tracking the activity of each terminal device and the network interaction situation of the terminal device and other terminal devices, and can reflect the operation condition of the system.
In the prior art, once the terminal device generates the alarm message, the alarm message is sent to the relevant management platform, but because the number of the alarm messages generated by the terminal device is large and the alarm message contains repeated messages, the management platform is subjected to large and unnecessary operation pressure.
Therefore, in view of the above disadvantages, it is desirable to provide a log alarm processing method and apparatus.
Disclosure of Invention
The technical problem to be solved by the present invention is that a management platform has a large operation pressure when receiving an alarm message, and a method and an apparatus for processing a log alarm are provided to overcome the defects in the prior art.
In order to solve the above technical problem, the present invention provides a log alarm processing method, which is applied to a management platform, wherein the management platform comprises a memory and a storage medium, and the method comprises:
receiving logs reported by the multi-type terminal equipment by using the storage medium;
processing the log carrying the first attribute information to obtain an alarm object comprising second attribute information; the first attribute information includes alarm content and a log source, and the second attribute information includes the alarm content, the log source and an alarm level;
performing hash calculation on the second attribute information of the alarm object, and storing the calculation result in the memory;
and determining whether the storage medium stores the alarm object or not according to the calculation result aiming at each alarm object.
In a possible implementation manner, the processing the log carrying the first attribute information to obtain the alarm object including the second attribute information includes:
acquiring a plurality of alarm tags of the management platform; the alarm tag is used for representing a log alarm category concerned by the management platform;
if the alarm content in the first attribute information comprises at least one alarm tag, determining the log carrying the first attribute information as an alarm message;
and processing the alarm message to obtain an alarm object comprising second attribute information.
In a possible implementation manner, the processing the alarm message to obtain an alarm object including the second attribute information includes:
constructing a mapping relation between an alarm tag and an alarm level;
determining the alarm level of the alarm message based on the mapping relation and the alarm tag included in the alarm content in the alarm message;
and encapsulating the alarm message and the alarm level of the alarm message to obtain an alarm object comprising second attribute information.
In a possible implementation manner, the determining, for each alarm object, whether the storage medium stores the alarm object according to the calculation result includes:
for each alarm object, determining whether the alarm object is repeated according to the calculation result;
if the alarm object is repeated, updating the number of occurrences of the alarm object in the memory by using a counter of class AtomicLong, and determining that the storage medium does not store the alarm object;
and if not, determining that the storage medium stores the alarm object.
In a possible implementation manner, after the updating of the number of occurrences of the alarm object in the memory by using a counter of class AtomicLong, the method further includes:
and synchronizing the occurrence times of the alarm object in the memory to the storage medium when a first preset time length after the time point when the memory stores the calculation result corresponding to the alarm object for the first time is reached.
In one possible implementation manner, after the determining that the storage medium stores the alert object, the method includes:
and acquiring the unique address of the log stored by the storage medium for the first time, so as to store the occurrence times of the alarm object in the memory by using the unique address.
In a possible implementation manner, after the determining that the storage medium stores the alert object, the method further includes:
when a second preset time length after the time point when the memory stores the calculation result corresponding to the alarm object for the first time is reached, if the occurrence frequency of the alarm object in the memory is determined to be 1 time, deleting the calculation result corresponding to the alarm object stored in the memory; and the second preset time length is greater than the first preset time length.
The invention also provides a log alarm processing device, which is applied to a management platform, wherein the management platform comprises a memory and a storage medium, and the device comprises:
the receiving module is used for receiving the logs reported by the multi-type terminal equipment by utilizing the storage medium;
the processing module is used for processing the log carrying the first attribute information to obtain an alarm object comprising second attribute information; the first attribute information includes alarm content and a log source, and the second attribute information includes the alarm content, the log source and an alarm level;
the calculation module is used for carrying out Hash calculation on the second attribute information of the alarm object and storing the calculation result in the memory;
and the determining module is used for determining whether the storage medium stores the alarm object or not according to the calculation result aiming at each alarm object.
The invention also provides a log alarm processing device, which comprises: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine readable program to perform the method as described above.
The invention also provides a computer readable medium having stored thereon computer instructions which, when executed by a processor, cause the processor to perform the method as described above.
The log alarm method and the log alarm device have the following beneficial effects that:
according to the technical scheme provided by the invention, hash calculation is performed on the second attribute information of the alarm object, the calculation result is stored in the memory, and whether the storage medium stores the alarm object is then determined according to the calculation result. In this scheme, the alarm object itself does not need to be stored in the memory in order to determine whether it is stored in the storage medium; only the calculation result of the hash calculation on its second attribute information is stored in the memory.
Drawings
FIG. 1 is a flow chart of a log alarm processing method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a log alarm processing method according to another embodiment of the present invention;
FIG. 3 is a schematic diagram of a log alarm processing device provided by an embodiment of the invention;
FIG. 4 is a schematic diagram of a log alarm processing apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 shows a flow diagram of a log alarm processing method according to one embodiment. It is to be appreciated that the method can be performed by any apparatus, device, platform, cluster of devices having computing and processing capabilities. This method is executed by a management platform (e.g., a log server) and is explained below.
Referring to fig. 1, the method includes:
Step 101: receiving the logs reported by multiple types of terminal devices by using the storage medium.
In some embodiments, each terminal device generates a log of events, i.e., log files, at runtime. The log file is a file whose contents keep growing; like a flight recorder for the terminal device, it records every detail of the device's operation. The multiple types of terminal devices can be, for example, an industrial monitoring audit, an industrial firewall, an industrial gatekeeper, an industrial control security evaluation system, an industrial control security inspection toolbox, a vulnerability scanning system, an intrusion prevention system, a database audit, a security operation and maintenance management platform, a bastion host, an intrusion detection system and the like, and can be determined according to the actual application scenario without limitation. It is understood that the operation and maintenance personnel of the log server can analyze and check the log files to learn the software and hardware information of each terminal device in time, and to check for errors in the configuration process and their causes.
In this embodiment, the log server receives logs reported by various types of terminal devices through a storage medium, and sends the logs to the log processing engine for processing. It can be understood that the logs generated by the terminal devices are not all alarm logs; for example, a login log and its time log are not alarm logs, whereas a login failure log and its time log are alarm logs, so the alarm logs need to be extracted from the many logs received.
In some embodiments, after the storage medium receives the logs sent by each terminal device, the logs are added to a multi-threaded message queue to await processing, which can improve the log server's processing efficiency and its ability to withstand concurrent load.
Step 102: processing the log carrying the first attribute information to obtain an alarm object comprising the second attribute information.
In step 102, the first attribute information includes alarm content and a log source, and the second attribute information includes the alarm content, the log source and an alarm level. The alarm content is the specific content of the log, such as login failure content. The log source is the unique identifier of the terminal device sending the log; the unique identifier is not specifically limited herein and may be, for example, a combination of a hard disk number, a MAC address, an IP address, and the like.
In some embodiments, step 102 may specifically include the following steps:
acquiring a plurality of alarm tags of a management platform; the alarm tag is used for representing a log alarm category concerned by the management platform;
if the alarm content in the first attribute information comprises at least one alarm tag, determining the log carrying the first attribute information as an alarm message;
and processing the alarm message to obtain an alarm object comprising the second attribute information.
In this embodiment, the management platform is preset with a plurality of alarm tags to extract alarm logs (i.e., alarm messages) from the logs, and then processes the alarm messages to obtain an alarm object, so as to determine whether the alarm messages are repeated by using second attribute information included in the alarm object. Specifically, if the alarm content in the first attribute information includes at least one alarm tag, the log carrying the first attribute information is determined as an alarm message.
In addition, the alarm tags may be based on preset regular expressions. Specifically, a log is matched against each regular expression, and if the current regular expression matches, the log is determined to be an alarm message.
Since the alarm level is not included in the alarm message, it is difficult for the manager to process the alarm message in time. If the management platform determines the alarm level of the log from the alarm message, the manager can take processing measures in time according to that alarm level.
In some embodiments, the step of processing the alarm message to obtain the alarm object including the second attribute information may include the following steps:
constructing a mapping relation between an alarm tag and an alarm level;
determining the alarm level of the alarm message based on the mapping relation and the alarm tag included in the alarm content in the alarm message;
and encapsulating the alarm message and the alarm level of the alarm message to obtain an alarm object comprising the second attribute information.
In the embodiment of the invention, the alarm level of the alarm message is determined by utilizing the mapping relation between the alarm tag and the alarm level which is constructed in advance and based on the mapping relation and the alarm tag included in the alarm content in the alarm message, so that a manager can conveniently and timely make treatment measures according to the alarm level of the alarm message.
It will be appreciated that the alarm level may also be modified at the discretion of the administrator to accommodate personalized settings.
Step 103: performing hash calculation on the second attribute information of the alarm object, and storing the calculation result in the memory.
In the prior art, the alarm message is stored directly in the memory, and whether the alarm message is repeated is then judged. This occupies too much memory space and does not help to reduce the operating pressure on the log server.
In step 103, the second attribute information of the alarm object is subjected to hash calculation, and the calculation result is stored in the memory, so that whether the alarm message is repeated is determined by using the calculation result (i.e. hash data). This does not occupy too much memory space, and thus helps to reduce the operating pressure on the log server.
Step 104: determining, for each alarm object, whether the storage medium stores the alarm object according to the calculation result.
If the manager does not actively modify the alarm level, whether the alarm object, the alarm message or the log is repeated can be determined according to the calculation result; if the manager actively modifies the alarm level, whether the alarm message or log is repeated can be determined according to the calculation result. This is because the alarm level is obtained based on the alarm content of the alarm message. Step 104 therefore addresses the case in which the manager has not actively modified the alarm level. That is, if the calculation result of an alarm object is a duplicate, this indicates that the storage medium has already stored an alarm object with the same alarm content, log source and alarm level, so the alarm object does not need to be stored in the storage medium; conversely, if the calculation result of an alarm object is not a duplicate, this indicates that the storage medium has not stored a log with the same alarm content, log source and alarm level as the alarm object, so the alarm object needs to be stored in the storage medium.
In the prior art, if the alarm object is repeated, counting usually relies on a zero-clearing operation. For example, suppose the count is 5 when a zero-clearing operation begins; if 2 new occurrences arrive while the operation is in progress, the count after clearing is 0 times, when it should actually be 2 times. To solve this technical problem, in some embodiments, step 104 may specifically include the following steps:
for each alarm object, determining whether the alarm object is repeated according to a calculation result;
if the alarm object is repeated, updating the number of occurrences of the alarm object in the memory by using a counter of class AtomicLong, and determining that the storage medium does not store the alarm object;
if not, the storage medium is determined to store the alarm object.
In this embodiment, a counter of class AtomicLong is used to update the number of occurrences of the alarm object in the memory, which helps to ensure thread safety, that is, to keep the occurrence count correct, and reduces the probability of data loss.
In the prior art, the number of alarm messages grows greatly as the number of terminal devices increases, and if a large number of repeated alarms occur in a short time, concurrency increases greatly. If all the repeated alarms are displayed, effective alarm information is hard to find; picking out important alarm information from a large number of repeated alarms undoubtedly consumes a large amount of time and energy for little result, and the insertion speed cannot meet the requirement.
In the embodiment, whether the alarm objects are repeated or not is determined according to the calculation result for each alarm object, and if the alarm objects are repeated, the storage medium is determined not to store the alarm objects, so that the repeated alarm objects can be combined, and the processing capacity of concurrent data can be improved.
Further, in some embodiments, after the step of updating the number of occurrences of the alarm object in the memory by using a counter of class AtomicLong, the method further includes:
and synchronizing the occurrence times of the alarm object in the memory to a storage medium when a first preset time length after the time point when the memory stores the calculation result corresponding to the alarm object for the first time is reached.
In this embodiment, the condition for synchronizing the number of occurrences of the alarm object in the memory to the storage medium is a time limit, measured from the time point when the memory first stores the calculation result corresponding to the alarm object. Compared with using a count as the condition (for example, synchronizing the number of occurrences of the alarm object in the memory to the storage medium when the number of occurrences reaches a preset number), this helps to ensure that data is safely persisted (i.e., synchronized to the storage medium), so that data loss can be avoided. That is, using a count as the condition may have the following problem: while the number of occurrences held in the memory has not yet reached the value that triggers storage to the storage medium, a power failure, server downtime, service interruption or similar problem would cause data loss.
In some embodiments, the first preset time period may be 10 seconds.
In some embodiments, if the number of occurrences of the alarm object in the memory reaches a preset threshold within the first preset time length after the time point when the memory first stores the calculation result corresponding to the alarm object, the alarm level of the alarm object needs to be raised in order to improve the timeliness of processing the alarm object; for example, an alarm voice may be generated to prompt a manager to process it in time.
Further, in some embodiments, after determining that the storage medium stores the alert object, the method further comprises:
and acquiring the unique address of the log stored by the storage medium for the first time, so as to utilize the unique address to store the occurrence times of the alarm object in the memory.
In this embodiment, in order to synchronize the number of occurrences of the alarm object in the memory to the storage medium, the unique address at which the alarm object is stored needs to be returned after the alarm object is first stored in the storage medium, so that the subsequent number of occurrences, that is, the number of repeated occurrences, can be synchronized to that unique address, thereby persisting the data.
Further, in some embodiments, after the step of determining that the storage medium stores the alert object, the method further comprises:
when a second preset time length after the time point when the memory stores the calculation result corresponding to the alarm object for the first time is reached, if the occurrence frequency of the alarm object in the memory is determined to be 1 time, deleting the calculation result corresponding to the alarm object stored in the memory; and the second preset time length is greater than the first preset time length.
In this embodiment, if the number of occurrences of the alarm object in the memory is still 1 when the second preset time length after the time point when the memory first stores the calculation result corresponding to the alarm object is reached, this indicates that the alarm object is not significant. To avoid the calculation result of the alarm object occupying memory space, the calculation result corresponding to the alarm object stored in the memory can be deleted, which frees memory space and further reduces the operating pressure on the management platform when it receives alarm messages.
In some embodiments, the second preset time period may be 24 hours.
As can be seen, in the process shown in FIG. 1, hash calculation is performed on the second attribute information of the alarm object, the calculation result is stored in the memory, and whether the storage medium stores the alarm object is then determined according to the calculation result. In this scheme, the alarm object itself does not need to be stored in the memory in order to determine whether it is stored in the storage medium; only the calculation result of the hash calculation on its second attribute information is stored in the memory.
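The flow of steps 101 to 104 together with the two time windows, as an added Java example (not code from the patent). The class and method names, the tag patterns and levels, the choice of SHA-256 with length-prefixed fields, the in-memory maps standing in for the storage medium, the periodic `sweep` task and the sample logs are all assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Pattern;

public class AlarmDedupDemo {
    static final long FIRST_WINDOW_MS = 10_000L;                // first preset time length: 10 seconds
    static final long SECOND_WINDOW_MS = 24L * 60 * 60 * 1000;  // second preset time length: 24 hours
    // Alarm tag -> alarm level mapping. Patterns and level names are constructed for this example.
    static final Map<Pattern, String> TAG_LEVELS = new LinkedHashMap<>();
    static {
        TAG_LEVELS.put(Pattern.compile("login failed", Pattern.CASE_INSENSITIVE), "HIGH");
        TAG_LEVELS.put(Pattern.compile("configuration changed", Pattern.CASE_INSENSITIVE), "MEDIUM");
    }

    /** What the memory keeps per distinct alarm: no alarm text, only a counter and bookkeeping. */
    static final class Slot {
        final AtomicLong count = new AtomicLong(1);
        final long firstSeenMs, address;   // address: "unique address" returned by the first store
        Slot(long firstSeenMs, long address) { this.firstSeenMs = firstSeenMs; this.address = address; }
    }

    final ConcurrentHashMap<String, Slot> memory = new ConcurrentHashMap<>();       // hash -> slot
    final ConcurrentHashMap<Long, String> storedAlarms = new ConcurrentHashMap<>(); // storage stand-in
    final ConcurrentHashMap<Long, Long> storedCounts = new ConcurrentHashMap<>();   // storage stand-in
    final AtomicLong nextAddress = new AtomicLong();

    /** Returns the level of the first matching tag, or null when the log is not an alarm message. */
    static String levelFor(String content) {
        for (Map.Entry<Pattern, String> tag : TAG_LEVELS.entrySet())
            if (tag.getKey().matcher(content).find()) return tag.getValue();
        return null;
    }

    /** Hash of the second attribute information; fields are length-prefixed so field boundaries cannot shift. */
    static String fingerprint(String content, String source, String level) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256"); // assumed algorithm
            for (String field : new String[] {content, source, level}) {
                byte[] bytes = field.getBytes(StandardCharsets.UTF_8);
                md.update(ByteBuffer.allocate(4).putInt(bytes.length).array());
                md.update(bytes);
            }
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Steps 102 to 104. Returns true when the alarm object was written to storage (first occurrence). */
    boolean ingest(String content, String source, long nowMs) {
        String level = levelFor(content);
        if (level == null) return false;                       // ordinary log, not an alarm
        String key = fingerprint(content, source, level);
        boolean[] stored = {false};
        memory.compute(key, (k, slot) -> {
            if (slot == null) {                                // hash not seen: store once, keep address
                long address = nextAddress.incrementAndGet();
                storedAlarms.put(address, level + " | " + source + " | " + content);
                stored[0] = true;
                return new Slot(nowMs, address);
            }
            slot.count.incrementAndGet();                      // repeat: count only, no new row
            return slot;
        });
        return stored[0];
    }

    /** Periodic task: sync counts once the first window has elapsed, evict singletons after the second. */
    void sweep(long nowMs) {
        memory.forEach((key, slot) -> {
            long age = nowMs - slot.firstSeenMs;
            if (age >= FIRST_WINDOW_MS) storedCounts.put(slot.address, slot.count.get());
            if (age >= SECOND_WINDOW_MS) memory.computeIfPresent(key, (k, s) -> s.count.get() == 1 ? null : s);
        });
    }

    public static void main(String[] args) {
        AlarmDedupDemo platform = new AlarmDedupDemo();
        String[][] logs = {                                    // constructed sample logs: {content, source}
            {"Login failed for user admin", "fw-01/10.0.0.5"},
            {"Login failed for user admin", "fw-01/10.0.0.5"},
            {"User admin logged in", "fw-01/10.0.0.5"},
            {"Login failed for user admin", "ids-02/10.0.0.9"},
            {"Login failed for user admin", "fw-01/10.0.0.5"},
        };
        for (String[] log : logs) System.out.println(platform.ingest(log[0], log[1], 0L) + "  " + log[1] + "  " + log[0]);
        platform.sweep(FIRST_WINDOW_MS);
        System.out.println("rows in storage: " + platform.storedAlarms.size() + ", synced counts: " + platform.storedCounts);
        platform.sweep(SECOND_WINDOW_MS);
        System.out.println("hashes left in memory after 24 h: " + platform.memory.size());
    }
}
```

Because the alarm level is part of the hashed fields, changing a tag's level in `TAG_LEVELS` makes later occurrences of the same content and source hash to a new key, which is why the description limits object-level deduplication to the case where the manager has not modified the level.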
FIG. 2 shows a flow diagram of a log alarm processing method according to another embodiment. Referring to fig. 2, the method includes:
Step 201: receiving the logs reported by multiple types of terminal devices by using the storage medium.
Step 202: acquiring a plurality of alarm tags of the management platform.
Step 203: if the alarm content in the first attribute information comprises at least one alarm tag, determining the log carrying the first attribute information as an alarm message.
Step 204: constructing a mapping relation between the alarm tag and the alarm level.
Step 205: determining the alarm level of the alarm message based on the mapping relation and the alarm tag included in the alarm content in the alarm message.
Step 206: encapsulating the alarm message and the alarm level of the alarm message to obtain an alarm object comprising the second attribute information.
Step 207: performing hash calculation on the second attribute information of the alarm object, and storing the calculation result in the memory.
Step 208: for each alarm object, determining whether the alarm object is repeated according to the calculation result. If so, go to step 209; if not, go to step 210.
Step 209: updating the number of occurrences of the alarm object in the memory by using a counter of class AtomicLong, and determining that the storage medium does not store the alarm object.
Step 210: determining that the storage medium stores the alarm object.
As shown in FIG. 3 and FIG. 4, an embodiment of the present invention provides a log alarm processing device and a log alarm processing apparatus. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. In terms of hardware, FIG. 3 is a hardware structure diagram of the log alarm processing device provided in the embodiment of the present invention; in addition to the processor, the memory, the network interface, and the non-volatile memory shown in FIG. 3, the device in the embodiment may generally also include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in FIG. 4, the apparatus, as a logical apparatus, is formed by the CPU of the device in which it is located reading the corresponding computer program instructions from the non-volatile memory into the memory and running them.
As shown in fig. 4, the log alarm processing apparatus provided in this embodiment includes:
a receiving module 401, configured to receive, by using the storage medium, a log reported by multiple types of terminal devices;
a processing module 402, configured to process a log carrying first attribute information to obtain an alarm object including second attribute information; the first attribute information includes alarm content and a log source, and the second attribute information includes the alarm content, the log source and an alarm level;
a calculating module 403, configured to perform hash calculation on the second attribute information of the alarm object, and store a calculation result in the memory;
and a determining module 404, configured to determine, for each alarm object, whether the storage medium stores the alarm object according to the calculation result.
In an embodiment of the present invention, the receiving module 401 may be configured to perform step 101 in the above-described method embodiment, the processing module 402 may be configured to perform step 102 in the above-described method embodiment, the calculating module 403 may be configured to perform step 103 in the above-described method embodiment, and the determining module 404 may be configured to perform step 104 in the above-described method embodiment.
In an embodiment of the present invention, the processing module 402 is configured to perform the following operations:
acquiring a plurality of alarm tags of the management platform; the alarm tag is used for representing a log alarm category concerned by the management platform;
if the alarm content in the first attribute information comprises at least one alarm tag, determining the log carrying the first attribute information as an alarm message;
and processing the alarm message to obtain an alarm object comprising second attribute information.
In an embodiment of the present invention, when the processing module 402 performs the processing on the alarm message to obtain the alarm object including the second attribute information, the processing module is further configured to perform the following operations:
constructing a mapping relation between an alarm tag and an alarm level;
determining the alarm level of the alarm message based on the mapping relation and the alarm tag included in the alarm content in the alarm message;
and encapsulating the alarm message and the alarm level of the alarm message to obtain an alarm object comprising second attribute information.
In an embodiment of the present invention, the determining module 404 is configured to perform the following operations:
for each alarm object, determining whether the alarm object is repeated according to the calculation result;
if the alarm object is repeated, updating the number of occurrences of the alarm object in the memory by using a counter of class AtomicLong, and determining that the storage medium does not store the alarm object;
and if not, determining that the storage medium stores the alarm object.
In an embodiment of the present invention, the determining module 404 is further configured to:
and synchronizing the number of occurrences of the alarm object in the memory to the storage medium when a first preset duration has elapsed since the time point at which the memory first stored the calculation result corresponding to the alarm object.
In an embodiment of the present invention, the determining module 404 is further configured to:
and acquiring the unique address at which the alarm object was first stored in the storage medium, so as to store the number of occurrences of the alarm object in the memory by using the unique address.
In an embodiment of the present invention, the determining module 404 is further configured to:
when a second preset duration has elapsed since the time point at which the memory first stored the calculation result corresponding to the alarm object, if the number of occurrences of the alarm object in the memory is determined to be 1, deleting the calculation result corresponding to the alarm object stored in the memory; the second preset duration is greater than the first preset duration.
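An added illustration of the flow carried out by modules 402 to 404 above (tag filter, level mapping, hash of the second attribute information, AtomicLong counting, timed synchronization and eviction); it is not code from the patent. The class and method names, the tag table, SHA-256 over length-prefixed fields, the two durations, the in-memory list standing in for the storage medium, and the sample logs are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

public class AlarmDedup {
    // Assumed tag -> level table (first match wins); the patent lists no concrete tags or levels.
    static final String[][] TAG_LEVELS = {{"login failed", "HIGH"}, {"port scan", "MEDIUM"}};
    static final long SYNC_AFTER_MS = 60_000, EVICT_AFTER_MS = 300_000; // assumed; second > first
    static final class Entry {
        final long firstSeen; final int rowId; final AtomicLong count = new AtomicLong(1);
        Entry(long firstSeen, int rowId) { this.firstSeen = firstSeen; this.rowId = rowId; }
    }
    final Map<String, Entry> memory = new ConcurrentHashMap<>(); // hash -> in-memory counter
    final List<Object[]> storage = new ArrayList<>();            // stand-in for the storage medium
    // Length-prefix each field so ("a|b","c") and ("a","b|c") hash differently. SHA-256 is an assumption.
    static String hash(String... fields) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (String f : fields) {
            byte[] b = f.getBytes(StandardCharsets.UTF_8);
            md.update((b.length + ":").getBytes(StandardCharsets.UTF_8));
            md.update(b);
        }
        return Base64.getEncoder().encodeToString(md.digest());
    }
    synchronized int store(String content, String source, String level) {
        storage.add(new Object[]{content, source, level, 1L});
        return storage.size() - 1; // row index plays the role of the "unique address"
    }
    String ingest(String content, String source, long now) throws Exception {
        String level = null;
        for (String[] t : TAG_LEVELS)
            if (content.toLowerCase().contains(t[0])) { level = t[1]; break; }
        if (level == null) return "IGNORED"; // no alarm tag, so not an alarm message
        final String lvl = level;
        boolean[] isNew = {false};
        Entry e = memory.computeIfAbsent(hash(content, source, lvl), k -> {
            isNew[0] = true;
            return new Entry(now, store(content, source, lvl));
        });
        if (isNew[0]) return "STORED";
        e.count.incrementAndGet(); // repeat: counted in memory, no new row written
        return "DUPLICATE";
    }
    void tick(long now) {
        for (Entry e : memory.values()) // first duration reached: copy the count to the stored row
            if (now - e.firstSeen >= SYNC_AFTER_MS)
                synchronized (this) { storage.get(e.rowId)[3] = e.count.get(); }
        // second duration reached: drop hashes of alarms that never repeated
        memory.values().removeIf(e -> now - e.firstSeen >= EVICT_AFTER_MS && e.count.get() == 1);
    }
    public static void main(String[] args) throws Exception {
        AlarmDedup d = new AlarmDedup();
        String[][] logs = {{"Login failed for admin", "fw-01"}, {"Login failed for admin", "fw-01"},
                           {"Port scan detected", "ids-02"}, {"Link up", "sw-03"}}; // constructed samples
        for (String[] l : logs) System.out.println(d.ingest(l[0], l[1], 0L) + "  " + l[0]);
        d.tick(60_000); d.tick(300_000);
        for (Object[] row : d.storage) System.out.println(Arrays.toString(row));
        System.out.println("hashes left in memory: " + d.memory.size());
    }
}
```

Because the alarm content is part of the hashed attributes, content that embeds per-event values such as timestamps or session identifiers will never match an earlier hash and so will not be deduplicated unless it is normalized first.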
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to the log alarm apparatus. In other embodiments of the present invention, the log alarm apparatus may include more or fewer components than shown, or some components may be combined, some components may be split, or the components may be arranged differently. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides log alarm processing equipment, which comprises: at least one memory and at least one processor;
at least one memory for storing a machine readable program;
at least one processor for invoking a machine readable program to perform the log alarm processing method of any embodiment of the present invention.
Embodiments of the present invention also provide a computer-readable medium storing instructions for causing a computer to perform a log alarm processing method as described herein. Specifically, a method or an apparatus equipped with a storage medium on which a software program code that realizes the functions of any of the above-described embodiments is stored may be provided, and a computer (or a CPU or MPU) of the method or the apparatus is caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments can be implemented not only by executing the program code read out by the computer, but also by performing a part or all of the actual operations by an operation method or the like operating on the computer based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion unit to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
Finally, it should be noted that the above examples are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some technical features thereof can be equivalently replaced, and that such modification or replacement does not depart from the spirit and scope of the corresponding technical solutions.
Claims (10)
1. A log alarm processing method is applied to a management platform, wherein the management platform comprises a memory and a storage medium, and the method comprises the following steps:
receiving, by using the storage medium, logs reported by multiple types of terminal equipment;
processing the log carrying the first attribute information to obtain an alarm object comprising second attribute information; the first attribute information includes alarm content and a log source, and the second attribute information includes the alarm content, the log source and an alarm level;
performing hash calculation on the second attribute information of the alarm object, and storing the calculation result in the memory;
and determining whether the storage medium stores the alarm object or not according to the calculation result aiming at each alarm object.
2. The method of claim 1, wherein the processing the log with the first attribute information to obtain the alarm object including the second attribute information comprises:
acquiring a plurality of alarm tags of the management platform; each alarm tag represents a log alarm category that the management platform is concerned with;
if the alarm content in the first attribute information comprises at least one alarm tag, determining the log carrying the first attribute information as an alarm message;
and processing the alarm message to obtain an alarm object comprising second attribute information.
3. The method of claim 2, wherein the processing the alarm message to obtain an alarm object including second attribute information comprises:
constructing a mapping relation between an alarm tag and an alarm level;
determining the alarm level of the alarm message based on the mapping relation and the alarm tag included in the alarm content in the alarm message;
and encapsulating the alarm message and the alarm level of the alarm message to obtain an alarm object comprising second attribute information.
4. The method according to claim 1, wherein the determining, for each alarm object, whether the storage medium stores the alarm object according to the calculation result comprises:
for each alarm object, determining whether the alarm object is repeated according to the calculation result;
if the alarm object is repeated, updating the number of occurrences of the alarm object in the memory by using a counter of the AtomicLong class, and determining that the storage medium does not store the alarm object;
and if not, determining that the storage medium stores the alarm object.
5. The method of claim 4, wherein after updating the number of occurrences of the alarm object in the memory by using a counter of the AtomicLong class, the method further comprises:
and synchronizing the number of occurrences of the alarm object in the memory to the storage medium when a first preset duration has elapsed since the time point at which the memory first stored the calculation result corresponding to the alarm object.
6. The method of claim 5, after determining that the storage medium stores the alarm object, further comprising:
and acquiring the unique address at which the alarm object was first stored in the storage medium, so as to store the number of occurrences of the alarm object in the memory by using the unique address.
7. The method of claim 5, after determining that the storage medium stores the alarm object, further comprising:
when a second preset duration has elapsed since the time point at which the memory first stored the calculation result corresponding to the alarm object, if the number of occurrences of the alarm object in the memory is determined to be 1, deleting the calculation result corresponding to the alarm object stored in the memory; the second preset duration is greater than the first preset duration.
8. A log alarm processing device is applied to a management platform, wherein the management platform comprises a memory and a storage medium, and the device comprises:
the receiving module is used for receiving, by using the storage medium, the logs reported by multiple types of terminal equipment;
the processing module is used for processing the log carrying the first attribute information to obtain an alarm object comprising second attribute information; the first attribute information includes alarm content and a log source, and the second attribute information includes the alarm content, the log source and an alarm level;
the calculation module is used for carrying out Hash calculation on the second attribute information of the alarm object and storing the calculation result in the memory;
and the determining module is used for determining whether the storage medium stores the alarm object or not according to the calculation result aiming at each alarm object.
9. A log alarm processing device, comprising: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor, configured to invoke the machine readable program to perform the method of any of claims 1-7.
10. A computer readable medium having stored thereon computer instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110581089.5A CN113259166B (en) | 2021-05-27 | 2021-05-27 | Log alarm processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113259166A true CN113259166A (en) | 2021-08-13 |
CN113259166B CN113259166B (en) | 2021-10-01 |
Family
ID=77184943
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110581089.5A Active CN113259166B (en) | 2021-05-27 | 2021-05-27 | Log alarm processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113259166B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114064421A (en) * | 2021-11-16 | 2022-02-18 | 展讯通信(上海)有限公司 | Alarm processing method and device |
CN114466009A (en) * | 2021-12-22 | 2022-05-10 | 天翼云科技有限公司 | Data processing method, edge super-fusion terminal, cloud terminal and readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN113259166B (en) | 2021-10-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CP03 | Change of name, title or address | Address after: Room 01, floor 1, building 104, No. 3 minzhuang Road, Haidian District, Beijing 100195. Patentee after: Changyang Technology (Beijing) Co.,Ltd. Address before: 100195 room 01, 2 / F, building 103, 3 minzhuang Road, Haidian District, Beijing. Patentee before: CHANGYANG TECH (BEIJING) Co.,Ltd. |