CN114826773B - User-defined log alarming method and device based on log data - Google Patents

User-defined log alarming method and device based on log data

Info

Publication number: CN114826773B
Application number: CN202210621212.6A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114826773A
Prior art keywords: log, alarm, expression, log data, data
Inventors: 董环, 刘学毅
Current assignee: Hefei Zhuoxin Cloud Technology Co ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hefei Zhuoxin Cloud Technology Co ltd
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Events: application filed by Hefei Zhuoxin Cloud Technology Co ltd; priority to CN202210621212.6A; publication of CN114826773A; application granted; publication of CN114826773B; legal status currently Active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications

Abstract

The invention discloses a method for custom log alarming based on log data, in the field of network security. Log data fields are customized according to the actual service requirements; the author of a log alarm rule can pull different log data as needed and, through condition judgments on the log data fields, embed pre-designed operation rules such as logical comparison, ranges and value enumeration, thereby customizing the log data alarm rules. Several logic-rule parsing engines based on the log data fields are implemented, which automatically judge whether the log data reach the threshold of an alarm rule. If the alarm threshold is reached, the system automatically triggers an alarm push by e-mail.

Description

User-defined log alarming method and device based on log data
Technical Field
The invention relates to the field of network security, in particular to a method and steps for implementing a custom alarm based on log data fields.
Background
In the present big data era, network applications are numerous, and because of how their software is designed they are hard to secure on their own, so they depend on network security defenses placed in front of the application software. For this reason, internet servers and local area network servers today typically buy and install professional network security products to improve server security.
While a network security product is protecting a network, the usual way of informing operation and maintenance personnel about protection events is through logs. Operation and maintenance personnel then have to check the log files actively, which is inefficient and labor-intensive. In addition, current log monitoring and alarming in network security products is fixed to a number of alarm indicators; once the product is online, changing a monitoring indicator or adding a monitoring dimension requires developing and updating the monitoring program. A network security alarm system whose log alarms are set in a custom way based on the log data fields gives a high degree of freedom in defining alarm conditions, can monitor log data and raise alarms in real time, greatly eases operation and maintenance work and improves working efficiency.
Disclosure of Invention
The invention discloses a custom log alarm method based on log data fields, which solves the technical problems of the prior art: low working efficiency, heavy workload and high operating cost caused by having to monitor log files manually and by alarm indicators that are fixed yet need to be changed continually. The method is applied during the protection process of a network security product and comprises the following steps:
First, the fields of the log data are defined, and one log type field is set for each log record according to the actual service requirements. In the field of network security, the log fields should include the necessary fields such as network uplink traffic, network downlink traffic, number of network packets sent, number of network packets downloaded, log record timestamp and network security flag. During the protection process of the network security product, log records are written to the device's log file at the necessary time points or in the necessary scenarios according to the service design.
Next, a log alarm expression is designed from the log fields defined in the previous step, by writing custom expression logic over the log data fields. The expression logic supports the operations AND, OR, NOT, greater than, equal to, less than, greater than or equal to, less than or equal to, not equal to, numerical range, date range, field summation, and field addition, subtraction, multiplication and division, which completes the design of the custom alarm expression. The program stores the designed alarm expression in a database for analysis by the subsequent expression analysis engine.
Specifically, the custom alarm expression sets the log alarm in a custom way based on the types of the log data fields. The degree of customization is far higher than the fixed alarm indicators of the prior art, the alarm indicators no longer have to be changed by hand, the flexibility of log alarming is improved, and the rigidity of fixed indicators is reduced.
Second, an expression analysis engine is designed according to the custom alarm expression; it parses the expression and then judges whether a log alarm should be raised. The expression analysis engine mainly parses the operations AND, OR, NOT, greater than, equal to, less than, greater than or equal to, less than or equal to, not equal to, numerical range, date range, field summation, and field addition, subtraction, multiplication and division.
Specifically, the expression analysis engine is determined by the logic operations in the custom alarm expression; it parses the alarm indicators defined by the custom alarm expression and judges from the parsed result whether an alarm is required. This saves the labor of operation and maintenance personnel actively checking log files to decide whether to alarm, as in the prior art, and greatly improves working efficiency.
Based on the log data fields defined above, the custom alarm expressions determined from those fields and the expression analysis engine determined from the custom expressions, a log collection, log stream processing and log storage environment is built to store the data produced by log collection. The log data of each device is collected by Logstash and transmitted to Kafka in real time; the log processing program subscribes to the data in Kafka and writes the logs to Elasticsearch for storage.
Finally, the log processing program processes the log data in Kafka in real time: it reads the log data and the alarm expression obtained through the logic judgment, feeds both into the expression analysis engine, which computes over the log data and outputs whether an alarm is needed. If an alarm is needed, the next step raises it: the log alarm information that needs alarming is sent as an alarm mail through the unified mail sending module.
Correspondingly, the invention also provides a device for custom alarming based on log data fields, applied during the protection process of a network security product, comprising:
A self-defining module, which defines the fields of the log data according to the actual service requirements and gives each log record a log type field. The log fields should include the necessary fields such as network upstream traffic, network downstream traffic, number of network packets sent, number of network packets downloaded, log record timestamp and network security tag. Specifically, during the protection process of the network security product, log records are written to the device's log file at the necessary time points or in the necessary scenarios according to the service design, so that the processing module can write custom expression logic over the fields of the log data.
A processing module, which writes custom expression logic over the fields of the log data to determine a custom alarm expression. The expression logic supports the operations AND, OR, NOT, greater than, equal to, less than, greater than or equal to, less than or equal to, not equal to, numerical range, date range, field summation, and field addition, subtraction, multiplication and division, and is used to complete the design of the custom alarm expression. The program stores the designed alarm expression in a database for analysis by the subsequent expression analysis engine. An expression analysis engine is designed according to the custom alarm expression to recognize and parse the various logic judgments and calculation methods in the alarm expression.
A storage module, which builds a log collection, log stream processing and log storage environment using the data produced by the modules above. The log data of each device is collected by Logstash and transmitted to Kafka in real time; the log processing program subscribes to the data in Kafka and writes the logs to Elasticsearch for storage.
Correspondingly, the custom alarm expression in the processing module is determined from the logic judgments generated over the log data and stored by the processing module; when the expression analysis engine needs to parse the logic judgments of the custom alarm expression, it retrieves the corresponding data from this module.
An alarm module, which uses the log processing program to process the log data in Kafka in real time, reads the log data and the alarm expression obtained through the logic judgment, feeds them into the expression analysis engine, which computes over the log data and outputs whether an alarm is needed. If an alarm is needed, the next step raises it: the log alarm information that needs alarming is sent as an alarm mail through the unified mail sending module.
Therefore, by applying this technical scheme, the method dynamically determines the custom alarm expression from the log data fields; the expression engine is determined from the custom alarm expression, an alarm is raised when the result parsed by the expression analysis engine requires one, and monitoring continues otherwise. Because the custom alarm expression can define alarm indicators dynamically for fields of different types, the alarm indicators, monitoring indicators and monitoring dimensions can be modified on the basis of the log data fields without writing code or updating the monitoring program; log files no longer have to be checked and maintained by hand, labor is saved, operation and maintenance become more convenient, and operating costs are reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 shows the data processing flow chart of the log data field-based custom alarm method according to an embodiment of the present invention;
FIG. 2 shows the design and parsing of an alarm expression in the custom log alarm method based on log data according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of the custom log alarm device based on log data according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
First embodiment:
Referring to the log data processing flow of FIG. 1:
Step S101: at the network security product end, the running log is written to the log file on the server according to the pre-designed service. The Filebeat service built into the security product collects the log data automatically and transmits it to Logstash.
Specifically, the field types that the fields should contain are determined for the different fields, so that the custom alarm expression can be determined by logic operations on those field types; this ensures that the field types in the custom alarm expression are complete, that all types are covered, and that a custom alarm expression designed against those field types is accurate.
Step S102: after Logstash has collected the log data, it adds a timestamp, aggregates the data and stores it in Kafka; a custom alarm expression is determined from the log data in Logstash, forming the custom alarm system.
Step S103: the custom alarm system subscribes to and consumes the data in Kafka. An expression analysis engine is generated from the custom alarm expression; it parses the functions in the custom alarm expression, accumulates numeric fields according to the expression, and implements aggregation, comparison and other operations. A periodic alarm mechanism can be implemented by accumulating variable values over a period. If the alarm condition threshold is reached, the alarm data is sent to the mail alarm module.
Step S104: the log data is stored in Elasticsearch, monitoring continues to check whether step S103 requires an alarm, and the above steps are repeated to judge whether an alarm is needed.
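The consumer side of steps S102 to S104, in particular the accumulation of values over a period that step S103 mentions, as an added example in Python; it is not the patent's or the assignee's code. It keeps a running per-device total for each one-minute window, raises the alarm once when the total first crosses the threshold, suppresses repeats for the same window (otherwise every further record in a busy minute would send another mail), and expires old windows so a long-running consumer does not grow without bound. The notify callable stands in for the unified mail sending module, and the Kafka consumer is represented by any iterable of decoded records. The window length, the threshold, the field names and the sample records are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 60        # assumed statistical window (the patent's example spans one minute)
THRESHOLD_BYTES = 10000    # assumed threshold, matching the patent's example


def window_start(ts):
    """Truncate a 'YYYY-MM-DD HH:MM:SS' timestamp to the start of its window (string key)."""
    dt = datetime.fromisoformat(ts).replace(microsecond=0)
    offset = (dt.minute * 60 + dt.second) % WINDOW_SECONDS
    return (dt - timedelta(seconds=offset)).strftime("%Y-%m-%d %H:%M:%S")


class AlarmAccumulator:
    """Per (device, window) running totals plus the set of windows already alerted."""
    def __init__(self, notify):
        self.totals = defaultdict(int)   # (deviceId, window start) -> bytes so far
        self.alerted = set()             # keys that have already produced one mail
        self.notify = notify             # callable(subject, body); stands in for the mail module

    def process(self, record):
        """Consume one log record; return True if it triggered a new alarm."""
        key = (record["deviceId"], window_start(record["time"]))
        self.totals[key] += int(record["upBytes"]) + int(record["downBytes"])
        if self.totals[key] <= THRESHOLD_BYTES or key in self.alerted:
            return False
        self.alerted.add(key)            # one mail per device and window, not per record
        device, window = key
        self.notify(f"[traffic] {device} exceeded {THRESHOLD_BYTES} bytes",
                    f"device={device} window={window} total={self.totals[key]}")
        return True

    def expire(self, before):
        """Drop state for windows that start before `before` (a timestamp string)."""
        cutoff = window_start(before)
        for key in [k for k in self.totals if k[1] < cutoff]:
            del self.totals[key]
            self.alerted.discard(key)


def run(records, notify):
    """Feed records (e.g. JSON-decoded Kafka message values) through one accumulator."""
    acc = AlarmAccumulator(notify)
    for rec in records:
        acc.process(rec)
    return acc


# Constructed records standing in for the Kafka stream of one log type.
SAMPLE_STREAM = [
    {"deviceId": "fw-01", "time": "2022-01-10 00:00:05", "upBytes": 6000, "downBytes": 5000},  # 11000: alarm
    {"deviceId": "fw-01", "time": "2022-01-10 00:00:20", "upBytes": 100, "downBytes": 50},     # still over, no repeat
    {"deviceId": "fw-02", "time": "2022-01-10 00:00:30", "upBytes": 3000, "downBytes": 2000},  # 5000: below
    {"deviceId": "fw-02", "time": "2022-01-10 00:00:50", "upBytes": 4000, "downBytes": 3000},  # 12000: alarm
    {"deviceId": "fw-01", "time": "2022-01-10 00:01:10", "upBytes": 500, "downBytes": 500},    # new window
]

if __name__ == "__main__":
    run(SAMPLE_STREAM, lambda subject, body: print(subject, "|", body))
```

Running the module prints exactly two alarm lines, one for fw-01 and one for fw-02, although three of the five records are over the threshold when they arrive; the dedup set is what turns a threshold check into an alarm rather than an alarm storm. In the real consumer, expire would be called periodically with the current time rather than with a fixed timestamp.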
By executing this technical scheme, log alarms are set in a custom way based on the log data fields, forming a network security alarm system with a high degree of freedom in defining alarm conditions that can monitor log data and raise alarms in real time, which greatly eases operation and maintenance management and improves working efficiency. It solves the problem that, during the protection process of a network security product, protection information is conveyed to operation and maintenance personnel through logs that they must actively check, which is inefficient and labor-intensive.
Specific embodiment II:
Alarm expression design and parsing, with reference to FIG. 2:
Step S201: pull any piece of log data that requires a custom alarm. Through data processing, the field keys of the log are read and metadata is generated automatically; on the page, the data type of each metadata item can be customized, such as string, int, float, boolean and so on (the calculation for each data type has to be implemented in the expression parser). The metadata is stored in association with the log type.
Step S202: the custom alarm expression is drawn up on the expression designer page; the log field metadata is pulled and assembled with operators into the custom expression.
The expression designer works from the field metadata using preset comparison operators and logical operators, and parentheses raise the precedence of a calculation. For example:
Metadata definition:
{ name: "upstream traffic", key: "upBytes", type: "int" }
{ name: "downstream traffic", key: "downBytes", type: "int" }
{ name: "time", key: "time", type: "date" }
{ name: "device type", key: "deviceType", type: "string" }
Example expression:
{
JUSON_LogType : "SBLL",
JUSON_ByType : "by_device",
JUSON_Calc : "JUSON_SUM(${upBytes} + ${downBytes}) > 10000",
JUSON_Where : "${time} >= '2022-01-10 00:00:00' && ${time} <= '2022-01-10 00:00:59'"
}
Meaning: for each device, over the records between 2022-01-10 00:00:00 and 2022-01-10 00:00:59, when the sum of uplink and downlink traffic is greater than 10000, raise an alarm that the device's traffic exceeds the threshold of 10000.
Step S203: the alarm expression is stored in the MySQL database as a JSON string. The JSON string is determined from the types of the log data fields.
Step S204: alarm processing loads the log data and the alarm expressions, processes the data, and makes the alarm judgment in combination with the expression parser.
The expression parser parses the expression: an expression analysis engine is designed according to the custom alarm expression, and after parsing it judges whether a log alarm is needed. The expression analysis engine mainly parses the operations AND, OR, NOT, greater than, equal to, less than, greater than or equal to, less than or equal to, not equal to, numerical range, date range, field summation, and field addition, subtraction, multiplication and division. The content the expression analysis engine is designed to parse is as follows:
(1) Log type (JUSON_LogType): generated automatically from the logs produced by the device end during metadata processing. Each type corresponds to a set of metadata, from which the actual values of the metadata fields can be obtained.
(2) Statistical dimension (JUSON_ByType): by device (by_device), by log type (by_logType), by session (by_session), by interface (by_ifname), etc.
(3) Calculation functions (used in expressions and conditions): numeric accumulation (JUSON_SUM), average (JUSON_AVG), maximum (JUSON_MAX), minimum (JUSON_MIN), whether a value is included (JUSON_HAS), etc.
(4) Condition range (JUSON_Where): controls the range of the statistical data.
(5) Common operations: mathematical operations (addition, subtraction, multiplication, division), logical operations (AND, OR, NOT), comparison operations (greater than, equal to, less than, greater than or equal to, less than or equal to, not equal to).
Step S205: the alarm judgment is made according to the result parsed by the expression parser in step S204. If an alarm is needed, the alarm is sent by mail through the mail server, or through other alarm channels. If no alarm is needed, the next set of data continues to be monitored.
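The expression design and the parsing engine of steps S201 to S205, as an added worked example in Python; it is not the patent's or the assignee's code. It evaluates a rule of the form shown above against constructed log records: the ${key} placeholders are validated against the metadata of the rule's log type, the && / || / ! / = operators are translated, and the expression is parsed with Python's ast module and checked against a whitelist of node types before being evaluated with no builtins. That check is the security-relevant point an implementer of step S203 and S204 must not skip: the rules are authored on a web page and loaded from the database, so the engine must never hand them to a general-purpose eval(). The aggregate functions are folded per statistical group, so JUSON_SUM(...) is computed over all records of one device. The field names deviceId and logType, used for the by_device and by_logType dimensions, and the sample records are assumptions; the page does not name them.

```python
import ast
import copy
import re
from collections import defaultdict
from datetime import datetime

# Constructed metadata for the "SBLL" log type, modelled on the patent's example.
# "deviceId" and "logType" are assumed field names for the by_device / by_logType dimensions.
METADATA = {"SBLL": [{"key": "upBytes", "type": "int"}, {"key": "downBytes", "type": "int"},
                     {"key": "time", "type": "date"}, {"key": "deviceType", "type": "string"},
                     {"key": "deviceId", "type": "string"}, {"key": "logType", "type": "string"}]}
BY_TYPE = {"by_device": "deviceId", "by_logType": "logType"}
# Aggregates receive the per-record values of their first argument; JUSON_HAS also takes a constant.
AGG = {"JUSON_SUM": lambda v: sum(v), "JUSON_AVG": lambda v: sum(v) / len(v) if v else 0,
       "JUSON_MAX": lambda v: max(v), "JUSON_MIN": lambda v: min(v),
       "JUSON_HAS": lambda v, x: x in v}
# Whitelist of AST nodes a stored rule may contain. Attributes, subscripts, lambdas and
# comprehensions are rejected, so a rule edited on the web page and loaded from MySQL cannot
# escape into the interpreter even though the final step uses eval() on the checked tree.
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
           ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Compare, ast.Eq, ast.NotEq,
           ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Constant, ast.Name, ast.Load, ast.Call)


def compile_expr(text, fields):
    """Translate a rule expression into a checked AST; `fields` maps key -> type."""
    def placeholder(m):
        if m.group(1) not in fields:
            raise ValueError(f"unknown log field: {m.group(1)}")
        return "F_" + m.group(1)
    # Operator translation is textual and assumes &&, ||, ! and = do not occur inside quotes.
    src = re.sub(r"\$\{\s*(\w+)\s*\}", placeholder, text)
    src = src.replace("&&", " and ").replace("||", " or ")
    src = re.sub(r"!(?!=)", " not ", src)           # logical NOT, but keep !=
    src = re.sub(r"(?<![=!<>])=(?!=)", "==", src)    # a lone '=' means equality
    tree = ast.parse(src, mode="eval")
    func_names = {id(n.func) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name) or node.func.id not in AGG or node.keywords:
                raise ValueError("only JUSON_* aggregate functions may be called")
        elif isinstance(node, ast.Name) and id(node) not in func_names:
            if not (node.id.startswith("F_") and node.id[2:] in fields):
                raise ValueError(f"unexpected name: {node.id}")
    return tree


def _run(tree, env):
    """Evaluate a checked tree with no builtins and only typed field values in scope."""
    return eval(compile(ast.fix_missing_locations(tree), "<rule>", "eval"), {"__builtins__": {}}, env)


def typed_env(record, fields):
    """Cast raw values to their metadata types; dates become canonical strings so that
    comparison against a quoted date literal orders correctly."""
    casts = {"int": int, "float": float, "boolean": bool, "string": str,
             "date": lambda v: datetime.fromisoformat(str(v)).strftime("%Y-%m-%d %H:%M:%S")}
    return {"F_" + key: casts[typ](record[key]) for key, typ in fields.items()}


class _FoldAggregates(ast.NodeTransformer):
    """Replace each JUSON_xxx(expr, ...) call by its value over one statistical group."""
    def __init__(self, group):
        self.group = group

    def visit_Call(self, node):
        values = [_run(ast.Expression(body=node.args[0]), env) for env in self.group]
        extra = [_run(ast.Expression(body=a), {}) for a in node.args[1:]]
        return ast.Constant(AGG[node.func.id](values, *extra))


def evaluate_rule(rule, records):
    """Return the sorted group keys (e.g. device ids) for which the rule fires."""
    fields = {m["key"]: m["type"] for m in METADATA[rule["JUSON_LogType"]]}
    where = compile_expr(rule["JUSON_Where"], fields)
    calc = compile_expr(rule["JUSON_Calc"], fields)
    groups = defaultdict(list)
    for rec in records:
        if rec.get("logType") != rule["JUSON_LogType"]:
            continue                                  # other log types have other metadata
        env = typed_env(rec, fields)
        if _run(where, env):                          # JUSON_Where narrows the statistical range
            groups[env["F_" + BY_TYPE[rule["JUSON_ByType"]]]].append(env)
    return sorted(key for key, group in groups.items()
                  if _run(_FoldAggregates(group).visit(copy.deepcopy(calc)), {}))


# The patent's example rule (time window written as a closed range) and constructed records.
RULE = {"JUSON_LogType": "SBLL", "JUSON_ByType": "by_device",
        "JUSON_Calc": "JUSON_SUM(${upBytes} + ${downBytes}) > 10000",
        "JUSON_Where": "${time} >= '2022-01-10 00:00:00' && ${time} <= '2022-01-10 00:00:59'"}


def _sbll(dev, dtype, t, up, down):
    return {"logType": "SBLL", "deviceId": dev, "deviceType": dtype, "time": t, "upBytes": up, "downBytes": down}


SAMPLE_LOGS = [
    _sbll("fw-01", "firewall", "2022-01-10 00:00:05", 6000, 5000),
    _sbll("fw-01", "firewall", "2022-01-10 00:00:20", 100, 50),
    _sbll("fw-02", "firewall", "2022-01-10 00:00:30", 3000, 2000),
    _sbll("fw-02", "firewall", "2022-01-10 00:05:00", 9000, 9000),   # outside the window
    _sbll("sw-01", "switch", "2022-01-10 00:00:40", 10, 10),
    {"logType": "AUTH", "deviceId": "fw-01", "user": "admin"},        # other log type, skipped
]
```

evaluate_rule(RULE, SAMPLE_LOGS) returns ['fw-01']: fw-01 accumulates 11150 bytes inside the window, fw-02 only 5000 because its large record falls outside the JUSON_Where range. Swapping JUSON_Calc for JUSON_MAX(${upBytes}) >= 3000 fires for both firewalls, and a rule text such as __import__('os').system('id') or ${upBytes}.__class__ is rejected by compile_expr before anything is evaluated. A production engine would go one step further and parse the rule with its own grammar instead of borrowing Python's; the whitelist is the minimum that makes borrowing it defensible.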
By executing this technical scheme, the design of the custom alarm expression and the design and concrete parsing method of the expression analysis engine are described in detail, realizing the so-called custom log alarm setting and forming a network security alarm system with a high degree of freedom in defining alarm conditions that can monitor log data and raise alarms in real time.
Third embodiment:
Referring to FIG. 3, a schematic structural diagram of the custom log alarm device based on log data:
Step S301: the self-defining module defines the fields of the log data according to the actual service requirements and gives each log record a log type field;
specifically, the fields of the log data are defined, and the log type field is set according to the type of the log data.
Step S302: the processing module writes custom expression logic over the fields of the log data, and determines an expression analysis engine according to the custom alarm expression; the expression logic supports the operations AND, OR, NOT, greater than, equal to, less than, not equal to, numerical range, date range, field summation, and field addition, subtraction, multiplication and division.
Specifically, a custom alarm expression is determined, and an expression analysis engine is determined according to it. The custom alarm expression is determined from the log data fields; the expression analysis engine is determined by the logic operations and parses the logic operations in the custom alarm expression.
Step S303: the storage module builds a log collection, log stream processing and log storage environment using the data produced by the modules. The module collects the log data of each device, transmits it in real time to the data stream that the log processing program subscribes to, and outputs and stores the processed log data.
Step S304: the alarm module uses the result of the expression analysis engine parsing the log alarm expression to determine whether an alarm is needed, specifically:
the generated log data is processed in real time by the log processing program; the log data and the alarm expression are read and fed into the expression analysis engine, which computes over them and outputs whether an alarm is needed. If an alarm is needed, the next step raises it: the log alarm information that needs alarming is sent as an alarm mail through the system's unified mail sending module, and the alarm data is stored in a dedicated alarm record index table for subsequent visual display. If no alarm is needed, the next set of data continues to be monitored.
Those skilled in the art will appreciate that the drawings are merely schematic illustrations of a preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to practice the invention.
Those skilled in the art will appreciate that the modules of a device in an implementation scenario may be distributed across the device as described for that scenario, or may, with corresponding changes, be located in one or more devices different from those of the scenario. The modules of an implementation scenario may be combined into one module or further split into several sub-modules.
The sequence numbers of the above embodiments are merely for description and do not represent the relative merits of the implementation scenarios.
The foregoing disclosure is merely illustrative of some embodiments of the invention, and the invention is not limited thereto, as modifications may be made by those skilled in the art without departing from the scope of the invention.

Claims (9)

1. The method for custom log alarming based on log data is characterized by being applied to the field of network security, and comprises the following steps:
(1) Carrying out custom expression logic writing by using the fields of log data to determine a log alarm expression, wherein the fields of the log data are defined according to service requirements;
(2) Designing an expression analysis engine according to the log alarm expression, and automatically analyzing the log alarm expression which is determined by logic writing of the custom expression;
(3) Monitoring log data in real time according to the expression analysis engine, and judging whether an alarm is given according to the result of the expression analysis engine;
the method comprises the steps of carrying out custom expression logic writing and determining a log alarm expression by using fields of log data, wherein the method comprises the following steps:
the log alarm expression is stored in a database through a real-time processing program so as to be analyzed by a subsequent expression analysis engine;
the log alarm expression is determined by pulling log field metadata, combining with the sum, or not, more than, equal to, less than, more than or equal to, not equal to, a numerical value range, a date range, field summation, field addition, subtraction, multiplication and division and self-defining assembly of log data fields;
the real-time processing program stores the log alarm expression so as to be called by an expression analysis engine;
the log data field is used for determining a log alarm expression, custom expression logic writing is carried out according to the type of the log data field, and the log alarm expression is determined.
2. The method of claim 1, wherein the log data field is configured with a log type field according to each log data, and is defined according to the determined log type field, wherein the defined log field includes network uplink traffic, network downlink traffic, network transmission packet number, network download packet number, log record time stamp, and network security flag.
3. The method of claim 1, wherein the expression parsing engine is configured to parse the log alarm expression and determine whether an alarm is needed according to the result, and the method is specifically as follows:
judging whether to alarm according to the analyzed result of the expression analysis engine, specifically comprising:
the log data and the alarm expression are read and input to the expression analysis engine, the calculation is carried out by the expression analysis engine, and whether the alarm is needed or not is output; if the alarm is needed, turning to the next step to alarm; the method comprises the steps that log alarm information needing to be alarmed is subjected to mail alarm by using a unified mail sending module of a system; the alarm data are stored in a unified warehouse to a special alarm record index table for subsequent visual display; if the alarm is not needed, continuing to analyze;
the expression analysis engine is used for analyzing log types, statistical dimensions, calculation functions, condition ranges and common operations through AND, OR, NOT, more than, equal to, less than, more than or equal to, less than or equal to, numerical value ranges, date ranges, field summation, field addition, subtraction, multiplication and division determination according to the log alarm expressions.
4. A method for custom log alarming based on log data according to any one of claims 1-3, wherein the log collection, log stream processing and log storage environment are built according to data fields generated in the definition and analysis process; the storage environment stores the contents of the log data field, the log alarm expression and the expression analysis engine for calling and searching when the program runs.
5. A log data-based custom log alert device, the device comprising:
and a self-defining module: the module defines the fields of the log data, and gives each log data a log type field;
the processing module is used for: the module uses the fields of log data to carry out custom expression logic writing, and determines an expression analysis formula engine according to the log alarm expression;
and a storage module: the module builds a log collection, log stream processing and log storage environment;
and an alarm module: the module processes log data in real time by using a log processing program, reads the log data and an alarm expression obtained through logic judgment, inputs the log data and the alarm expression into an expression analysis engine, calculates the log data by the expression analysis engine, and judges whether the output needs an alarm or not;
the method comprises the steps of carrying out custom expression logic writing and determining a log alarm expression by using fields of log data, wherein the method comprises the following steps:
the log alarm expression is stored in a database through a real-time processing program so as to be analyzed by a subsequent expression analysis engine;
the log alarm expression is determined by pulling log field metadata, combining with the sum, or not, more than, equal to, less than, more than or equal to, not equal to, a numerical value range, a date range, field summation, field addition, subtraction, multiplication and division and self-defining assembly of log data fields;
the real-time processing program stores the log alarm expression so as to be called by an expression analysis engine;
the log data field is used for determining a log alarm expression, custom expression logic writing is carried out according to the type of the log data field, and the log alarm expression is determined.
6. The apparatus for log data-based custom log alerting as claimed in claim 5, wherein the custom module is specifically configured to:
and defining a field of log data, and setting a log type field according to the type of the log data.
7. The apparatus for custom log alerting based on log data as claimed in claim 5, wherein the processing module is specifically configured to:
determine a log alarm expression and determine an expression analysis engine according to the log alarm expression;
the log alarm expression is determined from the log data fields, and the expression analysis engine is determined by the logic operations and analyzes the logic operations in the log alarm expression.
8. The apparatus for custom log alerting based on log data as claimed in claim 5, wherein the storage module is specifically configured to:
collect the log data generated by the custom module and the processing module and build a storage environment, so that the alarm module can conveniently call and search the log data.
9. The apparatus for custom log alerting based on log data as claimed in claim 5, wherein the alarm module is specifically configured to:
have the expression analysis engine analyze the result of the log alarm expression and judge whether an alarm is needed, which specifically comprises the following steps:
the log data and the alarm expression are read and input into the expression analysis engine, the engine performs the calculation and outputs whether an alarm is needed; if an alarm is needed, the next step raises it: the log alarm information is sent as a mail alarm using the system's unified mail sending module, and the alarm data is stored in a unified warehouse in a dedicated alarm record index table for subsequent visual display; if no alarm is needed, monitoring continues with the next set of data.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210621212.6A CN114826773B (en) 2022-06-02 2022-06-02 User-defined log alarming method and device based on log data
Publications (2)

Publication Number Publication Date
CN114826773A CN114826773A (en) 2022-07-29
CN114826773B true CN114826773B (en) 2024-04-16

Family

ID=82519736

Country Status (1)

Country Link
CN (1) CN114826773B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115934782B (en) * 2023-02-13 2023-05-12 山东星维九州安全技术有限公司 Method for analyzing and processing security log and computer storage medium
CN117785831A (en) * 2024-01-05 2024-03-29 合肥卓讯云网科技有限公司 Log processing method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2230602A1 (en) * 2009-03-18 2010-09-22 Fujitsu Limited Processing apparatus and method for acquiring log information
CN107612740A (en) * 2017-09-30 2018-01-19 武汉光谷信息技术股份有限公司 A kind of daily record monitoring system and method under distributed environment
CN112906373A (en) * 2021-02-20 2021-06-04 成都新希望金融信息有限公司 Alarm calculation method and device, electronic equipment and storage medium
CN113676464A (en) * 2021-08-09 2021-11-19 国家电网有限公司 Network security log alarm processing method based on big data analysis technology
CN114548706A (en) * 2022-01-27 2022-05-27 广州车行易科技股份有限公司 Early warning method for business risk and related equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11582251B2 (en) * 2020-05-26 2023-02-14 Paypal, Inc. Identifying patterns in computing attacks through an automated traffic variance finder

Also Published As

Publication number Publication date
CN114826773A (en) 2022-07-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant