CN116074095A - Log analysis method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116074095A
Authority
CN
China
Prior art keywords
log
client
log file
file
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310105366.4A
Other languages
Chinese (zh)
Inventor
申勐
王欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202310105366.4A
Publication of CN116074095A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a log analysis method, a device, equipment and a storage medium, which relate to the field of network security and comprise the following steps: acquiring state information of a client in a preset database based on a service layer in a service end, and judging whether the client is in an online state or not; if yes, sending a log acquisition instruction to the client to acquire a first log file sent by the client, and analyzing the first log file; comparing the event ID in the analyzed first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event; and collecting a second attack event of the associated client, and determining an attack scene through attack link aggregation. The associated clients are determined once the analyzed event ID has identified the attack event, and the attack scene is then obtained from the attack events of all clients, so that the attack event can be determined automatically and responded to even in a complex network environment, which improves the response efficiency for network security events.

Description

Log analysis method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for log analysis.
Background
When responding to a network security event, operation and maintenance personnel locate the problem and resolve the event by collecting and analyzing server logs. In a complex network environment, however, a network security event involves more servers, so the number of servers to be analyzed increases and the personnel cannot quickly sort out the event or locate the associated hosts. This leaves them confused about, and missing information on, the internal network environment they are working in, reduces the efficiency of the emergency response, and so causes great loss to the victim enterprise.
In the prior art, log files can be collected automatically according to the log storage path of a server, but in a complex network environment the personnel must first analyze a known problem server, then judge from the analysis results and their experience which other servers may be affected, and then repeat the log collection and analysis. This greatly reduces the efficiency of the emergency response process and may introduce analysis errors. How to improve both the efficiency and the accuracy of emergency response to network security events is therefore a problem to be solved in the art.
Disclosure of Invention
Accordingly, the present invention aims to provide a log analysis method, apparatus, device and storage medium, which can determine an attack event through the analyzed event ID, then determine an associated client, and obtain an attack scene according to the attack events of all clients, and automatically determine the attack event to respond in a complex network environment, thereby improving the response efficiency of network security events. The specific scheme is as follows:
in a first aspect, the present application provides a log analysis method, applied to a server, including:
acquiring state information of a client corresponding to the server in a preset database based on a preset service layer in the server, and judging whether the client is in an online state based on the state information of the client;
if yes, a log acquisition instruction is sent to the client to acquire a first log file sent by the client, and file analysis is carried out based on a corresponding format of the first log file;
comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event;
and acquiring a second log file of the associated client, determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation.
Optionally, before the obtaining, based on the preset service layer in the service end, the state information of the client corresponding to the service end in the preset database, the method further includes:
determining a log acquisition mode based on a preset interface layer of the server;
and if the log acquisition mode is automatic acquisition, triggering the step of acquiring the state information of the client corresponding to the server in a preset database based on a preset service layer in the server.
Optionally, after determining the log collection mode based on the preset interface layer of the server, the method further includes:
if the log acquisition mode is automatic acquisition, determining a corresponding target client through the pre-acquired IP address of the equipment to be monitored so as to determine the target acquisition range of the automatic acquisition; the equipment to be monitored is provided with a corresponding client in advance;
correspondingly, the step of obtaining the state information of the client corresponding to the server in the preset database based on the preset service layer in the server includes:
and acquiring state information of the target client corresponding to the target acquisition range in a preset database based on a preset service layer in the server.
Optionally, after determining the log collection mode based on the preset interface layer of the server, the method further includes:
if the log collection mode is manual uploading, directly receiving a third log file uploaded by a worker through a preset file receiving interface, and analyzing the file based on a corresponding format of the third log file.
Optionally, the obtaining the first log file sent by the client includes:
and acquiring a first log file which is sent to the preset shared folder by the client from the preset shared folder for storage.
Optionally, the file parsing based on the corresponding format of any log file includes:
judging the file format of the log file based on the file suffix of the log file;
if the file format of the log file is a compressed package format, decompressing the log file to obtain an evtx log file, and analyzing the evtx log file;
if the file format of the log file is the evtx format, directly analyzing the file of the log file.
Optionally, the comparing the analyzed event ID in the first log file with a preset rule base to determine a first attack event corresponding to the first log file includes:
determining an attack behavior corresponding to the first log file according to the event ID in the first log file based on a preset rule base;
analyzing the first log file based on the attack condition corresponding to the attack behavior to obtain a first attack event corresponding to the first log file.
In a second aspect, the present application provides a log analysis device, applied to a server, including:
the state determining module is used for acquiring state information of a client corresponding to the server in a preset database based on a preset service layer in the server, and judging whether the client is in an online state based on the state information of the client;
the file analysis module is used for, if the client is in an online state, sending a log acquisition instruction to the client to acquire a first log file sent by the client, and carrying out file analysis based on a corresponding format of the first log file;
the client determining module is used for comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event;
the scene restoration module is used for collecting a second log file of the associated client and determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation.
In a third aspect, the present application provides an electronic device comprising a processor and a memory; the memory is used for storing a computer program, and the computer program is loaded and executed by the processor to realize the log analysis method.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program which when executed by a processor implements the aforementioned log analysis method.
In the application, firstly, state information of a client corresponding to the server in a preset database is acquired based on a preset service layer in the server, and whether the client is in an online state is judged based on the state information of the client; if the client is in an online state, a log acquisition instruction is sent to the client to acquire a first log file sent by the client, and file analysis is carried out based on a corresponding format of the first log file; comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event; and acquiring a second log file of the associated client, determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation. Therefore, according to the technical scheme, the server can analyze the event ID in the log file of the corresponding client to determine the corresponding attack event, determine the associated client according to the current attack event, and automatically restore the attack scene according to the first attack event and the second attack event of the associated client.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a log analysis method provided in the present application;
FIG. 2 is a flowchart of a specific log analysis method provided in the present application;
FIG. 3 is a diagram illustrating an example of log file content provided herein;
FIG. 4 is a flowchart of a specific log analysis method provided in the present application;
FIG. 5 is a flowchart of a log analysis module provided in the present application;
FIG. 6 is a flow chart of communication between an agent end and a server end provided in the present application;
FIG. 7 is a schematic structural diagram of a log analysis device provided in the present application;
FIG. 8 is a block diagram of an electronic device provided in the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
A network security event in a complex network environment can involve many servers; operation and maintenance personnel cannot quickly sort out the event and locate the associated hosts, so emergency response efficiency is low. Although the prior art can collect log files automatically, the personnel still have to analyze the known problem servers and infer the other problem servers from the analysis results.
Referring to fig. 1, an embodiment of the present invention discloses a log analysis method, which is applied to a server, and includes:
step S11, acquiring state information of a client corresponding to the server in a preset database based on a preset service layer in the server, and judging whether the client is in an online state based on the state information of the client.
It should be noted that the log analysis method disclosed in this embodiment is divided into a server end and an agent end, that is, a server and a client, where the client runs on a device to be monitored; for example, a client running on a server corresponding to the server end is taken as the client corresponding to the server end. In this embodiment, the state information of the client is first obtained from a preset database based on a preset service layer in the server end, and whether the client is online is determined from that state information.
As shown in fig. 2, the service end is divided into an interface layer and a service layer. The preset service layer processes, analyzes and links the log files; it is developed in Go and can be divided into two modules, a log analysis module and an analysis result processing module. The server end obtains the client's state information from the preset database through the log analysis module in the service layer in order to judge the client's state. It can be understood that the agent end is deployed together with the server end, the deployment targets being all Windows servers or personal hosts in the current network environment. After deployment, each agent communicates with the server end and sends its local state information, that is, the client state information, including the system version, IP address, processes, services and the like. The server end receives this information, stores it in the preset database, and judges from the stored client state information whether the client is online before the next operation. Because the client state information is stored in the preset database as soon as the agent end is deployed, the server end can later read it directly from the database, which makes confirming the client state before log collection more efficient.
And step S12, if yes, a log acquisition instruction is sent to the client to acquire a first log file sent by the client, and file analysis is carried out based on a corresponding format of the first log file.
In this embodiment, when the agent end is online, the server end issues a log acquisition instruction to the agent end and obtains the first log file that the agent end sends back. It can be understood that the agent end has a built-in function for receiving instructions; after the log acquisition instruction arrives from the server end, the agent executes it on the server it runs on, that is, the device to be monitored. After receiving the log file, the log analysis module of the server end must first determine the format of the received log file and select the corresponding analysis strategy for that format. As shown in fig. 3, the log analysis module uses the elastic/beats module in Go to call wevtapi.dll, which parses the log file and extracts fields such as the event ID, recorded event, process ID, thread ID, destination address and source address.
And S13, comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event.
In this embodiment, the analyzed event ID in the first log file is compared with a preset rule base that integrates rules linking each event ID to the corresponding system event behavior and to the possible attack behaviors. The comparison determines the first attack event corresponding to the first log file, and the associated client of the first log file is determined through that first attack event: for example, once a log record in the first log file has matched a system event behavior or attack behavior, the destination address, source address and occurrence event fields of the record are extracted and used to find the other servers associated with it, so that their logs can be collected and analyzed in turn. Because the associated servers are found through the system event behavior or attack behavior matched in the log, the errors that manual searching for associated servers may cause are avoided, and the log files are analyzed faster.
Step S14, collecting a second log file of the associated client and determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation.
In this embodiment, after the associated server has been determined, the second log file of the associated client is collected and the corresponding second attack event is determined from it; the second attack event is determined in the same way as the first and is not described again here. As shown in fig. 2, the output of the log analysis module then enters the analysis result processing module of the service layer. There, for the attack event, attack link aggregation combines the analysis results of the associated assets, that is, the associated clients, and the attack scene is restored from the aggregated result. Analyzing the log files of the associated servers and combining the analysis results of the several clients that may have suffered the network attack improves the response accuracy for the network security event.
As shown in fig. 2, according to the above technical solution, in this embodiment, state information of a client corresponding to the server in a preset database is first obtained based on a preset service layer in the server, and whether the client is in an online state is determined based on the state information of the client; if the client is in an online state, a log acquisition instruction is sent to the client to acquire a first log file sent by the client, and file analysis is carried out based on a corresponding format of the first log file; comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event; and acquiring a second log file of the associated client, determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation. Therefore, according to the technical scheme, the server can analyze the event ID in the log file of the corresponding client to determine the corresponding attack event, determine the associated client according to the current attack event, and automatically restore the attack scene according to the first attack event and the second attack event of the associated client.
Based on the above embodiment, the present application may automatically collect the log file and analyze the log file to determine the attack event of the associated server, and the following detailed description will be given on the process of log collection and log file analysis. Referring to fig. 4, an embodiment of the present application discloses a specific log analysis method, which is applied to a server, and includes:
step S21, determining a log acquisition mode based on a preset interface layer of the server.
Based on the above embodiment, the server end is divided into an interface layer and a service layer. The interface layer is the front-end Web page function area and is developed with the Vue framework, which is lightweight, offers bidirectional data binding and componentization, runs fast, and is well suited to building a task-management style Web front end. This embodiment determines the log collection mode through the preset interface layer. The interface layer is specifically used for task management, log collection and result display. Task management covers creating tasks, managing project personnel and displaying progress synchronously; log collection is divided into two modes, automatic collection and manual uploading; and the result display function forms, once the log analysis task is complete, a complete attack scene analysis chart in the interface layer that includes the specific occurrence event, time, operation, source/destination IP and the like. The response result of the network security event can thus be displayed visually, and the operation and maintenance personnel obtain the analysis result more conveniently and quickly.
Step S22, if the log collection mode is automatic collection, acquiring state information of a client corresponding to the server in a preset database based on a preset service layer in the server, and judging whether the client is in an online state based on the state information of the client.
In this embodiment, as shown in fig. 5, after the interface layer of the server end creates a log analysis task and sets the related parameters, the log collection mode needs to be determined. In one specific embodiment, if the log collection mode is automatic collection, the collection target range must be specified; it may be a single server or several servers, each identified by its IP address. The corresponding target client is determined from the IP address of the device to be monitored obtained in advance, which fixes the target collection range of the automatic collection. It can be understood that the device to be monitored has the corresponding client pre-installed. Correspondingly, the step of obtaining the state information of the client corresponding to the server end from the preset database based on the preset service layer in the server end then consists of obtaining, based on the preset service layer in the server end, the state information of the target clients in the target collection range from the preset database.
In another specific embodiment, if the log collection mode is manual uploading, a third log file uploaded by an operator is received directly through a preset file receiving interface, and file analysis is carried out based on the corresponding format of the third log file. Providing several log collection modes makes it easier to choose the appropriate mode in different situations and improves the stability of the network security event response.
And S23, if yes, sending a log acquisition instruction to the client so as to acquire a first log file sent to the preset shared folder by the client for storage from the preset shared folder, and carrying out file analysis on the first log file.
In this embodiment, if the log collection mode is automatic collection, the server end sends a log collection instruction to the agent end through the interface layer while the agent end is online. It can be understood that the agent end has a built-in function for receiving instructions and, on receiving the instruction from the server end, executes it on the server it runs on. Once log collection is complete, the agent end uses the Windows file sharing function to upload the log files uniformly to a preset shared folder, from which the server end fetches them. Within the internal network of an enterprise or organization, using the Windows file sharing function in this way keeps the whole file transfer process stable and reliable.
It can be understood that in step S22, if the log collection mode is selected to be manual uploading, log files with multiple formats may be obtained, so that the file format of the log file may be determined based on the file suffix of the log file; if the file format of the log file is a compressed package format, decompressing the log file to obtain an evtx log file, and analyzing the evtx log file; if the file format of the log file is the evtx format, directly analyzing the file of the log file.
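The suffix-based dispatch just described, a compressed package being decompressed to an evtx file and a bare evtx file being passed straight to the parser, written out in Go as an added example; this is not code from the patent or from DBAPPSecurity, and the function names, the size cap and the sample archive are this example's own assumptions. On the manual-upload path it also adds the two checks a practitioner would want before handing bytes to wevtapi.dll: the evtx file signature is verified whatever the suffix says, and the amount inflated from an uploaded archive is capped.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// evtxMagic is the 8-byte signature at the start of a Windows .evtx file.
var evtxMagic = []byte("ElfFile\x00")

// maxLogSize caps what is inflated from an uploaded archive (a guard against
// decompression bombs on the manual-upload path); the value is this example's choice.
const maxLogSize = 64 << 20

// ResolveLogFile is the suffix-based dispatch: a compressed package is opened and
// its .evtx member extracted, a bare .evtx is passed through, anything else is
// rejected. Both paths verify the evtx signature before the bytes go to the parser.
func ResolveLogFile(name string, data []byte) ([]byte, error) {
	switch strings.ToLower(path.Ext(name)) {
	case ".zip":
		return extractEvtx(data)
	case ".evtx":
		return checkEvtx(data)
	default:
		return nil, fmt.Errorf("unsupported log file type: %q", name)
	}
}

// checkEvtx rejects files whose name says evtx but whose content does not.
func checkEvtx(data []byte) ([]byte, error) {
	if !bytes.HasPrefix(data, evtxMagic) {
		return nil, errors.New("file does not carry the evtx signature")
	}
	return data, nil
}

// extractEvtx returns the first .evtx member of a zip archive held in memory.
func extractEvtx(archive []byte) ([]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		if strings.ToLower(path.Ext(f.Name)) != ".evtx" {
			continue
		}
		if f.UncompressedSize64 > maxLogSize {
			return nil, fmt.Errorf("%s exceeds %d bytes", f.Name, maxLogSize)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// LimitReader enforces the cap even if the header understates the size.
		data, err := io.ReadAll(io.LimitReader(rc, maxLogSize+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		if len(data) > maxLogSize {
			return nil, fmt.Errorf("%s exceeds %d bytes", f.Name, maxLogSize)
		}
		return checkEvtx(data)
	}
	return nil, errors.New("archive contains no .evtx member")
}

// BuildSampleArchive builds a constructed zip holding one fake evtx member
// (signature plus filler), so the example runs without a real log file.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("logs/Security.evtx")
	w.Write(append(append([]byte{}, evtxMagic...), "constructed-filler"...))
	zw.Close()
	return buf.Bytes()
}

func main() {
	cases := []struct {
		name string
		data []byte
	}{
		{"upload.zip", BuildSampleArchive()},
		{"Security.evtx", append([]byte{}, evtxMagic...)},
		{"notes.txt", []byte("hello")},
	}
	for _, c := range cases {
		data, err := ResolveLogFile(c.name, c.data)
		fmt.Printf("%-14s -> %d bytes, err=%v\n", c.name, len(data), err)
	}
}
```

Running it prints one line per constructed case: the archive resolves to the embedded evtx bytes, the bare evtx passes through, and the text file is rejected. The size check is applied twice on purpose: the central-directory size in a zip header is attacker-controlled on an upload path, so the reader is limited as well.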
Step S24, determining an attack behavior corresponding to the first log file based on an event ID in the first log file based on a preset rule base, analyzing the first log file based on an attack condition corresponding to the attack behavior to obtain a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event.
In this embodiment, after the log file is parsed, a rule base constructed according to rules collected and arranged in advance in the system performs preliminary matching on the corresponding event ID and possible attack behaviors, after the corresponding attack behaviors are matched, further matching analysis is performed on attack conditions required by different attack behaviors, and comprehensive analysis and judgment are performed by combining the log context, so that a more accurate analysis result is finally obtained, and thus, the accuracy of the log analysis result can be improved.
Step S25, collecting a second log file of the associated client and determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation.
For more specific processing in step S25, reference may be made to the corresponding content disclosed in the foregoing embodiment, and no further description is given here.
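An added example, not the patent's own code or rule base: the two-stage match of step S24 (event ID to candidate behavior, then the behavior's attack condition checked in log context) and the link aggregation of step S25, run in Python over constructed, already-parsed records from two hosts. Event IDs 4625 and 4624 are real Windows Security log IDs; the hosts, addresses, conditions and the address-to-client table used to resolve the associated client are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of already-parsed evtx records; hosts, addresses and
# times are made up. Real Windows IDs: 4625 = failed logon, 4624 = logon.
FIRST_LOG = [  # collected from WS-01
    {"time": "2023-02-01T09:00:01", "host": "WS-01", "event_id": 4625, "src": "10.0.0.9", "logon_type": 3},
    {"time": "2023-02-01T09:00:02", "host": "WS-01", "event_id": 4625, "src": "10.0.0.9", "logon_type": 3},
    {"time": "2023-02-01T09:00:03", "host": "WS-01", "event_id": 4625, "src": "10.0.0.9", "logon_type": 3},
    {"time": "2023-02-01T09:00:07", "host": "WS-01", "event_id": 4624, "src": "10.0.0.9", "logon_type": 3},
    {"time": "2023-02-01T09:30:00", "host": "WS-01", "event_id": 4624, "src": "-", "logon_type": 2},
]
SECOND_LOG = [  # collected afterwards from the associated client WS-09
    {"time": "2023-02-01T08:50:00", "host": "WS-09", "event_id": 4624, "src": "10.0.0.50", "logon_type": 10},
]
# Assumed pre-acquired addresses of monitored devices (the patent's target acquisition range).
IP_TO_HOST = {"10.0.0.9": "WS-09", "10.0.0.50": "WS-50"}


def ts(rec):
    return datetime.fromisoformat(rec["time"])


@dataclass(frozen=True)
class AttackEvent:
    time: datetime
    behaviour: str
    src: str   # address the activity came from
    host: str  # host whose log recorded it


# Attack conditions, checked only after the event ID matched a behaviour in the rule base.
def brute_force_condition(ctx, ev):
    near = [e for e in ctx if e["event_id"] == 4625 and e["src"] == ev["src"]
            and abs(ts(e) - ts(ev)) <= timedelta(minutes=1)]
    return len(near) >= 3


def remote_logon_condition(ctx, ev):
    return ev["logon_type"] in (3, 10) and ev["src"] not in ("-", "127.0.0.1")


RULE_BASE = {4625: ("password_brute_force", brute_force_condition),
             4624: ("remote_logon", remote_logon_condition)}


def detect(log):
    """Stage one: event ID -> candidate behaviour; stage two: confirm its condition in context."""
    found = {}
    for ev in log:
        rule = RULE_BASE.get(ev["event_id"])
        if rule is None or not rule[1](log, ev):
            continue
        key = (rule[0], ev["host"], ev["src"])
        if key not in found or ts(ev) < found[key].time:  # keep the earliest occurrence
            found[key] = AttackEvent(ts(ev), rule[0], ev["src"], ev["host"])
    return sorted(found.values(), key=lambda a: a.time)


def associated_clients(attack_events):
    """Resolve each attack event's source address to a monitored client (assumed mapping)."""
    return sorted({IP_TO_HOST[a.src] for a in attack_events if a.src in IP_TO_HOST})


def aggregate_links(*event_lists):
    """Attack link aggregation: order all confirmed events by time into one chain of hops."""
    chain = sorted((a for lst in event_lists for a in lst), key=lambda a: a.time)
    return [(a.time.isoformat(), a.behaviour, a.src, a.host) for a in chain]


if __name__ == "__main__":
    first = detect(FIRST_LOG)
    print("associated clients:", associated_clients(first))
    for hop in aggregate_links(first, detect(SECOND_LOG)):
        print(hop)
```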
According to the technical scheme, as shown in fig. 5 and 6, in this embodiment the agent end stores its own state information in a preset database when deployed; after the server end determines that the agent end is online by reading that state information from the preset database, the log analysis module sends a log acquisition instruction so that the agent end uploads a log file to a preset shared folder; the server end then determines, based on a preset rule base, the attack behavior corresponding to the first log file from its event ID, analyzes the first log file based on the attack condition of that behavior, obtains the first attack event corresponding to the first log file, determines the associated client of the first log file through the first attack event, and finally restores the attack scene. Therefore, an emergency response system with a double-end working mode (service end and agent end) is constructed, file transmission of log files between the service end and the agent end is facilitated, the speed of log analysis is improved, and the accuracy of the log analysis result is improved by determining a further attack event after the associated client is determined.
Referring to fig. 7, the embodiment of the application also discloses a log analysis device, which is applied to a server and includes:
the state determining module 11 is configured to obtain state information of a client corresponding to the server in a preset database based on a preset service layer in the server, and determine whether the client is in an online state based on the state information of the client;
the file analysis module 12 is configured to send a log acquisition instruction to the client if the client is in an online state, so as to obtain a first log file sent by the client, and to perform file analysis based on the corresponding format of the first log file;
the client determining module 13 is configured to compare the parsed event ID in the first log file with a preset rule base, determine a first attack event corresponding to the first log file, and determine an associated client of the first log file through the first attack event;
the scene restoration module 14 is configured to collect a second log file of the associated client and determine a corresponding second attack event based on the second log file, and then determine a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation.
In this embodiment, first, state information of a client corresponding to the server in a preset database is obtained based on a preset service layer in the server, and whether the client is in an online state is determined based on the state information of the client; if the client is in an online state, a log acquisition instruction is sent to the client to acquire a first log file sent by the client, and file analysis is carried out based on a corresponding format of the first log file; comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event; and acquiring a second log file of the associated client, determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation. Therefore, in the embodiment, the corresponding attack event can be determined by analyzing the event ID in the log file of the corresponding client through the server, determining the associated client according to the current attack event, and automatically restoring the attack scene according to the first attack event and the second attack event of the associated client.
In some specific embodiments, the state determining module 11 further includes:
the acquisition mode determining submodule is used for determining a log acquisition mode based on a preset interface layer of the server;
and the information acquisition triggering unit is used for triggering the step of acquiring the state information of the client corresponding to the server in a preset database based on a preset service layer in the server if the log acquisition mode is automatic acquisition.
In some embodiments, the acquisition mode determining submodule further includes:
the range determining unit is used for determining a corresponding target client through the pre-acquired IP address of the equipment to be monitored so as to determine the target acquisition range of the automatic acquisition if the log acquisition mode is automatic acquisition; the equipment to be monitored is provided with a corresponding client in advance;
correspondingly, the state determining module 11 specifically includes:
the information acquisition unit is used for acquiring the state information of the target client corresponding to the target acquisition range in a preset database based on a preset service layer in the server.
In some embodiments, the acquisition mode determining submodule further includes:
and the file receiving unit is used for directly receiving a third log file uploaded by a worker through a preset file receiving interface if the log acquisition mode is manual uploading, so as to analyze the file based on the corresponding format of the third log file.
In some embodiments, the file parsing module 12 specifically includes:
the file acquisition unit is used for acquiring, from the preset shared folder, the first log file that the client sent to the preset shared folder for storage.
In some embodiments, the file parsing module 12 specifically includes:
a format judging unit for judging the file format of the log file based on the file suffix of the log file;
the first file analysis unit is used for carrying out decompression operation on the log file to obtain an evtx log file if the file format of the log file is a compressed package format, and carrying out file analysis on the evtx log file;
and the second file analysis unit is used for parsing the log file directly if the file format of the log file is the evtx format.
In some specific embodiments, the client determining module 13 specifically includes:
an attack behavior determining unit, configured to determine an attack behavior corresponding to the first log file according to an event ID in the first log file based on a preset rule base;
and the attack event determining unit is used for analyzing the first log file based on the attack condition corresponding to the attack behavior to obtain a first attack event corresponding to the first log file.
Further, the embodiment of the present application further discloses an electronic device, and fig. 8 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 8 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein the memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement the relevant steps in the log analysis method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device 20 and the computer programs 222, and may be Windows Server, NetWare, Unix, Linux, etc. Besides the computer program that performs the log analysis method executed by the electronic device 20 as disclosed in any of the previous embodiments, the computer programs 222 may further include computer programs used to perform other specific tasks.
Further, the application also discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the previously disclosed log analysis method. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing has outlined the detailed description of the preferred embodiment of the present application, and the detailed description of the principles and embodiments of the present application has been provided herein by way of example only to facilitate the understanding of the method and core concepts of the present application; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (10)

1. The log analysis method is characterized by being applied to a server and comprising the following steps:
acquiring state information of a client corresponding to the server in a preset database based on a preset service layer in the server, and judging whether the client is in an online state based on the state information of the client;
if yes, a log acquisition instruction is sent to the client to acquire a first log file sent by the client, and file analysis is carried out based on a corresponding format of the first log file;
comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event;
and acquiring a second log file of the associated client, determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation.
2. The log analysis method according to claim 1, wherein before the obtaining, based on the preset service layer in the server, the state information of the client corresponding to the server in the preset database, the log analysis method further includes:
determining a log acquisition mode based on a preset interface layer of the server;
and if the log acquisition mode is automatic acquisition, triggering the step of acquiring the state information of the client corresponding to the server in a preset database based on a preset service layer in the server.
3. The log analysis method according to claim 2, wherein after determining the log collection mode based on the preset interface layer of the server, the method further comprises:
if the log acquisition mode is automatic acquisition, determining a corresponding target client through the pre-acquired IP address of the equipment to be monitored so as to determine the target acquisition range of the automatic acquisition; the equipment to be monitored is provided with a corresponding client in advance;
correspondingly, the step of obtaining the state information of the client corresponding to the server in the preset database based on the preset service layer in the server includes:
and acquiring state information of the target client corresponding to the target acquisition range in a preset database based on a preset service layer in the server.
4. The log analysis method according to claim 2, wherein after determining the log collection mode based on the preset interface layer of the server, the method further comprises:
if the log collection mode is manual uploading, directly receiving a third log file uploaded by a worker through a preset file receiving interface, and analyzing the file based on a corresponding format of the third log file.
5. The method of claim 1, wherein the obtaining the first log file sent by the client includes:
and acquiring, from the preset shared folder, the first log file that the client sent to the preset shared folder for storage.
6. The log analysis method according to any one of claims 1 to 5, wherein the file parsing based on the corresponding format of any one of the log files comprises:
judging the file format of the log file based on the file suffix of the log file;
if the file format of the log file is a compressed package format, decompressing the log file to obtain an evtx log file, and analyzing the evtx log file;
if the file format of the log file is the evtx format, parsing the log file directly.
7. The method of any one of claims 1 to 5, wherein comparing the event ID in the first log file that is analyzed with a preset rule base, and determining a first attack event corresponding to the first log file includes:
determining an attack behavior corresponding to the first log file according to the event ID in the first log file based on a preset rule base;
analyzing the first log file based on the attack condition corresponding to the attack behavior to obtain a first attack event corresponding to the first log file.
8. A log analysis device, applied to a server, comprising:
the state determining module is used for acquiring state information of a client corresponding to the server in a preset database based on a preset service layer in the server, and judging whether the client is in an online state based on the state information of the client;
the file analysis module is used for sending a log acquisition instruction to the client if the client is in an online state, so as to acquire a first log file sent by the client and carry out file analysis based on a corresponding format of the first log file;
the client determining module is used for comparing the analyzed event ID in the first log file with a preset rule base, determining a first attack event corresponding to the first log file, and determining an associated client of the first log file through the first attack event;
the scene restoration module is used for collecting a second log file of the associated client and determining a corresponding second attack event based on the second log file, and then determining a corresponding attack scene based on the first attack event and the second attack event and through attack link aggregation.
9. An electronic device comprising a processor and a memory; wherein the memory is for storing a computer program that is loaded and executed by the processor to implement the log analysis method of any one of claims 1 to 7.
10. A computer readable storage medium for storing a computer program which when executed by a processor implements the log analysis method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310105366.4A CN116074095A (en) 2023-02-01 2023-02-01 Log analysis method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116074095A true CN116074095A (en) 2023-05-05

Family

ID=86174697

Country Status (1)

Country Link
CN (1) CN116074095A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117149787A (en) * 2023-08-31 2023-12-01 广州万融数据服务有限公司 Key information grabbing and displaying method based on big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination