CN116132260A - Log alarm data suppression method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116132260A
Authority
CN
China
Prior art keywords
log
data
alarm data
inhibition
log alarm
Legal status
Pending
Application number
CN202211665384.XA
Other languages
Chinese (zh)
Inventor
魏昊
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiments of the application provide a log alarm data suppression method and device, an electronic device and a storage medium, in the technical field of information processing. The method comprises: storing the first parsed log alarm data in a database within a suppression period preset by the user; within the suppression period, determining according to the suppression condition whether subsequent new traffic and the first log alarm data are similar log alarm data; and if they are similar log alarm data, accumulating the count of the first log alarm data and not deep-parsing the new traffic. Because only one log alarm record is stored for each group of similar data, disk space usage is reduced, and the problem that a large volume of identical log alarm data on a security device drowns out other alarm log data and occupies excessive disk space is solved.

Description

Log alarm data suppression method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information processing technologies, and in particular, to a method and apparatus for suppressing log alarm data, an electronic device, and a storage medium.
Background
The main function of auditing and detection devices is to parse the packets on the network, record the relevant information and present it as logs and alarms. After auditing and detection devices parse packets that share the same basic information, a large number of logs and alarms with identical information, such as source IP and destination IP, are generated on them.
These logs and alarms present repetitive content to the user, which easily causes fatigue when viewing them, leads the user to miss other important logs and alarms, and also occupies more disk space.
Disclosure of Invention
An object of the embodiments of the present invention is to provide a method, an apparatus, an electronic device and a storage medium for suppressing log alarm data, which store only one record for each group of similar log alarm data, reduce disk space usage, and solve the problem that too much identical log alarm data on a security device drowns out other alarm log data and occupies excessive disk space.
The embodiments of the application provide a method for suppressing log alarm data, comprising the following steps:
storing the first parsed log alarm data in a database within a suppression period preset by the user;
within the suppression period, determining according to the suppression condition whether subsequent new traffic and the first log alarm data are similar log alarm data;
and if they are similar log alarm data, accumulating the count of the first log alarm data and not deep-parsing the new traffic.
In this implementation, whether data is similar log alarm data is determined from the suppression condition and the suppression period, and only one record of each group of similar log alarm data is stored. This reduces repeated logs and repeated alarm data on the security device and reduces disk space usage; the suppression condition can be set flexibly and is easy to configure; and the problem that too much identical log alarm data on the security device drowns out other alarm log data and occupies excessive disk space is solved.
Further, determining within the suppression period whether the subsequent new traffic and the first log alarm data are similar log alarm data according to the suppression condition includes:
acquiring a first suppression condition field of the first log alarm data based on the suppression condition;
acquiring a second suppression condition field corresponding to the new traffic;
and if the content of the first suppression condition field is the same as that of the second suppression condition field, the log alarm data corresponding to the new traffic and the first log alarm data are similar log alarm data.
In this implementation, the determination is made through the suppression condition, namely by checking whether the fields of the new traffic that correspond to the suppression condition are the same as those of the first log alarm data. This determination is simple and fast and does not require deep parsing of the new traffic.
Further, the method further comprises:
if the content of the first suppression condition field differs from that of the second suppression condition field, deep-parsing the new traffic to obtain new alarm log data corresponding to the new traffic, and storing the new alarm log data in the database;
and within the suppression period, comparing subsequently generated log alarm data with all log alarm data in the database according to the suppression condition, so as to determine whether it is similar log alarm data.
In this implementation, only dissimilar new log alarm data is deep-parsed and stored; a suppressed log/alarm is not deep-parsed but discarded directly, which improves the parsing performance of the security device.
Further, the method further comprises:
querying the database based on the suppression condition, and obtaining the detailed information of the first log alarm data and the count of all similar log alarm data within the suppression period.
In this implementation, the data obtained by querying the database contains only the detailed information of the earliest similar log alarm data and a count of the later similar log alarm data in the same period, which avoids the problem that too much identical log alarm data drowns out other alarm log data and occupies excessive disk space.
The embodiments of the application also provide a device for suppressing log alarm data, comprising:
a storage module, configured to store the first parsed log alarm data in a database within a suppression period preset by the user;
a judging module, configured to determine, within the suppression period, whether subsequent new traffic and the first log alarm data are similar log alarm data according to the suppression condition;
and a counting module, configured to accumulate the count of the first log alarm data if they are similar log alarm data, without deep-parsing the new traffic.
In this implementation, whether data is similar log alarm data is determined from the suppression condition and the suppression period, and only one record of each group of similar log alarm data is stored. This reduces repeated logs and repeated alarm data on the security device and reduces disk space usage; the suppression condition can be set flexibly and is easy to configure; and the problem that too much identical log alarm data on the security device drowns out other alarm log data and occupies excessive disk space is solved.
Further, the judging module includes:
a first condition field acquisition module, configured to acquire a first suppression condition field of the first log alarm data based on the suppression condition;
a second condition field acquisition module, configured to acquire a second suppression condition field corresponding to the new traffic;
and a similarity judging module, configured to determine that the log alarm data corresponding to the new traffic and the first log alarm data are similar log alarm data if the content of the first suppression condition field is the same as that of the second suppression condition field.
In this implementation, the determination is made through the suppression condition, namely by checking whether the fields corresponding to the suppression condition in the new log alarm data and in the first log alarm data are the same, which is simple and fast.
Further, the device further comprises:
a deep parsing module, configured to deep-parse the new traffic if the contents of the first and second suppression condition fields differ, so as to obtain new alarm log data corresponding to the new traffic, and to store the new alarm log data in the database;
and a new data processing module, configured to compare subsequently generated log alarm data with all log alarm data in the database according to the suppression condition within the suppression period, so as to determine whether it is similar log alarm data.
In this implementation, only dissimilar new log alarm data is deep-parsed and stored; a suppressed log/alarm is not deep-parsed but discarded directly, which improves the parsing performance of the security device.
Further, the device further comprises:
a data query module, configured to query the database based on the suppression condition and obtain the detailed information of the first log alarm data with the same suppression condition and the count of all similar log alarm data within the suppression period.
In this implementation, the data obtained by querying the database contains only the detailed information of the earliest similar log alarm data and a count of the later similar log alarm data in the same period, which avoids the problem that too much identical log alarm data drowns out other alarm log data and occupies excessive disk space.
The embodiments of the application also provide an electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor runs the computer program so that the electronic device executes the above method for suppressing log alarm data.
The embodiments of the application also provide a readable storage medium storing computer program instructions which, when read and run by a processor, execute any of the above methods for suppressing log alarm data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for suppressing log alert data according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for suppressing audit logs and alarms provided by an embodiment of the present application;
FIG. 3 is a flowchart of determining similar log alert data according to an embodiment of the present disclosure;
FIG. 4 is a flowchart illustrating a process of dissimilar log alert data provided in an embodiment of the present application;
FIG. 5 is a block diagram of a log alert data suppressing apparatus according to an embodiment of the present application;
FIG. 6 is a block diagram of another log alarm data suppression device according to an embodiment of the present application.
Reference numerals:
100, storage module; 200, judging module; 201, first condition field acquisition module; 202, second condition field acquisition module; 203, similarity judging module; 211, deep parsing module; 212, new data processing module; 300, counting module; 400, data query module.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to FIG. 1, FIG. 1 is a flowchart of a method for suppressing log alarm data according to an embodiment of the present application. The method can be applied to security devices, in particular to a database audit system, a network audit system, an industrial control security monitoring and audit system, an abnormal traffic management and rejection service system and the like; the specific range of application is not limited.
The method reduces repeated logs and repeated alarms on the security device and lowers disk utilization by configuring suppression dimensions such as IP, port, protocol and other features, together with a suppression period. The method specifically comprises the following steps:
Step S100: storing the first parsed log alarm data in a database within a suppression period preset by the user;
The user configures the alarm suppression period according to their own needs. When the security device parses packets and generates logs/alarms, it determines, per configured suppression period, whether a log/alarm within one period is similar to an earlier log/alarm in that period.
The user configures the suppression period as required; according to the configured period, the security device stores only one log or alarm among those whose suppression condition fields have the same content within the same period, and the rest are counted only.
Step S200: within the suppression period, determining according to the suppression condition whether subsequent new traffic and the first log alarm data are similar log alarm data;
Step S300: and if they are similar log alarm data, accumulating the count of the first log alarm data and not deep-parsing the new traffic.
The user configures a suppression condition or a combination of suppression conditions according to their own needs, where the suppression conditions include source IP, destination IP, source port, destination port and protocol; according to the configured condition or combination, the security device treats logs or alarms whose condition fields have the same content within one period as similar logs/alarms and suppresses them.
When logs/alarms are queried on the device, only the first log/alarm in each period is displayed in detail; the remaining logs/alarms are counted, and the count is displayed in the log count/alarm count parameter. FIG. 2 shows a flowchart of a method for suppressing audit logs and alarms, and FIG. 3 shows a flowchart for determining similar log alarm data. Specifically, step S200 includes the following steps:
Step S201: acquiring a first suppression condition field of the first log alarm data based on the suppression condition;
Step S202: acquiring a second suppression condition field corresponding to the new traffic;
Step S203: and if the content of the first suppression condition field is the same as that of the second suppression condition field, the log alarm data corresponding to the new traffic and the first log alarm data are similar log alarm data.
Illustratively, the user selects the condition or combination of conditions for alarm/log suppression as desired. After the security device parses and generates the first log/alarm within a period, the detailed content of that first log/alarm is stored in the database.
When new traffic enters the parsing flow, the content of the condition or condition-combination parameters is checked against the configured alarm/log suppression condition, that is, IP, port, protocol and other features or a combination of them. If the content of these parameters in the traffic is the same as in the stored first log/alarm, the traffic is judged to be a similar log/alarm, it is not deep-parsed further, and only the count is accumulated. If the content of these parameters differs from the stored logs/alarms, the traffic is judged dissimilar, parsing continues, and the generated log/alarm is stored in the database.
FIG. 4 is a flowchart of processing dissimilar log alarm data; the method further comprises the following steps:
Step S211: if the content of the first suppression condition field differs from that of the second suppression condition field, deep-parsing the new traffic to obtain new alarm log data corresponding to the new traffic, and storing the new alarm log data in the database;
Step S212: and within the suppression period, comparing subsequently generated log alarm data with all log alarm data in the database according to the suppression condition, so as to determine whether it is similar log alarm data.
The method further comprises the following step:
querying the database based on the suppression condition, and obtaining the detailed information of the first log alarm data and the count of all similar log alarm data within the suppression period.
When the user queries logs/alarms on the device page, the data obtained from the database contains only the detailed information of the earliest similar log/alarm and a count of the later similar logs/alarms in the same period.
Illustratively, the method may be applied to log/alarm suppression in an industrial control security monitoring and audit system. Audit alarm suppression is realized by configuring the suppression condition and period of the audit log in a fully self-defined industrial security monitoring and audit system. Specifically:
Step S10: on the industrial control security monitoring and audit system page, the user configures the suppression condition combination of the audit log as source IP, destination IP and destination port, and the period as 10 minutes.
Step S20: network traffic is mirrored into the industrial control security monitoring and audit system, which parses the traffic and generates audit logs; the generated audit logs are not yet stored in the database.
Step S30: according to the configured suppression period, the audit device performs the following parsing and log storage actions in each 10 min interval:
Step S31: the first log parsed by the audit device is stored in the database, and its log count is recorded as 1;
Step S32: subsequent traffic is first parsed preliminarily and compared with the first log in the database, checking whether the source IP, destination IP and destination port of the new traffic are identical to those of the first log in the database;
Step S33: if they are the same, the traffic is regarded as a similar log, deep parsing is not continued, and only the log count is accumulated (at this point the log count field of the first log is 2);
Step S34: if they differ, the traffic is regarded as a dissimilar log, deep parsing continues, and the parsed log is stored in the database;
Step S35: each further traffic entering the period is preliminarily parsed and compared with all logs stored in the database, and steps S33 and S34 are repeated;
Step S40: when the user queries audit logs on the audit device page, only one log is obtained per 10 min for each combination of the same source IP, destination IP and destination port.
In this way, suppression of similar logs or alarms is realized, and the situation where a large number of similar logs on the audit device drown out other logs and fill the disk in a short time is avoided.
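The procedure of steps S10 to S40 (and the method of steps S100 to S300 above) as an added Python example; this is not code from the patent or from the assignee's products. It assumes a preliminary parse has already produced a dictionary of packet fields, uses a stand-in deep_parse() and constructed sample traffic, and starts each 10-minute period at the first event seen after the previous period expires.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Sequence, Tuple

Key = Tuple[Any, ...]


@dataclass
class StoredAlarm:
    """One record per distinct suppression key per period: first event's detail plus a count."""
    key: Key
    first_seen: float
    detail: Dict[str, Any]
    count: int = 1


class AlarmSuppressor:
    """Period-based log/alarm suppression keyed on user-chosen condition fields."""

    def __init__(self, condition_fields: Sequence[str], period_seconds: float,
                 deep_parse: Callable[[dict], Dict[str, Any]]) -> None:
        self.condition_fields = tuple(condition_fields)  # suppression condition (S10)
        self.period = period_seconds                     # suppression period (S10)
        self.deep_parse = deep_parse
        self.deep_parse_calls = 0                        # measures parsing work saved
        self._period_start: Optional[float] = None
        self._current: Dict[Key, StoredAlarm] = {}
        self._periods: List[Tuple[float, Dict[Key, StoredAlarm]]] = []

    def _key(self, packet: dict) -> Key:
        # Preliminary parse only: read the condition fields, nothing deeper.
        return tuple(packet[f] for f in self.condition_fields)

    def _roll_period(self, ts: float) -> None:
        # Assumption: a period starts at the first event after the previous one expires.
        if self._period_start is None or ts - self._period_start >= self.period:
            self._period_start = ts
            self._current = {}
            self._periods.append((ts, self._current))

    def ingest(self, packet: dict) -> bool:
        """Return True if deep-parsed and stored as a new record, False if suppressed."""
        self._roll_period(packet["ts"])
        key = self._key(packet)
        record = self._current.get(key)      # compare with all stored records (S32/S35)
        if record is not None:
            record.count += 1                # similar: count only, skip deep parse (S33)
            return False
        self.deep_parse_calls += 1
        detail = self.deep_parse(packet)     # dissimilar: deep-parse and store (S31/S34)
        self._current[key] = StoredAlarm(key, packet["ts"], detail)
        return True

    def query(self) -> List[List[dict]]:
        """Query view (S40): per period, each first record's detail plus its count."""
        result = []
        for period_start, db in self._periods:
            rows = sorted(db.values(), key=lambda r: r.first_seen)
            result.append([{"period_start": period_start, "first_seen": r.first_seen,
                            "key": r.key, "count": r.count, "detail": r.detail}
                           for r in rows])
        return result


def deep_parse(packet: dict) -> Dict[str, Any]:
    # Stand-in (assumption) for the costly protocol analysis skipped on suppressed traffic.
    payload = packet["payload"]
    return {"protocol": packet["protocol"], "payload_len": len(payload),
            "payload_hex": payload.hex()}


# Constructed sample traffic after preliminary parsing; all values are made up for this example.
SAMPLE_TRAFFIC = [
    {"ts": 0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 502,
     "protocol": "tcp", "payload": b"\x01\x03\x00\x00\x00\x0a"},
    {"ts": 30, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 502,
     "protocol": "tcp", "payload": b"\x01\x03\x00\x10\x00\x02"},  # same key, other payload
    {"ts": 60, "src_ip": "10.0.0.6", "dst_ip": "10.0.0.9", "dst_port": 502,
     "protocol": "tcp", "payload": b"\x01\x06\x00\x01\x00\xff"},  # different source IP
    {"ts": 90, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 502,
     "protocol": "tcp", "payload": b"\x01\x03\x00\x00\x00\x0a"},
    {"ts": 700, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 502,
     "protocol": "tcp", "payload": b"\x01\x03\x00\x00\x00\x0a"},  # next 10-minute period
]


def run_sample() -> AlarmSuppressor:
    """Apply the S10 configuration: source IP, destination IP, destination port; 10 minutes."""
    suppressor = AlarmSuppressor(("src_ip", "dst_ip", "dst_port"), 600, deep_parse)
    for packet in SAMPLE_TRAFFIC:
        suppressor.ingest(packet)
    return suppressor


if __name__ == "__main__":
    s = run_sample()
    print(f"deep parses performed: {s.deep_parse_calls} of {len(SAMPLE_TRAFFIC)} packets")
    for period in s.query():
        for row in period:
            print(row["period_start"], row["key"], "count =", row["count"], row["detail"])
```

The second sample packet carries a different payload from the first but the same three key fields, so its detail is never parsed or stored; the choice of suppression fields therefore decides which detail is lost, which is the trade-off to weigh when configuring the condition combination.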
The method periodically suppresses logs/alarms by IP, port, protocol and other features or combinations of them; a suppressed log/alarm is not deep-parsed but discarded directly, which improves the parsing performance of the device; for suppressed logs/alarms only the first alarm's information is recorded, the rest only contribute to the trigger count for the period and their detailed content is not written to the database, so disk space is saved.
The method is simple and convenient to configure and lets users suppress alarms/logs along different dimensions; logs judged similar are not deep-parsed, which improves the parsing performance of the device; alarm/log suppression does not depend on a signature library, which reduces maintenance cost; and similar logs/alarms are not written to the database, which reduces disk space usage.
Example 2
An embodiment of the present application provides a log alarm data suppression device. FIG. 5 is a structural block diagram of the log alarm data suppression device, which includes, but is not limited to:
the storage module 100, configured to store the first parsed log alarm data in a database within a suppression period preset by the user;
the judging module 200, configured to determine, within the suppression period, whether subsequent new traffic and the first log alarm data are similar log alarm data according to the suppression condition;
and the counting module 300, configured to accumulate the count of the first log alarm data if the log alarm data of the new traffic is similar log alarm data, without deep-parsing the new traffic.
The user can configure the dimensions (IP, port, protocol, other features and the like) and the time period according to their needs; configuring alarm/log suppression is simple and convenient, and the dimensions and time period of alarm suppression are flexible and controllable.
FIG. 6 is a block diagram of another log alarm data suppression device, in which the judging module 200 includes:
the first condition field acquisition module 201, configured to acquire a first suppression condition field of the first log alarm data based on the suppression condition;
the second condition field acquisition module 202, configured to acquire a second suppression condition field corresponding to the new traffic;
and the similarity judging module 203, configured to determine that the log alarm data corresponding to the new traffic and the first log alarm data are similar log alarm data if the contents of the first and second suppression condition fields are the same.
The device further comprises:
the deep parsing module 211, configured to deep-parse the new traffic if the contents of the first and second suppression condition fields differ, so as to obtain new alarm log data corresponding to the new traffic, and to store the new alarm log data in the database;
and the new data processing module 212, configured to compare subsequently generated log alarm data with all log alarm data in the database according to the suppression condition within the suppression period, so as to determine whether it is similar log alarm data.
The device further comprises:
the data query module 400, configured to query the database based on the suppression condition and obtain the detailed information of the first log alarm data and the count of all similar log alarm data within the suppression period.
By setting the suppression condition and the suppression period, whether data is similar log alarm data is determined from the suppression condition, and only one record of each group of similar log alarm data is stored. This reduces repeated logs and repeated alarm data on the security device and reduces disk space usage; the suppression condition can be set flexibly and is easy to configure; and the problem that too much identical log alarm data on the security device drowns out other alarm log data and occupies excessive disk space is solved.
The embodiments of the application also provide an electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor runs the computer program so that the electronic device executes the method for suppressing log alarm data in Example 1.
The embodiments of the application further provide a readable storage medium storing computer program instructions which, when read and executed by a processor, perform the method for suppressing log alarm data described in Example 1.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application; various modifications and variations may occur to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for suppressing log alarm data, the method comprising:
storing a first piece of analyzed log alarm data in a database within a suppression period preset by the user;
within the suppression period, judging, according to a suppression condition, whether subsequent new traffic and the first piece of log alarm data are similar log alarm data;
and if they are similar log alarm data, accumulating the count of the first piece of log alarm data and not performing deep analysis on the new traffic.
2. The method for suppressing log alarm data according to claim 1, wherein judging, within the suppression period and according to the suppression condition, whether the subsequent new traffic and the first piece of log alarm data are similar log alarm data comprises:
acquiring a first suppression condition field of the first piece of log alarm data based on the suppression condition;
acquiring a second suppression condition field corresponding to the new traffic;
and if the content of the first suppression condition field is the same as that of the second suppression condition field, judging that the log alarm data corresponding to the new traffic and the first piece of log alarm data are similar log alarm data.
3. The method for suppressing log alarm data according to claim 2, further comprising:
if the content of the first suppression condition field differs from that of the second suppression condition field, performing deep analysis on the new traffic to obtain new alarm log data corresponding to the new traffic, and storing the new alarm log data in the database;
and within the suppression period, comparing subsequently generated log alarm data, according to the suppression condition, with all log alarm data in the database, so as to judge whether they are similar log alarm data.
4. The method for suppressing log alarm data according to claim 1, further comprising:
querying the database based on the suppression condition to obtain the detailed information of the first piece of log alarm data and the count of all similar log alarm data within the suppression period.
5. An apparatus for suppressing log alarm data, the apparatus comprising:
a storage module, configured to store a first piece of analyzed log alarm data in a database within a suppression period preset by the user;
a judging module, configured to judge, within the suppression period and according to a suppression condition, whether subsequent new traffic and the first piece of log alarm data are similar log alarm data;
and a counting module, configured to accumulate the count of the first piece of log alarm data if they are similar log alarm data, and not to perform deep analysis on the new traffic.
6. The apparatus for suppressing log alarm data according to claim 5, wherein the judging module comprises:
a first condition field acquisition module, configured to acquire a first suppression condition field of the first piece of log alarm data based on the suppression condition;
a second condition field acquisition module, configured to acquire a second suppression condition field corresponding to the new traffic;
and a similarity judging module, configured to judge that the log alarm data corresponding to the new traffic and the first piece of log alarm data are similar log alarm data if the content of the first suppression condition field is the same as that of the second suppression condition field.
7. The apparatus for suppressing log alarm data according to claim 6, wherein the apparatus further comprises:
a deep analysis module, configured to perform deep analysis on the new traffic if the content of the first suppression condition field differs from that of the second suppression condition field, so as to obtain new alarm log data corresponding to the new traffic, and to store the new alarm log data in the database;
and a new data processing module, configured to compare subsequently generated log alarm data, within the suppression period and according to the suppression condition, with all log alarm data in the database, so as to judge whether they are similar log alarm data.
8. The apparatus for suppressing log alarm data according to claim 5, wherein the apparatus further comprises:
a data query module, configured to query the database based on the suppression condition and to obtain the detailed information of the first piece of log alarm data and the count of all similar log alarm data within the suppression period.
9. An electronic device comprising a memory for storing a computer program and a processor that runs the computer program to cause the electronic device to perform the method for suppressing log alarm data according to any one of claims 1 to 4.
10. A readable storage medium having stored therein computer program instructions which, when read and executed by a processor, perform the method for suppressing log alarm data according to any one of claims 1 to 4.
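The following Python is an added illustration of claims 1 to 4, not code from the patent or its applicant. It assumes a suppression condition made of three constructed flow fields (src_ip, dst_ip, rule_id), an in-memory dict standing in for the database, and a stub in place of the deep analysis the method avoids; the period-expiry handling at the end goes slightly beyond the claims.

```python
from typing import Dict, Optional, Tuple

# Constructed suppression condition: the flow fields that decide "similar".
SUPPRESSION_FIELDS = ("src_ip", "dst_ip", "rule_id")

class AlarmSuppressor:
    def __init__(self, period_s, deep_analyze):
        self.period_s, self.deep_analyze = period_s, deep_analyze
        self.db: Dict[Tuple, dict] = {}          # stands in for the database
        self.period_start: Optional[float] = None

    def _key(self, flow):
        # The "suppression condition field": values of the condition fields.
        return tuple(flow.get(f) for f in SUPPRESSION_FIELDS)

    def process(self, flow, now):
        # Open a new suppression period once the previous one has elapsed.
        if self.period_start is None or now - self.period_start >= self.period_s:
            self.period_start, self.db = now, {}
        hit = self.db.get(self._key(flow))
        if hit is not None:
            hit["count"] += 1   # similar alarm: only count it, skip deep analysis
            return "suppressed"
        # Dissimilar: deep-analyse and store it so later traffic is compared against it too.
        self.db[self._key(flow)] = {"first_seen": now, "count": 1,
                                    "details": self.deep_analyze(flow)}
        return "analyzed"

    def query(self, flow_like):
        # Claim 4: the first alarm's details plus the count of similar ones.
        hit = self.db.get(self._key(flow_like))
        return None if hit is None else (hit["details"], hit["count"])

def demo_deep_analyze(flow):
    # Constructed stand-in for the costly per-flow analysis being avoided.
    return {"rule_id": flow["rule_id"], "payload_len": len(flow["payload"])}

def run_demo():
    s = AlarmSuppressor(period_s=60.0, deep_analyze=demo_deep_analyze)
    def flow(src, payload):  # constructed sample traffic: same dst and rule
        return {"src_ip": src, "dst_ip": "10.0.1.9", "rule_id": 1001, "payload": payload}
    events = [(0.0, flow("10.0.0.5", b"A" * 40)), (1.0, flow("10.0.0.5", b"B" * 12)),
              (2.0, flow("10.0.0.7", b"C" * 3)), (3.0, flow("10.0.0.5", b"D" * 8))]
    verdicts = [s.process(f, now=t) for t, f in events]
    in_period = s.query(events[0][1])        # first alarm's details, count of 3
    late = flow("10.0.0.5", b"E" * 5)
    after = s.process(late, now=75.0)        # period expired: analysed afresh
    return verdicts, in_period, after, s.query(late)
```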

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211665384.XA CN116132260A (en) 2022-12-23 2022-12-23 Log alarm data suppression method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211665384.XA CN116132260A (en) 2022-12-23 2022-12-23 Log alarm data suppression method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116132260A true CN116132260A (en) 2023-05-16

Family

ID=86307243

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211665384.XA Pending CN116132260A (en) 2022-12-23 2022-12-23 Log alarm data suppression method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116132260A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247254A (en) * 2007-02-16 2008-08-20 大唐移动通信设备有限公司 Method and device for suppression alarm windstorm
CN104753700A (en) * 2013-12-27 2015-07-01 中国银联股份有限公司 Alarm storm processing method and alarm storm processing system
CN111245779A (en) * 2019-12-17 2020-06-05 北京威努特技术有限公司 Industrial control firewall alarm message merging method and device
CN113992431A (en) * 2021-12-24 2022-01-28 北京微步在线科技有限公司 Linkage blocking method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination