CN116827830A - Database flow audit processing method and system under multiple database servers - Google Patents

Info

Publication number: CN116827830A
Authority: CN (China)
Prior art keywords: database, auditing, server, plug, agent program
Legal status: Pending
Application number: CN202310810240.7A
Other languages: Chinese (zh)
Inventors: 夏旭东, 殷德明
Current Assignee: Beijing Dbsec Technology Co ltd
Original Assignee: Beijing Dbsec Technology Co ltd

Classifications

    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • G06F16/21 Design, administration or maintenance of databases
    • G06F9/44526 Plug-ins; Add-ons
    • H04L43/14 Arrangements for monitoring or testing data switching networks using software, i.e. software packages
    • H04L43/50 Testing arrangements
    • G06F2201/80 Database-specific techniques

Abstract

The application discloses a database flow audit processing method and system under a multi-database server. The method comprises the following steps: acquiring the type of each database of all databases installed on a server; acquiring characteristic information and port numbers of each database according to the type of each database; writing the characteristic information and the port number of each database into a file respectively; and taking the file corresponding to the characteristic information and the port number of each database as a file loaded when the plug-in is started, wherein the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for carrying out database audit. The application solves the problem in the related art that, when different database servers are installed on one server or a plurality of database instances exist, the plug-ins installed on the database client cannot be distinguished and the database audit is affected, and thereby ensures that the database audit runs smoothly.

Description

Database flow audit processing method and system under multiple database servers
Technical Field
The application relates to the field of databases, in particular to a database flow audit processing method and system under a multi-database server.
Background
Database audit (DBAudit for short) is centered on security events and based on comprehensive and accurate auditing: it records database activities on the network in real time, performs fine-grained audit compliance management of database operations, and raises real-time alerts on risky behaviors affecting the database. By recording, analyzing and reporting users' access to the database, it helps users generate compliance reports and trace the source of incidents afterwards. It also provides efficient querying of audit reports through big-data search technology to locate the cause of events for later querying, analysis and filtering, thereby monitoring and auditing the network behavior of internal and external databases and improving the security of data assets.
When a database is audited, the traffic accessing the database is generally obtained and audited. If the database client and the database server are installed on the same server, a plug-in must be installed on the database client; the plug-in acquires the database flow exchanged between the database client and the database server and then sends it to the auditing device for auditing.
In the related art, a plurality of different database servers are sometimes installed on one server, and even for the same database, different database instances exist. For these cases, the plug-ins installed at the client cannot be distinguished, and thus can affect database auditing.
Disclosure of Invention
The embodiment of the application provides a database flow auditing processing method and system under a multi-database server, which at least solve the problem that in the related art, under the condition that different database servers are installed on one server or a plurality of database instances exist, plug-ins installed on a database client cannot be distinguished, so that the database auditing is influenced.
According to one aspect of the present application, there is provided a database traffic audit processing method under a multi-database server, including: acquiring the type of each database of all databases installed on a server, wherein a database client is used for connecting with each database server in all databases; acquiring characteristic information and port numbers of each database according to the type of each database; writing the characteristic information and the port number of each database into a file respectively; and taking the characteristic information of each database and the file corresponding to the port number as the file loaded when the plug-in is started, wherein each file corresponds to one plug-in, the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for carrying out database audit.
Further, the method further comprises: the plug-in sends the acquired database flow to an agent program; and the agent program sends the database flow to auditing equipment for auditing, wherein the agent program and the plug-in are both deployed on the server.
Further, the agent sending the database traffic to the auditing device for auditing includes: the agent program receives information from auditing equipment, wherein the information comprises a port number and an IP address of a database server side; the agent program stores the corresponding relation between the port numbers and the IP addresses of the auditing equipment and the database server; and the agent program sends the database traffic from different port numbers and IP addresses to corresponding auditing equipment according to the corresponding relation.
Further, the agent program storing the correspondence between the port numbers and the IP addresses of the auditing device and the database server side includes: the agent program carries out hash operation on the port number and the IP address to obtain an operation result; and the agent program stores the corresponding relation between the auditing equipment and the operation result.
According to another aspect of the present application, there is also provided a database traffic audit processing system under a multi-database server, including: the first acquisition module is positioned in the deployment program and is used for acquiring the type of each database of all databases installed on a server, wherein one database client is used for connecting with each database server in all databases; the second acquisition module is positioned in the deployment program and is used for acquiring the characteristic information and the port number of each database according to the type of each database; the writing module is positioned in the deployment program and used for writing the characteristic information and the port number of each database into a file respectively; and taking the characteristic information of each database and the file corresponding to the port number as the file loaded when the plug-in is started, wherein each file corresponds to one plug-in, the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for carrying out database audit.
Further, the system further comprises: the plug-in, which is used for sending the acquired database flow to the agent program; and the agent program, which is used for sending the database flow to auditing equipment for auditing, wherein the agent program and the plug-in are both deployed on the server.
Further, the agent program is used for receiving information from the auditing equipment, wherein the information comprises a port number and an IP address of a database server side; the agent program is used for storing the corresponding relation between the port numbers and the IP addresses of the auditing equipment and the database server; and the agent program is used for transmitting database traffic from different port numbers and IP addresses to corresponding auditing equipment according to the corresponding relation.
Further, the agent is configured to perform hash operation on the port number and the IP address to obtain an operation result; and the agent program is used for storing the corresponding relation between the auditing equipment and the operation result.
According to another aspect of the present application, there is also provided an electronic device including a memory and a processor; wherein the memory is configured to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to perform the method steps described above.
According to another aspect of the present application there is also provided a readable storage medium having stored thereon computer instructions which when executed by a processor perform the above-mentioned method steps.
In the embodiment of the application, the type of each database of all databases installed on a server is acquired, wherein a database client is used for connecting with each database server in all databases; characteristic information and port numbers of each database are acquired according to the type of each database; the characteristic information and the port number of each database are written into a file respectively; and the file corresponding to the characteristic information and the port number of each database is taken as the file loaded when the plug-in is started, wherein each file corresponds to one plug-in, the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for carrying out database audit. The application solves the problem in the related art that, when different database servers are installed on one server or a plurality of database instances exist, the plug-ins installed on the database client cannot be distinguished and the database audit is affected, and thereby ensures that the database audit runs smoothly.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application. In the drawings:
FIG. 1 is a schematic diagram of three audit modes according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an audit traffic acquisition mode according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an agent program capturing database traffic from a network card according to an embodiment of the present application; and
FIG. 4 is a flowchart of a database traffic audit processing method under a multi-database server according to an embodiment of the present application.
Detailed Description
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
Technical terms related to the following embodiments will be first described below.
A socket is a network data transmission technology that uses the TCP/IP protocol family as its transport protocol and is used for cross-host communication. The Unix socket is an IPC (inter-process communication) mechanism developed on the socket framework. UDS (Unix Domain Socket) provides two API interfaces, stream-oriented and datagram-oriented, similar to TCP and UDP, in which messages are very reliable and are neither lost nor reordered. It is more efficient than a traditional socket, generally twice as efficient as TCP transmission; it does not pass through the network protocol stack and does not need to pack and unpack, calculate checksums, or maintain sequence numbers and acknowledgements, but only copies application-layer data from one process to another.
The probe is also called the agent, and the plug-in is also written plugin; the functions of the two are described below in connection with the database audit product. A database audit product analyzes network traffic to parse database information and perform auditing. For database auditing, several acquisition modes are provided for different types of database traffic: the mirrored traffic mode, the local audit mode and the local audit plug-in mode, each aimed at a different scenario. FIG. 1 is a schematic diagram of three audit modes according to an embodiment of the present application. As shown in FIG. 1, the mirrored traffic mode obtains the database flow to be audited (also referred to as audit data) through the traffic mirroring function of a switch and then sends the audit data to an auditing device (also referred to as an audit service) for auditing. The local audit mode deploys a small agent program on the device where the database is located; the agent obtains the database access traffic on the local network card and returns it to the auditing device. The local audit plug-in mode is aimed at the scenario in which the client and the database are used directly on the same device: the client can exchange data through shared memory, pipes, UDS and the like, and the traffic then cannot be acquired from the network card. In this case the traffic is acquired by deploying a plugin into the client, and the acquired traffic is sent to the agent program and then sent by the agent program to the auditing device.
FIG. 2 is a schematic diagram of an audit traffic acquisition mode according to an embodiment of the present application. As shown in FIG. 2, a database client (db-client) and a database server (db-server) are deployed on a database server, and a plugin is installed on the database client. The plugin captures the SQL interaction data between the database client and the server; this data is sent as audit data to an agent, and the agent then sends the audit data to an auditing device. The auditing device provides an interface and a program (called the rms program for short) for receiving the audit data, and then performs protocol analysis on the received audit data to obtain the final audit result.
In FIG. 2, the plugin is a program that may be embedded in a database client to obtain, through interface feature information, the traffic exchanged between the database client and the database server. In the following embodiments, the plugin may record the obtained feature information of the database client's packet send/receive interface in a file; the feature information differs for different client types and different client versions.
When the plugin is used, several cases may occur:
Case a: different versions of a database exist on one device, each distinguished by a different port.
Case b: multiple databases exist on one device, and the plugin needs to support multiple different types of databases and multiple databases.
Case c: cases a and b together, that is, multiple different databases exist on one device at the same time and each database has different instances. The use of the plugin has to be considered for all of the above cases. Thus, the following embodiments solve the problems that arise when a device has multiple different databases and/or multiple instances of a database.
In the following embodiment, a database traffic auditing method under a multi-database server is provided. FIG. 4 is a flowchart of the database traffic auditing method under the multi-database server according to an embodiment of the present application; the steps of the method shown in FIG. 4 are described below.
Step S402, obtaining the type of each database of all databases installed on a server, wherein a database client is used for connecting with each database server in all databases;
Step S404, obtaining characteristic information and port numbers of each database according to the type of each database;
Step S406, the characteristic information and the port number of each database are written into a file respectively;
As an alternative implementation, folders are established as follows: a folder is created for each different type of database; different instances of the same database use different port numbers, and each port number corresponds to a subfolder under that database's folder; each subfolder stores a plug-in and feature information, and when the plug-in is started it loads the feature information in the same folder.
Step S408, the characteristic information of each database and the file corresponding to the port number are used as the files loaded when the plug-in is started, wherein each file corresponds to one plug-in, the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for performing database audit.
By the steps, the problem that the database audit is affected due to indistinguishable plug-ins installed on the database client under the condition that different database servers are installed on one server or a plurality of database instances exist in the related art is solved, and accordingly smooth running of the database audit can be guaranteed.
In one embodiment, the method further comprises: the plug-in sends the acquired database flow to an agent program; and the agent program sends the database flow to auditing equipment for auditing, wherein the agent program and the plug-in are both deployed on the server.
In the above step, optionally, the agent sending the database traffic to the auditing device for auditing includes: the agent program receives information from auditing equipment, wherein the information comprises a port number and an IP address of a database server side; the agent program stores the corresponding relation between the port numbers and the IP addresses of the auditing equipment and the database server; and the agent program sends the database traffic from different port numbers and IP addresses to corresponding auditing equipment according to the corresponding relation.
As an optional implementation, when the same port number and IP address are issued by different auditing devices, the agent program periodically obtains the load of the different auditing devices and, in the next period, splits the database traffic among the different auditing devices according to the load proportion of each auditing device.
In the above step, optionally, the agent saving the correspondence between the port numbers and the IP addresses of the auditing device and the database server includes: the agent program carries out hash operation on the port number and the IP address to obtain an operation result; and the agent program stores the corresponding relation between the auditing equipment and the operation result.
In the following, Linux is taken as an example to describe how the plugin is deployed. The plugin is deployed by a deployment program, and the deployment may comprise the following steps:
Step 1, the deployment program obtains the characteristic information of the specified database, the listening port number and the like according to the type of the database. The characteristic information indicates the information used to connect with the database.
Step 2, the deployment program stores the characteristic information under a specified path according to the database type and the port number information.
For example, two folders, oracle and mysql, may be saved under the dbtap directory, with two folders 1521 and 1522 under the oracle folder and two folders 3306 and 3307 under the mysql folder; a feature information file (feature) and a plug-in (libhook.so) are deployed in each of these folders. Here 1521, 1522, 3306 and 3307 each indicate a port number, that is, a folder is created for each port number. In this way, a folder is created for each different type of database, and different instances of the same database use different port numbers, each port number corresponding to a subfolder under the database folder.
Step 3, the client is started and the plugin is loaded according to the type and port of the database, that is, libhook.so is started.
Step 4, the plugin loads the characteristic information and acquires the SQL information exchanged between the client and the server.
Step 5, the plugin sends the acquired data to the agent by inter-process communication (e.g., a Unix domain socket), although other modes are also contemplated.
Step 6, the agent sends the acquired data to the auditing device through a socket.
In the above steps, loading the plugin relies on the LD_PRELOAD environment variable under Linux, which is set so that the client loads libhook.so. For the steps of loading the characteristic information and acquiring the SQL exchanged between the client and the server, the client's packet send/receive interface is re-implemented in the libhook.so library file: the plug-in implements a packet send/receive interface for the database client, which replaces the original packet send/receive interface of the database client.
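The folder layout of steps 1 and 2 and the choice of the LD_PRELOAD path in step 3, as an added example in C that is not the patent's or the vendor's code. Only dbtap, feature, libhook.so and the port numbers come from the text above; the function names, return codes and the permission check on the preloaded library are assumptions.

```c
/* Added example: dbtap/<type>/<port>/{feature,libhook.so} layout.
 * Function names and return codes are assumptions, not the patent's code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PATH_CAP 512

/* Only short lowercase names, so a database type cannot escape the root. */
static int valid_type(const char *t) {
    size_t n = strlen(t);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!((t[i] >= 'a' && t[i] <= 'z') || (t[i] >= '0' && t[i] <= '9')))
            return 0;
    return 1;
}

static int make_dir(const char *p) {
    struct stat st;
    if (mkdir(p, 0755) == 0) return 0;
    if (errno != EEXIST) return -1;
    return (stat(p, &st) == 0 && S_ISDIR(st.st_mode)) ? 0 : -1;
}

/* Build <root>/<type>/<port><suffix>; returns 0 if it fits in out. */
static int inst_path(char *out, const char *root, const char *type,
                     int port, const char *suffix) {
    int n = snprintf(out, PATH_CAP, "%s/%s/%d%s", root, type, port, suffix);
    return (n > 0 && n < PATH_CAP) ? 0 : -1;
}

/* Steps 1-2: create the per-instance folder and store its feature file. */
int deploy_instance(const char *root, const char *type, int port,
                    const char *feature_text) {
    char p[PATH_CAP];
    FILE *f;
    int ok;
    if (!valid_type(type) || port < 1 || port > 65535) return -1;
    if (make_dir(root) != 0) return -1;
    if (snprintf(p, sizeof p, "%s/%s", root, type) >= PATH_CAP) return -1;
    if (make_dir(p) != 0) return -1;
    if (inst_path(p, root, type, port, "") != 0 || make_dir(p) != 0) return -1;
    if (inst_path(p, root, type, port, "/feature") != 0) return -1;
    if ((f = fopen(p, "w")) == NULL) return -1;
    ok = fputs(feature_text, f) >= 0;
    if (fclose(f) != 0 || !ok) return -1;
    return chmod(p, 0644);   /* do not depend on the caller's umask */
}

/* Whatever LD_PRELOAD names is code the client will execute: accept a path
 * only if it is the expected file type (symlinks are refused) and group and
 * others cannot write to it. */
static int owner_only_write(const char *p, int want_dir) {
    struct stat st;
    if (lstat(p, &st) != 0) return 0;
    if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode)) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Step 3: LD_PRELOAD assignment for the client of one database instance.
 * 0 = ok, -1 = no plug-in deployed for this type/port, -2 = unsafe modes. */
int preload_env_for(const char *root, const char *type, int port,
                    char *out, size_t cap) {
    char dir[PATH_CAP], lib[PATH_CAP], feat[PATH_CAP];
    struct stat st;
    int n;
    if (!valid_type(type) || port < 1 || port > 65535) return -1;
    if (inst_path(dir, root, type, port, "") != 0 ||
        inst_path(lib, root, type, port, "/libhook.so") != 0 ||
        inst_path(feat, root, type, port, "/feature") != 0) return -1;
    if (lstat(lib, &st) != 0 || lstat(feat, &st) != 0) return -1;
    if (!owner_only_write(dir, 1) || !owner_only_write(lib, 0) ||
        !owner_only_write(feat, 0)) return -2;
    n = snprintf(out, cap, "LD_PRELOAD=%s", lib);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void) {
    char env[PATH_CAP + 16];
    const int ports[] = { 1521, 1522, 3306, 3307 };
    for (int i = 0; i < 4; i++)
        if (deploy_instance("dbtap", i < 2 ? "oracle" : "mysql", ports[i],
                            "constructed feature data\n") != 0)
            return 1;
    /* libhook.so has not been copied in yet, so this reports -1. */
    printf("%d\n", preload_env_for("dbtap", "oracle", 1521, env, sizeof env));
    return 0;
}
```

The check covers only the instance folder and its two files; the parent folders up to the root need the same restriction for the result to mean anything.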
After the plug-in sends the data to the agent, if the server where the agent is located only has one database, the flow of the database received by the agent comes from one database, and at this time, the agent obtains the flow and then directly sends the flow to the auditing equipment.
In addition to acquiring database traffic from the plugin, the agent also captures traffic from the network card. FIG. 3 is a schematic diagram of the agent program capturing database traffic from the network card according to an embodiment of the present application. As shown in FIG. 3, the database client and the database server interact through network card 2, that is, all database traffic between the database client and the database server passes through network card 2; the agent captures the database traffic through the network card and then sends it to the auditing device through network card 2, and the auditing device receives the database traffic through the rms program and then performs auditing.
There are several cases for agent capture:
Case 1: multiple databases exist on one device and all are configured on one auditing device; the agent is required to capture and filter all of them.
Case 2: multiple databases exist on one device and are configured on different auditing devices; the agent is required to distribute the traffic of the different databases to the different auditing devices, so that the purpose of backup is achieved.
Case 3: one or more databases exist on one device and are configured on different auditing devices; the agent needs to send according to a policy and automatically send to a second device when the first device cannot accept audit data.
In the above cases, multiple auditing devices have to be used because the number of databases, the device pressure, the disk storage or other information on one auditing device reaches its upper limit; or because multiple databases on the database device belong to different actual departments, between which audit separation must be kept. Sending the traffic to different auditing devices also reduces the network pressure on a single device and the traffic-processing pressure for a single database.
In the following embodiments, multiple auditing devices managing one agent at the same time are supported, so that the case in which multiple databases on a single device need auditing at the same time can be handled. The agent may send the traffic of different databases to different auditing devices, which reduces the pressure on a single auditing device, the network traffic pressure, and the traffic-processing load on the auditing device.
Step 11, an agent program is deployed and started on the database; the agent listens on a designated port and starts to accept connections from all auditing devices.
Step 12, the client configures an audit policy on the auditing device and issues it to the agent; the policy includes the IP+PORT information of a database, and the IP+PORT issued by different auditing devices may be repeated.
For example, DAS1 is IP1+PORT1, DAS1 is IP1+PORT2, and DAS2 is IP1+PORT3. Here IP1+PORT1 indicates that database server traffic from IP address IP1 and port number PORT1 is sent to auditing device 1 (i.e., DAS1); the other two have the same meaning and are not described in detail here.
In another example, if the IP+PORT information of the databases issued by auditing device 1 and auditing device 2 is the same, the agent may send the database traffic of that IP+PORT to auditing device 1 and/or auditing device 2, and the agent may determine the sending policy itself. For example, the agent may periodically obtain the load of the different auditing devices and, in the next period, split the database traffic among the different auditing devices according to the load proportion of each auditing device.
Step 13, the agent parses the received policy into a hash structure, so that the agent can look it up quickly.
Step 14, after the agent captures a data packet, it looks up the hash to obtain the address of the auditing device to which the packet is to be sent, and sends the data to that auditing device.
Step 15, the rms program on the auditing device receives the sent data and performs auditing, storage and other operations.
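One way to realise steps 12 to 14, added here as an illustration and not taken from the patent: a policy table keyed on a hash of IP and port, where traffic for an IP+PORT issued by several auditing devices is split by per-period weights and a device that cannot accept data is skipped. The FNV-1a hash, the table sizes, the weight and availability fields and the address 10.0.0.5 are assumptions.

```c
/* Added example: agent-side policy table keyed on hash(IP, port).
 * FNV-1a, the table sizes and all identifiers are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKETS  64
#define MAX_KEYS 32
#define MAX_DEVS 4      /* auditing devices that issued the same IP+PORT */

struct route {
    uint32_t ip;            /* database server IPv4, host byte order */
    uint16_t port;
    int ndev;
    const char *dev[MAX_DEVS];  /* caller keeps these strings alive */
    int weight[MAX_DEVS];   /* share of traffic for the current period */
    int up[MAX_DEVS];       /* 0 when the device cannot accept audit data */
    unsigned seq;           /* packets routed so far, drives the split */
    struct route *next;     /* chain for colliding hashes */
};

static struct route pool[MAX_KEYS];
static int pool_used;
static struct route *table[BUCKETS];

static uint32_t hash_ip_port(uint32_t ip, uint16_t port) {
    const uint8_t k[6] = { (uint8_t)(ip >> 24), (uint8_t)(ip >> 16),
                           (uint8_t)(ip >> 8), (uint8_t)ip,
                           (uint8_t)(port >> 8), (uint8_t)port };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 6; i++) { h ^= k[i]; h *= 16777619u; }
    return h;
}

static struct route *find(uint32_t ip, uint16_t port) {
    struct route *r = table[hash_ip_port(ip, port) % BUCKETS];
    /* Compare the full key: two database instances may share a bucket. */
    while (r && !(r->ip == ip && r->port == port)) r = r->next;
    return r;
}

/* Steps 12-13: auditing device `dev` issued a policy for ip:port. */
int policy_add(const char *dev, uint32_t ip, uint16_t port) {
    struct route *r = find(ip, port);
    if (!r) {
        uint32_t b = hash_ip_port(ip, port) % BUCKETS;
        if (pool_used == MAX_KEYS) return -1;
        r = &pool[pool_used++];
        memset(r, 0, sizeof *r);
        r->ip = ip;
        r->port = port;
        r->next = table[b];
        table[b] = r;
    }
    for (int i = 0; i < r->ndev; i++)
        if (strcmp(r->dev[i], dev) == 0) return 0;   /* already recorded */
    if (r->ndev == MAX_DEVS) return -1;
    r->dev[r->ndev] = dev;
    r->weight[r->ndev] = 1;
    r->up[r->ndev] = 1;
    r->ndev++;
    return 0;
}

/* Called once per period, after the agent has collected device load. */
int policy_set(const char *dev, uint32_t ip, uint16_t port, int weight, int up) {
    struct route *r = find(ip, port);
    if (weight < 0) return -1;
    for (int i = 0; r && i < r->ndev; i++)
        if (strcmp(r->dev[i], dev) == 0) {
            r->weight[i] = weight;
            r->up[i] = up;
            return 0;
        }
    return -1;
}

/* Step 14: pick the auditing device for one captured packet. NULL means no
 * policy covers this ip:port (filtered out) or no device can accept data. */
const char *route_packet(uint32_t ip, uint16_t port) {
    struct route *r = find(ip, port);
    int total = 0, slot;
    if (!r) return NULL;
    for (int i = 0; i < r->ndev; i++)
        if (r->up[i]) total += r->weight[i];
    if (total <= 0) return NULL;
    slot = (int)(r->seq++ % (unsigned)total);
    for (int i = 0; i < r->ndev; i++) {
        if (!r->up[i]) continue;
        if (slot < r->weight[i]) return r->dev[i];
        slot -= r->weight[i];
    }
    return NULL;
}

int main(void) {
    const uint32_t ip1 = 0x0A000005u;   /* 10.0.0.5, constructed */
    const char *d;
    policy_add("DAS1", ip1, 1521);
    policy_add("DAS1", ip1, 1522);
    policy_add("DAS2", ip1, 3306);
    d = route_packet(ip1, 3306);
    printf("%s\n", d ? d : "(unaudited)");
    return 0;
}
```

How a reported load is turned into a weight is left to the caller, since the text only says the split follows the load proportion of each auditing device.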
By the steps, the problem that the database audit is affected due to indistinguishable plug-ins installed on the database client under the condition that different database servers are installed on one server or a plurality of database instances exist in the related art is solved, and accordingly smooth running of the database audit can be guaranteed.
In this embodiment, there is provided an electronic device including a memory in which a computer program is stored, and a processor configured to run the computer program to perform the method in the above embodiment.
The above-described programs may be run on a processor or may be stored in memory (also referred to as computer-readable media), which includes permanent and non-permanent, removable and non-removable media; information storage may be implemented by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks, and corresponding steps may be implemented in different modules.
Such an apparatus or system is provided in this embodiment. The system is called a database flow audit processing system under a multi-database server, and comprises: the first acquisition module is positioned in the deployment program and is used for acquiring the type of each database of all databases installed on a server, wherein one database client is used for connecting with each database server in all databases; the second acquisition module is positioned in the deployment program and is used for acquiring the characteristic information and the port number of each database according to the type of each database; the writing module is positioned in the deployment program and used for writing the characteristic information and the port number of each database into a file respectively; and taking the characteristic information of each database and the file corresponding to the port number as the file loaded when the plug-in is started, wherein each file corresponds to one plug-in, the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for carrying out database audit.
The system or the device is used for realizing the functions of the method in the above embodiment, and each module in the system or the device corresponds to each step in the method, which has been described in the method, and will not be described herein.
Optionally, the method further comprises: the plug-in is used for sending the acquired database flow to the agent; and the agent program is used for sending the database flow to auditing equipment for auditing, wherein the agent program and the spread are both deployed on the server.
Optionally, the agent is configured to receive information from an auditing device, where the information includes a port number and an IP address of a database server; the agent program is used for storing the corresponding relation between the port numbers and the IP addresses of the auditing equipment and the database server; and the agent program is used for transmitting database traffic from different port numbers and IP addresses to corresponding auditing equipment according to the corresponding relation.
Optionally, the agent is configured to perform hash operation on the port number and the IP address to obtain an operation result; and the agent program is used for storing the corresponding relation between the auditing equipment and the operation result.
Through this embodiment, the problem in the related art that database auditing is affected because the plug-ins installed on the database client cannot be distinguished when different database servers are installed on one server or multiple database instances exist is solved, so that database auditing can run smoothly.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (10)

1. A database flow audit processing method under a multi-database server side is characterized by comprising the following steps:
acquiring the type of each database of all databases installed on a server, wherein a database client is used for connecting with each database server in all databases;
acquiring characteristic information and port numbers of each database according to the type of each database;
writing the characteristic information and the port number of each database into a file respectively;
and taking the characteristic information of each database and the file corresponding to the port number as the file loaded when the plug-in is started, wherein each file corresponds to one plug-in, the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for carrying out database audit.
2. The method as recited in claim 1, further comprising:
the plug-in sends the acquired database flow to an agent program;
and the agent program sends the database flow to auditing equipment for auditing, wherein the agent program and the spread are both deployed on the server.
3. The method of claim 2, wherein the agent sending the database traffic to the auditing device for auditing includes:
the agent program receives information from auditing equipment, wherein the information comprises a port number and an IP address of a database server side;
the agent program stores the corresponding relation between the port numbers and the IP addresses of the auditing equipment and the database server;
and the agent program sends the database traffic from different port numbers and IP addresses to corresponding auditing equipment according to the corresponding relation.
4. A method according to claim 3, wherein the agent maintaining correspondence between port numbers and IP addresses of the auditing device and the database server comprises:
the agent program carries out hash operation on the port number and the IP address to obtain an operation result;
and the agent program stores the corresponding relation between the auditing equipment and the operation result.
5. A database traffic audit processing system under a multi-database server, comprising:
the first acquisition module is positioned in the deployment program and is used for acquiring the type of each database of all databases installed on a server, wherein one database client is used for connecting with each database server in all databases;
the second acquisition module is positioned in the deployment program and is used for acquiring the characteristic information and the port number of each database according to the type of each database;
the writing module is positioned in the deployment program and used for writing the characteristic information and the port number of each database into a file respectively; and taking the characteristic information of each database and the file corresponding to the port number as the file loaded when the plug-in is started, wherein each file corresponds to one plug-in, the plug-in is used for acquiring the database flow between the database client and the database server corresponding to the file, and the database flow is used for carrying out database audit.
6. The system of claim 5, further comprising: plug-ins, and agents, wherein,
the plug-in is used for sending the acquired database flow to the agent program;
and the agent program is used for sending the database flow to auditing equipment for auditing, wherein the agent program and the spread are both deployed on the server.
7. The system of claim 6, wherein:
the agent program is used for receiving information from auditing equipment, wherein the information comprises a port number and an IP address of a database server side;
the agent program is used for storing the corresponding relation between the port numbers and the IP addresses of the auditing equipment and the database server;
and the agent program is used for transmitting database traffic from different port numbers and IP addresses to corresponding auditing equipment according to the corresponding relation.
8. The system of claim 7, wherein:
the agent program is used for carrying out hash operation on the port number and the IP address to obtain an operation result;
and the agent program is used for storing the corresponding relation between the auditing equipment and the operation result.
9. An electronic device includes a memory and a processor; wherein the memory is for storing one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the method steps of any of claims 1 to 4.
10. A readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method steps of any of claims 1 to 4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310810240.7A CN116827830A (en) 2023-07-04 2023-07-04 Database flow audit processing method and system under multiple database servers

Publications (1)

Publication Number Publication Date
CN116827830A true CN116827830A (en) 2023-09-29

Family

ID=88121901

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310810240.7A Pending CN116827830A (en) 2023-07-04 2023-07-04 Database flow audit processing method and system under multiple database servers

Country Status (1)

Country Link
CN (1) CN116827830A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117093639A (en) * 2023-10-18 2023-11-21 北京安华金和科技有限公司 Socket connection processing method and system based on audit service
CN117093639B (en) * 2023-10-18 2024-01-26 北京安华金和科技有限公司 Socket connection processing method and system based on audit service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination