CN1889459A - Journal formatting unit and method in safety management center system - Google Patents


Info

Publication number: CN1889459A
Authority: CN (China)
Prior art keywords: security object; object equipment; formatting; journal; descriptor
Legal status: Granted (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN 200610036617
Other languages: Chinese (zh)
Other versions: CN100514916C (en)
Inventor: 徐君
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date: 2006-07-20
Filing date: 2006-07-20
Publication date: 2007-01-03
Events: application filed by Huawei Technologies Co Ltd; priority to CNB2006100366174A (granted as CN100514916C); publication of CN1889459A; application granted and CN100514916C published; legal status active.

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

A log formatting unit in a security management center system comprises a storage unit that stores, for each security object device, a log formatting descriptor in a form corresponding to that device, and a formatting unit that formats the log of each security object device according to the log formatting descriptor corresponding to that device. A log formatting method in a security management center system is also disclosed.

Description

Log formatting unit and method in a security management center system
Technical field
The present invention relates to log processing technology, and in particular to a log formatting unit and method in a security management center system.
Background art
The main function of a security management center (Security Operation Center, SOC) system is to collect logs from various security object devices (hosts, firewalls, IDS, databases, web servers and so on), format them, and then perform correlation analysis to generate security-related logs. Collecting the logs of the various security object devices is therefore an important task of the SOC system. Because the log formats produced by the various security object devices all differ, how to process these logs in a unified way has become an important problem.
In the prior art, the logs of various formats produced by the various security objects (mainly SYSLOG and SNMP TRAP) are handled by code matching: the content of each security object device's log is extracted by code and filled into a unified format, so that for essentially every log format of a security object device a corresponding piece of code has to be written to handle it.
As shown in Figure 1, for each type of security object device, for example the illustrated type-A firewall, type-B firewall and router, a corresponding formatter 1, formatter 2 and formatter 3 must be written to format the logs reported by the respective device type, finally generating logs in a unified format. This scheme has the following shortcoming:
When a new security object device is added, or the log format of a security object device changes, the corresponding formatter must be added or revised before the logs can be collected and formatted correctly. In other words, the code of the SOC system must be modified and released again, which makes the maintenance burden large, causes frequent system upgrades, and requires the system to be recompiled for every code change.
Summary of the invention
The technical problem solved by the present invention is to provide a log formatting unit and method in a security management center system, so that when a new security object device is added to the security management center system, or the log format of a security object device changes, no corresponding code modification is needed, no code needs to be rewritten and the system recompiled, and frequent system upgrades are avoided.
To solve the above problem, the log formatting unit in the security management center system of the present invention, where the security management center system comprises a plurality of security object devices, comprises:
a storage unit, used to store the log formatting descriptor corresponding to each security object device;
a formatting unit, used to format the log of each security object device according to the log formatting descriptor corresponding to that security object device.
The formatting unit specifically comprises:
a loading unit, used to load the log formatting descriptor corresponding to the log format of each security object device;
a log formatting descriptor acquiring unit, used to obtain the log formatting descriptor corresponding to a security object device;
a format processing unit, used to format the log of that security object device according to the log formatting descriptor corresponding to it.
The log formatting descriptor comprises the identification information of the security object device, the name of each field that needs to be extracted from the log format of that device, and the extraction formula for each field;
the log formatting descriptor acquiring unit specifically comprises:
a query processing unit, used to query, according to the security object device identification information, whether the field names and field extraction formulas for the log formatting of that security object device exist;
an extraction unit, used to extract the field names and field extraction formulas for the log formatting of that security object device when the query result of the query processing unit is affirmative.
The security object device identification information is the type and/or version information of the security object.
Correspondingly, the log formatting method in a security management center system of the present invention comprises:
loading the log formatting descriptor corresponding to the log format of each security object device;
receiving the log of a security object device and obtaining the log formatting descriptor corresponding to that security object device;
formatting the log of that security object device according to the log formatting descriptor corresponding to it.
The log formatting descriptor comprises the identification information of the security object device, the name of each field that needs to be extracted from the log format of that device, and the extraction formula for each field;
obtaining the log formatting descriptor corresponding to the security object device specifically comprises:
querying, according to the security object device identification information, whether the field names and field extraction formulas for the log formatting of that security object device exist;
extracting the field names and field extraction formulas for the log formatting of that security object device when the query result is affirmative.
The security object device identification information is the type and/or version information of the security object.
Compared with the prior art, the present invention has the following beneficial effects:
The present invention stores in advance the log formatting descriptor corresponding to each security object device; after the log of a security object device is received, the log is formatted according to the log formatting descriptor corresponding to that device. Because a description-based approach is adopted, the information needed to format the logs of the various security object devices is explicitly described by the log formatting descriptors, and the log of each security object device need only be formatted according to its corresponding descriptor. When a new security object device is added to the security management center system, or the log format of a security object device changes, only the new log formatting descriptor needs to be loaded; no code needs to be modified, and no code needs to be rewritten and the system recompiled. This reduces the development and maintenance workload, reduces frequent system upgrades, effectively saves cost, and improves the running quality and stability of the system.
Description of drawings
Fig. 1 is a schematic diagram of log formatting in a prior-art security management center system;
Fig. 2 is a functional module diagram of the log formatting unit in the security management center system of the present invention;
Fig. 3 is a schematic diagram of an example in which the log formatting unit in the security management center system of the present invention performs log formatting;
Fig. 4 is the main flow chart of the log formatting method in the security management center system of the present invention.
Detailed description
The core of the present invention is a description-based approach: the information needed to format the logs of the various security object devices is explicitly described by log formatting descriptors, and the log of each security object device need only be formatted according to its corresponding descriptor. When a new security object device is added to the security management center system, or the log format of a security object device changes, only the new log formatting descriptor needs to be loaded; no code needs to be modified, no code needs to be rewritten and the system recompiled, and the system does not have to be upgraded frequently. This is described in detail below.
Reference is made to Fig. 2, which is a functional module diagram of the log formatting unit in the security management center system of the present invention.
In the present invention the log formatting unit of the security management center system mainly comprises a storage unit 1 and a formatting unit 2, where:
the storage unit 1 is mainly used to store the log formatting descriptor corresponding to each security object device. In a specific implementation, the log formatting descriptor can comprise the identification information of the security object device (for example the security object device type, version number and so on), the name of each field that needs to be extracted from the log format of that device, and the extraction formula for each field;
the formatting unit 2 is mainly used to format the log of each security object device according to the log formatting descriptor corresponding to that device, as stored in the storage unit 1. As one concrete implementation, the formatting unit 2 can comprise:
a loading unit 21, mainly used to load the log formatting descriptor corresponding to the log format of each security object device. In the present invention the log formatting unit must provide an interface that allows the user to trigger reloading of the log description table, so as to implement dynamic loading in the system;
a log formatting descriptor query and acquiring unit 22, mainly used to query and obtain the log formatting descriptor corresponding to a security object device. In a specific implementation in which the log formatting descriptor comprises the security object device identification information, the name of each field that needs to be extracted from the log format of that device and the extraction formula for each field, the log formatting descriptor query and acquiring unit 22 specifically comprises:
a query processing unit 221, used to query, according to the security object device identification information, whether the field names and field extraction formulas for the log formatting of that security object device exist;
an extraction unit 222, used to extract the field names and field extraction formulas for the log formatting of that security object device when the query result of the query processing unit is affirmative;
a format processing unit 23, mainly used to format the log of that security object device according to the log formatting descriptor corresponding to it, as obtained by the query.
In the invention described above, the security management center system can customize a corresponding log formatting descriptor for the log format of each security object device and the logs it produces. The log formatting description corresponding to each security object device can be stored in the form of a log formatting descriptor table. This table describes which fields the log of the specific format produced by each security object device contains, together with information such as the type, position and identifier of each field, and, for each field, the field name in the formatted log and the extraction formula. An example of such a log formatting descriptor table is shown in Table 1 (the extraction formulas are regular expressions; the backslashes lost in extraction of the page have been restored):
Table 1
Type   Version   Field       Extraction formula
PIX    5         ID          .*-\S+-(\d+):.*
PIX    5         Source IP   .*\s*from\s*[host]?\s*(\d+\.\d+\.\d+\.\d+).*
Table 1 above is part of a log formatting descriptor table describing how to extract information from the logs reported by a certain firewall. After a log of this firewall device is received, the records corresponding to the device are looked up in the log formatting descriptor table according to the type, version and similar information of the firewall device. From these records it can be determined which fields the log reported by this firewall device contains; the relevant information is then extracted according to the extraction method corresponding to each field and mapped into the fields of the formatted log. When a new security object device type is added, or the log format of some security object device type changes (for example fields are added or deleted, or a field definition changes), the formatting of the new device's logs can be completed merely by updating the log formatting descriptor table, without writing code, without recompiling, and even without restarting the program. This is illustrated below.
Reference is made to Fig. 3, which is a schematic diagram of an example in which the log formatting unit in a security management center system performs log formatting.
In this embodiment the security management center system comprises 3 kinds of security object devices: a type-A firewall, a type-B firewall and a router. In the prior art a corresponding formatter 1, formatter 2 and formatter 3 would have to be written to format the logs reported by each device type, whereas in the present invention a single unified log formatting unit suffices. After the log formatting unit receives the log of a security object device, for example a log of the type-A firewall, it obtains the configured log formatting descriptor corresponding to the type-A firewall and formats the log according to the description in that descriptor; when it receives a log of the type-B firewall, it obtains the configured log formatting descriptor corresponding to the type-B firewall and formats the log according to that descriptor. When a new security object device is added or the log format of a security object device changes, only the log formatting description table needs to be modified and then reloaded; no code needs to be rewritten.
Reference is made to Fig. 4, which is the main flow chart of the log formatting method of the security management center system of the present invention. The main workflow is as follows:
Step s11: during initialization of the log formatting unit, load the log formatting descriptor table to complete initialization.
Step s12: after a log is received, obtain the corresponding log formatting descriptor records according to the type and version information of the security object from which the log originates.
Step s13: according to the log formatting descriptor records, extract the relevant data from the log and generate the content of the corresponding fields of the formatted log.
Step s14: after analysis of a log is complete, fill the generated content into the corresponding fields of the formatted log, producing the formatted log.
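The descriptor-table mechanism of Table 1 and the flow of steps s11 to s14 above, implemented as an added Python example. This is editor-supplied illustration code, not code from the patent or from Huawei. It assumes a table of (type, version, field, extraction formula) rows; it uses the two Table 1 formulas with their backslashes restored and with '(?:host)?' in place of the page's '[host]?' (assumed to be the intended meaning, so that the IP address stays in capture group 1); and it adds a constructed 'RouterX' descriptor plus constructed sample log lines to show that a new device type needs only new rows. It also adds a load-time check the patent does not mention: each formula must compile and contain exactly one capture group.

```python
"""Descriptor-table-driven log formatting (added example; not the patent's own code)."""
import re

# Constructed descriptor table in the shape of Table 1: (type, version, field, extraction formula).
# Rows 1-2 are the Table 1 formulas with backslashes restored; '(?:host)?' is assumed to be the
# intended form of the page's '[host]?'. Rows 3-4 are a constructed descriptor for a hypothetical
# "RouterX" device, added to show that supporting a new device type needs only new rows.
DESCRIPTOR_TABLE = [
    ("PIX", "5", "ID", r".*-\S+-(\d+):.*"),
    ("PIX", "5", "Source IP", r".*\s*from\s*(?:host)?\s*(\d+\.\d+\.\d+\.\d+).*"),
    ("RouterX", "1", "ID", r"EV(\d+) .*"),
    ("RouterX", "1", "Source IP", r".* src=(\d+\.\d+\.\d+\.\d+).*"),
]


class DescriptorError(ValueError):
    """A descriptor row cannot be used: the formula does not compile or has the wrong group count."""


def load_descriptors(rows):
    """Step s11 (loading unit 21): compile the descriptor rows into
    {(type, version): [(field name, compiled formula), ...]}.

    Each formula is validated here, at (re)load time, rather than at formatting time:
    it must compile and contain exactly one capture group, the group that holds the
    field value. A bad row therefore rejects the whole reload instead of silently
    producing empty fields in production."""
    table = {}
    for dev_type, version, field_name, formula in rows:
        try:
            rx = re.compile(formula)
        except re.error as exc:
            raise DescriptorError(f"{dev_type}/{version}/{field_name}: {exc}") from exc
        if rx.groups != 1:
            raise DescriptorError(
                f"{dev_type}/{version}/{field_name}: expected 1 capture group, got {rx.groups}")
        table.setdefault((dev_type, version), []).append((field_name, rx))
    return table


def lookup_descriptor(table, dev_type, version):
    """Step s12 (query processing unit 221): the descriptor records for the device
    identified by type and version, or None when the table has no entry for it."""
    return table.get((dev_type, version))


def format_log(table, dev_type, version, raw_line):
    """Steps s13-s14: extract every descriptor field from one raw log line and fill the
    unified record. Returns None when the device has no descriptor (the log cannot be
    formatted). A field whose formula does not match the line is set to None so that
    one missing field does not drop the whole event."""
    records = lookup_descriptor(table, dev_type, version)
    if records is None:
        return None
    unified = {"type": dev_type, "version": version, "raw": raw_line}
    for field_name, rx in records:
        m = rx.fullmatch(raw_line.rstrip("\r\n"))
        unified[field_name] = m.group(1) if m else None
    return unified


# Constructed sample logs (type, version, raw line); not taken from the page.
SAMPLE_LOGS = [
    ("PIX", "5", "%PIX-2-106001: Inbound TCP connection denied from 10.1.1.5/4321 "
                 "to 192.168.1.10/80 flags SYN on interface outside"),
    ("PIX", "5", '%PIX-4-106023: Deny tcp src outside:10.1.1.5/4321 '
                 'dst inside:192.168.1.10/80 by access-group "acl_out"'),
    ("RouterX", "1", "EV42 link-down if=ge0 src=172.16.0.9"),
    ("ASA", "8", "%ASA-6-302013: Built inbound TCP connection"),  # no descriptor loaded
]


def run(rows=DESCRIPTOR_TABLE, logs=SAMPLE_LOGS):
    """Load the table once, then format each sample log; returns the unified records."""
    table = load_descriptors(rows)
    return [format_log(table, dev_type, version, line) for dev_type, version, line in logs]


if __name__ == "__main__":
    for record in run():
        print(record)
    # Supporting the ASA device afterwards is a descriptor change plus a reload, not a code change.
    extended = DESCRIPTOR_TABLE + [("ASA", "8", "ID", r".*-\S+-(\d+):.*")]
    print(run(extended)[3])
```

Because the formulas in the descriptor table are executed as regular expressions by the formatter, the table is trusted configuration: anyone who can change a descriptor controls what the SOC extracts from a device's logs, and formulas that begin with '.*', as the Table 1 formulas do, can backtrack heavily on long lines that do not match. Descriptor changes therefore belong under the same change control and review as code, even though, as the patent describes, they no longer require a rebuild or restart.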
In summary, the present invention adopts a description-based approach: the information needed to format the logs of the various security object devices is explicitly described by log formatting descriptors, and the log of each security object device need only be formatted according to its corresponding descriptor. When a new security object device is added to the security management center system, or the log format of a security object device changes, only the new log formatting descriptor needs to be loaded; no code needs to be modified, and no code needs to be rewritten and the system recompiled. This reduces the development and maintenance workload, reduces frequent system upgrades, effectively saves cost, and improves the running quality and stability of the system.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (7)

1. A log formatting unit in a security management center system, the security management center system comprising a plurality of security object devices, characterized in that the log formatting unit comprises:
a storage unit, used to store the log formatting descriptor corresponding to each security object device;
a formatting unit, used to format the log of each security object device according to the log formatting descriptor corresponding to that security object device.
2. The log formatting unit in a security management center system according to claim 1, characterized in that the formatting unit specifically comprises:
a loading unit, used to load the log formatting descriptor corresponding to the log format of each security object device;
a log formatting descriptor acquiring unit, used to obtain the log formatting descriptor corresponding to a security object device;
a format processing unit, used to format the log of that security object device according to the log formatting descriptor corresponding to it.
3. The log formatting unit in a security management center system according to claim 2, characterized in that the log formatting descriptor comprises the identification information of the security object device, the name of each field that needs to be extracted from the log format of that device, and the extraction formula for each field;
the log formatting descriptor acquiring unit specifically comprises:
a query processing unit, used to query, according to the security object device identification information, whether the field names and field extraction formulas for the log formatting of that security object device exist;
an extraction unit, used to extract the field names and field extraction formulas for the log formatting of that security object device when the query result of the query processing unit is affirmative.
4. The log formatting unit in a security management center system according to claim 3, characterized in that the security object device identification information is the type and/or version information of the security object.
5. A log formatting method in a security management center system, characterized in that it comprises:
loading the log formatting descriptor corresponding to the log format of each security object device;
receiving the log of a security object device and obtaining the log formatting descriptor corresponding to that security object device;
formatting the log of that security object device according to the log formatting descriptor corresponding to it.
6. The log formatting method in a security management center system according to claim 5, characterized in that the log formatting descriptor comprises the identification information of the security object device, the name of each field that needs to be extracted from the log format of that device, and the extraction formula for each field;
obtaining the log formatting descriptor corresponding to the security object device specifically comprises:
querying, according to the security object device identification information, whether the field names and field extraction formulas for the log formatting of that security object device exist;
extracting the field names and field extraction formulas for the log formatting of that security object device when the query result is affirmative.
7. The log formatting method in a security management center system according to claim 6, characterized in that the security object device identification information is the type and/or version information of the security object.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100366174A CN100514916C (en) 2006-07-20 2006-07-20 Journal formatting unit and method in safety management center system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006100366174A CN100514916C (en) 2006-07-20 2006-07-20 Journal formatting unit and method in safety management center system

Publications (2)

Publication Number Publication Date
CN1889459A true CN1889459A (en) 2007-01-03
CN100514916C CN100514916C (en) 2009-07-15

Family

ID=37578719


Country Status (1)

Country Link
CN (1) CN100514916C (en)


Cited By (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102065416A * | 2009-11-18 | 2011-05-18 | Chengdu Huawei Symantec Technologies Co Ltd | Method, device and system for formatting logs
CN102065416B * | 2009-11-18 | 2014-11-19 | Chengdu Huawei Symantec Technologies Co Ltd | Method, device and system for formatting logs
CN103593277A * | 2012-08-15 | 2014-02-19 | Shenzhen Shiji Guangsu Information Technology Co Ltd | Log processing method and system
CN103929329A * | 2014-04-14 | 2014-07-16 | Baidu Online Network Technology (Beijing) Co Ltd | Log processing and configuration method, configuration server, service end device and system
CN104869022A * | 2015-05-27 | 2015-08-26 | Beijing Jingdong Shangke Information Technology Co Ltd | Log acquisition method and system
CN104869022B * | 2015-05-27 | 2019-01-11 | Beijing Jingdong Shangke Information Technology Co Ltd | Log collection method and system
CN107995149A * | 2016-10-26 | 2018-05-04 | Beijing Gridsum Technology Co Ltd | Method and apparatus for processing unexpected messages
CN109343993A * | 2018-09-28 | 2019-02-15 | Zhengzhou Yunhai Information Technology Co Ltd | Error message processing method and device for a cloud platform

Also Published As

Publication number Publication date
CN100514916C (en) 2009-07-15


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant