WO2010099754A1 - Log information transmission method and apparatus - Google Patents

Publication number
WO2010099754A1
Authority
WO
WIPO (PCT)
Prior art keywords
log
message
log information
processing
information including
Application number
PCT/CN2010/070876
Inventor
樊滑翔
Original Assignee
成都市华为赛门铁克科技有限公司
Application filed by 成都市华为赛门铁克科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L49/00 Packet switching elements
    • H04L49/90 Buffering arrangements

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method and an apparatus for transmitting log information.
  • Background
  • Logs are an important means of monitoring computer and network security, and an important way to assess computer and network security.
  • A log system often adopts a distributed deployment, in which logs generated by multiple services and/or devices are collected together for analysis and processing.
  • The party that generates the logs is called the log sender.
  • The party that collects the logs is called the log receiver. The log sender transmits log messages to the log receiver, and the log receiver receives logs from log senders in different geographical locations.
  • Syslog is a widely accepted log standard in the industry.
  • The new Syslog standard developed by the IETF allows larger log messages. While the Syslog/TLS standard and the Syslog-sign standard increase the security and reliability of Syslog, they also add a large amount of transmitted data such as certificates and signatures. At the same time, some applications, for example in the pharmaceutical industry, need to transmit large volumes of logs. All of this increases the amount of Syslog traffic and the likelihood of log delay and network congestion. Dealing promptly with the events that occur during Syslog log transmission is an effective means of ensuring the reliability and security of the log system.
  • The log receiver cannot detect in time the occurrence of log transmission events (such as filtering or reordering).
  • An embodiment of the invention provides a method and an apparatus for transmitting log information that enable the log receiver to detect promptly the sender's pre-processing events on the logs, improving the correctness of subsequent auditing and analysis of the logs.
  • An embodiment of the invention provides a method for sending log information, including:
  • When the load of the buffer queue of the log sender reaches a preset abnormal threshold, the log sender generates log information including a pre-processing event start message and sends it to the log receiver.
  • While the log sender is performing a pre-processing operation on the logs in its buffer queue, if it detects that the load of the buffer queue does not reach the preset abnormal threshold, it generates log information including a pre-processing event end message and sends it to the log receiver.
  • The pre-processing operation is performed by the log sender on the logs in the buffer queue when the load of the buffer queue of the log sender reaches the preset abnormal threshold.
  • An embodiment of the invention further provides an apparatus for sending log information, including:
  • a buffer unit, configured to store a queue of logs to be sent;
  • a detecting unit, configured to detect whether the load of the log queue of the buffer unit reaches a preset abnormal threshold;
  • a first log information generating unit, configured to generate log information including a pre-processing event start message when the detecting unit detects that the load of the log queue of the buffer unit reaches the preset abnormal threshold, and, while the apparatus is performing a pre-processing operation on the log information of the buffer unit, to generate log information including a pre-processing event end message when the detecting unit detects that the load of the log queue does not reach the preset abnormal threshold, where the pre-processing operation is performed by the apparatus on the log information of the buffer unit when the detecting unit detects that the load of the log queue of the buffer unit reaches the preset abnormal threshold;
  • a sending unit, configured to send the log information including the pre-processing event start message and the log information including the pre-processing event end message to the log receiver.
  • In the embodiments of the invention, the log sender generates log information including a pre-processing event start message or a pre-processing event end message and sends it to the log receiver, so that the log receiver learns in time of the pre-processing that the log sender applied to the logs to be sent when the load of its buffer queue reached the preset abnormal threshold, and of the resulting loss or reordering of logs, which improves the correctness of subsequent auditing and analysis of the log information.
  • FIG. 1 is a schematic structural diagram of the packet header of a Syslog protocol packet.
  • FIG. 2 is a schematic flowchart of a method for sending log information according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic flowchart of a method for sending log information according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic structural diagram of an apparatus for transmitting log information according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an apparatus for transmitting log information according to Embodiment 2 of the present invention.
  • Detailed description
  • The log information is described using a Syslog protocol packet as an example.
  • The Syslog protocol uses client/server communication, in which the server is the receiver of event packets.
  • The client can be the originator of the event, such as a device or process, or a relay entity.
  • A relay entity processes the Syslog events it receives from other senders (event originators or other relay entities) and then sends them to other receivers.
  • A Syslog protocol packet consists of three parts: the packet header, the structured data (Structured Data Element, SDE) and the message body.
  • The header includes the following fields: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, and MSGID.
  • PRI indicates the priority.
  • VERSION indicates the Syslog protocol version number.
  • TIMESTAMP indicates the timestamp at which the log was generated.
  • HOSTNAME indicates the host domain name or address of the log sender.
  • APP-NAME indicates the name of the application that generated the log.
  • PROCID indicates the process number of the log system.
  • MSGID indicates the message category of the log.
  • The structured data is composed of a series of structured elements, each of which includes a structured element name and a series of parameter name and parameter value pairs.
  • The message body is free-form text, and a Syslog log message may omit the message body.
  • FIG. 2 is a schematic flowchart of a method for sending log information according to an embodiment of the present invention. The steps include:
  • Step S10: Detect whether the load of the buffer queue of the log sender reaches a preset abnormal threshold.
  • The log sender stores the logs to be sent in its buffer queue.
  • The log sender detects in real time whether the load of the buffer queue reaches the preset abnormal threshold, for example whether the length of the buffer queue reaches a preset threshold; if it does, the process proceeds to step S12.
  • The log sender then performs pre-processing operations on the log information in the buffer queue, such as filtering out secondary logs, sending important logs first, or overwriting old logs.
  • Step S12: The log sender generates log information including a pre-processing event start message and sends it to the log receiver. The pre-processing event start message includes a pre-processing start time message and a pre-processing policy message.
  • After detecting in step S10 that the load of its buffer queue has reached the preset abnormal threshold, the log sender sends log information including a pre-processing event start message, in the same format as the log information in its buffer queue.
  • Syslog log information is used as an example for description.
  • The log information including the pre-processing event start message can be implemented by setting structured data (SDE) in the Syslog log information.
  • An SDE consists of a structured element name and a series of parameter name and parameter value pairs.
  • The SD-ID of the structured data is set to preprocess, and the parameter names and their attributes are described as follows:
  • The "pre-processing action" describes the pre-processing actions that the log sender applies to the logs to be sent in its buffer queue, such as filtering or out-of-order transmission. Filtering may include filtering out secondary logs, and out-of-order transmission may include sending important logs first or overwriting old logs.
  • The "time type" indicates whether the subsequent "time point" is the timestamp of the earliest pre-processed log or the timestamp of the latest pre-processed log.
  • For example, the pre-processing strategy is that all logs with a severity greater than 3 (minor logs) are filtered out, and the first filtered log was generated at "2009-02-13 15:00:00".
  • After receiving the log information including the pre-processing event start message, the receiver parses it and obtains the sender's pre-processing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's pre-processing event occurred and which pre-processing strategy was applied; by analysing that time and strategy it can tell from what time the log sender processed the logs, which improves the correctness of the audit and analysis. In addition, on obtaining the log information including the pre-processing event start message, the receiver learns promptly of extreme situations such as network congestion or a burst of logs, and can respond in time.
  • Step S14: While the log sender is performing a pre-processing operation on the logs in its buffer queue, if it detects that the load of the buffer queue does not reach the preset abnormal threshold, it generates log information including a pre-processing event end message and sends it to the log receiver. The pre-processing event end message includes a pre-processing end time message and a pre-processing policy message.
  • While the log sender performs pre-processing operations on the logs in its buffer queue, for example filtering out all logs with a severity greater than 3 (secondary logs), the number of logs in the buffer queue decreases. After a period of time, the log sender detects that the load of the buffer queue (for example, the length of the log queue) has fallen below the preset abnormal threshold, that is, the preset abnormal threshold is not reached. The log sender then ends the pre-processing operation, generates log information including the pre-processing event end message and sends it to the log receiver.
  • The log information including the pre-processing event end message can also be implemented by setting structured data (SDE) in the Syslog log information.
  • After parsing it, the receiver obtains the sender's pre-processing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's pre-processing ended and which pre-processing strategy was applied; by analysing the end time of the pre-processing event and the strategy it can tell at what time the log sender finished pre-processing the logs, which improves the correctness of the audit and analysis.
  • The log sender generates log information including a pre-processing event start message or a pre-processing event end message and sends it to the log receiver, so that the log receiver learns in time of the pre-processing that the log sender applied to the logs to be sent when the load of its buffer queue reached the preset abnormal threshold, and of the resulting loss or reordering of logs, which improves the correctness of subsequent auditing and analysis of the log information.
  • In addition, the log receiver learns promptly, through the log system itself, of extreme situations such as network congestion or a burst of logs, and can respond in time.
  • FIG. 3 is a schematic flowchart of a method for sending log information according to Embodiment 2 of the present invention. It is similar to the method of Embodiment 1; the difference is that the following step is further included before step S10:
  • Step S8: The log sender generates log information including a message describing the importance of logs and sends it to the log receiver.
  • After parsing the log information including the message describing the importance of logs, the log receiver uses that message to process the received logs accordingly.
  • The log information including the message describing the importance of logs can also be implemented by setting structured data (SDE) in the Syslog log information.
  • After receiving the log information including the message describing the importance of logs, the log receiver obtains that message and uses it to identify which logs are important. For example, a log sent by the log sender with a severity of less than 3 is an important log. When the log receiver is processing a large number of logs at the same time, it can process the important logs with a severity of less than 3 first, ensuring the safe and reliable reception and processing of important logs.
  • The log sender generates log information including a pre-processing event start message or a pre-processing event end message and sends it to the log receiver, so that the log receiver learns in time of the pre-processing applied when the load of the log sender's buffer queue reached the preset abnormal threshold. The log receiver also learns promptly, through the log system itself, of extreme conditions such as network congestion or a burst of logs, and can respond in time. Moreover, the log sender generates log information including a message describing the importance of logs and sends it to the log receiver, which enables the log receiver to identify important logs and ensures their safe and reliable reception and processing.
  • The apparatus for sending log information may include a client in the client/server mode of the Syslog protocol.
  • The apparatus for transmitting log information includes a buffer unit 52, a detecting unit 54, a first log information generating unit 56, and a log sending unit 58.
  • The buffer unit 52 is configured to store a queue of logs to be sent.
  • The detecting unit 54 is configured to detect whether the load of the log queue of the buffer unit 52 reaches a preset abnormal threshold.
  • The detecting unit 54 detects in real time whether the load of the buffer unit 52 reaches the preset abnormal value, for example whether the length of the log queue in the buffer unit 52 reaches a preset threshold.
  • The first log information generating unit 56 is configured to generate log information including a pre-processing event start message when the detecting unit 54 detects that the load of the log queue of the buffer unit 52 reaches the preset abnormal threshold. The pre-processing event start message includes a pre-processing start time message and a pre-processing policy message.
  • The log sending unit 58 is configured to send the log information including the pre-processing event start message generated by the first log information generating unit 56 to the log receiver.
  • The log information including the pre-processing event start message has the same format as the log information in the log queue of the buffer unit 52.
  • Syslog log information is taken as an example for description.
  • The log information including the pre-processing event start message can be implemented by setting structured data (SDE) in the Syslog log information.
  • An SDE consists of a structured element name and a series of parameter name and parameter value pairs. The syntax is as follows:
  • The SD-ID of the structured data is set to preprocess, and the parameter names and their attributes are described as follows:
  • The "pre-processing action" describes the pre-processing actions that the log sender applies to the logs to be sent in its buffer queue, such as filtering or out-of-order transmission. Filtering may include filtering out secondary logs, and out-of-order transmission may include sending important logs first or overwriting old logs.
  • The "time type" indicates whether the subsequent "time point" is the timestamp of the earliest pre-processed log or the timestamp of the latest pre-processed log.
  • For example, the pre-processing strategy is that all logs with a severity greater than 3 (minor logs) are filtered out, and the first filtered log was generated at "2009-02-13 15:00:00".
  • After receiving the log information including the pre-processing event start message, the log receiver parses it and obtains the sender's pre-processing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's pre-processing of the logs occurred and which pre-processing strategy was applied; by analysing that time and strategy it can tell from what time the log sender processed the logs, which improves the correctness of the audit and analysis. In addition, once the log information including the pre-processing event start message is obtained, extreme situations such as network congestion or a burst of logs are learned of promptly, so that the receiver can respond in time.
  • The first log information generating unit 56 is further configured to generate log information including a pre-processing event end message when, while the apparatus for transmitting log information is performing a pre-processing operation on the log information of the buffer unit 52, the detecting unit 54 detects that the load of the log queue of the buffer unit 52 does not reach the preset abnormal threshold.
  • The log sending unit 58 is further configured to send the log information including the pre-processing event end message generated by the first log information generating unit 56 to the log receiver.
  • The pre-processing operation is performed by the apparatus for transmitting log information on the log information of the buffer unit 52 when the detecting unit 54 detects that the load of the log queue of the buffer unit 52 reaches the preset abnormal threshold.
  • While the apparatus performs a pre-processing operation on the log information of the buffer unit 52, for example filtering out all logs with a severity greater than 3 (secondary logs), the number of logs in the buffer queue decreases. After a period of time, the apparatus detects that the load of the buffer queue (for example, the length of the log queue) has fallen below the preset abnormal threshold, that is, the preset abnormal threshold is not reached. The apparatus then ends the pre-processing operation, generates log information including the pre-processing event end message and sends it to the log receiver.
  • The log information including the pre-processing event end message can also be implemented by setting structured data (SDE) in the Syslog log information.
  • After parsing it, the receiver obtains the sender's pre-processing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's pre-processing ended and which pre-processing strategy was applied; by analysing the end time of the pre-processing event and the strategy it can tell at what time the log sender finished pre-processing the logs, which improves the correctness of the audit and analysis.
  • In this embodiment of the present invention, the first log information generating unit 56 generates log information including a pre-processing event start message or a pre-processing event end message to be sent to the log receiver, so that the log receiver learns in time of the pre-processing applied to the logs to be sent when the load of the buffer unit 52 reached the preset abnormal threshold, and of the resulting loss or reordering of logs, which improves the correctness of subsequent auditing and analysis of the log information. In addition, the receiver learns promptly, through the log system itself, of extreme situations such as network congestion or a surge of logs, and can respond in time.
  • FIG. 5 is a schematic structural diagram of an apparatus for transmitting log information according to Embodiment 2 of the present invention. Its structure is similar to that of the apparatus of Embodiment 1, and it further includes a second log information generating unit 60.
  • The second log information generating unit 60 is configured to generate log information including a message describing the importance of logs and send it to the log receiver. After parsing this log information, the receiver uses the message describing the importance of logs to process the received logs accordingly.
  • The log information including the message describing the importance of logs can also be implemented by setting structured data (SDE) in the Syslog log information.
  • After receiving the log information including the message describing the importance of logs, the log receiver obtains that message and uses it to identify which logs are important. For example, the log sender indicates that logs with a severity of less than 3 are important logs. When the log receiver is processing a large number of logs at the same time, it can process these important logs with a severity of less than 3 first, ensuring the safe and reliable reception and processing of important logs.
  • In this embodiment of the present invention, the first log information generating unit 56 generates log information including a pre-processing event start message or a pre-processing event end message to be sent to the log receiver, so that the log receiver learns in time of the pre-processing applied to the logs to be sent when the load of the buffer unit 52 reached the preset abnormal threshold, and of the resulting loss or reordering of logs, which improves the correctness of subsequent auditing and analysis of the log information.
  • The receiver also learns promptly, through the log system itself, of extreme situations such as network congestion or a burst of logs, and can respond in time. Moreover, the second log information generating unit 60 generates log information including a message describing the importance of logs and sends it to the log receiver, which enables the log receiver to identify important logs and ensures their safe and reliable reception and processing.
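Steps S10 to S14 and the receiver-side audit use described above, shown as an added Python example that is not code from the patent. The SD-ID `preprocess` is the page's; the parameter names `event`, `action`, `policy`, `timeType` and `timePoint`, the host and application names, facility local0 and the sample burst are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

SD_ID = "preprocess"  # SD-ID named on the page; all PARAM-NAMEs here are assumed
FMT = "%Y-%m-%dT%H:%M:%SZ"
NAME, VALUE = r'[^ =\]"]+', r'(?:[^"\\\]]|\\.)*'
ELEM_RE = re.compile(rf'\[({NAME})((?: {NAME}="{VALUE}")*)\]')
PARAM_RE = re.compile(rf' ({NAME})="({VALUE})"')


def sd_escape(value):
    """RFC 5424 PARAM-VALUE escaping of backslash, double quote and ']'."""
    return re.sub(r'([\\"\]])', r"\\\1", value)


def syslog_line(severity, now, msgid, sd="-", msg=""):
    # PRI = facility local0 (16, assumed) * 8 + severity
    head = f"<{16 * 8 + severity}>1 {now.strftime(FMT)} fw1.example.test logd - {msgid} {sd}"
    return f"{head} {msg}" if msg else head


class LogSender:
    """Steps S10-S14: watch the queue load, announce start and end of filtering."""

    def __init__(self, threshold, max_severity=3):
        self.queue, self.wire = deque(), []  # wire: lines handed to the transport
        self.threshold, self.max_sev = threshold, max_severity
        self.preprocessing, self.dropped, self.last_ts = False, 0, None

    def _event(self, kind, time_type, point, now):
        policy = sd_escape(f"drop severity > {self.max_sev}")
        sd = (f'[{SD_ID} event="{kind}" action="filter" policy="{policy}" '
              f'timeType="{time_type}" timePoint="{point.strftime(FMT)}"]')
        self.wire.append(syslog_line(5, now, "PREPROCESS", sd))

    def submit(self, severity, ts, text):
        if not self.preprocessing and len(self.queue) >= self.threshold:  # S10
            self.preprocessing = True
            self._event("start", "earliest", ts, ts)  # S12
        if self.preprocessing:
            self.last_ts = ts
            if severity > self.max_sev:  # secondary log: filtered out
                self.dropped += 1
                return False
        self.queue.append(syslog_line(severity, ts, "LOG", msg=text))
        return True

    def drain(self, count, now):
        for _ in range(min(count, len(self.queue))):
            self.wire.append(self.queue.popleft())
        if self.preprocessing and len(self.queue) < self.threshold:  # S14
            self.preprocessing = False
            self._event("end", "latest", self.last_ts, now)


def sd_elements(line):
    """Parse SD-ELEMENTs from the STRUCTURED-DATA field only, never from MSG."""
    parts = line.split(" ", 6)
    out, pos = {}, 0
    while len(parts) == 7 and (m := ELEM_RE.match(parts[6], pos)):
        out[m.group(1)] = {k: re.sub(r'\\(["\\\]])', r"\1", v)
                           for k, v in PARAM_RE.findall(m.group(2))}
        pos = m.end()
    return out


def degraded_windows(lines):
    """Receiver side: (first, last, policy) spans in which logs were pre-processed."""
    windows, start = [], None
    for line in lines:
        ev = sd_elements(line).get(SD_ID)
        if not ev:
            continue
        if ev.get("event") == "start":
            start = ev
        elif ev.get("event") == "end" and start:
            windows.append((start.get("timePoint"), ev.get("timePoint"), start.get("policy")))
            start = None
    if start:  # no end message seen: the sender is still filtering
        windows.append((start.get("timePoint"), None, start.get("policy")))
    return windows


def demo():
    """Constructed burst: six logs arrive at a queue whose abnormal threshold is 3."""
    t0 = datetime(2009, 2, 13, 14, 59, 57, tzinfo=timezone.utc)
    sender = LogSender(threshold=3)
    for i, sev in enumerate([6, 6, 2, 6, 1, 5]):
        sender.submit(sev, t0 + timedelta(seconds=i), f"constructed event {i}")
    sender.drain(3, t0 + timedelta(seconds=8))
    sender.drain(5, t0 + timedelta(seconds=9))
    return sender, degraded_windows(sender.wire)


if __name__ == "__main__":
    s, w = demo()
    print(*s.wire, sep="\n")
    print(w, "dropped:", s.dropped)
```

An auditor can treat the absence of logs with a severity greater than 3 inside a returned window as unknown rather than as evidence that nothing happened; a window whose end is `None` means no end message has arrived yet.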

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of the present invention provide a log information transmission method, including: detecting whether the load on the buffer queue of a log transmitter reaches a preset abnormity threshold (10); generating and transmitting, by the log transmitter, log information including a pre-treatment event starting message to a log receiver when the load on the buffer queue of the log transmitter reaches the preset abnormity threshold (12); and generating and transmitting, by the log transmitter, log information including a pre-treatment event ending message to the log receiver if it is detected that the load on the buffer queue does not reach the preset abnormity threshold while the log transmitter performs a pre-treatment operation on the logs in its buffer queue (14). The embodiments of the present invention also provide a log information transmission apparatus. By generating log information including a pre-treatment event starting message or a pre-treatment event ending message and transmitting it to the log receiver, the embodiments of the present invention can increase the accuracy of subsequent auditing and analysis of the log information.

Description

一种发送日志信息的方法及装置 本申请要求于 2009 年 3 月 6 日提交中国专利局, 申请号为 200910105892.0, 发明名称为"一种发送日志信息的方法及装置"的中国专利申 请的优先权, 其全部内容通过引用结合在本申请中。 技术领域  Method and device for transmitting log information This application claims to be filed on March 6, 2009, the Chinese Patent Office, the application number is 200910105892.0, the priority of the Chinese patent application entitled "A method and device for transmitting log information" The entire contents of which are incorporated herein by reference. Technical field
本发明涉及通信技术领域, 尤其涉及一种发送日志信息的方法及装置。 背景技术  The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for transmitting log information. Background technique
日志 J! 控计算机和网络安全的重要手段,同时也是评估计算机和网络安 全的重要途径。 在实际应用中, 日志系统往往采用分布式部署, 即将多种服务 和 /或设备产生的日志收集到一起进行分析和处理, 在这种情形下, 产生曰志 的一方称之为日志发送方, 收集日志的一方称之为日志接收方, 日志发送方将 日志消息传输给日志接收方, 日志接收方则接收来自不同地理位置的日志发送 方。  Log J! An important means of controlling computer and network security, and an important way to assess computer and network security. In practical applications, the log system often adopts a distributed deployment, which collects logs generated by multiple services and/or devices for analysis and processing. In this case, the party that generates the ambition is called the log sender. The party collecting the log is called the log receiver, the log sender transmits the log message to the log receiver, and the log receiver receives the log sender from different geographical locations.
Syslog是被业界广泛接收的日志标准, IETF制订的新的 Syslog标准允许 更大容量的日志消息。 Syslog/TLS标准和 Syslog-sign标准在增加 Syslog安全 性和可靠性的同时, 也增加了大量证书、 签名等传输数据; 与此同时, 一些应 用, 例如医药工业, 需求大日志量的传输。 这一切都增加了 Syslog 日志传输 量, 也增高了日志延迟和网络拥塞的可能性。 如何及时应对 Syslog 日志传输 过程中发生的各种事件是保证日志系统可靠性和安全性的有效手段。  Syslog is a widely accepted log standard in the industry. The new Syslog standard developed by the IETF allows for larger volume log messages. While the Syslog/TLS standard and the Syslog-sign standard increase the security and reliability of Syslog, they also increase the number of data transmitted by certificates and signatures. At the same time, some applications, such as the pharmaceutical industry, require large log volumes. All of this increases the amount of Syslog log traffic and increases the likelihood of log latency and network congestion. How to deal with various events that occur during Syslog log transmission in a timely manner is an effective means to ensure the reliability and security of the log system.
日志发送方在极端情况下 (例如网络拥塞或流量控制或日志产生量突增 时, 将会造成缓冲队列的大负荷甚至溢出), 可能采取一些对日志的预处理措 施, 例如优先发送重要日志或过滤次要日志, 以保证重要日志的及时报警。 这 些措施都不可避免地将造成日志的丢失或乱序, 对日志的完整性有损害。  In extreme cases (such as network congestion or traffic control or bursts of log generation, this will cause a large load or even overflow of the buffer queue), and some pre-processing measures may be taken, such as sending important logs or Filter the secondary logs to ensure timely alarms for important logs. These measures will inevitably result in the loss or out of order of the log, which will damage the integrity of the log.
在实现本发明的过程中, 发明人发现现有技术中至少存在如下问题: 日志接收方不能及时察觉日志传输事件 (例如过滤或者乱序 )的发生, 在 对收集到的日志在日后审计时,不知道日志在上述场景中的丢失情况和乱序情 况, 对日志的审计和分析的正确性有一定的影响。 In the process of implementing the present invention, the inventors have found that at least the following problems exist in the prior art: The log receiver cannot detect the occurrence of log transmission events (such as filtering or disorder) in time, When the collected logs are audited in the future, they do not know the loss and out-of-order conditions of the logs in the above scenarios, and have certain influence on the correctness of the audit and analysis of the logs.
Summary of the invention
Embodiments of the present invention provide a method and an apparatus for sending log information, which enable the log receiver to promptly detect information about the sender's preprocessing events on the logs and improve the correctness of subsequent log auditing and analysis.
An embodiment of the present invention provides a method for sending log information, including:
detecting whether the load of the buffer queue of the log sender reaches a preset abnormal threshold;
when the load of the buffer queue of the log sender reaches the preset abnormal threshold, generating, by the log sender, log information including a preprocessing event start message and sending it to the log receiver; and
when the log sender, while performing a preprocessing operation on the logs in its buffer queue, detects that the load of the buffer queue does not reach the preset abnormal threshold, generating log information including a preprocessing event end message and sending it to the log receiver, where the preprocessing operation is the one that the log sender performs on the logs in the buffer queue when the load of the buffer queue of the log sender reaches the preset abnormal threshold.
An embodiment of the present invention further provides an apparatus for sending log information, including:
a buffer unit, configured to store the queue of logs to be sent;
a detecting unit, configured to detect whether the load of the log queue of the buffer unit reaches a preset abnormal threshold;
a first log information generating unit, configured to generate log information including a preprocessing event start message when the detecting unit detects that the load of the log queue of the buffer unit reaches the preset abnormal threshold, and, while the apparatus for sending log information is performing a preprocessing operation on the log information in the buffer unit, to generate log information including a preprocessing event end message when the detecting unit detects that the load of the log queue of the buffer unit does not reach the preset abnormal threshold, where the preprocessing operation is the one that the apparatus performs on the log information in the buffer unit when the detecting unit detects that the load of the log queue of the buffer unit reaches the preset abnormal threshold; and
a log sending unit, configured to send the log information including the preprocessing event start message and the log information including the preprocessing event end message to the log receiver.
In the embodiments of the present invention, the log sender generates log information including a preprocessing event start message or a preprocessing event end message and sends it to the log receiver. The log receiver thereby promptly obtains information about the preprocessing that the log sender applied to the logs to be sent when the load of its buffer queue reached the preset abnormal threshold, and knows which logs were lost or reordered while the load was at that threshold, which improves the correctness of subsequent auditing and analysis of the log information.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of the header of a Syslog protocol message;
FIG. 2 is a schematic flowchart of a method for sending log information according to Embodiment 1 of the present invention;
FIG. 3 is a schematic flowchart of a method for sending log information according to Embodiment 2 of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for sending log information according to Embodiment 1 of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for sending log information according to Embodiment 2 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the embodiments of the present invention, the log information is described using Syslog protocol messages as an example.
The Syslog protocol uses Client/Server communication. The Client is the receiver of event messages. The Client may be the originator of an event, such as a device or a process, or it may be a relay entity, which processes the Syslog events it receives from other senders (event originators or other relay entities) and then sends them to other receivers.
A Syslog protocol message has three parts: the header, the structured data (Structured Data Element, SDE) and the message body. As shown in FIG. 1, the header includes the following fields: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID and MSGID.
PRI is the priority, VERSION is the Syslog protocol version number, TIMESTAMP is the timestamp at which the log was generated, HOSTNAME is the host domain name or address of the log sender, APP-NAME is the name of the application that generated the log, PROCID is the process ID of the log system, and MSGID is the message type of the log.
The structured data consists of a series of structured elements, each made up of a structured element name and a series of parameter name and parameter value pairs.
The message body is free-form text; a Syslog log message may omit the message body.
Referring to FIG. 2, which is a schematic flowchart of a method for sending log information according to Embodiment 1 of the present invention, the steps include:
Step S10: Detect whether the load of the buffer queue of the log sender reaches a preset abnormal threshold.
The log sender stores the logs to be sent in its buffer queue and checks in real time whether the load of the buffer queue reaches the preset abnormal threshold, for example whether the length of the buffer queue reaches a preset threshold. If it does, the method proceeds to step S12.
If the load of the buffer queue of the log sender has reached the preset abnormal threshold, the log sender performs a preprocessing operation on the log information in the buffer queue, for example filtering out secondary logs, transmitting important logs first, or overwriting old logs.
Step S12: The log sender generates log information including a preprocessing event start message and sends it to the log receiver, where the preprocessing event start message includes a preprocessing start time message and a preprocessing policy message.
After step S10 detects that the load of the buffer queue of the log sender has reached the preset abnormal threshold, the log sender generates log information including a preprocessing event start message. This log information has the same format as the log information in the buffer queue of the log sender; the embodiments of the present invention use Syslog log information as an example.
The log information including the preprocessing event start message can be implemented by setting the structured data (SDE) in the Syslog log information. An SDE consists of a structured element name and a series of parameter name and parameter value pairs, with the following syntax:
[SD-ID NAME1="VALUE1" ... NAMEn="VALUEn"]
For example, the SD-ID of the structured data is set to preprocess, and the parameter names and their attributes are described as follows:
[Table image imgf000007_0001: parameter names and their attributes; not reproduced in this text]
The "preprocessing action" describes what the log sender does to the logs waiting to be sent in its buffer queue: filtering, out-of-order transmission, and so on. Filtering may include filtering out secondary logs; out-of-order transmission may include transmitting important logs first or overwriting old logs. The "time type" indicates whether the "time point" that follows is the timestamp of the earliest preprocessed log or the timestamp of the latest preprocessed log. The "policy type" and "threshold" express the condition for an important log; for example, Criteria="severity", Threshold="3" means that logs whose severity, as given by the header field PRI, is less than 3 are important logs.
For example:
[preprocess Type="filter" timeType="start" timeValue="2009-02-13 15:00:00" Criteria="severity" Threshold="3"]
This indicates that a preprocessing event has occurred; the preprocessing policy is to filter out all logs with severity greater than 3 (secondary logs), and the earliest filtered log was generated at "2009-02-13 15:00:00".
After the log receiver receives the log information including the preprocessing event start message, it parses it and obtains the sender's preprocessing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's preprocessing event occurred and which preprocessing policy was used; from the time of the event and the policy it can determine from what time the log sender did what to the logs, which improves the correctness of auditing and analysis. In addition, once the log receiver has obtained the log information including the preprocessing event start message, it learns promptly of extreme conditions such as network congestion or a sudden surge of logs and can react in time.
Step S14: When the log sender, while performing a preprocessing operation on the logs in its buffer queue, detects that the load of the buffer queue does not reach the preset abnormal threshold, it generates log information including a preprocessing event end message and sends it to the log receiver, where the preprocessing event end message includes a preprocessing end time message and a preprocessing policy message.
While the log sender is preprocessing the logs in its buffer queue, for example filtering out all logs with severity greater than 3 (secondary logs), the number of logs in the buffer queue keeps decreasing. If, after some time, the sender detects that the load of its buffer queue (for example the length of the logs in the buffer queue) has fallen below the preset abnormal threshold, that is, the load does not reach the preset abnormal threshold, the log sender ends the preprocessing operation, generates log information including a preprocessing event end message, and sends it to the log receiver.
The log information including the preprocessing event end message can also be implemented by setting the structured data (SDE) in the Syslog log information. For example:
[preprocess Type="filter" timeType="end" timeValue="2009-02-13 15:20:00"]
This indicates that the current preprocessing event (filtering) has ended, and the latest filtered log was generated at "2009-02-13 15:20:00".
After the log receiver receives the log information including the preprocessing event end message, it parses it and obtains the sender's preprocessing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's preprocessing event ended and which preprocessing policy was used; from the end time and the policy it can determine at what time the log sender's preprocessing of the logs ended, which improves the correctness of auditing and analysis.
In this embodiment of the present invention, the log sender generates log information including a preprocessing event start message or a preprocessing event end message and sends it to the log receiver. The log receiver thereby promptly obtains information about the preprocessing that the log sender applied to the logs to be sent when the load of its buffer queue reached the preset abnormal threshold, and knows which logs were lost or reordered while the load was at that threshold, which improves the correctness of subsequent auditing and analysis of the log information. In addition, the log receiver learns promptly, through the log system itself, of extreme conditions such as network congestion or a sudden surge of logs, and can react in time.
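Steps S10 to S14 on the sender side, as an added sketch that is not code from the patent: a buffer queue whose length is the load, a severity filter as the preprocessing policy, and start/end markers carrying the page's preprocess parameters. The header values, the marker severity, the fallback when nothing is queued to drop, and running the S14 check only after a send pass are assumptions of this example.

```python
from collections import deque

HOST, APP, FACILITY = "sender.example", "logd", 16   # constructed header values
MARKER_SEVERITY = 2   # assumption: markers are sent as important logs


def frame(ts, severity, sd="-", msg=""):
    """One RFC 5424 line: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]."""
    line = f"<{FACILITY * 8 + severity}>1 {ts} {HOST} {APP} - - {sd}"
    return f"{line} {msg}" if msg else line


def preprocess_sd(**params):
    """SD element with the page's SD-ID and parameter names (sample values need no escaping).

    RFC 5424 reserves SD-IDs without '@' for registered names; the page's bare
    'preprocess' is kept as written.
    """
    return "[preprocess " + " ".join(f'{k}="{v}"' for k, v in params.items()) + "]"


def page_time(ts):
    """Render a header timestamp in the 'YYYY-MM-DD hh:mm:ss' form of the page's timeValue."""
    return ts.replace("T", " ").rstrip("Z")


class LogSender:
    def __init__(self, abnormal_threshold, severity_threshold=3):
        self.queue = deque()                  # buffer queue of (ts, severity, msg)
        self.abnormal_threshold = abnormal_threshold
        self.severity_threshold = severity_threshold
        self.preprocessing = False
        self.last_filtered = None             # timestamp of the latest filtered log
        self.wire = []                        # lines handed to the transport, in order

    def _secondary(self, severity):
        # The page's filter example drops logs with severity greater than the threshold.
        return severity > self.severity_threshold

    def submit(self, ts, severity, msg):
        if self.preprocessing and self._secondary(severity):
            self.last_filtered = ts           # filtered, never queued
            return
        self.queue.append((ts, severity, msg))
        # Step S10: compare the load (queue length here) with the abnormal threshold.
        if not self.preprocessing and len(self.queue) >= self.abnormal_threshold:
            self._start(ts)

    def _start(self, now):
        # Step S12: apply the policy to the queued logs and announce it first.
        dropped = [e[0] for e in self.queue if self._secondary(e[1])]
        self.queue = deque(e for e in self.queue if not self._secondary(e[1]))
        self.preprocessing = True
        self.last_filtered = dropped[-1] if dropped else None
        earliest = dropped[0] if dropped else now   # assumption when nothing was dropped yet
        sd = preprocess_sd(Type="filter", timeType="start", timeValue=page_time(earliest),
                           Criteria="severity", Threshold=self.severity_threshold)
        self.wire.append(frame(now, MARKER_SEVERITY, sd))

    def drain(self, now, count):
        """Send up to `count` queued logs, then run the step S14 check."""
        for _ in range(min(count, len(self.queue))):
            ts, severity, msg = self.queue.popleft()
            self.wire.append(frame(ts, severity, msg=msg))
        # Checking only here, not right after filtering, keeps the markers from flapping.
        if self.preprocessing and len(self.queue) < self.abnormal_threshold:
            self.preprocessing = False
            sd = preprocess_sd(Type="filter", timeType="end",
                               timeValue=page_time(self.last_filtered or now))
            self.wire.append(frame(now, MARKER_SEVERITY, sd))


def run_demo():
    """Constructed burst: four logs fill a queue whose abnormal threshold is 4."""
    s = LogSender(abnormal_threshold=4)
    s.submit("2009-02-13T14:59:58Z", 1, "disk failure")
    s.submit("2009-02-13T15:00:00Z", 6, "user login")
    s.submit("2009-02-13T15:00:01Z", 2, "auth module crash")
    s.submit("2009-02-13T15:00:02Z", 5, "config reloaded")   # load reaches 4: start marker
    s.submit("2009-02-13T15:10:00Z", 7, "debug trace")       # filtered while preprocessing
    s.submit("2009-02-13T15:20:00Z", 6, "session closed")    # latest filtered log
    s.drain("2009-02-13T15:20:05Z", 10)                      # queue empties: end marker
    return s.wire


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The start marker goes onto the wire ahead of the surviving queued logs, so the receiver learns of the filtering before it sees the gap.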
Referring to FIG. 3, which is a schematic flowchart of a method for sending log information according to Embodiment 2 of the present invention, the steps are similar to those of the method of Embodiment 1, the difference being that the following step is included before step S10:
Step S8: The log sender generates log information including a message describing log importance and sends it to the log receiver. After parsing this log information, the log receiver handles the logs it receives according to the message describing log importance.
The log information including the message describing log importance can also be implemented by setting the structured data (SDE) in the Syslog log information. For example:
[preprocess Criteria="severity" Threshold="3"]
This indicates that logs sent by the log sender with severity less than 3 are important logs.
After the log receiver receives the log information including the message describing log importance, it parses it to obtain that message and uses it to identify which logs are important. For example, logs sent by the log sender with severity less than 3 are important logs; when the log receiver is handling a large number of logs at the same time, it can process these important logs with severity less than 3 first, ensuring that important logs are received and processed safely and reliably.
In this embodiment of the present invention, the log sender generates log information including a preprocessing event start message or a preprocessing event end message and sends it to the log receiver. The log receiver thereby promptly obtains information about the preprocessing that the log sender applied to the logs to be sent when the load of its buffer queue reached the preset abnormal threshold, and knows which logs were lost or reordered while the load was at that threshold, which improves the correctness of subsequent auditing and analysis of the log information. In addition, the log receiver learns promptly, through the log system itself, of extreme conditions such as network congestion or a sudden surge of logs, and can react in time. Furthermore, the log sender generates log information including a message describing log importance and sends it to the log receiver, so that the log receiver can identify important logs and ensure that they are received and processed safely and reliably.
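The receiver side of both embodiments, as an added sketch that is not code from the patent: it reads the preprocess element only from the STRUCTURED-DATA field, rebuilds each filter window from the start and end markers, records the step S8 importance rule, and answers the audit question of whether a log of a given severity and time could have been filtered. The sample lines are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
VALUE = r'"(?:\\.|[^"\\\]])*"'                    # PARAM-VALUE, allowing \" \\ \] escapes
ELEM = re.compile(r'\[([^\s="\]]+)((?: [^\s="\]]+=' + VALUE + r')*)\]')
PARAM = re.compile(r'([^\s="\]]+)="((?:\\.|[^"\\\]])*)"')
FMT = "%Y-%m-%d %H:%M:%S"                         # form of the page's timeValue

# Constructed sample. The fourth line carries marker-like text in its message body only.
SAMPLE = [
    '<130>1 2009-02-13T14:00:00Z sender.example logd - - [preprocess Criteria="severity" Threshold="3"]',
    '<129>1 2009-02-13T14:59:58Z sender.example logd - - - disk failure',
    '<130>1 2009-02-13T15:00:02Z sender.example logd - - [preprocess Type="filter" timeType="start" '
    'timeValue="2009-02-13 15:00:00" Criteria="severity" Threshold="3"]',
    '<130>1 2009-02-13T15:05:00Z sender.example webapp - - - note [preprocess Type="filter" '
    'timeType="end" timeValue="2009-02-13 15:05:00"]',
    '<130>1 2009-02-13T15:20:05Z sender.example logd - - [preprocess Type="filter" timeType="end" '
    'timeValue="2009-02-13 15:20:00"]',
]


def parse_line(line):
    """Return severity, timestamp and SD elements of one RFC 5424 line, or None."""
    m = HEADER.match(line)
    if m is None:
        return None
    rest, sd, pos = m.group(7), {}, 0
    # SD elements are taken only from the start of the field after MSGID, so
    # bracketed text in the free-form message body is never read as a marker.
    while (e := ELEM.match(rest, pos)) is not None:
        sd[e.group(1)] = dict(PARAM.findall(e.group(2)))
        pos = e.end()
    return {"severity": int(m.group(1)) % 8, "timestamp": m.group(2), "sd": sd}


def audit(lines):
    """Rebuild filter windows and the declared importance rule from the markers."""
    windows, importance, current = [], None, None
    for line in lines:
        rec = parse_line(line)
        p = rec["sd"].get("preprocess") if rec else None
        if p is None:
            continue
        kind = p.get("timeType")
        if kind == "start":
            current = {"action": p.get("Type"), "from": p.get("timeValue"), "to": None,
                       "criteria": p.get("Criteria"), "threshold": p.get("Threshold")}
            windows.append(current)
        elif kind == "end" and current is not None:
            current["to"] = p.get("timeValue")
            current = None
        elif kind is None and "Criteria" in p:      # step S8 message
            importance = {"criteria": p["Criteria"], "threshold": p.get("Threshold")}
    return windows, importance


def may_be_missing(windows, when, severity):
    """True if a log generated at `when` with this severity falls under a filter window."""
    t = datetime.strptime(when, FMT)
    for w in windows:
        if w["action"] != "filter" or w["criteria"] != "severity":
            continue
        if not w["from"] or not (w["threshold"] or "").isdigit():
            continue
        start = datetime.strptime(w["from"], FMT)
        end = datetime.strptime(w["to"], FMT) if w["to"] else None   # still open
        if t >= start and (end is None or t <= end) and severity > int(w["threshold"]):
            return True
    return False


if __name__ == "__main__":
    found, rule = audit(SAMPLE)
    print(found, rule)
```

A window whose end marker never arrives stays open, so every later secondary log is reported as possibly filtered until the sender closes it.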
Referring to FIG. 4, which is a schematic structural diagram of an apparatus for sending log information according to Embodiment 1 of the present invention, the apparatus for sending log information may include the client in the Client/Server mode of the Syslog protocol.
The apparatus for sending log information includes a buffer unit 52, a detecting unit 54, a first log information generating unit 56 and a log sending unit 58.
The buffer unit 52 is configured to store the queue of logs to be sent.
The detecting unit 54 is configured to detect whether the load of the log queue of the buffer unit 52 reaches a preset abnormal threshold. The detecting unit 54 checks in real time whether the load of the buffer unit 52 reaches the preset abnormal threshold, for example whether the length of the log queue in the buffer unit 52 reaches a preset threshold.
The first log information generating unit 56 is configured to generate log information including a preprocessing event start message when the detecting unit 54 detects that the load of the log queue of the buffer unit 52 reaches the preset abnormal threshold, where the preprocessing event start message includes a preprocessing start time message and a preprocessing policy message. The log sending unit 58 is configured to send the log information including the preprocessing event start message generated by the first log information generating unit 56 to the log receiver.
The log information including the preprocessing event start message has the same format as the log information in the log queue of the buffer unit 52; the embodiments of the present invention use Syslog log information as an example.
The log information including the preprocessing event start message can be implemented by setting the structured data (SDE) in the Syslog log information. An SDE consists of a structured element name and a series of parameter name and parameter value pairs, with the following syntax:
[SD-ID NAME1="VALUE1" ... NAMEn="VALUEn"]
For example, the SD-ID of the structured data is set to preprocess, and the parameter names and their attributes are described as follows:
[Table image imgf000010_0001: parameter names and their attributes; not reproduced in this text]
The "preprocessing action" describes what the log sender does to the logs waiting to be sent in its buffer queue: filtering, out-of-order transmission, and so on. Filtering may include filtering out secondary logs; out-of-order transmission may include transmitting important logs first or overwriting old logs. The "time type" indicates whether the "time point" that follows is the timestamp of the earliest preprocessed log or the timestamp of the latest preprocessed log. The "policy type" and "threshold" express the condition for an important log; for example, Criteria="severity", Threshold="3" means that logs whose severity, as given by the header field PRI, is less than 3 are important logs.
For example:
[preprocess Type="filter" timeType="start" timeValue="2009-02-13 15:00:00" Criteria="severity" Threshold="3"]
This indicates that a preprocessing event has occurred; the preprocessing policy is to filter out all logs with severity greater than 3 (secondary logs), and the earliest filtered log was generated at "2009-02-13 15:00:00".
After the log receiver receives the log information including the preprocessing event start message, it parses it and obtains the sender's preprocessing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's preprocessing event occurred and which preprocessing policy was used; from the time of the event and the policy it can determine from what time the log sender did what to the logs, which improves the correctness of auditing and analysis. In addition, once the log receiver has obtained the log information including the preprocessing event start message, it learns promptly of extreme conditions such as network congestion or a sudden surge of logs and can react in time.
The first log information generating unit 56 is further configured to generate log information including a preprocessing event end message when, while the apparatus for sending log information is performing a preprocessing operation on the log information in the buffer unit 52, the detecting unit 54 detects that the load of the log queue of the buffer unit 52 does not reach the preset abnormal threshold, where the preprocessing event end message includes a preprocessing end time message and a preprocessing policy message. The log sending unit 58 is further configured to send the log information including the preprocessing event end message generated by the first log information generating unit 56 to the log receiver. As in the method embodiments above, in one embodiment the preprocessing operation that the apparatus performs on the log information in the buffer unit 52 is the one it performs when the detecting unit 54 detects that the load of the log queue of the buffer unit 52 reaches the preset abnormal threshold.
While the apparatus for sending log information is preprocessing the log information in the buffer unit 52, for example filtering out all logs with severity greater than 3 (secondary logs), the number of logs in the buffer queue keeps decreasing. If, after some time, the apparatus detects that the load of its buffer queue (for example the length of the logs in the buffer queue) has fallen below the preset abnormal threshold, that is, the load does not reach the preset abnormal threshold, the apparatus ends the preprocessing operation, generates log information including a preprocessing event end message, and sends it to the log receiver.
The log information including the preprocessing event end message can also be implemented by setting the structured data (SDE) in the Syslog log information. For example:
[preprocess Type="filter" timeType="end" timeValue="2009-02-13 15:20:00"]
This indicates that the current preprocessing event (filtering) has ended, and the latest filtered log was generated at "2009-02-13 15:20:00".
After the log receiver receives the log information including the preprocessing event end message, it parses it and obtains the sender's preprocessing information in real time. During subsequent auditing and analysis of the logs, the receiver knows when the sender's preprocessing event ended and which preprocessing policy was used; from the end time and the policy it can determine at what time the log sender's preprocessing of the logs ended, which improves the correctness of auditing and analysis.
In this embodiment of the present invention, the first log information generating unit 56 generates log information including a preprocessing event start message or a preprocessing event end message, which is sent to the log receiver. The log receiver thereby promptly obtains information about the preprocessing applied to the logs to be sent when the load of the buffer unit 52 reached the preset abnormal threshold, and knows which logs were lost or reordered while the load of the buffer unit 52 was at that threshold, which improves the correctness of subsequent auditing and analysis of the log information. In addition, the log receiver learns promptly, through the log system itself, of extreme conditions such as network congestion or a sudden surge of logs, and can react in time.
请参考图 5, 为本发明实施例二发送日志信息的装置的结构示意图, 其与 本发明实施例一发送日志信息的装置的结构类似,其区别在于还包括: 第二日 志信息生成单元 60。  Referring to FIG. 5, it is a schematic structural diagram of an apparatus for transmitting log information according to Embodiment 2 of the present invention, which is similar to the structure of an apparatus for transmitting log information according to Embodiment 1 of the present invention, and further includes: a second log information generating unit 60.
所述第二日志信息生成单元 60, 用于生成包括描述日志重要性的消息的 日志信息并发送至日志接收方,所述包括描述日志重要性的消息的日志信息用 以曰志接收方解析后根据所述描述日志重要性的消息对接收的日志做相应处 理。  The second log information generating unit 60 is configured to generate log information including a message describing the importance of the log and send the log information to the log receiver, where the log information including the message describing the importance of the log is used by the receiver after parsing The received log is processed accordingly according to the message describing the importance of the log.
所述包括描述日志重要性消息的日志信息也可以通过设置 Syslog 日志信 息中的结构化数据 ( SDE )来实现。 例如:  The log information including the description of the log importance message can also be implemented by setting structured data (SDE) in the Syslog log information. E.g:
[preprocess Criteria= "severity" Threshold="3"] , 表示日志发送方发送的显 示 severity小于 3的日志是重要日志。  [preprocess Criteria= "severity" Threshold="3"] , indicating that the log sent by the sender of the log is less than 3 is an important log.
日志接收方接收到所述包括描述日志重要性的消息的日志信息后,经过解 析获得所述描述日志重要性的消息,则日志接收方通过所述描述日志重要性的 消息鉴别哪些日志是重要日志, 例如日志发送方发送的显示 severity小于 3的 日志是重要日志, 当日志接收方同时处理大量日志时, 可以优先处理这些 severity小于 3的重要日志, 保证重要日志的安全可靠的接收和处理。 After receiving the log information including the message describing the importance of the log, the log receiver obtains the message describing the importance of the log, and the log receiver identifies which log is an important log by using the message describing the importance of the log. For example, the log sender sends a display severity less than 3. The log is an important log. When the log receiver processes a large number of logs at the same time, it can preferentially process these important logs with a severity less than 3 to ensure the safe and reliable reception and processing of important logs.
In this embodiment of the present invention, the first log information generating unit 56 generates log information including a preprocessing event start message or a preprocessing event end message, which is sent to the log receiver. This lets the log receiver learn in time what preprocessing was applied to the logs to be sent when the load of the buffer unit 52 reached the preset abnormal threshold, and know about the loss or reordering of logs that occurred at that point, which improves the correctness of subsequent auditing and analysis of the log information. In addition, the log receiver can learn in time, through the log system itself, of extreme situations such as network congestion or a sudden surge of logs, and react promptly. Furthermore, the second log information generating unit 60 generates log information including a message describing log importance and sends it to the log receiver, which lets the log receiver identify important logs and ensures their safe and reliable reception and processing.
A person of ordinary skill in the art can understand that all or part of the steps of the methods in the foregoing embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, or an optical disc.
The above is only a preferred specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims

1. A method for sending log information, comprising:
detecting whether the load of a buffer queue of a log sender reaches a preset abnormal threshold;
when the load of the buffer queue of the log sender reaches the preset abnormal threshold, generating, by the log sender, log information including a preprocessing event start message and sending it to a log receiver;
when the log sender, while performing a preprocessing operation on the logs in its buffer queue, detects that the load of the buffer queue has not reached the preset abnormal threshold, generating log information including a preprocessing event end message and sending it to the log receiver, wherein the preprocessing operation is performed by the log sender on the logs in the buffer queue when the load of the buffer queue of the log sender reaches the preset abnormal threshold.
2. The method according to claim 1, wherein the preprocessing event start message includes a preprocessing start time message and a preprocessing policy message.
3. The method according to claim 1, wherein the preprocessing event end message includes a preprocessing end time message and a preprocessing policy message.
4. The method according to claim 1, wherein the log information including the preprocessing event start message or the log information including the preprocessing event end message is implemented by setting the structured data of the Syslog log information.
5. The method according to claim 1, further comprising: generating, by the log sender, log information including a message describing log importance and sending it to the log receiver, wherein the log information including the message describing log importance is used by the log receiver, after parsing, to process the received logs according to the message describing log importance.
6. An apparatus for sending log information, comprising:
a buffer unit, configured to store a queue of logs to be sent;
a detecting unit, configured to detect whether the load of the log queue of the buffer unit reaches a preset abnormal threshold;
a first log information generating unit, configured to generate log information including a preprocessing event start message when the detecting unit detects that the load of the log queue of the buffer unit reaches the preset abnormal threshold; wherein, when the apparatus for sending log information is performing a preprocessing operation on the log information in the buffer unit and the detecting unit detects that the load of the log queue of the buffer unit has not reached the preset abnormal threshold, the first log information generating unit generates log information including a preprocessing event end message, the preprocessing operation being performed by the apparatus for sending log information on the log information in the buffer unit when the detecting unit detects that the load of the log queue of the buffer unit reaches the preset abnormal threshold;
a log sending unit, configured to send the log information including the preprocessing event start message and the log information including the preprocessing event end message to a log receiver.
7. The apparatus according to claim 6, wherein the preprocessing event start message includes a preprocessing start time message and a preprocessing policy message.
8. The apparatus according to claim 6, wherein the preprocessing event end message includes a preprocessing end time message and a preprocessing policy message.
9. The apparatus according to claim 6, wherein the log information including the preprocessing event start message or the log information including the preprocessing event end message is implemented by setting the structured data (SDE) of the Syslog log information.
10. The apparatus according to claim 6, further comprising a second log information generating unit, configured to generate log information including a message describing log importance and send it to the log receiver, wherein the log information including the message describing log importance is used by the log receiver, after parsing, to process the received logs according to the message describing log importance.
PCT/CN2010/070876 2009-03-06 2010-03-04 Log information transmission method and apparatus WO2010099754A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910105892.0 2009-03-06
CN2009101058920A CN101505245B (en) 2009-03-06 2009-03-06 Method and apparatus for sending log information

Publications (1)

Publication Number Publication Date
WO2010099754A1 true WO2010099754A1 (en) 2010-09-10

Family

ID=40977325

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/070876 WO2010099754A1 (en) 2009-03-06 2010-03-04 Log information transmission method and apparatus

Country Status (2)

Country Link
CN (1) CN101505245B (en)
WO (1) WO2010099754A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2696536A1 (en) * 2012-08-07 2014-02-12 Broadcom Corporation Buffer statistics tracking

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505245B (en) * 2009-03-06 2011-01-05 成都市华为赛门铁克科技有限公司 Method and apparatus for sending log information
CN101789174B (en) * 2009-12-29 2013-07-24 北京世纪高通科技有限公司 Journal monitoring method and device
CN101859270A (en) * 2010-04-19 2010-10-13 上海华为技术有限公司 Blog management method, system, master control board and local single-board
CN102347831B (en) * 2010-07-26 2014-12-03 华为技术有限公司 Time message processing method, device and system
CN102594581B (en) * 2011-01-12 2016-03-16 鼎桥通信技术有限公司 A kind of recording method of daily record data
CN103176888B (en) * 2011-12-22 2018-01-23 阿里巴巴集团控股有限公司 A kind of method and system of log recording
CN103338131A (en) * 2013-06-20 2013-10-02 百度在线网络技术(北京)有限公司 Method and equipment for testing log transmitting loss rate
CN103617287A (en) * 2013-12-12 2014-03-05 用友软件股份有限公司 Log management method and device in distributed environment
CN105577431A (en) * 2015-12-11 2016-05-11 青岛云成互动网络有限公司 User information identification and classification method based on internet application and system thereof
CN106126672A (en) * 2016-06-27 2016-11-16 安徽科成信息科技有限公司 A kind of update method of Linking All Classes network monitoring daily record
CN107480277B (en) * 2017-08-22 2021-01-26 北京京东尚科信息技术有限公司 Method and device for collecting website logs
CN110324255B (en) * 2019-07-05 2021-01-29 中南大学 Data center network coding oriented switch/router cache queue management method
CN114422340B (en) * 2020-10-12 2023-10-10 华为技术有限公司 Log reporting method, electronic equipment and storage medium
CN114978729A (en) * 2022-05-27 2022-08-30 重庆长安汽车股份有限公司 Vehicle-mounted intrusion detection method and system based on CAN bus and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006279727A (en) * 2005-03-30 2006-10-12 Nippon Telegr & Teleph Corp <Ntt> Network control system and method therefor
CN101072124A (en) * 2007-06-22 2007-11-14 中兴通讯股份有限公司 Log obtaining method
CN101075256A (en) * 2007-06-08 2007-11-21 北京神舟航天软件技术有限公司 System and method for real-time auditing and analyzing database
CN101505245A (en) * 2009-03-06 2009-08-12 成都市华为赛门铁克科技有限公司 Method and apparatus for sending log information

Also Published As

Publication number Publication date
CN101505245A (en) 2009-08-12
CN101505245B (en) 2011-01-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10748344

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 27/01/2012)

122 Ep: pct application non-entry in european phase

Ref document number: 10748344

Country of ref document: EP

Kind code of ref document: A1