CN104951555A - Log information management method and log information management terminal - Google Patents


Info

Publication number
CN104951555A
Authority
CN
China
Prior art keywords
log information
data item
log
distance
information management
Legal status
Pending
Application number
CN201510377928.6A
Other languages
Chinese (zh)
Inventor
郭美思
宗栋瑞
吴楠
Current Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Original Assignee
Inspur Beijing Electronic Information Industry Co Ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/11 File system administration, e.g. details of archiving or snapshots
    • G06F16/122 File system administration, e.g. details of archiving or snapshots using management policies
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a log information management method and a log information management terminal. The method comprises the following steps: obtaining log record information and storing it in the data items of a log data table; obtaining the distance between the quantized characteristic data in each log record and the cluster centre point; comparing that distance with a preset distance; and performing recognition control on the log record information according to the comparison result. The aim of rapidly recognizing suspicious operations is achieved, and system security is greatly improved.

Description

Log information management method and log information management terminal
Technical field
The invention belongs to the field of information management, and in particular relates to a log information management method and a log information management terminal.
Background technology
The prior art provides a clustering method and device based on user interest. The method comprises: receiving data on the primary attributes of a user; according to a predetermined central point of the cluster that affects the user interest calculated from the primary attribute data, calculating the distance between the user's primary attribute data and the central point of the cluster; comparing that distance with a preset threshold; and, if the distance is less than the preset threshold, judging that the user belongs to the cluster of that interest.
The above scheme determines user interest by clustering on basic user data. In the field of log information management, however, the information recorded in log files is very large and computer systems operate very frequently, so how to use a clustering method to find suspicious operation data in cluttered log files becomes particularly necessary; in particular, when a computer is under attack, a scheme that finds suspicious operation records quickly is especially needed.
Therefore, a scheme for quickly finding suspicious operation records in log records is urgently needed.
Summary of the invention
The invention provides a log information management method and a log information management terminal to solve the above problem.
The invention provides a log information management method. The method comprises the following steps:
obtaining log record information and storing the log record information in the data items of a log data table;
obtaining the distance between the quantized characteristic data in each log record and the cluster centre point, comparing it with a preset distance, and performing recognition control on the log record information according to the comparison result.
The invention also provides a log information management terminal comprising an acquisition module and a recognition control module, wherein the acquisition module is connected to the recognition control module;
the acquisition module is used to obtain log record information, store the log record information in the data items of a log data table, and send the log data table to the recognition control module;
the recognition control module is used to obtain the distance between the quantized characteristic data in each log record and the cluster centre point, compare it with a preset distance, and perform recognition control on the log record information according to the comparison result.
By the scheme of obtaining log record information and storing it in the data items of a log data table, obtaining the distance between the quantized characteristic data in each log record and the cluster centre point, comparing it with a preset distance, and performing recognition control on the log record information according to the comparison result, the aim of quickly recognizing suspicious operations is achieved and system security is greatly improved.
By the scheme of sending the abnormal log record information to a system manager terminal, where it is processed, the system operator obtains exception records in a timely manner, which greatly improves system security.
By sending the abnormal log record information to the system manager terminal by mail or short message, the system operator can obtain the relevant abnormal record information in time, which creates the conditions for timely handling.
Accompanying drawing explanation
The accompanying drawings described herein are provided for a further understanding of the invention and form part of this application; the schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Figure 1 is the processing flowchart of the log information management method of embodiment 1 of the invention;
Figure 2 is the structural diagram of the log information management terminal of embodiment 2 of the invention.
Embodiment
The invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another.
Figure 1 is the processing flowchart of the log information management method of embodiment 1 of the invention, which comprises the following steps:
Step 101: obtain log record information and store the log record information in the data items of a log data table.
Further, the log collection tool syslog-ng is used, and the log record information is obtained through a configuration file written for it.
Further, the data items comprise a host data item, a facility data item, a date data item, a time data item, a program data item and a msg data item.
Further, the host data item refers to the remotely accessing host, the facility data item refers to the source of the log information, the date data item refers to the date, the time data item refers to the time, the program data item refers to the subject that directly performs the access, and the msg data item refers to the log information.
Here, according to the scope of the program's operation, the program data item can be used to judge whether the program has acted beyond its authority; the log information in the msg data item records the specific access behaviour, and the behaviour, target and completion status recorded in the msg data item also have a significant effect on judging suspicious operations.
Step 102: obtain the distance between the quantized characteristic data in each log record and the cluster centre point, compare it with a preset distance, and perform recognition control on the log record information according to the comparison result.
Further, the characteristic data comprises host data, program data and msg data.
Here, quantizing the characteristic data means setting a quantized value for the characteristic data; the magnitude of the quantized value reflects, to a certain extent, the importance of that data to the cluster classification.
Further, the cluster centre point refers to quantizing each category of characteristic data and setting a corresponding benchmark quantized value.
For example, the host data is quantized and its corresponding benchmark quantized value is set to 1.
Further, the distance between the quantized characteristic data in each log record and the cluster centre point is obtained by the Euclidean distance algorithm or the Manhattan distance algorithm.
Further, if the distance between the quantized characteristic data in a log record and the cluster centre point is less than the preset distance, the log record information belongs to the default cluster category; otherwise, it belongs to abnormal log record information.
Further, the abnormal log record information is sent to a system manager terminal and processed by the system manager terminal.
Here, the abnormal log record information is sent to the system manager terminal by mail or short message.
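As an added illustration of steps 101 and 102 (example code written for this page, not the patent's own implementation), the following Python parses constructed syslog-ng-style lines into the six data items, quantizes the host, program and msg features against assumed lookup tables with the benchmark value 1 as the cluster centre, and flags records whose Euclidean or Manhattan distance to the centre is not below an assumed preset distance. The output template, the quantization tables and the preset distance of 1.5 are assumptions, not values from the patent.

```python
import math
import re

# Regex for the assumed syslog-ng output template (not from the patent):
# "$DATE $TIME $HOST $FACILITY $PROGRAM: $MSG"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ([^:\s]+): (.*)$")

# Constructed sample lines; hosts, users and addresses are invented.
SAMPLE_LINES = [
    "2015-06-30 10:01:02 web01 auth sshd: Accepted publickey for deploy from 10.0.0.5",
    "2015-06-30 10:01:09 web01 cron cron: (root) CMD run-parts /etc/cron.hourly",
    "2015-06-30 10:02:15 db02 auth sshd: Failed password for root from 203.0.113.9",
    "2015-06-30 10:02:40 lab-vm auth sshd: Accepted password for guest from 198.51.100.7",
    "2015-06-30 10:03:01 web01 auth useradd: new user: name=tmpuser, UID=1007",
]

# Assumed quantization tables. The benchmark value 1 is the cluster centre for
# each feature; larger values place the feature further from normal operation.
TRUSTED_HOSTS = {"web01", "db02"}
EXPECTED_PROGRAMS = {"sshd", "cron"}
MSG_RULES = [  # (pattern, quantized value); first match wins, default is 1
    (re.compile(r"failed password", re.I), 3),
    (re.compile(r"accepted password for (root|guest)", re.I), 2),
]
CENTRE = (1.0, 1.0, 1.0)   # benchmark quantized values for host, program, msg
PRESET_DISTANCE = 1.5      # assumed preset distance


def parse_line(line):
    """Step 101: split one line into the six data items of the log data table."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, host, facility, program, msg = m.groups()
    return {"host": host, "facility": facility, "date": date,
            "time": time, "program": program, "msg": msg}


def quantize(rec):
    """Map the characteristic data (host, program, msg) to a numeric vector."""
    host_q = 1 if rec["host"] in TRUSTED_HOSTS else 3
    prog_q = 1 if rec["program"] in EXPECTED_PROGRAMS else 2
    msg_q = next((v for rx, v in MSG_RULES if rx.search(rec["msg"])), 1)
    return (float(host_q), float(prog_q), float(msg_q))


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def manhattan(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


def classify(lines, metric=euclidean, preset=PRESET_DISTANCE):
    """Step 102: distance below the preset -> default cluster (normal);
    otherwise the record is abnormal and would go to the manager terminal."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed template
        d = metric(quantize(rec), CENTRE)
        rec["distance"] = round(d, 3)
        rec["abnormal"] = not d < preset
        results.append(rec)
    return results


def abnormal_records(lines, metric=euclidean):
    """Only the records that would be sent to the system manager terminal."""
    return [r for r in classify(lines, metric) if r["abnormal"]]


if __name__ == "__main__":
    for r in classify(SAMPLE_LINES):
        print("ABNORMAL" if r["abnormal"] else "normal", r["distance"],
              r["host"], r["program"], r["msg"])
```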
Figure 2 is the structural diagram of the log information management terminal of embodiment 2 of the invention, which comprises an acquisition module 201 and a recognition control module 202, wherein the acquisition module 201 is connected to the recognition control module 202;
the acquisition module 201 is used to obtain log record information, store the log record information in the data items of a log data table, and send the log data table to the recognition control module 202;
the recognition control module 202 is used to obtain the distance between the quantized characteristic data in each log record and the cluster centre point, compare it with a preset distance, and perform recognition control on the log record information according to the comparison result.
By the scheme of obtaining log record information and storing it in the data items of a log data table, obtaining the distance between the quantized characteristic data in each log record and the cluster centre point, comparing it with a preset distance, and performing recognition control on the log record information according to the comparison result, the aim of quickly recognizing suspicious operations is achieved and system security is greatly improved.
By the scheme of sending the abnormal log record information to a system manager terminal, where it is processed, the system operator obtains exception records in a timely manner, which greatly improves system security.
By sending the abnormal log record information to the system manager terminal by mail or short message, the system operator can obtain the relevant abnormal record information in time, which creates the conditions for timely handling.
The above are only preferred embodiments of the invention and do not limit it; for a person skilled in the art, the invention may have various modifications and variations. Any amendment, equivalent replacement, improvement and so on made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A log information management method, characterized in that it comprises the following steps:
obtaining log record information and storing the log record information in the data items of a log data table;
obtaining the distance between the quantized characteristic data in each log record and the cluster centre point, comparing it with a preset distance, and performing recognition control on the log record information according to the comparison result.
2. The method according to claim 1, characterized in that the data items comprise a host data item, a facility data item, a date data item, a time data item, a program data item and a msg data item.
3. The method according to claim 2, characterized in that the host data item refers to the remotely accessing host, the facility data item refers to the source of the log information, the date data item refers to the date, the time data item refers to the time, the program data item refers to the subject that directly performs the access, and the msg data item refers to the log information.
4. The method according to claim 1, characterized in that the log record information is obtained by the log collection tool syslog-ng through a configuration file written for it.
5. The method according to claim 1, characterized in that the characteristic data comprises host data, program data and msg data.
6. The method according to claim 1, characterized in that the cluster centre point refers to quantizing each category of characteristic data and setting a corresponding benchmark quantized value.
7. The method according to claim 1, characterized in that the distance between the quantized characteristic data in each log record and the cluster centre point is obtained by the Euclidean distance algorithm or the Manhattan distance algorithm.
8. The method according to claim 1, characterized in that, if the distance between the quantized characteristic data in a log record and the cluster centre point is less than the preset distance, the log record information belongs to the default cluster category; otherwise, it belongs to abnormal log record information.
9. The method according to claim 8, characterized in that the abnormal log record information is sent to a system manager terminal and processed by the system manager terminal.
10. A log information management terminal, characterized in that it comprises an acquisition module and a recognition control module, wherein the acquisition module is connected to the recognition control module;
the acquisition module is used to obtain log record information, store the log record information in the data items of a log data table, and send the log data table to the recognition control module;
the recognition control module is used to obtain the distance between the quantized characteristic data in each log record and the cluster centre point, compare it with a preset distance, and perform recognition control on the log record information according to the comparison result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510377928.6A CN104951555A (en) 2015-06-30 2015-06-30 Log information management method and log information management terminal

Publications (1)

Publication Number Publication Date
CN104951555A true CN104951555A (en) 2015-09-30

Family

ID=54166213

Country Status (1)

Country Link
CN (1) CN104951555A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101325520A (en) * 2008-06-17 2008-12-17 南京邮电大学 Method for locating and analyzing fault of intelligent self-adapting network based on log
CN101706791A (en) * 2009-09-17 2010-05-12 成都康赛电子科大信息技术有限责任公司 User preference based data cleaning method
CN103902537A (en) * 2012-12-25 2014-07-02 重庆新媒农信科技有限公司 Multi-service log data storage processing and inquiring system and method thereof
CN103577307A (en) * 2013-11-07 2014-02-12 浙江中烟工业有限责任公司 Method for automatically extracting and analyzing firewall logs based on XML rule model
CN103581198A (en) * 2013-11-13 2014-02-12 浙江中烟工业有限责任公司 Security log analyzing method based on Apriori algorithm
CN104462606A (en) * 2014-12-31 2015-03-25 中国科学院深圳先进技术研究院 Method for determining diagnosis treatment measures based on log data

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105183912A (en) * 2015-10-12 2015-12-23 北京百度网讯科技有限公司 Abnormal log determination method and device
CN105183912B (en) * 2015-10-12 2019-03-01 北京百度网讯科技有限公司 Abnormal log determines method and apparatus
CN105653427A (en) * 2016-03-04 2016-06-08 上海交通大学 Log monitoring method based on abnormal behavior detection
CN105653427B (en) * 2016-03-04 2019-02-22 上海交通大学 Log monitoring method based on abnormal behavior detection
CN107395562A (en) * 2017-06-14 2017-11-24 广东网金控股股份有限公司 A kind of financial terminal security protection method and system based on clustering algorithm
CN111240942A (en) * 2019-12-02 2020-06-05 华为技术有限公司 Log abnormity detection method and device
WO2021109724A1 (en) * 2019-12-02 2021-06-10 华为技术有限公司 Log anomaly detection method and apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150930