CN108418842A - A kind of intranet security log collection method and system - Google Patents

Info

Publication number: CN108418842A
Authority: CN (China)
Prior art keywords: error code, log, error, log collection
Prior art date: 2018-05-31
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201810553219.2A
Other languages: Chinese (zh)
Inventors: 于波, 雷亚, 熊少杰
Current assignee: Zhengzhou Xin Da Tian Rui Information Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Zhengzhou Xin Da Tian Rui Information Technology Co Ltd
Priority date: 2018-05-31 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2018-05-31
Publication date: 2018-08-17
Application filed by: Zhengzhou Xin Da Tian Rui Information Technology Co Ltd
Priority to: CN201810553219.2A
Publication of: CN108418842A
Legal status: Pending

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L63/1408 by monitoring network traffic › H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F11/00 Error detection; Error correction; Monitoring › G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance › G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation › G06F11/0766 Error or fault reporting or storing
        • G06F11/0778 Dumping, i.e. gathering error/state information after a fault for later diagnosis
        • G06F11/0787 Storage of error reports, e.g. persistent data storage, storage using memory protection

Abstract

The present invention relates to an intranet security log collection method and system. A log collection engine collects historical software system logs from each application module; error codes are extracted from the system logs and compared with pre-stored error codes; if an error code in a system log coincides with a pre-stored error code, the explanation information corresponding to that error code is extracted; if an error code in a system log differs from the pre-stored error codes, the error code is stored; an alarm collection engine analyzes the error codes, forms a log error type model, and trains the log error type model; an error level matching engine determines the log error type by matching real-time logs against the log error level model and raises an alarm. The intranet security log collection method facilitates the storage, management, analysis and searching of logs.

Description

A kind of intranet security log collection method and system
Technical field
The invention belongs to the technical field of log collection, and in particular relates to an intranet security log collection method and system.
Background technology
At present, the number and kinds of threats to key information resources in the network environment are rising steeply, and how to react actively and in time to attacks has become a research hotspot in the network security field in recent years. Assessing the network security situation by analyzing log files has gained increasingly wide recognition. To cope with the security threats the network faces, many enterprises deploy firewalls, behavior management equipment, anti-virus software, IDS and other security infrastructure during informatization, intending to protect the enterprise network through these security infrastructures. While monitoring or defending, these security infrastructures generate log data related to security protection, and this data usually reflects the behavior of the network devices. For the logs generated every day, real-time processing requires a large amount of server resources, so most companies do not analyze and process them but merely record them. When an anomaly occurs, however, the stored log data is not easy to search.
Invention content
The object of the present invention is to provide an intranet security log collection method, so as to solve the technical problem that abnormal logs are not easy to search.
A further object of the present invention is to provide an intranet security log collection system.
To achieve the above objects, the technical solution adopted by the present invention is as follows. An intranet security log collection method:
A log collection engine collects historical software system logs from each application module;
Error codes in the system logs are extracted and compared with pre-stored error codes;
If an error code in a system log coincides with a pre-stored error code, the explanation information corresponding to the error code is extracted;
If an error code in a system log differs from the pre-stored error codes, the error code is stored;
An alarm collection engine analyzes the error codes, forms a log error type model, and trains the log error type model;
An error level matching engine determines the log error type by matching real-time logs against the log error level model and raises an alarm.
Further, after the error codes are filtered out, historical log data is formed; the historical log data file is likewise saved, but the historical log data and the error codes are kept separately.
Further, the system logs stored in the storage system are saved through a general-purpose interface as a Unicode log file; the general-purpose interface includes a log generation interface, a log orchestration interface and a log transmission interface.
Further, the system log includes one or more target parameters; a target parameter is one or more of a log keyword, a log timestamp, a log address, and the business module or sub-module to which the log belongs.
Further, in the comparison of the error codes with the pre-stored error codes, the error codes of each application module are compared separately; the error codes of each application module are stored separately.
Further, the pre-stored error codes include the initially set error codes together with the sum of the error codes that gradually appear during operation.
An intranet security log collection system comprises the following modules: a log collection engine, for collecting historical software system logs from each application module; an extraction module, for extracting error codes from the system logs collected by the log collection engine; a storage module, for storing the pre-stored error codes and the gradually generated error codes; a comparison module, for comparing the error codes extracted by the extraction module with the error codes stored by the storage module; an alarm collection engine, for analyzing the error codes and generating and training a log error type model; and an error level matching engine, for matching log error types.
Further, the system also includes a transmission unit, for sending to a log server the historical software system logs that the log collection engine collected from each application module.
Beneficial effects of the present invention:
The intranet security log collection method of the present invention stores error codes separately on the basis of the error code comparison, which makes them convenient to search and use. The alarm collection engine analyzes the error codes and at the same time builds the log error type model; the error level matching engine matches and distinguishes error codes, separating error codes of different types, which is convenient for searching and use. An alarm can also be raised for each type of error code.
The intranet security log collection system of the present invention facilitates the storage, management, analysis and searching of logs.
Description of the drawings
Fig. 1 is a schematic flow chart of the intranet security log collection method in Embodiment 1.
Specific implementation mode
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the present invention.
An embodiment of the intranet security log collection method of the present invention is shown in Fig. 1.
Embodiment 1
The intranet security log collection method of this embodiment uses a log collection engine to collect system logs. The log collection engine collects historical software system logs from each application module. A system log includes one or more target parameters. A target parameter is one or more of a log keyword, a log timestamp, a log address, and the business module or sub-module to which the log belongs. The system logs stored in the storage system are saved through a general-purpose interface as a Unicode log file; the general-purpose interface includes a log generation interface, a log orchestration interface and a log transmission interface.
Error codes in the system logs are extracted and compared with the pre-stored error codes. If an error code in a system log coincides with a pre-stored error code, the explanation information corresponding to the error code is extracted. If an error code in a system log differs from the pre-stored error codes, the error code is stored. After the error codes are filtered out, historical log data is formed; the historical log data file is likewise saved, but the historical log data and the error codes are kept separately, which is convenient for searching and use. In the comparison of the error codes with the pre-stored error codes, the error codes of each application module are compared separately; separate comparison is more efficient and less error-prone. The error codes of each application module are stored separately; separate storage makes them convenient to call and compare individually. The pre-stored error codes include the initially set error codes together with the sum of the error codes that gradually appear during operation. The gradually appearing error codes are those that do not correspond to any pre-stored error code; they are accumulated so that they can be searched and analyzed.
The alarm collection engine analyzes the error codes, forms a log error type model, and trains the log error type model. The error level matching engine determines the log error type by matching real-time logs against the log error level model. Once the log error type is determined, an alarm can be raised in accordance with the corresponding log error type.
The intranet security log collection system of this embodiment comprises the following modules:
A log collection engine, for collecting historical software system logs from each application module;
An extraction module, for extracting error codes from the system logs collected by the log collection engine;
A storage module, for storing the pre-stored error codes and the gradually generated error codes;
A comparison module, for comparing the error codes extracted by the extraction module with the error codes stored by the storage module;
An alarm collection engine, for analyzing the error codes and generating and training a log error type model;
An error level matching engine, for matching log error types.
A transmission unit, for sending to a log server the historical software system logs that the log collection engine collected from each application module.
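The collection, per-module comparison, separate storage and accumulation steps described above, followed by the real-time error level match, as an added Python example that is not part of the patent or the applicant's code. The log line layout, the error-code shape `[A-Z]\d{4}`, the pre-stored code tables and the error type model are all constructed assumptions; the patent specifies none of them.

```python
import re
from collections import defaultdict

# Constructed sample data; the patent gives no concrete code table or log format.
PRESTORED = {
    "auth": {"E1001": "password verification failed", "E1002": "account locked"},
    "vpn":  {"E2001": "tunnel handshake timeout"},
}
# Constructed "log error type model": error code -> (error type, alert level).
TYPE_MODEL = {"E1001": ("credential", "medium"), "E1002": ("credential", "high"),
              "E2001": ("connectivity", "low")}

# Assumed line layout: "<timestamp> [<module>] <address> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<module>[^\]]+)\] (?P<addr>\S+) (?P<msg>.*)$")
CODE_RE = re.compile(r"\b[A-Z]\d{4}\b")   # assumed error-code shape


class LogStore:
    """Keeps history records, pre-stored codes and newly seen codes apart,
    with every code table held per application module as the patent requires."""
    def __init__(self, prestored):
        self.known = {m: dict(t) for m, t in prestored.items()}  # module -> {code: explanation}
        self.new = defaultdict(dict)       # module -> {code: first-seen timestamp}
        self.history = []                  # records with the code filtered out

    def compare(self, module, code, ts):
        """Compare a code against the module's own pre-stored table (claim 5)."""
        expl = self.known.get(module, {}).get(code)
        if expl is not None:
            return ("known", expl)
        self.new[module].setdefault(code, ts)   # gradually appearing codes accumulate
        return ("new", None)

    def promote(self, module, code, explanation):
        """Fold a gradually appearing code into the pre-stored set (claim 6)."""
        self.known.setdefault(module, {})[code] = explanation
        self.new[module].pop(code, None)


def collect_line(store, line):
    """Extract codes from one log line and compare them (claims 1, 2).
    Returns [(code, "known"|"new", explanation_or_None), ...]."""
    m = LINE_RE.match(line)
    if m is None:
        return []          # unparseable line: nothing to compare
    rec = m.groupdict()
    results = [(c,) + store.compare(rec["module"], c, rec["ts"])
               for c in CODE_RE.findall(rec["msg"])]
    rec["msg"] = CODE_RE.sub("", rec["msg"]).strip()   # history record without the code
    store.history.append(rec)
    return results


def match_realtime(store, line, model=TYPE_MODEL):
    """Error level matching: map each code in a live line to (type, level);
    codes outside the model are flagged for review instead of silently dropped."""
    return [(code, *model.get(code, ("unknown", "review")))
            for code, _, _ in collect_line(store, line)]


SAMPLE_HISTORY = [   # constructed log lines
    "2018-05-31T10:00:01 [auth] 10.0.0.5 login rejected E1001 for user alice",
    "2018-05-31T10:00:07 [auth] 10.0.0.5 login rejected E1001 for user alice",
    "2018-05-31T10:00:09 [vpn] 10.0.0.9 session drop E2001 after 30s",
    "2018-05-31T10:01:00 [auth] 10.0.0.7 unexpected state E1999 on token refresh",
]

if __name__ == "__main__":
    s = LogStore(PRESTORED)
    for ln in SAMPLE_HISTORY:
        print(collect_line(s, ln))
    print("new codes:", dict(s.new))
    print(match_realtime(s, SAMPLE_HISTORY[3]))
```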

Claims (8)

1. An intranet security log collection method, characterized in that: a log collection engine collects historical software system logs from each application module; error codes in the system logs are extracted and compared with pre-stored error codes; if an error code in a system log coincides with a pre-stored error code, the explanation information corresponding to the error code is extracted; if an error code in a system log differs from the pre-stored error codes, the error code is stored; an alarm collection engine analyzes the error codes, forms a log error type model, and trains the log error type model; an error level matching engine determines the log error type by matching real-time logs against the log error level model and raises an alarm.
2. The intranet security log collection method according to claim 1, characterized in that: after the error codes are filtered out, historical log data is formed; the historical log data file is likewise saved, but the historical log data and the error codes are kept separately.
3. The intranet security log collection method according to claim 1, characterized in that: the system logs stored in the storage system are saved through a general-purpose interface as a Unicode log file; the general-purpose interface includes a log generation interface, a log orchestration interface and a log transmission interface.
4. The intranet security log collection method according to claim 1, characterized in that: the system log includes one or more target parameters; a target parameter is one or more of a log keyword, a log timestamp, a log address, and the business module or sub-module to which the log belongs.
5. The intranet security log collection method according to claim 1, characterized in that: in the comparison of the error codes with the pre-stored error codes, the error codes of each application module are compared separately; the error codes of each application module are stored separately.
6. The intranet security log collection method according to claim 1 or 5, characterized in that: the pre-stored error codes include the initially set error codes together with the sum of the error codes that gradually appear during operation.
7. An intranet security log collection system, characterized in that it comprises the following modules: a log collection engine, for collecting historical software system logs from each application module; an extraction module, for extracting error codes from the system logs collected by the log collection engine; a storage module, for storing the pre-stored error codes and the gradually generated error codes; a comparison module, for comparing the error codes extracted by the extraction module with the error codes stored by the storage module; an alarm collection engine, for analyzing the error codes and generating and training a log error type model; and an error level matching engine, for matching log error types.
8. The intranet security log collection system according to claim 7, characterized in that: it further includes a transmission unit, for sending to a log server the historical software system logs that the log collection engine collected from each application module.

Priority Applications (1)

Application Number: CN201810553219.2A (publication CN108418842A, en)
Priority Date: 2018-05-31
Filing Date: 2018-05-31
Title: A kind of intranet security log collection method and system
Status: Pending

Publications (1)

Publication Number: CN108418842A (en)
Publication Date: 2018-08-17

Family

ID=63141129 (one family application: CN201810553219.2A, above)

Country Status (1)

Country: CN (1), CN108418842A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105528280A (en) * | 2015-11-30 | 2016-04-27 | 中电科华云信息技术有限公司 | Method and system capable of determining log alarm grades according to the relationship between system logs and health monitoring
CN106371986A (en) * | 2016-09-08 | 2017-02-01 | 上海新炬网络技术有限公司 | Log processing operation and maintenance monitoring system
CN107273269A (en) * | 2017-06-12 | 2017-10-20 | 北京奇虎科技有限公司 | Log analysis method and device
CN107291605A (en) * | 2017-07-11 | 2017-10-24 | 郑州云海信息技术有限公司 | System log processing method and system

Legal Events

Date | Code | Title
2018-08-17 | PB01 | Publication
| SE01 | Entry into force of request for substantive examination
| RJ01 | Rejection of invention patent application after publication