CN112346938B - Operation auditing method and device, server and computer readable storage medium - Google Patents

Publication number: CN112346938B
Authority: CN (China)
Prior art keywords: log, expansion, audit, target, preset
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201910731265.1A
Other languages: Chinese (zh)
Other versions: CN112346938A
Inventors: 沈华勇, 刘斌华, 杨琛璟
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201910731265.1A; publication of CN112346938A; application granted; publication of CN112346938B; legal status active; anticipated expiration

Classifications

    • G06F11/328 Computer systems status display (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F11/00 Error detection; error correction; monitoring > G06F11/30 Monitoring > G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine > G06F11/324 Display of status information)
    • G06F11/3476 Data logging (G06F11/00 Error detection; error correction; monitoring > G06F11/30 Monitoring > G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; recording or statistical evaluation of user activity, e.g. usability assessment > G06F11/3466 Performance evaluation by tracing or monitoring)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (Y General tagging of new technological developments > Y02 Technologies or applications for mitigation or adaptation against climate change > Y02D Climate change mitigation technologies in information and communication technologies [ICT], i.e. ICT aiming at the reduction of their own energy use)

Abstract

The application discloses an operation auditing method, device and system, a server and a computer readable storage medium, wherein the method comprises the following steps: acquiring an expansion log; determining an audit object according to the extension information, and determining a target extension log corresponding to the audit object; the auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value; and performing operation audit based on the target expansion log to obtain an audit result. According to the operation audit method, the audit object is determined by using the extension information, and the operation audit is performed on the extension log corresponding to the audit object, so that the log audit efficiency is improved.

Description

Operation auditing method and device, server and computer readable storage medium
Technical Field
The present application relates to the field of operation auditing technology, and more particularly, to an operation auditing method, an operation auditing device, a server and a computer readable storage medium.
Background
In the related art, the most common log collection and processing scheme is the ELK stack, i.e., collection, processing and storage of logs and generation of charts for presentation by means of Elasticsearch + Logstash + Kibana.
However, an ELK solution only provides tools for collecting, processing and storing logs and generating charts; because original logs originating from different systems have different formats, subsequent log auditing of those logs is significantly inconvenient.
Therefore, how to format the original logs of different systems so as to improve log audit efficiency is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide an operation auditing method and device, a server and a computer readable storage medium, which are used for formatting original logs of different systems, so that log auditing efficiency is improved.
To achieve the above object, a first aspect of the present application provides an operation auditing method, including:
acquiring an expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, and the standard element comprises a subject, an object, time and an operation type;
Determining an audit object according to the extension information, and determining a target extension log corresponding to the audit object; the auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value;
and performing operation audit based on the target expansion log to obtain an audit result.
To achieve the above object, a second aspect of the present application provides an operation auditing apparatus, including:
the acquisition module is used for acquiring the expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, and the standard element comprises a subject, an object, time and an operation type;
the determining module is used for determining an audit object according to the extension information and determining a target extension log corresponding to the audit object; the auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value;
And the auditing module is used for performing operation auditing based on the target expansion log to obtain an auditing result.
To achieve the above object, a third aspect of the present application provides a server, including:
a processor and a memory;
wherein the processor is configured to execute a program stored in the memory;
the memory is used for storing a program, and the program is used for at least:
acquiring an expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, and the standard element comprises a subject, an object, time and an operation type;
determining an audit object according to the extension information, and determining a target extension log corresponding to the audit object; the auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value;
And performing operation audit based on the target expansion log to obtain an audit result.
To achieve the above object, a fourth aspect of the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the operation audit method as described above.
According to the scheme, the operation auditing method provided by the application comprises the following steps: acquiring an expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, and the standard element comprises a subject, an object, time and an operation type; determining an audit object according to the extension information, and determining a target extension log corresponding to the audit object; the auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value; and performing operation audit based on the target expansion log to obtain an audit result.
According to the operation auditing method, unified element marks are first extracted, by a universal method, from the unformatted original logs collected from various systems, so that key information can be queried from originally disparate logs in the same way; expansion information that is closer to the business is then added to the original logs through element expansion. The audit object is determined using the expansion information, and operation audit is performed on the expansion logs corresponding to the audit object, thereby improving log audit efficiency. The application also discloses an operation auditing device, a server and a computer readable storage medium, which achieve the same technical effects.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. The accompanying drawings are included to provide a further understanding of the disclosure, and are incorporated in and constitute a part of this specification, illustrate the disclosure and together with the description serve to explain, but do not limit the disclosure. In the drawings:
Fig. 1 is a schematic diagram of an operation audit system according to an embodiment of the present application;
FIG. 2 is a flowchart of an operation audit method provided in an embodiment of the present application;
FIG. 3 is a flow chart of another method of auditing operations provided by embodiments of the present application;
FIG. 4 is a detailed flowchart of step S202 in FIG. 3;
FIG. 5 is a block diagram of an operation auditing device according to an embodiment of the present application;
fig. 6 is a structural diagram of a server according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
To facilitate an understanding of the operational audit method provided herein, a system for use therewith is described below. Referring to fig. 1, an architecture diagram of an operation audit system provided in an embodiment of the present application is shown, as shown in fig. 1, including a server 60, a log source 20, a target storage 30, a management system, and a terminal 50, where the server 60 is communicatively connected to the log source 20, the server 60 is communicatively connected to the target storage 30, the server 60 is communicatively connected to the management system, and the server 60 is communicatively connected to the terminal 50 via a network 40.
The number of log sources is not limited herein, i.e., the log source 20 may comprise a plurality of log sources, each of which may be understood as storage for logs, such as a Kafka queue or a database. Each log source may hold the logs generated by one system or by multiple systems; these are collectively referred to as original logs in the following embodiments, without limitation.
The server 60 includes a plurality of log source plug-ins, where the plurality of log source plug-ins may be stored in the server 60 in a cluster, and each log source plug-in is configured to obtain an original log in its corresponding log source, and transmit the original log stored in a different log source 20 to the server 60 through the network 40, so that the cluster may be expanded as the types of the log sources 20 increase.
The inventors of the present application found that original logs from different log sources are inconvenient for operation audit because of their different formats. Thus, in this application, the server 60 further includes a plurality of mark extraction plug-ins, which may be stored in the server 60 as a cluster; each mark extraction plug-in is configured to extract elements from the original logs of its corresponding log type. It is understood that, as the number of log types increases, the cluster holding the mark extraction plug-ins is likewise extensible.
In order to extract information closer to the service, the server 60 further includes a plurality of element expansion plug-ins for extracting expansion information of each element in the management system corresponding to each element. The management system is used for recording basic information, sensitive information and the like of each element, for example, the subject management system can comprise an HR system and the like, and the object management system can comprise a resource management system and the like.
The server 60 generates an extension field based on the standard reporting format using these elements and their corresponding extension information, and the final extension log includes the original log and the extension field. The same method can be used to query the elements and extension information for each extension log.
The target storage 30 is used to store the expansion logs generated by the server 60. The target storage 30 may be an Elasticsearch cluster, a relational database such as MySQL, a NoSQL engine, or the like, and is not specifically limited herein.
In addition, the server 60 may perform operation audit on the expansion logs with the uniformly formatted extension field stored in the target storage 30, that is, determine the target expansion logs corresponding to each audit and perform the operation audit based on those target expansion logs.
The terminal 50 is configured to send operation audit commands to the server 60, display operation audit results, and so on. The terminal 50 may be a mobile terminal such as a mobile phone or a fixed terminal such as a PC (personal computer), and is not particularly limited herein.
The embodiment of the application discloses an operation auditing method, which formats original logs of different systems, thereby improving log auditing efficiency.
Referring to fig. 2, a flowchart of an operation auditing method provided in an embodiment of the present application, as shown in fig. 2, includes:
s101: the server acquires an original log from a log source;
in this step, the server obtains the original log from the log source, preferably, this step includes: and acquiring an original log from the log source by using a log source plug-in. It should be noted that, the log and other data (including all data in the embodiments) referred to in this application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the relevant data need to comply with relevant laws and regulations and standards of relevant countries and regions.
The server comprises a plurality of log source plug-ins, each of which is used for acquiring original logs from one log source, i.e., the server acquires original logs from a plurality of log sources by using the plurality of log source plug-ins. Specifically, this step may include: acquiring original logs from a Kafka queue by using a Kafka source plug-in; and/or acquiring original logs from a database by using a database plug-in; and/or acquiring original logs reported through an interface by using a reporting interface plug-in.
In an implementation, original logs stored in a Kafka queue may be read into the server by the Kafka source plug-in, and original logs stored in a database may be read from the database by the database plug-in. The server may also comprise a reporting interface plug-in, through which original logs can be reported to the server via an interface.
The Kafka source plug-in, the database plug-in and the reporting interface plug-in described above may be stored in the server as clusters that scale as the variety of log sources increases.
S102: the server extracts the elements of the original log and extracts the expansion information of the elements based on a management system corresponding to the elements;
the elements comprise standard elements and custom elements, wherein the standard elements comprise a subject, an object, time and an operation type;
preferably, the step of extracting the element of the original log by the server includes: and determining the log type of the original log, and extracting the elements of the original log by using a mark extraction plug-in corresponding to the log type.
In the log source plug-in, the original log is marked with basic labels: for example, a server label indicates which system generated the original log and a service label indicates which service interface generated it. The labels can be obtained from the source system of the original log or by simply reading and parsing the original log. The server may determine the log type of each original log according to these labels. The log type may include a structured type (for example a JSON or XML structure), an SQL type, a text type, and the like, which are not specifically limited herein.
The server comprises a plurality of mark extraction plug-ins, and each mark extraction plug-in is used for extracting elements from the original logs of the corresponding log types, namely the server utilizes different mark extraction plug-ins to extract the elements of the original logs of different log types. The elements herein may include operation audit four-element subject, object, time and operation type, i.e. standard elements in this step, and may also include other user-defined elements.
The plurality of mark extraction plug-ins may be stored in the server as a cluster, which is scalable. The server may provide a mapping table to indicate which mark extraction plug-in is used to process the original logs of each log type, such as shown in Table 1:
TABLE 1
[Table 1, the mapping from log type to mark extraction plug-in, is an image on the original page and is not reproduced here.]
It will be appreciated that the log types of the original logs generated by different service interfaces of the same system may be different, and thus, for the original logs of the same system, multiple mark extraction plugins may be simultaneously used for element extraction. Table 1 can be extended to table 2:
TABLE 2
[Table 2, the mapping from system and service interface to mark extraction plug-in, is an image on the original page and is not reproduced here.]
Specifically, the step of extracting the elements of the original log by using the mark extraction plug-in corresponding to the log type may include: performing structural parsing on the original log and extracting the elements of the original log from the parsing result; and/or parsing the SQL statement in the original log through the Druid library and extracting the elements of the original log from the parsing result; and/or extracting the elements of the original log by using regular expressions.
In a specific implementation, if the log type is a JSON or XML structured type, the structure may be parsed to obtain each element of the original log. If the log type is the SQL type, that is, the original log contains an SQL statement, the SQL statement can be parsed through the Druid library to obtain each element of the original log. Because structured and SQL type original logs contain specific labels and keywords, the elements can be extracted by identifying those labels and keywords. Druid is an open-source, distributed, column-store system suited to real-time data analysis; the basic statistical indicators it summarizes, i.e., the elements in this embodiment, can be represented by fields. If the log type is the text type, each element of the original log can be obtained by means of regular expressions.
Note that, the mark extraction plug-in this step is not specifically limited to the embodiment, and may be implemented by Java code, python script, or the like, for example.
The elements extracted from an original log may include standard elements and custom elements, where the standard elements are the four elements of operation audit: subject, object, time and operation type. These four elements can be extracted from every original log and define a standard event for it, i.e., which person (subject) performed what type of operation on what object at what time. The subject is the executor of the operation, and the object is the thing on which the operation is actually performed, such as a server host, a service, a product configuration, and so on. Examples of operations:
(1) A system administrator queries the information of a user. In this operation, the subject is the system administrator, the object is the user ID, and the operation type is query;
(2) A system administrator modifies the configuration of a fund. In this operation, the subject is the system administrator, the object is the ID of the fund, and the operation type is modify;
(3) An employee logs into a machine. In this operation, the subject is the employee ID, the object is the IP address of the machine, and the operation type is login.
It should be noted that one original log may contain multiple object elements of multiple types. For example, if an employee deploys service S on machine A, machine B and machine C, the objects are machine A, machine B, machine C and service S, four objects in total.
Object elements may be extracted from the parameters of the request message recorded in the original log, or from the parameters of the response message recorded in the original log. That is, this step may include: extracting the objects of the original log from the request message and the response message in the original log by using the mark extraction plug-in corresponding to the log type.
The extracted object element includes at least an object type (type) and an object name (name). For example, the object is a user ID, type is userId, and name is zhangsan. It should be noted that, in order to facilitate operation audit across multiple log types, naming needs to be uniformly specified for the same object type. For example, for system a, the type of user ID is userId, while in system B, the type of user ID is user_account, which may be unified as userId in this embodiment.
Of course, in addition to the standard elements described above, elements of other business concern may be extracted in the tag extraction plug-in as custom elements. For example, for an original log of configured online activities, additional care may be taken about the configured amount, so the amount may be extracted as a custom element. Of course, the user may set other custom elements, which are not specifically limited herein.
Because different systems, and even different operations within the same system, can have different log formats, standardizing the elements of the original logs provides the data support for subsequent operation audit. For example, for an important user, it may be necessary to determine whether anyone has performed operations on that user in any system; with the object elements extracted in this step, a single standard query can be run over the heterogeneous logs to obtain the result. The same holds for the subject and operation type elements, and the time element gives the time of each operation and allows the operation sequence to be reconstructed.
In this step, the server also expands the elements based on the management system corresponding to each element. Unlike the previous step, element expansion does not require an independent plug-in for each heterogeneous log: the same expansion plug-ins can be applied to heterogeneous logs from different sources, because the expansion plug-ins are distinguished by element rather than by log format. Through the expansion plug-ins, more important marks that are close to the business can be added to the original log, so that operation audit supports more powerful standardized auditing.
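The mark extraction step described above, as an added example that is not the patent's own code: one plug-in per log type (JSON structure parsing, SQL statement parsing, regular expressions for text), a mapping table from system and service labels to plug-in, and the unified naming of object types (the page's userId / user_account case). Every sample log, field name and system/service label here is constructed for the example, and the SQL plug-in uses regular expressions rather than a parser library.

```python
import json
import re

# Added example (not the patent's own code): three "mark extraction plug-ins", one per log
# type, reduce heterogeneous original logs to the four standard elements (subject, object,
# time, operation type) plus custom elements. All sample logs, field names, and the
# system/service labels in the mapping table are constructed for this example.

# Unified naming for the same object type across systems. The userId / user_account pair
# is the page's own example; the other aliases are assumed.
TYPE_ALIASES = {"user_account": "userId", "fund_id": "fundId",
                "hosts": "ip", "service_name": "service"}
# Request parameters that are business values (custom elements), not objects.
CUSTOM_KEYS = {"amount"}
# Operation type derived from the SQL verb.
SQL_VERBS = {"select": "query", "update": "modify", "delete": "delete", "insert": "create"}
LOGIN_RE = re.compile(r"^(?P<time>\S+) LOGIN user=(?P<user>\S+) host=(?P<host>\S+)")


def make_object(obj_type, name):
    return {"type": TYPE_ALIASES.get(obj_type, obj_type), "name": str(name)}


def extract_json(raw):
    """Structured (JSON) log: objects are taken from request and response parameters;
    a list-valued parameter yields one object per item (the page's 'deploy on A, B, C' case)."""
    d = json.loads(raw)
    objects, custom = [], {}
    for part in ("request", "response"):
        for key, val in d.get(part, {}).items():
            if key in CUSTOM_KEYS:
                custom[key] = val
            else:
                objects += [make_object(key, v) for v in (val if isinstance(val, list) else [val])]
    return {"subject": d["operator"], "object": objects, "time": d["ts"],
            "op_type": d["action"], "custom": custom}


def extract_sql(raw):
    """SQL log: the statement is parsed (with regular expressions here, instead of an SQL
    parser library) for the verb, the table, and the row keys named in WHERE."""
    time, subject, sql = re.match(r'^(\S+) user=(\S+) sql="(.*)"$', raw).groups()
    verb = sql.split(None, 1)[0].lower()
    table = re.search(r"\b(?:from|update|into)\s+(\w+)", sql, re.I).group(1)
    objects = [make_object("table", table)]
    where = re.search(r"\bwhere\b(.*)$", sql, re.I)
    if where:
        objects += [make_object(col, val)
                    for col, val in re.findall(r"(\w+)\s*=\s*'([^']*)'", where.group(1))]
    return {"subject": subject, "object": objects, "time": time,
            "op_type": SQL_VERBS.get(verb, verb), "custom": {}}


def extract_text(raw):
    """Plain-text log: one regular expression per line format."""
    m = LOGIN_RE.match(raw)
    if m is None:
        raise ValueError("unrecognised text log: %r" % raw)
    return {"subject": m.group("user"), "object": [make_object("ip", m.group("host"))],
            "time": m.group("time"), "op_type": "login", "custom": {}}


# Mapping table in the spirit of Table 2: (system, service) -> plug-in, with a
# per-system default in the spirit of Table 1. Labels are constructed.
PLUGINS = {
    ("admin-portal", None): extract_json,
    ("admin-portal", "db-console"): extract_sql,
    ("deploy-platform", None): extract_json,
    ("bastion", None): extract_text,
}


def extract_elements(record):
    """record: {"server": <source system label>, "service": <interface label>, "raw": <original log>}."""
    key = (record["server"], record.get("service"))
    plugin = PLUGINS.get(key) or PLUGINS.get((record["server"], None))
    if plugin is None:
        raise KeyError("no mark extraction plug-in for %s" % (key,))
    return plugin(record["raw"])


# Constructed original logs, one per log type plus the multi-object deployment case.
SAMPLES = [
    {"server": "admin-portal", "service": "fund-config", "raw": json.dumps(
        {"operator": "admin01", "action": "modify", "ts": "2019-08-09T10:00:00Z",
         "request": {"fund_id": "F1001", "amount": 120000}})},
    {"server": "admin-portal", "service": "db-console",
     "raw": "2019-08-09T10:05:12Z user=dba02 sql=\"UPDATE accounts SET status='frozen' "
            "WHERE user_account='zhangsan'\""},
    {"server": "bastion", "service": "ssh",
     "raw": "2019-08-09T10:07:01Z LOGIN user=emp123 host=10.0.0.5 via=ssh"},
    {"server": "deploy-platform", "service": "rollout", "raw": json.dumps(
        {"operator": "emp123", "action": "deploy", "ts": "2019-08-09T10:09:00Z",
         "request": {"service_name": "S", "hosts": ["10.0.0.1", "10.0.0.2", "10.0.0.3"]}})},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(json.dumps(extract_elements(rec)))
```

The point a practitioner should take from this is in `make_object`: the plug-ins differ per format, but every one of them emits objects under the same type vocabulary, which is what later makes "who touched user zhangsan anywhere" a single query instead of one per source system.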
For the subject element, this step may include: determining the subject management system corresponding to the subject, and extracting the basic information of the subject from the subject management system. In a specific implementation, the subject mark expansion plug-in extracts the basic information by calling the subject management system, which, depending on the company's IT systems, may be an HR system or an organizational structure system. The basic information includes, but is not limited to:
(1) The status of the subject, e.g., whether the subject is in the process of leaving or has already left, whether the subject is being transferred to another post, and so on;
(2) The identity of the subject, e.g., employment type (outsourced staff, intern, formal staff, etc.), title, and so on;
(3) The department, group and business of the subject;
(4) The direct leader of the subject.
For the object element, this step may include: determining the object management system and the object sensitivity marking system corresponding to the object; extracting the basic information of the object from the object management system, and extracting the sensitivity information of the object from the object sensitivity marking system. In a specific implementation, the object mark expansion plug-in extracts the basic information by calling the object management system, such as the company's resource management system; depending on the company's IT systems, the basic information includes, but is not limited to:
(1) A responsible person, a responsible group, a business, etc. of the object;
(2) The deployment location of the object, and various attribute information.
The object sensitivity mark expansion plug-in adds sensitivity information to each object by calling the object sensitivity marking system, which records the sensitivity information of all types of objects. The form of the sensitivity information is not specifically limited: it may be a flag indicating whether the object is sensitive or, preferably, a specific sensitivity level.
For the operation type element, this step may include: determining the operation type sensitivity marking system corresponding to the operation type, and extracting the sensitivity information of the operation type from it. In a specific implementation, the operation type sensitivity mark expansion plug-in adds sensitivity information to each operation type by calling the operation type sensitivity marking system, which records the sensitivity information of each operation type, either as a flag indicating whether the operation type is sensitive or as a sensitivity level.
It will be appreciated that if a custom element was extracted in the previous step, it may also be expanded in this step. If the custom element is an amount, the expansion information includes the risk degree and the approver corresponding to that amount. In an implementation, a financial system may be called to add risk and approver labels to amounts, e.g., an amount below 100,000 yuan is low risk and the approver is a general supervisor; an amount from 100,000 to 1,000,000 yuan is high risk and the approver is the CFO.
S103: the server determines the extension field of the original log based on the standard report format according to each element and the extension information corresponding to each element to obtain an extension log corresponding to the original log;
in this step, the server adds the extracted elements and the extension information corresponding to each element to the standard report format, and adds the extension field based on the standard report format to the preset position of the original log, where the preset position is not specifically limited, and may be the head or tail of the original log, which is within the protection scope of this embodiment.
Because the elements stored in each expansion log have the same format, the expansion field of each log can be extracted by the same extraction plug-in during the subsequent operation audit, and the elements of each log can therefore be obtained in the same manner.
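The head-or-tail placement of step S103 and the uniform extraction it makes possible can be shown with a small example. The following Python is added here and is not code from the patent or from Tencent; the raw log line, the stand-in management-system tables, the `_ext` field name and the regular expression for the source format are all constructed for this example.

```python
import json
import re

# Constructed sample: one raw, unformatted log line from a hypothetical database audit source.
RAW_LOG = "2019-08-08 10:12:33 user=alice db=crm SELECT * FROM customer WHERE id=42"

# Hypothetical stand-ins for the management systems an expansion plug-in would call
# (the page names an HR system, a resource management system and sensitive marking systems).
# Constructed placeholder data, not real records.
HR_SYSTEM = {"alice": {"department": "customer-service", "status": "on-duty", "identity": "intern"}}
OBJECT_SENSITIVITY = {"crm.customer": "high"}
OPERATION_SENSITIVITY = {"query": "low"}

# Name of the field that carries the standard report format (an assumption of this example).
EXT_FIELD = "_ext"

# Parser specific to the constructed source format above. A different log source would get
# its own mark extraction plug-in, but the output keys are always the four standard elements.
_LINE_RE = re.compile(
    r"(?P<time>\S+ \S+) user=(?P<subject>\S+) db=(?P<db>\S+) (?P<verb>\w+) .*?FROM (?P<table>\w+)"
)
_VERB_TO_TYPE = {"SELECT": "query", "INSERT": "create", "UPDATE": "modify", "DELETE": "delete"}


def extract_elements(raw: str) -> dict:
    """Mark extraction: subject, object, time and operation type from the raw line."""
    m = _LINE_RE.match(raw)
    if m is None:
        raise ValueError("log line does not match the source format")
    return {
        "subject": m.group("subject"),
        "object": f"{m.group('db')}.{m.group('table')}",
        "time": m.group("time"),
        "operation_type": _VERB_TO_TYPE.get(m.group("verb").upper(), "other"),
    }


def expand_elements(elements: dict) -> dict:
    """Mark expansion: attach business information from the management systems to each element."""
    return {
        "subject": HR_SYSTEM.get(elements["subject"], {}),
        "object": {"sensitivity": OBJECT_SENSITIVITY.get(elements["object"], "unknown")},
        "operation_type": {"sensitivity": OPERATION_SENSITIVITY.get(elements["operation_type"], "unknown")},
    }


def build_extended_log(raw: str, position: str = "tail") -> str:
    """S103: serialize the elements and their expansion information in one fixed JSON layout
    and attach it at the head or tail of the original log, leaving the original text intact."""
    if position not in ("head", "tail"):
        raise ValueError("position must be 'head' or 'tail'")
    elements = extract_elements(raw)
    field = json.dumps({EXT_FIELD: {"elements": elements, "expansion": expand_elements(elements)}},
                       sort_keys=True, separators=(",", ":"))
    return f"{raw} {field}" if position == "tail" else f"{field} {raw}"


def read_extension(extended: str) -> dict:
    """Uniform extraction plug-in: every extended log is read the same way regardless of its
    source, because the extension field always has the same layout and sits at the head or tail."""
    marker = '{"' + EXT_FIELD + '":'
    start = extended.rfind(marker)
    if start < 0:
        raise ValueError("no extension field present")
    payload, _end = json.JSONDecoder().raw_decode(extended, start)
    return payload[EXT_FIELD]
```

Only `extract_elements` knows the source format; a second source (the SQL-driver parser of the application scenario, for instance) would supply a different parser producing the same four keys, and `read_extension` would serve both unchanged.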
S104: the server stores the expansion log into a target memory;
The server processes each original log in a pipeline mode: a queue may be maintained, the elements of each original log are extracted to obtain an extended log, and the extended log may be put back into the queue and then stored in the target memory. Preferably, other processing links may be added to the pipeline to perform other processing on the log; those skilled in the art may flexibly select the processing links according to actual situations, all of which are within the protection scope of this embodiment and are not limited here. It will be appreciated that the target memory is used to store the expansion logs generated by the server and may be an Elasticsearch cluster, a relational database such as MySQL, a NoSQL engine, or the like, which is not specifically limited here.
S105: the server acquires the expansion log from the target memory;
In this step, the server obtains the extended log from the target memory so that the subsequent steps can perform the operation audit based on the extended log.
S106: the server determines an audit object according to the extension information in the extension log, and determines a target extension log corresponding to the audit object;
The auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value;
In this embodiment, the server performs the operation audit based on the target extension log corresponding to the audit object, so in this step it is necessary to first determine the audit object and the target extension log. The audit object may include a risk subject, that is, a subject whose risk degree is higher than a first threshold; for example, a subject whose status in the extension information is off-duty, whose identity is intern, or whose identity carries higher data query authority, such as customer service personnel. The risk degree of each subject may be set by the user according to the extension information of the subject. The audit object may also include a sensitive object, a sensitive operation type, and the like, where the sensitive object is an object with a sensitivity higher than a second threshold and the sensitive operation type is an operation type with a sensitivity higher than a third threshold. The first, second and third thresholds in this step can be set by the user according to actual conditions.
Preferably, the audit object includes a subject-object association degree, and determining the target expansion log corresponding to the audit object includes: determining an expansion log whose subject-object association degree is lower than a fourth threshold as the target expansion log. In a specific implementation, the operation audit can be performed on expansion logs whose subject-object association degree is lower than the fourth threshold. The subject-object association degree can be expressed as whether the object belongs to the subject's jurisdiction, whether the person responsible for the object belongs to the same group as the subject, whether the service to which the object belongs is the same service as the subject's, and so on. The less closely the object and the subject are associated in the organizational structure and the business, the lower the subject-object association degree. In this embodiment, the subject-object association degree may be represented numerically. For example, if the object belongs to the subject's jurisdiction, the subject-object association degree is 100; if the person responsible for the object belongs to the same group as the subject, the association degree is 85; and if the service to which the object belongs is the same service as the subject's, the association degree is 60, and so on.
Preferably, the audit object includes an operation frequency, and the determining a target extension log corresponding to the audit object includes: determining the operation frequency corresponding to each expansion log; the operation frequency is the frequency of executing target operation in a target time period, wherein the target operation is the operation with the same type as the subject, the object and the operation of the expansion log; determining the target expansion log according to the operation frequency and the frequency range of the preset operation; the preset operation comprises an operation performed by a preset subject and/or an operation performed on a preset object and/or an operation of a preset operation type, wherein the preset subject comprises the risk subject, the preset object comprises the sensitive object, and the preset type comprises the sensitive operation type.
In a specific implementation, the logs in a target time period are aggregated, the operation frequency of each operation is determined, and an expansion log with an unreasonable operation frequency is determined as a target expansion log so that the operation audit can be carried out on it in a subsequent step. For example, if the subject of the expansion log is a preset subject or a risk subject, check whether the frequency with which the subject executes the operation is within the preset frequency range; if the object of the expansion log is a preset object or a sensitive object, check whether the frequency with which the operation is executed on the object is within the preset frequency range; if the operation type of the expansion log is a sensitive operation type, check whether the operation frequency of that operation type is within the preset frequency range. If not, the expansion log is determined as a target expansion log.
In the element extraction and expansion step, if a custom element is extracted and expanded, the audit rule may be customized in this step. For example, if the amount element is extracted and the risk degree and approver are expanded, aggregation can be carried out by amount, and the audit operator handles the maximum amount.
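An added example (not code from the patent) that puts the audit-object rules of step S106 together: the three thresholds, the numeric subject-object association degree with the page's values of 100, 85 and 60, and the frequency check of preset operations against a preset range over a target time period. The threshold values, the subject and object tables, the log entries and the value 0 for a subject and object with no link at all are assumptions of the example.

```python
from collections import Counter
from datetime import datetime

# Thresholds named in the method (the values are constructed for this example).
FIRST_THRESHOLD = 60    # subject risk degree above this -> risk subject
SECOND_THRESHOLD = 60   # object sensitivity above this -> sensitive object
THIRD_THRESHOLD = 60    # operation type sensitivity above this -> sensitive operation type
FOURTH_THRESHOLD = 70   # subject-object association degree below this -> audited
FREQ_RANGE = (0, 3)     # preset frequency range (inclusive) for preset operations in the window

# Constructed expansion information, standing in for what the HR system, the resource
# management system and the sensitive marking systems would return. Risk degree and
# sensitivity are 0-100 here; the page leaves their representation open.
SUBJECTS = {
    "alice": {"risk": 80, "group": "cs-team-1", "service": "crm"},
    "bob":   {"risk": 10, "group": "dev-team-2", "service": "billing"},
    "carol": {"risk": 10, "group": "cs-team-1", "service": "crm"},
}
OBJECTS = {
    "crm.customer": {"sens": 90, "owner_group": "cs-team-1", "service": "crm", "jurisdiction": set()},
    "crm.ticket":   {"sens": 30, "owner_group": "cs-team-2", "service": "crm", "jurisdiction": {"carol"}},
}
OP_SENSITIVITY = {"query": 20, "export": 90}

# Constructed expansion logs (only the four standard elements are needed here).
LOGS = (
    [{"subject": "alice", "object": "crm.customer", "op": "query", "time": f"2019-08-08T10:0{i}:00"} for i in range(5)]
    + [{"subject": "bob", "object": "crm.ticket", "op": "export", "time": "2019-08-08T11:00:00"}]
    + [{"subject": "carol", "object": "crm.ticket", "op": "query", "time": "2019-08-08T12:00:00"}]
)
WINDOW = (datetime(2019, 8, 8), datetime(2019, 8, 9))  # target time period


def association_degree(subject: str, obj: str) -> int:
    """Numeric subject-object association degree with the values given on the page:
    100 if the object is in the subject's jurisdiction, 85 if the person responsible for the
    object is in the subject's group, 60 if both belong to the same service.
    Returning 0 when there is no link at all is this example's assumption."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if subject in o["jurisdiction"]:
        return 100
    if o["owner_group"] == s["group"]:
        return 85
    if o["service"] == s["service"]:
        return 60
    return 0


def operation_frequency(logs, window) -> Counter:
    """Aggregate the logs in the target time period by (subject, object, operation type)."""
    start, end = window
    counts = Counter()
    for log in logs:
        if start <= datetime.fromisoformat(log["time"]) < end:
            counts[(log["subject"], log["object"], log["op"])] += 1
    return counts


def select_target_logs(logs, window) -> dict:
    """S106: return {log index: [reasons]} for every expansion log that matches an audit object."""
    freq = operation_frequency(logs, window)
    targets = {}
    for idx, log in enumerate(logs):
        reasons = []
        risk_subject = SUBJECTS[log["subject"]]["risk"] > FIRST_THRESHOLD
        sensitive_object = OBJECTS[log["object"]]["sens"] > SECOND_THRESHOLD
        sensitive_op = OP_SENSITIVITY[log["op"]] > THIRD_THRESHOLD
        if risk_subject:
            reasons.append("risk subject")
        if sensitive_object:
            reasons.append("sensitive object")
        if sensitive_op:
            reasons.append("sensitive operation type")
        if association_degree(log["subject"], log["object"]) < FOURTH_THRESHOLD:
            reasons.append("low subject-object association")
        # The frequency check applies to preset operations: those performed by a risk subject,
        # on a sensitive object, or of a sensitive operation type.
        n = freq[(log["subject"], log["object"], log["op"])]
        if (risk_subject or sensitive_object or sensitive_op) and not (FREQ_RANGE[0] <= n <= FREQ_RANGE[1]):
            reasons.append(f"frequency {n} outside {FREQ_RANGE}")
        if reasons:
            targets[idx] = reasons
    return targets
```

With these inputs, alice's five queries of the sensitive customer table are selected on three grounds (risk subject, sensitive object, frequency), bob's export is selected for its sensitive operation type and missing organisational link, and carol's single query of a table in her own jurisdiction is not audited. The reasons list is what an auditor would want beside each target log in the detailed list of step S107.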
S107: the server carries out operation audit based on the target expansion log and generates an audit result;
In this step, the server audits the target expansion log determined in the previous step and generates an audit result. In a specific implementation, a detailed list can be produced for all target extension logs by query and aggregation statements. Preferably, a presentation chart corresponding to the target expansion log in the target time period can also be generated; specifically, the operations within the target time period can be displayed as a histogram, a pie chart, or the like for auditing.
S108: the server sends the auditing result to the terminal;
After the audit result is generated, the server sends the audit result to a specific terminal. For example, if the subject of the target expansion log is a risk subject, the audit result may be sent to the terminal of the subject's direct leader; if the object of the target expansion log is a sensitive object, the audit result may be sent to the terminal of the person responsible for the object.
S109: and displaying the auditing result by the terminal.
According to the operation auditing method provided by the embodiment of the application, firstly, a universal operation auditing method is utilized, and unified element marks are extracted from original logs which are collected by various systems and are not formatted, so that original logs which are completely different originally can query key information by adopting the same method, and more important expansion information close to business is expanded into the original logs through element expansion. And determining an audit object by using the extension information, and performing operation audit on an extension log corresponding to the audit object, thereby improving log audit efficiency.
The embodiment of the application discloses an operation auditing method, which is introduced by taking a server as an execution main body, and specifically comprises the following steps:
referring to fig. 3, a flowchart of another operation auditing method provided in an embodiment of the present application, as shown in fig. 3, includes:
S201: acquiring an expansion log;
the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, and the standard element comprises a subject, an object, time and an operation type;
S202: calculating the risk level of each expansion log so as to perform operation audit on all the expansion logs;
the risk level is positively correlated with the risk degree of the subject, the risk level is positively correlated with the sensitivity of the object, the risk level is positively correlated with the sensitivity of the operation type, the risk level is negatively correlated with the association degree of the subject and the object, and the risk level is positively correlated with the operation frequency.
In this embodiment, all the extended logs may be audited, that is, the risk level of each extended log is calculated. It can be appreciated that the higher the risk degree of the subject, the sensitivity of the object and the sensitivity of the operation type, the lower the subject-object association degree, and the higher the operation frequency, the higher the risk level of the expansion log.
Preferably, after this step, further comprising: when the first preset condition or the second preset condition is met, sending alarm information to the management terminal; the first preset condition is that a risk expansion log is generated, the risk expansion log is a log with the risk level reaching a preset level or a log with the object being the sensitive object, and the second preset condition is that the operation frequency of the preset operation exceeds the frequency range.
In a specific implementation, a target expansion log may be determined from a mass of logs and highlighted. Of course, alarm rules are also set so that the relevant personnel can help identify whether the target expansion log really has a problem. The alarm mode is not particularly limited here and may be, for example, a mail, a short message, or the like. Conditions for triggering an alarm include, but are not limited to, the following:
(1) A log whose risk level reaches the preset level appears;
(2) A sensitive object is operated on, that is, a log whose object is a sensitive object appears;
(3) An expansion log appears whose subject is a preset subject or a risk subject and whose frequency of the subject executing the operation is not within the preset frequency range;
(4) An expansion log appears whose object is a preset object or a sensitive object and whose frequency of the operation being executed on the object is not within the preset frequency range;
(5) An expansion log appears whose operation type is a sensitive operation type and whose operation frequency for that operation type is not within the preset frequency range. In such a case the expansion log is determined as a target expansion log.
In this embodiment, the operation audit is performed on every expansion log based on its risk level. Compared with the previous embodiment, in which the audit is performed only on the target expansion logs, the audit in this embodiment is more comprehensive, so the risk expansion logs can be determined and risk operations found more accurately.
The present embodiment provides a method for calculating a risk level, as shown in fig. 4, step S202 in the previous embodiment includes:
S21: assigning a weight coefficient to each audit related item; wherein the audit related item comprises a risk degree of the subject and/or a sensitivity of the object and/or a sensitivity of the operation type and/or a subject-object association degree and/or the operation frequency;
In this embodiment, the risk level of each expansion log is calculated by scoring and weighting. In this step, a weight coefficient is first assigned to each audit related item, and the sum of all weight coefficients is 1. For example, the risk degree of the subject has a weight coefficient of 0.1, the sensitivity of the object has a weight coefficient of 0.2, the sensitivity of the operation type has a weight coefficient of 0.2, the subject-object association degree has a weight coefficient of 0.3, and the operation frequency has a weight coefficient of 0.2. Of course, the user may flexibly allocate the weight coefficient of each audit related item, which is not specifically limited here.
S22: calculating a weighted value of each extended log according to the scoring value and the weighted coefficient of each audit related item in each extended log;
in this step, each audit related item of the extended log is scored, the higher the score is, the lower the risk thereof is, and a weighted value is calculated. For example, for an extended log, the score of the audit related item is a percentile, the score of the risk degree of the subject is 20, the score of the sensitivity of the object is 80, the score of the sensitivity of the operation type is 10, the score of the association degree of the subject and the object is 0, the score of the operation frequency is 80, and the weighting value of the extended log is 36 according to the example of the weighting coefficient of the previous step.
S23: and determining the risk level of each expansion log according to the weighted value.
In this step, a relationship between weighted value intervals and risk levels may be preset, where a higher risk level indicates a higher risk of the extended log. For example, 0-30 is level one, 30-60 is level two, 60-90 is level three, and 90-100 is level four, so the risk level of the expansion log in the previous step is level two.
Therefore, this embodiment provides a way of calculating the risk level of the expansion log, namely, the risk level of each expansion log is calculated by scoring and weighting, so that the operation audit of the logs is more comprehensive and accurate.
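The following added Python example (not code from the patent) carries the scoring of steps S21 to S23 through with the page's own weight coefficients and scores, then applies the two alarm conditions that the second embodiment attaches to step S202. The item names, the preset level, the frequency range and the half-open treatment of the interval boundaries are this example's assumptions; the weights and scores are used exactly as the page gives them.

```python
# Weight coefficients from step S21 and the percentile scores from step S22, as given on the
# page (the item names are this example's own).
WEIGHTS = {
    "subject_risk": 0.1,
    "object_sensitivity": 0.2,
    "operation_sensitivity": 0.2,
    "association_degree": 0.3,
    "operation_frequency": 0.2,
}
PAGE_SCORES = {
    "subject_risk": 20,
    "object_sensitivity": 80,
    "operation_sensitivity": 10,
    "association_degree": 0,
    "operation_frequency": 80,
}
# S23: weighted value intervals -> risk level. The page gives 0-30, 30-60, 60-90, 90-100;
# treating each interval as [low, high) with 100 inside level four is this example's assumption.
LEVEL_INTERVALS = [(0, 30, 1), (30, 60, 2), (60, 90, 3), (90, 101, 4)]

PRESET_LEVEL = 3        # first preset condition: risk level reaching this level (constructed)
FREQ_RANGE = (0, 3)     # second preset condition: preset-operation frequency range (constructed)


def weighted_value(scores: dict, weights: dict = WEIGHTS) -> float:
    """S22: weighted sum of the per-item scores. Validates that the weights sum to 1 and that
    every audit related item has a percentile score, so a missing item cannot silently lower
    the result."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weight coefficients must sum to 1")
    if set(scores) != set(weights):
        raise ValueError(f"scores must cover exactly the audit related items {sorted(weights)}")
    if any(not 0 <= v <= 100 for v in scores.values()):
        raise ValueError("scores must be percentile values in 0..100")
    return round(sum(weights[k] * scores[k] for k in weights), 6)


def risk_level(value: float) -> int:
    """S23: map a weighted value onto the preset risk level intervals."""
    for low, high, level in LEVEL_INTERVALS:
        if low <= value < high:
            return level
    raise ValueError(f"weighted value {value} outside the preset intervals")


def alarm_reasons(log: dict) -> list:
    """Alarm conditions of the second embodiment. `log` carries the item scores, whether the
    object is a sensitive object, whether the operation is a preset operation, and the
    operation frequency observed in the target time period (field names are this example's)."""
    reasons = []
    level = risk_level(weighted_value(log["scores"]))
    if level >= PRESET_LEVEL:
        reasons.append(f"risk level {level} reaches preset level {PRESET_LEVEL}")
    if log.get("sensitive_object"):
        reasons.append("sensitive object operated on")
    freq = log.get("frequency", 0)
    if log.get("preset_operation") and not (FREQ_RANGE[0] <= freq <= FREQ_RANGE[1]):
        reasons.append(f"preset operation frequency {freq} outside {FREQ_RANGE}")
    return reasons
```

With the page's scores the weighted value is 36 and the risk level is two, below the constructed preset level of three, so such a log raises an alarm only through the sensitive-object or frequency conditions. Validating the weight sum and the score coverage up front matters in practice: a scoring plug-in that silently omits an item would otherwise pull every weighted value toward zero and suppress alarms.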
For ease of understanding, the description is presented in connection with one application scenario of the present application. Referring to fig. 1, the log source 20 includes a kafka queue and a database, and the server 60 includes a kafka source plug-in and a data plug-in; the kafka source plug-in may be used to obtain the original logs in the kafka queue, which form original log set A, and the data plug-in may be used to obtain the original logs in the database, which form original log set B.
Four elements, namely a subject, an object, an operation type and time, are extracted from the original logs in original log set A by mark extraction plug-in A, and the same four elements are extracted from the original logs in original log set B by mark extraction plug-in B. The execution flow of mark extraction plug-in A is to perform structural analysis on the original log and extract the four elements from the analysis result; the execution flow of mark extraction plug-in B is to parse the SQL statements in the original log through a driver library and extract the four elements from the parsing result. Marking expansion plug-in A extracts basic information about the subject of each log in original log set A and original log set B by calling the HR system, marking expansion plug-in B extracts basic information about the object of each log by calling the resource management system, and marking expansion plug-in C adds sensitive information for each object by calling the object sensitive marking system. Marking expansion plug-in D adds sensitive information for each operation type by invoking the operation type sensitive marking system. An extension field based on the standard report format is then determined from the four elements of each original log and their corresponding extension information, the extension log corresponding to each original log is obtained, and the extension logs are stored in the target memory 30.
The user may input a target object of interest in the terminal 50, and the server 60 may perform matching of object fields on all the expansion logs stored in the target memory 30, obtain all the expansion logs with the object as the target object, calculate risk levels corresponding to all the performed operations, and determine the expansion log with the risk level greater than the preset level as the risk expansion log. The subject, object, time, and operation type of each risk expansion log are presented in the form of a table in the terminal 50.
An operation auditing apparatus provided in the embodiments of the present application is described below, and an operation auditing apparatus described below and an operation auditing method described above may be referred to each other.
Referring to fig. 5, a structure diagram of an operation auditing apparatus provided in an embodiment of the present application, as shown in fig. 5, includes:
an obtaining module 501, configured to obtain an expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, and the standard element comprises a subject, an object, time and an operation type;
A determining module 502, configured to determine an audit object according to the extension information, and determine a target extension log corresponding to the audit object; the auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value;
and an auditing module 503, configured to perform operation audit based on the target extension log, and obtain an audit result.
According to the operation auditing device provided by the embodiment of the application, firstly, a universal operation auditing method is utilized, and unified element marks are extracted from original logs which are collected by various systems and are not formatted, so that original logs which are completely different originally can query key information by adopting the same method, and more important expansion information which is close to a service is expanded into the original logs through element expansion. And determining an audit object by using the extension information, and performing operation audit on an extension log corresponding to the audit object, thereby improving log audit efficiency.
Based on the foregoing embodiment, as a preferred implementation manner, the auditing module 503 is specifically a module for generating a presentation chart corresponding to the target expansion log in a target time period.
Based on the foregoing embodiment, as a preferred implementation manner, the audit object includes a subject-object association degree, and the determining module 502 includes:
an audit object determining unit for determining an audit object according to the extension information;
the target extension log determining unit is used for determining a target extension log corresponding to the audit object;
the audit object determining unit is specifically a unit for determining an expansion log whose subject-object association degree is lower than a fourth threshold as the target expansion log.
On the basis of the foregoing embodiment, as a preferred implementation manner, the audit object includes an operation frequency, and the determining audit object unit includes:
the first determining subunit is used for determining the operation frequency corresponding to each expansion log; the operation frequency is the frequency of executing target operation in a target time period, wherein the target operation is the operation with the same type as the subject, the object and the operation of the expansion log;
A second determining subunit, configured to determine the target expansion log according to the operation frequency and a frequency range of a preset operation; the preset operation comprises an operation performed by a preset subject and/or an operation performed on a preset object and/or an operation of a preset operation type, wherein the preset subject comprises the risk subject, the preset object comprises the sensitive object, and the preset type comprises the sensitive operation type.
On the basis of the above embodiment, as a preferred implementation manner, the method further includes:
the calculation module is used for calculating the risk level of each expansion log so as to carry out operation audit on all the expansion logs; the risk level is positively correlated with the risk degree of the subject, the risk level is positively correlated with the sensitivity of the object, the risk level is positively correlated with the sensitivity of the operation type, the risk level is negatively correlated with the association degree of the subject and the object, and the risk level is positively correlated with the operation frequency.
On the basis of the above embodiment, as a preferred implementation manner, the computing module includes:
the distribution unit is used for distributing a weight coefficient for each audit related item; wherein the audit related item comprises a risk degree of the subject and/or a sensitivity of the object and/or a sensitivity of the operation type and/or a subject-object association degree and/or the operation frequency;
The calculation unit is used for calculating the weighted value of each extended log according to the scoring value and the weighted coefficient of each audit related item in each extended log;
and the determining unit is used for determining the risk level of each expansion log according to the weighted value.
On the basis of the above embodiment, as a preferred implementation manner, the method further includes:
the alarm module is used for sending alarm information to the management terminal when the first preset condition or the second preset condition is met; the first preset condition is that a risk expansion log is generated, the risk expansion log is a log with the risk level reaching a preset level or a log with the object being the sensitive object, and the second preset condition is that the operation frequency of the preset operation exceeds the frequency range.
The specific manner in which the various modules perform operations in the apparatus of the above embodiments has been described in detail in connection with the embodiments of the method and will not be described in detail here.
The present application also provides a server, referring to fig. 6, and a structure diagram of a server 60 provided in an embodiment of the present application, as shown in fig. 6, may include a processor 61 and a memory 62.
Processor 61 may include one or more processing cores, such as a 4-core processor, an 8-core processor, etc. The processor 61 may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), or PLA (Programmable Logic Array). The processor 61 may also include a main processor, which is a processor for processing data in an awake state, also called a CPU (Central Processing Unit), and a coprocessor, which is a low-power processor for processing data in a standby state. In some embodiments, the processor 61 may integrate a GPU (Graphics Processing Unit) for rendering and drawing the content to be displayed by the display screen. In some embodiments, the processor 61 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 62 may include one or more computer-readable storage media, which may be non-transitory. Memory 62 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 62 is at least used for storing a computer program 621, where the computer program, after being loaded and executed by the processor 61, can implement relevant steps in the test supervision method performed by the terminal side as disclosed in any of the foregoing embodiments. In addition, the resources stored by the memory 62 may also include an operating system 622, data 623, and the like, and the storage manner may be transient storage or permanent storage. The operating system 622 may include Windows, Unix, Linux, among others.
In some embodiments, the server 60 may further include a display 63, an input-output interface 64, a communication interface 65, a sensor 66, a power supply 67, and a communication bus 68.
Of course, the structure of the server shown in fig. 6 does not limit the server in the embodiment of the present application, and the server may include more or fewer components than shown in fig. 6 or may combine some components in practical applications.
In another exemplary embodiment, a computer readable storage medium is also provided that includes program instructions that, when executed by a processor, implement the steps of the operation audit method performed by any of the embodiments servers described above.
In the description, each embodiment is described in a progressive manner, and each embodiment is mainly described by the differences from other embodiments, so that the same similar parts among the embodiments are mutually referred. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section. It should be noted that it would be obvious to those skilled in the art that various improvements and modifications can be made to the present application without departing from the principles of the present application, and such improvements and modifications fall within the scope of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (7)

1. An operational audit method, comprising:
acquiring an expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, and the standard element comprises a subject, an object, time and an operation type; the custom element includes an amount; in each expansion log, the format of each element stored is the same;
Determining an audit object according to the extension information, and determining a target extension log corresponding to the audit object; the auditing object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold value, the sensitive object is an object with a sensitivity higher than a second threshold value, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold value;
listing detailed lists for each target expansion log through inquiry and aggregation sentences, or generating a display list corresponding to the target expansion log in a target time period to obtain an audit result;
when the audit object includes a host-guest association, the determining a target extension log corresponding to the audit object includes:
determining an expansion log with the main client association degree lower than a fourth threshold value as the target expansion log;
when the audit object includes operation frequency, determining a target extension log corresponding to the audit object includes:
determining the operation frequency corresponding to each expansion log; the operation frequency is the frequency of executing target operation in a target time period, wherein the target operation is the operation with the same type as the subject, the object and the operation of the expansion log;
Determining the target expansion log according to the operation frequency and the frequency range of the preset operation; the preset operation comprises an operation performed by a preset host and/or an operation performed on a preset object and/or an operation of a preset operation type, wherein the preset host comprises the risk host, the preset object comprises the sensitive object, and the preset operation type comprises the sensitive operation type.
2. The operation auditing method according to claim 1, further comprising:
calculating a risk level of each expansion log so as to perform an operation audit on all expansion logs; the risk level is positively correlated with the risk degree of the subject, positively correlated with the sensitivity of the object, positively correlated with the sensitivity of the operation type, negatively correlated with the subject-object association degree, and positively correlated with the operation frequency.
3. The operation auditing method according to claim 2, wherein calculating the risk level of each expansion log includes:
assigning a weight coefficient to each audit related item; wherein the audit related item comprises the risk degree of the subject and/or the sensitivity of the object and/or the sensitivity of the operation type and/or the subject-object association degree and/or the operation frequency;
calculating a weighted value of each expansion log according to the score and the weight coefficient of each audit related item in that expansion log;
and determining the risk level of each expansion log according to the weighted value.
4. The operation auditing method according to claim 2, further comprising:
when a first preset condition or a second preset condition is met, sending alarm information to a management terminal; the first preset condition is that a risk expansion log is generated, the risk expansion log being a log whose risk level reaches a preset level or a log whose object is the sensitive object, and the second preset condition is that the operation frequency of the preset operation exceeds the frequency range.
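The selection, scoring and alarm logic of claims 1 to 4, as an added Python illustration that is not the patent's own code. It assumes that each expansion log already carries its expansion information (subject risk degree, object sensitivity, operation-type sensitivity and subject-object association degree, all scaled to 0..1) from the respective management systems; the four thresholds, the weight coefficients, the frequency range, the mapping of weighted value to risk level and the sample logs are constructed values, not figures from the patent.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds named as in the claims (first..fourth threshold); the values are assumed.
FIRST_THRESHOLD = 0.7    # subject risk degree above this -> risk subject
SECOND_THRESHOLD = 0.7   # object sensitivity above this -> sensitive object
THIRD_THRESHOLD = 0.7    # operation-type sensitivity above this -> sensitive operation type
FOURTH_THRESHOLD = 0.3   # subject-object association degree below this -> target log
FREQ_RANGE = (0, 2)      # allowed count of a preset operation per time period (assumed)
ALERT_LEVEL = "high"     # preset risk level that triggers an alarm (assumed)
WINDOW = timedelta(minutes=10)
# Weight coefficients of the audit related items (claim 3); values are assumed.
WEIGHTS = {"subject_risk": 0.25, "object_sensitivity": 0.25, "op_sensitivity": 0.20,
           "association": 0.15, "frequency": 0.15}


@dataclass(frozen=True)
class ExpansionLog:
    """Original log plus expansion fields, every element stored in one fixed format."""
    original: str              # the raw log line as received
    subject: str               # standard elements: subject, object, time, operation type
    obj: str
    time: datetime
    op_type: str
    amount: float              # custom element
    subject_risk: float        # expansion information, assumed to come from the
    object_sensitivity: float  # management system of each element
    op_sensitivity: float
    association: float         # subject-object association degree, 0..1


def audit_objects(log):
    """Audit objects (claim 1) that this log matches."""
    tags = set()
    if log.subject_risk > FIRST_THRESHOLD:
        tags.add("risk_subject")
    if log.object_sensitivity > SECOND_THRESHOLD:
        tags.add("sensitive_object")
    if log.op_sensitivity > THIRD_THRESHOLD:
        tags.add("sensitive_operation_type")
    return tags


def in_period(logs, period_end, window=WINDOW):
    return [l for l in logs if period_end - window <= l.time <= period_end]


def operation_frequency(logs):
    """Count of each (subject, object, operation type) triple within the period."""
    return Counter((l.subject, l.obj, l.op_type) for l in logs)


def weighted_value(log, frequency):
    # Association is negatively correlated, so it enters as 1 - degree; the frequency
    # score is the count scaled against the upper bound of the allowed range (assumed).
    scores = {"subject_risk": log.subject_risk, "object_sensitivity": log.object_sensitivity,
              "op_sensitivity": log.op_sensitivity, "association": 1.0 - log.association,
              "frequency": min(frequency / max(FREQ_RANGE[1], 1), 1.0)}
    return sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)


def risk_level(value):
    return "high" if value >= 0.7 else "medium" if value >= 0.4 else "low"  # assumed mapping


def audit(logs, period_end):
    """Return (target logs with reasons, per-log risk rows, aggregated display list, alarms)."""
    period_logs = in_period(logs, period_end)
    freq = operation_frequency(period_logs)
    targets, rows, display, alarms = [], [], {}, []
    for log in period_logs:
        key = (log.subject, log.obj, log.op_type)
        f = freq[key]
        reasons = audit_objects(log)
        preset = bool(reasons)  # by a risk subject, on a sensitive object, or of a sensitive type
        if log.association < FOURTH_THRESHOLD:
            reasons.add("low_association")
        if preset and not FREQ_RANGE[0] <= f <= FREQ_RANGE[1]:
            reasons.add("frequency_out_of_range")
        if reasons:
            targets.append((log, sorted(reasons)))
        value = weighted_value(log, f)
        level = risk_level(value)
        rows.append({"subject": log.subject, "object": log.obj, "op_type": log.op_type,
                     "frequency": f, "weighted": round(value, 3), "level": level})
        agg = display.setdefault(key, {"count": 0, "total_amount": 0.0})  # aggregated per triple
        agg["count"] += 1
        agg["total_amount"] += log.amount
        if level == ALERT_LEVEL or log.object_sensitivity > SECOND_THRESHOLD:
            alarms.append(("risk_expansion_log",) + key)   # first preset condition
        if preset and f > FREQ_RANGE[1]:
            alarms.append(("frequency_exceeded",) + key)   # second preset condition
    return targets, rows, display, list(dict.fromkeys(alarms))


# Constructed sample expansion logs (not real data); the last one lies outside the period.
T = datetime(2019, 8, 8, 10, 0)
PERIOD_END = T + timedelta(minutes=10)
def _log(line, subj, obj, minute, op, amount, sr, os_, ops, assoc):
    return ExpansionLog(line, subj, obj, T + timedelta(minutes=minute), op, amount, sr, os_, ops, assoc)

SAMPLE_LOGS = [
    _log("alice read public_doc", "alice", "public_doc", 1, "read", 0, 0.2, 0.1, 0.1, 0.9),
    _log("bob export customer_table", "bob", "customer_table", 2, "export", 50000, 0.8, 0.9, 0.8, 0.2),
    _log("bob export customer_table", "bob", "customer_table", 4, "export", 50000, 0.8, 0.9, 0.8, 0.2),
    _log("bob export customer_table", "bob", "customer_table", 6, "export", 50000, 0.8, 0.9, 0.8, 0.2),
    _log("carol update payroll", "carol", "payroll", 8, "update", 1200, 0.3, 0.8, 0.5, 0.95),
    _log("bob export customer_table", "bob", "customer_table", -30, "export", 50000, 0.8, 0.9, 0.8, 0.2),
]

if __name__ == "__main__":
    targets, rows, display, alarms = audit(SAMPLE_LOGS, PERIOD_END)
    for log, reasons in targets:
        print("target:", log.original, reasons)
    for row in rows:
        print(row)
    print("display list:", display)
    print("alarms:", alarms)
```

Running the block shows the three exports by `bob` selected on every audit object at once (risk subject, sensitive object, sensitive operation type, low association and a frequency of 3 against an allowed maximum of 2), `carol`'s single payroll update selected only because its object is sensitive, and `alice`'s read not selected at all; the alarm list is deduplicated so the repeated export raises one risk-log alarm and one frequency alarm.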
5. An operation auditing device, comprising:
an acquisition module, used for acquiring an expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, the standard element comprises a subject, an object, a time and an operation type, and the custom element comprises an amount; each element is stored in the same format in every expansion log;
a determining module, used for determining an audit object according to the expansion information and determining a target expansion log corresponding to the audit object; the audit object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold, the sensitive object is an object with a sensitivity higher than a second threshold, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold;
an auditing module, used for listing a detailed list for each target expansion log through query and aggregation statements, or generating a display list corresponding to the target expansion logs in a target time period, to obtain an audit result;
when the audit object includes a subject-object association degree, the determining module is specifically configured to:
determine an expansion log with a subject-object association degree lower than a fourth threshold as the target expansion log;
when the audit object includes an operation frequency, the determining module is specifically configured to:
determine the operation frequency corresponding to each expansion log; the operation frequency is the frequency with which a target operation is executed in a target time period, wherein the target operation is an operation whose subject, object and operation type are the same as those of the expansion log;
determine the target expansion log according to the operation frequency and a frequency range of a preset operation; the preset operation comprises an operation performed by a preset subject and/or an operation performed on a preset object and/or an operation of a preset operation type, wherein the preset subject comprises the risk subject, the preset object comprises the sensitive object, and the preset operation type comprises the sensitive operation type.
6. A server, comprising:
a processor and a memory;
wherein the processor is configured to execute a program stored in the memory;
and the memory is used for storing a program, the program being used for at least:
acquiring an expansion log; the expansion log comprises an original log and expansion fields, the expansion fields are determined based on a standard report format according to each element in the original log and expansion information corresponding to each element, the expansion information is extracted based on a management system corresponding to the element, the element comprises a standard element and a custom element, the standard element comprises a subject, an object, a time and an operation type, and the custom element comprises an amount; each element is stored in the same format in every expansion log;
determining an audit object according to the expansion information, and determining a target expansion log corresponding to the audit object; the audit object comprises any one or a combination of any two of a risk subject, a sensitive object and a sensitive operation type, wherein the risk subject is a subject with a risk degree higher than a first threshold, the sensitive object is an object with a sensitivity higher than a second threshold, and the sensitive operation type is an operation type with a sensitivity higher than a third threshold;
listing a detailed list for each target expansion log through query and aggregation statements, or generating a display list corresponding to the target expansion logs in a target time period, to obtain an audit result;
when the audit object includes a subject-object association degree, determining a target expansion log corresponding to the audit object includes:
determining an expansion log with a subject-object association degree lower than a fourth threshold as the target expansion log;
when the audit object includes operation frequency, determining a target expansion log corresponding to the audit object includes:
determining the operation frequency corresponding to each expansion log; the operation frequency is the frequency with which a target operation is executed in a target time period, wherein the target operation is an operation whose subject, object and operation type are the same as those of the expansion log;
determining the target expansion log according to the operation frequency and a frequency range of a preset operation; the preset operation comprises an operation performed by a preset subject and/or an operation performed on a preset object and/or an operation of a preset operation type, wherein the preset subject comprises the risk subject, the preset object comprises the sensitive object, and the preset operation type comprises the sensitive operation type.
7. A computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the operation auditing method according to any one of claims 1 to 4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910731265.1A CN112346938B (en) 2019-08-08 2019-08-08 Operation auditing method and device, server and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN112346938A CN112346938A (en) 2021-02-09
CN112346938B true CN112346938B (en) 2023-05-26

Family

ID=74366882

Country Status (1)

Country Link
CN (1) CN112346938B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115545872B (en) * 2022-11-28 2023-04-07 杭州工猫科技有限公司 Risk early warning method in application of RPA financial robot based on AI

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007059057A3 (en) * 2005-11-12 2009-04-30 Logrhythm Inc Log collection, structuring and processing
JP2009110220A (en) * 2007-10-30 2009-05-21 Hitachi Ltd Audit log collection/evaluation system, audit log collection/evaluation method, and collection/evaluation computer
CN104376023A (en) * 2013-08-16 2015-02-25 北京神州泰岳软件股份有限公司 Auditing method and system based on logs

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004295303A (en) * 2003-03-26 2004-10-21 Nri & Ncc Co Ltd Log collection management system, log collection management method and computer program
JP5063258B2 (en) * 2007-08-23 2012-10-31 インターナショナル・ビジネス・マシーンズ・コーポレーション System, method and computer program for recording operation log
CN101483553B (en) * 2009-02-24 2011-09-21 中兴通讯股份有限公司 Audit apparatus and method for customer network behavior
US10347286B2 (en) * 2013-07-25 2019-07-09 Ssh Communications Security Oyj Displaying session audit logs
JP2018088039A (en) * 2016-11-28 2018-06-07 エヌ・ティ・ティ・コムウェア株式会社 Audit support apparatus, audit support system, audit support method, and program
CA2960654C (en) * 2017-03-09 2018-11-06 Ernest Jugovic Intermediated access to entity information profiles
CN107818150B (en) * 2017-10-23 2021-11-26 ***通信集团广东有限公司 Log auditing method and device
CN109471846A (en) * 2018-11-02 2019-03-15 中国电子科技网络信息安全有限公司 User behavior auditing system and method on a kind of cloud based on cloud log analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant