CN112491593B - Network element alarm processing method and device - Google Patents


Publication number
CN112491593B
Authority
CN
China
Legal status
Active
Application number
CN202011259804.5A
Other languages
Chinese (zh)
Other versions
CN112491593A (en)
Inventor
班瑞
马季春
邹雨佳
陈泉霖
郝宇飞
王鹏
张振超
王迪
王佳
Current Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Application filed by China United Network Communications Group Co Ltd and China Information Technology Designing and Consulting Institute Co Ltd
Priority to CN202011259804.5A
Publication of CN112491593A
Application granted
Publication of CN112491593B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06: Management of faults, events, alarms or notifications
    • H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02: Standardisation; Integration
    • H04L41/0213: Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06: Management of faults, events, alarms or notifications
    • H04L41/0604: Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention provides a network element alarm processing method and device, relating to the field of communications, which can support alarm processing for large-scale networks and improve alarm processing efficiency. The method comprises: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node, where the data acquisition node comprises a Docker image, the Docker image contains a data acquisition program, and the data acquisition program is used to acquire SNMP trap messages; each SNMP trap message carries original alarm information, which includes the Internet Protocol (IP) address of the original alarm device and the original alarm Object Identifier (OID); determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information, where the target alarm information includes a target alarm OID and target parameter information, and the target parameter information indicates the alarm part corresponding to the target alarm information; and determining an alarm node according to the target parameter information. The invention is used for processing network element alarms.

Description

Network element alarm processing method and device
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for processing a network element alarm.
Background
An alarm is a notification of a particular event, typically caused by a difference between the actual state and the expected value of a managed resource, or by the termination of service of a managed resource with a particular function. Alarm processing involves clearly defining and classifying alarms and applying different processing schemes to different categories of alarms. It comprises alarm acquisition, alarm analysis and alarm storage. Alarm acquisition is implemented through the Simple Network Management Protocol (SNMP), and alarm information can be carried in SNMP trap packets; alarm analysis includes identifying, merging and filtering alarms. At present, although SNMP trap-based alarm acquisition can meet the alarm analysis needs of an enterprise network or a metropolitan area network, it cannot support big-data acquisition for a large-scale network. With this acquisition mode, the corresponding alarm analysis is generally performed after the fact, so its timeliness is poor and it is difficult to meet daily network maintenance requirements.
Disclosure of Invention
Embodiments of the present invention provide a network element alarm processing method and apparatus, which can support alarm processing of a large-scale network and improve alarm processing efficiency.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, a method for processing a network element alarm is provided, including: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node, where the data acquisition node comprises a Docker image, the Docker image contains a data acquisition program, and the data acquisition program is used to acquire SNMP trap messages; each SNMP trap message carries original alarm information, which includes the Internet Protocol (IP) address of the original alarm device and the original alarm Object Identifier (OID); determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information, where the target alarm information includes a target alarm OID and target parameter information, and the target parameter information indicates the alarm part corresponding to the target alarm information; and determining the alarm node according to the target parameter information.
In a second aspect, an apparatus for processing a network element alarm is provided, including: an acquisition module, used to acquire a plurality of Simple Network Management Protocol (SNMP) trap messages received by the data acquisition node, where the data acquisition node comprises a Docker image, the Docker image contains a data acquisition program, and the data acquisition program is used to acquire SNMP trap messages; each SNMP trap message carries original alarm information, which includes the Internet Protocol (IP) address of the original alarm device and the original alarm Object Identifier (OID); a processing module, used to determine at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information acquired by the acquisition module, where the target alarm information includes a target alarm OID and target parameter information, and the target parameter information indicates the alarm part corresponding to the target alarm information; and a determining module, used to determine the alarm node according to the target parameter information determined by the processing module.
In a third aspect, an apparatus for processing a network element alarm is provided, including: a memory, a processor, a bus, and a communication interface; the memory is used for storing computer execution instructions, and the processor is connected with the memory through a bus; when the network element alarm processing apparatus is in operation, the processor executes computer-executable instructions stored in the memory, so as to cause the network element alarm processing apparatus to execute the network element alarm processing method according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, which includes computer-executable instructions, which, when executed on a computer, cause the computer to perform the network element alarm processing method as provided in the first aspect.
The network element alarm processing method provided by the embodiment of the invention comprises: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node, where the data acquisition node comprises a Docker image, the Docker image contains a data acquisition program, and the data acquisition program is used to acquire SNMP trap messages; each SNMP trap message carries original alarm information, which includes the Internet Protocol (IP) address of the original alarm device and the original alarm Object Identifier (OID); determining at least one piece of target alarm information according to a first rule, based on the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information, where the target alarm information includes a target alarm OID and target parameter information, and the target parameter information indicates the alarm part corresponding to the target alarm information; and determining an alarm node according to the target parameter information. In the embodiment of the invention, alarm information is obtained by the data acquisition program. Because the program is deployed through its Docker image, it can be conveniently deployed on a plurality of acquisition nodes, forming a data acquisition cluster and enabling big-data acquisition. After a large amount of alarm information has been acquired, the embodiment of the invention can aggregate and filter it according to the preset rule, reducing redundant alarm information and improving alarm processing efficiency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic structural diagram of a network element alarm processing system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a data acquisition architecture according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an architecture for data forwarding according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a network element alarm processing method according to an embodiment of the present invention;
Fig. 5 is a second schematic flowchart of a method for processing an alarm of a network element according to an embodiment of the present invention;
Fig. 6 is a third schematic flowchart of a method for processing an alarm of a network element according to an embodiment of the present invention;
Fig. 7 is a fourth schematic flowchart of a network element alarm processing method according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a network element alarm processing apparatus according to an embodiment of the present invention;
Fig. 9 is a second schematic structural diagram of a network element alarm processing apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another network element alarm processing apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present relevant concepts in a concrete fashion.
For the convenience of clearly describing the technical solutions of the embodiments of the present invention, in the embodiments of the present invention, the words "first", "second", and the like are used for distinguishing the same items or similar items with basically the same functions and actions, and those skilled in the art can understand that the words "first", "second", and the like are not limited in number or execution order.
Regarding classification, alarms can be divided by scope of impact, according to the characteristics of the communication network, into attention-free alarms, flash oscillation alarms and associated alarms. An attention-free alarm does not affect terminal services, is not perceived by the terminal, has a low maintenance priority and has a relaxed recovery-time requirement. A flash oscillation alarm is an alarm with time correlation: a flash alarm is short-lived, flashes continuously and appears repeatedly, and an oscillation alarm has, in addition to the characteristics of a flash alarm, the characteristic of breaking out in large numbers within a certain time (the oscillation period). An associated alarm is an alarm with spatial correlation, that is, alarms generated on different network elements by the same fault, and it is closely related to the network topology. Regarding definition, different network element device manufacturers may define alarms differently, for example in the alarm level, the alarm description and the Object Identifier (OID).
At present, network element alarm processing covers three aspects: first, on the network element device side, an alarm triggering mechanism and an alarm reporting mechanism are set; second, on the manufacturer's network management side, an alarm correlation mechanism among different network element devices is designed; third, on the integrated network management side (such as a network management system provided by a mobile operator), multi-source heterogeneous alarms are standardized, and cross-specialty, cross-manufacturer alarm optimization is performed. The current method of processing network element alarms is to receive the alarms sent by network elements as SNMP trap messages and analyze them. Specifically: SNMP trap messages are monitored on a specified port (port 162 by default); after an SNMP trap message is received, the alarm information is obtained by parsing it, and the data acquisition program stores the alarm information in a database; alarm analysis then identifies the alarm information by performing operations such as aggregation and filtering on the alarm information in the database. However, in current alarm processing the alarm data acquisition program and the alarm analysis program are generally single programs, which can only support alarm processing in scenarios with a small number of network elements, such as an enterprise network or a metropolitan area network, and cannot support alarm processing for a large-scale network. Because the analysis program generally works after the fact, the timeliness of alarm analysis is poor; and because the analysis result is stored directly in the database once analysis is complete, a third party cannot obtain the related alarm data, so the openness of the alarm data is poor.
An embodiment of the present invention provides a network element alarm processing system, which is shown in fig. 1 and includes a data acquisition layer, a data forwarding layer, a data analysis layer, and a data storage layer.
The data acquisition layer containerizes the data acquisition program using Docker, so that the data acquisition program is deployed on each network element by using the Docker image of the data acquisition program to realize data acquisition. The data collected by the data acquisition layer may be SNMP messages, xFlow logs, Domain Name System (DNS) logs, Authentication, Authorization and Accounting (AAA) logs, and the like, and the data acquisition layer can support data collection for networks such as a metropolitan area network, a backbone network and a bearer network. Based on the Docker image of the data acquisition program, the program can be deployed on a plurality of servers as a cluster to realize clustered data acquisition.
The data forwarding layer is used for forwarding the data acquired by the data acquisition layer, in the embodiment of the invention, the data forwarding layer can be deployed with a distributed message middleware, and the distributed message middleware can be realized by KAFKA; in order to support data forwarding of a large-scale network, the distributed message middleware KAFKA herein may be deployed in a cluster, which may include one or more servers, and data collected by the data collection layer may be stored in a distributed manner to any server in the cluster.
It should be noted that, for the data acquisition layer, because the message middleware KAFKA is deployed in a distributed manner, it can collect data from the data acquisition cluster. By increasing the number of servers in the acquisition cluster and in the KAFKA cluster, the number of network elements supported by the network element alarm processing system can be greatly increased, and the clustered deployment makes it easy to scale the data acquisition layer and the data forwarding layer horizontally.
For the data analysis layer, the data forwarding layer is deployed to realize the decoupling of the data acquisition layer and the data analysis layer, and the data analysis layer is not connected with the data acquisition layer any more, but acquires data from the data forwarding layer in a uniform mode; and the third party can obtain data from the data forwarding layer only by supporting the message middleware KAFKA without adapting to a specific communication protocol, so that the data forwarding layer provides better open service for the network element alarm processing system. The distributed message middleware KAFKA of the data forwarding layer can avoid the problem that the network element alarm processing system is unavailable due to single-point faults, and the availability of the system is improved.
The data analysis layer is used to analyze and process the data collected by the data acquisition layer, and may include a data analysis module and a data storage module. The data analysis module comprises a data preprocessing submodule, a SPARK real-time computing submodule and a streaming computing submodule. The data preprocessing submodule converts data in text format into entity class objects that the program can recognize, according to the data analysis requirements; it also aggregates and filters the data collected by the data acquisition layer to reduce the volume of data to be analyzed. The SPARK real-time computing submodule processes the preprocessed data in batches; its processing period can be several seconds or minutes, so that real-time data analysis with second-level delay is achieved. This processing includes counting the number of occurrences of data, the data generation time and the like, and the submodule can be used to analyze network element alarm information. The streaming computing submodule processes the preprocessed data and stores the processing result in a database; this processing includes counting the number of occurrences of data and the like, and the submodule can be used to monitor network element performance in real time.
The data storage module comprises an in-memory database, an online analytical processing (OLAP) database and a relational database. The in-memory database stores structured or unstructured data; its storage capacity is limited by system memory, and it can support the query service of the SPARK real-time computing submodule and the streaming computing submodule. The OLAP database stores structured data in a distributed manner; its storage capacity can grow as cluster resources in the network element alarm system grow, and it supports creating, deleting, modifying and querying the stored data. The relational database stores structured data, supports Structured Query Language (SQL) queries on the data, and stores the result data after aggregation statistics. It should be noted that the OLAP database may be an HBase database, and the relational database may be a MySQL database.
The data storage layer includes an online transaction processing (OLTP) database, which is used for distributed storage of structured data, such as data that has been parsed and processed.
It should be noted that the data collected and analyzed by the network element alarm processing system may be network element alarm information, traffic analysis data, and the like, and therefore, the network element alarm processing system may also be applied to other data processing scenarios. The streaming computation submodule can process the alarm information in time when the network element alarm processing system generates an alarm storm, and the alarm processing efficiency is improved. The alarm storm means that when a network element is abnormal, a large number of alarms are generated and reported in a short time, so that an alarm server of a network management system is blocked, and normal reporting of the alarms of other network elements is influenced.
Based on the network element alarm processing system shown in Fig. 1, an embodiment of the present invention provides a data acquisition architecture, shown in Fig. 2, which includes: a network element alarm processing system, data acquisition node 1, data acquisition node 2, …, and data acquisition node n.
The network element alarm processing system is used to analyze the data acquired by the data acquisition nodes and determine the data association relationships; data acquisition node 1, data acquisition node 2, …, and data acquisition node n are used to acquire network element data. A data acquisition node may be deployed on a server, and the server may collect, through the data acquisition program of the data acquisition node, alarm information, log information and the like from the network elements connected to the server.
It should be noted that the underlying layer of the data acquisition node is based on an OpenStack architecture, and the Docker image that packages the data acquisition program is managed and deployed using Kubernetes; the data acquisition node may be a server on which the data acquisition program is deployed.
Corresponding to the data acquisition architecture, an embodiment of the present invention may further provide a data forwarding architecture, shown in Fig. 3, which includes: a network element alarm processing system, data acquisition node 1, data acquisition node 2, …, data acquisition node n, data forwarding node 1, data forwarding node 2, …, and data forwarding node m.
The network element alarm processing system and data acquisition nodes 1, 2, …, n are the same as the network element alarm processing system and data acquisition nodes 1, 2, …, n in Fig. 1. Data forwarding nodes 1, 2, …, m are used to store, in a distributed manner, the data acquired by the data acquisition nodes so that it can be analyzed and processed by the network element alarm processing system; data forwarding nodes 1, 2, …, m are also used to provide an open data service to third parties.
It should be noted that, the data forwarding node here may be a server deployed with KAFKA-based message middleware, and may store the data collected by the data collection node in a distributed manner. The data forwarding architecture shown in fig. 3 is only an example, the data forwarding node may also receive data collected by multiple data collection nodes, and correspondingly, the data collected by the data collection nodes may also be stored in multiple data forwarding nodes.
Based on the above network element alarm processing system, the embodiment of the invention provides a network element alarm processing method, which can be applied to alarm processing of large-scale networks, improve alarm processing efficiency, and facilitate expansion of data acquisition range. As shown in fig. 4, the method includes:
S101, acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by the data acquisition node.
The data acquisition node comprises a Docker image, the Docker image contains a data acquisition program, and the data acquisition program is used to acquire SNMP trap messages; each SNMP trap message carries original alarm information, which includes the Internet Protocol (IP) address of the original alarm device and the original alarm OID.
Specifically, the network elements in the communication network may actively report an alarm in the form of an SNMP trap message, where the data collection node is configured to receive the SNMP trap message reported by the network elements. Because the number of the data acquisition nodes can be set according to the number of the network elements in the communication network, when the number of the network elements is large, the number of the data acquisition nodes can be correspondingly increased to meet the data acquisition requirements of the network elements.
Because different network element manufacturers may have different definitions of alarms, such as alarm levels, alarm interpretations and the like, the data acquisition node can determine the original alarm information of the network elements corresponding to the SNMP trap messages by analyzing the SNMP trap messages according to the alarm definitions prestored in the database, so that the original alarm information is converted into the format of standard alarm information.
Further, the original alarm information of the network element corresponding to an SNMP trap message may be determined from the first-level OID and the second-level OID carried in the SNMP trap message, where the first-level OID and the second-level OID may be defined through negotiation by the international organization for standardization and are used to indicate different network element objects. For example, the first-level OID "1.3.6.1.2.1.1" indicates system parameters, and its corresponding second-level OID "1.3.6.1.2.1.1.1.0" indicates acquiring basic system information; the first-level OID "1.3.6.1.2.1.2" indicates the network interface, and its corresponding second-level OID "1.3.6.1.2.1.2.1.0" indicates the number of network interfaces.
In a possible implementation manner, the OID carried by the SNMP trap message may also be defined by each network element manufacturer, but it should be noted that the definition of the OID by the network element manufacturer also needs to comply with the specification negotiated by the international standardization organization, for example, the network element manufacturer defines a first-level OID corresponding to a system parameter, and since the first-level OID is already negotiated and defined by the international standardization organization, the network element manufacturer may directly use the OID; when the object defined by the network element manufacturer is not defined by negotiation of the international standardization organization, the network element manufacturer can define the corresponding OID by itself.
After the first-level OID and the second-level OID are determined, the data acquisition node can query the alarm definition stored in the database according to the first-level OID and the second-level OID, and convert the original alarm information carried by the SNMP trap message into a text format of standard alarm information. When the data acquisition node queries the alarm definition in the database, because the second-level OID is usually a specific object under the first-level OID, the data acquisition node may query the corresponding alarm definition in the database only through the second-level OID, and the second-level OID may be the original alarm OID included in the original alarm information.
The conversion of the original alarm information into the standard alarm information can be performed according to alarm parameters, which may include the name of the alarm device, the type of the device, the model of the device, location information, an alarm header, alarm time, alarm recovery time, the type of the alarm, the original alarm level, a unified alarm level, possible reasons for the alarm, and the like, where the location information is used to indicate the location information (such as interface information and board information) of the alarm, the alarm header is used to indicate brief information of the alarm, the alarm time is used to indicate the time when the alarm information is generated, the alarm recovery time is used to indicate the time when the alarm information is generated, the alarm type is used to indicate that attention is not needed to be paid to the alarm, flash oscillation type alarm and associated alarm (or other alarm types set by technicians in the field), the original alarm level is used to indicate that the alarm information corresponds to the alarm level established by each network element manufacturer, the unified alarm level is used to indicate that the alarm information corresponds to the alarm level defined by the international organization, and possible reasons for the alarm are used to indicate possible reasons for generating the alarm information.
The original alarm information carried by each SNMP trap message may include one or more of the alarm parameters, and the data acquisition node may combine one or more of the alarm parameters to form a unified format of standard alarm information. As shown in table 1 below, the standard alarm information may include a device type, an alarm name, an alarm level, an alarm device IP address, an alarm description, and the like.
TABLE 1
[Table 1 is an image in the original publication and is not reproduced here.]
It should be noted that the alarm information collection and the alarm information standardization of this step can be implemented by the data collection layer shown in fig. 1. The function of the data acquisition node in the embodiment of the invention is actually realized by a data acquisition program. The data acquisition program is deployed at the data acquisition node through a Docker image in which the data acquisition program is packaged; deploying a program through a Docker image is a conventional technical means in the field and is not described herein again. It should be noted that, in the embodiment of the present invention, a database needs to be configured for the data acquisition program to store each network element manufacturer's alarm definitions for its network elements. When alarm definitions are added, deleted, modified or queried, the operation can be performed through the configured database, and the data acquisition program itself no longer needs to be touched. Because the data acquisition program is configured with the database, when the data acquisition program is containerized with Docker, the configured database also needs to be containerized, and separate Docker images are generated for the data acquisition program and for the database.
The data acquisition program is also configured with a configuration file for initializing the data acquisition program. The data acquisition program can receive the SNMP trap message by listening on port 162; the port 162 can be mapped to a physical server port, and the configuration file of the data acquisition program can be mapped to a file on the physical server. The mapping of the port and the configuration file can be set by a person skilled in the art when the container is generated. When the data acquisition program is upgraded, only the image file of the data acquisition program needs to be replaced, and the port mapping and the configuration file mapping can be kept unchanged. Similarly, images can also be generated for the database configured for the data acquisition program and for the initialization file configured for the database, and these can be mapped to files on the server so as to provide service for the data acquisition program; the database can also be upgraded by replacing the corresponding image file. Because the data acquisition program container and the database container are generated separately and can use different ports and file mappings, a plurality of acquisition instances can be deployed on the same physical server without affecting each other, making full use of the performance of the physical server; of course, the acquisition instances may also be deployed on different physical servers.
S102, determining at least one piece of target alarm information according to the original alarm OID and the original alarm device IP address corresponding to the plurality of pieces of original alarm information and the first rule.
The target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating the alarm part corresponding to the target alarm information.
Specifically, the analysis processing on the original alarm information may be implemented by a SPARK framework, and this step may be implemented by a data analysis module of the data analysis layer shown in fig. 1. After the data acquisition node converts the alarm information into standard alarm information, the standard alarm information may include parameters shown in table 1, and may also include other parameters, such as an alarm OID. For example, the standard alarm information may further include parameters as shown in table 2 below:
TABLE 2
[Table 2 is an image in the original publication and is not reproduced here.]
After the data analysis module obtains the standard alarm information converted by the data acquisition layer, because the standard alarm information is in a text format, the standard alarm information in the text format can be subjected to format conversion by the data preprocessing submodule in the data analysis module, so that an entity object can be identified by a data analysis program of the data analysis layer. For example, when the standard alarm information is shown in table 2 above, the entity object converted by the data preprocessing sub-module may be as follows:
[Entity object listing: image in the original publication, not reproduced here.]
The data preprocessing submodule converts the standard alarm information in the text format into the entity fields through a map function of SPARK. After the format conversion of the standard alarm information is completed, all the original alarm information can be processed, so that the data volume during the subsequent data analysis is reduced and the data processing efficiency is improved.
It should be noted that the original alarm device IP address and the original alarm OID in the original alarm information in step S101 are the alarm device IP address and the alarm OID in table 2. In the following, the present embodiment still refers to the converted standard alarm information as the original alarm information.
Optionally, the first rule includes a first aggregation sub-rule and a first filtering sub-rule. As shown in fig. 5, step S102 includes:
S1021, determining at least one piece of first alarm information according to the original alarm OID and the original alarm device IP address corresponding to the plurality of pieces of original alarm information and the first aggregation sub-rule.
Wherein the first alarm information comprises a first alarm level.
Specifically, the data collection node can collect a large amount of original alarm information, and after standardizing the original alarm information and converting the original alarm information into an entity object identified by a data analysis program, the original alarm information can be reduced according to various rules, so that the alarm processing efficiency is improved. The reduction of the original alarm information may be performed by operations such as aggregation and filtering according to corresponding rules, for example, the first rule may include a first aggregation sub-rule, and the first aggregation sub-rule is used to aggregate the same original alarm information generated by the same network element into one piece of first alarm information. Further, the first aggregation sub-rule may aggregate the same original alarm information generated by the same network element into one piece of first alarm information according to the parameters, such as the original alarm device IP address, the original alarm OID, and the original alarm header, carried by the original alarm information.
Illustratively, suppose the entity object of the first piece of original alarm information is as follows:
[Entity object listing: image in the original publication, not reproduced here.]
The entity object of the second piece of original alarm information is as follows:
[Entity object listing: image in the original publication, not reproduced here.]
The entity object of the third piece of original alarm information is as follows:
[Entity object listing: image in the original publication, not reproduced here.]
The above shows part of the entity objects of the first, second and third pieces of original alarm information. According to the first aggregation sub-rule, a person skilled in the art can recognize that the first and second pieces of original alarm information are the same original alarm information generated by the same network element, so the data preprocessing submodule can aggregate the first and second pieces of original alarm information into one piece of first alarm information. Although part of the alarm parameters of the third piece of original alarm information are the same as those of the first piece, the IP addresses of the alarm devices show that the two pieces were generated by different network elements, so the two pieces cannot be aggregated.
Similarly, the data preprocessing submodule may implement aggregation of the original alarm information by traversing all the original alarm information, thereby determining at least one piece of first alarm information.
It should be noted that the above-mentioned first aggregation sub-rule is only exemplary, and those skilled in the art may set it as needed, so as to aggregate the original alarm information into different first alarm information. The data preprocessing submodule can realize the aggregation of the original alarm information through a reduce function of SPARK.
S1022, determining at least one piece of target alarm information according to the first alarm level corresponding to at least one piece of first alarm information and the first filtering sub-rule.
Specifically, the alarm levels of the alarm information may include an alarm, a secondary alarm and a major alarm. Because alarm information of different alarm levels has different influences on the network element and the communication network, some alarm information that does not affect the network element and the communication network may be filtered out according to its alarm level. Of course, the alarm level of the alarm information may also be represented by a first-level alarm, a second-level alarm, a third-level alarm, and the like, where the alarm information corresponding to the first-level alarm has the smallest influence on the network element and the communication network, and the higher the alarm level is, the greater the influence of the corresponding alarm information on the network element and the communication network is.
The first filtering sub-rule may be that the first alarm information corresponding to the first-level alarm is filtered according to the alarm level corresponding to the first alarm information, the first alarm information corresponding to the alarm above the second-level alarm is retained, and the first alarm information filtered by the first filtering sub-rule may be determined as the target alarm information.
Illustratively, suppose the entity object of the first piece of first alarm information is as follows:
[Entity object listing: image in the original publication, not reproduced here.]
The entity object of the second piece of first alarm information is as follows:
[Entity object listing: image in the original publication, not reproduced here.]
According to the alarm levels of the first piece and the second piece of first alarm information, the data preprocessing submodule can filter out the first piece of first alarm information and retain the second piece of first alarm information; that is, the second piece of first alarm information is determined as target alarm information. Similarly, the data preprocessing submodule may filter the first alarm information by traversing all the first alarm information, so as to determine at least one piece of target alarm information.
It should be noted that, unlike the aggregation of the original alarm information, in this step the first filtering sub-rule for filtering the first alarm information may be obtained from the relational database by the data preprocessing submodule and sent to the corresponding worker nodes of SPARK as a broadcast variable, and SPARK filters the first alarm information through a filter function. The relational database here may be a relational database within a data storage module in the data analysis layer shown in fig. 1.
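Steps S1021 and S1022 can be traced in a few lines of plain Python. This is an added illustration, not code from the patent: it stands in for the SPARK reduce and filter calls, and the field names, the OIDs under the enterprise arc 99999, the sample alarms and the "retain level 2 and above" threshold are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from functools import reduce

LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"        # standard linkDown trap OID
FAN_NOTICE = "1.3.6.1.4.1.99999.2.1"     # constructed placeholder OID


@dataclass(frozen=True)
class Alarm:
    device_ip: str      # original alarm device IP address
    oid: str            # original alarm OID
    header: str         # original alarm header
    level: int          # 1 = least impact; larger = more impact
    first_seen: int     # earliest occurrence merged into this record (seconds)
    last_seen: int      # latest occurrence merged into this record (seconds)
    count: int = 1      # number of original alarms this record stands for


def aggregation_key(alarm):
    """First aggregation sub-rule: same network element, same alarm."""
    return (alarm.device_ip, alarm.oid, alarm.header)


def merge(a, b):
    """Combine two alarms that share a key.

    The result does not depend on argument order, which a distributed
    reduce needs because partitions are combined in no fixed order.
    """
    return replace(
        a,
        level=max(a.level, b.level),
        first_seen=min(a.first_seen, b.first_seen),
        last_seen=max(a.last_seen, b.last_seen),
        count=a.count + b.count,
    )


def aggregate(alarms):
    """S1021: collapse original alarms into first alarm information."""
    def step(acc, alarm):
        key = aggregation_key(alarm)
        acc[key] = merge(acc[key], alarm) if key in acc else alarm
        return acc
    return list(reduce(step, alarms, {}).values())


# First filtering sub-rule, loaded once and shared with every worker
# (the role the broadcast variable plays). The threshold is assumed.
FILTER_RULE = {"min_level": 2}


def apply_filter(first_alarms, rule):
    """S1022: drop first alarm information below the retained level."""
    return [a for a in first_alarms if a.level >= rule["min_level"]]


def determine_targets(alarms, rule=FILTER_RULE):
    return apply_filter(aggregate(alarms), rule)


# Constructed sample: two identical alarms from one element, the same alarm
# from a second element, and a repeated level-1 notice that gets filtered.
SAMPLE = [
    Alarm("10.0.0.1", LINK_DOWN, "Interface down", 3, 100, 100),
    Alarm("10.0.0.1", LINK_DOWN, "Interface down", 3, 101, 101),
    Alarm("10.0.0.2", LINK_DOWN, "Interface down", 3, 100, 100),
    Alarm("10.0.0.1", FAN_NOTICE, "Fan speed notice", 1, 102, 102),
    Alarm("10.0.0.1", FAN_NOTICE, "Fan speed notice", 1, 103, 103),
]

if __name__ == "__main__":
    for target in determine_targets(SAMPLE):
        print(target)
```

Keeping the occurrence count and the first and last timestamps on the merged record preserves how often and for how long the alarm repeated, which plain de-duplication would discard.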
S103, determining an alarm node according to the target parameter information.
Specifically, the target parameter information here is the same as the alarm parameters described above, and may include positioning information, an alarm header, an alarm time, an alarm recovery time, an alarm type, and the like. The alarming network element can be determined according to the IP address of the alarm device in the target parameter information, the specific alarm system, such as a network interface, a Central Processing Unit (CPU), a load, etc., can be determined according to the target alarm OID, and the specific alarm part can be determined according to the positioning information. The alarm node refers to a network element, an interface, a board card, or the like; determining the alarm node means determining whether the target alarm information is a network element alarm, an interface alarm, a board card alarm, or the like.
For example, suppose the entity object of the target parameter information is as follows:
[Entity object listing: image in the original publication, not reproduced here.]
According to the entity object of the target parameter information, the alarm node can be determined to be the 3055 port of the network element corresponding to the IP address 1.2.1.0.
This step can be implemented by the SPARK real-time computation submodule in fig. 1 through a map function. Similarly, by traversing all the target alarm information, the SPARK real-time calculation submodule can classify the target alarm information and determine the alarm node corresponding to each piece of target alarm information.
The alarm information of the embodiment of the invention can be acquired by the data acquisition program. Because the embodiment of the invention deploys the program through the Docker image of the data acquisition program, the data acquisition program can be conveniently deployed at a plurality of acquisition nodes, thereby forming a data acquisition cluster and realizing the acquisition of big data. After acquiring a large amount of alarm information, the embodiment of the invention can aggregate and filter the alarm information according to the preset rule, thereby reducing redundant alarm information and improving the processing efficiency of the alarm information.
Optionally, the first rule further includes an alarm pairing sub-rule, as shown in fig. 6, after step S1022, the method may further include:
S1023, determining target alarm information in the target time period.
Specifically, the original alarm information processed in steps S1021 to S1022 is the data obtained in one acquisition period; if the acquisition period is 2 s, the original alarm information is the original alarm information acquired by all data acquisition nodes within 2 s. When a person skilled in the art needs to analyze the original alarm information of the network element in the target time period, the streaming calculation submodule can acquire both the original alarm information processed by the data preprocessing submodule and the original alarm information acquired by the data acquisition node, and process this alarm information (the processed original alarm information and the original alarm information acquired by the data acquisition node) through the first aggregation sub-rule and the first filtering sub-rule, thereby completing the reduction of the alarm information and improving the efficiency of subsequent alarm information analysis.
It should be noted that the target time period may be set by a person skilled in the art; for example, the target time period may be 10 min. The processed original alarm information may be the original alarm information processed in step S1022, or may be the original alarm information acquired by the data acquisition node. By processing the alarm information in the target time period, the relationship between the alarms generated by the network element and time can be determined; if more alarm information is generated at a first time, the network element fault condition at that time can be analyzed with emphasis.
The streaming calculation submodule can acquire the alarm information of the target time period through a window function, and can aggregate the alarm information again through a reduce function when aggregating the processed original alarm information and the original alarm information acquired by the data acquisition node, so that the data volume of data analysis is reduced. The streaming calculation submodule here is the streaming calculation submodule shown in fig. 1.
S1024, determining at least one alarm event according to the corresponding relation between the at least one piece of first alarm information and the alarm pairing sub-rule.
The alarm event comprises target alarm information, or target alarm information and target alarm recovery information.
Specifically, the alarm event refers to a complete alarm process, including alarm information and the alarm recovery information corresponding to the alarm information; of course, the alarm event may include only alarm information when the alarm is not recovered. The alarm pairing sub-rule may include multiple types according to the type of the alarm, but between paired alarm information and alarm recovery information there is always a correspondence between alarm trigger and alarm recovery. For example, interface down pairs with interface up, CPU utilization exceeding the threshold pairs with CPU utilization falling to the threshold, and so on.
The alarm pairing sub-rule can be obtained from a relational database by the SPARK real-time calculation submodule and sent to the corresponding worker nodes of SPARK as a broadcast variable. SPARK labels the alarm information and the alarm recovery information through a map function, and pairs the alarm information with the corresponding alarm recovery information through the repartitionAndSortWithinPartitions function and the mapPartitions function, thereby determining one alarm event. Of course, when the alarm information has no corresponding alarm recovery information, the individual alarm information may also be determined as an alarm event. The relational database may be a relational database in the data storage module in the data analysis layer shown in fig. 1.
It should be noted that step S1024 may be executed after step S1023, or after step S1022, and those skilled in the art may set the steps as needed. When S1024 is executed after S1023, this step may be performed by the streaming sub-module; when S1024 is executed after S1022, this step may be performed by the SPARK real-time computation submodule.
In this embodiment, the step S1023 can reduce the original alarm information in a period of time, improve the efficiency of subsequently analyzing the original alarm information in the period of time, and determine the association of different alarms in time; through the step S1024, the corresponding relationship between the alarm information and the alarm recovery information can be established, and the subsequent analysis of the recovered alarm is not needed, so that the analysis efficiency of the alarm information can be further improved.
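The windowing of S1023 and the pairing of S1024 can be followed in plain Python. This is an added illustration, not code from the patent: partitioning by key, sorting by time inside each partition and walking the partition stand in for the SPARK calls. The record fields, the CPU OIDs under the enterprise arc 99999, the sample records, and the choice to emit alarms without a pairing rule as events on their own are assumptions made for the example.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"        # standard linkDown trap OID
LINK_UP = "1.3.6.1.6.3.1.1.5.4"          # standard linkUp trap OID
COLD_START = "1.3.6.1.6.3.1.1.5.1"       # standard coldStart trap OID
CPU_OVER = "1.3.6.1.4.1.99999.1.1"       # constructed placeholder OID
CPU_BACK = "1.3.6.1.4.1.99999.1.2"       # constructed placeholder OID

# Alarm pairing sub-rule: alarm OID -> OID of the message that recovers it.
PAIRING_RULE = {LINK_DOWN: LINK_UP, CPU_OVER: CPU_BACK}
RECOVERY_TO_ALARM = {rec: alm for alm, rec in PAIRING_RULE.items()}


class Record(NamedTuple):
    device_ip: str
    oid: str
    location: str       # positioning information, e.g. a port or a CPU
    time: int           # seconds


class Event(NamedTuple):
    alarm: Record
    recovery: Optional[Record]      # None while the alarm is not recovered


def in_window(records, end, span):
    """S1023: keep records whose time lies in (end - span, end]."""
    return [r for r in records if end - span < r.time <= end]


def label(record):
    """Map step: tag a record as alarm or recovery under one pairing key."""
    if record.oid in PAIRING_RULE:
        return (record.device_ip, record.location, record.oid), "alarm"
    if record.oid in RECOVERY_TO_ALARM:
        alarm_oid = RECOVERY_TO_ALARM[record.oid]
        return (record.device_ip, record.location, alarm_oid), "recovery"
    return None, None


def pair_events(records):
    """S1024: build alarm events from labelled, time-ordered records."""
    partitions = defaultdict(list)
    events = []
    for record in records:
        key, kind = label(record)
        if key is None:
            events.append(Event(record, None))     # no rule: event on its own
        else:
            partitions[key].append((record.time, kind, record))
    for key in sorted(partitions):
        open_alarm = None
        # "alarm" sorts before "recovery", so an alarm wins a timestamp tie.
        for _, kind, record in sorted(partitions[key], key=lambda t: t[:2]):
            if kind == "alarm":
                if open_alarm is None:             # repeats belong to the same outage
                    open_alarm = record
            elif open_alarm is not None:
                events.append(Event(open_alarm, record))
                open_alarm = None
            # A recovery whose alarm lies outside the window is dropped.
        if open_alarm is not None:
            events.append(Event(open_alarm, None))
    return events


# Constructed sample records.
SAMPLE = [
    Record("10.0.0.1", LINK_DOWN, "port-1", 100),
    Record("10.0.0.1", LINK_UP, "port-1", 160),
    Record("10.0.0.1", LINK_DOWN, "port-2", 120),
    Record("10.0.0.1", LINK_UP, "port-2", 650),    # after a 600 s window
    Record("10.0.0.2", LINK_UP, "port-1", 130),    # recovery with no alarm
    Record("10.0.0.1", CPU_OVER, "cpu-0", 140),
    Record("10.0.0.1", CPU_BACK, "cpu-0", 500),
    Record("10.0.0.3", COLD_START, "chassis", 200),
]

if __name__ == "__main__":
    for event in pair_events(in_window(SAMPLE, end=600, span=600)):
        print(event)
```

With the 600 s window, port-2 is reported as an unrecovered alarm because its recovery arrives at 650 s; widening the window to 700 s pairs it.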
Optionally, as shown in fig. 7, after step S101, the method further includes:
S201, storing the original alarm information to a message middleware.
Specifically, the message middleware here, i.e., the message middleware in the data forwarding layer shown in fig. 1, since the message middleware is a distributed storage system, the storage space of the message middleware can be expanded as the original alarm information increases. Meanwhile, the message middleware can provide a data interface for the outside, so that a third-party information processor can directly access the data interface of the message middleware to acquire related original alarm information, and the process of repeatedly acquiring the original alarm information can be avoided.
After step S1021, the method further includes:
S301, storing at least one piece of first alarm information to a first database.
Specifically, the first database may be a memory database in the data storage module shown in fig. 1. After the first alarm information is determined in step S1021, the first alarm information may be stored in the memory database in a serialized manner; when subsequent analysis needs the same first alarm information, it may be obtained directly from the memory database, so that repeated pre-processing of the first alarm information is avoided.
In a possible implementation manner, after step S1021, the first alarm information may be further converted into a DataFrame format, and the first alarm information in the DataFrame format is stored in a persistent manner in the OLAP database, so as to be used by other offline data analysis programs and online data analysis programs, such as the processed original alarm information obtained in step S1023. The OLAP database is an OLAP database in the data storage module shown in fig. 1, and the OLAP database can support high-speed writing, has a high data compression rate, and can effectively utilize the continuity of data when reading a large amount of data, thereby reducing the disk overhead.
In a possible implementation manner, after step S103 or S1024, the method may further include:
S104, storing the analysis result.
Specifically, the analysis result may be the alarm node determined in step S103, or the alarm event determined in step S1024, and the analysis result may be stored in an OLTP database. It should be noted that the analysis result here also needs to be converted into a DataFrame format and then stored in a persistent manner in an OLTP database, i.e., the OLTP database of the data storage layer shown in fig. 1.
The network element alarm processing method provided by the embodiment of the invention comprises the following steps: acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring an SNMP trap message; the SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm Object Identifier (OID); determining at least one piece of target alarm information according to a first rule and the original alarm OID and original alarm device IP address corresponding to a plurality of pieces of original alarm information; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating an alarm part corresponding to the target alarm information; and determining an alarm node according to the target parameter information. The alarm information of the embodiment of the invention can be acquired by the data acquisition program. Because the embodiment of the invention deploys the program through the Docker image of the data acquisition program, the data acquisition program can be conveniently deployed at a plurality of acquisition nodes, thereby forming a data acquisition cluster and realizing the acquisition of big data. After acquiring a large amount of alarm information, the embodiment of the invention can aggregate and filter the alarm information according to the preset rule, thereby reducing redundant alarm information and improving the processing efficiency of the alarm information.
As shown in fig. 8, an embodiment of the present invention provides a network element alarm processing apparatus 40, including:
An acquisition module 401, configured to acquire multiple SNMP trap messages received by a data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring an SNMP trap message; the SNMP trap message includes original alarm information including an original alarm device Internet Protocol (IP) address and an original alarm Object Identifier (OID).
A processing module 402, configured to determine at least one piece of target alarm information according to a first rule and the original alarm OID and original alarm device IP address that correspond to multiple pieces of original alarm information acquired by the acquisition module 401; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating the alarm part corresponding to the target alarm information.
A determining module 403, configured to determine an alarm node according to the target parameter information determined by the processing module 402.
Optionally, the first rule includes a first aggregation sub-rule and a first filtering sub-rule. The processing module 402 is specifically configured to: determining at least one piece of first alarm information according to original alarm OIDs corresponding to a plurality of pieces of original alarm information and an IP address of original alarm equipment and a first aggregation sub-rule; the first alarm information comprises a first alarm level; and determining at least one piece of target alarm information according to a first alarm grade corresponding to at least one piece of first alarm information and a first filtering sub-rule.
Optionally, the first rule further includes an alarm pairing sub-rule. The processing module 402 is further configured to determine at least one alarm event according to the at least one first alarm information and the alarm pairing sub-rule; the alarm event includes target alarm information, or target alarm information and target alarm recovery information.
Optionally, as shown in fig. 9, the network element alarm processing apparatus 40 further includes a first storage module 404, a second storage module 405, and a third storage module 406.
The first storage module 404 is configured to store at least one piece of first alarm information in a first database.
The second storage module 405 is configured to store the original alarm information in the message middleware.
The third storage module 406 is configured to store information corresponding to the alarm node.
The network element alarm processing device provided by the embodiment of the invention comprises: the acquisition module is used for acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by the data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring an SNMP trap message; the SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm Object Identifier (OID); the processing module is used for determining at least one piece of target alarm information according to a first rule and the original alarm OID and original alarm device IP address corresponding to the plurality of pieces of original alarm information acquired by the acquisition module; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating an alarm part corresponding to the target alarm information; and the determining module is used for determining the alarm node according to the target parameter information determined by the processing module.
The alarm information of the embodiment of the invention can be acquired by the data acquisition program. Because the embodiment of the invention deploys the program through the Docker image of the data acquisition program, the data acquisition program can be conveniently deployed at a plurality of acquisition nodes, thereby forming a data acquisition cluster and realizing the acquisition of big data. After acquiring a large amount of alarm information, the embodiment of the invention can aggregate and filter the alarm information according to the preset rule, thereby reducing redundant alarm information and improving the processing efficiency of the alarm information.
Referring to fig. 10, an embodiment of the present invention further provides another network element alarm processing apparatus, including a memory 51, a processor 52, a bus 53, and a communication interface 54; the memory 51 is used for storing computer execution instructions, and the processor 52 is connected with the memory 51 through a bus 53; when the network element alarm processing device is operating, the processor 52 executes the computer executable instructions stored in the memory 51 to make the network element alarm processing device execute the network element alarm processing method provided in the above embodiment.
In a particular implementation, as one embodiment, the processor 52 (52-1 and 52-2) may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 10. As one embodiment, the network element alarm processing apparatus may also include a plurality of processors 52, such as the processor 52-1 and the processor 52-2 shown in fig. 10. Each of the processors 52 may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. Processor 52 may refer herein to one or more devices, circuits, and/or processing cores that process data (e.g., computer program instructions).
The memory 51 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disk read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 51 may be self-contained and coupled to the processor 52 via a bus 53. The memory 51 may also be integrated with the processor 52.
In a specific implementation, the memory 51 is used for storing data in the present application and computer-executable instructions corresponding to software programs for executing the present application. The processor 52 may perform various functions of the network element alarm processing device by running or executing software programs stored in the memory 51 and invoking data stored in the memory 51.
The communication interface 54 is any device, such as a transceiver, for communicating with other devices or communication networks, such as a control system, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), and the like. The communication interface 54 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The bus 53 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 53 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 10, but this does not mean that there is only one bus or one type of bus.
An embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium includes computer-executable instructions, and when the computer-executable instructions run on a computer, the computer is enabled to execute the network element alarm processing method provided in the foregoing embodiment.
An embodiment of the present invention further provides a computer program, where the computer program may be directly loaded into the memory and contains software code, and the computer program is loaded and executed by a computer, so as to implement the network element alarm processing method provided in the above embodiment.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative: the division of the modules or units is only one logical function division, and there may be other division ways in actual implementation. For example, various units or components may be combined or may be integrated into another device, or some features may be omitted or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. Units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, in essence, or the part thereof contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A network element alarm processing method is characterized by comprising the following steps:
acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by a data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring the SNMP trap messages; the SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID);
determining, according to a first rule, at least one piece of target alarm information from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating an alarm part corresponding to the target alarm information;
determining an alarm node according to the target parameter information;
the first rule comprises a first aggregation sub-rule and a first filtering sub-rule; the determining, according to the first rule, at least one piece of target alarm information from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information comprises:
determining, according to the first aggregation sub-rule, at least one piece of first alarm information from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information; the first alarm information comprises a first alarm level;
determining, according to the first filtering sub-rule, at least one piece of target alarm information from the first alarm level corresponding to the at least one piece of first alarm information;
the first rule further comprises an alarm pairing sub-rule; after the determining, according to the first filtering sub-rule, at least one piece of target alarm information from the first alarm level corresponding to the at least one piece of first alarm information, the method further comprises:
determining, according to the alarm pairing sub-rule, at least one alarm event from the correspondence among the at least one piece of first alarm information; the alarm event includes the target alarm information, or the target alarm information and target alarm recovery information.
2. The network element alarm processing method according to claim 1, wherein after the determining, according to the first aggregation sub-rule, at least one piece of first alarm information from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information, the method further comprises:
and storing at least one piece of first alarm information to a first database.
3. The method for processing the network element alarm according to claim 1 or 2, wherein after the acquiring the plurality of SNMP trap messages received by the data acquisition node, the method further comprises:
and storing the original alarm information to message middleware.
4. A network element alarm processing apparatus, comprising:
the acquisition module is used for acquiring a plurality of Simple Network Management Protocol (SNMP) trap messages received by the data acquisition node; the data acquisition node comprises a Docker image, the Docker image comprises a data acquisition program, and the data acquisition program is used for acquiring the SNMP trap messages; the SNMP trap message comprises original alarm information, wherein the original alarm information comprises an original alarm device Internet Protocol (IP) address and an original alarm object identifier (OID);
the processing module is used for determining, according to a first rule, at least one piece of target alarm information from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information acquired by the acquisition module; the target alarm information comprises a target alarm OID and target parameter information; the target parameter information is used for indicating an alarm part corresponding to the target alarm information;
the determining module is used for determining an alarm node according to the target parameter information determined by the processing module;
the first rule comprises a first aggregation sub-rule and a first filtering sub-rule; the processing module is specifically configured to:
determine, according to the first aggregation sub-rule, at least one piece of first alarm information from the original alarm OIDs and original alarm device IP addresses corresponding to the plurality of pieces of original alarm information; the first alarm information comprises a first alarm level;
determine, according to the first filtering sub-rule, at least one piece of target alarm information from the first alarm level corresponding to the at least one piece of first alarm information;
the first rule further comprises an alarm pairing sub-rule; the processing module is further configured to determine, according to the alarm pairing sub-rule, at least one alarm event from the correspondence among the at least one piece of first alarm information; the alarm event includes the target alarm information, or the target alarm information and target alarm recovery information.
5. The network element alarm processing device of claim 4, further comprising a first storage module;
the first storage module is used for storing at least one piece of first alarm information to a first database.
6. The network element alarm processing device according to claim 4 or 5, further comprising a second storage module;
and the second storage module is used for storing the original alarm information to a message middleware.
7. A network element alarm processing device is characterized by comprising a memory, a processor, a bus and a communication interface; the memory is used for storing computer-executable instructions, and the processor is connected with the memory through the bus; when the network element alarm processing device is in operation, the processor executes the computer-executable instructions stored in the memory to cause the network element alarm processing device to perform the network element alarm processing method according to any one of claims 1 to 3.
8. A computer-readable storage medium, comprising computer-executable instructions that, when executed on a computer, cause the computer to perform the network element alarm handling method of any of claims 1-3.
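The aggregation, filtering and pairing steps recited in claim 1, as an added Python example (not code from the patent). The rule table, the OIDs, the severity scale (1 is most severe), the timestamps and the `node` string format are all assumptions made for illustration; the sample traps are constructed.

```python
# Constructed OIDs under a made-up enterprise arc; not real vendor OIDs.
PORT_DOWN, PORT_UP = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"
FAN_FAIL, FAN_OK = "1.3.6.1.4.1.99999.2.1", "1.3.6.1.4.1.99999.2.2"
INFO_EVENT = "1.3.6.1.4.1.99999.3.1"

# Hypothetical first rule: alarm OID -> level, alarm part, recovery OID.
RULES = {
    PORT_DOWN: {"level": 1, "part": "port", "clear": PORT_UP},
    FAN_FAIL: {"level": 2, "part": "fan", "clear": FAN_OK},
    INFO_EVENT: {"level": 4, "part": "log", "clear": None},
}
CLEAR_OIDS = {r["clear"] for r in RULES.values() if r["clear"]}
MAX_LEVEL = 2  # assumed filtering sub-rule: keep levels 1..2 only

def aggregate(traps):
    """Assumed aggregation sub-rule: merge repeats of the same (IP, OID)."""
    merged, unknown = {}, []
    for ip, oid, ts in traps:
        if oid not in RULES and oid not in CLEAR_OIDS:
            unknown.append((ip, oid, ts))  # keep for review, never drop silently
            continue
        rec = merged.setdefault((ip, oid), {"count": 0, "last": ts})
        rec["count"] += 1
        rec["last"] = max(rec["last"], ts)
    return merged, unknown

def process(traps):
    """Return (alarm events, traps that matched no rule)."""
    first, unknown = aggregate(traps)
    events = []
    for (ip, oid), rec in first.items():
        rule = RULES.get(oid)
        if rule is None or rule["level"] > MAX_LEVEL:
            continue  # a recovery record, or filtered out by level
        # Assumed pairing sub-rule: a recovery from the same device only
        # closes the alarm if it arrived after the most recent raise.
        clear = first.get((ip, rule["clear"]))
        recovered = clear is not None and clear["last"] >= rec["last"]
        events.append({"node": f"{ip}/{rule['part']}", "oid": oid,
                       "level": rule["level"], "count": rec["count"],
                       "recovered": recovered})
    return events, unknown

# Constructed sample input: (source IP, trap OID, receive time in seconds).
SAMPLE_TRAPS = [
    ("192.0.2.10", PORT_DOWN, 100), ("192.0.2.10", PORT_DOWN, 101),
    ("192.0.2.10", PORT_DOWN, 102), ("192.0.2.10", PORT_UP, 130),
    ("192.0.2.11", FAN_FAIL, 105), ("192.0.2.11", FAN_OK, 110),
    ("192.0.2.11", FAN_FAIL, 140),           # raised again after the clear
    ("192.0.2.12", INFO_EVENT, 106),          # level 4, filtered out
    ("192.0.2.13", "1.3.6.1.4.1.99999.9.9", 107),  # no rule for this OID
]

if __name__ == "__main__":
    for event in process(SAMPLE_TRAPS)[0]:
        print(event)
```

The fan alarm stays open because its recovery trap predates the latest raise, which is the flapping case a pairing rule has to handle.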
CN202011259804.5A 2020-11-12 2020-11-12 Network element alarm processing method and device Active CN112491593B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011259804.5A CN112491593B (en) 2020-11-12 2020-11-12 Network element alarm processing method and device

Publications (2)

Publication Number Publication Date
CN112491593A CN112491593A (en) 2021-03-12
CN112491593B true CN112491593B (en) 2022-10-25

Family

ID=74929949

Country Status (1)

Country Link
CN (1) CN112491593B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113608839A (en) * 2021-08-10 2021-11-05 曙光信息产业(北京)有限公司 Cluster alarm method and device, computer equipment and storage medium
CN114501502B (en) * 2022-02-10 2024-01-05 中盈优创资讯科技有限公司 Alarm normalization method and device for 5G core network equipment
CN114826881A (en) * 2022-04-15 2022-07-29 北京科杰科技有限公司 Intelligent operation and maintenance method based on correlation analysis and computer readable storage medium
CN116088381B (en) * 2023-01-31 2024-02-06 惠州市海葵信息技术有限公司 Equipment alarm data processing method, controller and storage medium
CN116599820B (en) * 2023-05-26 2024-03-19 北京天融信网络安全技术有限公司 Alarm filtering processing method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603317A (en) * 2017-02-20 2017-04-26 山东浪潮商用***有限公司 Alarm monitoring strategy analysis method based on data mining technology
CN107979495A (en) * 2017-12-04 2018-05-01 斯凯文软件技术(广东)有限公司 A kind of gradient processing method of network management alarm storm
CN110719194A (en) * 2019-09-12 2020-01-21 中国联合网络通信集团有限公司 Network data analysis method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100357636B1 (en) * 2000-12-01 2002-10-25 삼성전자 주식회사 Method for managing alarm information in nms

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
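Network Alarm Management *** in a Cloud Environment; Zhang Liu; China Excellent Master's Theses Electronic Journal (《中国优秀硕士学位论文电子期刊》); 20160515; pp. 20-22, 61-66 *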

Also Published As

Publication number Publication date
CN112491593A (en) 2021-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant