Log event correlation analysis method and device capable of concurrent and interrupted analysis

Abstract

The invention discloses a log event correlation analysis method and a device capable of concurrent and interrupted analysis. The method comprises the following steps: firstly defining an analysis rule and uploading the rule to an event correlation analysis module; acquiring a log message of each log source in sequence, and uploading the log messages to the event correlation analysis module; analyzing logs by the event correlation analysis module; storing intermediate state variables of the existing event correlation analysis to a state storage module in the analysis process; and if certain correlated event is triggered in the analysis process, sending an alarming signal of the correlated event outwards. The device comprises a rule definition module, a log message acquisition module, an alarm output module and an event correlation analysis module. According to the invention, the concurrent and interrupted analysis can be carried out on the multiple logs, thus strengthening the log audit function of network monitoring and a network management system, improving the accuracy of network early warming, and ensuring the safety of the network monitoring and the network management system.

Description

technical field [0001] The invention relates to the technical field of event correlation analysis in the field of information security, in particular to a log event correlation analysis method and device for performing concurrent and intermittent analysis on multiple different logs. Background technique [0002] In recent years, due to the rapid development of information technology, the scale of enterprise information technology infrastructure construction has continued to expand, and IT monitoring and operation and maintenance systems have also been widely used. Such systems are aimed at network equipment, hosts, operating systems, database systems and various application systems. The technical means of monitoring is mainly to collect various log data, and through effective analysis of these data, users or administrators can discover and avoid disasters in advance, and find the root cause of security incidents. The log here refers to certain operations of the system on som...

AI Technical Summary

Problems solved by technology

This method has fast extraction speed, but has no analysis function, simple function and low intelligence

(2) Regular expression method: use regular expressions to analyze log files. Regular expressions are actually a regular expression. This method can realize complex string analysis in a single log, but it cannot be applied to multiple logs. conjoint analysis

[0004] However, the current event correlation analysis methods do not consider the concurrent analysis and discontinuous analysis of multiple logs. The concurrent analysis of logs means that a single analysis module can analyze logs from multiple different sources within the same time Perform event correlation analysis between logs. Log intermittent analysis means that the analysis module can save the state of the previous log analysis. When a new log fragment arrives, it can continue to run in combination with the saved previous analysis state.

Existing methods do not provide enlightenment to realize the above functions

Images