Log processing method and device

[0021] In order to make the above objectives, features, and advantages of the application more obvious and understandable, the application will be further described in detail below with reference to the drawings and specific implementations.

[0022] One of the inventive concepts of the embodiments of the present application is to use the field sequence tree to match the field sequence to be identified in the log message, and to identify the field sequence to be identified that cannot be matched, and after the identification is completed The corresponding preset field sequence is added to the field sequence tree. In this way, when another log message with the same sequence of fields to be identified as the log message is received next time, the sequence of fields to be identified can be successfully matched with the preset field sequence in the field sequence tree, that is, the new The log message with increasing field sequence is identified. Therefore, the embodiment of the present application only needs to add a recognizable field sequence to the field sequence tree to automatically recognize the log message of the newly added format. Compared with the prior art that requires code or script modification to identify log messages in newly-added formats, the embodiment of the present application simplifies the operation process of log identification and can improve the efficiency of log identification.

[0023] Reference figure 1 , Shows a flowchart of the steps of a log processing method in one of the embodiments of the present application. In the embodiment of the present application, the log processing method includes:

[0024] Step 101: Extract a sequence of fields to be identified in a log message;

[0025] The embodiments of the present application can be used to analyze and process log messages generated by network equipment, security equipment, hosts, or application systems of different equipment vendors deployed in the network, and automatically identify the format of unknown log messages, compared to the requirements in the prior art By manually identifying the format of the unknown log message, the embodiment of the present application can save a lot of human resources and improve the efficiency of log processing.

[0026] The embodiments of this application do not impose restrictions on the types of log messages. For example, according to the types, it may include: attack logs, data request logs, query logs, etc. For ease of description, the embodiments of this application mainly take attack logs as an example for description. Other types of log processing procedures can be cross-referenced.

[0027] In a specific application, when a log message is received, the sequence of fields to be identified corresponding to the log message can be extracted. The sequence of fields to be identified can be used to represent the sequence of fields of the log message. Generally, a log message can correspond to A sequence of fields. The sequence of fields to be identified is identified to determine whether the log message is an unknown log message. Wherein, the sequence of fields to be identified may include the field name of each field in the log message.

[0028] Here, the log message of the syslog (system log) standard log protocol is taken as an example to illustrate the extraction process of the sequence of fields to be identified. Specifically, the step of extracting the sequence of fields to be identified in the log message may include the following sub-steps:

[0029] Sub-step S11: segment the log message according to the segmentation symbol in the log message to obtain the fields of the log message;

[0030] Sub-step S12: segment the field according to the separator in the log message to obtain the field name;

[0031] Sub-step S13: Obtain the field sequence to be identified according to the field name.

[0032] In specific applications, for log messages of the syslog standard log protocol, the log content carried in the log message usually appears in pairs in the form of "field name + field content", for example, the format of the log content carried in the log message It can be as follows:

[0033]

[0034] Among them, Tag1 and Tag2 represent the field name, Content1 and Content2 represent the field content, the segmentation character is used to separate two fields, and the separator is used to separate the field name and field content in a field. In specific applications, you can scan the log message and segment the log message according to the segmentation character to obtain each field, and then segment each field according to the separator to obtain the field name and field content. Extract the field name of each field, and compose the field sequence from the extracted field names. In specific applications, most log messages usually include segment characters and separators. The embodiment of the present application extracts the sequence of fields to be identified by scanning the segment characters and separators, and the extraction efficiency is high. It can be understood that the above-mentioned scanning of the segmentation character and the separator in the log message to obtain the field sequence to be identified is only used as an application example of this application. In a specific application, the embodiment of this application is for extracting the field sequence to be identified The specific method is not limited. For example, for special log messages without delimiters and segmentation characters, the sequence of fields to be identified can also be extracted directly by matching specific field names.

[0035] In practical applications, since different equipment manufacturers can use log messages in different formats, that is, log messages from different manufacturers can have different field names and field contents, and therefore, the extracted field sequences may also be different. Taking an attack log as an example, referring to Table 1, it shows a field sequence obtained by extracting an attack log message in a standard format according to the present application. And referring to Table 2, it shows a field sequence extracted from the attack log message of vendor A in this application, and referring to Table 3, it shows a field sequence extracted from the attack log message of vendor B in this application The sequence of fields. Among them, the second row of Table 1, Table 2 and Table 3 is the extracted field name, and the first row is the Chinese meaning corresponding to the field name.

[0036] Table 1

[0037] Source IP

[0038] Table 2

[0039]

[0040] table 3

[0041]

[0042] Step 102: Match the sequence of fields to be identified with a preset field sequence in the field sequence tree;

[0043] Wherein, the preset field sequence can be used to indicate an identifiable field sequence, that is, the embodiment of the present application may use a tree structure to store the identifiable field sequence, so that automatic matching of the field sequence to be identified can be realized according to the field sequence tree . In a specific application, if the sequence of fields to be identified matches the preset field sequence in the field sequence tree, it can be determined that the sequence of fields to be identified is an identifiable field sequence; otherwise, the sequence of fields to be identified can be determined If the field sequence is not recognized, the log message corresponding to the field sequence to be recognized is an unknown log message.

[0044] Step 103: For the field sequence to be identified that does not match the preset field sequence, identify the log type corresponding to the log message, and add a corresponding preset in the field sequence tree after the identification is completed Field sequence.

[0045] When the sequence of fields to be identified does not match the sequence of preset fields, it can be determined that the log message is an unknown log message, and the log type corresponding to the log message can be identified, and after the identification is completed Then, a corresponding preset field sequence is added to the field sequence tree. Therefore, the log message of the same format can be recognized next time the log message is received, thereby simplifying the operation process of identifying the log message of the newly-added format and improving the efficiency of log recognition.

[0046] In an optional embodiment of the present application, the log type corresponding to the log message is identified for the field sequence to be identified that does not match the preset field sequence, and after the identification is completed The step of adding a corresponding preset field sequence to the field sequence tree may specifically include the following sub-steps:

[0047] Sub-step S21, marking the unidentified field sequence that does not match the preset field sequence as an unidentified field sequence, and adding the unidentified field sequence to the field sequence tree;

[0048] Sub-step S22, reporting the field sequence to be identified that does not match the preset field sequence and its corresponding log message, so as to identify the log type corresponding to the log message;

[0049] Sub-step S23, after the identification is completed, mark the corresponding unidentified field sequence in the field sequence tree as a preset field sequence.

[0050] Specifically, when it is determined that the sequence of fields to be identified does not match the sequence of preset fields, the sequence of fields to be identified may be added to the existing field sequence tree, and the newly added field sequence to be identified may be The sequence sets the flag bit to identify the field sequence to be identified as an unrecognized field sequence; then, the field sequence to be identified and the corresponding log message are reported to the administrator so that the administrator can log the corresponding log message Type identification; for example, the sequence of fields to be identified and the corresponding log message are automatically notified to the administrator in a more prominent way (such as a work order), and the administrator can identify the corresponding log type (such as Attack log), and return the identified log type as the identification result; according to the received identification result, the flag bit of the corresponding unidentified field sequence in the field sequence tree can be modified to a preset field sequence to identify The sequence of fields to be identified is a sequence of identifiable fields.

[0051] It can be understood that, in this embodiment of the present application, the field sequence to be identified may be marked as an unidentified field sequence and added to the field sequence tree, and then the field sequence to be identified can be identified. Alternatively, the unrecognized field sequence to be identified can also be identified first, and after the identification process, the field sequence to be identified is marked as a preset field sequence and added to the field sequence tree. The embodiment of the present application does not limit the sequence of adding or identifying the field sequence to be identified that does not match the preset field sequence.

[0052] In this embodiment of the application, when the sequence of fields to be identified matches the sequence of preset fields, the sequence of fields to be identified can also be standardized, so that the unification of log messages in different formats can be achieved Management. In an optional embodiment of the present application, the method may further include the following step: for the field sequence to be identified that matches the preset field sequence, query the field sequence tree to obtain the preset The index value corresponding to the field sequence; query the mapping relationship between the standard field sequence and the preset field sequence according to the index value; replace the field in the to-be-identified field sequence corresponding to the standard field in the standard field sequence with The standard field.

[0053] Wherein, the standard field sequence may specifically be a field sequence extracted from a log message in a standard format. In practical applications, because different equipment manufacturers can correspond to log messages in different formats, log messages in different formats are often unrecognizable, but different equipment manufacturers can recognize log messages in standard formats. Therefore, the embodiments of this application can Establish the mapping relationship between the standard field sequence and the preset field sequence, so that when the field sequence to be identified is a recognizable field sequence, the field sequence to be identified can be standardized, so that the unification of log messages in different formats can be realized Management.

[0054] In an application example of the present application, the mapping relationship between the field sequence of the attack log message in a standard format and other preset field sequences (such as the field sequence of the attack log message of the identified vendor A) can be stored. Referring to Table 4, the mapping relationship between the field sequence of an attack log message in a standard format of the present application and the preset field sequence of the attack log message of vendor A is shown. The same column in Table 4 represents fields with the same meaning. For example, the ProtocalType field of vendor A in the fifth column has the same meaning as the standard field ProType. In this way, the attack log message of vendor A can be converted into a standard field format for recording according to the mapping relationship. , To facilitate subsequent unified analysis and search.

[0055] Table 4

[0056] Index 1

[0057] In the embodiment of the present application, the index value corresponding to the field sequence may be stored in the last node of each preset field sequence in the field sequence tree. When matching a sequence of fields to be identified, if a preset field sequence that matches the sequence of fields to be identified is found in the field sequence tree, the index corresponding to the preset sequence can be obtained through the last node of the preset field sequence The preset field sequence and the standard field corresponding to each field in the preset field sequence can be found in the mapping relationship shown in Table 4 through the index value, so that the field sequence to be identified can be standardized deal with. Specifically, each field in the attack log message of vendor A can be replaced with a corresponding standard field, and the field content of each field in the attack log message of vendor A can be recorded in a standard field sequence.

[0058] In the embodiment of this application, assuming that after matching the sequence of fields to be identified corresponding to the log message of manufacturer B, it is determined that the log message of manufacturer B is an unknown log message, then the log message of manufacturer B is corresponding to the to-be-identified The field sequence is marked as an unidentified field sequence and added to the field sequence tree. At this time, the field sequence to be identified and the log message of manufacturer B can be reported to the system administrator, and the system administrator can identify the corresponding according to the log message of manufacturer B After the log type (such as attack log), the corresponding unidentified field sequence in the field sequence tree is marked as a preset field sequence, and the field sequence corresponding to the log message of the identified manufacturer B and the standard field sequence can also be established The mapping relationship, and adding the mapping relationship in Table 4 above, you can get Table 5.

[0059] table 5

[0060] Index 1

[0061] Since the system administrator has completed the identification process for the unidentified field sequence, the corresponding unidentified field sequence in the field sequence tree can be marked as a preset field sequence. In subsequent applications, if an attack log message from vendor B is received, it can automatically match the corresponding preset field sequence in the field sequence tree, and automatically standardize the log message and convert it to a standard format. The unified management of log messages can be realized, so that the convenience of management of log messages can be provided.

[0062] In an application example of the present invention, it is assumed that according to the mapping relationship shown in Table 5, the attack log messages of vendor A and vendor B have been converted into a standard field format. In the process of log analysis, assuming that you need to count the source IP addresses in the attack log messages of vendor A and vendor B, you only need to look up the field content corresponding to the field name SrcIP to obtain the attack logs of vendor A and vendor B Source IP address in the message. Instead of separately querying the field content corresponding to the field name SrcIP and the field content corresponding to the field name SIP, the query operation can be simplified. Through the embodiment of the present invention, log messages of different manufacturers that originally have different field formats can be converted into the same standard field format, and log processing efficiency can be improved in the subsequent log analysis and log search processes.

[0063] To sum up, in the embodiment of the present application, first, extract the field sequence to be identified from the received log message, and match the field sequence to be identified with the preset field sequence in the field sequence tree; When the field sequence to be identified does not match the preset field sequence, a newly identified field sequence is added to the field sequence tree. In this way, when another log message with the same field sequence to be identified as the log message is received next time, the field sequence can be successfully matched with the preset field sequence in the field sequence tree, that is, the newly added field can be matched Sequence of log messages are identified. Therefore, the embodiment of the present application only needs to add a recognizable field sequence to the field sequence tree to automatically recognize the log message of the newly added format. Compared with the prior art that requires code or script modification to identify log messages in newly-added formats, the embodiment of the present application simplifies the operation process of log identification and can improve the efficiency of log identification.

[0064] In addition, the embodiment of the present application can also establish a mapping relationship between the standard field sequence and the preset field sequence, so that when the log message is an identifiable log message, the log message can be processed according to the standard field sequence, so that Standardized processing of log messages in different formats from different equipment manufacturers can realize unified management of log messages to improve log processing efficiency.

[0065] In another embodiment of the present application, in order to enable those skilled in the art to more clearly understand the log processing method of the present application, this embodiment describes in detail the process of adding a field sequence to the field sequence tree. Reference figure 2 , Shows a flow chart of the steps of adding a sequence of fields to be identified into the field sequence tree in one of the embodiments of the present application. In the embodiment of the present application, the step of marking the unidentified field sequence that does not match the preset field sequence as an unidentified field sequence, and adding the unidentified field sequence to the field sequence tree , Which can specifically include:

[0066] Step 201: Search sequentially for nodes at the next level of the root node of the field sequence tree whether there is a node corresponding to the first field in the sequence of fields to be identified that does not match the preset field sequence, and if it does not exist, Go to step 202, if it exists, go to step 203;

[0067] Step 202: Create a new node corresponding to the first field under the root node, and sequentially create a node corresponding to the next field under the newly created node, until the establishment of the node corresponding to the last field is completed;

[0068] Step 203: sequentially search for whether there is a node corresponding to the next field among the nodes of the next layer of the node corresponding to the first field;

[0069] Step 204: Repeat the above steps until the node corresponding to the last field in the sequence of fields to be identified that does not match the sequence of preset fields is found.

[0070] In an application example of this application, it is assumed that the field sequence of the standard format shown in Table 1 is added to the field sequence tree in advance, refer to image 3 , Shows a structural diagram of a field sequence tree of the present application, and the field sequence tree stores a standard format field sequence. Now that the attack log message from vendor A is received, the field sequence to be identified as shown in Table 2 is extracted through extraction, and the field sequence to be identified is an unidentified field sequence, then the field sequence to be identified is added to the field sequence tree. The process can be as follows:

[0071] In turn, look up whether there is a node corresponding to the field name SrcIP in the nodes hung under the root node Root of the field sequence tree. If it does not exist, construct the SrcIP node to hang under the Root node, and construct and attach the DstIP node under the SrcIP node in turn, SrcPort node until the last AttTime node. Since the SrcPort node already exists under the Root node, it is possible to find out whether there is a DstIP node in the nodes under the SrcPort node in turn. Since there are already DstIP nodes under the SrcPort node, it is possible to find out whether there is a ProxyIP node in the nodes under the DstIP node in sequence. Since there is no ProxyIP node in the nodes linked to the DstIP node, the ProxyIP node can be constructed to be linked to the DstIP node. Following the same steps, the ProtocalType node, SrcPort node, DstType node, AttackName node, AttL node, and AttTime can be constructed and constructed in sequence. Node, in this way, the process of adding the to-be-identified field sequence shown in Table 2 into the field sequence tree can be completed. Reference Figure 4 , Showing the structure diagram of another field sequence tree of this application, the field sequence tree is in image 3 On the basis of, the sequence of fields to be identified as shown in Table 2 is added.

[0072] In an optional embodiment of the present application, the step of matching the sequence of fields to be identified with a preset field sequence in the field sequence tree may specifically include:

[0073] Sequentially look up whether there is a node corresponding to the first field in the field sequence to be identified in the node at the next level of the root node of the field sequence tree. If it does not exist, the matching fails; if it exists, the current node is taken as the root node, Traverse whether there is a node corresponding to the second field in the sequence of fields to be identified in the next layer of nodes, and loop recursively until the node corresponding to the last field in the sequence of fields to be identified is found. If the node corresponding to the last field is a leaf node , The match is successful; if the node corresponding to the last field is not a leaf node, the match fails.

[0074] When matching the sequence of the field to be identified with the preset field sequence in the field sequence tree, a tree-structured breadth-first search algorithm can be adopted, starting from the root node, traversing all the nodes hanging under the root to find whether there is The node corresponding to the first field in the sequence of fields to be identified. If it does not exist, the matching fails. If it exists, the current node is used as the root node, and all the nodes hanging under it are traversed to find whether there is the second field in the sequence of fields to be identified. Corresponding nodes, loop recursively until the node corresponding to the last field in the sequence of fields to be identified is found. If this node is a leaf node, the matching is successful, and the log message corresponding to the sequence of fields to be identified is an identifiable log message; if this node is not a leaf node, the matching fails, and the log corresponding to the sequence of fields to be identified The message is an unrecognizable log message.

[0075] In the embodiment of the present application, in the process of matching the sequence of the field to be identified with the preset field sequence in the field sequence tree, the process of adding the sequence of the field to be identified to the field sequence tree can be completed, that is, the field to be identified The sequence identification and joining process can be performed synchronously, which can further improve the efficiency of log processing.

[0076] In an application example of this application, it is assumed that the established field sequence tree is such as Figure 4 As shown, at this time, when an attack log message from vendor B is received, first, extract the corresponding sequence of fields to be identified as shown in Table 3; then, the sequence of fields to be identified is compared with Figure 4 The preset field sequence in the field sequence tree in is matched, and if it does not match, the field sequence to be identified is marked as an unidentified field sequence and added to the field sequence tree. Specifically, the step of marking the to-be-identified field sequence of vendor B as an unidentified field sequence and adding it to the field sequence tree may be as follows:

[0077] Step S31: Find out whether there is a node corresponding to the first field (Time) of the sequence of fields to be identified in the nodes hanging under the root node Root, if not, perform step S32; otherwise, perform step S33;

[0078] Step S32: Construct a Time node to be hung under the Root node. Similarly, construct and hook the nodes corresponding to subsequent fields in the sequence of fields to be identified under the Time node in turn, and perform step S34;

[0079] Step S33: If the node corresponding to the first field (Time) is found, then take this node as the root node and continue to find whether there is a second field (SIP) corresponding to the sequence of fields to be identified in the nodes linked to it. Nodes, in turn, until the node corresponding to the field in the sequence of fields to be identified cannot be found. At this time, construct and hook the node corresponding to the field under the current root node, and the nodes corresponding to all subsequent fields after the field, execute Step S34;

[0080] Step S34: Mark the added field sequence to be identified as an unidentified field sequence.

[0081] Specifically, an unidentified flag may be set in the node corresponding to the last field in the newly-added sequence of fields to be identified to identify the sequence of fields as an unidentified field sequence.

[0082] In summary, the embodiment of this application identifies the field sequence to be identified that does not match the preset field sequence, and adds the corresponding preset field sequence to the field sequence tree after the identification is completed. It is necessary to add a recognizable field sequence to the field sequence tree to automatically recognize the log message in the newly added format. The embodiment of the present application adopts a tree structure to complete the matching and adding process of the field sequence to be identified. Since the tree structure has the characteristics of fast insertion and search speed, the embodiment of the present invention can improve the recognition speed of unknown messages and The speed of newly recognizable field sequence can further improve the recognition efficiency of log messages.

[0083] It should be noted that for the foregoing method embodiments, for the sake of simple description, they are all expressed as a series of action combinations, but those skilled in the art should know that this application is not limited by the described sequence of actions, because According to this application, some steps can be performed in other order or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by this application.

[0084] Reference Figure 5 , Shows a structural block diagram of a log processing apparatus according to one embodiment of the present application. In the embodiment of the present application, the log processing device includes:

[0085] The extraction module 501 is used to extract the sequence of fields to be identified in the log message;

[0086] The matching module 502 is configured to match the sequence of fields to be identified with a preset field sequence in the field sequence tree;

[0087] A new module 503 is used to identify the log type corresponding to the log message for the field sequence to be identified that does not match the preset field sequence, and add a new entry in the field sequence tree after the identification is completed The corresponding preset field sequence.

[0088] In an optional embodiment of the present application, the newly added module 503 may specifically include:

[0089] Adding a sub-module for marking the unidentified field sequence that does not match the preset field sequence as an unidentified field sequence, and adding the unidentified field sequence to the field sequence tree;

[0090] A reporting sub-module, configured to report the field sequence to be identified that does not match the preset field sequence and its corresponding log message, so as to identify the log type corresponding to the log message;

[0091] The setting sub-module is used to mark the corresponding unidentified field sequence in the field sequence tree as a preset field sequence after the identification is completed.

[0092] In another optional embodiment of the present invention, the adding submodule may specifically include:

[0093] The first searching unit is configured to sequentially search for nodes at the next level of the root node of the field sequence tree whether there is a node corresponding to the first field in the sequence of fields to be identified that does not match the preset field sequence, If it does not exist, create a node corresponding to the first field under the root node, and sequentially create a node corresponding to the next field under the newly created node, until the establishment of the node corresponding to the last field is completed;

[0094] The second searching unit is configured to, if the node corresponding to the first field exists in the node at the next level of the root node, sequentially search for whether there is a node at the next level of the node corresponding to the first field. The node corresponding to a field;

[0095] The third searching unit is configured to repeatedly execute the above steps until the node corresponding to the last field in the sequence of fields to be identified that does not match the sequence of preset fields is found.

[0096] In yet another optional embodiment of the present invention, the matching module 602 may specifically include:

[0097] The matching sub-module is used to sequentially search for the node at the next level of the root node of the field sequence tree whether there is a node corresponding to the first field in the field sequence to be identified, if it does not exist, the matching fails; if it exists, it is The current node is the root node, traverse whether there is a node corresponding to the second field in the sequence of fields to be identified in the next layer of nodes, and loop recursively until the node corresponding to the last field in the sequence of fields to be identified is found. If the last field corresponds to If the node of is a leaf node, the matching is successful; if the node corresponding to the last field is not a leaf node, the matching fails.

[0098] In still another optional embodiment of the present invention, the extraction module 601 may specifically include:

[0099] The first molecular module is used to segment the log message according to the segmentation symbol in the log message to obtain the fields of the log message;

[0100] The second segmentation module is used to segment the field according to the separator in the log message to obtain the field name;

[0101] The obtaining sub-module is used to obtain the sequence of fields to be identified according to the field names.

[0102] In still another optional embodiment of the present invention, the device may further include:

[0103] An index query module, configured to query the field sequence tree to obtain the index value corresponding to the preset field sequence for the field sequence to be identified that matches the preset field sequence;

[0104] The standard field search module is used to query the mapping relationship between the standard field sequence and the preset field sequence according to the index value;

[0105] The standard field replacement module is used to replace the field in the sequence of fields to be identified that corresponds to the standard field in the sequence of standard fields with the standard field.

[0106] As for the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment.

[0107] The various embodiments in this specification are described in a progressive manner. Each embodiment focuses on the differences from other embodiments, and the same or similar parts between the various embodiments can be referred to each other. As for the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment.

[0108] Those skilled in the art should understand that the embodiments of the present application can be provided as methods, systems, or computer program products. Therefore, this application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.

[0109] This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of this application. It should be understood that each process and/or block in the flowchart and/or block diagram, and the combination of processes and/or blocks in the flowchart and/or block diagram can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to generate a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment can be generated In the process Figure one Process or multiple processes and/or boxes Figure one A device with functions specified in a block or multiple blocks.

[0110] These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device. The device is implemented in the process Figure one Process or multiple processes and/or boxes Figure one Functions specified in a box or multiple boxes.

[0111] These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment. Instructions are provided to implement the process Figure one Process or multiple processes and/or boxes Figure one Steps of functions specified in a box or multiple boxes.

[0112] Although the preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn the basic creative concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of the present application.

[0113] The log processing method and device provided by this application are described in detail above. Specific examples are used in this article to explain the principles and implementation of this application. The description of the above examples is only used to help understand the method of this application. And its core ideas; at the same time, for those of ordinary skill in the art, according to the ideas of this application, there will be changes in the specific implementation and the scope of application. In summary, the content of this specification should not be construed as a reference to this application limits.