Log integrity protection method and device without application service modification, equipment and medium

This log integrity protection system, which generates message authentication codes using the Log4j framework and cryptographic algorithms, solves the transformation problem of log integrity protection in existing technologies, achieves seamless log formatting output and integrity protection, and improves system performance and security.

CN122174283APending Publication Date: 2026-06-09CETC CYBERSPACE SECURITY TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CETC CYBERSPACE SECURITY TECH CO LTD
Filing Date
2026-03-05
Publication Date
2026-06-09

Smart Images

  • Figure CN122174283A_ABST
    Figure CN122174283A_ABST
Patent Text Reader

Abstract

The application discloses a log integrity protection method and device without application service modification, equipment and medium, relates to the technical field of information security, and comprises the following steps: triggering log integrity protection system initialization operation after the application system starts; when the application system calls a log framework to record service logs, obtaining original log data through a preset log integrity protection component in the log integrity protection system which has completed initialization, performing field extraction on the original log data based on a framework configuration file of the log framework to determine original formatted data; performing integrity protection processing on the original formatted data through the preset log integrity protection component and a password resource component, determining target formatted data based on obtained target integrity protection field values, and completing service log output based on the log framework and the target formatted data. The application can solve the problems in the prior art, and ensures the integrity and authenticity of logs.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of information security technology, and in particular to a method, apparatus, device, and medium for log integrity protection without modification of application services. Background Technology

[0002] Currently, to protect the integrity of logs in application systems, existing solutions include: 1) Some use hash algorithms to generate log fingerprints for protection, but attackers can modify both the logs and the corresponding hash values, making it impossible for integrity checks to detect anomalies; 2) Some use custom-developed logging frameworks or integrate third-party logging frameworks for log integrity protection, which requires additional modifications to the application system's business logic and existing log output formats, resulting in low integration efficiency, high adaptation difficulty, and high modification costs; 3) Some use asymmetric encryption algorithms to digitally sign logs, but this may lead to performance bottlenecks, reducing log processing latency and impacting system performance. Summary of the Invention

[0003] In view of this, the purpose of this invention is to provide a method, apparatus, device, and medium for log integrity protection that requires no modification to application services. This solution addresses the problems existing in current related solutions, enabling configuration to take effect immediately and providing seamless log formatting and integrity protection without the service being aware of it. This ensures the integrity and authenticity of logs and improves the performance, security, and scenario adaptability of the application system. The specific solution is as follows: Firstly, this application provides a method for log integrity protection that requires no modification to application services, including: After the application system starts, the initialization operation of the log integrity protection system corresponding to the application system is triggered and completed; When the application system calls the logging framework to record business logs, it obtains the corresponding original log data through the preset log integrity protection component in the log integrity protection system that has been initialized. The preset log integrity protection component, based on the framework configuration file corresponding to the log framework, extracts the formatted fields from the original log data to determine the original formatted data. The original formatted data is subjected to integrity protection processing through the preset log integrity protection component and password resource component in the log integrity protection system to obtain the target integrity protection field value. The preset log integrity protection component is used to determine the target formatted data based on the target integrity protection field value and the original formatted data, so as to complete the business log output operation based on the log framework and the target formatted data.

[0004] Optionally, triggering and completing the initialization operation of the log integrity protection system corresponding to the application system includes: Trigger the preset log integrity protection converter initialization operation to obtain the preset log integrity protection converter; Based on the framework configuration file corresponding to the log framework, the pattern string of the preset log integrity protection converter is parsed and instantiated, and the resulting instantiated object is loaded into the converter chain of the log framework. During the initialization of the logging framework, the preset log integrity protection converter is loaded through the instantiated object to complete the plugin loading operation; The default log integrity protection policy configuration file is parsed, and the password resources are initialized using the corresponding second file parsing results. Generate temporary key pairs based on preset cryptographic algorithm components; Based on the integrity protection key identifier in the second file parsing result and the public key in the temporary key pair, obtain the integrity protection key ciphertext from the preset key management system; Based on the private key in the temporary key pair, the ciphertext of the integrity protection key is imported into a preset cryptographic device to obtain an integrity protection key object; Based on the preset cryptographic algorithm components, an integrity protection cryptographic computation object is created to complete the distribution and preparation of the integrity protection key; The integrity protection key object and the integrity protection password calculation object are saved to the integrity protection converter object corresponding to the preset log integrity protection converter to complete the log integrity protection system initialization operation.

[0005] Optionally, the step of parsing and instantiating the pattern string of the preset log integrity protection converter based on the framework configuration file corresponding to the log framework, and loading the resulting instantiated object into the converter chain of the log framework, includes: The framework configuration file of the log framework is parsed to determine the parsing result of the first file; Based on the parsing result of the first file, the log integrity protection converter is registered as a plugin of the log framework; Based on the log format rule string order information in the framework configuration file, the pattern string parsing and instantiation of the preset log integrity protection converter is completed to determine the instantiation object; The instantiated object is loaded into the converter chain of the logging framework so that, during the initialization of the logging framework, the preset log integrity protection converter is loaded through the instantiated object to complete the plugin loading operation.

[0006] Optionally, when the application system calls the logging framework to record business logs, it obtains the corresponding original log data through a preset log integrity protection component in the pre-initialized log integrity protection system, including: When the application system calls the logging framework to encapsulate the raw log data into log events, it uses a preset log integrity protection component in the initialized log integrity protection system and, based on the integrity protection converter object, calls a preset formatting function to process the log events to obtain the raw log data.

[0007] Optionally, the step of extracting formatted fields from the original log data using the preset log integrity protection component and based on the framework configuration file corresponding to the log framework includes: The preset log integrity protection component in the log integrity protection system is used to parse the pattern string in the framework configuration file corresponding to the log framework in order to construct a pattern string parsing tree. Based on the pattern string parsing tree, the formatted fields of the original log data are extracted to determine the original formatted data.

[0008] Optionally, the step of performing integrity protection processing on the original formatted data through the preset log integrity protection component and password resource component in the log integrity protection system includes: The integrity protection key object is obtained from the integrity protection converter object through the preset log integrity protection component; The integrity protection password calculation object is obtained from the integrity protection converter object through the preset log integrity protection component; The message authentication code corresponding to the original formatted data is determined by using the preset password algorithm component and password resource component, and by utilizing the integrity protection converter object and the integrity protection password calculation object; The message authentication code is written to the target placeholder field corresponding to the target placeholder name by the preset log integrity protection component and based on the target placeholder name configured in the framework configuration file, so as to obtain the target integrity protection field value to be output.

[0009] Optionally, determining the target formatted data using the preset log integrity protection component and based on the target integrity protection field value and the original formatted data includes: The target integrity protection field value is rewritten into the original formatted data using the preset log integrity protection component and based on the pattern string policy corresponding to the framework configuration file, in order to determine the target formatted data.

[0010] Secondly, this application provides a log integrity protection device that requires no modification to application services, comprising: The system initialization module is used to trigger and complete the initialization operation of the log integrity protection system corresponding to the application system after the application system starts. The log data acquisition module is used to acquire the corresponding raw log data through the preset log integrity protection component in the initialized log integrity protection system when the application system calls the log framework to record business logs. The data extraction module is used to extract the formatted fields from the original log data through the preset log integrity protection component and based on the framework configuration file corresponding to the log framework, so as to determine the original formatted data. The integrity protection module is used to perform integrity protection processing on the original formatted data through the preset log integrity protection component and password resource component in the log integrity protection system to obtain the target integrity protection field value; The log output module is used to determine the target formatted data based on the preset log integrity protection component, the target integrity protection field value, and the original formatted data, so as to complete the business log output operation based on the log framework and the target formatted data.

[0011] Thirdly, this application provides an electronic device, comprising: Memory, used to store computer programs; A processor is used to execute the computer program to implement the steps of the aforementioned application service log integrity protection method without modification.

[0012] Fourthly, this application provides a computer-readable storage medium for storing a computer program, which, when executed by a processor, implements the steps of the aforementioned application service log integrity protection method without modification.

[0013] As can be seen, in this application, after the application system starts, the initialization operation of the log integrity protection system corresponding to the application system is triggered and completed; when the application system calls the log framework to record business logs, the corresponding original log data is obtained through the preset log integrity protection component in the initialized log integrity protection system; the formatted fields of the original log data are extracted through the preset log integrity protection component and based on the framework configuration file corresponding to the log framework to determine the original formatted data; the original formatted data is subjected to integrity protection processing through the preset log integrity protection component and the password resource component in the log integrity protection system to obtain the target integrity protection field value; the target formatted data is determined through the preset log integrity protection component and based on the target integrity protection field value and the original formatted data, so as to complete the business log output operation based on the log framework and the target formatted data. In other words, this application first triggers the initialization operation of the log integrity protection system after the application system starts. Then, when the application system records business logs, it obtains the original log data through the preset log integrity protection component in the log integrity protection system. Next, it determines the target integrity protection field value corresponding to the original formatted data through the preset log integrity protection component and the password resource component. Finally, it determines the target formatted data based on the target integrity protection field value and the original formatted data through the preset log integrity protection component, so as to complete the application system's business log output operation based on the log framework and the target formatted data. In this way, it can solve the problems existing in the existing related solutions, realize the configuration takes effect immediately and the business is unaware of the log formatting output and log integrity protection throughout the process, thereby ensuring the integrity and authenticity of the logs and improving the performance, security and scenario adaptability of the application system. Attached Figure Description

[0014] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.

[0015] Figure 1 A flowchart of a log integrity protection method for application services that requires no modification, provided in this application; Figure 2 This application provides a schematic diagram of the initialization process of a log integrity protection system; Figure 3 A schematic diagram of the structure of a log integrity protection system provided in this application; Figure 4 A schematic diagram illustrating the configuration process of an integrity protection strategy provided in this application; Figure 5 A schematic diagram of the log event processing flow of an application system provided in this application; Figure 6 This application provides a flowchart illustrating a log integrity protection process. Figure 7 A schematic diagram of a log integrity protection device for application services that requires no modification, provided in this application; Figure 8 This application provides a structural diagram of an electronic device. Detailed Implementation

[0016] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0017] Currently, to protect the integrity of logs in application systems, existing solutions include: 1) Some use hash algorithms to generate log fingerprints for protection, but attackers can modify both the logs and the corresponding hash values, making it impossible for integrity checks to detect anomalies; 2) Some use custom-developed logging frameworks or integrate third-party logging frameworks for log integrity protection, which requires additional modifications to the application system's business logic and existing log output formats, resulting in low integration efficiency, high adaptation difficulty, and high modification costs; 3) Some use asymmetric encryption algorithms to digitally sign logs, but this may lead to performance bottlenecks, reducing log processing latency and impacting system performance.

[0018] To address this, this application provides a log integrity protection solution that requires no modification to application services. This solution solves the problems existing in related solutions, enabling configuration to take effect immediately and providing log formatting and integrity protection without the business being aware of it. This ensures the integrity and authenticity of logs and improves the performance, security, and scenario adaptability of the application system.

[0019] See Figure 1 As shown in the figure, this invention discloses a log integrity protection method for application services without modification, including: Step S11: After the application system starts, trigger and complete the initialization operation of the log integrity protection system corresponding to the application system.

[0020] In this embodiment, firstly, after starting the application system, the corresponding log integrity protection system is initialized. Specifically: a preset log integrity protection converter initialization operation is triggered to obtain the preset log integrity protection converter; based on the framework configuration file corresponding to the log framework, the pattern string of the preset log integrity protection converter is parsed and instantiated, and the obtained instantiated object is loaded into the converter chain of the log framework; during the initialization of the log framework, the preset log integrity protection converter is loaded through the instantiated object to complete the plugin loading operation; the preset log integrity protection policy configuration file is parsed, and the password resources are initialized using the corresponding second file parsing result; based on the preset log integrity protection policy configuration file, the pattern string of the preset log integrity protection converter is parsed and instantiated using the corresponding second file parsing result; based on the preset log integrity protection policy configuration file, the pattern string of the preset log integrity protection converter is parsed and instantiated using the pattern string of the preset log integrity protection converter; based on the pattern string, the pattern string of the preset log integrity protection converter is parsed and instantiated using the pattern string of the preset log integrity protection converter; based on the pattern string, the pattern string is parsed and instantiated using the pattern string ... A cryptographic algorithm component generates a temporary key pair. Based on the integrity protection key identifier in the second file parsing result and the public key in the temporary key pair, it obtains the ciphertext of the integrity protection key from a preset key management system. Based on the private key in the temporary key pair, it imports the ciphertext of the integrity protection key into a preset cryptographic device to obtain an integrity protection key object. Based on the preset cryptographic algorithm component, it creates an integrity protection cryptographic computation object to complete the distribution and preparation of the integrity protection key. The integrity protection key object and the integrity protection cryptographic computation object are saved to the integrity protection converter object corresponding to the preset log integrity protection converter to complete the log integrity protection system initialization operation. The log framework can be the Log4j framework.

[0021] Furthermore, regarding the string parsing and instantiation of the preset log integrity protection converter: the framework configuration file of the log framework is parsed to determine the parsing result of the first file; based on the parsing result of the first file, the log integrity protection converter is registered as a plugin of the log framework; based on the log format rule string order information in the framework configuration file, the pattern string parsing and instantiation of the preset log integrity protection converter is completed to determine the instantiation object; the instantiation object is loaded into the converter chain of the log framework so that during the initialization of the log framework, the preset log integrity protection converter is loaded through the instantiation object to complete the plugin loading operation.

[0022] In other words, combining Figure 2 As shown, the initialization process of the log integrity protection system may include the following steps: 1) Initialize the integrity protection converter: After the application system starts, initialize the Log4j framework, trigger the initialization of the log integrity protection converter, complete the execution of static code blocks, annotation parsing, dependency verification, etc., and create a log integrity protection object, namely MacLogPatternConverterObject; 2) Register the log integrity protection converter as a Log4j plugin: parse the integrity protection converter package path, custom placeholders, and scan annotations in Log4j.xml (the Log4j framework's XML (Extensible Markup Language) format configuration file), register it as a Log4j plugin, and complete the plugin loading operation; 3) Parse the pattern string: Based on the log format rule string order configured in Log4j.xml, complete the parsing and instantiation of the log integrity protection converter pattern string, and add this instantiated object to the Log4j converter chain; 4) Parse the integrity protection policy configuration file: Parse the URL (Uniform Resource Locator) address, tenant and application authorization information, cryptographic module type, integrity protection key identifier, integrity protection algorithm, etc. of the cryptographic service resources in MacLog.xml (log integrity protection XML format configuration file) to complete the initialization of cryptographic resources; 5) Integrity Protection Key Distribution: Through the cryptographic algorithm component, an SM2 temporary key pair, a public key PubKey and a private key PrKey, is generated. Using the public key PubKey and the integrity protection key identifier, the integrity protection key ciphertext, i.e., MacKeyCipher, is obtained from the key management system. Then, using the private key PrKey, the key ciphertext MacKeyCipher is imported into the cryptographic device to obtain the integrity protection key object, i.e., MacKeyObject. Through the integrity protection calculation method provided by the cryptographic algorithm component, an integrity protection cryptographic calculation object, i.e., MacOperationObject, is created, completing the integrity protection key distribution and preparation work. 6) Complete initialization: Save the integrity protection key object MacKeyObject and the integrity protection password calculation object MacOperationObject to the integrity protection converter object, namely MacLogPatternConverterObject, to complete system initialization.

[0023] It is important to understand that, in combination Figure 3 As shown, the log integrity protection system includes the following four modules: (1) LOG4J log converter module; This includes the LogEventPatternConverter component. This module encapsulates the logic for extracting and formatting log data, decoupling format configuration from raw data. It supports plug-in extensions to meet the needs of custom log fields and business logic. Through the combination of multiple converters, it achieves flexible and configurable log output formats. (2) Log integrity protection converter module; This includes the log integrity protection converter, namely the MacLogPatternConverter component. This module is based on the pluggable extension mechanism of the LOG4J log converter module, implementing a custom log converter. Through annotation programming, the log integrity protection converter module is injected into the Log4j framework. During the initialization of the log framework, the log integrity protection converter is loaded, completing the initialization operations related to the log integrity protection module and password resources. (3) Log integrity protection module, i.e., preset log integrity protection component; This module provides functions such as policy configuration, key distribution, pattern string parsing, log event processing, log integrity protection algorithm, and log formatted output. It combines log recording events to obtain the original log data, performs log integrity protection on the formatted information, and generates formatted output data with integrity protection fields. (4) Cryptographic resource module, i.e., cryptographic resource component; It is used to provide cryptographic resource support, including: configuration management, key management, cryptographic operations and other functions. Configuration management provides policy configuration and cryptographic resource configuration for application systems. Key management provides key distribution, key storage and other functions. Cryptographic operations provide integrity protection key import, message authentication code operation and other functions. Cryptographic operations can be cryptographic modules, cryptographic devices, cryptographic computing services, etc.

[0024] Further information needs to be understood regarding the implementation details of the MacLogPatternConverter component: (1) Implement the key methods of the LogEventPatternConverter parent class; MacLogPatternConverter implements the format method in the parent class, defines the data extraction and formatting logic, and declares the converter name and style identifier through the parent class constructor for internal identification and classification within the Log4j framework; (2) Mark it as a Log4j plugin using the @Plugin annotation; In the MacLogPatternConverter source code file, add the @Plugin annotation. The relevant code is as follows: Where name represents the plugin name and category represents the plugin type; (3) Bind custom placeholders using the @ConverterKeys annotation; In the MacLogPatternConverter source code file, add the @ConverterKeys annotation. The relevant code statements to add are as follows: MacLogPatternConverterId is a custom placeholder that corresponds to the placeholder name in the Log4j.xml configuration file; (4) Static instantiation of the entry point is achieved through the @PluginFactory annotation; Implement the static factory method newInstance in the MacLogPatternConverter class and annotate the newInstance method with the @PluginFactory annotation, which serves as the sole entry point for Log4j to instantiate the log integrity protection converter; (5) Configure the driver via Log4j.xml; Specify the log integrity protection converter scan package path and custom placeholders in the Log4j.xml configuration file. Then, upon system startup, it will automatically scan annotations, register plugins, and instantiate the converter, taking effect without modifying application business code. The fields that need to be specified in the Log4j.xml configuration file are: Specify the package path where the log integrity protection converter is located. In PatternLayout, add a custom placeholder [mac=%mac] to record the integrity protection field in the formatted log output.

[0025] In addition, combined Figure 4 As shown, the pre-executed integrity protection policy configuration process may include the following steps: (1) Configure password service policy; Users configure the password service URL, tenant ID, application ID, working path, password device / module name, integrity protection key ID, integrity protection algorithm, etc. through the password service policy configuration instructions. If no password service policy is configured, the system default password service policy will be used. (2) Configure the pattern string strategy; Users can define custom pattern strings based on the log format rule strings provided by Log4j. The relevant code statements can be: If no pattern string strategy is configured, the system default pattern string strategy will be used. (3) Configure the formatted output strategy; Users can add a custom placeholder [mac=%mac] in the PatternLayout field according to the formatted output requirements of the application system. mac represents the log integrity protection record value. If no formatted output strategy is configured, the system's default formatted output strategy will be used. (4) Generate the log integrity protection policy configuration file; Based on the rules of Log4j's XML configuration file, generate the Log4j.xml file corresponding to the pattern string strategy and formatted output strategy, and generate the MacLog.xml file corresponding to the password service resource configuration based on the rules of the integrity protection module configuration file.

[0026] Step S12: When the application system calls the log framework to record business logs, it obtains the corresponding original log data through the preset log integrity protection component in the log integrity protection system that has been initialized.

[0027] In this embodiment, after initialization is completed, protection can be initiated by acquiring log events through the preset log integrity protection component in the initialized log integrity protection system. Specifically, when the application system calls the log framework to encapsulate the original log data into log events, the preset log integrity protection component in the initialized log integrity protection system, based on the integrity protection converter object, calls the preset formatting function to process the log events and obtain the original log data.

[0028] Understandably, in combination Figure 5 As shown, regarding the acquisition of log events, in this embodiment, when the application system calls Log4j to record logs, the Log4j framework will encapsulate the raw log data into a LogEvent log event. The log integrity protection converter object MacLogPatternConverterObject will trigger the call to the format method to process the log event. In the format method, the raw log data LogData1 is obtained.

[0029] Step S13: Using the preset log integrity protection component and based on the framework configuration file corresponding to the log framework, extract the formatted fields from the original log data to determine the original formatted data.

[0030] In this embodiment, after obtaining the original log data LogData1, fields are extracted according to the preset log integrity protection component. Specifically, the preset log integrity protection component in the log integrity protection system is used to parse the pattern string of the framework configuration file corresponding to the log framework to construct a pattern string parsing tree. Based on the pattern string parsing tree, the formatting fields of the original log data are extracted to determine the original formatted data.

[0031] Understandably, in combination Figure 5 As shown, regarding the extraction of formatted fields, firstly, the pattern string is parsed: the user-pre-configured custom pattern string in the Log4j.xml configuration file is extracted. The pattern string is constructed into a parse tree; then, the information is extracted and formatted: the specified formatting fields in the pattern string are extracted from the original log data LogData1 through the pattern string parse tree. These fields include information such as date, time, thread, and line number to obtain the original formatted information LogFormatData1.

[0032] Step S14: Perform integrity protection processing on the original formatted data using the preset log integrity protection component and password resource component in the log integrity protection system to obtain the target integrity protection field value.

[0033] In this embodiment, after obtaining the original formatted data LogFormatData1, integrity protection is performed according to the preset log integrity protection component and the password resource component. Specifically: the preset log integrity protection component obtains the integrity protection key object from the integrity protection converter object; the preset log integrity protection component obtains the integrity protection password calculation object from the integrity protection converter object; the preset password algorithm component and the password resource component, along with the integrity protection converter object and the integrity protection password calculation object, determine the message authentication code corresponding to the original formatted data; the preset log integrity protection component, based on the target placeholder name configured in the framework configuration file, writes the message authentication code to the target placeholder field corresponding to the target placeholder name to obtain the target integrity protection field value to be output.

[0034] It is important to understand that, in combination Figure 5 Regarding the integrity protection of formatted information: [The following is an example of a method / approach] Figure 6The log integrity protection process shown performs integrity protection on the formatted information LogFormatData1 to obtain the formatted information MacFormatData of the integrity protection field, which is the target integrity protection field value.

[0035] about Figure 6 The log integrity protection process shown may include the following steps: 1) Obtain the formatted information to be output; The format method of the log integrity protection converter object MacLogPatternConverterObject is called to extract the raw formatted data to be output, OutPutData, from the LogEvent; 2) Obtain the integrity protection key object; Obtain the password integrity protection key object MacKeyObject from the log integrity protection converter object MacLogPatternConverterObject; 3) Obtain the integrity protection computation object; Obtain the password integrity protection computed object MacOperationObject from the log integrity protection converter object MacLogPatternConverterObject; 4) Perform integrity protection on formatted information; Using the cryptographic algorithm component, an integrity protection converter object and a cryptographic integrity protection compute object are used to perform a message authentication code operation on the output raw formatted data OutputData to obtain the message authentication code MacData; 5) Output the values ​​of the integrity protection fields; According to the pattern string parsing rules, the message authentication code MacData is written into the mac=%mac field to obtain the formatted data to be output after log integrity protection, MacFormatData, thus completing the log integrity protection operation.

[0036] In summary, the implementation of log integrity protection can be understood as follows: Log integrity protection calculations are performed using cryptographic resources such as a commercially compliant key management system and cryptographic devices / computing services. A custom log integrity protection converter component integrates cryptographic algorithm components (providing functions such as encryption, decryption, signing, signature verification, and hashing). These components access the key management system and cryptographic devices / computing services to complete the creation, distribution, and message authentication code calculation of integrity protection keys. The MacLog.xml configuration file configures the URL of cryptographic service resources, tenant and application authorization information, cryptographic module types, integrity protection key identifiers, etc., providing both default and custom configuration options to achieve configuration-driven operation, ensuring that application services are unaware of the integrity protection calculations.

[0037] In other words, regarding the plugin extension of the preset log integrity protection component: The solution proposed in this implementation is based on the LogEventPatternConverter abstract class of the log converter component provided by the log framework, and derives and implements a custom log integrity protection converter component class MacLogPatternConverter. Combined with the key management system and cryptographic operation module, it completes key distribution and integrity protection. It adopts annotation programming and Log4j.xml configuration to convert the raw log data into an output format with integrity protection. The configuration takes effect immediately throughout the process, and the application business is unaware of the log integrity protection formatted output.

[0038] Step S15: Using the preset log integrity protection component, and based on the target integrity protection field value and the original formatted data, determine the target formatted data so as to complete the business log output operation based on the log framework and the target formatted data.

[0039] In this embodiment, after determining the target integrity protection field value, the log format output will be generated. Specifically, the target integrity protection field value will be rewritten into the original format data through the preset log integrity protection component and based on the pattern string strategy corresponding to the framework configuration file, so as to determine the target format data.

[0040] Understandably, in combination Figure 5 As shown, regarding the generation of formatted log output: following the pattern string rules, the integrity protection field formatting information MacFormatData is rewritten into the original formatting information LogFormatData1, ultimately generating formatted information with integrity protection, namely the target formatted data LogFormatData2. The log output is completed by the Log4j framework, achieving seamless integration with the application business.

[0041] In summary, in this embodiment: (1) Solve the problem of formatted log output of application systems by using application business without modification, and ensure compliance and controllability of logs throughout their entire lifecycle, including generation, transmission, storage and use; (2) By using an application business without modification, combined with a key management system and cryptographic modules / cryptographic services, the generation, distribution, storage and use of keys are automatically realized, ensuring the security of integrity keys throughout their entire lifecycle; (3) By using the application business without modification, it supports log integrity protection for different cryptographic devices. The types of cryptographic devices include, but are not limited to: cryptographic machines, encryption cards, security chips, software cryptographic modules, cryptographic calculation services, etc. (4) By using the application business without modification, it supports flexible configuration of message authentication code algorithms such as SM3 HMAC and SM4 CMAC, and automatically completes the password calculation for log integrity protection; (5) The application system uses this log integrity protection method and system, uses Log4j standardized configuration and log recording process, and does not need to make additional modifications to the system business. It automatically completes the integrity protection of key logs throughout the process, improving the efficiency of application system transformation, reducing the difficulty of adaptation and transformation cost; (6) The key distribution methods involved include, but are not limited to: asymmetric public key protection of symmetric key, symmetric key protection of symmetric key, key derivation, etc. The sources of the protection key include, but are not limited to: key management system key, cryptographic device key, cryptographic service key, temporary session key, etc. (7) The asymmetric encryption algorithms and asymmetric key management involved shall adopt the SM2 standard algorithm that meets the commercial cryptography specifications, and the integrity protection algorithms involved shall adopt the SM3 and SM4 standard algorithms that meet the commercial cryptography specifications.

[0042] It is understood that the solution proposed in this embodiment has the following beneficial effects: (1) Provides default and custom configuration methods, flexibly generates log formatting policies and password resource policies, and realizes log formatting output and log integrity protection that takes effect immediately upon configuration and is transparent to business processes; (2) By combining the key identification management and cryptographic module of the key management system, the generation, distribution and use of keys are automatically completed in collaboration, ensuring the security of the key throughout its life cycle and preventing attackers from forging log content and generating valid message authentication codes; (3) During the process of logging, the application system solves the performance bottleneck problem caused by integrity protection, reduces log processing latency, and improves the performance of the application business system. (4) Through the configuration of cryptographic resources, heterogeneous access of different cryptographic devices can be automatically realized, which can meet the security requirements of cryptographic devices in multiple scenarios; (5) Using Log4j's standardized file configuration and standardized logging process, no additional modifications are required to the system business. The entire process of protecting the integrity of critical logs is completed automatically, improving the efficiency of application system transformation, reducing the difficulty of adaptation and transformation costs. (6) Adopting SM2, SM3 and SM4 standard algorithms that comply with commercial cryptography specifications, the security is guaranteed and the interactive data security is compliant. At the same time, it meets the application system's security assessment and information security requirements, thereby improving the security of the application system.

[0043] Therefore, in this embodiment, firstly, after the application system starts, the log integrity protection system initialization operation is triggered. Then, when the application system records business logs, the original log data is obtained through the preset log integrity protection component in the log integrity protection system. Next, the target integrity protection field value corresponding to the original formatted data is determined through the preset log integrity protection component and the password resource component. Finally, the target formatted data is determined through the preset log integrity protection component, based on the target integrity protection field value and the original formatted data, so that the application system's business log output operation can be completed based on the log framework and the target formatted data. This solves the problems existing in current related solutions, achieving configuration-instantaneous and business-unobtrusive log formatting output and log integrity protection, thereby ensuring the integrity and authenticity of logs and improving the performance, security, and scenario adaptability of the application system.

[0044] See Figure 7 As shown in the figure, this application also discloses a log integrity protection device that requires no modification to application services, including: The system initialization module 11 is used to trigger and complete the initialization operation of the log integrity protection system corresponding to the application system after the application system starts. The log data acquisition module 12 is used to acquire the corresponding original log data through the preset log integrity protection component in the log integrity protection system that has been initialized when the application system calls the log framework to record business logs. The data extraction module 13 is used to extract the formatted fields of the original log data through the preset log integrity protection component and based on the framework configuration file corresponding to the log framework, so as to determine the original formatted data. The integrity protection module 14 is used to perform integrity protection processing on the original formatted data through the preset log integrity protection component and password resource component in the log integrity protection system to obtain the target integrity protection field value; The log output module 15 is used to determine the target formatted data based on the preset log integrity protection component, the target integrity protection field value, and the original formatted data, so as to complete the business log output operation based on the log framework and the target formatted data.

[0045] In some specific embodiments, the system initialization module 11 may specifically include: The converter initialization unit is used to trigger the preset log integrity protection converter initialization operation to obtain the preset log integrity protection converter; The string parsing unit is used to parse and instantiate the pattern string of the preset log integrity protection converter based on the framework configuration file corresponding to the log framework, and load the obtained instantiated object into the converter chain of the log framework. The plugin loading unit is used to load the preset log integrity protection converter through the instantiated object during the initialization of the log framework to complete the plugin loading operation. The password resource initialization unit is used to parse the preset log integrity protection policy configuration file and use the corresponding second file parsing results to complete the initialization of password resources. The key pair generation unit is used to generate temporary key pairs based on a preset cryptographic algorithm component; The key ciphertext acquisition unit is used to obtain the integrity protection key ciphertext from the preset key management system based on the integrity protection key identifier in the second file parsing result and the public key in the temporary key pair; The first object determination unit is used to import the integrity protection key ciphertext into a preset cryptographic device based on the private key in the temporary key pair to obtain an integrity protection key object. The second object determination unit is used to create an integrity protection cryptographic calculation object based on the preset cryptographic algorithm component, so as to complete the distribution and preparation of the integrity protection key; The object storage unit is used to save the integrity protection key object and the integrity protection password calculation object to the integrity protection converter object corresponding to the preset log integrity protection converter, so as to complete the log integrity protection system initialization operation.

[0046] In some specific embodiments, the string parsing unit may specifically include: The first file parsing subunit is used to parse the framework configuration file of the log framework to determine the first file parsing result; The plugin registration subunit is used to register the log integrity protection converter as a plugin of the log framework based on the parsing result of the first file. The string parsing subunit is used to complete the parsing and instantiation of the pattern string of the preset log integrity protection converter based on the log format rule string order information in the framework configuration file, so as to determine the instantiated object; The instantiation object loading subunit is used to load the instantiation object into the converter chain of the logging framework, so that during the initialization of the logging framework, the preset log integrity protection converter is loaded through the instantiation object to complete the plugin loading operation.

[0047] In some specific embodiments, the log data acquisition module 12 may specifically include: The log data acquisition unit is used to process the log events by calling a preset log integrity protection component in the initialized log integrity protection system and, based on the integrity protection converter object, calling a preset formatting function to obtain the original log data when the application system calls the log framework to encapsulate the original log data into log events.

[0048] In some specific embodiments, the data extraction module 13 may specifically include: The parse tree construction unit is used to parse the pattern string of the framework configuration file corresponding to the log framework through the preset log integrity protection component in the log integrity protection system, so as to construct a pattern string parse tree. The field extraction unit is used to extract formatted fields from the original log data based on the pattern string parse tree, so as to determine the original formatted data.

[0049] In some specific embodiments, the integrity protection module 14 may specifically include: The first object acquisition unit is used to acquire the integrity protection key object from the integrity protection converter object through the preset log integrity protection component; The second object acquisition unit is used to acquire the integrity protection password calculation object from the integrity protection converter object through the preset log integrity protection component; The authentication code determination unit is used to determine the message authentication code corresponding to the original formatted data by using the preset password algorithm component and password resource component, and by utilizing the integrity protection converter object and the integrity protection password calculation object; The field value determination unit is used to write the message authentication code into the target placeholder field corresponding to the target placeholder name through the preset log integrity protection component and based on the target placeholder name configured in the framework configuration file, so as to obtain the target integrity protection field value to be output.

[0050] In some specific embodiments, the log output module 15 may specifically include: The rewrite unit is used to rewrite the target integrity protection field value into the original formatted data through the preset log integrity protection component and based on the pattern string policy corresponding to the framework configuration file, so as to determine the target formatted data.

[0051] Furthermore, embodiments of this application also disclose an electronic device, Figure 8 This is a structural diagram of an electronic device 20 according to an exemplary embodiment. The content of the diagram should not be construed as limiting the scope of this application.

[0052] Figure 8 This is a schematic diagram of the structure of an electronic device 20 provided in an embodiment of this application. Specifically, the electronic device 20 may include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input / output interface 25, and a communication bus 26. The memory 22 stores a computer program, which is loaded and executed by the processor 21 to implement the relevant steps in the application service log integrity protection method disclosed in any of the foregoing embodiments. Alternatively, the electronic device 20 in this embodiment may specifically be an electronic computer.

[0053] In this embodiment, the power supply 23 is used to provide operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and external devices, and the communication protocol it follows can be any communication protocol applicable to the technical solution of this application, and is not specifically limited here; the input / output interface 25 is used to acquire external input data or output data to the outside world, and its specific interface type can be selected according to specific application needs, and is not specifically limited here.

[0054] In addition, the memory 22, as a carrier for resource storage, can be a read-only memory, random access memory, disk or optical disk, etc. The resources stored thereon can include operating system 221, computer program 222, etc., and the storage method can be temporary storage or permanent storage.

[0055] The operating system 221 is used to manage and control the various hardware devices on the electronic device 20 and the computer program 222, which may be Windows Server, Netware, Unix, Linux, etc. In addition to including a computer program capable of performing the application service log integrity protection method without modification as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs capable of performing other specific tasks.

[0056] Furthermore, this application also discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned application service log integrity protection method without modification. Specific steps of this method can be found in the corresponding content disclosed in the foregoing embodiments, and will not be repeated here.

[0057] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the method section.

[0058] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0059] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly by hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.

[0060] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0061] The technical solutions provided in this application have been described in detail above. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the methods and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. A method for log integrity protection without modifying application services, characterized in that, include: After the application system starts, the initialization operation of the log integrity protection system corresponding to the application system is triggered and completed; When the application system calls the logging framework to record business logs, it obtains the corresponding original log data through the preset log integrity protection component in the log integrity protection system that has been initialized. The preset log integrity protection component, based on the framework configuration file corresponding to the log framework, extracts the formatted fields from the original log data to determine the original formatted data. The original formatted data is subjected to integrity protection processing through the preset log integrity protection component and password resource component in the log integrity protection system to obtain the target integrity protection field value. The preset log integrity protection component is used to determine the target formatted data based on the target integrity protection field value and the original formatted data, so as to complete the business log output operation based on the log framework and the target formatted data.

2. The application service log integrity protection method without modification according to claim 1, characterized in that, The triggering and completion of the log integrity protection system initialization operation corresponding to the application system includes: Trigger the preset log integrity protection converter initialization operation to obtain the preset log integrity protection converter; Based on the framework configuration file corresponding to the log framework, the pattern string of the preset log integrity protection converter is parsed and instantiated, and the resulting instantiated object is loaded into the converter chain of the log framework. During the initialization of the logging framework, the preset log integrity protection converter is loaded through the instantiated object to complete the plugin loading operation; The default log integrity protection policy configuration file is parsed, and the password resources are initialized using the corresponding second file parsing results. Generate temporary key pairs based on preset cryptographic algorithm components; Based on the integrity protection key identifier in the second file parsing result and the public key in the temporary key pair, obtain the integrity protection key ciphertext from the preset key management system; Based on the private key in the temporary key pair, the ciphertext of the integrity protection key is imported into a preset cryptographic device to obtain an integrity protection key object; Based on the preset cryptographic algorithm components, an integrity protection cryptographic computation object is created to complete the distribution and preparation of the integrity protection key; The integrity protection key object and the integrity protection password calculation object are saved to the integrity protection converter object corresponding to the preset log integrity protection converter to complete the log integrity protection system initialization operation.

3. The application service log integrity protection method without modification according to claim 2, characterized in that, The step of parsing and instantiating the pattern string of the preset log integrity protection converter based on the framework configuration file corresponding to the log framework, and loading the resulting instantiated object into the converter chain of the log framework, includes: The framework configuration file of the log framework is parsed to determine the parsing result of the first file; Based on the parsing result of the first file, the log integrity protection converter is registered as a plugin of the log framework; Based on the log format rule string order information in the framework configuration file, the pattern string parsing and instantiation of the preset log integrity protection converter is completed to determine the instantiation object; The instantiated object is loaded into the converter chain of the logging framework so that, during the initialization of the logging framework, the preset log integrity protection converter is loaded through the instantiated object to complete the plugin loading operation.

4. The application service log integrity protection method without modification according to claim 3, characterized in that, When the application system calls the logging framework to record business logs, it obtains the corresponding raw log data through the preset log integrity protection component in the pre-initialized log integrity protection system, including: When the application system calls the logging framework to encapsulate the raw log data into log events, it uses a preset log integrity protection component in the initialized log integrity protection system and, based on the integrity protection converter object, calls a preset formatting function to process the log events to obtain the raw log data.

5. The application service log integrity protection method without modification according to any one of claims 1 to 4, characterized in that, The step of extracting formatted fields from the original log data using the preset log integrity protection component and based on the framework configuration file corresponding to the log framework includes: The preset log integrity protection component in the log integrity protection system is used to parse the pattern string in the framework configuration file corresponding to the log framework in order to construct a pattern string parsing tree. Based on the pattern string parsing tree, the formatted fields of the original log data are extracted to determine the original formatted data.

6. The application service log integrity protection method without modification according to claim 4, characterized in that, The process of performing integrity protection on the original formatted data through the preset log integrity protection component and password resource component in the log integrity protection system includes: The integrity protection key object is obtained from the integrity protection converter object through the preset log integrity protection component; The integrity protection password calculation object is obtained from the integrity protection converter object through the preset log integrity protection component; The message authentication code corresponding to the original formatted data is determined by using the preset password algorithm component and password resource component, and by utilizing the integrity protection converter object and the integrity protection password calculation object; The message authentication code is written to the target placeholder field corresponding to the target placeholder name by the preset log integrity protection component and based on the target placeholder name configured in the framework configuration file, so as to obtain the target integrity protection field value to be output.

7. The application service log integrity protection method without modification according to claim 1, characterized in that, The step of determining the target formatted data through the preset log integrity protection component, based on the target integrity protection field value and the original formatted data, includes: The target integrity protection field value is rewritten into the original formatted data using the preset log integrity protection component and based on the pattern string policy corresponding to the framework configuration file, in order to determine the target formatted data.

8. A log integrity protection device that requires no modification to application services, characterized in that, include: The system initialization module is used to trigger and complete the initialization operation of the log integrity protection system corresponding to the application system after the application system starts. The log data acquisition module is used to acquire the corresponding raw log data through the preset log integrity protection component in the initialized log integrity protection system when the application system calls the log framework to record business logs. The data extraction module is used to extract the formatted fields from the original log data through the preset log integrity protection component and based on the framework configuration file corresponding to the log framework, so as to determine the original formatted data. The integrity protection module is used to perform integrity protection processing on the original formatted data through the preset log integrity protection component and password resource component in the log integrity protection system to obtain the target integrity protection field value; The log output module is used to determine the target formatted data based on the preset log integrity protection component, the target integrity protection field value, and the original formatted data, so as to complete the business log output operation based on the log framework and the target formatted data.

9. An electronic device, characterized in that, include: Memory, used to store computer programs; A processor is configured to execute the computer program to implement the application service log integrity protection method as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, Used to store computer programs, which, when executed by a processor, implement the application service log integrity protection method as described in any one of claims 1 to 7.