CN117112554A - A log parsing method and system - Google Patents

A log parsing method and system

Info

Publication number: CN117112554A
Authority: CN (China)
Prior art keywords: log, parsing, preprocessing, parsed, content
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202310943158.1A
Other languages: Chinese (zh)
Other versions: CN117112554B (en)
Inventors: 李贤�, 方波, 梁忠辉
Current assignee: Smart Net Anyun Wuhan Information Technology Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Smart Net Anyun Wuhan Information Technology Co Ltd
Priority date: 2023-07-28 (the priority date is an assumption and not a legal conclusion)
Filing date: 2023-07-28
Publication date: 2023-11-24

Events
2023-07-28  Application filed by Smart Net Anyun Wuhan Information Technology Co Ltd
2023-07-28  Priority to CN202310943158.1A
2023-11-24  Publication of CN117112554A
2025-04-22  Application granted; publication of CN117112554B
Legal status: Active

Abstract

The invention discloses a log parsing method and system. The method comprises the following steps: create a parsing rule base that stores a lookup table mapping log content to parsing files; set log preprocessing rules, generating a preprocessing rule dictionary from the raw content of logs and generating the preprocessing rules from that dictionary; obtain the log to be parsed and process it with the preprocessing rule dictionary to obtain its type; divide logs of different types into several independent processing lines and parse them with the parsing files; and correct and update the preprocessing rule dictionary using the parsed content. The method addresses the poor generality, slow speed and low efficiency of existing log parsing.

Description

(Translated from Chinese)

A log parsing method and system

Technical field

The present invention relates to the field of log parsing, and in particular to a log parsing method and system.

Background

Networked devices generate large volumes of log data every day. This data records the operating status of hardware and applications, error messages, user behaviour and other important information, but the log formats produced by different devices are usually not the same. As a result, information cannot be unified across logs and the data cannot be obtained effectively, so logs must be parsed: logs of different formats are converted into structured data that is convenient to aggregate and analyse.

Parsed log content helps enterprises and organizations understand how their hardware devices and applications are running. Because the content follows a unified specification, particular logs can be handled uniformly so that users quickly notice the key parts of a log, which improves the reliability, performance and security of systems and devices.

The main current approaches to log parsing and processing are as follows:

A log parsing file is written from the device's log-format documentation together with the content and format fields of its logs. The file records the correspondence between the raw fields of the log and the canonical fields defined by the log platform. The parsing file is then bound to the source IP address that sends the logs; logs are matched, in order of arrival, to the parsing file for their format, the raw information in each log is parsed into the platform's canonical fields, and the parsed content is then analysed to extract key content, generate alarms or perform other processing.

The advantage of this approach is that it guarantees the reliability of the data source for log analysis, ensures that the ingestion and parsing of every log is planned for, and keeps the parsing logic relatively simple. The problems it brings include:

(1) Every time a device is connected, its log format and parsing rules must be known in advance so that the corresponding parsing file can be configured; otherwise its logs cannot be parsed.

(2) If a large volume of logs is sent within a short period, parsing cannot keep up with the sending rate and logs accumulate, slowing down overall parsing and reception.

(3) All logs must be parsed before key content can be analysed and extracted, so depending on the parsing order, abnormal information may not be learned of immediately.

(4) The data in the parsing process is tightly coupled, so an error in any one stage causes deviations in the operation of the whole system.

Summary of the invention

To solve the technical problems of poor parsing generality, slow parsing speed and low efficiency in current log parsing, the present invention proposes a log parsing method and system. The method comprises the following steps:

S1. Create a parsing rule base that stores a lookup table mapping log content to parsing files;

S2. Set log preprocessing rules, generating a preprocessing rule dictionary from the raw content of logs;

S3. Obtain the log to be parsed, process it with the preprocessing rule dictionary, and obtain the type of the log;

S4. Divide logs of different types into several independent processing lines and parse them with the parsing files;

S5. Correct and update the preprocessing rule dictionary using the parsed content.

A log parsing system comprising:

a parsing rule construction module that creates a parsing rule base storing a lookup table mapping log content to parsing files;

a preprocessing rule setting module that sets log preprocessing rules and generates a preprocessing rule dictionary from the raw content of logs;

a log classification module that obtains the log to be parsed, processes it with the preprocessing rule dictionary and obtains the type of the log;

a log parsing module that divides logs of different types into several independent processing lines and parses them with the parsing files;

an optimization and update module that corrects and updates the preprocessing rule dictionary using the parsed content.

The beneficial effects provided by the present invention are:

1. Security monitoring: the log information of all kinds of devices contains event information. Security events in the system can be monitored from the logs sent, security threats discovered and responded to in time, and key logs prevented from being drowned in the mass of log information, which would lead to larger incidents; at the same time, logs of every kind can be parsed.

2. Recording device operation information: once each device's logs are stored and parsed, not only can the cause of a fault be located quickly when a device fails, but system performance and response time can also be optimized during daily operation.

3. Data analysis: the large amount of data parsed out of the logs can be analysed for patterns and trends, improving parsing efficiency and giving a picture of the level of network construction and of security management capability.

4. Optimizing resource utilization: the operating status of devices shows how system resources are used, so their allocation and use can be optimized and system utilization improved.

Description of the drawings

Figure 1 is a schematic flow chart of the method of the present invention;

Figure 2 is a schematic diagram of the detailed processing of one log by the method of the present invention.

Detailed description

To make the purpose, technical solution and advantages of the present invention clearer, the embodiments of the present invention are further described below with reference to the accompanying drawings.

Refer to Figure 1, which is a schematic flow chart of the method of the present invention.

The present invention provides a log parsing method and system, comprising:

The method comprises the following steps:

S1. Create a parsing rule base that stores a lookup table mapping log content to parsing files;

Step S1 is specifically:

obtain historical parsing files and summarize the specific values of each class of parsing file to obtain key parameters;

for logs sent from a source IP that has not previously been bound to a parsing file, match the raw content of the log against the key parameters; a successful match means the log corresponds to that class of parsing file, and the lookup table is formed from these correspondences.

As one embodiment, the present invention summarizes the specific values of parsing files into key parameters. For logs sent from a source IP that is not bound to a parsing file, the raw content of the log is matched against the key parameters of the parsing files, and after a match the corresponding parsing file is used for parsing.

Specifically, a specific value is the content of a particular value in the raw log that an expression in the parsing file parses. For example, the alarm level in the raw log is written as level, and parsing with the parsing file converts level into the platform's alarm level.

The level field in the raw log may take the values 1, 2, 3 or 4, and the parsing file must map these to the platform's alarm levels.

Therefore level4 is a set of keywords: when the raw log contains this content, it is parsed with the parsing file corresponding to that keyword.

S2. Set log preprocessing rules, generating a preprocessing rule dictionary from the raw content of logs;

Step S2 is specifically: extract the key parts of the raw content of logs to form the preprocessing rule dictionary.

As one embodiment, the present invention extracts the content of the raw log information that matters most for parsing and summarizes it into a preprocessing rule dictionary, then generates preprocessing rules from AND, OR and NOT relations between the dictionary content and the log source.

The specific process of forming preprocessing rules is as follows:

1. First add keywords to the preprocessing rules as conditions, forming the dictionary. The keywords added are content that may appear in the raw log information. Each keyword can also be restricted so that it may only be referenced under certain conditions; the conditions include the log source IP.

2. Create preprocessing rules: preset rules are created from the content of the keyword dictionary and the information that accompanies log transmission. The user may select several kinds of information and combine them with AND, OR and NOT. Specifically:

Refer to Table 1 and Table 2. Table 1 lists the information accompanying log transmission; Table 2 explains how the information is combined.

Table 1 Information accompanying log transmission

Table 2 Description of how the information is combined

3. Set the execution scope and conditions of each preprocessing rule by combining the accompanying information listed above. When the accompanying information of a received log satisfies the execution conditions set for a rule, that rule is executed.

4. Set what happens once the current log satisfies a preprocessing rule. There are two options: (1) mark the log as an alarm log or other special event and send it on to the parsing stage; (2) discard the log directly without parsing.

S3. Obtain the log to be parsed, process it with the preprocessing rule dictionary, and obtain the type of the log;

The different types of log to be parsed include normal logs and alarm logs. Before a log enters the parsing stage, the preprocessing rules are run against its raw content, and according to the handling set in the rule the log is either discarded without parsing or marked as an alarm log and sent into the alarm parsing stage, which is not on the same line as normal log parsing.

S4. Divide logs of different types into several independent processing lines and parse them with the parsing files;

For normally parsed logs, once parsing is complete the parsed content is analysed to extract key information, and alarms are generated or other processing performed according to the analysis rules.

S5. Correct and update the preprocessing rule dictionary using the parsed content.

For a normal log, after parsing, key information is extracted from the parsed content and used as the alarm criterion when alarm logs are parsed.

If the content generated by parsing a normal log is subsequently judged to be alarm content, the value in the raw log of the field on which the preprocessing rule triggers is turned into a preprocessing keyword and added to the preprocessing rule dictionary.

For logs that preprocessing marked as alarms, preprocessing keywords that match no analysis rule once parsing is complete are removed from the preprocessing rule dictionary.

As an embodiment, refer to Figure 2, which shows the detailed processing of a new log.

1. Whenever the log platform receives a new log, it stores the log and then triggers different processing paths according to the attributes accompanying the sent log and its raw content, so that different types of log are parsed in stages and their information is learned of and handled faster.

2. The specific process is: when a log is received, first determine from its source IP address whether a parsing file is bound. If so, parse with that file. If not, match the raw log content against the specific values of all parsing files; if a match succeeds, parse the log with the parsing file corresponding to that specific value, and if nothing matches, do not parse the log.

Once logs have been associated with parsing files, the preprocessing stage begins. The execution scope set in the rules determines whether a log needs preprocessing. If not, the log goes directly into the normal parsing channel and is parsed in order of arrival. If a preprocessing rule applies but the log does not satisfy it, the log likewise enters the normal parsing channel. If the log satisfies the rule, it is handled according to the rule's execution mode: (1) abandon the log without parsing, or (2) mark the log as an alarm log and send it into a parsing channel separate from normal logs (the alarm parsing channel).

When a log parsed through the normal channel is complete, besides being stored in the database it is matched against the parsed-log alarm rules; if a rule is satisfied, an alarm log is generated, and at the same time the raw, pre-parsing content of the log information matched by that alarm rule is added to the preprocessing keyword dictionary.

A log parsing system comprising:

a parsing rule construction module that creates a parsing rule base storing a lookup table mapping log content to parsing files;

a preprocessing rule setting module that sets log preprocessing rules and generates a preprocessing rule dictionary from the raw content of logs;

a log classification module that obtains the log to be parsed, processes it with the preprocessing rule dictionary and obtains the type of the log;

a log parsing module that divides logs of different types into several independent processing lines and parses them with the parsing files;

an optimization and update module that corrects and updates the preprocessing rule dictionary using the parsed content.

Finally, the processing of the whole method is described through an embodiment.

For example, a normal log is: level5 Fri Jul 21 2023 09:32:04 192.168.184.145科来网络全流量安全分析系统-服务器:触发时间:2023-07-21 09:32:04链路名称:烽火创新谷警报名称:挖矿数据流特征值警报警报等级:高警报种类:信息收集触发条件:HTTPOPTIONS方法警报类型:数据流特征值警报源IP地址:31.208.190.177源端口:25074目标IP地址:192.168.201.211目标端口:4413累计触发次数:1; (in translation: level5 Fri Jul 21 2023 09:32:04 192.168.184.145 科来网络 full-traffic security analysis system - server: trigger time: 2023-07-21 09:32:04 link name: 烽火创新谷 alarm name: mining data-flow signature alarm alarm level: high alarm category: information collection trigger condition: HTTP OPTIONS method alarm type: data-flow signature alarm source IP address: 31.208.190.177 source port: 25074 destination IP address: 192.168.201.211 destination port: 4413 cumulative trigger count: 1;)

An alarm log is: level3 Fri Jul 21 2023 09:32:04 192.168.184.145科来网络全流量安全分析系统-服务器:触发时间:2023-07-21 09:32:04链路名称:烽火创新谷警报名称:挖矿数据流特征值警报警报等级:高警报种类:信息收集触发条件:HTTPOPTIONS方法警报类型:数据流特征值警报源IP地址:31.208.190.177源端口:25074目标IP地址:192.168.201.211目标端口:4413累计触发次数:1; (in translation: the same content as the normal log above, with the prefix level3 in place of level5)

The specific value of the parsing file is: 科来网络全流量安全分析系统 (the product name of the 科来网络 full-traffic security analysis system)

The preprocessing rule dictionary is: level3, level4; the preprocessing rule is: enter the alarm log parsing channel.

The parsed content is: log level: high; log reception time: 2023/12/02 20:13:25; field 1: ......................

After parsing, the updated preprocessing rule dictionary is: level3, level4, level5.
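The five steps S1 to S5, the Figure 2 procedure and the level3/level4/level5 worked example above fit together in one small, runnable pipeline. The Python below is an added example written for this page, not code from the patent or its assignee. The parse file named traffic_analyzer, its regular expression and specific value, the rule expression format (nested tuples of kw, src, and, or, not), the pre-bound source 10.0.0.7, the analysis rule "alert level High means alarm" and the sample log lines are all constructed assumptions modelled on the patent's example, with the device's message text rendered in English.

```python
import re

# Constructed parse file (S1): name, specific value and regex are assumptions.
# A real parse file maps raw fields to the platform's canonical fields.
PARSE_FILES = {
    "traffic_analyzer": {
        "specific_value": "Full Traffic Security Analysis System",  # key parameter
        "pattern": re.compile(r"^(?P<level>level\d)\s.*?Alert Name:\s*(?P<alert_name>.+?)"
                              r"\s+Alert Level:\s*(?P<alert_level>\w+)"),
    },
}
BOUND_SOURCES = {"10.0.0.7": "traffic_analyzer"}  # constructed: IPs bound in advance


def analysis_flags_alarm(parsed):
    """Constructed analysis rule applied to parsed content (S4)."""
    return parsed.get("alert_level") == "High"


class LogPipeline:
    def __init__(self, keywords, rules):
        # preprocessing dictionary: keyword -> source IPs allowed to use it (None = any)
        self.keywords = dict(keywords)
        self.rules = rules  # each: {"scope": ips or None, "expr": tuple, "action": str}

    def find_parse_file(self, src_ip, raw):
        """S1: a bound source wins; otherwise match the parse files' specific values."""
        if src_ip in BOUND_SOURCES:
            return BOUND_SOURCES[src_ip]
        return next((n for n, pf in PARSE_FILES.items() if pf["specific_value"] in raw), None)

    def keyword_hits(self, src_ip, raw):
        """S2: dictionary keywords present in the raw log and permitted for this source."""
        return [k for k, ips in self.keywords.items()
                if k in raw and (ips is None or src_ip in ips)]

    def evaluate(self, expr, src_ip, raw):
        """Rule expression: ("kw",) | ("src", ips) | ("and"/"or", e...) | ("not", e)."""
        op, args = expr[0], expr[1:]
        if op == "kw":
            return bool(self.keyword_hits(src_ip, raw))
        if op == "src":
            return src_ip in args[0]
        if op == "not":
            return not self.evaluate(args[0], src_ip, raw)
        if op in ("and", "or"):
            return (all if op == "and" else any)(self.evaluate(e, src_ip, raw) for e in args)
        raise ValueError(f"unknown operator {op!r}")

    def route(self, src_ip, raw):
        """S3: classify a log as unparsed / discard / alarm / normal."""
        pf = self.find_parse_file(src_ip, raw)
        if pf is None:
            return "unparsed", None
        for rule in self.rules:
            in_scope = rule["scope"] is None or src_ip in rule["scope"]
            if in_scope and self.evaluate(rule["expr"], src_ip, raw):
                return rule["action"], pf
        return "normal", pf

    def process(self, src_ip, raw):
        """S4 + S5: parse on the chosen channel, then correct the dictionary.
        Returns (channel, parsed_fields, dictionary_change)."""
        channel, pf = self.route(src_ip, raw)
        if pf is None or channel == "discard":
            return channel, {}, None
        match = PARSE_FILES[pf]["pattern"].search(raw)
        parsed = match.groupdict() if match else {}
        flagged, change = analysis_flags_alarm(parsed), None
        if channel == "normal" and flagged and "level" in parsed:
            # raw value of the field behind a freshly detected alarm becomes a keyword
            self.keywords.setdefault(parsed["level"], None)
            change = ("added", parsed["level"])
        elif channel == "alarm" and not flagged:
            # keywords that sent an unremarkable log down the alarm channel are dropped
            for k in self.keyword_hits(src_ip, raw):
                self.keywords.pop(k)
                change = ("removed", k)
        return channel, parsed, change


# Constructed sample data modelled on the patent's level3/level4/level5 example
SRC = "192.168.184.145"
RULES = [
    {"scope": {SRC}, "expr": ("and", ("kw",), ("src", {SRC})), "action": "alarm"},
    {"scope": {"10.0.0.7"}, "expr": ("not", ("kw",)), "action": "discard"},
]
BODY = ("Fri Jul 21 2023 09:32:04 192.168.184.145 Full Traffic Security Analysis System-Server: "
        "Trigger Time: 2023-07-21 09:32:04 Alert Name: Mining data flow signature alert "
        "Alert Level: {lvl} Alert Category: Information Collection Source Port: 25074")


def run_demo():
    """Returns ([(channel, parsed, change), ...], sorted final keyword list)."""
    p = LogPipeline({"level3": {SRC}, "level4": {SRC}}, RULES)
    results = [
        p.process(SRC, "level5 " + BODY.format(lvl="High")),  # normal; level5 is added
        p.process(SRC, "level3 " + BODY.format(lvl="High")),  # alarm channel, confirmed
        p.process(SRC, "level4 " + BODY.format(lvl="Low")),   # alarm channel; level4 removed
        p.process("203.0.113.9", "unknown device text"),      # no parse file matches
        p.process("10.0.0.7", "heartbeat ok"),                 # bound source, discarded
    ]
    return results, sorted(p.keywords)
```

Calling run_demo() walks five logs through the pipeline: the level5 log reaches the normal channel and, because its parsed alert level is High, adds level5 to the dictionary (the patent's level3, level4 to level3, level4, level5 update); the level3 log hits a keyword and takes the alarm channel; the level4 log also takes the alarm channel but its parsed content matches no analysis rule, so level4 is removed; a log from an unknown source whose content matches no specific value is left unparsed; and a keyword-free log from the pre-bound source is discarded by the second rule. The per-keyword source restriction and the rule scope are the two places where the patent's "which rule may reference a keyword" and "execution scope" settings live.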

The beneficial effects of the present invention are:

1. Security monitoring: the log information of all kinds of devices contains event information. Security events in the system can be monitored from the logs sent, security threats discovered and responded to in time, and key logs prevented from being drowned in the mass of log information, which would lead to larger incidents; at the same time, logs of every kind can be parsed.

2. Recording device operation information: once each device's logs are stored and parsed, not only can the cause of a fault be located quickly when a device fails, but system performance and response time can also be optimized during daily operation.

3. Data analysis: the large amount of data parsed out of the logs can be analysed for patterns and trends, improving parsing efficiency and giving a picture of the level of network construction and of security management capability.

4. Optimizing resource utilization: the operating status of devices shows how system resources are used, so their allocation and use can be optimized and system utilization improved.

The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (8)

(Translated from Chinese)

1. A log parsing method, characterized in that it comprises the following steps:
   S1. create a parsing rule base that stores a lookup table mapping log content to parsing files;
   S2. set log preprocessing rules, generate a preprocessing rule dictionary from the raw content of logs, and generate preprocessing rules from the preprocessing rule dictionary;
   S3. obtain the log to be parsed, process it with the preprocessing rule dictionary, and obtain the type of the log;
   S4. divide logs of different types into several independent processing lines and parse them with the parsing files;
   S5. correct and update the preprocessing rule dictionary using the parsed content.

2. The log parsing method of claim 1, characterized in that step S1 is specifically:
   obtain historical parsing files and summarize the specific values of each class of parsing file to obtain key parameters;
   for logs sent from a source IP not previously bound to a parsing file, match the raw content of the log against the key parameters; a successful match means the log corresponds to that class of parsing file, forming the lookup table.

3. The log parsing method of claim 1, characterized in that step S2 is specifically: extract the key parts of the raw content of logs to form the preprocessing rule dictionary.

4. The log parsing method of claim 1, characterized in that the different types of log to be parsed include normal logs and alarm logs.

5. The log parsing method of claim 1, characterized in that for a normal log, after parsing, key information is extracted from the parsed content and used as the alarm criterion when alarm logs are parsed.

6. The log parsing method of claim 1, characterized in that the specific process of correcting and updating the preprocessing rule dictionary in step S5 is: if the content generated by parsing a normal log is subsequently judged to be alarm content, the raw-log value of the field on which the preprocessing rule triggers is turned into a preprocessing keyword and added to the preprocessing rule dictionary.

7. The log parsing method of claim 1, characterized in that the specific process of correcting and updating the preprocessing rule dictionary in step S5 further comprises: for logs that preprocessing marked as alarms, removing from the preprocessing rule dictionary any preprocessing keyword that matches no analysis rule once parsing is complete.

8. A log parsing system, characterized in that it comprises:
   a parsing rule construction module that creates a parsing rule base storing a lookup table mapping log content to parsing files;
   a preprocessing rule setting module that sets log preprocessing rules and generates a preprocessing rule dictionary from the raw content of logs;
   a log classification module that obtains the log to be parsed, processes it with the preprocessing rule dictionary and obtains the type of the log;
   a log parsing module that divides logs of different types into several independent processing lines and parses them with the parsing files;
   an optimization and update module that corrects and updates the preprocessing rule dictionary using the parsed content.
Priority Applications (1)

Application number   Priority date   Filing date   Title
CN202310943158.1A    2023-07-28      2023-07-28    Log analysis method and system (CN117112554B, en)

Applications Claiming Priority (1)

Application number   Priority date   Filing date   Title
CN202310943158.1A    2023-07-28      2023-07-28    Log analysis method and system (CN117112554B, en)

Publications (2)

Publication number   Publication date
CN117112554A         2023-11-24
CN117112554B         2025-04-22

Family

ID=88808245

Family Applications (1)

Application number   Title                            Priority date   Filing date   Status
CN202310943158.1A    Log analysis method and system   2023-07-28      2023-07-28    Active (CN117112554B, en)

Country Status (1)

Country   Link
CN (1)    CN117112554B (en)

Citations (7)

* Cited by examiner, † Cited by third party

Publication number      Priority date   Publication date   Assignee                              Title
US20150025875A1 (en) *  2013-07-19      2015-01-22         Tibco Software Inc.                   Semantics-oriented analysis of log message content
CN110162621A (en) *     2019-02-22      2019-08-23         腾讯科技(深圳)有限公司                  Disaggregated model training method, abnormal comment detection method, device and equipment
CN112350989A (en) *     2020-09-21      2021-02-09         西安交大捷普网络科技有限公司             Log data analysis method
CN112564988A (en) *     2021-02-19      2021-03-26         腾讯科技(深圳)有限公司                  Alarm processing method and device and electronic equipment
CN113420032A (en) *     2021-07-20      2021-09-21         奇安信科技集团股份有限公司               Classification storage method and device for logs
CN113806321A (en) *     2021-09-02      2021-12-17         北京天融信网络安全技术有限公司           Log processing method and system
CN116074075A (en) *     2023-01-09      2023-05-05         北京安博通科技股份有限公司               Method, system and device for analyzing security event correlation behavior based on correlation rules


Also Published As

Publication number   Publication date
CN117112554B (en)    2025-04-22

Similar Documents

Publication          Title
US11238069B2 (en)    Transforming a data stream into structured data
CN113342564B (en)    Log auditing method and device, electronic equipment and medium
US10318553B2 (en)    Identification of systems with anomalous behaviour using events derived from machine data produced by those systems
CN112905548B (en)    Security audit system and method
WO2019134226A1 (en)  Log collection method, device, terminal apparatus, and storage medium
CN108197261A (en)    A kind of wisdom traffic operating system
CN110232010A (en)    A kind of alarm method, alarm server and monitoring server
CN110427307A (en)    Log analytic method, device, computer equipment and storage medium
CN113420032B (en)    A log classification storage method and device
CN114338746A (en)    Analysis early warning method and system for data collection of Internet of things equipment
CN109379390B (en)    Network security baseline generation method based on full flow
CN111258798B (en)    Fault positioning method and device for monitoring data, computer equipment and storage medium
WO2025103085A1 (en)  Log processing method and system, log management platform, and electronic device
CN116910283A (en)    A graph storage method and system for network behavior data
CN116800438A (en)    A rebound shell detection method and device
CN117112554A (en)    A log parsing method and system
CN114969450B (en)    User behavior analysis method, device, equipment and storage medium
CN115509995A (en)    Address processing method based on flow log matching
CN119854044B (en)    Network security alarm method, device, equipment and storage medium
CN107066538B (en)    Data statistics method and device
US11693851B2 (en)    Permutation-based clustering of computer-generated data entries
CN115510014A (en)    An implementation method of dynamic risk perception of SOM database based on flink stream processing
CN119311458A (en)    A detection method, device, equipment and medium for concealing abnormal processes
CN117033129A (en)    Method, device and equipment for monitoring and alarming data of clear difference
CN115801425A (en)    Method, device, electronic equipment and medium for matching threat information

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant
