
Design And Implementation Of Security Event System Based On Log Acquisition Technology

Posted on: 2020-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: C Feng
Full Text: PDF
GTID: 2428330602463026
Subject: Engineering

Abstract/Summary:
The Internet era has driven the rapid development of the social economy. At the same time, the scale of the data centers run by the operators that carry the Internet and its applications keeps expanding. Not only has information construction developed rapidly; the volume of data in network transmission, the problem of data islands, the types and quantities of network equipment, and the potential security risks of the network have also undergone earth-shaking changes. The network maintained by the operation staff of a data center grows ever larger, as does the number of network element nodes within it. The massive log information generated by the various devices imposes a great burden on the operation staff, and at the same time the security devices work in isolation from one another, so that a large number of repeated and invalid messages consume the operation staff's valuable time. The market urgently needs a product that collects and integrates the log information of the various devices in a target network, performs centralized normalization and storage of the collected logs, and mines the stored logs through association analysis techniques, analyzing potential security risks and alerting the security operation staff so as to reduce their workload and improve their efficiency.

Based on an analysis of market demand, this paper designs and implements a security event system. Through the functional architecture design, it defines the boundary and scope of the system and its key components and core functions, which include the log collection module, the asset management module and the association analysis module. After surveying the current state of mature domestic and international products and open source projects, it was found that products of this type treat the range of log collection and the depth of log correlation analysis as their core competitiveness. Therefore, this paper takes these two as the key technologies in which to make breakthroughs. Through theoretical research and deployment practice with open source projects, the log collection module and the correlation analysis module are designed and implemented. The log collection module is responsible for collecting, aggregating, normalizing and filtering log information of different locations and types; the normalized log becomes a standard format that can be provided to the association analysis. At the same time, the computation model is associated and analyzed using the algorithm support designed into the association analysis module, so as to form unified, asset-based threat and risk management.

In the log collection module, two data acquisition methods are proposed to meet the collection requirements of different devices, namely agentless mode and agent (proxy) mode. In agentless mode, the device sends its logs directly to the log collection module through syslog. In agent mode, a collection agent is installed on the device that needs data collection, and communication is established between the collection agent and the log collection module to solve the log collection and transmission problem. In the association analysis module, the normalized, formatted log data is submitted to the correlation engine for computation. Mature analysis algorithms are used to solve the problem of data analysis and mining, to provide real-time visibility of customer risk and to find the risk hidden in the data, with timely security warnings for customers; finally, the asset management module is combined with asset attributes to raise targeted security alarms for the affected assets.

In summary, the security event system is a practical product that combines the theory of software engineering with the experience of satisfying market demand and absorbing mature domestic and foreign products. The security event system simplifies operation-staff processes such as daily equipment log monitoring and retrieval, improves the efficiency of operation and maintenance, ensures the safe and stable operation of the data center, and ultimately supports the rapid development of the Internet era.
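The pipeline the abstract describes (agentless syslog collection, normalization into a standard schema, a correlation engine, and asset-attribute enrichment of the resulting alarm) can be sketched end to end in a few dozen lines. The following is an added illustration written for this page, not code from the thesis or its system; the syslog lines, the asset inventory, the field names and the single correlation rule (repeated authentication failures from one source within a time window, followed by a success) are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in RFC 3164 style (not taken from the thesis).
SAMPLE_SYSLOG = [
    "<38>Jun  5 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "<38>Jun  5 10:00:12 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50123 ssh2",
    "<38>Jun  5 10:00:25 db01 sshd[3300]: Failed password for admin from 203.0.113.7 port 50130 ssh2",
    "<38>Jun  5 10:00:40 web01 sshd[2101]: Failed password for root from 198.51.100.9 port 41000 ssh2",
    "<38>Jun  5 10:02:10 db01 sshd[3301]: Accepted password for admin from 203.0.113.7 port 50140 ssh2",
    "<30>Jun  5 10:02:11 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed asset inventory standing in for the asset management module.
ASSETS = {
    "web01": {"owner": "web-team", "criticality": 2},
    "db01": {"owner": "dba-team", "criticality": 3},
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
AUTH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def normalize(line, year=2020):
    """Parse one raw syslog line into the common schema consumed by the
    correlation stage. RFC 3164 timestamps carry no year, so one is assumed.
    Returns None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    event = {
        "time": ts, "host": m.group("host"), "app": m.group("app"),
        "facility": pri // 8, "severity": pri % 8,
        "type": "other", "user": None, "src_ip": None, "raw": m.group("msg"),
    }
    fm = AUTH_FAIL_RE.search(event["raw"])
    om = AUTH_OK_RE.search(event["raw"])
    if fm:
        event.update(type="auth_failure", user=fm.group("user"), src_ip=fm.group("src"))
    elif om:
        event.update(type="auth_success", user=om.group("user"), src_ip=om.group("src"))
    return event


def correlate(events, threshold=3, window_seconds=60):
    """Sliding-window rule: `threshold` authentication failures from one source
    within `window_seconds` raise one alarm per source; a later success from an
    already-alarmed source raises a second, higher-priority alarm."""
    recent = defaultdict(deque)
    alarmed = set()
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["src_ip"]
        if ev["type"] == "auth_failure":
            q = recent[src]
            q.append(ev)
            while q and (ev["time"] - q[0]["time"]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in alarmed:
                alarmed.add(src)
                alarms.append({"rule": "brute_force", "src_ip": src, "time": ev["time"],
                               "hosts": sorted({e["host"] for e in q}), "count": len(q)})
        elif ev["type"] == "auth_success" and src in alarmed:
            alarms.append({"rule": "success_after_brute_force", "src_ip": src,
                           "time": ev["time"], "hosts": [ev["host"]], "count": 1})
    return alarms


def enrich(alarms, assets):
    """Attach asset attributes: the alarm priority scales with the criticality
    of the most critical affected host, and the owners to notify are listed."""
    out = []
    for a in alarms:
        crit = max((assets.get(h, {}).get("criticality", 1) for h in a["hosts"]), default=1)
        owners = sorted({assets[h]["owner"] for h in a["hosts"] if h in assets})
        base = 2 if a["rule"] == "brute_force" else 4
        out.append({**a, "criticality": crit, "owners": owners, "priority": base * crit})
    return out


def run_pipeline(lines, assets):
    """Collect -> normalize -> correlate -> asset-enrich, as in the abstract."""
    events = [e for e in map(normalize, lines) if e]
    return enrich(correlate(events), assets)


if __name__ == "__main__":
    for alarm in run_pipeline(SAMPLE_SYSLOG, ASSETS):
        print(alarm["priority"], alarm["rule"], alarm["src_ip"], alarm["hosts"], alarm["owners"])
```

With the constructed input, the third failure from 203.0.113.7 crosses the threshold and produces a brute-force alarm spanning both hosts; the later successful login from the same source produces a second alarm that the asset enrichment ranks highest because it lands on the most critical asset. In a real deployment the raw lines would arrive over syslog (agentless mode) or from a collection agent, and the inventory would come from the asset management module rather than a literal.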
Keywords/Search Tags: Security Event System, Log collection, Association Analysis, Asset Management, Security Event Alarm