376 lines
46 KiB
Plaintext
2026-03-09 18:20:29.258 [main] INFO com.syslogApplication - Starting syslogApplication using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 31516 (E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr\syslog-consumer\target\classes started by chenc in E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr)
2026-03-09 18:20:29.258 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-03-09 18:20:29.264 [main] INFO com.syslogApplication - No active profile set, falling back to 1 default profile: "default"
2026-03-09 18:20:32.501 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-03-09 18:20:32.504 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Elasticsearch repositories in DEFAULT mode.
2026-03-09 18:20:33.247 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 735 ms. Found 1 Elasticsearch repository interfaces.
2026-03-09 18:20:33.255 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-03-09 18:20:33.256 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Reactive Elasticsearch repositories in DEFAULT mode.
2026-03-09 18:20:33.435 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2026-03-09 18:20:33.435 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 179 ms. Found 0 Reactive Elasticsearch repository interfaces.
2026-03-09 18:20:33.460 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-03-09 18:20:33.461 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-03-09 18:20:33.643 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Redis - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Redis repository, consider annotating your entities with one of these annotations: org.springframework.data.redis.core.RedisHash (preferred), or consider extending one of the following types with your repository: org.springframework.data.keyvalue.repository.KeyValueRepository
2026-03-09 18:20:33.643 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 167 ms. Found 0 Redis repository interfaces.
2026-03-09 18:20:34.518 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8089 (http)
2026-03-09 18:20:34.530 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8089"]
2026-03-09 18:20:34.531 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-03-09 18:20:34.531 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-03-09 18:20:34.885 [main] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring embedded WebApplicationContext
2026-03-09 18:20:34.885 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 5554 ms
2026-03-09 18:20:34.950 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: private static com.common.service.DmColumnService com.syslogApplication.dmColumnService
2026-03-09 18:20:37.863 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-03-09 18:20:38.381 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.insert] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Insert]
2026-03-09 18:20:38.394 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.update] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Update]
2026-03-09 18:20:38.410 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.deleteById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.DeleteById]
2026-03-09 18:20:38.414 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.selectById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.SelectById]
2026-03-09 18:20:38.469 [main] ERROR c.b.m.core.MybatisConfiguration - mapper[com.common.mapper.SecExceptionAlgorithmMapper.findById] is ignored, because it exists, maybe from xml file
2026-03-09 18:20:44.376 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== 初始化实时分析调度器 ==========
2026-03-09 18:20:44.398 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Starting...
2026-03-09 18:20:45.062 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Start completed.
2026-03-09 18:20:45.249 [main] INFO c.c.s.RealtimeAnalysisScheduler - 查询到 0 个实时分析规则
2026-03-09 18:20:45.250 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== 实时分析调度器初始化完成 ==========
2026-03-09 18:20:45.256 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: public static com.common.service.DeviceDeviceService com.common.service.AccessLogAlertService.deviceDeviceService
2026-03-09 18:20:45.296 [main] INFO c.c.service.AccessLogAlertService - 初始化AccessLogAlertService,上次处理时间: 2026-03-09T18:19:45.296
2026-03-09 18:20:45.457 [main] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:20:46.497 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-03-09 18:20:46.694 [main] INFO com.common.util.MyBatisUtil - MyBatis 初始化成功
2026-03-09 18:20:47.630 [main] INFO org.quartz.impl.StdSchedulerFactory - Using default implementation for ThreadExecutor
2026-03-09 18:20:47.642 [main] INFO o.quartz.core.SchedulerSignalerImpl - Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl
2026-03-09 18:20:47.643 [main] INFO org.quartz.core.QuartzScheduler - Quartz Scheduler v.2.3.2 created.
2026-03-09 18:20:47.644 [main] INFO org.quartz.simpl.RAMJobStore - RAMJobStore initialized.
2026-03-09 18:20:47.644 [main] INFO org.quartz.core.QuartzScheduler - Scheduler meta-data: Quartz Scheduler (v2.3.2) 'quartzScheduler' with instanceId 'NON_CLUSTERED'
Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
NOT STARTED.
Currently in standby mode.
Number of jobs executed: 0
Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.
2026-03-09 18:20:47.644 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler 'quartzScheduler' initialized from an externally provided properties instance.
2026-03-09 18:20:47.644 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler version: 2.3.2
2026-03-09 18:20:47.645 [main] INFO org.quartz.core.QuartzScheduler - JobFactory set to: org.springframework.scheduling.quartz.SpringBeanJobFactory@25297d52
2026-03-09 18:20:47.838 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-03-09 18:20:47.838 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-03-09 18:20:47.838 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1773051647836
2026-03-09 18:20:47.859 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-03-09 18:20:47.859 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-03-09 18:20:47.859 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1773051647859
2026-03-09 18:20:47.861 [main] INFO o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8089"]
2026-03-09 18:20:47.878 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8089 (http) with context path '/xdrservice'
2026-03-09 18:20:47.879 [main] INFO o.s.s.quartz.SchedulerFactoryBean - Starting Quartz Scheduler now
2026-03-09 18:20:47.880 [main] INFO org.quartz.core.QuartzScheduler - Scheduler quartzScheduler_$_NON_CLUSTERED started.
2026-03-09 18:20:47.897 [main] INFO com.syslogApplication - Started syslogApplication in 19.043 seconds (JVM running for 24.576)
2026-03-09 18:20:48.685 [org.springframework.kafka.KafkaListenerEndpointContainer#0-1-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: []
2026-03-09 18:20:48.753 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: [test-topic-0]
2026-03-09 18:21:00.012 [scheduling-1] INFO com.common.schedule.ETLOrchestrator - ETL任务开始执行,开始时间:2026-03-09 18:15:00,结束时间:2026-03-09 18:20:00
2026-03-09 18:21:00.017 [scheduling-1] INFO com.common.service.DataExtractor - 开始处理告警类型指定时间范围内数据,时间范围: 2026-03-09T18:15 - 2026-03-09T18:20
2026-03-09 18:21:00.017 [log-processor-1] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:21:00.017 [scheduling-5] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:21:00.099 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:21:00.186 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:0,耗时:87ms
2026-03-09 18:21:00.186 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:21:00.186
2026-03-09 18:21:00.191 [scheduling-6] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:21:00.191
2026-03-09 18:21:00.243 [log-processor-1] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:21:00.243 [scheduling-5] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:21:00.250 [scheduling-1] INFO com.common.service.DataExtractor - 指定时间范围分组数据量: 0 组
2026-03-09 18:21:00.250 [scheduling-1] INFO com.common.service.DataExtractor - 没有需要处理的数据
2026-03-09 18:21:00.250 [scheduling-1] INFO com.common.schedule.ETLOrchestrator - 定时ETL任务执行完成,耗时: 0 秒
2026-03-09 18:21:00.250 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - 开始执行泛化规则命中时间更新任务,时间:2026-03-09T18:21:00.250
2026-03-09 18:21:00.672 [scheduling-6] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:21:00.672 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 484ms
2026-03-09 18:21:00.833 [scheduling-5] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:19:45.296
2026-03-09 18:21:00.833 [log-processor-1] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:19:45.296
2026-03-09 18:21:00.915 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - 从 syslog_normal_data 表统计到 0 条规则命中记录
2026-03-09 18:21:00.915 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - 从 syslog_normal_alarm 表统计到 0 条规则命中记录
2026-03-09 18:21:00.915 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - 合并后需要更新的规则数量:0
2026-03-09 18:21:01.069 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - 当前启用状态的规则数量:173
2026-03-09 18:21:01.069 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - 开始批量更新,规则总数:173,分批数:1
2026-03-09 18:21:01.070 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - 泛化规则命中时间更新任务完成,更新规则数:0,耗时:820ms
2026-03-09 18:21:32.055 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Initializing Servlet 'dispatcherServlet'
2026-03-09 18:21:32.060 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Completed initialization in 5 ms
2026-03-09 18:21:32.233 [http-nio-8089-exec-1] INFO com.controllers.SyslogPushController - 收到syslog发送请求: SyslogRequest{ip='192.168.1.19', port=514, logContent='<0> 2026-01-12T14:37:53+08:00 ubuntu log_forward[3419]: {"flow_id": 1028204815001825, "serial_num": "CJFBT92", "src_ip": "120.238.245.132", "src_port": 60838, "dest_ip": "211.136.192.6", "dest_port": 53, "proto": "UDP", "app_proto": "dns", "direction": "CTS", "attacker_ip": "120.238.245.132", "victim_ip": "211.136.192.6", "rule_id": "0x20001e", "rule_name": "发现带外域名DNS请求行为", "attack_type": "网络嗅探", "severity": "1", "bulletin": "确认受害者以及其他信息,及时清除恶意链接", "detail_info": "发现主机正在请求DNSLOG服务器地址", "vuln_type": "网络嗅探", "vuln_desc": "发现主机正在请求DNSLOG服务器地址", "vuln_harm": "发现主机正在请求DNSLOG服务器地址", "tags": "dnslog", "cnnvd_id": null, "cve_id": null, "killchain": "侦查跟踪", "enable": "启用", "attack_result": "企图", "attack_method": "远程", "site_app": null, "code_language": "通用", "att_ck": "TA0002", "timestamp": "2026-01-12T14:37:53.588+0800", "custom": "{}", "feature_field": "", "feature_payload": "", "": null, "payload": "SQkBAAABAAAAAAAAB3BvbGxpbmcHb2FzdGlmeQNjb20AAAEAAQ==", "packet_size": 37, "pcap_file": ""}', protocol='TCP', facility='USER', severity='INFO'}
2026-03-09 18:21:32.234 [http-nio-8089-exec-1] INFO com.common.service.SyslogService - 开始发送syslog消息: IP=192.168.1.19, Port=514
2026-03-09 18:21:32.235 [http-nio-8089-exec-1] INFO com.common.service.SyslogService - TCP Syslog消息发送成功: 192.168.1.19:514
2026-03-09 18:21:32.235 [http-nio-8089-exec-1] INFO com.controllers.SyslogPushController - Syslog消息发送成功: IP=192.168.1.19, Port=514
2026-03-09 18:21:34.502 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.Modules.NormalData.SysLogProcessor - 开始处理批次消息,数量: 1
2026-03-09 18:21:34.502 [log-processor-2] INFO c.Modules.NormalData.SysLogProcessor - 收到syslogmessage:[receive_time=20260309182133303 device_id=103 device_name=公司开发内部测试探针 vendor=null data_type=json device_collect_id=1]<0> 2026-01-12T14:37:53+08:00 ubuntu log_forward[3419]: {"flow_id": 1028204815001825, "serial_num": "CJFBT92", "src_ip": "120.238.245.132", "src_port": 60838, "dest_ip": "211.136.192.6", "dest_port": 53, "proto": "UDP", "app_proto": "dns", "direction": "CTS", "attacker_ip": "120.238.245.132", "victim_ip": "211.136.192.6", "rule_id": "0x20001e", "rule_name": "???????????DNS???????", "attack_type": "???????", "severity": "1", "bulletin": "??????????????????????????????????", "detail_info": "????????????????DNSLOG?????????", "vuln_type": "???????", "vuln_desc": "????????????????DNSLOG?????????", "vuln_harm": "????????????????DNSLOG?????????", "tags": "dnslog", "cnnvd_id": null, "cve_id": null, "killchain": "??????", "enable": "????", "attack_result": "???", "attack_method": "???", "site_app": null, "code_language": "???", "att_ck": "TA0002", "timestamp": "2026-01-12T14:37:53.588+0800", "custom": "{}", "feature_field": "", "feature_payload": "", "": null, "payload": "SQkBAAABAAAAAAAAB3BvbGxpbmcHb2FzdGlmeQNjb20AAAEAAQ==", "packet_size": 37, "pcap_file": ""}
2026-03-09 18:21:40.696 [log-processor-2] ERROR c.M.NormalData.LogNormalProcessor - OrginalColumnMap 对象获取为空
2026-03-09 18:21:41.051 [log-processor-2] ERROR c.M.NormalData.LogNormalProcessor - OrginalColumnMap 对象获取为空
2026-03-09 18:21:41.062 [log-processor-2] ERROR c.M.NormalData.LogNormalProcessor - OrginalColumnMap 对象获取为空
2026-03-09 18:21:41.153 [log-processor-2] WARN c.c.service.LogDataFilterService - 泛化规则-数据过滤规则为空,默认不处理!
2026-03-09 18:21:41.611 [log-processor-2] ERROR c.c.service.LogDataFilterService - 解析过滤规则失败或filters_params为空: null
2026-03-09 18:21:41.797 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.Modules.NormalData.SysLogProcessor - 批次处理完成,总数: 1
2026-03-09 18:22:00.006 [scheduling-1] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:22:00.006 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:22:00.007 [log-processor-3] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:22:00.168 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:162ms
2026-03-09 18:22:00.168 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:22:00.168
2026-03-09 18:22:00.168 [scheduling-4] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:22:00.168
2026-03-09 18:22:00.236 [log-processor-3] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:22:00.238 [scheduling-1] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:22:00.602 [scheduling-4] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:22:00.602 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 434ms
2026-03-09 18:22:00.638 [scheduling-1] INFO c.c.service.AccessLogAlertService - 获取到 1 条新的日志数据,时间范围: 2026-03-09T18:19:45.296 到 2026-03-09T18:22:00.238
2026-03-09 18:22:00.638 [scheduling-1] INFO c.c.service.AccessLogAlertService - 开始处理算法: 测试算法3 (ID: 2004083121877696514)
2026-03-09 18:22:00.720 [scheduling-1] INFO c.c.service.AccessLogAlertService - 算法 测试算法3 未检测到告警
2026-03-09 18:22:00.722 [scheduling-1] INFO c.c.service.AccessLogAlertService - 访问日志告警处理任务完成,下次将从 2026-03-09T18:22:00.238 开始处理
2026-03-09 18:22:00.785 [log-processor-3] INFO c.c.service.AccessLogAlertService - 获取到 1 条新的日志数据,时间范围: 2026-03-09T18:22:00.238 到 2026-03-09T18:22:00.236
2026-03-09 18:22:00.785 [log-processor-3] INFO c.c.service.AccessLogAlertService - 开始处理算法: 测试算法3 (ID: 2004083121877696514)
2026-03-09 18:22:01.137 [log-processor-3] INFO c.c.service.AccessLogAlertService - 算法 测试算法3 未检测到告警
2026-03-09 18:22:01.137 [log-processor-3] INFO c.c.service.AccessLogAlertService - 访问日志告警处理任务完成,下次将从 2026-03-09T18:22:00.236 开始处理
2026-03-09 18:23:00.003 [scheduling-6] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:23:00.003 [log-processor-4] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:23:00.084 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:23:00.235 [scheduling-6] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:23:00.235 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:151ms
2026-03-09 18:23:00.235 [log-processor-4] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:23:00.235 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:23:00.235
2026-03-09 18:23:00.236 [scheduling-7] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:23:00.236
2026-03-09 18:23:00.444 [log-processor-4] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:23:00.452 [scheduling-6] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:23:00.684 [scheduling-7] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:23:00.684 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 448ms
2026-03-09 18:23:01.145 [scheduling-2] INFO c.c.s.RealtimeAnalysisScheduler - 执行规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, nextTime=2026-03-05T19:12, now=2026-03-09T18:23:00.971
2026-03-09 18:23:01.145 [scheduling-2] INFO c.c.s.impl.AnalysisRuleServiceImpl - 执行实时分析规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-03-09 18:23:01.608 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - 滚动窗口查询范围: 窗口大小=5m,查询时间范围=[2026-03-09 18:18:00, 2026-03-09 18:23:00]
2026-03-09 18:23:01.608 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - 开始执行实时规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, batchNo=20260309182301302, windowType=tumble, dataStartTime=2026-03-09 18:18:00, dataEndTime=2026-03-09 18:23:00
2026-03-09 18:23:03.009 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - 生成的SQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '5 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-03-09 18:18:00' AND log_time < '2026-03-09 18:23:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '5 MINUTE')
2026-03-09 18:23:03.655 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - 规则执行成功: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=1, alarmCount=1
2026-03-09 18:23:03.970 [scheduling-2] INFO c.c.s.i.RuleExecutionTimeServiceImpl - 更新规则下次执行时间,ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, windowType=tumble, nextExecuteTime=2026-03-09 18:28:00
2026-03-09 18:23:03.970 [scheduling-2] INFO c.c.s.RealtimeAnalysisScheduler - 本次调度执行规则数: 1, 跳过规则数: 0
2026-03-09 18:24:00.001 [scheduling-5] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:24:00.001 [log-processor-5] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:24:00.077 [scheduling-9] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:24:00.226 [scheduling-5] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:24:00.229 [scheduling-9] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:152ms
2026-03-09 18:24:00.229 [log-processor-5] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:24:00.229 [scheduling-9] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:24:00.229
2026-03-09 18:24:00.229 [scheduling-9] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:24:00.229
2026-03-09 18:24:00.419 [log-processor-5] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:24:00.423 [scheduling-5] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:24:00.673 [scheduling-9] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:24:00.673 [scheduling-9] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 444ms
2026-03-09 18:25:00.003 [scheduling-3] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:25:00.003 [log-processor-6] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:25:00.079 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:25:00.230 [log-processor-6] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:25:00.230 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:151ms
2026-03-09 18:25:00.230 [scheduling-3] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:25:00.230 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:25:00.230
2026-03-09 18:25:00.230 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:25:00.230
2026-03-09 18:25:00.420 [log-processor-6] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:25:00.420 [scheduling-3] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:25:00.667 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:25:00.667 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 437ms
2026-03-09 18:26:00.003 [scheduling-2] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:26:00.003 [scheduling-7] INFO com.common.schedule.ETLOrchestrator - ETL任务开始执行,开始时间:2026-03-09 18:20:00,结束时间:2026-03-09 18:25:00
2026-03-09 18:26:00.003 [scheduling-7] INFO com.common.service.DataExtractor - 开始处理告警类型指定时间范围内数据,时间范围: 2026-03-09T18:20 - 2026-03-09T18:25
2026-03-09 18:26:00.003 [log-processor-7] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:26:00.080 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:26:00.229 [log-processor-7] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:26:00.229 [scheduling-7] INFO com.common.service.DataExtractor - 指定时间范围分组数据量: 1 组
2026-03-09 18:26:00.229 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:149ms
2026-03-09 18:26:00.229 [scheduling-2] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:26:00.229 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:26:00.229
2026-03-09 18:26:00.229 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:26:00.229
2026-03-09 18:26:00.420 [scheduling-2] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:26:00.424 [log-processor-7] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:26:00.656 [scheduling-7] INFO com.common.service.DataLoader - 告警数据入库完成,成功: 1 条,总数: 1 条
2026-03-09 18:26:00.668 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:26:00.668 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 439ms
2026-03-09 18:26:00.737 [scheduling-7] INFO com.common.service.DataExtractor - 分组数据处理进度: 1/1 (100.00%)
2026-03-09 18:26:00.737 [scheduling-7] INFO com.common.service.DataExtractor - 分组数据处理完成,共处理 1 组数据
2026-03-09 18:26:00.737 [scheduling-7] INFO com.common.schedule.ETLOrchestrator - 定时ETL任务执行完成,耗时: 0 秒
2026-03-09 18:26:00.737 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - 开始执行泛化规则命中时间更新任务,时间:2026-03-09T18:26:00.737
2026-03-09 18:26:01.294 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - 从 syslog_normal_data 表统计到 1 条规则命中记录
2026-03-09 18:26:01.294 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - 从 syslog_normal_alarm 表统计到 1 条规则命中记录
2026-03-09 18:26:01.294 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - 合并后需要更新的规则数量:2
2026-03-09 18:26:01.444 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - 当前启用状态的规则数量:173
2026-03-09 18:26:01.444 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - 开始批量更新,规则总数:173,分批数:1
2026-03-09 18:26:01.761 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - 泛化规则命中时间更新任务完成,更新规则数:2,耗时:1024ms
2026-03-09 18:27:00.005 [scheduling-6] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:27:00.005 [log-processor-8] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:27:00.078 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:27:00.233 [scheduling-6] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:27:00.234 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:156ms
2026-03-09 18:27:00.234 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:27:00.234
2026-03-09 18:27:00.234 [scheduling-5] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:27:00.234
2026-03-09 18:27:00.480 [scheduling-6] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:27:00.494 [log-processor-8] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:27:00.704 [scheduling-5] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:27:00.704 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 470ms
2026-03-09 18:27:00.755 [log-processor-8] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:28:00.004 [scheduling-3] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:28:00.004 [log-processor-9] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
2026-03-09 18:28:00.081 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
2026-03-09 18:28:00.231 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:150ms
2026-03-09 18:28:00.231 [log-processor-9] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:28:00.231 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:28:00.231
2026-03-09 18:28:00.231 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:28:00.231
2026-03-09 18:28:00.231 [scheduling-3] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
2026-03-09 18:28:00.429 [log-processor-9] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:28:00.529 [scheduling-3] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
2026-03-09 18:28:00.637 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
2026-03-09 18:28:00.638 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 406ms
2026-03-09 18:28:00.865 [scheduling-8] INFO c.c.s.RealtimeAnalysisScheduler - 执行规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, nextTime=2026-03-09T18:28, now=2026-03-09T18:28:00.711
2026-03-09 18:28:00.865 [scheduling-8] INFO c.c.s.impl.AnalysisRuleServiceImpl - 执行实时分析规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-03-09 18:28:01.335 [scheduling-8] INFO c.c.s.impl.RealtimeAnalysisEngine - 滚动窗口查询范围: 窗口大小=5m,查询时间范围=[2026-03-09 18:23:00, 2026-03-09 18:28:00]
|
||
2026-03-09 18:28:01.335 [scheduling-8] INFO c.c.s.impl.RealtimeAnalysisEngine - 开始执行实时规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, batchNo=20260309182801024, windowType=tumble, dataStartTime=2026-03-09 18:23:00, dataEndTime=2026-03-09 18:28:00
|
||
2026-03-09 18:28:02.580 [scheduling-8] INFO c.c.s.impl.RealtimeAnalysisEngine - 生成的SQL: SELECT src_ip AS attack_ip,
|
||
dest_ip AS victim_ip,
|
||
origin_event_name AS alarm_name,
|
||
ARRAY_AGG(DISTINCT src_port) AS attack_port,
|
||
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
|
||
MAX(event_level) AS alarm_level,
|
||
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
|
||
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
|
||
COUNT(dest_ip) AS log_count,
|
||
MAX(attack_result) AS attack_result,
|
||
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
|
||
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
|
||
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
|
||
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
|
||
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
|
||
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
|
||
MIN(log_time) AS log_start_at,
|
||
MAX(log_time) AS log_end_at,
|
||
ARRAY_AGG(DISTINCT device_id) AS device_id,
|
||
ARRAY_AGG(DISTINCT payload) AS payload,
|
||
TUMBLE(log_time, INTERVAL '5 MINUTE') AS window_time
|
||
FROM syslog_normal_alarm AS t
|
||
WHERE log_time >= '2026-03-09 18:23:00' AND log_time < '2026-03-09 18:28:00' AND src_ip != '127.0.0.1' AND event_level >= 1
|
||
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '5 MINUTE')
|
||
|
||
2026-03-09 18:28:03.047 [scheduling-8] INFO c.c.s.impl.RealtimeAnalysisEngine - 规则执行成功: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
|
||
2026-03-09 18:28:03.362 [scheduling-8] INFO c.c.s.i.RuleExecutionTimeServiceImpl - 更新规则下次执行时间,ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, windowType=tumble, nextExecuteTime=2026-03-09 18:33:00
|
||
2026-03-09 18:28:03.362 [scheduling-8] INFO c.c.s.RealtimeAnalysisScheduler - 本次调度执行规则数: 1, 跳过规则数: 0
|
||
2026-03-09 18:29:00.006 [scheduling-5] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:29:00.006 [log-processor-10] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:29:00.081 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
|
||
2026-03-09 18:29:00.236 [scheduling-5] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:29:00.236 [log-processor-10] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:29:00.240 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:159ms
|
||
2026-03-09 18:29:00.240 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:29:00.240
|
||
2026-03-09 18:29:00.240 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:29:00.240
|
||
2026-03-09 18:29:00.487 [scheduling-5] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:29:00.488 [log-processor-10] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:29:00.702 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
|
||
2026-03-09 18:29:00.702 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 462ms
|
||
2026-03-09 18:30:00.005 [scheduling-2] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:30:00.005 [log-processor-1] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:30:00.081 [scheduling-8] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
|
||
2026-03-09 18:30:00.233 [scheduling-2] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:30:00.233 [log-processor-1] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:30:00.235 [scheduling-8] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:154ms
|
||
2026-03-09 18:30:00.235 [scheduling-8] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:30:00.235
|
||
2026-03-09 18:30:00.235 [scheduling-8] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:30:00.235
|
||
2026-03-09 18:30:00.430 [log-processor-1] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:30:00.501 [scheduling-2] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:30:00.639 [scheduling-8] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
|
||
2026-03-09 18:30:00.639 [scheduling-8] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 404ms
|
||
2026-03-09 18:31:00.006 [scheduling-3] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:31:00.006 [log-processor-2] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:31:00.006 [scheduling-8] INFO com.common.schedule.ETLOrchestrator - ETL任务开始执行,开始时间:2026-03-09 18:25:00,结束时间:2026-03-09 18:30:00
|
||
2026-03-09 18:31:00.006 [scheduling-8] INFO com.common.service.DataExtractor - 开始处理告警类型指定时间范围内数据,时间范围: 2026-03-09T18:25 - 2026-03-09T18:30
|
||
2026-03-09 18:31:00.084 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
|
||
2026-03-09 18:31:00.235 [scheduling-8] INFO com.common.service.DataExtractor - 指定时间范围分组数据量: 0 组
|
||
2026-03-09 18:31:00.235 [log-processor-2] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:31:00.235 [scheduling-3] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:31:00.235 [scheduling-8] INFO com.common.service.DataExtractor - 没有需要处理的数据
|
||
2026-03-09 18:31:00.235 [scheduling-8] INFO com.common.schedule.ETLOrchestrator - 定时ETL任务执行完成,耗时: 0 秒
|
||
2026-03-09 18:31:00.235 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - 开始执行泛化规则命中时间更新任务,时间:2026-03-09T18:31:00.235
|
||
2026-03-09 18:31:00.236 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:152ms
|
||
2026-03-09 18:31:00.236 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:31:00.236
|
||
2026-03-09 18:31:00.236 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:31:00.236
|
||
2026-03-09 18:31:00.515 [scheduling-3] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:31:00.519 [log-processor-2] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:31:00.629 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
|
||
2026-03-09 18:31:00.629 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 393ms
|
||
2026-03-09 18:31:00.758 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - 从 syslog_normal_data 表统计到 1 条规则命中记录
|
||
2026-03-09 18:31:00.758 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - 从 syslog_normal_alarm 表统计到 1 条规则命中记录
|
||
2026-03-09 18:31:00.758 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - 合并后需要更新的规则数量:2
|
||
2026-03-09 18:31:00.910 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - 当前启用状态的规则数量:173
|
||
2026-03-09 18:31:00.910 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - 开始批量更新,规则总数:173,分批数:1
|
||
2026-03-09 18:31:00.910 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - 泛化规则命中时间更新任务完成,更新规则数:0,耗时:675ms
|
||
2026-03-09 18:32:00.001 [scheduling-8] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:32:00.001 [log-processor-3] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:32:00.077 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
|
||
2026-03-09 18:32:00.226 [scheduling-8] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:32:00.226 [log-processor-3] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:32:00.232 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:155ms
|
||
2026-03-09 18:32:00.232 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:32:00.232
|
||
2026-03-09 18:32:00.233 [scheduling-1] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:32:00.233
|
||
2026-03-09 18:32:00.461 [scheduling-8] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:32:00.505 [log-processor-3] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:32:00.640 [scheduling-1] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
|
||
2026-03-09 18:32:00.640 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 408ms
|
||
2026-03-09 18:33:00.002 [scheduling-10] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:33:00.002 [log-processor-4] INFO c.c.service.AccessLogAlertService - 开始执行访问日志告警处理任务
|
||
2026-03-09 18:33:00.078 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备统计更新任务...
|
||
2026-03-09 18:33:00.228 [log-processor-4] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:33:00.228 [scheduling-10] INFO c.c.service.AccessLogAlertService - 加载了 1 个启用的算法配置
|
||
2026-03-09 18:33:00.230 [scheduling-6] INFO c.c.s.RealtimeAnalysisScheduler - 执行规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, nextTime=2026-03-09T18:33, now=2026-03-09T18:33:00.002
|
||
2026-03-09 18:33:00.230 [scheduling-6] INFO c.c.s.impl.AnalysisRuleServiceImpl - 执行实时分析规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
|
||
2026-03-09 18:33:00.232 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - 设备统计更新完成,处理设备数:1,耗时:154ms
|
||
2026-03-09 18:33:00.232 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - 开始执行设备采集探针任务时间更新,时间: 2026-03-09T18:33:00.232
|
||
2026-03-09 18:33:00.232 [scheduling-3] INFO c.c.s.DeviceCollectTaskUpdateService - 开始批量更新设备采集任务时间,当前时间: 2026-03-09T18:33:00.232
|
||
2026-03-09 18:33:00.426 [scheduling-10] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:33:00.494 [log-processor-4] INFO c.c.service.AccessLogAlertService - 没有发现新的日志数据,上次处理时间: 2026-03-09T18:22:00.236
|
||
2026-03-09 18:33:00.634 [scheduling-3] INFO c.c.s.DeviceCollectTaskUpdateService - 批量更新完成,总计: 48,已更新: 1
|
||
2026-03-09 18:33:00.634 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - 设备采集探针任务时间更新完成,耗时: 402ms
|
||
2026-03-09 18:33:00.688 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - 滚动窗口查询范围: 窗口大小=5m,查询时间范围=[2026-03-09 18:28:00, 2026-03-09 18:33:00]
|
||
2026-03-09 18:33:00.688 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - 开始执行实时规则: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, batchNo=20260309183300381, windowType=tumble, dataStartTime=2026-03-09 18:28:00, dataEndTime=2026-03-09 18:33:00
|
||
2026-03-09 18:33:01.943 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - 生成的SQL: SELECT src_ip AS attack_ip,
|
||
dest_ip AS victim_ip,
|
||
origin_event_name AS alarm_name,
|
||
ARRAY_AGG(DISTINCT src_port) AS attack_port,
|
||
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
|
||
MAX(event_level) AS alarm_level,
|
||
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
|
||
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
|
||
COUNT(dest_ip) AS log_count,
|
||
MAX(attack_result) AS attack_result,
|
||
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
|
||
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
|
||
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
|
||
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
|
||
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
|
||
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
|
||
MIN(log_time) AS log_start_at,
|
||
MAX(log_time) AS log_end_at,
|
||
ARRAY_AGG(DISTINCT device_id) AS device_id,
|
||
ARRAY_AGG(DISTINCT payload) AS payload,
|
||
TUMBLE(log_time, INTERVAL '5 MINUTE') AS window_time
|
||
FROM syslog_normal_alarm AS t
|
||
WHERE log_time >= '2026-03-09 18:28:00' AND log_time < '2026-03-09 18:33:00' AND src_ip != '127.0.0.1' AND event_level >= 1
|
||
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '5 MINUTE')
|
||
|
||
2026-03-09 18:33:02.410 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - 规则执行成功: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
|
||
2026-03-09 18:33:02.717 [scheduling-6] INFO c.c.s.i.RuleExecutionTimeServiceImpl - 更新规则下次执行时间,ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=告警降噪分析规则-测试-V2, windowType=tumble, nextExecuteTime=2026-03-09 18:38:00
|
||
2026-03-09 18:33:02.718 [scheduling-6] INFO c.c.s.RealtimeAnalysisScheduler - 本次调度执行规则数: 1, 跳过规则数: 0
|