CN109284268A - A kind of method, system and the electronic equipment of fast resolving log - Google Patents
A kind of method, system and the electronic equipment of fast resolving log Download PDFInfo
- Publication number
- CN109284268A CN109284268A CN201811272135.8A CN201811272135A CN109284268A CN 109284268 A CN109284268 A CN 109284268A CN 201811272135 A CN201811272135 A CN 201811272135A CN 109284268 A CN109284268 A CN 109284268A
- Authority
- CN
- China
- Prior art keywords
- log
- resolution rules
- resolved
- target
- assets information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 58
- 238000005457 optimization Methods 0.000 claims abstract description 105
- 238000004458 analytical method Methods 0.000 claims abstract description 12
- 238000004590 computer program Methods 0.000 claims description 6
- 230000003247 decreasing effect Effects 0.000 abstract 1
- 238000003860 storage Methods 0.000 description 10
- 230000008569 process Effects 0.000 description 8
- 238000012545 processing Methods 0.000 description 7
- 238000012550 audit Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 3
- 230000007423 decrease Effects 0.000 description 3
- 238000011161 development Methods 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000014759 maintenance of location Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000035800 maturation Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The present invention provides a kind of methods of fast resolving log, system and electronic equipment, in this method, after receiving target log to be resolved, first by target resolution rules carry out sequence matching corresponding to the assets information to be matched in target log to be resolved and current optimization property match regular record table, if matching unsuccessful, enter back into progress resolution rules matching in resolution rules library, and, the assets information recorded in current optimization property match regular record table, resolution rules ID, corresponding relationship between matching times is arranged according to the descending of matching times corresponding to same assets information, in this way, when sequence matches, matching times are decreased to a certain extent, substantially increase the probability of successful match, and then accelerate the speed of log parsing, simultaneously without sacrificing parsing granularity, so log parsing can By property height, the technical issues of it is slow to alleviate existing log analytic method resolution speed, poor reliability.
Description
Technical field
The present invention relates to the technical field of network security, more particularly, to a kind of method of fast resolving log, system and
Electronic equipment.
Background technique
As increasingly developed log audit needs, requirement of the people for log audit is also higher and higher.Log storage
It is also increasing with parsing amount.The log type of parsing is also set from single host, the network equipment to application log, all kinds of safety
Standby log.The complexity of log parsing also increasingly increases, and parses required performance and is also gradually increased, and produces to the high speed processing of log
Raw very big pressure.
Existing log processing system is all that log and resolution rules library are carried out full dose matching.This method is in a small amount of day
A small amount of performance is occupied in the case where will to be completed to parse to log, but will result in the case where a large amount of logs very big
Waist performance.When resolution rules entry number is only 10, the parsing matching times of every log may be less than ten times, but such as
When resolution rules entry number reaches 10W, system may will reach tens of thousands of times very for the parsing matching of each log
To 9W more times, and the log that each enters requires the matching by the process, then will result in the process very
The big wasting of resources, influences resolution speed.So will generate, resolution speed is slow or sacrifice parsing granularity solves to reach to be promoted
The problem of analysing speed.
To sum up, the technical issues of that there are resolution speeds is slow for existing log analytic method, poor reliability.
Summary of the invention
In view of this, the purpose of the present invention is to provide method, system and the electronic equipment of a kind of fast resolving log, with
Alleviate existing log analytic method there are resolution speeds it is slow, the technical issues of poor reliability.
In a first aspect, the embodiment of the invention provides a kind of methods of fast resolving log, comprising:
Target log to be resolved is obtained, and obtains the assets information to be matched of target log to be resolved, wherein is described
Assets information to be matched includes at least Asset ID, Asset IP, port numbers;
The assets to be matched in target log to be resolved and current optimization property match regular record table are believed
The corresponding target resolution rules carry out sequence matching of breath, wherein the current optimization property match regular record table includes: to work as
Preceding moment assets information, and the corresponding relationship between resolution rules ID and matching times, and the current optimization property match rule
Then in record sheet, the corresponding relationship is arranged according to the descending of matching times corresponding to same assets information;
If the target log to be resolved matches with the sub-goal resolution rules in the target resolution rules, lead to
The sub-goal resolution rules are crossed to parse target log to be resolved;
If all sub-goal resolution rules in the target log to be resolved and the target resolution rules mismatch,
Alternatively, the record of the assets information to be matched is not present in the current optimization property match regular record table, then it will be described
Target log to be resolved is matched one by one with the resolution rules in resolution rules library, and the resolution rules pair obtained according to matching
The target log to be resolved is parsed, wherein the resolution rules ID in the current optimization property match regular record table
Represented resolution rules are the subset of resolution rules in the resolution rules library.
With reference to first aspect, the embodiment of the invention provides the first possible embodiments of first aspect, wherein obtains
The target log to be resolved is taken to include:
Log to be resolved is obtained, and obtains the assets information of the log to be resolved;
Judge whether the assets information of the log to be resolved matches with default assets information;
If the assets information of the log to be resolved matches with the default assets information, it is determined that described to be resolved
Log is target log to be resolved.
With reference to first aspect, the embodiment of the invention provides second of possible embodiments of first aspect, wherein
It will be corresponding to the assets information to be matched in target log to be resolved and current optimization property match regular record table
Target resolution rules carry out sequence matching before, the method also includes:
Judge the record that whether there is the assets information to be matched in the current optimization property match regular record table;
If it is present by the institute in target log to be resolved and the current optimization property match regular record table
State target resolution rules carry out sequence matching corresponding to assets information to be matched;
If it does not exist, then the resolution rules in target log to be resolved and the resolution rules library are carried out one by one
Matching.
With reference to first aspect, the embodiment of the invention provides the third possible embodiments of first aspect, wherein
After sub-goal resolution rules in the target log to be resolved and the target resolution rules match, the method is also wrapped
It includes:
To assets information and sub-goal resolution rules to be matched described in the current optimization property match regular record table
Matching times corresponding to ID are updated, and obtain updated matching times, wherein the sub-goal resolution rules ID is institute
State ID corresponding to sub-goal resolution rules;
Based on the updated matching times to the corresponding relationship in the current optimization property match regular record table
Sequence be updated, updated optimization property match regular record table is obtained, by the updated optimization assets
Log with regular record table for subsequent time parses.
With reference to first aspect, the embodiment of the invention provides the 4th kind of possible embodiments of first aspect, wherein
After being parsed according to the resolution rules that matching obtains to target log to be resolved, the method also includes:
It is described to match resolution rules ID corresponding to obtained resolution rules and matching time by the assets information to be matched
Number is as new corresponding relationship and the principle that arranges according to matching times descending corresponding to same assets information to be matched is by institute
It states new corresponding relationship to be added in the current optimization property match regular record table, obtains updated optimization property match
Regular record table parses the log that the updated optimization property match regular record table is used for subsequent time.
Second aspect, the embodiment of the invention also provides a kind of systems of fast resolving log, comprising:
Module is obtained, for obtaining target log to be resolved, and obtains the assets to be matched of target log to be resolved
Information, wherein the assets information to be matched includes at least Asset ID, Asset IP, port numbers;
Matching module, for will be described in target log to be resolved and current optimization property match regular record table
Target resolution rules carry out sequence matching corresponding to assets information to be matched, wherein the current optimization property match rule
Record sheet includes: the corresponding relationship between current time assets information, with resolution rules ID and matching times, and described current excellent
Change in property match regular record table, the corresponding relationship is arranged according to the descending of matching times corresponding to same assets information
Column;
First parsing module is advised if the sub-goal in target log to be resolved and the target resolution rules parses
Then match, then target log to be resolved is parsed by the sub-goal resolution rules;
Second parsing module, if all sub-goal solutions in target log to be resolved and the target resolution rules
Analysis rule mismatches, alternatively, there is no the assets informations to be matched in the current optimization property match regular record table
Record, then matched target log to be resolved with the resolution rules in resolution rules library one by one, and according to matching
To resolution rules target log to be resolved is parsed, wherein the current optimization property match regular record table
In resolution rules ID represented by resolution rules be the resolution rules library in resolution rules subset.
In conjunction with second aspect, the embodiment of the invention provides the first possible embodiments of second aspect, wherein institute
Stating acquisition module includes:
Acquiring unit for obtaining log to be resolved, and obtains the assets information of the log to be resolved;
Judging unit, for judging whether the assets information of the log to be resolved matches with default assets information;
Determination unit, if the assets information of the log to be resolved matches with the default assets information, it is determined that
The log to be resolved is target log to be resolved.
In conjunction with second aspect, the embodiment of the invention provides second of possible embodiments of second aspect, wherein institute
The system of stating is also used to:
Judge the record that whether there is the assets information to be matched in the current optimization property match regular record table;
If it is present by the institute in target log to be resolved and the current optimization property match regular record table
State target resolution rules carry out sequence matching corresponding to assets information to be matched;
If it does not exist, then the resolution rules in target log to be resolved and the resolution rules library are carried out one by one
Matching.
In conjunction with second aspect, the embodiment of the invention provides the third possible embodiments of second aspect, wherein institute
State system further include:
First update module, for assets information to be matched described in the current optimization property match regular record table
It is updated with matching times corresponding to sub-goal resolution rules ID, obtains updated matching times, wherein the specific item
Marking resolution rules ID is ID corresponding to the sub-goal resolution rules;
Second update module, for being remembered based on the updated matching times to the current optimization property match rule
The sequence of corresponding relationship in record table is updated, and obtains updated optimization property match regular record table, by described in more
Log of the optimization property match regular record table for subsequent time after new parses.
The third aspect, the embodiment of the invention also provides a kind of electronic equipment, including memory, processor, the storages
The computer program that can be run on the processor is stored on device, the processor is realized when executing the computer program
The step of method described in above-mentioned first aspect.
The embodiment of the present invention bring it is following the utility model has the advantages that
In the present embodiment, target log to be resolved is first obtained, and obtains the assets to be matched letter of target log to be resolved
Breath;It then, will be corresponding to the assets information to be matched in target log to be resolved and current optimization property match regular record table
Target resolution rules carry out sequence matching;If the sub-goal resolution rules in target log to be resolved and target resolution rules
Match, then target log to be resolved is parsed by sub-goal resolution rules;If target log to be resolved and target
All sub-goal resolution rules in resolution rules mismatch, alternatively, being currently not present in optimization property match regular record table
The record of assets information to be matched is then matched target log to be resolved with the resolution rules in resolution rules library one by one,
And target log to be resolved is parsed according to the resolution rules that matching obtains.As can be seen from the above description, in the present embodiment
In, it, first will be in target log to be resolved and current optimization property match regular record table after receiving target log to be resolved
Assets information to be matched corresponding to target resolution rules carry out sequence matching, if matching is unsuccessful, enter back into parsing rule
Resolution rules matching, also, the assets information recorded in current optimization property match regular record table, parsing rule are then carried out in library
Then ID, the corresponding relationship between matching times is arranged according to the descending of matching times corresponding to same assets information, this
Sample decreases matching times to a certain extent, substantially increases the probability of successful match, Jin Erjia when sequence matches
The fast speed of log parsing, while without sacrificing parsing granularity, so the high reliablity of log parsing, alleviates existing day
The technical issues of will analytic method resolution speed is slow, poor reliability.
Other features and advantages of the present invention will illustrate in the following description, also, partly become from specification
It obtains it is clear that understand through the implementation of the invention.The objectives and other advantages of the invention are in specification, claims
And specifically noted structure is achieved and obtained in attached drawing.
To enable the above objects, features and advantages of the present invention to be clearer and more comprehensible, preferred embodiment is cited below particularly, and cooperate
Appended attached drawing, is described in detail below.
Detailed description of the invention
It, below will be to specific in order to illustrate more clearly of the specific embodiment of the invention or technical solution in the prior art
Embodiment or attached drawing needed to be used in the description of the prior art be briefly described, it should be apparent that, it is described below
Attached drawing is some embodiments of the present invention, for those of ordinary skill in the art, before not making the creative labor
It puts, is also possible to obtain other drawings based on these drawings.
Fig. 1 is a kind of flow chart of the method for fast resolving log provided in an embodiment of the present invention;
Fig. 2 is the method flow diagram provided in an embodiment of the present invention for obtaining target log to be resolved;
Fig. 3 is the method flow diagram of determining matching position provided in an embodiment of the present invention;
Fig. 4 is a kind of schematic diagram of the system of fast resolving log provided in an embodiment of the present invention;
Fig. 5 is the schematic diagram of a kind of electronic equipment provided in an embodiment of the present invention.
Specific embodiment
In order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with attached drawing to the present invention
Technical solution be clearly and completely described, it is clear that described embodiments are some of the embodiments of the present invention, rather than
Whole embodiments.Based on the embodiments of the present invention, those of ordinary skill in the art are not making creative work premise
Under every other embodiment obtained, shall fall within the protection scope of the present invention.
For convenient for understanding the present embodiment, first to a kind of fast resolving log disclosed in the embodiment of the present invention
Method describes in detail.
Embodiment one:
According to embodiments of the present invention, the embodiment of a kind of method of fast resolving log is provided, it should be noted that
The step of process of attached drawing illustrates can execute in a computer system such as a set of computer executable instructions, also,
It, in some cases, can be to be different from shown in sequence execution herein although logical order is shown in flow charts
The step of out or describing.
Fig. 1 is a kind of flow chart of the method for fast resolving log according to an embodiment of the present invention, as shown in Figure 1, the party
Method includes the following steps:
Step S102 obtains target log to be resolved, and obtains the assets information to be matched of target log to be resolved,
In, assets information to be matched includes at least Asset ID, Asset IP, port numbers;
In embodiments of the present invention, the method for the fast resolving log can be applied in Log Audit System, the log
Auditing system is independent development, for receiving, handling, parsing the log (i.e. target log to be resolved) to audit device.
Step S104 believes the assets to be matched in target log to be resolved and current optimization property match regular record table
The corresponding target resolution rules carry out sequence matching of breath, wherein when current optimization property match regular record table includes: current
Carve the corresponding relationship between assets information, with resolution rules ID and matching times, and current optimization property match regular record table
In, corresponding relationship is arranged according to the descending of matching times corresponding to same assets information;
It, will be in target log to be resolved and current optimization property match regular record table after obtaining target log to be resolved
Assets information to be matched corresponding to target resolution rules carry out sequence matching.
Specifically, currently optimization property match regular record table is current time assets information, resolution rules ID, matching time
What the corresponding relationship between number was arranged according to the descending of matching times corresponding to same assets information.The embodiment of the present invention
In current optimization property match regular record table form it is following (embodiment of the present invention is to it without concrete restriction):
| Asset ID | Resolution rules ID | Matching times |
| id1 | ID5 | 1200 |
| id1 | ID3 | 800 |
| id2 | ID5 | 1000 |
| id2 | ID4 | 600 |
| id3 | ID2 | 200 |
| ... | … | … |
| idn | ID6 | 600 |
| … | … | … |
Step S106, if target log to be resolved matches with the sub-goal resolution rules in target resolution rules,
Target log to be resolved is parsed by sub-goal resolution rules;
Step S108, if all sub-goal resolution rules in target log to be resolved and target resolution rules are not
Match, alternatively, the record of assets information to be matched is currently not present in optimization property match regular record table, then it is target is to be resolved
Log is matched one by one with the resolution rules in resolution rules library, and to be resolved to target according to the resolution rules that matching obtains
Log is parsed, wherein currently resolution rules represented by the resolution rules ID in optimization property match regular record table are
The subset of resolution rules in resolution rules library.
Specifically, resolution rules library is for storing the resolution rules parsed to log, and in resolution rules library
The resolution rules of storage are the rules of full dose.Wherein, resolution rules are the rule files of inventor's independent development, in log audit
When system initialization, rule file can be loaded onto resolution rules library automatically, and then according to demand, can will determine in rule file
The resolution rules of control equipment are directed into resolution rules library, and the corresponding unique ID of every resolution rules.Following table is this hair
The resolution rules library of bright embodiment:
| Serial number | Resolution rules ID | Resolution rules |
| 1 | ID1 | Rule 1 |
| 2 | ID2 | Rule 2 |
| 3 | ID3 | Rule 3 |
| 4 | ID4 | Rule 4 |
| 5 | ID5 | Rule 5 |
| … | … | … |
| n | IDn | Regular n |
| … | … | … |
And currently optimizing resolution rules represented by the resolution rules ID in property match regular record table is resolution rules
The subset of resolution rules in library.
In the present embodiment, target log to be resolved is first obtained, and obtains the assets to be matched letter of target log to be resolved
Breath;It then, will be corresponding to the assets information to be matched in target log to be resolved and current optimization property match regular record table
Target resolution rules carry out sequence matching;If the sub-goal resolution rules in target log to be resolved and target resolution rules
Match, then target log to be resolved is parsed by sub-goal resolution rules;If target log to be resolved and target
All sub-goal resolution rules in resolution rules mismatch, alternatively, being currently not present in optimization property match regular record table
The record of assets information to be matched is then matched target log to be resolved with the resolution rules in resolution rules library one by one,
And target log to be resolved is parsed according to the resolution rules that matching obtains.As can be seen from the above description, in the present embodiment
In, it, first will be in target log to be resolved and current optimization property match regular record table after receiving target log to be resolved
Assets information to be matched corresponding to target resolution rules carry out sequence matching, if matching is unsuccessful, enter back into parsing rule
Resolution rules matching, also, the assets information recorded in current optimization property match regular record table, parsing rule are then carried out in library
Then ID, the corresponding relationship between matching times is arranged according to the descending of matching times corresponding to same assets information, this
Sample decreases matching times to a certain extent, substantially increases the probability of successful match, Jin Erjia when sequence matches
The fast speed of log parsing, while without sacrificing parsing granularity, so the high reliablity of log parsing, alleviates existing day
The technical issues of will analytic method resolution speed is slow, poor reliability.
Above content has carried out brief introduction to the process of the method for fast resolving log of the invention, is related to below to it
To other contents be introduced.
In an optional embodiment of the invention, with reference to Fig. 2, obtains target log to be resolved and include the following steps:
Step S201 obtains log to be resolved, and obtains the assets information of log to be resolved;
Step S202, judges whether the assets information of log to be resolved matches with default assets information;
Specifically, assets information is configured in Log Audit System in advance, comprising: Asset ID, Asset IP, port numbers.Match
Set complete assets information after, if after acquiring log to be resolved, judge the log to be resolved assets information whether with
Default assets information (i.e. preconfigured assets information) matches.
Step S203, if the assets information of log to be resolved matches with default assets information, it is determined that day to be resolved
Will is target log to be resolved.
It is to be resolved to abandon this if the assets information of log to be resolved and default assets information mismatch by step S204
Log.
In an optional embodiment of the invention, with reference to Fig. 3, target log to be resolved is being optimized into assets with current
Before target resolution rules carry out sequence matching corresponding to assets information to be matched in matching rule record sheet, this method is also
Include the following steps:
Step S301 judges the note that whether there is assets information to be matched in current optimization property match regular record table
Record;
Step S302, if it is present by target log to be resolved and current optimization property match regular record table
Target resolution rules carry out sequence matching corresponding to assets information to be matched;
Step S303, if it does not exist, then by the resolution rules in target log to be resolved and resolution rules library carry out by
Item matching.
Sub-goal in an optional embodiment of the invention, in target log to be resolved and target resolution rules
After resolution rules match, this method further includes following (1) and (2):
(1) right to assets information and sub-goal resolution rules ID institute to be matched in current optimization property match regular record table
The matching times answered are updated, and obtain updated matching times, wherein sub-goal resolution rules ID is sub-goal parsing rule
Then corresponding ID;
(2) sequence based on updated matching times to the corresponding relationship in current optimization property match regular record table
It is updated, obtains updated optimization property match regular record table, by updated optimization property match regular record
Log of the table for subsequent time parses.
In an optional embodiment of the invention, in the resolution rules obtained according to matching to target log to be resolved
After being parsed, this method further include:
By assets information to be matched, resolution rules ID corresponding to the resolution rules that match and matching times are as new
Corresponding relationship and corresponding closed according to the principle of the arrangement of matching times descending corresponding to same assets information to be matched by new
System is added in current optimization property match regular record table, obtains updated optimization property match regular record table, will
Log of the updated optimization property match regular record table for subsequent time parses.
It is introduced below with the process that a specific embodiment parses log:
Optimize the original state of property match regular record table are as follows:
| Asset ID | Resolution rules ID | Matching times |
It 1) is id when receiving Asset ID1A target log to be resolved, target log matches to be resolved are above-mentioned
Optimize property match regular record table, because not having Asset ID in optimization property match regular record table is id1Corresponding solution
Analyse rule ID, therefore, into resolution rules library by the resolution rules in target log to be resolved and target log to be resolved into
Row matches one by one, if matching obtains resolution rules 5, is parsed with resolution rules 5 to target log to be resolved, and will money
Production ID is id1, resolution rules ID is ID5, the corresponding relationship that matching times are 1, which is added to, to be optimized in property match regular record table,
And corresponding relationship is ranked up according to the principle that matching times descending corresponding to same assets information arranges, it obtains for the first time
Optimization property match regular record table.
| Asset ID | Resolution rules ID | Matching times |
| id1 | ID5 | 1 |
It 2) is id when receiving Asset ID again1A target log to be resolved, will be on target log matches to be resolved
Optimization property match regular record table is stated, because Asset ID is id in optimization property match regular record table1Corresponding parsing
Rule ID is ID5, then target log to be resolved is matched with resolution rules 5, it is right with resolution rules 5 if matched
Target log to be resolved is parsed, while updating id1And ID5Corresponding matching times (i.e. matching times add 1), and to right
It should be related to and be ranked up according to the principle of the arrangement of matching times descending corresponding to same assets information, obtain secondary optimization
Property match regular record table.
| Asset ID | Resolution rules ID | Matching times |
| id1 | ID5 | 2 |
It 3) is id when receiving Asset ID again1A target log to be resolved, will be on target log matches to be resolved
Optimization property match regular record table is stated, because Asset ID is id in optimization property match regular record table1Corresponding parsing
Rule ID is ID5, then target log to be resolved is matched with resolution rules 5, if it does not match, into resolution rules library
It is middle to be matched target log to be resolved one by one with the resolution rules in target log to be resolved, if matching obtains parsing rule
Then 3, then target log to be resolved is parsed with resolution rules 3, and be id by Asset ID1, resolution rules ID is ID3, matching
The corresponding relationship that number is 1 is added in optimization property match regular record table, and to corresponding relationship according to same assets information
The principle of corresponding matching times descending arrangement is ranked up, and obtains the optimization property match regular record table of third time.
| Asset ID | Resolution rules ID | Matching times |
| id1 | ID5 | 2 |
| id1 | ID3 | 1 |
It 4) is id when receiving Asset ID again2A target log to be resolved, will be on target log matches to be resolved
Optimization property match regular record table is stated, because not having Asset ID in optimization property match regular record table is id2Corresponding
Resolution rules ID, therefore, into resolution rules library by the resolution rules in target log to be resolved and target log to be resolved
It is matched, if matching obtains resolution rules 5, target log to be resolved is parsed with resolution rules 5 one by one, and will
Asset ID is id2, resolution rules ID is ID5, the corresponding relationship that matching times are 1, which is added to, optimizes property match regular record table
In, and corresponding relationship is ranked up according to the principle that matching times descending corresponding to same assets information arranges, obtain
Four optimization property match regular record tables.
| Asset ID | Resolution rules ID | Matching times |
| id1 | ID5 | 2 |
| id1 | ID3 | 1 |
| id2 | ID5 | 1 |
....
With the increase of log parsing amount, optimize property match regular record table and gradually enrich, gradually tends to be comprehensively complete,
In this way when parsing to new log, the resolution rules matching of Asset ID is corresponded in optimised property match regular record table
Successful probability approach absolutely, without being matched one by one in each resolution rules library, greatly improves matching efficiency,
Also, corresponding relationship therein is arranged according to matching times descending, and sequence can greatly reduce the matching time of resolution rules when matching
Number, further improves matching efficiency.
Embodiment two:
The embodiment of the invention also provides a kind of system of fast resolving log, the system of the fast resolving log is mainly used
In the method for executing fast resolving log provided by above content of the embodiment of the present invention, below to provided in an embodiment of the present invention
The system of fast resolving log does specific introduction.
Fig. 4 is a kind of schematic diagram of the system of fast resolving log according to an embodiment of the present invention, as shown in figure 4, this is fast
The system of speed parsing log mainly includes obtaining module 10, matching module 20, the first parsing module 30 and the second parsing module 40,
Wherein:
Module is obtained, for obtaining target log to be resolved, and obtains the assets information to be matched of target log to be resolved,
Wherein, assets information to be matched includes at least Asset ID, Asset IP, port numbers;
Matching module, for by the money to be matched in target log to be resolved and current optimization property match regular record table
Produce target resolution rules carry out sequence matching corresponding to information, wherein current optimization property match regular record table includes: to work as
Preceding moment assets information, and the corresponding relationship between resolution rules ID and matching times, and current optimization property match rule note
It records in table, corresponding relationship is arranged according to the descending of matching times corresponding to same assets information;
First parsing module, if target log to be resolved and the sub-goal resolution rules phase in target resolution rules
Match, then target log to be resolved is parsed by sub-goal resolution rules;
Second parsing module, if all sub-goal resolution rules in target log to be resolved and target resolution rules are not
Target then is waited solving by matching alternatively, the record of assets information to be matched is currently not present in optimization property match regular record table
Analysis log is matched one by one with the resolution rules in resolution rules library, and waits solving to target according to the resolution rules that matching obtains
Analysis log is parsed, wherein resolution rules represented by the resolution rules ID in current optimization property match regular record table
For the subset of resolution rules in resolution rules library.
In the present embodiment, target log to be resolved is first obtained, and obtains the assets to be matched letter of target log to be resolved
Breath;It then, will be corresponding to the assets information to be matched in target log to be resolved and current optimization property match regular record table
Target resolution rules carry out sequence matching;If the sub-goal resolution rules in target log to be resolved and target resolution rules
Match, then target log to be resolved is parsed by sub-goal resolution rules;If target log to be resolved and target
All sub-goal resolution rules in resolution rules mismatch, alternatively, being currently not present in optimization property match regular record table
The record of assets information to be matched is then matched target log to be resolved with the resolution rules in resolution rules library one by one,
And target log to be resolved is parsed according to the resolution rules that matching obtains.As can be seen from the above description, in the present embodiment
In, it, first will be in target log to be resolved and current optimization property match regular record table after receiving target log to be resolved
Assets information to be matched corresponding to target resolution rules carry out sequence matching, if matching is unsuccessful, enter back into parsing rule
Resolution rules matching, also, the assets information recorded in current optimization property match regular record table, parsing rule are then carried out in library
Then ID, the corresponding relationship between matching times is arranged according to the descending of matching times corresponding to same assets information, this
Sample decreases matching times to a certain extent, substantially increases the probability of successful match, Jin Erjia when sequence matches
The fast speed of log parsing, while without sacrificing parsing granularity, so the high reliablity of log parsing, alleviates existing day
The technical issues of will analytic method resolution speed is slow, poor reliability.
Optionally, obtaining module includes:
Acquiring unit for obtaining log to be resolved, and obtains the assets information of log to be resolved;
Judging unit, for judging whether the assets information of log to be resolved matches with default assets information;
Determination unit, if the assets information of log to be resolved matches with default assets information, it is determined that day to be resolved
Will is target log to be resolved.
Optionally, which is also used to:
It whether there is the record of assets information to be matched in the current optimization property match regular record table of judgement;
If it is present by the assets to be matched in target log to be resolved and current optimization property match regular record table
Target resolution rules carry out sequence matching corresponding to information;
If it does not exist, then target log to be resolved is matched one by one with the resolution rules in resolution rules library.
Optionally, the system further include:
First update module, for assets information and sub-goal to be matched in current optimization property match regular record table
Matching times corresponding to resolution rules ID are updated, and obtain updated matching times, wherein sub-goal resolution rules ID
For ID corresponding to sub-goal resolution rules;
Second update module, for being optimized in property match regular record table based on updated matching times to current
The sequence of corresponding relationship is updated, and obtains updated optimization property match regular record table, and updated optimization is provided
The log that matching rule record sheet is produced for subsequent time parses.
Optionally, the system further include:
Adding module, for by assets information to be matched, resolution rules ID corresponding to the resolution rules that match and
Matching times are as new corresponding relationship and according to the original of the arrangement of matching times descending corresponding to same assets information to be matched
Then new corresponding relationship is added in current optimization property match regular record table, obtains updated optimization property match rule
Then record sheet parses the log that updated optimization property match regular record table is used for subsequent time.
The technical effect and preceding method embodiment phase of system provided by the embodiment of the present invention, realization principle and generation
Together, to briefly describe, system embodiment part does not refer to place, can refer to corresponding contents in preceding method embodiment.
Embodiment three:
The embodiment of the invention provides a kind of electronic equipment, and with reference to Fig. 5, which includes: processor 50, memory
51, bus 52 and communication interface 53, processor 50, communication interface 53 and memory 51 are connected by bus 52;Processor 50 is used
The executable module stored in execution memory 51, such as computer program.Processor is realized such as when executing extreme and program
Described in embodiment of the method the step of method.
Wherein, memory 51 may include high-speed random access memory (RAM, Random Access Memory),
It may further include non-labile memory (non-volatile memory), for example, at least a magnetic disk storage.By extremely
A few communication interface 53 (can be wired or wireless) is realized logical between the system network element and at least one other network element
Letter connection, can be used internet, wide area network, local network, Metropolitan Area Network (MAN) etc..
Bus 52 can be isa bus, pci bus or eisa bus etc..It is total that bus can be divided into address bus, data
Line, control bus etc..Only to be indicated with a four-headed arrow in Fig. 5, it is not intended that an only bus or one convenient for indicating
The bus of seed type.
Wherein, memory 51 is for storing program, and processor 50 executes program after receiving and executing instruction, and aforementioned
Method performed by the system that the stream process that inventive embodiments any embodiment discloses defines can be applied in processor 50, or
Person is realized by processor 50.
Processor 50 may be a kind of IC chip, the processing capacity with signal.During realization, above-mentioned side
Each step of method can be completed by the integrated logic circuit of the hardware in processor 50 or the instruction of software form.Above-mentioned
Processor 50 can be general processor, including central processing unit (Central Processing Unit, abbreviation CPU), network
Processor (Network Processor, abbreviation NP) etc.;It can also be digital signal processor (Digital Signal
Processing, abbreviation DSP), specific integrated circuit (Application Specific Integrated Circuit, referred to as
ASIC), ready-made programmable gate array (Field-Programmable Gate Array, abbreviation FPGA) or other are programmable
Logical device, discrete gate or transistor logic, discrete hardware components.It may be implemented or execute in the embodiment of the present invention
Disclosed each method, step and logic diagram.General processor can be microprocessor or the processor is also possible to appoint
What conventional processor etc..The step of method in conjunction with disclosed in the embodiment of the present invention, can be embodied directly in hardware decoding processing
Device executes completion, or in decoding processor hardware and software module combination execute completion.Software module can be located at
Machine memory, flash memory, read-only memory, programmable read only memory or electrically erasable programmable memory, register etc. are originally
In the storage medium of field maturation.The storage medium is located at memory 51, and processor 50 reads the information in memory 51, in conjunction with
Its hardware completes the step of above method.
The computer program of a kind of method of fast resolving log, system provided by the embodiment of the present invention and electronic equipment
Product, the computer readable storage medium including storing program code, the instruction that said program code includes can be used for executing
Previous methods method as described in the examples, specific implementation can be found in embodiment of the method, and details are not described herein.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description
Specific work process, can refer to corresponding processes in the foregoing method embodiment, details are not described herein.
In addition, in the description of the embodiment of the present invention unless specifically defined or limited otherwise, term " installation ", " phase
Even ", " connection " shall be understood in a broad sense, for example, it may be being fixedly connected, may be a detachable connection, or be integrally connected;It can
To be mechanical connection, it is also possible to be electrically connected;It can be directly connected, can also can be indirectly connected through an intermediary
Connection inside two elements.For the ordinary skill in the art, above-mentioned term can be understood at this with concrete condition
Concrete meaning in invention.
It, can be with if the function is realized in the form of SFU software functional unit and when sold or used as an independent product
It is stored in a computer readable storage medium.Based on this understanding, technical solution of the present invention is substantially in other words
The part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products, the meter
Calculation machine software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be a
People's computer, server or network equipment etc.) it performs all or part of the steps of the method described in the various embodiments of the present invention.
And storage medium above-mentioned includes: that USB flash disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), arbitrary access are deposited
The various media that can store program code such as reservoir (RAM, Random Access Memory), magnetic or disk.
In the description of the present invention, it should be noted that term " center ", "upper", "lower", "left", "right", "vertical",
The orientation or positional relationship of the instructions such as "horizontal", "inner", "outside" be based on the orientation or positional relationship shown in the drawings, merely to
Convenient for description the present invention and simplify description, rather than the device or element of indication or suggestion meaning must have a particular orientation,
It is constructed and operated in a specific orientation, therefore is not considered as limiting the invention.In addition, term " first ", " second ",
" third " is used for descriptive purposes only and cannot be understood as indicating or suggesting relative importance.
Finally, it should be noted that embodiment described above, only a specific embodiment of the invention, to illustrate the present invention
Technical solution, rather than its limitations, scope of protection of the present invention is not limited thereto, although with reference to the foregoing embodiments to this hair
It is bright to be described in detail, those skilled in the art should understand that: anyone skilled in the art
In the technical scope disclosed by the present invention, it can still modify to technical solution documented by previous embodiment or can be light
It is readily conceivable that variation or equivalent replacement of some of the technical features;And these modifications, variation or replacement, do not make
The essence of corresponding technical solution is detached from the spirit and scope of technical solution of the embodiment of the present invention, should all cover in protection of the invention
Within the scope of.Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. a kind of method of fast resolving log characterized by comprising
Obtain target log to be resolved, and obtain the assets information to be matched of target log to be resolved, wherein it is described to
Asset ID, Asset IP, port numbers are included at least with assets information;
By the assets information institute to be matched in target log to be resolved and current optimization property match regular record table
Corresponding target resolution rules carry out sequence matching, wherein when the current optimization property match regular record table includes: current
Carve the corresponding relationship between assets information, with resolution rules ID and matching times, and the current optimization property match rule note
It records in table, the corresponding relationship is arranged according to the descending of matching times corresponding to same assets information;
If the target log to be resolved matches with the sub-goal resolution rules in the target resolution rules, pass through institute
Sub-goal resolution rules are stated to parse target log to be resolved;
If all sub-goal resolution rules in the target log to be resolved and the target resolution rules mismatch, or
Person, the current record optimized in property match regular record table there is no the assets information to be matched, then by the mesh
It marks log to be resolved to be matched one by one with the resolution rules in resolution rules library, and the resolution rules obtained according to matching are to institute
It states target log to be resolved to be parsed, wherein the resolution rules ID institute in the current optimization property match regular record table
The resolution rules of expression are the subset of resolution rules in the resolution rules library.
2. the method according to claim 1, wherein acquisition target log to be resolved includes:
Log to be resolved is obtained, and obtains the assets information of the log to be resolved;
Judge whether the assets information of the log to be resolved matches with default assets information;
If the assets information of the log to be resolved matches with the default assets information, it is determined that the log to be resolved
For target log to be resolved.
3. the method according to claim 1, wherein target log to be resolved is optimized assets with current
It is described before target resolution rules carry out sequence matching corresponding to the assets information to be matched in matching rule record sheet
Method further include:
Judge the record that whether there is the assets information to be matched in the current optimization property match regular record table;
If it is present by described in target log to be resolved and the current optimization property match regular record table to
Match target resolution rules carry out sequence matching corresponding to assets information;
If it does not exist, then the resolution rules in target log to be resolved and the resolution rules library are carried out one by one
Match.
4. the method according to claim 1, wherein being advised in target log to be resolved and target parsing
After sub-goal resolution rules in then match, the method also includes:
To assets information and sub-goal resolution rules ID to be matched institute described in the current optimization property match regular record table
Corresponding matching times are updated, and obtain updated matching times, wherein the sub-goal resolution rules ID is the son
ID corresponding to target resolution rules;
Based on the updated matching times to the row of the corresponding relationship in the current optimization property match regular record table
Sequence is updated, and obtains updated optimization property match regular record table, and the updated optimization property match is advised
Then record sheet is parsed for the log of subsequent time.
5. the method according to claim 1, wherein waiting in the resolution rules obtained according to matching the target
After parsing log is parsed, the method also includes:
It is described to match resolution rules ID corresponding to obtained resolution rules and matching times work by the assets information to be matched
For new corresponding relationship and according to matching times descending corresponding to same assets information to be matched arrangement principle will it is described newly
Corresponding relationship be added in the current optimization property match regular record table, obtain updated optimization property match rule
Record sheet parses the log that the updated optimization property match regular record table is used for subsequent time.
6. a kind of system of fast resolving log characterized by comprising
Module is obtained, for obtaining target log to be resolved, and obtains the assets information to be matched of target log to be resolved,
Wherein, the assets information to be matched includes at least Asset ID, Asset IP, port numbers;
Matching module, for by described in target log to be resolved and current optimization property match regular record table to
With target resolution rules carry out sequence matching corresponding to assets information, wherein the current optimization property match regular record
Table includes: the corresponding relationship between current time assets information, with resolution rules ID and matching times, and the current optimization provides
It produces in matching rule record sheet, the corresponding relationship is arranged according to the descending of matching times corresponding to same assets information;
First parsing module, if target log to be resolved and the sub-goal resolution rules phase in the target resolution rules
Matching, then parse target log to be resolved by the sub-goal resolution rules;
Second parsing module is advised if all sub-goals in target log to be resolved and the target resolution rules parse
Then mismatch, alternatively, the record of the assets information to be matched is not present in the current optimization property match regular record table,
The solution for then target log to be resolved being matched one by one with the resolution rules in resolution rules library, and being obtained according to matching
Analysis rule parses target log to be resolved, wherein the solution in the current optimization property match regular record table
Analyse the subset that resolution rules represented by rule ID are resolution rules in the resolution rules library.
7. system according to claim 6, which is characterized in that the acquisition module includes:
Acquiring unit for obtaining log to be resolved, and obtains the assets information of the log to be resolved;
Judging unit, for judging whether the assets information of the log to be resolved matches with default assets information;
Determination unit, if the assets information of the log to be resolved matches with the default assets information, it is determined that described
Log to be resolved is target log to be resolved.
8. system according to claim 6, which is characterized in that the system is also used to:
Judge the record that whether there is the assets information to be matched in the current optimization property match regular record table;
If it is present by described in target log to be resolved and the current optimization property match regular record table to
Match target resolution rules carry out sequence matching corresponding to assets information;
If it does not exist, then the resolution rules in target log to be resolved and the resolution rules library are carried out one by one
Match.
9. system according to claim 6, which is characterized in that the system also includes:
First update module, for assets information and son to be matched described in the current optimization property match regular record table
Matching times corresponding to target resolution rules ID are updated, and obtain updated matching times, wherein the sub-goal solution
Analysing rule ID is ID corresponding to the sub-goal resolution rules;
Second update module, for being based on the updated matching times to the current optimization property match regular record table
In the sequence of corresponding relationship be updated, updated optimization property match regular record table is obtained, after the update
Optimization property match regular record table for subsequent time log parse.
10. a kind of electronic equipment, including memory, processor, it is stored with and can runs on the processor on the memory
Computer program, which is characterized in that the processor is realized in the claims 1 to 5 when executing the computer program
The step of described in any item methods.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811272135.8A CN109284268B (en) | 2018-10-29 | 2018-10-29 | Method, system and electronic equipment for rapidly analyzing logs |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811272135.8A CN109284268B (en) | 2018-10-29 | 2018-10-29 | Method, system and electronic equipment for rapidly analyzing logs |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109284268A true CN109284268A (en) | 2019-01-29 |
| CN109284268B CN109284268B (en) | 2020-11-24 |
Family
ID=65174378
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811272135.8A Active CN109284268B (en) | 2018-10-29 | 2018-10-29 | Method, system and electronic equipment for rapidly analyzing logs |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109284268B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113992364A (en) * | 2021-10-15 | 2022-01-28 | 湖南恒茂高科股份有限公司 | Network data packet blocking optimization method and system |
| CN115102848A (en) * | 2022-07-13 | 2022-09-23 | 上海中广核工程科技有限公司 | Log data extraction method, system, device and medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101237326A (en) * | 2008-02-29 | 2008-08-06 | 华为技术有限公司 | Method, device and system for real time parsing of device log |
| CN103618692A (en) * | 2013-10-28 | 2014-03-05 | 中国航天科工集团第二研究院七〇六所 | A method for constructing log fast matching |
| CN103873441A (en) * | 2012-12-12 | 2014-06-18 | 中国电信股份有限公司 | Firewall safety rule optimization method and device thereof |
| CN105760274A (en) * | 2016-01-27 | 2016-07-13 | 杭州安恒信息技术有限公司 | Dynamically activated and adjusted log analyzing method and system |
| CN106105112A (en) * | 2014-03-19 | 2016-11-09 | 日本电信电话株式会社 | Analysis rule adjusting apparatus, analysis rule adjust system, analysis rule method of adjustment and analysis rule adjustment programme |
| CN108462717A (en) * | 2018-03-21 | 2018-08-28 | 北京理工大学 | The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance |
-
2018
- 2018-10-29 CN CN201811272135.8A patent/CN109284268B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101237326A (en) * | 2008-02-29 | 2008-08-06 | 华为技术有限公司 | Method, device and system for real time parsing of device log |
| CN103873441A (en) * | 2012-12-12 | 2014-06-18 | 中国电信股份有限公司 | Firewall safety rule optimization method and device thereof |
| CN103618692A (en) * | 2013-10-28 | 2014-03-05 | 中国航天科工集团第二研究院七〇六所 | A method for constructing log fast matching |
| CN106105112A (en) * | 2014-03-19 | 2016-11-09 | 日本电信电话株式会社 | Analysis rule adjusting apparatus, analysis rule adjust system, analysis rule method of adjustment and analysis rule adjustment programme |
| US20170013018A1 (en) * | 2014-03-19 | 2017-01-12 | Nippon Telegraph And Telephone Corporation | Analysis rule adjustment device, analysis rule adjustment system, analysis rule adjustment method, and analysis rule adjustment program |
| CN105760274A (en) * | 2016-01-27 | 2016-07-13 | 杭州安恒信息技术有限公司 | Dynamically activated and adjusted log analyzing method and system |
| CN108462717A (en) * | 2018-03-21 | 2018-08-28 | 北京理工大学 | The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113992364A (en) * | 2021-10-15 | 2022-01-28 | 湖南恒茂高科股份有限公司 | Network data packet blocking optimization method and system |
| CN113992364B (en) * | 2021-10-15 | 2024-06-07 | 湖南恒茂高科股份有限公司 | Network data packet blocking optimization method and system |
| CN115102848A (en) * | 2022-07-13 | 2022-09-23 | 上海中广核工程科技有限公司 | Log data extraction method, system, device and medium |
| CN115102848B (en) * | 2022-07-13 | 2024-05-28 | 中广核数字科技有限公司 | Log data extraction method, system, equipment and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109284268B (en) | 2020-11-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108595157B (en) | Block chain data processing method, device, equipment and storage medium | |
| US10885056B2 (en) | Data standardization techniques | |
| US8903868B2 (en) | Processing of categorized product information | |
| CN108334609B (en) | Method, device, equipment and storage medium for realizing JSON format data access in Oracle | |
| EP2930629A1 (en) | Accessing non-relational data stores using structured query language queries | |
| CN111562965B (en) | Page data verification method and device based on decision tree | |
| CN110019298B (en) | Data processing method and device | |
| US11836331B2 (en) | Mathematical models of graphical user interfaces | |
| US20230205755A1 (en) | Methods and systems for improved search for data loss prevention | |
| CN110263311A (en) | A kind of generation method and equipment of Webpage | |
| CN111159016A (en) | Standard detection method and device | |
| CN109388614A (en) | A kind of method, system and the equipment of catalogue file number quota | |
| CN111523849A (en) | Resource transaction auditing method and device and server | |
| CN117493309A (en) | Standard model generation method, device, equipment and storage medium | |
| CN109284268A (en) | A kind of method, system and the electronic equipment of fast resolving log | |
| CN107368500A (en) | Data pick-up method and system | |
| CN111026737A (en) | Task processing method and device | |
| CN112671878B (en) | Block chain information subscription method, device, server and storage medium | |
| CN110516258B (en) | Data verification method and device, storage medium and electronic device | |
| CN110765100B (en) | Label generation method and device, computer readable storage medium and server | |
| CN113342647A (en) | Test data generation method and device | |
| CN107844490A (en) | A kind of database divides storehouse method and device | |
| CN110244954A (en) | A kind of Compilation Method and equipment of application program | |
| CN109426720B (en) | Interface parameter verification method and related device | |
| CN113760863A (en) | Database configuration method and device, computer equipment and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 310052 188 Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province Applicant after: Dbappsecurity Co.,Ltd. Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310000 and 15 layer Applicant before: Dbappsecurity Co.,Ltd. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220914 Address after: Room 709, 7th Floor, No. 188, Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province 310000 Patentee after: Hangzhou Anheng Vehicle Network Security Technology Co.,Ltd. Address before: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou City, Zhejiang Province Patentee before: Dbappsecurity Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240709 Address after: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province, 310000 Patentee after: Dbappsecurity Co.,Ltd. Country or region after: China Address before: Room 709, 7th Floor, No. 188, Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province 310000 Patentee before: Hangzhou Anheng Vehicle Network Security Technology Co.,Ltd. Country or region before: China |
|
| TR01 | Transfer of patent right |