STORING LOG DATA EFFICIENTLY WHILE SUPPORTING QUERYING TO ASSIST IN COMPUTER NETWORK SECURITY
First Claim
1. A method for processing log data, comprising:
receiving log data that comprises a plurality of events, an event including one or more fields; and
for each event in the plurality of events:
storing, in a buffer, the event; and
updating a metadata structure that comprises information about contents of the buffer, wherein information about contents of the buffer includes a first minimum value that reflects a minimum value of a first field of all of the events stored in the buffer.
Abstract
A logging system includes an event receiver and a storage manager. The receiver receives log data, processes it, and outputs a data “chunk.” The manager receives data chunks and stores them so that they can be queried. The receiver includes buffers that store events and a metadata structure that stores metadata about the contents of the buffers. The metadata includes a unique identifier associated with the receiver, the number of events in the buffers, and, for each “field of interest,” a minimum value and a maximum value that reflect the range of values of that field over all of the events in the buffers. A chunk includes the metadata structure and a compressed version of the contents of the buffers. The metadata structure acts as a search index when querying event data. The logging system can be used in conjunction with a security information/event management (SIEM) system.
18 Claims
1. A method for processing log data, comprising:
receiving log data that comprises a plurality of events, an event including one or more fields; and
for each event in the plurality of events:
storing, in a buffer, the event; and
updating a metadata structure that comprises information about contents of the buffer, wherein information about contents of the buffer includes a first minimum value that reflects a minimum value of a first field of all of the events stored in the buffer.
Dependent claims 2 to 16 depend from claim 1 and are not reproduced here.
17. A computer program product for processing log data, the computer program product comprising a computer-readable medium containing computer program code for performing a method, the method comprising:
receiving log data that comprises a plurality of events, an event including one or more fields; and
for each event in the plurality of events:
storing, in a buffer, the event; and
updating a metadata structure that comprises information about contents of the buffer, wherein information about contents of the buffer includes a first minimum value that reflects a minimum value of a first field of all of the events stored in the buffer.
18. An apparatus for processing log data, comprising:
a receiving module configured to receive log data that comprises a plurality of events, an event including one or more fields;
a buffer module configured to store, for each event in the plurality of events, the event in a buffer; and
a metadata module configured to update, for each event in the plurality of events, a metadata structure that comprises information about contents of the buffer, wherein information about contents of the buffer includes a first minimum value that reflects a minimum value of a first field of all of the events stored in the buffer.
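The buffer-plus-metadata scheme described in the abstract and recited in claims 1, 17 and 18, as an added worked example in Python. This is illustration code written for this page, not the patent's, ArcSight's or any product's implementation: the class names, the choice of zlib-compressed JSON as the chunk payload, the receiver identifier "recv-01", the fields of interest and the sample events are all assumptions made for the example. It shows a receiver maintaining per-field minimum and maximum values while buffering, emitting chunks of metadata plus compressed buffer contents, and a storage manager that uses those ranges to skip chunks it never has to decompress.

```python
"""Event receiver / storage manager sketch modelled on the scheme in the abstract
and claims 1, 17 and 18. Added example code, not the patent's implementation;
names, encodings and sample data are assumptions."""
import json
import zlib
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Sequence, Tuple


@dataclass
class Chunk:
    """Metadata structure plus a compressed copy of the buffer contents."""
    metadata: Dict[str, Any]
    payload: bytes  # zlib-compressed JSON list of events


class EventReceiver:
    """Buffers events and keeps, per field of interest, the min/max over the buffer."""

    def __init__(self, receiver_id: str, fields_of_interest: Sequence[str],
                 capacity: int) -> None:
        self.receiver_id = receiver_id
        self.fields = tuple(fields_of_interest)
        self.capacity = capacity
        self._buffer: List[Dict[str, Any]] = []
        self._meta = self._fresh_metadata()

    def _fresh_metadata(self) -> Dict[str, Any]:
        # Unique receiver id, event count, and one [min, max] pair per field.
        return {"receiver_id": self.receiver_id, "count": 0,
                "ranges": {f: None for f in self.fields}}

    def add(self, event: Dict[str, Any]) -> Optional[Chunk]:
        """Store one event and update the metadata; returns a chunk once the
        buffer is full (the caller hands it to the storage manager)."""
        self._buffer.append(event)
        self._meta["count"] += 1
        for f in self.fields:
            v = event[f]  # every field of interest must be present (KeyError otherwise)
            rng = self._meta["ranges"][f]
            if rng is None:
                self._meta["ranges"][f] = [v, v]
            else:
                rng[0] = min(rng[0], v)
                rng[1] = max(rng[1], v)
        return self.flush() if len(self._buffer) >= self.capacity else None

    def flush(self) -> Optional[Chunk]:
        """Emit a chunk for whatever is buffered; None if the buffer is empty."""
        if not self._buffer:
            return None
        payload = zlib.compress(json.dumps(self._buffer).encode("utf-8"))
        chunk = Chunk(metadata=self._meta, payload=payload)
        self._buffer = []
        self._meta = self._fresh_metadata()  # fresh dict, so the chunk's copy is frozen
        return chunk


class StorageManager:
    """Keeps chunks and answers range queries using the metadata as the index."""

    def __init__(self) -> None:
        self.chunks: List[Chunk] = []

    def store(self, chunk: Optional[Chunk]) -> None:
        if chunk is not None:
            self.chunks.append(chunk)

    def query(self, fld: str, lo: Any, hi: Any) -> Tuple[List[Dict[str, Any]], int]:
        """Return (matching events, number of chunks actually decompressed).
        A chunk whose [min, max] for `fld` misses [lo, hi] is skipped unopened;
        a chunk with no range for `fld` cannot be pruned and must be opened."""
        hits: List[Dict[str, Any]] = []
        opened = 0
        for c in self.chunks:
            rng = c.metadata["ranges"].get(fld)
            if rng is not None and (rng[1] < lo or rng[0] > hi):
                continue  # pruned by the index without touching the payload
            opened += 1
            for ev in json.loads(zlib.decompress(c.payload).decode("utf-8")):
                if fld in ev and lo <= ev[fld] <= hi:
                    hits.append(ev)
        return hits, opened


# Constructed sample events (values made up for this example).
SAMPLE_EVENTS = [
    {"ts": 1000, "src_ip": "10.0.0.5", "severity": 3, "msg": "login ok"},
    {"ts": 1001, "src_ip": "10.0.0.7", "severity": 2, "msg": "dns query"},
    {"ts": 1002, "src_ip": "10.0.0.5", "severity": 5, "msg": "sudo used"},
    {"ts": 1003, "src_ip": "10.0.0.9", "severity": 7, "msg": "port scan"},
    {"ts": 1004, "src_ip": "10.0.0.7", "severity": 1, "msg": "heartbeat"},
    {"ts": 1005, "src_ip": "10.0.0.5", "severity": 4, "msg": "file read"},
    {"ts": 1006, "src_ip": "10.0.0.9", "severity": 9, "msg": "brute force"},
    {"ts": 1007, "src_ip": "10.0.0.7", "severity": 2, "msg": "dns query"},
    {"ts": 1008, "src_ip": "10.0.0.5", "severity": 6, "msg": "new service"},
]


def build_store(capacity: int = 3) -> StorageManager:
    """Push the sample events through one receiver into a storage manager."""
    receiver = EventReceiver("recv-01", ("ts", "severity"), capacity)
    manager = StorageManager()
    for ev in SAMPLE_EVENTS:
        manager.store(receiver.add(ev))
    manager.store(receiver.flush())  # a partial final buffer still becomes a chunk
    return manager


if __name__ == "__main__":
    mgr = build_store()
    for fld, lo, hi in (("ts", 1004, 1006), ("severity", 8, 10)):
        hits, opened = mgr.query(fld, lo, hi)
        print(f"{fld} in [{lo}, {hi}]: {len(hits)} hits, "
              f"opened {opened} of {len(mgr.chunks)} chunks")
```

With a capacity of three the nine sample events become three chunks, and the timestamp query opens only the two chunks whose range overlaps the requested window, while the severity query opens one. The pruning is only sound while every event in a chunk is reflected in that chunk's ranges: an event appended after the metadata was last updated, or a range that is later altered, silently drops events from query results, so a deployment should treat the metadata as part of the stored record (checked or signed together with the payload) rather than as a disposable cache. Querying on a field that is not a field of interest, such as src_ip above, still works but gains nothing from the index and decompresses every chunk.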
Specification