Storing log data efficiently while supporting querying to assist in computer network security

US 9,031,916 B2
Filed: 12/28/2007
Issued: 05/12/2015
Est. Priority Date: 12/28/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing log data, comprising:

receiving log data that comprises a plurality of events, an event including one or more fields; and

for each event in the plurality of events;

storing, in a buffer, the event;

identifying a first value of a first field of the event;

identifying a first minimum value that indicates a minimum value of the first field of all of the events stored in the buffer, wherein the first minimum value is stored in a metadata structure that comprises information about contents of the buffer;

determining whether the first minimum value exceeds the first value; and

responsive to determining that the first minimum value exceeds the first value, updating the metadata structure by replacing the first minimum value with the first value.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A logging system includes an event receiver and a storage manager. The receiver receives log data, processes it, and outputs a data “chunk.” The manager receives data chunks and stores them so that they can be queried. The receiver includes buffers that store events and a metadata structure that stores metadata about the contents of the buffers. The metadata includes a unique identifier associated with the receiver, the number of events in the buffers, and, for each “field of interest,” a minimum value and a maximum value that reflect the range of values of that field over all of the events in the buffers. A chunk includes the metadata structure and a compressed version of the contents of the buffers. The metadata structure acts as a search index when querying event data. The logging system can be used in conjunction with a security information/event management (SIEM) system.

40 Citations

View as Search Results

18 Claims

1. A computer-implemented method for processing log data, comprising:
- receiving log data that comprises a plurality of events, an event including one or more fields; and
  
  for each event in the plurality of events;
  
  storing, in a buffer, the event;
  
  identifying a first value of a first field of the event;
  
  identifying a first minimum value that indicates a minimum value of the first field of all of the events stored in the buffer, wherein the first minimum value is stored in a metadata structure that comprises information about contents of the buffer;
  
  determining whether the first minimum value exceeds the first value; and
  
  responsive to determining that the first minimum value exceeds the first value, updating the metadata structure by replacing the first minimum value with the first value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein information about contents of the buffer further includes a first maximum value that indicates a maximum value of the first field of all of the events stored in the buffer.
  - 3. The method of claim 1, wherein information about contents of the buffer further includes a second minimum value that indicates a minimum value of a second field of all of the events stored in the buffer.
  - 4. The method of claim 1, wherein information about contents of the buffer further includes a number of events stored in the buffer.
  - 5. The method of claim 1, further comprising:
    - in response to a first trigger condition, generating a data chunk based on contents of the metadata structure and further based on contents of the buffer.
  - 6. The method of claim 5, wherein the first trigger condition is based on a buffer usage threshold or based on a timeout window.
  - 7. The method of claim 5, further comprising:
    - in response to a second trigger condition, reclaiming storage space used by the data chunk.
  - 8. The method of claim 7, wherein the second trigger condition is based on a retention policy associated with the data chunk.
  - 9. The method of claim 7, wherein the second trigger condition is based on a disk-space usage threshold or based on a maximum time to retain the chunk.
  - 10. The method of claim 1, further comprising:
    - for each event in the plurality of events;
      
      determining when the event was received; and
      
      storing, in the buffer, a timestamp that reflects when the event was received.
  - 11. The method of claim 1, wherein storing the event in the buffer comprises appending the event to contents of the buffer.
  - 12. The method of claim 1, further comprising generating a data chunk that includes contents of the metadata structure and a compressed version of contents of the buffer.
  - 13. The method of claim 12, wherein the data chunk further includes a file signature or a version identifier.
  - 14. The method of claim 12, wherein the data chunk further includes a message digest of contents of the buffer.
  - 15. The method of claim 12, further comprising:
    - receiving a search query that includes a set of one or more search terms;
      
      identifying one or more search terms, from the set of search terms, that concern information that is contained in the metadata structure; and
      
      searching one or more data chunks by comparing, for each data chunk, the identified search terms to contents of the metadata structure included within the data chunk.
  - 16. The method of claim 15, further comprising:
    - for each data chunk that satisfies the identified search terms;
      
      disassembling the data chunk into a plurality of events; and
      
      comparing, for each event in the plurality of events, the set of search terms to the event.

17. A computer program product for processing log data, the computer program product comprising a non-transitory computer-readable medium containing computer program code for performing a method, the method comprising:
- receiving log data that comprises a plurality of events, an event including one or more fields; and
  
  for each event in the plurality of events;
  
  storing, in a buffer, the event;
  
  identifying a first value of a first field of the event;
  
  identifying a first minimum value that indicates a minimum value of the first field of all of the events stored in the buffer, wherein the first minimum value is stored in a metadata structure that comprises information about contents of the buffer;
  
  determining whether the first minimum value exceeds the first value; and
  
  responsive to determining that the first minimum value exceeds the first value, updating the metadata structure by replacing the first minimum value with the first value.

18. An apparatus for processing log data, comprising:
- a processor; and
  
  a computer-readable storage medium coupled to the processor and storing instructions executed by the processor to perform operations comprising;
  
  receiving log data that comprises a plurality of events, an event including one or more fields;
  
  for each event in the plurality of events;
  
  storing, in a buffer, the event;
  
  identifying a first value of a first field of the event;
  
  identifying a first minimum value that indicates a minimum value of the first field of all of the events stored in the buffer, wherein the first minimum value is stored in a metadata structure that comprises information about contents of the buffer;
  
  determining whether the first minimum value exceeds the first value; and
  
  responsive to determining that the first minimum value exceeds the first value, updating the metadata structure by replacing the first minimum value with the first value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Huang, Wei, Tang, Wenting, Beedgen, Christian F.
Primary Examiner(s)
CHEEMA, AZAM M

Application Number

US11/966,078
Publication Number

US 20080162592A1
Time in Patent Office

2,692 Days
Field of Search
US Class Current

707/674
CPC Class Codes

G06F 11/3476   Data logging G06F11/14, G06...

G06F 16/22   Indexing; Data structures t...

G06F 21/552   involving long-term monitor...

G06F 2201/835   Timestamp

G06F 2201/86   Event-based monitoring

H04L 41/0686   Additional information in t...

H04L 41/069   using logs of notifications...

Y10S 707/99953   Recoverability

Storing log data efficiently while supporting querying to assist in computer network security

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Storing log data efficiently while supporting querying to assist in computer network security

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others