# Log Analyzer

A full-dimension intelligent log analysis skill based on RAPHL (Recursive Analysis Pattern for Hierarchical Logs). Streaming processing, low memory footprint, 100M+ logs analysed in seconds.

## Core capabilities

| Capability | Description |
|------|------|
| Auto-detection | Automatically identifies the log type: Java App / MySQL Binlog / Nginx / Trace / Alert |
| Entity extraction | IP, thread_id, trace_id, user_id, session_id, bucket, URL, table name and more: 20+ kinds |
| Operation analysis | Detects sensitive operations such as DELETE/UPDATE/INSERT/DROP |
| Correlation analysis | Builds timelines, causal chains and operation chains |
| Insights | Automatically generates conclusions, evidence and recommendations |

## Supported log types

| Type | Detection signature | Extracted content |
|------|----------|----------|
| **Java App** | ERROR/WARN + stack trace | exception type, stack trace, logger, time |
| **MySQL Binlog** | server id, GTID, Table_map | table operations, thread_id, server_id, data changes |
| **Nginx Access** | IP + HTTP method + status code | request IP, URL, status code, latency |
| **Trace** | trace_id, span_id | call chain, call relationships, latency |
| **Alert** | CRITICAL/alert | alert level, source, message |
| **General** | generic | time, IP, keywords |

## Usage

```bash
python .opencode/skills/log-analyzer/scripts/preprocess.py <日志文件> -o ./log_analysis
```

## Output files

| File | Content | Purpose |
|------|------|------|
| `summary.md` | Complete analysis report | **Read first** |
| `entities.md` | Entity details (IPs, users, table names, ...) | Trace where operations came from |
| `operations.md` | Operation details | Inspect individual operations |
| `insights.md` | Insights | Problem localisation and recommendations |
| `analysis.json` | Structured data | Programmatic processing |

## Entity extraction checklist

### Network / connection
- IP address, IP:Port, URL, MAC address

### Tracing / session
- trace_id, span_id, request_id, session_id, thread_id

### User / permission
- user_id, ak (access_key), bucket

### Database
- database.table, server_id

### Performance / status
- duration, http_status, error_code

## Sensitive operation detection

| Type | Detection pattern | Risk level |
|------|------|------|
| Data deletion | DELETE, DROP, TRUNCATE | HIGH |
| Data modification | UPDATE, ALTER, MODIFY | MEDIUM |
| Permission change | GRANT, REVOKE, chmod | HIGH |
| Authentication | LOGIN, LOGOUT, AUTH | MEDIUM |

## Insight types

| Type | Description |
|------|------|
| security | bulk deletes/modifications, permission changes |
| anomaly | high-frequency IPs, operations at unusual hours |
| error | critical exceptions, error clustering |
| audit | operation source, user behaviour |

## Analysis pipeline

```
Phase 1: Log type detection (samples the first 100 lines)
    ↓
Phase 2: Full scan and extraction (streaming)
    ↓
Phase 3: Correlation analysis (time ordering, aggregate statistics)
    ↓
Phase 4: Insights (anomaly detection, conclusions)
    ↓
Phase 5: Report generation (Markdown + JSON)
```

## Technical characteristics

| Characteristic | Description |
|------|------|
| Streaming | Reads line by line; a 100M file takes only a few MB of memory |
| Precompiled regexes | 20+ entity patterns precompiled for fast matching |
| Single pass | Extraction, statistics and classification in one traversal |
| Type-specific parsing | Each log type has a dedicated parser |

## Notes

1. **Binlog does not record the client IP**: only server_id and thread_id are available; combine with general_log to confirm the operator
2. **Redact sensitive information**: make sure reports do not expose passwords or keys
3. **Combine multiple log sources**: binlog + application logs + audit logs are needed for a complete reconstruction

---

Attached script `scripts/preprocess.py`, as far as it survives on the page. The beginning of the file (imports, the `LogType`, `Entity`, `Alert` and `Insight` definitions, the `SmartLogAnalyzer` class header with its pattern tables, and the opening of the Java application log scanner, including its `error_pattern`) is not on the page; the excerpt begins inside that scanner's setup.

```python
        # (excerpt begins here: the method header, `error_pattern`, `current_exception = None`
        #  and the `context_buffer` list are defined above this point and are not on the page;
        #  `re`, `json`, `argparse`, `Counter`, `defaultdict` and the Alert/Entity/Insight/LogType
        #  names come from the file's missing head)
        stack_pattern = re.compile(r'^\s+at\s+')
        exception_pattern = re.compile(r'^([a-zA-Z_$][\w.$]*(?:Exception|Error|Throwable)):\s*(.*)')

        with open(self.input_path, 'r', encoding='utf-8', errors='ignore') as f:
            for line_num, line in enumerate(f, 1):
                self.total_lines += 1
                line = line.rstrip()

                # extract entities from every line
                self._extract_entities(line, line_num)

                error_match = error_pattern.match(line)
                if error_match:
                    time_str, level, logger, message = error_match.groups()
                    self._update_time_range(time_str)

                    if level in ('ERROR', 'FATAL', 'WARN', 'WARNING'):
                        # a new error line closes any exception still being collected
                        if current_exception:
                            self._finalize_exception(current_exception)

                        current_exception = {
                            'line_num': line_num,
                            'time': time_str,
                            'level': level,
                            'logger': logger,
                            'message': message,
                            'stack': [],
                            'context': list(context_buffer),  # up to 5 preceding lines
                            'entities': [],
                        }
                        context_buffer.clear()
                elif current_exception:
                    # stack frames and "Caused by:" lines belong to the open exception
                    if stack_pattern.match(line) or exception_pattern.match(line):
                        current_exception['stack'].append(line)
                    elif line.startswith('Caused by:'):
                        current_exception['stack'].append(line)
                    else:
                        self._finalize_exception(current_exception)
                        current_exception = None
                        context_buffer.append(line)
                else:
                    context_buffer.append(line)
                    if len(context_buffer) > 5:
                        context_buffer.pop(0)

                if line_num % 50000 == 0:
                    print(f"  已处理 {line_num:,} 行...")

        if current_exception:
            self._finalize_exception(current_exception)

    def _finalize_exception(self, exc: dict):
        """Turn a collected exception into an Alert and count its type."""
        level_map = {'FATAL': 'CRITICAL', 'ERROR': 'HIGH', 'WARN': 'MEDIUM', 'WARNING': 'MEDIUM'}

        self.alerts.append(Alert(
            line_num=exc['line_num'],
            time=exc['time'],
            level=level_map.get(exc['level'], 'LOW'),
            source=exc['logger'],
            message=exc['message'],
            entities=exc.get('entities', [])
        ))

        if exc['stack']:
            first = exc['stack'][0]
            # key the count by the text before ':' on the first stack line (the exception
            # class when that line is an exception header), otherwise by the log level
            key = first.split(':')[0] if ':' in first else exc['level']
            self.stats['exceptions'][key] += 1

    def _scan_general(self):
        """Generic log scan."""
        with open(self.input_path, 'r', encoding='utf-8', errors='ignore') as f:
            for line_num, line in enumerate(f, 1):
                self.total_lines += 1

                # extract the timestamp (first pattern that matches wins)
                for pattern, fmt in self.TIME_PATTERNS:
                    match = pattern.search(line)
                    if match:
                        self._update_time_range(match.group(1))
                        break

                # extract entities
                self._extract_entities(line, line_num)

                # identify alert level
                for level, pattern in self.ALERT_PATTERNS.items():
                    if pattern.search(line):
                        self.stats['alert_levels'][level] += 1
                        break

                # identify sensitive operations
                for op_type, pattern in self.SENSITIVE_OPS.items():
                    if pattern.search(line):
                        self.stats['sensitive_ops'][op_type] += 1

                if line_num % 50000 == 0:
                    print(f"  已处理 {line_num:,} 行...")

    def _extract_entities(self, line: str, line_num: int):
        """Extract all entity types from one line."""
        for entity_type, pattern in self.ENTITY_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.lastindex else match.group(0)
                self._add_entity(entity_type, value, line_num, line[:200])

    def _add_entity(self, entity_type: str, value: str, line_num: int, context: str = ""):
        """Record an entity occurrence together with a context snippet of the line."""
        # filter out values that carry no information
        if entity_type == 'ip' and value in ('0.0.0.0', '127.0.0.1', '255.255.255.255'):
            return
        if entity_type == 'duration_ms' and float(value) == 0:
            return

        self.entities[entity_type].append(Entity(
            type=entity_type,
            value=value,
            line_num=line_num,
            context=context
        ))
        self.stats[f'{entity_type}_count'][value] += 1

    def _update_time_range(self, time_str: str):
        """Widen the observed time range; relies on timestamps that sort lexicographically."""
        if not self.time_range['start'] or time_str < self.time_range['start']:
            self.time_range['start'] = time_str
        if not self.time_range['end'] or time_str > self.time_range['end']:
            self.time_range['end'] = time_str

    def _correlate(self):
        """Correlation analysis."""
        # order operations by time
        if self.operations:
            self.operations.sort(key=lambda x: x.time)
            print(f"  ✓ 操作时间线: {len(self.operations)} 条")

        # aggregate operations of the same type
        if self.log_type == LogType.MYSQL_BINLOG:
            op_summary: dict[str, dict] = {}
            for op in self.operations:
                key = op.op_type
                if key not in op_summary:
                    op_summary[key] = {'count': 0, 'tables': Counter(), 'thread_ids': set()}
                op_summary[key]['count'] += 1
                op_summary[key]['tables'][op.target] += 1
                for e in op.entities:
                    if e.type == 'thread_id':
                        op_summary[key]['thread_ids'].add(e.value)

            for op_type, data in op_summary.items():
                tables_count = len(data['tables'])
                thread_count = len(data['thread_ids'])
                print(f"  ✓ {op_type}: {data['count']} 次, 涉及 {tables_count} 个表, {thread_count} 个 thread_id")

        # IP activity
        if 'ip' in self.entities:
            ip_activity = Counter(e.value for e in self.entities['ip'])
            top_ips = ip_activity.most_common(5)
            if top_ips:
                print(f"  ✓ Top IP:")
                for ip, count in top_ips:
                    print(f"    {ip}: {count} 次")

    def _generate_insights(self):
        """Generate insights."""

        # binlog insights
        if self.log_type == LogType.MYSQL_BINLOG:
            # bulk delete detection
            delete_count = self.stats['operations'].get('DELETE', 0)
            if delete_count > 100:
                tables = self.stats['tables'].most_common(5)
                thread_ids = list(set(e.value for e in self.entities.get('thread_id', [])))
                server_ids = list(set(e.value for e in self.entities.get('server_id', [])))

                self.insights.append(Insight(
                    category='security',
                    severity='high',
                    title=f'大批量删除操作检测',
                    description=f'检测到 {delete_count} 条 DELETE 操作',
                    evidence=[
                        f"时间范围: {self.time_range['start']} ~ {self.time_range['end']}",
                        f"涉及表: {', '.join(f'{t[0]}({t[1]}次)' for t in tables)}",
                        f"Server ID: {', '.join(server_ids)}",
                        f"Thread ID: {', '.join(thread_ids[:5])}{'...' if len(thread_ids) > 5 else ''}",
                    ],
                    recommendation='确认操作来源:1. 根据 thread_id 查询应用连接 2. 检查对应时间段的应用日志 3. 确认是否为正常业务行为'
                ))

            # operation source
            if self.entities.get('server_id'):
                unique_servers = set(e.value for e in self.entities['server_id'])
                if len(unique_servers) == 1:
                    server_id = list(unique_servers)[0]
                    self.insights.append(Insight(
                        category='audit',
                        severity='medium',
                        title='操作来源确认',
                        description=f'所有操作来自同一数据库实例 server_id={server_id}',
                        evidence=[
                            f"Server ID: {server_id}",
                            f"这是数据库主库的标识,不是客户端 IP",
                            f"Binlog 不记录客户端 IP,需查 general_log 或审计日志",
                        ],
                        recommendation='如需确认操作者 IP,请检查:1. MySQL general_log 2. 审计插件日志 3. 应用服务连接日志'
                    ))

        # exception insights
        if self.alerts:
            critical_count = sum(1 for a in self.alerts if a.level == 'CRITICAL')
            if critical_count > 0:
                self.insights.append(Insight(
                    category='error',
                    severity='critical',
                    title=f'严重异常检测',
                    description=f'检测到 {critical_count} 个严重级别异常',
                    evidence=[f"L{a.line_num}: {a.message[:100]}" for a in self.alerts if a.level == 'CRITICAL'][:5],
                    recommendation='立即检查相关服务状态'
                ))

        # IP anomaly detection
        if 'ip' in self.entities:
            ip_counter = Counter(e.value for e in self.entities['ip'])
            for ip, count in ip_counter.most_common(3):
                if count > 100:
                    self.insights.append(Insight(
                        category='anomaly',
                        severity='medium',
                        title=f'高频 IP 活动',
                        description=f'IP {ip} 出现 {count} 次',
                        evidence=[e.context[:100] for e in self.entities['ip'] if e.value == ip][:3],
                        recommendation='确认该 IP 的活动是否正常'
                    ))

        print(f"  ✓ 生成 {len(self.insights)} 条洞察")
        for insight in self.insights:
            print(f"    [{insight.severity.upper()}] {insight.title}")

    def _generate_reports(self):
        """Write all reports and list the output files."""
        self._write_summary()
        self._write_entities()
        self._write_operations()
        self._write_insights()
        self._write_json()

        print(f"\n输出文件:")
        for f in sorted(self.output_dir.iterdir()):
            size = f.stat().st_size
            print(f"  - {f.name} ({size/1024:.1f} KB)")

    def _write_summary(self):
        """Write the summary report."""
        path = self.output_dir / "summary.md"
        with open(path, 'w', encoding='utf-8') as f:
            f.write(f"# 日志分析报告\n\n")

            f.write(f"## 概览\n\n")
            f.write(f"| 项目 | 内容 |\n|------|------|\n")
            f.write(f"| 文件 | {self.input_path.name} |\n")
            f.write(f"| 大小 | {self.file_size_mb:.2f} MB |\n")
            f.write(f"| 类型 | {self.log_type.value} |\n")
            f.write(f"| 总行数 | {self.total_lines:,} |\n")
            f.write(f"| 时间范围 | {self.time_range['start']} ~ {self.time_range['end']} |\n\n")

            # entity statistics
            if self.entities:
                f.write(f"## 实体统计\n\n")
                f.write(f"| 类型 | 唯一值 | 出现次数 | Top 值 |\n|------|--------|----------|--------|\n")
                for entity_type, entities in sorted(self.entities.items()):
                    counter = Counter(e.value for e in entities)
                    unique = len(counter)
                    total = len(entities)
                    top = counter.most_common(1)[0] if counter else ('', 0)
                    f.write(f"| {entity_type} | {unique} | {total} | {top[0][:30]}({top[1]}) |\n")
                f.write(f"\n")

            # operation statistics
            if self.stats['operations']:
                f.write(f"## 操作统计\n\n")
                f.write(f"| 操作类型 | 次数 |\n|----------|------|\n")
                for op, count in self.stats['operations'].most_common():
                    f.write(f"| {op} | {count:,} |\n")
                f.write(f"\n")

            if self.stats['tables']:
                f.write(f"## 表操作统计\n\n")
                f.write(f"| 表名 | 操作次数 |\n|------|----------|\n")
                for table, count in self.stats['tables'].most_common(10):
                    f.write(f"| {table} | {count:,} |\n")
                f.write(f"\n")

            # insights
            if self.insights:
                f.write(f"## 分析洞察\n\n")
                for i, insight in enumerate(self.insights, 1):
                    f.write(f"### {i}. [{insight.severity.upper()}] {insight.title}\n\n")
                    f.write(f"{insight.description}\n\n")
                    if insight.evidence:
                        f.write(f"**证据:**\n")
                        for e in insight.evidence:
                            f.write(f"- {e}\n")
                        f.write(f"\n")
                    if insight.recommendation:
                        f.write(f"**建议:** {insight.recommendation}\n\n")
                    f.write(f"---\n\n")

    def _write_entities(self):
        """Write entity details (values are written as extracted, without redaction)."""
        path = self.output_dir / "entities.md"
        with open(path, 'w', encoding='utf-8') as f:
            f.write(f"# 实体详情\n\n")

            for entity_type, entities in sorted(self.entities.items()):
                counter = Counter(e.value for e in entities)
                f.write(f"## {entity_type} ({len(counter)} 个唯一值)\n\n")
                f.write(f"| 值 | 出现次数 | 首次行号 |\n|-----|----------|----------|\n")

                first_occurrence = {}
                for e in entities:
                    if e.value not in first_occurrence:
                        first_occurrence[e.value] = e.line_num

                for value, count in counter.most_common(50):
                    f.write(f"| {value[:50]} | {count} | {first_occurrence[value]} |\n")
                f.write(f"\n")

    def _write_operations(self):
        """Write operation details grouped by table."""
        if not self.operations:
            return

        path = self.output_dir / "operations.md"
        with open(path, 'w', encoding='utf-8') as f:
            f.write(f"# 操作详情\n\n")
            f.write(f"共 {len(self.operations)} 条操作记录\n\n")

            # group by table
            by_table = defaultdict(list)
            for op in self.operations:
                by_table[op.target].append(op)

            for table, ops in sorted(by_table.items(), key=lambda x: len(x[1]), reverse=True):
                f.write(f"## {table} ({len(ops)} 次操作)\n\n")

                op_types = Counter(op.op_type for op in ops)
                f.write(f"操作类型: {dict(op_types)}\n\n")

                thread_ids = set()
                for op in ops:
                    for e in op.entities:
                        if e.type == 'thread_id':
                            thread_ids.add(e.value)

                if thread_ids:
                    f.write(f"Thread IDs: {', '.join(sorted(thread_ids))}\n\n")

                f.write(f"时间范围: {ops[0].time} ~ {ops[-1].time}\n\n")
                f.write(f"---\n\n")

    def _write_insights(self):
        """Write the insights report grouped by severity."""
        if not self.insights:
            return

        path = self.output_dir / "insights.md"
        with open(path, 'w', encoding='utf-8') as f:
            f.write(f"# 分析洞察\n\n")

            # group by severity
            by_severity = defaultdict(list)
            for insight in self.insights:
                by_severity[insight.severity].append(insight)

            for severity in ['critical', 'high', 'medium', 'low']:
                if severity not in by_severity:
                    continue

                f.write(f"## {severity.upper()} 级别\n\n")
                for insight in by_severity[severity]:
                    f.write(f"### {insight.title}\n\n")
                    f.write(f"**类别:** {insight.category}\n\n")
                    f.write(f"**描述:** {insight.description}\n\n")

                    if insight.evidence:
                        f.write(f"**证据:**\n")
                        for e in insight.evidence:
                            f.write(f"- {e}\n")
                        f.write(f"\n")

                    if insight.recommendation:
                        f.write(f"**建议:** {insight.recommendation}\n\n")

                    f.write(f"---\n\n")

    def _write_json(self):
        """Write the structured JSON output."""
        path = self.output_dir / "analysis.json"

        data = {
            'file': str(self.input_path),
            'size_mb': self.file_size_mb,
            'log_type': self.log_type.value,
            'total_lines': self.total_lines,
            'time_range': self.time_range,
            'entities': {
                k: {
                    'unique': len(set(e.value for e in v)),
                    'total': len(v),
                    'top': Counter(e.value for e in v).most_common(10)
                }
                for k, v in self.entities.items()
            },
            'stats': {k: dict(v) for k, v in self.stats.items()},
            'insights': [
                {
                    'category': i.category,
                    'severity': i.severity,
                    'title': i.title,
                    'description': i.description,
                    'evidence': i.evidence,
                    'recommendation': i.recommendation
                }
                for i in self.insights
            ]
        }

        with open(path, 'w', encoding='utf-8') as f:
            json.dump(data, f, ensure_ascii=False, indent=2)

    def _get_summary(self) -> dict:
        return {
            'log_type': self.log_type.value,
            'total_lines': self.total_lines,
            'entity_types': len(self.entities),
            'operation_count': len(self.operations),
            'insight_count': len(self.insights),
            'output_dir': str(self.output_dir)
        }


def main():
    parser = argparse.ArgumentParser(description='RAPHL 智能日志分析器')
    parser.add_argument('input', help='输入日志文件')
    parser.add_argument('-o', '--output', default='./log_analysis', help='输出目录')

    args = parser.parse_args()

    analyzer = SmartLogAnalyzer(args.input, args.output)
    result = analyzer.run()

    print(f"\n请查看 {result['output_dir']}/summary.md")


if __name__ == '__main__':
    main()
```

Source: `zrt-ai-lab/opencode-skills`, `log-analyzer/SKILL.md` (https://github.com/zrt-ai-lab/opencode-skills/blob/HEAD/log-analyzer/SKILL.md), imported by @skillopedia on 2026-06-05, category Data (data-analytics). Skill description: a full-dimension log analysis skill that automatically identifies the log type (Java application / MySQL Binlog / Nginx / Trace / alert), extracts key entities (IP, thread_id, trace_id, user, table name, etc.) and performs root-cause localisation, alert analysis and anomaly insight; supports 100M+ files. Trigger phrases: 分析日志, 日志排查, 根因定位, 告警分析, 异常分析 (analyse logs, log troubleshooting, root-cause localisation, alert analysis, anomaly analysis).

