monitoring | design
Summary: This paper presents a real-time monitoring system based on OS kernel service and multithread technology, which solves the problem that the previous monitoring system can not recover the abnormal webpage in time. The Transmission control part and monitoring part of the system are introduced emphatically.
Key Words: real-time monitoring; multithreading; API
Introduction
The more mature technology for web monitoring is timed monitoring, that is, the user set time interval, the system on time to monitor the Web page file polling, to determine whether the file was illegally deleted or tampered with. If found, restore the backup file on the backup disk immediately. There is a flaw in such monitoring: pages that are illegally deleted or tampered with cannot be recovered in a timely manner.
This article introduces the website real-time Monitoring system creatively utilizes the system service and the multithreading technology which the operating system core provides, all file illegal change events will be notified by the operating system timely monitoring program, the mechanism is completely different from the scanning technology, do not need to compare and analysis of the cumbersome process of backup database, can be monitored real-time and low consumption. 2 system Working principle
In order to realize the real-time automatic recovery of the website, the system needs three parts: Website Monitor, website backup, Transmission control. Site monitoring is responsible for monitoring changes within the Web server, the discovery of illegal tampering of web page files; Web site backup is a Web server within the image of the file system, as well as the database system, Transmission control of the site monitoring part of the implementation of control and maintenance of the page, but also responsible for the production of audit records, alarm information. These three parts form an organic whole, the working principle is as follows: The website Monitor discovers the anomaly and analyzes the anomaly point, then informs the Transmission control part; The Transmission control part controls the website backup part to transmit the correct content which relates to the anomaly point to the Web server to overwrite the unusual part, simultaneously produces the corresponding audit record and the alarming information.
Transfer Control Section
When using this system, users first select the Web page files to be monitored by customizing the Monitoring directory. When real-time monitoring, the system starts multiple concurrent monitoring threads to implement real-time monitoring of multiple directories, and a thread monitors a directory. The Transfer Control section is responsible for starting the monitoring thread, receiving the message that the monitor line Cheng the directory change, and overwriting the exception file according to the message, generating alarm and audit information.
1, monitor the start of the thread
Because the number of user-tailored web pages is not fixed, so the number of directories to be monitored is not fixed, so the number of threads to start will also be not fixed. In view of this, we use a linked list structure to represent the directory to be monitored. The list structure includes a directory name and a pointer to the next monitoring directory structure: struct list{
String dirname; A string that records the name of the directory
struct list *next;} A pointer to the next node
As shown in Figure 1
Fig. 13 The linked list of nodes
The data source for a linked list can be a static user profile or a dynamic user action selection. When a node in a linked list points to a null pointer to the next node, the node is the distal point of the list. According to the linked list, start a number of threads, the linked list has a node, on behalf of a directory needs to monitor, you need to start a monitoring thread, traversing the entire list, can be based on user needs to start all threads, monitor all customized directories. The implementation process is shown in Figure 2.
The initial address of the linked list àp
P=null?
CreateThread (Null,0,monitor,p,0,&threadid)
P=pànext
Terminate
Y
N
In Figure 2 p is a pointer to a node in the list, initially pointing to the first node of the list, each starting a thread, and p moving back one node. P is also passed as a parameter to the control function of the thread, and the control function can know which directory is being monitored by the pointer p. Windows system functions CreateThread (NULL,0,MONITOR,P,0,&THREADID) starts the monitoring thread, which is the starting address for the thread control function.
2, change the message processing
In the Transfer Control section, define a dealfun function specifically for handling directory change messages sent by the SITE monitoring section. The SITE Monitoring section sends a change message with three parameters: what has changed, the file name that has changed, and the directory where the file changed. The Dealfun function finds the file's backup file based on the file name and directory name to the file backup database, overwrites the file with the backup file, and generates the appropriate alarm information based on the type of change (such as file deletion, file modification, etc.). Write each change to the log database at the same time.
website Monitoring Section
The website monitoring part is responsible for implementing the control function in the monitoring thread, monitoring the specified directory, and sending the change information to the transfer control part when the file is changed. Windows provides system services for file and directory monitoring, and provides two API functions for applications: FindFirstChangeNotification and READDIRECTORYCHANGESW. Because the FindFirstChangeNotification function can only be monitored to a directory to change the file, and can not monitor the specific file is changed, so the system chooses the READDIRECTORYCHANGESW function. The function is defined as:
BOOL READDIRECTORYCHANGESW (
HANDLE Hdirectory,
LPVOID lpbuffer,
DWORD Nbufferlength,
BOOL Bwatchsubtree,
DWORD Dwnotifyfilter,
Lpdword lpbytesreturned,
lpoverlapped lpoverlapped,
Lpoverlapped_completion_routine lpCompletionRoutine
);
The first parameter hdirectory is to monitor the handle of the directory, which can be obtained by specifying the directory name, using the return value of the CreateFile function. The user code informs the operating system by the second and third parameters that the directory change notification should be placed in a memory area with a first address of lpbuffer and a length of nbufferlength. But how is this memory organized? The operating system is putting them in the structure of the file_notify_information:
typedef struct _FILE_NOTIFY_INFORMATION {
DWORD Nextentryoffset;
DWORD Action;
DWORD filenamelength;
WCHAR Filename[1];
} file_notify_information, *pfile_notify_information;
This is a list structure where the first field stores the number of bytes that need to be skipped to get the next record, and if its value is 0, it means that the record is already the last record in the list. The field can actually be viewed as a pointer to the next record. The second field means: What type of directory change is notified this time. The third field represents the length of the changed file name. The fourth field is the first address of a Unicode character array that holds the changed file names.
Another parameter related to this system is dwnotifyfilter. It is the directory change notification filter. To monitor file name changes, this parameter should be set to file_notify_change_file_name, files are illegally rewritten as file_notify_change_last_write, and so on. Depending on the filter settings, the READDIRECTORYCHANGESW function can monitor changes in file name changes, file attribute changes, file size changes, file content being overwritten, file deletion, and more.
The control function of the monitoring thread is to monitor a directory by using the READDIRECTORYCHANGESW function. The practice is to first use CreateFile to get the handle of the directory to be monitored, then call readdirectorychangesw in a while loop, and pass the memory address, memory length, and directory handle that you assigned to the directory change notification to the function. The user code waits synchronously in the call to the function. When a file is changed in the directory, the control function stores the directory change notification in the specified memory area and transmits the changed file name, the directory of the file and the change mode to the transfer control function in the manner of the message. The specific code is as follows:
Static DWORD WINAPI Monitor (list LParam)//Entry parameter is the linked list pointer described in section 3.1
{HANDLE hdir;
Hdir = CreateFile (
Lparamà.c_str (),
generic_read| Generic_write,
file_share_read| file_share_write| File_share_delete,
Null
Open_existing,
File_flag_backup_semantics,
Null
); Gets the handle of the directory to be monitored. The directory name is specified by the entry parameter
if (Invalid_handle_value = = Hdir) return false;
Char buf[2* (sizeof (file_notify_information) +max_path)];
file_notify_information* pnotify= (file_notify_information *) buf; Specifies the area of memory where directory change notifications are stored
DWORD bytesreturned;
while (true)//Enter loop monitoring
{if (ReadDirectoryChangesW (Hdir,
Pnotify,
sizeof (BUF),
True,//monitor subdirectories
Set Filter
file_notify_change_file_name|
file_notify_change_dir_name|
file_notify_change_attributes|
file_notify_change_size|
file_notify_change_last_write|
file_notify_change_last_access|
file_notify_change_creation|
File_notify_change_security,
&bytesreturned,
Null
NULL))
{if (0!= pnotify->nextentryoffset)
{pfile_notify_information p = (pfile_notify_information) ((char*) pnotify+pnotify->nextentryoffset);
}
Monitorcontrol obj;//Transfer Control class, defined in the Transfer Control section
Objàdealfun (ACTION) pnotify->action, pnotifyàfilename,lparamàdirname)//Send directory change notification as message to the Transfer Control Section
}
Else
{break;
}
}
return 0;
}
The model of the system is represented in the UML activity diagram as shown in Figure 3:
Fig. 3 System Model
Conclusions
In this paper, the traditional Web site monitoring system can not recover illegally deleted and tampered with the problem, design and implementation of the operating system based on the core of the service and Multithread Technology Web site real-time monitoring system. When the illegal tampering of the event occurs, the system can be a millisecond alarm and automatic recovery, even if the alarm delay and restore time added, the sum can still remain in the millisecond level, fundamentally eliminate the hacker use of alarm and restore the delay to publish illegal information possible. The disadvantage is that the system can only operate under the Windows operating system, we are studying a cross-platform Web site real-time monitoring system.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.