SIEM架构解析:从日志采集到威胁响应


文章总结: 本文系统解析SIEM(安全信息与事件管理)平台的六层架构:数据来源层涵盖终端、网络、云服务、身份系统与威胁情报等日志类型;采集层通过代理、无代理轮询、API 拉取和消息中间件收集数据;处理层进行标准化解析和事件富化;分析引擎通过关联规则与 UEBA 基线实现威胁检测;存储层按热/暖/冷分层保留;响应层通过 SOAR 剧本联动处置。文档包含 C 语言代码示例演示 Syslog 日志传输、防火墙日志解析、暴力破解检测规则与 SOAR 剧本调度,为安全运营提供实操参考。 综合评分: 87 文章分类: 安全运营,解决方案,技术标准,应用安全,网络安全



SIEM架构解析:从日志采集到威胁响应

原创

钟智强 钟智强

哪吒网络安全

2026年6月17日 11:37 马来西亚


安全信息与事件管理(SIEM) 是一类平台,用于集中收集、标准化、关联并分析企业基础设施中的安全日志与事件数据,以检测威胁、支持事件响应并满足合规留存要求。需要注意的是,SIEM 本身并不阻断攻击,其检测质量完全取决于日志来源的覆盖度与完整性:没有被采集、或可被攻击者篡改/中断的日志源,就是检测盲区。


架构总览


第一层 — 数据来源

| 来源类型 | 示例 | 日志格式 |
| --- | --- | --- |
| 终端设备 | Windows、Linux、macOS | Windows Event Log、Syslog |
| 网络设备 | 防火墙、路由器、交换机 | NetFlow、Syslog、SNMP Trap |
| 云 / 应用 | AWS、Azure、Web 服务器 | JSON、CEF、厂商 API |
| 身份系统 | Active Directory、LDAP、SSO | Kerberos 认证审计事件、LDAP 审计日志 |
| 威胁情报 | MISP、VirusTotal、ISAC | STIX 2.x / TAXII 2.x |


第二层 — 采集层

日志通过以下四种机制传输到 SIEM:

  • 代理程序(Agent)

    — 安装在终端上的轻量级软件(如 Elastic Beats、Splunk UF)

  • 无代理(Agentless)

    — SIEM 通过 SNMP、WMI 或 SSH 主动轮询设备。轮询凭据保存在 SIEM 侧且往往权限较高,应使用专用的最小权限账号并加以保护,否则 SIEM 本身会成为横向移动的跳板

  • API 拉取

    — 定时调用云服务商的日志接口

  • 转发器 / 消息中间件

    — Fluentd、Logstash、Kafka 等,用于缓冲和路由高并发日志流,并在 SIEM 不可用或被压垮时暂存数据,避免事件丢失

C 代码示例 — 通过 UDP 发送 Syslog 消息(消息格式遵循 RFC 5424,UDP 传输对应 RFC 5426)。注意:UDP Syslog 既无加密、也无发送方认证,且不保证送达,任何处于路径上的人都可以读取、丢弃或伪造事件;生产环境应使用 Syslog over TLS(RFC 5425)或至少 TCP(RFC 6587),并在网络层限制允许向采集器发送日志的主机。

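#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

#define SIEM_HOST "192.168.1.100"   /* SIEM collector IP */
#define SIEM_PORT 514               /* standard syslog port */

/*
 * PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
 * The article uses facility 14 and severity 6 (informational) -> 118.
 * NOTE(review): authentication events are conventionally logged under
 * facility 4 (auth) or 10 (authpriv); 14 is kept here to preserve the
 * article's output.
 */
#define SYSLOG_FACILITY 14
#define SYSLOG_SEVERITY 6

/*
 * Copy `src` into `dst` (capacity `dst_size`), replacing CR and LF with a
 * space.  The MSG part of a syslog line is usually built from data the
 * remote party controls (usernames, paths, user agents); an embedded
 * newline would let an attacker terminate the real event and append a
 * forged one that line-oriented collectors parse as a separate record
 * (log injection).  Always NUL-terminates; over-long input is truncated.
 */
static void copy_without_newlines(char *dst, size_t dst_size, const char *src)
{
    size_t i = 0;
    if (dst_size == 0)
        return;
    for (; i < dst_size - 1 && src[i] != '\0'; i++)
        dst[i] = (src[i] == '\n' || src[i] == '\r') ? ' ' : src[i];
    dst[i] = '\0';
}

/*
 * Build one RFC 5424 syslog message and send it to SIEM_HOST:SIEM_PORT
 * over UDP.  hostname, app_name and message fill the HOSTNAME, APP-NAME
 * and MSG fields (PROCID, MSGID and STRUCTURED-DATA are "-").
 *
 * Returns 0 on success and -1 on any failure: NULL argument, time
 * conversion failure, message longer than the 1024-byte buffer (a
 * truncated event is silently incomplete, so it is rejected instead),
 * unparseable SIEM_HOST, socket error, or a failed/short send.
 *
 * SECURITY: syslog over UDP (RFC 5426) has no encryption, no sender
 * authentication and no delivery guarantee; anyone on the path can read,
 * drop or spoof events, and spoofed events can in turn drive automated
 * response.  Production senders should use syslog over TLS (RFC 5425) or
 * at least TCP (RFC 6587), plus network-level restrictions on who may
 * reach the collector.
 */
int send_syslog_event(const char *hostname,
                      const char *app_name,
                      const char *message)
{
    char safe_msg[1024];
    char buf[1024];
    struct tm *t;
    time_t now = time(NULL);

    if (hostname == NULL || app_name == NULL || message == NULL)
        return -1;

    /* gmtime() may return NULL for unrepresentable times; never deref it blindly. */
    t = gmtime(&now);
    if (t == NULL)
        return -1;

    copy_without_newlines(safe_msg, sizeof safe_msg, message);

    int pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY;
    int len = snprintf(buf, sizeof buf,
                       "<%d>1 %04d-%02d-%02dT%02d:%02d:%02dZ %s %s - - - %s",
                       pri,
                       t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
                       t->tm_hour, t->tm_min, t->tm_sec,
                       hostname, app_name, safe_msg);
    if (len < 0 || (size_t)len >= sizeof buf)
        return -1;   /* encoding error or truncated event */

    struct sockaddr_in dest;
    memset(&dest, 0, sizeof dest);
    dest.sin_family = AF_INET;
    dest.sin_port   = htons(SIEM_PORT);
    /* inet_pton() reports failure explicitly; the original's inet_addr()
     * returned INADDR_NONE on a bad address and was never checked. */
    if (inet_pton(AF_INET, SIEM_HOST, &dest.sin_addr) != 1)
        return -1;

    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("socket");
        return -1;
    }

    int rc = 0;
    ssize_t sent = sendto(sock, buf, (size_t)len, 0,
                          (struct sockaddr *)&dest, sizeof dest);
    if (sent != (ssize_t)len) {   /* a datagram is all-or-nothing; anything else is an error */
        perror("sendto");
        rc = -1;
    }
    close(sock);
    return rc;
}

int main(void)
{
    /* Two simulated security events from a web server. */
    send_syslog_event("web-server-01", "nginx",
                      "User login failed: user=admin src=10.0.0.55");
    send_syslog_event("web-server-01", "nginx",
                      "File read: /etc/passwd src=10.0.0.55");
    return 0;
}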

第三层 — 处理层

3a. 标准化与解析

不同来源的原始日志格式各异,SIEM 需将所有字段映射到统一模式(如 ArcSight 的 CEF 通用事件格式、Splunk 的 CIM 数据模型或 Elastic 的 ECS)。解析阶段处理的是攻击者可以影响的输入——日志内容本身就可能被恶意构造——因此解析器必须对每个字段做长度与取值范围校验;解析失败的日志应当保留并计数告警,而不是静默丢弃。

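#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Normalised event record.
 * NOTE(review): this is the article's simplified flat schema, not the
 * actual ArcSight CEF wire format ("CEF:Version|Vendor|Product|...|Extension");
 * the type name is kept as in the original.
 */
typedef struct {
    char timestamp[32];
    char src_ip[16];      /* dotted-quad IPv4 only; an IPv6 literal does not fit */
    char dst_ip[16];
    int  src_port;
    int  dst_port;
    char action[32];      /* e.g. "ALLOW", "DENY" */
    char severity[8];     /* "LOW", "MED", "HIGH" */
    char message[256];
} CefEvent;

/* Ports of interactive remote-admin protocols (SSH, RDP). */
static int is_admin_port(int port)
{
    return port == 22 || port == 3389;
}

/*
 * Parse one firewall syslog line of the form
 *   "<timestamp> <action> src=<ip>:<port> dst=<ip>:<port> msg=<text>"
 * into *out.
 *
 * Every conversion carries a width bound matching the destination field,
 * so an over-long token is cut rather than overflowing the struct.  The
 * message field accepts spaces up to end of line (the original's "%255s"
 * stopped at the first space).  Ports are range-checked against 0..65535
 * because the line is attacker-influenced input: a negative or oversized
 * value would otherwise flow unchecked into later correlation logic.
 *
 * Returns 0 on success with *out fully populated and severity set
 * (HIGH for admin ports, LOW otherwise); -1 when the line does not match
 * or a port is out of range, in which case *out is zeroed.
 */
int parse_firewall_log(const char *raw, CefEvent *out)
{
    if (raw == NULL || out == NULL)
        return -1;
    memset(out, 0, sizeof *out);

    int matched = sscanf(raw,
                         "%31s %31s src=%15[^:]:%d dst=%15[^:]:%d msg=%255[^\n]",
                         out->timestamp, out->action,
                         out->src_ip, &out->src_port,
                         out->dst_ip, &out->dst_port,
                         out->message);
    if (matched != 7)
        return -1;

    if (out->src_port < 0 || out->src_port > 65535 ||
        out->dst_port < 0 || out->dst_port > 65535) {
        memset(out, 0, sizeof *out);
        return -1;
    }

    /* Severity heuristic from the original: attempts against admin ports
     * are HIGH, everything else LOW. */
    snprintf(out->severity, sizeof out->severity, "%s",
             is_admin_port(out->dst_port) ? "HIGH" : "LOW");
    return 0;
}

int main(void)
{
    const char *raw =
        "2024-06-15T12:01:05Z DENY "
        "src=10.0.0.5:4432 dst=192.168.1.1:22 msg=SSH_attempt";
    CefEvent ev;

    if (parse_firewall_log(raw, &ev) == 0) {
        printf("时间戳  : %s\n", ev.timestamp);
        printf("动作    : %s\n", ev.action);
        printf("源地址  : %s:%d\n", ev.src_ip, ev.src_port);
        printf("目标地址: %s:%d\n", ev.dst_ip, ev.dst_port);
        printf("严重程度: %s\n", ev.severity);
        printf("消息    : %s\n", ev.message);
    }
    return 0;
}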

3b. 事件富化

解析后,SIEM 会为事件附加上下文信息:地理位置(GeoIP)、资产归属、用户部门、漏洞评分等。富化数据源(GeoIP 库、资产清单、身份目录)本身必须保持更新——过期的资产归属会直接导致错误的严重程度判定,进而让自动化响应作用在错误的对象上。

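#include <stdio.h>
#include <string.h>

/* Element count of a real array (not a pointer). */
#define TABLE_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* GeoIP record. */
typedef struct { char ip[16]; char country[32]; char city[32]; } GeoRecord;
/* Asset inventory record. */
typedef struct { char ip[16]; char owner[64]; char role[32]; } AssetRecord;

/* Simplified in-memory lookup tables (production: a real database or API).
 * The loops below use TABLE_LEN instead of the original hard-coded "2",
 * so adding a row can no longer silently go unsearched or read past the
 * end of the table. */
static const GeoRecord geo_db[] = {
    { .ip = "10.0.0.5",    .country = "内部网络", .city = "总部" },
    { .ip = "203.0.113.5", .country = "马来西亚", .city = "吉隆坡" },
};

static const AssetRecord asset_db[] = {
    { .ip = "192.168.1.1",  .owner = "IT 部门", .role = "网关路由器" },
    { .ip = "192.168.1.50", .owner = "财务部",  .role = "工作站" },
};

/*
 * Look up `ip` in geo_db.  Returns the country string and copies the city
 * into city_out; an unknown address yields "未知" for both.
 *
 * city_out must have room for sizeof(((GeoRecord *)0)->city) == 32 bytes:
 * the interface carries no destination size, so the copy is bounded only
 * by the (NUL-terminated, 32-byte) source field.
 */
const char *geo_lookup(const char *ip, char *city_out)
{
    for (size_t i = 0; i < TABLE_LEN(geo_db); i++) {
        if (strcmp(geo_db[i].ip, ip) == 0) {
            strcpy(city_out, geo_db[i].city);   /* source bounded to 32 bytes */
            return geo_db[i].country;
        }
    }
    strcpy(city_out, "未知");
    return "未知";
}

/*
 * Return the asset role recorded for `ip`, or "未知资产" when the address
 * is not in the inventory.  The returned pointer refers to static storage.
 */
const char *asset_lookup(const char *ip)
{
    for (size_t i = 0; i < TABLE_LEN(asset_db); i++) {
        if (strcmp(asset_db[i].ip, ip) == 0)
            return asset_db[i].role;
    }
    return "未知资产";
}

int main(void)
{
    const char *src = "203.0.113.5";
    const char *dst = "192.168.1.1";
    char city[32];

    printf("源 GeoIP : %s,%s\n", geo_lookup(src, city), city);
    printf("目标资产 : %s\n", asset_lookup(dst));
    return 0;
}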

第四层 — 分析引擎

4a. 关联规则

当事件序列或计数在时间窗口内匹配某种模式时,规则触发告警。关联逻辑应按来源维度(IP、账号)去重,避免同一攻击源产生告警风暴;同时要清楚,攻击者可以通过分散来源(密码喷洒、僵尸网络)或拉长尝试间隔来规避基于单一 IP 与固定窗口的阈值,单条规则只能覆盖一种模式。

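#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_EVENTS       1024
#define BRUTE_THRESHOLD  5    /* failed logins that trigger the rule */
#define WINDOW_SECONDS   60   /* sliding window length, seconds */

typedef struct {
    time_t ts;
    char   src_ip[16];      /* IPv4 dotted quad; IPv6 would be truncated */
    char   event_type[32];  /* "LOGIN_FAIL", "LOGIN_OK", ... */
} LogEvent;

static LogEvent event_store[MAX_EVENTS];
static int      event_count = 0;

/*
 * Append one event to the in-memory store.
 *
 * When the store is full the event is dropped silently, as in the
 * original.  In a real pipeline that is a detection blind spot an attacker
 * can create by flooding noise first; a production store would evict
 * events older than WINDOW_SECONDS or spill to disk instead.
 *
 * Over-long strings are truncated, and the copies always NUL-terminate
 * (snprintf) — the original's strncpy did not guarantee termination.
 */
void ingest_event(time_t ts, const char *src, const char *type)
{
    if (event_count >= MAX_EVENTS)
        return;
    LogEvent *slot = &event_store[event_count];
    slot->ts = ts;
    snprintf(slot->src_ip, sizeof slot->src_ip, "%s", src);
    snprintf(slot->event_type, sizeof slot->event_type, "%s", type);
    event_count++;
}

/*
 * True when e is a LOGIN_FAIL inside the window ending at `now`.
 * As in the original, an event time-stamped in the future (now - ts < 0)
 * also counts; clock skew between sources is not handled here.
 */
static int is_recent_failure(const LogEvent *e, time_t now)
{
    return strcmp(e->event_type, "LOGIN_FAIL") == 0 &&
           (now - e->ts) <= WINDOW_SECONDS;
}

/* Count LOGIN_FAIL events from src_ip inside the window ending at `now`. */
static int count_failures_in_window(const char *src_ip, time_t now)
{
    int failures = 0;
    for (int j = 0; j < event_count; j++) {
        if (is_recent_failure(&event_store[j], now) &&
            strcmp(event_store[j].src_ip, src_ip) == 0)
            failures++;
    }
    return failures;
}

/*
 * Rule: brute force — BRUTE_THRESHOLD or more LOGIN_FAIL from one IP
 * within WINDOW_SECONDS.  Prints one alert per offending IP.
 *
 * De-duplication: only the FIRST in-window failure of each IP is evaluated
 * (an earlier matching event means the IP was already handled).  This
 * replaces the original's fixed `seen[64][16]` stack array, which had no
 * bounds check: more than 64 distinct offending IPs in one window — easy
 * for a botnet — wrote past the end of the array, and its strncpy never
 * NUL-terminated 15-character addresses.
 *
 * Still O(n^2) over the store, which is fine for the example size but
 * not for a real event volume.
 */
void run_brute_force_rule(time_t now)
{
    for (int i = 0; i < event_count; i++) {
        const LogEvent *e = &event_store[i];
        if (!is_recent_failure(e, now))
            continue;

        int first_for_ip = 1;
        for (int k = 0; k < i; k++) {
            if (is_recent_failure(&event_store[k], now) &&
                strcmp(event_store[k].src_ip, e->src_ip) == 0) {
                first_for_ip = 0;
                break;
            }
        }
        if (!first_for_ip)
            continue;

        int failures = count_failures_in_window(e->src_ip, now);
        if (failures >= BRUTE_THRESHOLD) {
            printf("[告警] 检测到暴力破解:src=%s 失败次数=%d\n",
                   e->src_ip, failures);
        }
    }
}

int main(void)
{
    time_t base = time(NULL);

    ingest_event(base,      "10.0.0.5", "LOGIN_FAIL");
    ingest_event(base + 5,  "10.0.0.5", "LOGIN_FAIL");
    ingest_event(base + 10, "10.0.0.5", "LOGIN_FAIL");
    ingest_event(base + 15, "10.0.0.5", "LOGIN_FAIL");
    ingest_event(base + 20, "10.0.0.5", "LOGIN_FAIL");
    ingest_event(base + 25, "10.0.0.5", "LOGIN_OK");

    run_brute_force_rule(base + 30);
    return 0;
}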

4b. UEBA — 用户与实体行为分析

UEBA 为每个用户 / 实体建立统计基线,并对偏差发出告警(例如:异常时段登录)。基线需要足够的样本量:样本过少或方差为零的基线会让简单的 z 分数失效;另外登录时段是循环量(23 点与 0 点只相差一小时),生产实现应使用循环距离或更稳健的统计方法,下面的示例只演示最基本的思路。

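#include <stdio.h>
#include <math.h>
#include <string.h>

#define BASELINE_COUNT    (sizeof(baselines) / sizeof(baselines[0]))
#define Z_ALERT_THRESHOLD 3.0   /* |z| above this is flagged */
#define MIN_STD_HOUR      0.5   /* floor for degenerate baselines, see z_score() */

/* Per-user login-hour baseline used for z-score anomaly detection. */
typedef struct {
    char   user[32];
    double mean_hour;   /* mean login hour (0-23) */
    double std_hour;    /* standard deviation, in hours */
} UserBaseline;

static UserBaseline baselines[] = {
    {"alice", 9.0, 1.2},
    {"bob",   8.5, 0.9},
};

/*
 * |value - mean| / std.
 *
 * A standard deviation below MIN_STD_HOUR is floored to MIN_STD_HOUR
 * rather than returning 0.0 as the original did.  Returning 0 meant a
 * user whose baseline had (near) zero variance — e.g. always 09:00
 * exactly — could never trigger an alert, the opposite of what a constant
 * baseline should imply.  With the floor, such a user is flagged once the
 * hour moves more than Z_ALERT_THRESHOLD * MIN_STD_HOUR = 1.5 h from the
 * mean.  Baselines with std >= MIN_STD_HOUR (both sample users) are
 * unaffected.
 *
 * NOTE(review): hour-of-day is circular (23 and 0 are one hour apart);
 * this linear distance over-scores deviations around midnight.
 */
double z_score(double value, double mean, double std)
{
    if (std < MIN_STD_HOUR)
        std = MIN_STD_HOUR;
    return fabs((value - mean) / std);
}

/*
 * Compare a login at `hour` against the user's baseline and print the
 * verdict.  `hour` is range-checked first: it ultimately comes from a
 * parsed log line, and an out-of-range value would otherwise produce a
 * meaningless score rather than an error.  Unknown users are flagged, as
 * in the original — a login by an account with no baseline is notable in
 * itself.
 */
void check_login(const char *user, int hour)
{
    if (hour < 0 || hour > 23) {
        printf("用户=%-8s  [告警] 无效的登录时段:%d\n", user, hour);
        return;
    }
    for (size_t i = 0; i < BASELINE_COUNT; i++) {
        if (strcmp(baselines[i].user, user) != 0)
            continue;
        double z = z_score(hour, baselines[i].mean_hour, baselines[i].std_hour);
        printf("用户=%-8s  时段=%02d:00  z=%.2f  %s\n",
               user, hour, z,
               z > Z_ALERT_THRESHOLD ? "[告警] 登录时段异常!" : "正常");
        return;
    }
    printf("用户=%-8s  [告警] 未知用户!\n", user);
}

int main(void)
{
    check_login("alice",   9);   /* normal */
    check_login("alice",  23);   /* anomalous */
    check_login("bob",     8);   /* normal */
    check_login("mallory", 2);   /* unknown user */
    return 0;
}
/* build: gcc ueba.c -lm -o ueba */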

第五层 — 存储

| 层级 | 保留期限 | 查询速度 | 用途 |
| --- | --- | --- | --- |
| 热层(Hot) | 0–30 天 | 快速(RAM/SSD) | 实时调查、仪表盘 |
| 暖层(Warm) | 30–90 天 | 适中 | 事件复盘 |
| 冷层(Cold) | 90 天 – 7 年 | 较慢(对象存储) | 合规留存、取证 |

用于取证与合规的日志必须保证完整性与不可否认性:冷层应采用只读 / WORM 存储并保留哈希校验,避免入侵者在事后篡改或删除证据;保留期限以适用法规与内部策略为准。


第六层 — 响应层

SOAR 联动(C 风格伪代码)

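#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

typedef enum { SEV_LOW, SEV_MED, SEV_HIGH, SEV_CRITICAL } Severity;

typedef struct {
    char     rule_name[64];
    char     src_ip[16];
    Severity severity;
} Alert;

/*
 * Strict dotted-quad IPv4 check via inet_pton(); NULL is rejected.
 *
 * The src_ip in an Alert originates from log data an attacker controls
 * (and, over UDP syslog, can spoof outright).  The SOAR actions below
 * eventually become firewall/EDR API calls or shell commands, so anything
 * that is not exactly an IPv4 literal is refused before it reaches them
 * (prevents argument/command injection through a crafted "address").
 */
static int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Simulated SOAR actions (print only). */
void block_ip(const char *ip)
{
    printf("  [SOAR] 防火墙已添加规则:阻断 %s\n", ip);
}

void isolate_host(const char *ip)
{
    printf("  [SOAR] 主机 %s 已从网络隔离\n", ip);
}

void create_ticket(const char *rule, const char *ip)
{
    printf("  [SOAR] 工单已创建:规则='%s' 来源=%s\n", rule, ip);
}

void notify_soc(const char *msg)
{
    printf("  [SOAR] 已通知 SOC:%s\n", msg);
}

/*
 * Dispatch the containment playbook for an alert by severity:
 *   CRITICAL: isolate host + block IP + ticket + notify SOC
 *   HIGH:     block IP + ticket
 *   MED:      ticket
 *   LOW:      log only
 *
 * An alert whose src_ip is not a valid IPv4 literal is not acted on
 * automatically; it gets a ticket and a SOC notification for manual review.
 *
 * NOTE(review): automated isolation is itself an attack surface — spoofed
 * or replayed events can make the SOAR isolate a critical server (a
 * response-driven denial of service).  Production playbooks should gate
 * isolate_host on an asset allowlist and/or analyst approval; that policy
 * is outside this example and is not implemented here.
 */
void run_playbook(const Alert *a)
{
    printf("执行剧本,告警:%s\n", a->rule_name);

    if (!is_valid_ipv4(a->src_ip)) {
        printf("  [SOAR] 来源 IP 格式无效,跳过自动阻断/隔离\n");
        create_ticket(a->rule_name, a->src_ip);
        notify_soc("告警中的来源 IP 格式无效,需人工核查");
        return;
    }

    switch (a->severity) {
    case SEV_CRITICAL:
        isolate_host(a->src_ip);
        block_ip(a->src_ip);
        create_ticket(a->rule_name, a->src_ip);
        notify_soc("严重告警 — 主机已隔离");
        break;
    case SEV_HIGH:
        block_ip(a->src_ip);
        create_ticket(a->rule_name, a->src_ip);
        break;
    case SEV_MED:
        create_ticket(a->rule_name, a->src_ip);
        break;
    default:
        printf("  [SOAR] 仅记录日志(低严重程度)\n");
        break;
    }
}

int main(void)
{
    Alert a1 = {"暴力破解-SSH", "10.0.0.5",    SEV_HIGH};
    Alert a2 = {"勒索软件-C2",   "203.0.113.5", SEV_CRITICAL};

    run_playbook(&a1);
    putchar('\n');
    run_playbook(&a2);
    return 0;
}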

关键标准与框架

| 标准 | 用途 |
| --- | --- |
| CEF (通用事件格式) | ArcSight 日志模式 |
| LEEF (日志事件扩展格式) | IBM QRadar 日志模式 |
| STIX / TAXII | 威胁情报共享 |
| MITRE ATT&CK | 攻击战术 / 技术映射 |
| PCI DSS | 支付卡合规(要求 10:集中采集、保护并定期审查审计日志,通常以 SIEM 落地) |
| ISO/IEC 27001 | 信息安全管理体系 |


主流 SIEM 产品

| 产品 | 厂商 | 备注 |
| --- | --- | --- |
| Splunk Enterprise Security | Splunk | 市场领导者,SPL 查询语言强大 |
| Microsoft Sentinel | Microsoft | 云原生,深度集成 Azure |
| IBM QRadar | IBM | 本地/云部署,关联引擎强 |
| Elastic SIEM | Elastic | 基于开源 ELK,灵活扩展 |
| Chronicle(现 Google Security Operations) | Google | PB 级规模,按量定价 |


免责声明:

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。

任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我

本文转载自:哪吒网络安全 钟智强 钟智强《SIEM架构解析:从日志采集到威胁响应》
