The invention discloses a real-time security early warning method based on complex event processing. The method specifically comprises the following steps: step (1), using a formalized engine to perform log field segmentation on collected security data, performing normalization on fields according to field requirements, and associating knowledge base information according to the fields that are expected to be outputted; step (2), using a data flow semantic analysis engine to perform data context analysis according to a complex event instance to be modeled as a scene, and analyzing mapping stream data based on a standardized analysis field template; and step (3), using a security analysis model calculation engine, in an analysis rule calculation module, analyzing according to scenes based on a point event, an edge event and an interval event, and generating an early warning event. The real-time security early warning method based on the complex event processing provided by the invention realizes the multi-angle association analysis of original log data through a configurable normalization rule, a semantic recognition rule and a security analysis rule, and discovers unknown threats and carries out early warning timely.