JP2000163374A - Log management system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a log management system capable of suppressing and monitoring illegality on a holiday or in the night, when a system manager is absent and monitoring is not complete, by making it difficult to conceal the illegality by revising the contents of a log file. SOLUTION: This log management system is provided with a main managing means for recording the manipulation and/or operation of a computer system and preserving it as a main log file and a subordinate managing means for recording the manipulation and/or operation of the computer system and preserving it as a subordinate log file and for collating the main log file with a subordinate log file and discriminating whether recorded data are coincident or not.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention belongs to the technical field of computer systems. In particular, it belongs to the technical field of recording the operation and / or operation of a computer system in a log file in order to prevent unauthorized use.

[0002]

2. Description of the Related Art In a computer system, an event, which is a main event occurring in a system or an application, is monitored and recorded (recorded in a log). In the event of a particularly important event, such as a server disk full or a power failure, a message is sent to a computer system connected to the network as well as recording a log. Will be For example, Windows, which is a Microsoft operating system (OS), includes a “system log” for loading system drivers and other components at startup, a “security log” for security such as logon and file access, and an application. The recording of an “application log” related to the logging or the like is performed by the “event viewer”.

[0003]

SUMMARY OF THE INVENTION In a computer system, particularly in a computer system in which a user can connect to a network and use a logon,
In order to prevent the destruction of the environment settings, etc., monitoring of unauthorized use of the computer system by the user is performed. Recording and leaving a log as described above also monitors its unauthorized use. That is, unauthorized use can be monitored by recording a log of the application used by the user in the computer system, and later confirming the operation history on the display, performing file output, printout, and the like. However, the contents of the log file can be falsified by the user, and it can be hidden that the user who falsifies the contents of the log file and falsifies the contents.

Accordingly, it is an object of the present invention to suppress and monitor unauthorized use on holidays, nights, and the like where it is difficult to falsify the contents of a log file to hide fraud, and a system administrator is absent and monitoring is not possible. It is to provide a log management system capable of performing the above.

[0005]

According to a first aspect of the present invention, there is provided a log management system which records operation and / or operation of a computer system and stores the operation and / or operation as a main log file, and operation of the computer system. And / or sub-management means for recording the operation and storing it as a sub-log file, collating the main log file with the sub-log file, and judging whether or not the record data matches. Things.

According to the present invention, the operation and / or operation of the computer system is recorded by the main management means and stored as a main log file, and the operation and / or operation of the computer system is recorded by the sub management means and the sub log file is recorded. The main log file and the sub log file are collated to determine whether or not the record data matches. That is, even if the main log file is falsified, it is found that the falsification has been performed by checking the sub log files. Therefore, it is difficult to tamper with the contents of log files to hide fraud, and there is a log management system that can suppress and monitor unauthorized use on holidays and nights where monitoring is not possible due to the absence of a system administrator. Provided.

In the log management system according to a second aspect of the present invention, in the log management system according to the first aspect, the sub-management unit collates the main log file and the sub-log file to match the record data. If there is no match, a mismatch display means for displaying this on the screen is provided. According to the present invention, the main log file and the sub log file are collated by the sub management unit by the non-coincidence display unit, and when the record data does not match, the fact is displayed on the screen. Therefore, it is possible to determine whether the log file has been tampered with by displaying the screen.

The log management system according to a third aspect of the present invention is the log management system according to the first or second aspect, wherein the main management means is explicitly operated for a user of the computer system, and the sub management is performed. It is designed to operate without specifying the means. According to the present invention, the existence of the sub-management means is not easily known to the user, and it is very difficult to falsify the contents of the log file to hide the fraud.

A log management system according to a fourth aspect of the present invention is the log management system according to any one of the first to third aspects, wherein the operation of the computer system recorded by the main management means and the sub management means is performed. And / or actions include a start time associated with the start of the application, an operator, an application name, and / or display and input contents associated with a keyboard input, and / or
Display contents and input contents according to mouse input, and / or display contents and input contents according to error / warning display, and / or end time, operator, and application name upon application termination. is there. According to the present invention, the start time, the operator, the application name,
And / or display content and input content associated with keyboard input, and / or display content and input content associated with mouse input, and / or display content and input content associated with error / warning display, and / or application termination The end time, operator, and application name are recorded in the log file.

[0010]

Next, the present invention will be described with reference to embodiments. The log management system of the present invention operates in a computer system. Usually, the log management system is started at the same time when the computer system is started. The log management system operates in parallel with an operating system (OS) or as a part of the OS. When the application operates, monitoring is always performed.

FIG. 1 shows an example of the operation of the log management system when the application is operated. In FIG. 1, a user A logs on a computer system 1 and runs an application. By logging on, it is specified that the operator is the user A. The application displays a message on the display device of the computer system according to the situation. For example, a message “Are you sure?” Is displayed. In response to this display, the user A operates the mouse or the keyboard and inputs, for example, “OK”.

The log management system records this event in a log file. 1, an event number (NO.), Display contents, operation, time, and operator are recorded in the log file 2 by the log management system. In the event described above, the event number is “00”.
1 ”, display content is“ ... is it OK? ”, Operation is“ [OK] PUSH ”, time is“ 98/06 / 17AM12: 58: 09 ”,
The operator is “user A”. In the example shown in FIG. 1, an event with an event number of “002” is also recorded. The display content of the event is “Are you sure?”, The operation is “[CANCEL] PUSH”, the time is “98/06 / 17AM12: 58: 31”, and the operator is “User A”.

The above-described operation of recording an event in a log file is performed by the main management unit and the sub management unit of the log management system. The main management means records the operation and / or operation (event) of the computer system and stores it as a main log file. The sub-management unit records the operation and / or operation of the computer system, stores the operation and / or operation as a sub-log file, and compares the main log file with the sub-log file to determine whether or not the record data matches.

Next, a process in which the main management means stores the event as a main log file will be described. FIG. 2 shows an example of a process in which the main management means stores the event as a main log file. In FIG. 2, steps on the left side (S11 to S15) indicate processing in the application. Steps on the right (S21 to S25)
Indicates processing in the main management means. In the steps on the left side (S11 to S15), S12 to S14 sandwiched between S11 and S15 are shown in FIG.
Although illustrated as a series of flows, it is actually a process that is repeatedly performed an arbitrary number of times in an arbitrary order. The main management means constantly monitors the operation and operation when a user performs an operation or an application operates in the computer system. That is, the processing in the left steps (S11 to S15) is constantly monitored by the main management unit. Then, the main management unit performs the processing corresponding to the processing in each of the left steps (S11 to S15), that is, the right steps (S21 to S25).

First, in step S11, the user A logs on to the computer system and executes an application. For example, place the mouse pointer on the icon of a document file being created on the desktop and double-click the mouse button. As a result, the application associated with the document file is started, and the document file is opened in the application. For example, when installing an application, the user points the mouse at the icon for setting up the application and double-clicks the mouse button. As a result, a process of preparing to install the application is performed. In response to the operation in step S11, the main management unit of the log management system performs the processing in step S21.
, The start time, the operator, and the application name are recorded in the main log file.

Next, in step S12, the user A
Performs a keyboard input, the user A performs a mouse input in step S13, and the application performs an error / warning display in step S14. For example, in the case of document creation, the document being created is edited by adding a new part to the document being created, changing a certain part of the created document, deleting a certain part, and the like. . In the editing, the user A performs a keyboard input and a mouse input in order to input the edit contents. Further, for example, in the case of installation, an instruction to start installation, an input to permit a software use contract, an input of a user name, designation of an option, and the like are performed. In addition, in response to the error / warning display displayed by the application according to the situation, the user A inputs a keyboard,
Perform mouse input.

In response to the keyboard input in step S12, the main management means of the log management system
At 22, the display contents and the contents input by the user A are recorded in the main log file. Further, upon receiving the mouse input in step S13, the main management unit:
In step S23, the display contents and the name of the button pressed by the user A are recorded in the main log file.
Further, in response to the error / warning display in step S14, the main management unit records the display contents and the name of the button pressed by the user A in the main log file in step S24.

Next, in step S15, the user A ends the application in the computer system. In response to the operation in step S15,
In step S25, the main management unit of the log management system records the end time and the operator in the main log file.

Steps S21 to S21 by the main management means described above.
The same processing as the processing in S25 is performed in parallel by the sub-management unit of the log management system. That is, the processing by the sub-management unit of the log management system will be described by replacing the main management unit with the sub-management unit and the main log file with the sub-log file. Therefore, repetition of the description is avoided, but this does not mean that there is no difference. That is, for the user A of the computer system, the operation of the above-mentioned main management means can be specified, but at least the operation of the above-mentioned sub-management means is not specified. For example, a display indicating that the main management unit is operating is clearly displayed on the display device. On the other hand, the fact that the sub-management unit is operating is hidden. By doing so, the existence of the sub-management means is not easily known to the user, and it is very difficult to falsify the contents of the log file to hide the fraud.

The operation and / or operation of the computer system is recorded in the main log file by the main management means and in the sub log file by the sub management means, as described above. Next, when starting up the computer system or executing or terminating the application, the sub-management unit of the log management system checks the main log file with the sub-log file to determine whether the record data matches. Is determined. FIG. 3 is an explanatory diagram relating to the collation of the main log file and the sub log file by the sub management means.
Shown in

In FIG. 3, 1 is a computer system, 2a is a main log file, and 2b is a sub log file. As shown in an example in FIG. 3, the main log file 2a and the sub log file 2b have event numbers (NO.), Display contents, operations, time, and operators by the main management unit and the sub management unit of the log management system. Be recorded. In the example shown in FIG. 3, "00" of the event number of the main log file 2a is set.
For "1", is the display content "? ”,
The operation is “[OK] PUSH” and the time is “98/06 / 17AM12: 58: 0
9 and the user is recorded as “user A.” In the event number “002”, the display content is “.
・ Are you sure? ”, Operation is“ [CANCEL] PU
SH ”, the time is“ 98/06 / 17AM12: 58: 31 ”, and the operator is“ user A ”.

The collation between the main log file 2a and the sub log file 2b is performed by the sub management means. In the example shown in FIG. 3, in the event number "001" of the sub log file 2b, the display content is "Are you sure ...", the operation is "[OK] PUSH", and the time is "98/06". / 17AM
12:58:09 ”, the operator is recorded as“ User A. ”Is the display content“… ”acceptable for the event number“ 002 ”? ”, The operation is“ [CANCE
L] PUSH ”, the time is“ 98/06 / 17AM12: 58: 31 ”, and the operator is“ user A. ”That is, the data of the main log file 2a and the data of the sub log file 2b completely match. ing.

As described above, when the computer system is started up, or when the application is executed or terminated, the above-described collation is performed. If the data is completely matched, the log management system is switched to the computer system. Is determined to be in a normal state. And record the operation and / or operation of the computer system,
Start the normal operation of saving to the main and secondary log files. On the other hand, if the data does not match, the log management system determines that the computer system is in an abnormal state. At this time, the mismatch display means of the log management system displays the fact on the screen of the display device, for example, the application name and the contents of the error / warning. In addition to the error / warning display, the operation of a general user cannot be continued in the computer system or application.
The cancellation of the error / warning display state is performed by inputting the registered system administrator password on the screen on which the mismatch display means displays the abnormal state.

Next, the process of data processing in the log management system of the present invention will be summarized. FIG. 4 is a flowchart showing a data processing process in the log management system of the present invention. First, in step S41 of FIG. 4, the computer system is started and the OS is started. Next, in step S42, the management system (main management means, sub-management means) of the present invention is started. next,
In step S43, the main log file and the sub log file are collated.

If the data in the main log file and the data in the sub log file do not match, the flow advances to step S48, where an error / warning is displayed by the management system, and the operation is forcibly terminated. On the other hand, if the data of the main log file and the data of the sub log file match, the process proceeds to step S44 to execute the application. While the application is running, the management system records it in a log file. Next, in step S45, the application ends.

Next, in step S46 (similar to step S43), the main log file and the sub log file are collated. In step S46, the main log file and the sub log file are collated. If the data in the main log file and the sub log file do not match, the process proceeds to step S48, where an error / warning is displayed by the management system, The work shall be forcibly terminated. On the other hand, when the data of the main log file and the data of the sub log file match, the process proceeds to step S47 (similar to step S44) to execute the application. Thereafter, the same operation is repeated.

[0027]

As described above, according to the log management system of the first aspect of the present invention, it is difficult to falsify the contents of the log file to hide the fraud, and the system administrator is absent and monitoring is not possible. There is provided a log management system capable of suppressing and monitoring unauthorized use on unscheduled holidays or at night. Further, according to the log management system of the second aspect of the present invention, it is possible to determine whether the log file has been tampered with by displaying the screen. Further, according to the log management system of the third aspect of the present invention, the existence of the sub-management means is not easily recognized for the user, and it is very difficult to falsify the contents of the log file to hide the fraud. is there. Further, according to the log management system according to the fourth aspect of the present invention, the start time, the operator, the application name, and / or the display content and the input content associated with the keyboard input, and / or the mouse input associated with the application start. Display contents and input contents associated with the display, and / or display contents and input contents associated with the error / warning display, and / or an end time, an operator, and an application name associated with the end of the application are recorded in a log file.

[Brief description of the drawings]

FIG. 1 is a diagram illustrating an example of an operation of a log management system when an application is operated.

FIG. 2 is a diagram illustrating an example of a process in which a main management unit stores an event as a main log file.

FIG. 3 is an explanatory diagram relating to collation between a main log file and a sub log file by a sub management unit.

FIG. 4 is a flowchart showing a process of data processing in the log management system of the present invention.

[Explanation of symbols]

 1 Computer system 2 Log file 2a Main log file 2b Secondary log file

Claims (4)

[Claims] A main management means for recording the operation and / or operation of the computer system and storing the operation and / or operation of the computer system as a main log file; And a sub-management unit that collates the main log file with the sub-log file to determine whether or not the record data matches. 2. A log management system according to claim 1, wherein said main log file and said sub log file are compared by said sub management means, and when the record data does not match, the fact is displayed on a screen. A management system having display means. 3. The log management system according to claim 1, wherein the user of the computer system explicitly operates the main management unit and operates the sub-management unit without specifying it. Log management system. 4. The log management system according to claim 1, wherein the operation and / or operation of the computer system recorded by the main management unit and the sub-management unit is started at the start of an application. time,
Display content and input content associated with operator, application name, and / or keyboard input, and / or display content and input content associated with mouse input, and / or display content and input content associated with error / warning display; And / or a log management system characterized by an end time, an operator, and an application name accompanying the end of the application.