JP2012146271A - Log management system, log management method, log management device, and log management program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To record trail information on various operations by an operator as a log.SOLUTION: A log management system stores operation contents representing an operation performed on a predetermined computer system, a log item to be acquired as a log item to be acquired when the operation is performed, log output presence or absence indicative of whether the computer system outputs the log item to be acquired when the operation is performed, and log acquisition means as means of acquiring the log item to be acquired. Then the log management system when accepting predetermined operation contents to the computer system determines whether the computer system outputs the log item to be acquired corresponding to the predetermined operation contents according to the log output presence or absence. The log management system acquires the log item to be acquired by the log acquisition means corresponding to the predetermined operation contents when the computer system does not output the log item to be acquired.

Description

  The present invention relates to a log management system, a log management method, a log management apparatus, and a log management program.

  Conventionally, a virtualization technology for operating a virtual machine on a physical machine is known. For example, in recent years, a virtualization technology that operates multiple virtual machines for cloud computing (hereinafter referred to simply as “cloud”) in which multiple users share resources on the network. May apply.

  In a computer system using such a virtualization technology, one or more virtual machines are generated and controlled on a physical machine by a hypervisor. An OS called a guest OS (Operating System) is operated on the virtual machine under the control of the hypervisor. The hypervisor may be called a virtual machine monitor or the like.

  Here, the construction, maintenance, operation management, and the like of the computer system as described above may be performed by a plurality of system administrators. Specifically, multiple system administrators log in to the administrator screen, start and stop the hypervisor, create, start, move, delete, duplicate and rename virtual machines, and assign them to virtual machines The resource may be changed.

Akinori Tanaka et al., “PC Operation History Collection System“ Memory Retriever ””, NTT Technical Journal, Vol.22, No.7, 2010.

  However, in the above conventional computer system, trail information of various operations by the operator is not always recorded as a log. For example, even in a computer system in which various operations are performed by a plurality of system administrators as described above, information for identifying the system administrator who performed the operation, operation date and time, operation details, information on the operation target device, operation Information such as results is not always recorded as a log. In other words, in conventional computer systems, trail information of various operations performed by a plurality of system administrators is not always recorded as a log. This is not preferable from the viewpoint of ensuring the security of the computer system, and there is a possibility that the system management side cannot fulfill accountability when a failure occurs.

  In the above description, the computer system to which the virtualization technology is applied has been described as an example. However, the event that the detailed log is not necessarily recorded is not limited to the computer system using the virtualization technology. This may occur in a computer system in which various operations are performed by a plurality of operators.

  The log management system according to the embodiment of the present invention includes an operation content indicating an operation performed on a predetermined computer system, an acquisition target log item which is a log item to be acquired when the operation is performed, and In addition, a log output presence / absence indicating whether or not the computer system outputs an acquisition target log item when such an operation is performed, and a log acquisition method that is a method of acquiring the acquisition target log item are stored. When the log management system receives a predetermined operation content for the computer system, the log management system determines whether the computer system outputs an acquisition target log item corresponding to the predetermined operation content based on whether or not the log is output. . When the computer system does not output the acquisition target log item, the log management system acquires the acquisition target log item by a log acquisition method corresponding to a predetermined operation content.

  The trail information can be recorded as a log.

FIG. 1 is a diagram illustrating a configuration example of a log management system according to the first embodiment. FIG. 2 is a diagram illustrating a configuration example of the log management unit according to the first embodiment. FIG. 3 is a diagram illustrating an example of the log attribute storage unit. FIG. 4 is a diagram illustrating a configuration example of the login wrap unit. FIG. 5 is a flowchart illustrating a processing procedure performed by the log management unit according to the first embodiment. FIG. 6 is a diagram illustrating a computer that executes a log management program.

  Hereinafter, embodiments of a log management system, a log management method, a log management apparatus, and a log management program according to the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment.

[Configuration of Log Management System according to Embodiment 1]
First, the log management system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating a configuration example of a log management system according to the first embodiment. As illustrated in FIG. 1, the log management system 1 according to the first embodiment includes an information processing apparatus 10, a computer system 100, and a log management unit 200.

  The information processing apparatus 10 is a personal computer, for example, and is operated by a network administrator who manages the computer system 100. The network administrator operates the information processing apparatus 10 to construct, maintain, and manage the computer system 100.

  The computer system 100 is constructed by one or more information processing apparatuses and performs various information processing. The computer system 100 according to the first embodiment is a cloud in which a plurality of users share resources on a network, and a virtualization technology that operates a virtual machine is applied. The computer system 100 according to the first embodiment is an existing system, and various operations are performed by a plurality of system administrators.

  In the first embodiment, the computer system 100 that is a cloud to which the virtualization technology is applied will be described as an example. However, the computer system 100 is not limited to the cloud to which the virtualization technology is applied, and includes a plurality of operators. Any computer system may be used as long as various operations are performed.

  The computer system 100 includes a hypervisor 111 and a hypervisor management unit 120 as illustrated in FIG. The hypervisor 111 generates and controls one or more virtual machines on the physical machine, and operates the guest OS on the virtual machine. In the example illustrated in FIG. 1, the hypervisor 111 generates virtual machines 21, 22, 23, and 24 on a physical machine (not shown), operates the guest OS 31 on the virtual machine 21, and operates the guest OS 32 on the virtual machine 22. , The guest OS 33 is operated on the virtual machine 23, and the guest OS 34 is operated on the virtual machine 24.

  Note that the hypervisor 111 according to the first embodiment generates virtual machines on a plurality of physical machines included in the computer system 100. At this time, the hypervisor 111 may generate a plurality of virtual machines in one physical machine. For example, the hypervisor 111 generates a virtual machine 21 on the physical machine A, generates a virtual machine 22 on the physical machine B, generates a virtual machine 23 on the physical machine C, and generates a virtual machine 24 on the physical machine D. Alternatively, the virtual machines 21 and 22 may be generated on the physical machine A, and the virtual machines 23 and 24 may be generated on the physical machine B.

  The hypervisor management unit 120 manages various processes by the hypervisor 111. Specifically, the hypervisor management unit 120 receives various operations performed by the network administrator from the information processing apparatus 10 and causes the hypervisor 111 to execute the received various operations. The processing performed by the hypervisor management unit 120 will be described later with reference to FIG.

  The hypervisor 111 and the hypervisor management unit 120 are realized by a predetermined information processing apparatus included in the computer system 100. Hereinafter, an information processing apparatus that implements the hypervisor 111 and the hypervisor management unit 120 may be referred to as “host”.

  In the example illustrated in FIG. 1, the computer system 100 includes an example of the hypervisor 111 and the hypervisor management unit 120. However, the computer system 100 includes the number of hypervisors and hypervisor management units. It is not limited to this. For example, the computer system 100 may include a plurality of hypervisors and a hypervisor management unit. That is, the computer system 100 may include a plurality of hosts, and a plurality of hypervisors and hypervisor management units may be realized by the plurality of hosts.

  As illustrated in FIG. 1, the log management unit 200 is connected between the information processing apparatus 10 and a computer system 100 that is an existing system, and is transmitted and received between the information processing apparatus 10 and the computer system 100. Relay information. The log management unit 200 manages detailed logs related to various processes performed by the computer system 100.

  Specifically, for each operation performed on the computer system 100 by the network administrator, the log management unit 200 stores a log item to be acquired as trail information and a method for acquiring the log item. Then, when a predetermined operation is performed on the computer system 100, the log management unit 200 acquires log items that are not output by the computer system 100 from among the acquisition target log items corresponding to the operation. At this time, the log management unit 200 specifies a log item acquisition method based on an operation performed on the computer system 100, and acquires a log item by the specified acquisition method. Then, the log management unit 200 synthesizes (merges) the acquired log items and the log items output by the computer system 100, and holds them as a log for operations performed by the network administrator.

  As described above, the log management unit 200 according to the first embodiment supplements log items output by the computer system 100. Thereby, in the log management system 1 according to the first embodiment, detailed logs regarding various processes performed by the computer system 100 according to various operations by the system administrator can be recorded. In other words, the log management system 1 can record trail information of various operations by a plurality of system administrators as a log.

  In addition, the log management unit 200 is connected between the information processing apparatus 10 and the computer system 100, and complements log items by relaying various types of information transmitted and received between the information processing apparatus 10 and the computer system 100. To do. Thereby, the log management system 1 according to the first embodiment can be realized without improving the computer system 100 which is an existing system.

[Configuration of Log Management Unit in Embodiment 1]
Next, the log management unit 200 illustrated in FIG. 1 will be described with reference to FIG. FIG. 2 is a diagram illustrating a configuration example of the log management unit 200 according to the first embodiment. FIG. 2 also shows a configuration example of the computer system 100. Below, the structure of the computer system 100 relevant to the process by the log management part 200 is demonstrated first, and the log management part 200 is demonstrated after that.

  As illustrated in FIG. 2, the computer system 100 includes a log storage unit 110 and a hypervisor management unit 120. As illustrated in FIG. 1, the computer system 100 also includes the hypervisor 111 and the like, but illustration thereof is omitted in FIG.

  The log storage unit 110 stores a log output when the computer system 100 performs various processes. Specifically, the log storage unit 110 stores a log output by each processing unit included in the hypervisor management unit 120 described later.

  Here, the hypervisor management unit 120 does not always output a detailed log as trail information of various operations by the operator. For this reason, the system management side of the computer system 100 may not be able to fulfill accountability only when a failure occurs, using only the log output by the hypervisor management unit 120. Specifically, in order for the system management side to fulfill accountability, the processing date and time when the computer system 100 performed processing, operator information regarding the network administrator who performed operations on the computer system 100, and the operation target It may be necessary to log items such as the host name of the host, operation details, change information changed by the operation, and operation results. However, the hypervisor management unit 120, for all operation contents received from the information processing apparatus 10, has detailed logs regarding the processing date and time, operator information, host name, operation contents, change information, operation results, and the like as in the above example. Does not necessarily output items.

  As illustrated in FIG. 2, the hypervisor management unit 120 includes a login unit 121, a logout unit 122, a hypervisor activation unit 123, a new virtual machine creation unit 124, a virtual machine name change unit 125, a virtual machine name change unit 125, and a virtual machine name change unit 125. Machine start unit 126, virtual machine stop unit 127, virtual machine move unit 128, virtual machine copy unit 129, virtual machine delete unit 130, virtual machine export unit 131, virtual machine import unit 132, CPU ( Central Processing Unit) resource changing unit 133, memory resource changing unit 134, disk resource changing unit 135, and hypervisor stopping unit 136.

  Briefly describing each processing unit included in the hypervisor management unit 120, the login unit 121 performs a login process in which a user such as a network administrator logs in to the hypervisor 111. The logout unit 122 performs logout processing in which a user such as a network administrator logs out from the hypervisor 111. The hypervisor activation unit 123 performs a hypervisor activation process that activates the hypervisor 111.

  The new virtual machine creation unit 124 performs a new virtual machine creation process for creating a new virtual machine on a physical machine. In other words, the new virtual machine creation unit 124 performs processing for creating a new virtual machine on the hypervisor 111. The virtual machine name changing unit 125 performs a virtual machine name changing process for changing the name of the virtual machine. The virtual machine activation unit 126 performs a virtual machine activation process for activating a virtual machine that has been stopped. The virtual machine stop unit 127 performs a virtual machine stop process for stopping the active virtual machine.

  The virtual machine moving unit 128 performs a virtual machine moving process for moving a virtual machine on the hypervisor 111 to another hypervisor. The virtual machine replication unit 129 performs a virtual machine replication process for replicating a created virtual machine. The virtual machine deletion unit 130 performs a virtual machine deletion process for deleting a created virtual machine. The virtual machine export unit 131 performs a virtual machine export process for exporting a created virtual machine and acquiring a virtual machine image. The virtual machine import unit 132 performs a virtual machine import process for creating a new virtual machine by importing the exported virtual machine image onto the hypervisor 111.

  The CPU resource changing unit 133 performs a CPU resource changing process for changing the CPU resource assigned to each virtual machine on the hypervisor 111. The memory resource changing unit 134 performs a memory resource changing process for changing a memory resource allocated to each virtual machine on the hypervisor 111. The disk resource changing unit 135 performs a disk resource changing process for changing the disk resource allocated to each virtual machine on the hypervisor 111. The hypervisor stop unit 136 performs a hypervisor stop process for stopping the active hypervisor 111.

  Each processing unit included in the hypervisor management unit 120 receives the operation content from the log management unit 200 when various operations are performed via the information processing apparatus 10 by the network administrator. Various processes are performed according to the contents. In the above, each processing unit included in the hypervisor management unit 120 has been briefly described, but will be described in detail together with a wrap unit 220 to be described later.

  As illustrated in FIG. 2, the log management unit 200 includes a log attribute storage unit 211, a trail log storage unit 212, and a wrap unit 220.

  The log attribute storage unit 211 includes an operation content indicating an operation performed on the computer system 100, an acquisition target log item that is a log item to be acquired when the operation is performed, and the operation is performed. When the computer system 100 outputs an acquisition target log item, a log output presence / absence indicating whether or not the acquisition target log item is output and a log acquisition method as a method of acquiring the acquisition target log item are stored.

  Here, FIG. 3 shows an example of the log attribute storage unit 211. As illustrated in FIG. 3, the log attribute storage unit 211 includes items such as “operation content”, “acquisition target log item”, “log output presence / absence”, “log acquisition method”, and “acquisition log breakdown”.

  “Operation content” indicates the content of an operation performed on the computer system 100. In FIG. 3, “Login”, “Logout”, “Hypervisor activation”, “New virtual machine creation”, and the like are stored as “operation contents” in the log attribute storage unit 211 as operations performed on the computer system 100. An example is shown.

  The “acquisition target log item” indicates a log item to be acquired when an operation is performed on the computer system 100. The “log item to be acquired” here refers to a detailed log item including a log item other than the log item output by the computer system 100 which is an existing system, in other words, various operations by the operator. Indicates the log item that becomes the trail information. FIG. 3 shows an example in which a plurality of log items are stored in the “acquisition target log item” of the log attribute storage unit 211. For example, when “A, B, C, D, E” is stored in the “acquisition target log item”, it indicates that the log items to be acquired are five log items A to E. ing. Here, the log items A to E are, for example, the processing date and time when the computer system 100 performed processing, operator information regarding the network administrator who performed the operation, the host name of the target host, the operation content, and the operation Information such as results.

  “Log output presence / absence” indicates whether or not the computer system 100 outputs an acquisition target log item when an operation is performed on the computer system 100. In the example shown in FIG. 3, when a log item that is not output by the computer system 100 is included in the “acquisition target log item”, “none” is stored in the “log output presence / absence”. When “acquisition target log item” is output, “present” is stored in “log output presence / absence”.

  “Log acquisition method” indicates a method of acquiring an acquisition target log item. In the example illustrated in FIG. 3, the “log acquisition method” of the log attribute storage unit 211 stores a log item acquisition method that is not output by the computer system 100 among the log items included in the “acquisition target log item”. Shall be. In addition, “screen capture” stored in the “log acquisition method” illustrated in FIG. 3 includes, for example, a method of saving a screen output by the hypervisor management unit 120 or the like as an image file, or an imaged screen. A method for converting the text into a text by optical character recognition (OCR) or the like will be described. Further, “API-N (N is a number)” stored in the “log acquisition method” illustrated in FIG. 3 is a log item by an API (Application Program Interface) included in the hypervisor management unit 120 or the computer system 100. The technique to acquire is shown.

  FIG. 3 shows an example in which the screen capture or API acquisition method is stored in the “log acquisition method”, but the “log acquisition method” stores acquisition methods other than the screen capture and API acquisition methods. May be. For example, the “log acquisition method” may store an acquisition method indicating that a log item is acquired from the log storage unit 110 of the computer system 100.

  The “acquisition log breakdown” stores the acquisition method of the log item for each log item acquired by the log management unit 200 among the acquisition target log items. For example, in the example illustrated in FIG. 3, “M: API-2 / N: API-3” stored in “acquisition log breakdown” has the acquisition method of the log item M as API-2, and the log item It shows that the acquisition method of N is API-3.

  That is, the log attribute storage unit 211 illustrated in FIG. 3 indicates that all acquisition target log items are output by the computer system 100 when the operation content is “login”. In FIG. 3, when all the acquisition target log items are output by the computer system 100, an example in which no information is stored in “acquisition target log item”, “log acquisition method”, and “acquisition log breakdown”. Show. However, even when all the acquisition target log items are output by the computer system 100, the “acquisition target log item” may be stored in the log attribute storage unit 211.

  Further, in the log attribute storage unit 211 illustrated in FIG. 3, when the operation content is “logout”, the acquisition target log item is “A, B, C, D, E”, and the acquisition target log item A to E indicate that log items that are not output by the computer system 100 are included, and the log acquisition technique of the acquisition target log items A to E is “screen capture”. In other words, the log attribute storage unit 211 illustrated in FIG. 3 indicates that the acquisition target log items A to E are not output by the computer system 100 when the operation content is “logout”.

  Further, in the log attribute storage unit 211 illustrated in FIG. 3, when the operation content is “Hypervisor activation”, the acquisition target log item is “A, B, X, Y, Z”, and the acquisition target The log items A, B, X, Y, and Z indicate that log items that are not output by the computer system 100 are included, and the log acquisition method for the acquisition target log items X to Z is “API-1”. Is shown. In other words, the log attribute storage unit 211 illustrated in FIG. 3 outputs log items A and B by the computer system 100 when the operation content is “Hypervisor activation”. Is not output.

  In the example illustrated in FIG. 3, “acquisition of log” includes information on “log acquisition method”. Therefore, the log attribute storage unit 211 may not store the “log acquisition method” illustrated in FIG.

  Returning to the description of FIG. 2, the trail log storage unit 212 stores log items acquired by a wrap unit 220 described later and log items output by the computer system 100. That is, the trail log storage unit 212 stores the log items complemented by the wrap unit 220 and the log items output by the computer system 100 as logs serving as trail information of various operations by the operator.

  The wrap unit 220 transmits the operation content received by the information processing apparatus 10 from the network administrator to the hypervisor management unit 120 and collects detailed log items regarding various processes performed by the hypervisor management unit 120 according to the operation content. To do.

  In the example illustrated in FIG. 3, the wrap unit 220 includes a login wrap unit 221, a logout wrap unit 222, a hypervisor activation wrap unit 223, a new virtual machine creation wrap unit 224, and a virtual machine name change wrap unit 225. , A virtual machine start lap unit 226, a virtual machine stop lap unit 227, a virtual machine move lap unit 228, a virtual machine duplication lap unit 229, a virtual machine deletion lap unit 230, a virtual machine export lap unit 231, The machine import wrap unit 232, the CPU resource change wrap unit 233, the memory resource change wrap unit 234, the disk resource change wrap unit 235, and the hypervisor stop wrap unit 236 are included.

  The login wrap unit 221 collects log items related to login processing performed by the login unit 121 when the operation content received from the information processing apparatus 10 is login. Here, FIG. 4 shows a configuration example of the login wrap unit 221. As illustrated in FIG. 4, the login wrap unit 221 includes a relay unit 221a, a determination unit 221b, and a log acquisition unit 221c.

  The relay unit 221 a receives various operation information related to the login operation from the information processing apparatus 10, and transmits the received various operation information to the login unit 121. Specifically, the network administrator performs a login operation using the information processing apparatus 10 when logging in to the hypervisor 111 realized by the host in the computer system 100. In such a case, the information processing apparatus 10 accepts an input of an operator name (login name), a password, a name of a login target host, and the like after accepting an operation for logging in from the network administrator. The contents (operation for logging in), the login name, the password, the host name, and the like are transmitted to the log management unit 200. Then, the relay unit 221a of the login wrap unit 221 transmits a login name, a password, and the like to the login unit 121 included in the login target host based on the operation content received from the information processing apparatus 10.

  As a result, the login unit 121 performs login processing using the login name and password received from the login wrap unit 221. For example, the login unit 121 determines whether the combination of the login name and password received from the login wrap unit 221 satisfies the login condition. The login unit 121 stores various logs related to the login process in the log storage unit 110. For example, the login unit 121 includes a process start date and time when the login process is started, a process end date and time when the login process is ended, an operation content indicating that the login process has been performed, a login name, a host name, and whether or not login is possible. And the like are stored in the log storage unit 110.

  The determination unit 221b determines whether the computer system 100 outputs an acquisition target log item corresponding to the login operation based on the log output presence / absence stored in the log attribute storage unit 211. Specifically, the determination unit 221b acquires, from the log attribute storage unit 211, various types of information corresponding to the operation content “login” when the relay unit 221a receives various types of operation information related to the login operation from the information processing apparatus 10. To do. Then, the determination unit 221b determines whether or not the login unit 121 of the computer system 100 outputs the acquisition target log item based on the log output presence / absence acquired from the log attribute storage unit 211.

  For example, when the log attribute storage unit 211 is in the state illustrated in FIG. 3, the determination unit 221 b acquires the log output presence / absence “present” corresponding to the operation content “login” from the log attribute storage unit 211. The determination unit 221b determines that the acquisition target log item is output by the login unit 121 of the computer system 100 because the presence / absence of log output is “present”.

  When the determination unit 221b determines that the login unit 121 of the computer system 100 does not output the acquisition target log item, the log acquisition unit 221c uses the log acquisition method stored in the log attribute storage unit 211 to perform the acquisition target. Get log items. Specifically, when the determination unit 221b determines that the login unit 121 does not output the acquisition target log item, the log acquisition unit 221c receives various information corresponding to the operation content “login” from the log attribute storage unit 211. get. Then, the determination unit 221b acquires the acquisition target log item based on the log acquisition method and the acquisition log breakdown acquired from the log attribute storage unit 211. Then, the determination unit 221b combines the acquired log item and the log item output by the login unit 121 and stores the synthesized log item in the trail log storage unit 212.

  In addition, when the determination unit 221b determines that the login unit 121 outputs the acquisition target log item, the log acquisition unit 221c acquires the log item output by the login unit 121 from the login unit 121 and acquires the acquired log The item is stored in the trail log storage unit 212.

  When the log attribute storage unit 211 is in the state illustrated in FIG. 3, the determination unit 221 b determines that the login unit 121 outputs the acquisition target log item. The output process start date / time, process end date / time, operation content, login name, host name, login availability, and the like are acquired from the login unit 121, and the acquired various types of information are stored in the trail log storage unit 212.

  As described above, the login wrap unit 221 includes the relay unit 221a, the determination unit 221b, and the log acquisition unit 221c, and relays various operation information such as operation contents received from the information processing apparatus 10 to the login unit 121. The log items output by the login unit 121 are complemented.

  Each processing unit other than the login wrap unit 221 included in the lap unit 220 illustrated in FIG. 2 has the same configuration as the login wrap unit 221 illustrated in FIG. 4, and includes a relay unit, a determination unit, and a log acquisition unit. Have. Hereinafter, although illustration of the configuration example of each processing unit included in the wrap unit 220 is omitted, each processing unit includes a relay unit in which “a” is added to the reference numeral attached to the processing unit, and the processing. Suppose that the determination part which added "b" to the code | symbol attached | subjected to the part, and the log acquisition part which added "c" to the code | symbol attached | subjected to this process part shall be provided. For example, the logout wrap unit 222 includes a relay unit 222a, a determination unit 222b, and a log acquisition unit 222c.

  The logout wrap unit 222 collects log items related to logout processing performed by the logout unit 122 when the operation content received from the information processing apparatus 10 is logout. Specifically, the information processing apparatus 10 receives and accepts input from the network administrator such as an operator name (login name), a password, and the name of the host to be logged out after accepting an operation to log out. The operation details (operation for logging out), login name, password, host name, and the like are transmitted to the log management unit 200.

  Then, the relay unit 222 a included in the logout wrap unit 222 of the log management unit 200 transmits a login name, a password, and the like to the logout unit 122 included in the logout target host based on the operation content received from the information processing apparatus 10. . As a result, the logout unit 122 performs logout processing using the login name and password received from the logout wrap unit 222.

  Further, the determination unit 222b of the logout wrap unit 222 receives various types of information corresponding to the operation content “logout” when the relay unit 222a receives various types of operation information related to the logout operation from the information processing apparatus 10. Get from. Then, the determination unit 222b determines whether or not the logout unit 122 outputs an acquisition target log item based on the log output presence / absence acquired from the log attribute storage unit 211. When the log attribute storage unit 211 is in the state illustrated in FIG. 3, the determination unit 222 b acquires the log output presence / absence “none” corresponding to the operation content “logout” from the log attribute storage unit 211. The unit 122 determines that the acquisition target log item is not output.

  Further, the log acquisition unit 222c of the logout wrap unit 222, when the determination unit 222b determines that the logout unit 122 does not output the acquisition target log item, the operation content “logout” stored in the log attribute storage unit 211. The acquisition target log item is acquired based on the log acquisition method and the acquisition log breakdown corresponding to. Then, the determination unit 222b combines the acquired log item and the log item output by the logout unit 122 and stores the synthesized log item in the trail log storage unit 212.

  When the log attribute storage unit 211 is in the state illustrated in FIG. 3, the determination unit 222b determines that the logout unit 122 does not output the acquisition target log item, and thus the log acquisition unit 222c includes the log attribute storage unit 211. Acquisition log breakdown “AE: screen capture”. Thereby, the log acquisition unit 222c acquires log items A to E by screen capture. For example, the log acquisition unit 222c can save an image file by capturing a logout completion screen output by the logout unit 122. Further, for example, the log acquisition unit 222c can save the character information included in the logout completion screen by converting the image obtained by capturing the logout completion screen into text by optical character recognition or the like.

  For example, it is assumed that the logout unit 122 does not perform log output during logout processing. In such a case, the log acquisition unit 222c displays the process start date and time when the logout process is started by the logout unit 122, the process end date and time when the logout process ends, the operation content indicating that the logout process has been performed, the operator who logged out The log-in name, the host name on which log-out processing has been performed, the log-out availability as a result of the log-out processing, and the like are acquired from the log-out unit 122, and the acquired various information is stored in the trail log storage unit 212.

  The hypervisor activation lap unit 223 collects log items related to the hypervisor activation process performed by the hypervisor activation unit 123 when the operation content received from the information processing apparatus 10 is hypervisor activation. Specifically, the information processing apparatus 10 receives an operation to start the hypervisor 111 from the network administrator, and then receives an input of the operator name, the name of the hypervisor to be started, and the received operation. The contents (operation to activate the hypervisor 111), the operator name, the name of the hypervisor to be activated, and the like are transmitted to the log management unit 200.

  Then, the relay unit 223a included in the hypervisor activation lap unit 223 of the log management unit 200 transmits the operator name, the hypervisor name, and the like to the hypervisor activation unit 123. Thereby, the hypervisor activation unit 123 performs a process of activating the hypervisor indicated by the hypervisor name received from the hypervisor activation lap unit 223.

  Further, the determination unit 223b of the hypervisor activation lap unit 223 determines whether or not the hypervisor activation unit 123 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 223 c of the hypervisor activation lap unit 223 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the hypervisor activation unit 123.

  For example, the hypervisor activation unit 123 outputs, at the time of hypervisor activation processing, a log indicating processing start time, processing end time, operation content, name of activated hypervisor, and hypervisor activation availability as a result of the hypervisor activation processing. It is assumed that the operator name and the host name on which the hypervisor is activated are not logged. Further, it is assumed that “operator name, host name: API-1” is stored in the acquisition log breakdown corresponding to the operation content “hypervisor activation” in the log attribute storage unit 211. In such a case, the log acquisition unit 223c acquires the operator name and host name from the hypervisor activation unit 123 using API-1 according to the acquisition log breakdown stored in the log attribute storage unit 211, and acquires the acquired operator. The name and host name are combined with the processing start time, processing end time, operation content, hypervisor name, and hypervisor activation availability output by the hypervisor activation unit 123 and stored in the trail log storage unit 212. In this way, the log acquisition unit 223c acquires log items that are not output from the hypervisor activation unit 123 via, for example, an API included in the hypervisor management unit 120, and stores the acquired log items in the trail log storage unit 212. can do.

  The new virtual machine creation wrap unit 224 collects log items related to the virtual machine new creation process performed by the virtual machine new creation unit 124 when the operation content received from the information processing apparatus 10 is creation of a new virtual machine. Specifically, after receiving an operation for creating a new virtual machine from the network administrator, the information processing apparatus 10 receives the operator name, the name of the virtual machine to be created, and the hypervisor in which the virtual machine is created. An input of a name or the like is received, and the received operation content (operation to create a new virtual machine), operator name, virtual machine name, hypervisor name, and the like are transmitted to the log management unit 200.

  Then, the relay unit 224 a included in the new virtual machine creation wrap unit 224 of the log management unit 200 transmits the operator name, virtual machine name, hypervisor name, and the like to the new virtual machine creation unit 124. As a result, the new virtual machine creation unit 124 newly adds a virtual machine having the virtual machine name received from the virtual machine new creation lap unit 224 on the hypervisor indicated by the hypervisor name received from the new virtual machine creation lap unit 224. To create.

  Also, the determination unit 224b of the new virtual machine creation wrap unit 224 determines whether the new virtual machine creation unit 124 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. judge. Then, the log acquisition unit 224 c of the new virtual machine creation wrap unit 224 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the new virtual machine creation unit 124. For example, the log acquisition unit 224c displays the process start time, process end time, operation content, operator name, virtual machine name, hypervisor name, host name of the host on which the virtual machine is created, and the result of the new virtual machine creation process. Whether or not a new virtual machine can be created is stored in the trail log storage unit 212.

  The virtual machine name change wrap unit 225 collects log items related to the virtual machine name change process performed by the virtual machine name change unit 125. Specifically, the relay unit 225a of the virtual machine name change wrap unit 225 receives from the information processing apparatus 10 an operation content indicating that the virtual machine name is changed, an operator name, and a virtual machine whose virtual machine name is to be changed. , The name of the virtual machine after the change, the name of the hypervisor in which the virtual machine whose virtual machine name is to be changed are received, and the received various information is transmitted to the virtual machine name changing unit 125. As a result, the virtual machine name changing unit 125 performs a process of changing the virtual machine name using various information received from the virtual machine name changing lap unit 225.

  Also, the determination unit 225b of the virtual machine name change wrap unit 225 determines whether the virtual machine name change unit 125 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. judge. Then, the log acquisition unit 225 c of the virtual machine name change wrap unit 225 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine name change unit 125. For example, the log acquisition unit 225c is the result of processing start time, processing end time, operation content, operator name, virtual machine name before change, virtual machine name after change, hypervisor name, and virtual machine name change processing. Whether or not the virtual machine name can be changed is stored in the trail log storage unit 212.

  The virtual machine activation lap unit 226 collects log items related to the virtual machine activation process performed by the virtual machine activation unit 126. Specifically, the relay unit 226a of the virtual machine activation lap unit 226 performs an operation content indicating that the virtual machine is activated from the information processing apparatus 10, the operator name, the virtual machine name of the virtual machine to be activated, and the activation target. The name of the hypervisor in which the virtual machine is generated is received, and the received various information is transmitted to the virtual machine activation unit 126. As a result, the virtual machine activation unit 126 performs a process of activating the virtual machine using various information received from the virtual machine activation lap unit 226.

  Further, the determination unit 226b of the virtual machine activation lap unit 226 determines whether the virtual machine activation unit 126 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 226 c of the virtual machine activation lap unit 226 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine activation unit 126. For example, the log acquisition unit 226c, the process start time, the process end time, the operation content, the operator name, the virtual machine name of the virtual machine to be started, the hypervisor name, whether or not the virtual machine can be started as a result of the virtual machine starting process, etc. Is stored in the trail log storage unit 212.

  The virtual machine stop lap unit 227 collects log items related to the virtual machine stop process performed by the virtual machine stop unit 127. Specifically, the relay unit 227a of the virtual machine stop lap unit 227 receives, from the information processing apparatus 10, an operation content indicating that the virtual machine is to be stopped, an operator name, a virtual machine name of the virtual machine to be stopped, and a stop target. The name of the hypervisor in which the virtual machine is generated is received, and the received various information is transmitted to the virtual machine stopping unit 127. Thereby, the virtual machine stop unit 127 performs a process of stopping the virtual machine using various information received from the virtual machine stop lap unit 227.

  Further, the determination unit 227b of the virtual machine stop lap unit 227 determines whether or not the virtual machine stop unit 127 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 227 c of the virtual machine stop lap unit 227 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine stop unit 127. For example, the log acquisition unit 227c, the process start time, the process end time, the operation content, the operator name, the virtual machine name of the virtual machine to be stopped, the hypervisor name, whether or not the virtual machine can be stopped as a result of the virtual machine stop process, etc. Is stored in the trail log storage unit 212.

  The virtual machine movement lap unit 228 collects log items related to the virtual machine movement process performed by the virtual machine movement unit 128. Specifically, the relay unit 228a of the virtual machine moving lap unit 228 operates from the information processing apparatus 10 to indicate the operation contents indicating that the virtual machine is to be moved, the operator name, the path of the virtual machine to be moved, and the virtual machine after the movement. The machine path and the like are received, and the received various information is transmitted to the virtual machine moving unit 128. Note that the “virtual machine path” includes a hypervisor name. Accordingly, the virtual machine moving unit 128 performs a process of moving the virtual machine by changing the virtual machine path to be moved using various information received from the virtual machine moving lap unit 228.

  Further, the determination unit 228b of the virtual machine movement lap unit 228 determines whether or not the virtual machine movement unit 128 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 228 c of the virtual machine movement wrap unit 228 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine movement unit 128. For example, the log acquisition unit 228c, the process start time, the process end time, the operation content, the operator name, the path of the virtual machine to be moved, the path of the virtual machine after the movement, the virtual machine movement that is the result of the virtual machine movement process The availability is stored in the trail log storage unit 212.

  The virtual machine replication wrap unit 229 collects log items related to virtual machine replication processing performed by the virtual machine replication unit 129. Specifically, the relay unit 229a of the virtual machine duplication wrap unit 229 copies, from the information processing apparatus 10, the operation content indicating that the virtual machine is duplicated, the operator name, the virtual machine name of the virtual machine to be duplicated, The virtual machine name of the virtual machine is received, and the received various information is transmitted to the virtual machine duplicating unit 129. As a result, the virtual machine replication unit 129 performs processing for newly generating a virtual machine from the virtual machine to be replicated, using various information received from the virtual machine replication lap unit 229.

  Further, the determination unit 229b of the virtual machine replication wrap unit 229 determines whether or not the virtual machine replication unit 129 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 229 c of the virtual machine replication lap unit 229 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine replication unit 129. For example, the log acquisition unit 229c displays the processing start time, the processing end time, the operation content, the operator name, the virtual machine name of the virtual machine to be replicated, the virtual machine name of the virtual machine after the replication, and the hyper machine on which the virtual machine is replicated. The name of the visor, the virtual machine duplication availability as a result of the virtual machine duplication processing, and the like are stored in the trail log storage unit 212.

  The virtual machine deletion wrap unit 230 collects log items related to the virtual machine deletion process performed by the virtual machine deletion unit 130. Specifically, the relay unit 230a of the virtual machine deletion lap unit 230 performs an operation content indicating that the virtual machine is deleted from the information processing apparatus 10, an operator name, a name of the virtual machine to be deleted, a virtual machine to be deleted. The name of the hypervisor in which the machine is generated is received, and the received various information is transmitted to the virtual machine deletion unit 130. As a result, the virtual machine deletion unit 130 performs a process of deleting the virtual machine to be deleted using various information received from the virtual machine deletion wrap unit 230.

  Further, the determination unit 230b of the virtual machine deletion wrap unit 230 determines whether or not the virtual machine deletion unit 130 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 230 c of the virtual machine deletion wrap unit 230 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine deletion unit 130. For example, the log acquisition unit 230c includes a process start time, a process end time, an operation content, an operator name, a name of a virtual machine to be deleted, a name of a hypervisor in which the virtual machine to be deleted is generated, and a virtual machine deletion process Are stored in the trail log storage unit 212.

  The virtual machine export wrap unit 231 collects log items related to virtual machine export processing performed by the virtual machine export unit 131. Specifically, the relay unit 231a of the virtual machine export wrap unit 231 performs an operation content indicating that the virtual machine is to be exported from the information processing apparatus 10, an operator name, an export target virtual machine name, an export target virtual machine, and the like. The name of the hypervisor in which the machine is generated is received, and the received various information is transmitted to the virtual machine export unit 131. As a result, the virtual machine export unit 131 performs a process of exporting the virtual machine using various information received from the virtual machine export wrap unit 231.

  The determination unit 231b of the virtual machine export wrap unit 231 determines whether the virtual machine export unit 131 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 231c of the virtual machine export lap unit 231 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine export unit 131. For example, the log acquisition unit 231c includes a process start time, a process end time, an operation content, an operator name, an export target virtual machine name, a file name generated by export, a path of the file, an export target virtual machine. Are stored in the trail log storage unit 212. The name of the hypervisor in which the virtual machine is generated, the export availability as a result of the virtual machine export process, and the like are stored.

  The virtual machine import wrap unit 232 collects log items related to the virtual machine import process performed by the virtual machine import unit 132. Specifically, the relay unit 232a of the virtual machine import wrap unit 232 operates from the information processing apparatus 10 to indicate the operation content indicating that the virtual machine is to be imported, the operator name, the name of the file to be imported, the name of the file to be imported. The path, the name of the hypervisor in which the virtual machine to be imported is generated, and the like are received, and the received various information is transmitted to the virtual machine import unit 132. As a result, the virtual machine import unit 132 performs a process of importing the virtual machine using various information received from the virtual machine import wrap unit 232.

  Also, the determination unit 232b of the virtual machine import wrap unit 232 determines whether the virtual machine import unit 132 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 232 c of the virtual machine import wrap unit 232 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the virtual machine import unit 132. For example, the log acquisition unit 232c determines the process start time, process end time, operation content, operator name, import target file name, import target file path, virtual machine name generated by import, virtual machine The name of the hypervisor to be imported, the importability as a result of the virtual machine import process, and the like are stored in the trail log storage unit 212.

  The CPU resource change wrap unit 233 collects log items related to the CPU resource change process performed by the CPU resource change unit 133. Specifically, the relay unit 233a of the CPU resource change wrap unit 233 changes the operation contents, the operator name, and the CPU resource assignment indicating that the CPU resource assigned to the virtual machine is changed from the information processing apparatus 10. The name of the virtual machine to be assigned, the CPU resource amount to be newly allocated, the name of the hypervisor in which the virtual machine to be changed is generated, and the received various information is transmitted to the CPU resource changing unit 133. As a result, the CPU resource changing unit 133 uses the various information received from the CPU resource change wrapping unit 233 to perform processing for changing the CPU resource to be allocated to the virtual machine.

  Further, the determination unit 233b of the CPU resource change wrap unit 233 determines whether or not the CPU resource change unit 133 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 233 c of the CPU resource change wrap unit 233 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the CPU resource change unit 133. For example, the log acquisition unit 233c includes a process start time, a process end time, an operation content, an operator name, a CPU resource amount before change, a CPU resource amount after change, a name of a virtual machine that is a CPU resource change target, a CPU resource change The name of the hypervisor in which the target virtual machine is generated, CPU resource change availability as a result of the CPU resource change process, and the like are stored in the trail log storage unit 212.

  The memory resource change wrap unit 234 collects log items related to the memory resource change process performed by the memory resource change unit 134. Specifically, the relay unit 234a of the memory resource change wrap unit 234 changes the operation content, the operator name, and the memory resource allocation indicating that the memory resource to be allocated to the virtual machine is changed from the information processing apparatus 10. The name of the virtual machine to be assigned, the amount of memory resources to be newly allocated, the name of the hypervisor in which the virtual machine subject to memory resource change is generated, and the received various information are transmitted to the memory resource changing unit 134. As a result, the memory resource changing unit 134 performs a process of changing the memory resource allocated to the virtual machine, using various information received from the memory resource changing wrap unit 234.

  Further, the determination unit 234b of the memory resource change wrap unit 234 determines whether or not the memory resource change unit 134 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 234 c of the memory resource change wrap unit 234 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the memory resource change unit 134. For example, the log acquisition unit 234c displays the process start time, the process end time, the operation content, the operator name, the memory resource amount before the change, the memory resource amount after the change, the name of the virtual machine to which the memory resource is changed, and the memory resource change. The name of the hypervisor in which the target virtual machine is generated, the memory resource change availability as a result of the memory resource change process, and the like are stored in the trail log storage unit 212.

  The disk resource change wrap unit 235 collects log items related to the disk resource change process performed by the disk resource change unit 135. Specifically, the relay unit 235a of the disk resource change wrap unit 235 changes the operation content, the operator name, and the disk resource allocation indicating that the information processing apparatus 10 changes the disk resource allocated to the virtual machine. The name of the virtual machine to be assigned, the amount of the newly allocated disk resource, the name of the hypervisor in which the virtual machine to be changed is created, and the received various information is transmitted to the disk resource changing unit 135. As a result, the disk resource changing unit 135 performs processing for changing the disk resource to be allocated to the virtual machine, using various information received from the disk resource change wrapping unit 235.

  Also, the determination unit 235b of the disk resource change wrap unit 235 determines whether the disk resource change unit 135 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . The log acquisition unit 235c of the disk resource change wrap unit 235 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the disk resource change unit 135. For example, the log acquisition unit 235c performs processing start time, processing end time, operation content, operator name, disk resource amount before change, disk resource amount after change, name of virtual machine for which disk resource is changed, disk resource change The name of the hypervisor in which the target virtual machine is generated, the disk resource change availability as a result of the disk resource change process, and the like are stored in the trail log storage unit 212.

  The hypervisor stop lap unit 236 collects log items related to the hypervisor stop process performed by the hypervisor stop unit 136. Specifically, the relay unit 236a of the hypervisor stop lap unit 236 receives, from the information processing apparatus 10, an operation content indicating that the hypervisor is to be stopped, an operator name, a name of the hypervisor to be stopped, and the like. The received various information is transmitted to the hypervisor stop unit 136. Thereby, the hypervisor stop unit 136 performs a process of stopping the hypervisor using various information received from the hypervisor stop lap unit 236.

  Further, the determination unit 236b of the hypervisor stop lap unit 236 determines whether or not the hypervisor stop unit 136 outputs the acquisition target log item based on the log output presence / absence stored in the log attribute storage unit 211. . Then, the log acquisition unit 236c of the hypervisor stop lap unit 236 stores the detailed log in the trail log storage unit 212 by complementing the log items output by the hypervisor stop unit 136. For example, the log acquisition unit 236c displays the process start time, the process end time, the operation content, the operator name, the name of the hypervisor to be stopped, whether or not the hypervisor can be stopped as a result of the hypervisor stop process, and the like. To store.

[Processing Procedure by Log Management Unit in Embodiment 1]
Next, a processing procedure performed by the log management unit 200 according to the first embodiment will be described with reference to FIG. FIG. 5 is a flowchart illustrating a processing procedure performed by the log management unit 200 according to the first embodiment.

  As illustrated in FIG. 5, the wrap unit 220 of the log management unit 200 determines whether various types of information regarding operations on the computer system 100 have been received from the information processing apparatus 10 (step S101). Here, when the lap unit 220 does not accept various types of information related to operations on the computer system 100 (No in step S101), the lap unit 220 enters a standby state.

  On the other hand, when the wrap unit 220 receives various types of information related to operations on the computer system 100 (Yes in step S101), the lap unit 220 transmits the various types of information to the hypervisor management unit 120 of the computer system 100 (step S102).

  Further, the wrap unit 220 acquires various information corresponding to the operation content received from the information processing apparatus 10 from the log attribute storage unit 211 (step S103). Specifically, the wrap unit 220 acquires from the log attribute storage unit 211 the acquisition target log item, log output presence / absence, log acquisition method, and acquisition log breakdown corresponding to the operation content received from the information processing apparatus 10.

  Then, the wrap unit 220 determines whether the log output presence / absence acquired from the log attribute storage unit 211 is “No” (Step S104). At this time, when the log output presence / absence is “No” (Yes in step S104), the wrap unit 220 determines that the hypervisor management unit 120 of the computer system 100 does not output the acquisition target log item.

  In such a case, the wrap unit 220 acquires the acquisition target log item according to the log acquisition method and the acquisition log breakdown acquired from the log attribute storage unit 211 (step S105). Further, the wrap unit 220 acquires the log item output by the hypervisor management unit 120 of the computer system 100 (step S106). For example, the wrap unit 220 acquires various log items from the hypervisor management unit 120 and the log storage unit 110.

  The wrap unit 220 combines the log item acquired in step S105 and the log item acquired in step S106, and stores the combined log item in the trail log storage unit 212 (step S107).

  On the other hand, when the log output presence / absence acquired from the log attribute storage unit 211 is not “No” (No in step S104), the wrap unit 220 determines that the hypervisor management unit 120 of the computer system 100 outputs the acquisition target log item. To do.

  In such a case, the wrap unit 220 acquires the log item output by the hypervisor management unit 120 of the computer system 100 (step S108). The wrap unit 220 stores the log item acquired in step S108 in the trail log storage unit 212 (step S109).

[Effect of Example 1]
As described above, in the log management system 1 according to the first embodiment, the log management unit 200 acquires log items that are not output by the computer system 100. Thereby, the log management system 1 according to the first embodiment can record trail information of various operations on the computer system 100 by a plurality of system administrators as a log. As a result, the log management system 1 can ensure the security of the computer system 100 by confirming the log recorded as the trail information by the network administrator or the like. Accountability can be fulfilled by checking the log recorded as trail information when a failure occurs.

  In the log management system 1 according to the first embodiment, the log management unit 200 acquires log items, and combines (merges) the acquired log items and the log items output by the computer system 100 to generate a trail log. Store in the storage unit 212. Thereby, the log management system 1 according to the first embodiment can centrally manage the log, which is trail information, in the trail log storage unit 212.

  In addition, the log management unit 200 according to the first embodiment is connected between the information processing apparatus 10 and the computer system 100 that is an existing system, and transmits various information transmitted and received between the information processing apparatus 10 and the computer system 100. By relaying, the log items output by the computer system 100 are complemented. Thereby, the log management system 1 according to the first embodiment can be realized without improving the computer system 100 which is an existing system.

  By the way, the log management system 1 according to the first embodiment may be implemented in various different forms other than the above-described embodiments. Thus, in the second embodiment, another embodiment in the log management system 1 will be described.

[Example of computer system]
As described in the first embodiment, the computer system 100 illustrated in FIGS. 1 and 2 is not limited to the cloud to which the virtualization technology is applied, and any computer system can be used as long as various operations are performed by a plurality of operators. It may be a thing. That is, the log management unit 200 illustrated in FIGS. 1 and 2 is connected between a computer system in which various operations are performed by a plurality of operators and an information processing apparatus used by the operators, so that the computer system The log items output by can be complemented.

[Device that implements the log management unit]
The log management unit 200 illustrated in FIGS. 1 and 2 may be realized by an information processing apparatus connected to the computer system 100 as illustrated in FIG. May be integrated. For example, the log management unit 200 may be realized by an information processing device that implements the hypervisor 111 and the hypervisor management unit 120. The log management unit 200 may be connected to a plurality of computer systems 100 when realized by an information processing apparatus connected to the computer system 100.

[Configuration of log attribute storage]
The log attribute storage unit 211 is not limited to the data structure illustrated in FIG. For example, the log attribute storage unit 211 may store the presence / absence of log output for each log item included in the acquisition target log item.

[Composition of lap part]
In the above description, the example in which the configuration of each processing unit included in the wrap unit 220 is the configuration illustrated in FIG. For example, each of the processing units included in the wrap unit 220 does not have to have a determination unit, and the wrap unit 220 may have one determination unit. Similarly, each processing unit included in the wrap unit 220 does not have to have a log acquisition unit, and the lap unit 220 may have one log acquisition unit. In such a case, one determination unit and log acquisition unit included in the lap unit 220 perform determination processing and log acquisition processing according to instructions from each processing unit such as the login lap unit 221.

[Log Management Program]
The processing executed by the log management unit 200 in the first embodiment is realized by a log management program described in a language that can be executed by a computer. In such a case, the effect described in the first embodiment can be obtained by the computer executing the log management program. The log management program is recorded on a computer-readable recording medium, and the log management program recorded on the recording medium is read by the computer and executed, thereby realizing the same processing as in the first embodiment. Also good. Hereinafter, an example of a computer that executes a log management program that realizes the same function as that of the log management unit 200 will be described with reference to FIG.

  FIG. 6 is a diagram illustrating a computer 1000 that executes a log management program. As illustrated in FIG. 6, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. For example, a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050. For example, a display 1061 is connected to the video adapter 1060.

  Here, as shown in FIG. 6, the hard disk drive 1031 stores, for example, a program for realizing an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. That is, the log management program is stored in, for example, the hard disk drive 1031 as a program module in which a command executed by the computer 1000 is described.

  In addition, data used for information processing realized by the log management program, such as data stored in the log attribute storage unit 211 and the trail log storage unit 212 described in the first embodiment, is, for example, memory as program data. 1010 and the hard disk drive 1031. Then, the CPU 1020 reads the program module and program data stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes the wrapping procedure.

  Note that the log management program is not limited to being stored in the hard disk drive 1031, and may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like, for example. Alternatively, the log management program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network) and read by the CPU 1020 via the network interface 1070. .

[Others]
In addition, among the processes described in the above embodiment, all or a part of the processes described as being automatically performed can be manually performed, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Each processing function performed in each device may be realized in whole or in part by a CPU and a program that is analyzed and executed by the CPU, or may be realized as hardware by wired logic.

DESCRIPTION OF SYMBOLS 1 Log management system 10 Information processing apparatus 100 Computer system 110 Log storage part 111 Hypervisor 120 Hypervisor management part 200 Log management part 211 Log attribute storage part 212 Trail log storage part 220 Lap part 221 Login wrap part 221a Relay part 221b Judgment part 221c Log acquisition unit

Claims (6)

Operation contents indicating an operation performed on a predetermined computer system, an acquisition target log item that is a log item to be acquired when the operation is performed, and the computer system when the operation is performed A log attribute storage unit that stores log output presence / absence indicating whether or not to output the acquisition target log item, and a log acquisition method that is a method of acquiring the acquisition target log item;
When a predetermined operation content for the computer system is received, the computer system outputs an acquisition target log item corresponding to the predetermined operation content based on the log output presence / absence stored in the log attribute storage unit A determination unit for determining whether or not
When the determination unit determines that the computer system does not output the acquisition target log item, the acquisition target log is stored by the log acquisition method stored in the log attribute storage unit in association with the predetermined operation content. A log management system comprising: a log acquisition unit that acquires items. The log attribute storage unit
A plurality of acquisition target log items are stored for one operation content, and log output presence / absence is stored for each of the plurality of acquisition target log items,
The determination unit
Based on the presence or absence of log output stored in the log attribute storage unit, the computer system determines whether to output each acquisition target log item corresponding to the predetermined operation content,
The log acquisition unit
Among the acquisition target log items corresponding to the predetermined operation content, an acquisition target log item determined by the determination unit that the computer system does not output is acquired, and the acquired log item and the log output by the computer system The log management system according to claim 1, wherein items are associated with each other and stored in a predetermined storage unit. A log management device having the log attribute storage unit, the determination unit, and the log acquisition unit is connected between the computer system and an information processing device that operates the computer system,
The log management device includes:
The log management system according to claim 1, further comprising: a relay unit that receives operation information for operating the computer system from the information processing apparatus and relays the received operation information to the computer system. . A log management method in a log management system including a predetermined computer system and a log management device,
The computer as the log management device is:
Operation content indicating an operation performed on the computer system, an acquisition target log item that is a log item to be acquired when the operation is performed, and the computer system performs the operation when the operation is performed Functions as a log attribute storage unit that stores log output presence / absence indicating whether or not to acquire an acquisition target log item and a log acquisition method that is a method of acquiring the acquisition target log item;
When a predetermined operation content for the computer system is received, the computer system outputs an acquisition target log item corresponding to the predetermined operation content based on the log output presence / absence stored in the log attribute storage unit A determination step of determining whether or not,
When it is determined in the determination step that the computer system does not output the acquisition target log item, the acquisition target log is stored by the log acquisition method stored in the log attribute storage unit in association with the predetermined operation content. A log management method comprising: a log acquisition step of acquiring items. Operation contents indicating an operation performed on a predetermined computer system, an acquisition target log item that is a log item to be acquired when the operation is performed, and the computer system when the operation is performed A log attribute storage unit that stores log output presence / absence indicating whether or not to output the acquisition target log item, and a log acquisition method that is a method of acquiring the acquisition target log item;
When a predetermined operation content for the computer system is received, the computer system outputs an acquisition target log item corresponding to the predetermined operation content based on the log output presence / absence stored in the log attribute storage unit A determination unit for determining whether or not
When the determination unit determines that the computer system does not output the acquisition target log item, the acquisition target log is stored by the log acquisition method stored in the log attribute storage unit in association with the predetermined operation content. A log management apparatus comprising: a log acquisition unit that acquires items. A log management program for causing a log management device to execute,
The computer as the log management device is:
Operation contents indicating an operation performed on a predetermined computer system, an acquisition target log item that is a log item to be acquired when the operation is performed, and the computer system when the operation is performed Functions as a log attribute storage unit that stores presence / absence of log output indicating whether to output the acquisition target log item and a log acquisition method that is a method of acquiring the acquisition target log item;
The log management program is:
When a predetermined operation content for the computer system is received, the computer system outputs an acquisition target log item corresponding to the predetermined operation content based on the log output presence / absence stored in the log attribute storage unit A determination procedure for determining whether or not,
When it is determined in the determination procedure that the computer system does not output an acquisition target log item, the acquisition target log is stored by the log acquisition method stored in the log attribute storage unit in association with the predetermined operation content. A log management program for causing the log management apparatus to execute a log acquisition procedure for acquiring items.

Images