JP7110063B2 - LOG ANALYSIS SUPPORT SYSTEM AND LOG ANALYSIS SUPPORT METHOD - Google Patents

Description

The present invention relates to a log analysis support system and a log analysis support method.

In recent years, there have been reports of various damages caused by increasingly active cybercrime, such as the leakage of confidential information and customer information due to targeted attacks, system destruction due to the spread of ransomware, and the resulting service outages. External cyberattacks use methods such as sending malware through websites, e-mails, etc., exploiting vulnerabilities in systems, gaining authority, and proceeding with attacks.

Security incidents caused by fraudulent actions by insiders of organizations have also become a major problem. Cases of internal improprieties have been reported in multiple organizations, and organizations that have suffered internal improprieties have suffered great damage, including loss of credibility and a large amount of compensation for damages. Under these circumstances, there is growing interest in countermeasures against internal improprieties.

In such attacks, malware customized specifically for a specific organization is used, or unauthorized operations are performed by insiders of the organization with authority. Conventional countermeasures such as Therefore, it is important to collect various logs and comprehensively analyze the situation to understand the attack situation and take appropriate countermeasures. However, in these methods, characteristic logs, malware, etc. are often clues to detect attacks, but especially in the case of fraud by an insider of an organization, the insider has authority from the beginning. There are many cases, and the difference between fraudulent activity and normal business is not clear.

Although there are products suitable for log analysis such as SIEM (Security Information and Event Management), there are not many organizations that have the know-how to analyze internal improprieties, making it difficult to utilize logs. ing. Due to lack of skills and equipment, trying to analyze huge logs requires a lot of effort and ends up with no meaningful information.

Therefore, what is important is a technology that appropriately aggregates a huge amount of logs and makes it possible to handle them in a form that is easy to interpret and reuse. In this respect, for the purpose of ensuring accountability in an IT (Information Technology) system, a technology has been disclosed in which logs are aggregated into higher concepts in units that meet specific conditions and reported (see Patent Literature 1). With this technology, it is difficult to interpret individual logs, but by prescribing meaningful units in advance and reporting in accordance with them, the point of focus becomes clear and the logs are easy to interpret. Become.

Japanese Patent No. 4667359

However, the technology described in Patent Literature 1 aggregates logs in units that meet specific conditions set in advance. This aggregation unit and its conditions must be set in advance and are fixed in principle. This method is considered to be effective under certain conditions, but in practice, appropriate aggregation units and their conditions depend on the purpose of log analysis, method, characteristics of logs to be handled, available log items, It is considered that it depends on various factors such as computer resources and human resources. For this reason, it is desirable to be able to flexibly adjust for each organization and for each phase. Attempting to achieve this manually would require a great deal of labor for customization, which is not realistic.

SUMMARY OF THE INVENTION The present invention has been made in consideration of the above points, and intends to propose a log analysis support system capable of easily and appropriately aggregating logs.

In order to solve this problem, in the present invention, based on the aggregation condition element information that defines the application targets that can classify the data of the log data items, among the log data items related to the analysis target, the application target A specifying unit for specifying corresponding data items as aggregation conditions and an output unit for outputting the aggregation conditions specified by the specifying unit are provided.

In the above configuration, for example, by a simple operation such as specifying a log related to the analysis target, among the data items of the log related to the analysis target, the data item corresponding to the application target is specified as the aggregation condition and output. be. Also, for example, even if the name of the data item to be analyzed is changed, if the classification of the data is the same, the data item is appropriately identified as the aggregation condition.

According to the present invention, logs can be collected easily and appropriately.

It is a figure showing an example of composition concerning a log analysis support system by a 1st embodiment. 2 illustrates an example hardware configuration of a server according to the first embodiment; FIG. FIG. 4 is a diagram showing an example of non-aggregated log information according to the first embodiment; FIG. FIG. 7 is a diagram illustrating an example of post-aggregation log information according to the first embodiment; FIG. FIG. 7 is a diagram illustrating an example of post-aggregation log detailed information according to the first embodiment; It is a figure which shows an example of the aggregation condition element information by 1st Embodiment. FIG. 4 is a diagram showing an example of post-aggregation item element information according to the first embodiment; FIG. 4 is a diagram showing an example of aggregation condition information according to the first embodiment; FIG. It is a figure which shows an example of the post-aggregation item information by 1st Embodiment. FIG. 4 is a diagram showing an example of aggregate template information according to the first embodiment; FIG. FIG. 6 is a diagram showing an example of a flowchart relating to log aggregation processing according to the first embodiment; FIG. 7 is a diagram showing an example of a flowchart relating to aggregation template update processing according to the first embodiment; FIG. 7 is a diagram showing an example of input/output related to updating of an aggregation template according to the first embodiment;

One embodiment of the present invention will be described in detail below with reference to the drawings. In the following embodiments, mainly for log analysis, a configuration is described in which log aggregation units can be adjusted to meet various requirements with little effort by utilizing the knowledge accumulated during operation. do. However, the present invention is not limited to the following embodiments, and can be configured in various modifications and applications.

In the following description, when the same type of elements are described without distinguishing between them, common parts (parts excluding the branch numbers) of the reference numerals including the branch numbers are used to distinguish between the same types of elements. In some cases, reference signs with branch numbers are used. For example, when the operation targets are described without distinguishing them, the term “operation target 304” is used. Operation target 304_2" may be described.

(1) First Embodiment In FIG. 1, 1 indicates a log analysis support system according to the first embodiment as a whole.
(System configuration example)
FIG. 1 is a diagram showing an example of the configuration of a log analysis support system 1. As shown in FIG. An example in which the log analysis support system 1 includes a plurality of programs installed in the server 100 and operating on the server 100 and a plurality of data stored in the server 100 will be described below. Server 100 is communicably connected to each of one or more terminals 120 (denoted as terminal 120_N) and management terminal 130 via network 140 .

Server 100, for example, the log of terminal 120_N used by one or more users 150 (denoted as user 150_N), the log of equipment (for example, switch, router, firewall) related to network 140, the log of server 100 itself, etc. is a computer used by the administrator 160 to analyze the

The functions of the server 100 (the storage unit 101, the log acquisition unit 102, the log aggregation unit 103, the template update unit 104, the communication unit 105, etc.) are stored in the storage device 203 by the CPU (Central Processing Unit) 201 shown in FIG. It may be realized by reading the stored program into the memory 202 and executing it (software), it may be realized by hardware such as a dedicated circuit, or it may be realized by combining software and hardware. good too. Also, part of the functions of the server 100 may be implemented by another computer that can communicate with the server 100 .

The storage unit 101 stores unaggregated log information 111, aggregated log information 112, aggregated log detailed information 113, aggregated condition element information 114, aggregated item element information 115, aggregated condition information 116, aggregated item information 117, and aggregated log information 111. It manages the template information 118 (for example, stores it in the storage device 203 which will be described later).

The unaggregated log information 111 is information of logs of internal or external devices (for example, logs of the server 100, logs of the terminal 120_N, logs of devices related to the network 140).

Aggregated log information 112 is information in which a part of the log stored in the aggregated log information 111 is aggregated and replaced.

Aggregated log detailed information 113 is detailed information of aggregated logs (aggregated logs) among the information included in the aggregated log information 112 .

Aggregation condition element information 114 is information serving as a basic element for creating a template (aggregation template) for aggregating logs stored in unaggregated log information 111 and aggregated log information 112, and is an analysis target. This is information about log identification conditions (abstract identification conditions). The aggregation condition element information 114 defines, for example, application targets (for example, data types) that can classify the data of log data items (log items). Data types include, for example, classification (number data, character data, etc.), data type (INTEGER, CHARACTER, etc.), data type code (241 (decimal number), 197 (decimal number), etc.), data storage length (8 bytes, n bytes, etc.), and data formats (integers, fixed-length character strings, etc.).

Post-aggregation item element information 115 is information serving as basic elements for creating an aggregation template, and is information on a calculation method (abstraction calculation method) for calculating the value of the data item of the post-aggregation log.

Aggregation condition information 116 contains, for abstracted identification conditions stored in aggregation condition element information 114, identification conditions (concrete identification conditions).

Post-aggregation item information 117 is a calculation method (specifically This is information about the standardized calculation method).

Aggregation template information 118 includes information (aggregation template) for aggregating logs stored in unaggregated log information 111 and information (aggregation template) for aggregating logs stored in post-aggregation log information 112. information that can be included.

Examples of such information will be described later with reference to FIGS. 3 to 10. FIG.

The log acquisition unit 102 acquires, for example, various logs generated in the terminal 120_N via the communication unit 105 and stores them as unaggregated log information 111 via the storage unit 101 . Note that the log acquisition unit 102 may acquire a log by transmitting an instruction to the terminal 120_N, or may receive a log transmitted from the terminal 120_N at an appropriate timing (when a log occurs, periodically, etc.). It may be obtained by , or may be obtained by other methods.

The log aggregation unit 103 refers to, for example, the aggregation condition element information 114, the post-aggregation item element information 115, the aggregation condition information 116, the post-aggregation item information 117, and the aggregation template information 118, and aggregates the logs of the unaggregated log information 111. and stored as post-aggregation log information 112 and post-aggregation log detailed information 113 via the storage unit 101 . Further, the log aggregating unit 103, for example, refers to the aggregation condition element information 114, the post-aggregation item element information 115, the aggregation condition information 116, the post-aggregation item information 117, and the aggregation template information 118, and collects the post-aggregation log information 112. Logs are aggregated and stored as post-aggregation log information 112 and post-aggregation log detailed information 113 via the storage unit 101 .

The template updating unit 104 updates the aggregation condition information based on, for example, logs related to analysis targets (for example, logs selected by the administrator 160, logs created by the administrator 160, and logs collected by the administrator 160). 116, post-aggregation item information 117, and aggregation template information 118 are updated. Further, the template updating unit 104 creates, for example, candidates for updating the aggregation condition information 116, the post-aggregation item information 117, and the aggregation template information 118, presents them to the administrator 160, and furthermore, based on the judgment of the administrator 160. Then, the aggregation condition information 116, the post-aggregation item information 117, and the aggregation template information 118 are updated.

More specifically, template updating unit 104 includes specifying unit 106 , output unit 107 , and receiving unit 108 .

For example, based on the aggregation condition element information 114, the specifying unit 106 specifies the data item corresponding to the application target among the data items of the log related to the analysis target as the aggregation condition.

The output unit 107 outputs the aggregation conditions specified by the specifying unit 106, for example. Here, the output may be output to the output device 206 shown in FIG. It may be transmission of an e-mail to a mail address, recording via the storage unit 101, or other output. The administrator 160 can easily adjust the aggregation conditions to match the operation by grasping the output aggregation conditions.

For example, the receiving unit 108 receives log information selected via the management terminal 130 as a log to be analyzed. For example, the administrator 160 can obtain the aggregation conditions by selecting logs to be analyzed from the acquired data.

Further, the output unit 107 outputs the aggregation conditions specified by the specifying unit 106 to the management terminal 130 as aggregation condition candidates, and the reception unit 108 selects from the aggregation condition candidates via the management terminal 130. Accepts conditions for aggregated aggregates. According to such a configuration, the aggregation conditions can be adjusted more appropriately in view of the operation.

The communication unit 105 communicates with the terminal 120_N via the network 140 . Also, the communication unit 105 communicates with the management terminal 130 via the network 140 .

The functions of the terminal 120_N (communication unit 121, log collection unit 122, input/output unit 123, etc.) are realized by, for example, a CPU (not shown) reading a program stored in a storage device into a memory and executing it (software) be done. The communication unit 121 communicates with the server 100 via the network 140 . The log collection unit 122 collects information (time, operation type, operation target, process name, etc.) related to operations and processes performed on the terminal 120_N, and records the information as a log. The input/output unit 123 inputs and outputs data via an interface capable of accepting operations by the user 150_N.

The functions of the management terminal 130 (communication unit 131, input/output unit 132, etc.) are implemented by, for example, a CPU (not shown) reading a program stored in a storage device into a memory and executing the program (software). The communication unit 131 communicates with the server 100 via the network 140 . The input/output unit 132 inputs and outputs data via an interface capable of accepting operations by the administrator 160 .

(Hardware configuration example)
Next, the hardware configuration of the server 100 will be explained. FIG. 2 is a diagram showing an example of the hardware configuration of the server 100. As shown in FIG.

The server 100 includes a CPU 201 , a memory 202 , a storage device 203 , a communication device 204 , an input device 205 , an output device 206 and a bus 207 .

The CPU 201 is a central processing unit, and implements functions necessary for the server 100 by executing programs held in the memory 202 or the storage device 203 . The memory 202 is a main memory used when the CPU 201 executes processing, and is composed of a volatile memory element such as a RAM (Random Access Memory). A storage device 203 is an auxiliary storage device for storing input data to be input to the CPU 201 and output data to be output from the CPU 201. The storage device 203 is composed of appropriate nonvolatile storage elements such as a hard disk drive and an SSD (Solid State Drive). . The communication device 204 is a communication device used by the server 100 to communicate with an external device, and is configured by a network interface card (NIC) or the like. The input device 205 is an interface that receives input from an operator, and is composed of a keyboard, touch panel, card reader, voice input device, and the like. The output device 206 is an interface that outputs data to the operator, and is composed of a display, a speaker, a printer, and the like. A bus 207 is a communication path that connects the CPU 201 , memory 202 , storage device 203 , communication device 204 , input device 205 and output device 206 .

(Data structure example)
Next, data used by the log analysis support system 1 will be described.

FIG. 3 is a diagram showing an example of the unaggregated log information 111 (unaggregated log table 300). The unaggregated log table 300 is a table for storing logs (log data) transmitted from the terminal 120_N. The unaggregated log table 300 has log ID (identification) 301, time 302, operation type 303, first operation target 304_1, second operation target 304_2, and process name 305 as data items.

A log ID 301 is identification information uniquely assigned to a log (each record). The time 302 is the time when the log was recorded, which is set for the log. The operation type 303 indicates the operation type of the log. Operation types include, for example, operations such as opening a file, updating a file, copying a file, and communicating. The operation target 304 is an item that stores parameter values related to the operation. For example, when the operation type 303 is file copy, the first operation target 304_1 corresponds to the copy source file path, and the second operation target 304_2 corresponds to the copy destination file path. The process name 305 is the name of the process that performed the operation (process) that caused the log to be recorded.

In this embodiment, the data items included in the log data acquired by the terminal 120_N and transmitted to the server 100 are stored in the unaggregated log table 300 as log ID 301, time 302, operation type 303, operation target 304, and process name 305. is shown as a configuration example. However, these data items may be changed appropriately according to the available log items. In addition, logs in the server 100, logs of devices on the network 140, etc. may be used instead of the logs acquired by the terminal 120_N. Further, when using a plurality of types of logs, a configuration may be adopted in which a plurality of tables corresponding to the unaggregated log table 300 are prepared and the logs are stored in separate tables for each type.

Note that when the target of log aggregation is a terminal 120 unit, the unaggregated log table 300 may be provided for each terminal 120, and the data items of the unaggregated log table 300 may be terminal IDs (for terminals 120). uniquely assigned identification) may be provided.

FIG. 4 is a diagram showing an example of the aggregated log information 112 (aggregated log table 400). The post-aggregation log table 400 is a table that stores a result obtained by aggregating and replacing part of the logs stored in the unaggregated log table 300 . The aggregated log table 400 has log ID 401, time 402, and operation type 403 as data items.

The log ID 401 is identification information uniquely assigned to a log or identification information uniquely assigned to an aggregated log. The time 402 is the time when the log was recorded or the time when the aggregated log was recorded. Note that the post-aggregation log is the time when the log representative of the post-aggregation log was recorded. The operation type 403 indicates the operation type of logs or the operation type of aggregated logs.

FIG. 5 is a diagram showing an example of the aggregated log detail information 113 (aggregated log detail table 500). The post-aggregation log detail table 500 is a table that stores detailed information on the post-aggregation log among the logs included in the post-aggregation log table 400 . Aggregated log detail table 500 has log ID 501, log item 502, and value 503 as data items.

The log ID 501 is identification information for linking the post-aggregation log stored in the post-aggregation log table 400 and the detailed information of the post-aggregation log. The log item 502 is the name of the data item (item name) of the post-aggregation log. A value 503 is the value of the data item of the post-aggregation log.

FIG. 6 is a diagram showing an example of the aggregation condition element information 114 (aggregation condition element template table 600). The aggregation condition element template table 600 is information serving as basic elements for creating an aggregation template, and is a table for storing information on identification conditions (abstract identification conditions) of logs to be analyzed. The aggregate conditional element template table 600 has conditional element ID 601, application target 602, description 603, and calculation code 604 as data items.

A condition element ID 601 is identification information uniquely assigned to an element of conditions for aggregation (each record of the aggregation condition element template table 600). The applicable object 602 is the type of data for which the condition can be determined. A description 603 is a description of the content of the condition. The calculation code 604 indicates the storage location of the program for determining the condition.

FIG. 7 is a diagram showing an example of the post-aggregation item element information 115 (post-aggregation item element template table 700). The post-aggregation item element template table 700 is information serving as basic elements for creating an aggregation template, and is a table for storing information on a calculation method (abstraction calculation method) of post-aggregation log items. The aggregated item element template table 700 has item element IDs 701, application targets 702, descriptions 703, and calculation codes 704 as data items.

The item element ID 701 is identification information uniquely assigned to a data item element (each record of the post-aggregation item element template table 700). The applicable target 702 is the type of data for which the value of the data item can be calculated. The description 703 describes how to calculate the value of the data item. The calculation code 704 indicates the storage location of the program for calculating the value of the data item.

FIG. 8 is a diagram showing an example of the aggregation condition information 116 (aggregation condition table 800). The aggregation condition table 800 contains, for the abstracted identification conditions stored in the aggregation condition element template table 600, identification conditions (specific This is a table for storing the converted identification conditions). The aggregation condition table 800 has condition IDs 801, targets 802, aggregation condition elements 803, application target items 804, and parameters 805 as data items.

A condition ID 801 is identification information uniquely assigned to a specific condition of aggregation (each record of the aggregation condition table 800). The target 802 indicates the type of log to be identified according to the conditions. The aggregation condition element 803 is a value that designates a template stored in the aggregation condition element template table 600 that defines the determination method of the condition. This value is set based on the conditional element ID 601 . The application target item 804 is a value that specifies the item name of the log item that is the target of the condition determination. A parameter 805 designates a specific value as a criterion for the condition.

FIG. 9 is a diagram showing an example of the post-aggregation item information 117 (post-aggregation item table 900). The post-aggregation item table 900 contains, for the abstracted calculation methods stored in the post-aggregation item element template table 700, a calculation method ( This is a table for storing information on a specific calculation method). The post-aggregation item table 900 has item IDs 901, targets 902, post-aggregation item elements 903, application target items 904, and new item names 905 as data items.

The item ID 901 is identification information uniquely assigned to a specific data item to be aggregated (each record of the post-aggregation item table 900). The target 902 indicates the type of log that is an input source of information to the calculation method of the value of the data item. The post-aggregation item element 903 is a value specifying a template stored in the post-aggregation item element template table 700 that defines the calculation method. This value is set based on the item element ID 701 . The applicable item 904 is a value that specifies a log item that serves as an input source of information to the calculation method. The new item name 905 designates the item name of the log item after aggregation of the value calculated by the calculation method.

FIG. 10 is a diagram showing an example of the aggregation template information 118 (aggregation template table 1000). Aggregation template table 1000 is a table for storing aggregation templates. Aggregation template table 1000 has aggregation ID 1001, operation type 1002, aggregation condition 1003, and post-aggregation item 1004 as data items.

Aggregation ID 1001 is identification information uniquely assigned to an aggregation template (each record of aggregation template table 1000). The operation type 1002 is the name of a new operation type assigned to the post-aggregation log. Aggregation conditions 1003 specify conditions for identifying logs to be aggregated by the aggregation template. As for this condition, the condition stored in the aggregation condition table 800 is specified by the condition ID 801 . The post-aggregation item 1004 designates the log item aggregated by the aggregation template and the method for calculating the value thereof. Regarding this calculation method, the calculation method stored in the post-aggregation item table 900 is specified by the item ID 901 .

(Processing flow example)
Next, processing related to log aggregation (log aggregation processing) will be described with reference to FIG. 11 . FIG. 11 is a diagram illustrating an example of a flowchart relating to log aggregation processing. The log aggregation process is started at a predetermined timing (for example, periodically, at a predetermined time, at a timing instructed by the administrator 160 or the like).

In step S1101, the log acquisition unit 102 acquires a log from the terminal 120_N (for example, receives a log transmitted from the terminal 120_N).

In step S<b>1102 , the log acquisition unit 102 stores the acquired log in the unaggregated log table 300 .

The log aggregation unit 103 is activated, for example, when the unaggregated log table 300 is updated by the log acquisition unit 102, and executes log aggregation processing (steps S1103 to S1110).

In step S<b>1103 , the log aggregation unit 103 refers to the aggregation template table 1000 and acquires all records (list of aggregation templates) stored in the aggregation template table 1000 .

In step S1104, the log aggregation unit 103 performs the processing of steps S1105 to S1110 for each acquired record (aggregation template).

In step S1105, the log aggregation unit 103 refers to the aggregation condition table 800 to obtain the aggregation condition record having the condition ID 801 corresponding to the aggregation condition 1003 of the aggregation template. A record of the post-aggregation item having the item ID 901 corresponding to the post-aggregation item 1004 of the aggregation template is acquired.

For example, when the log aggregation unit 103 processes a record whose aggregation ID 1001 is "G1", as shown in FIG. By referring to the aggregation condition table 800, the record with the condition ID 801 of "S1", the record with the condition ID 801 of "S2", and the record with the condition ID 801 of "S3" are acquired. In addition, since "K1, K2, K3, K4, K5" are set in the post-aggregation item 1004, the log aggregation unit 103 refers to the post-aggregation item table 900 to find the record whose item ID 901 is "K1". , the record with the item ID 901 of "K2", the record with the item ID 901 of "K3", the record with the item ID 901 of "K4", and the record with the item ID 901 of "K5" are acquired.

In step S1106, the log aggregation unit 103 refers to the aggregation condition element template table 600 to obtain records of aggregation condition elements having condition element IDs 601 corresponding to the aggregation condition elements 803 of the acquired aggregation condition records. The post-aggregation item element template table 700 is referenced to acquire the post-aggregation item element record having the item element ID 701 corresponding to the post-aggregation item element 903 of the post-aggregation item record.

For example, when the log aggregation unit 103 acquires a record of the aggregation condition with the condition ID 801 of “S1”, as shown in FIG. By referring to the element template table 600, the record of the aggregate condition element whose condition element ID 601 is "R1" is acquired. In addition, when the log aggregation unit 103 acquires a record with the condition ID 801 of “S2” and an aggregation condition with the condition ID 801 of “S3”, the log aggregation unit 103 acquires a record with the aggregation condition element with the condition element ID 601 of “R2” and an aggregation condition with the condition element ID 601 of “R3”. Similarly, retrieve the records of the aggregate condition element of .

For example, when the log aggregating unit 103 acquires the record of the post-aggregation item whose item ID 901 is “K1”, “C1” is set in the post-aggregation item element 903 as shown in FIG. Therefore, the post-aggregation item element template table 700 is referenced, and the record of the post-aggregation item element having the item element ID 701 of "C1" is acquired. In other words, when the log aggregating unit 103 acquires the record of the post-aggregation item whose item ID 901 is “K2”, it similarly acquires the record of the post-aggregation item element whose item element ID 701 is “C2”. acquires the record of the post-aggregation item of "K3" and the record of the post-aggregation item of "K4", similarly acquires the record of the post-aggregation item of which the item element ID 701 is "C3", and the record of the post-aggregation item whose item ID 901 is "K5 , the record of the post-aggregation item element whose item element ID 701 is "C4" is similarly acquired.

In step S1107, the log aggregation unit 103 refers to the calculation code 604 of the acquired aggregation condition element record, accesses the calculation program file specified by the calculation code 604, and acquires the calculation program file. , refers to the calculation code 704 of the record of the post-aggregation item element, accesses the calculation program file specified by the calculation code 704, and acquires the calculation program file.

In step S<b>1108 , the log aggregation unit 103 refers to the unaggregated log table 300 and searches for a matching portion in the aggregation template stored in the aggregation template table 1000 . More specifically, based on the conditions set in the aggregation condition 1003 of the aggregation template, the non-aggregated log table 300 is scanned for the log items specified by the application target item 804, and the item is specified by the parameter 805. It is determined by executing the program specified by the calculation code 604 whether or not the above conditions are satisfied.

For example, when the log aggregation unit 103 is to process the record with the aggregation ID 1001 of "G1", in step S1105, the log aggregation unit 103 acquires the record with the condition ID 801 of "S1", "S2", and "S3". is doing. Further, the log aggregation unit 103 acquires the calculation program files “C:\r1.exe” to “C:\r3.exe” specified by the calculation code 604 in step S1107.

In the log aggregation unit 103, in the record with the condition ID 801 of "S1", the application target item 804 is "time". Execute the program "C:\r1.exe" of the calculation code 604, and check whether the obtained result satisfies "max: 10" of the parameter 805 (in this example, the operation performed within 10 seconds ) is determined for each record.

In addition, since the application target item 804 is "operation type" in the record with the condition ID 801 of "S2", the log aggregation unit 103 determines that the operation type 303 of the unaggregated log table 300 is The program "C:\r2.exe" of the calculation code 604 indicated in the record is executed, and whether or not the obtained result satisfies the parameter 805 "file copy" is determined for each record.

In addition, since the application target item 804 is “process name” in the record with the condition ID 801 of “S3”, the log aggregation unit 103 determines that the process name 305 of the unaggregated log table 300 is Execute the program "C:\r3.exe" of the calculation code 604 shown in the record, and check whether the obtained result satisfies "-" of the parameter 805 (in this example, whether the process name is the same or not) is determined for each record.

In the above example, the conditions for consolidation are that the logs are acquired within 10 seconds from the immediately preceding log, the operation type is "file copy", and the process name is the same. Therefore, in this example, the log aggregating unit 103 identifies the record with the log ID 301 of "Raw1", the record of "Raw2", and the record of "Raw3" as records that satisfy the aggregation conditions (all conditions).

However, it is not limited to the above processing. For example, when a plurality of conditions are set as conditions for aggregation, records that satisfy the conditions for aggregation may be specified if the rate of satisfying the conditions is higher than a threshold value. Further, for example, a weight is set for each condition (for example, a weight item is provided in the data item of the aggregation condition table 800 and a weight is set), and if the sum of the weights is higher than the threshold, the aggregation It may be identified as a record that satisfies the conditions of In other words, the log aggregating unit 103 may aggregate logs satisfying part of the conditions for aggregation. In this way, when judging logs to be aggregated, it is possible to increase robustness against lack of information while maintaining the significance of aggregation by allowing some information to be missing and values to fluctuate slightly. can.

In step S1109, the log aggregation unit 103 determines whether or not there is a matching portion (whether or not there are a plurality of logs satisfying the aggregation conditions set in the aggregation conditions 1003 of the aggregation template). If the log aggregating unit 103 determines that there is a matching portion, the process proceeds to step S1110, and if it determines that there is no matching portion, and if there is an unprocessed record (aggregation template), the processing target is shifted to the next record. When there is no unprocessed record, the log aggregation process ends.

In step S1110, the log aggregating unit 103 generates a log by aggregating the logs satisfying the conditions, updates the post-aggregation log table 400 and the post-aggregation log detail table 500, and unprocessed records (aggregation templates) are generated. If there is, the processing target is moved to the next record, and if there is no unprocessed record, the log aggregation processing ends.

More specifically, the log aggregating unit 103 refers to the log items specified in the application target item 904 based on the contents described in the post-aggregation item 1004 of the aggregation template, and calculates the value by referring to logs that satisfy the conditions. By acquiring and inputting to the program specified by the calculation code 704, the item value after aggregation is obtained. The log aggregation unit 103 creates a new record in the post-aggregation log table 400, creates a new ID in the log ID 401, and stores in time 402 the time of the log that satisfies the above conditions and has the smallest value. , the value specified by the operation type 1002 is newly stored in the operation type 403 . In addition, the log aggregation unit 103 creates new records by the number specified in the post-aggregation item 1004 in the post-aggregation log detail table 500, stores the new ID generated in the log ID 401 in the log ID 501, The value specified by the new item name 905 is stored in the log item 502, and the item value after aggregation is stored in the value 503. FIG.

For example, when the record with the aggregation ID 1001 of "G1" is to be processed, the log aggregation unit 103 aggregates the record with the log ID 301 of "Raw1", "Raw2", and "Raw3" in step S1108. Identifies records that meet the criteria. Further, in step S1105, the log aggregating unit 103 acquires the records with the item ID 901 of "K1" to "K5". Further, the log aggregation unit 103 acquires the calculation program files “C:\c1.exe” to “C:\c4.exe” specified by the calculation code 704 in step S1107.

In the record with the item ID 901 of "K1", the application target item 904 is "time". :\c1.exe” to obtain the minimum value “00:00:01” of the time 302 as the value of the “start time” of the new item name 905 .

In the record with the item ID 901 of "K2", the application target item 904 is "time". :\c2.exe” to acquire the maximum value “00:00:05” of the time 302 as the value of the “end time” of the new item name 905 .

In the record with the item ID 901 of "K3", the application target item 904 is the "first operation target". Execute the program "C:\c3.exe" of the calculation code 704 and set the common part "C:\a\" of the first operation target 304_1 as the value of the "first operation target" of the new item name 905. get.

In the record with the item ID 901 of "K4", the application target item 904 is the "second operation target". Execute the program "C:\c3.exe" of the calculation code 704 and set the common part "D:\b\" of the second operation target 304_2 as the value of the "second operation target" of the new item name 905. get.

In the record with the item ID 901 of "K5", the application target item 904 is "- (not specified)". C:\c4.exe" is executed to acquire the aggregate number "3" as the value of the "number of occurrences" of the new item name 905.

The above is an example of log aggregation processing. That is, the storage unit 101 stores the aggregation conditions specified by the specifying unit 106 as the aggregation condition information 116, and the log aggregation unit 103 aggregates the logs based on the aggregation condition information 116 stored in the storage unit 101. . Further, based on the aggregation condition element information 114, the specifying unit 106 specifies the value of the specified data item from the log related to the analysis target as a parameter. , and the parameters and the application targets related to the conditions of aggregation are associated with each other and stored as aggregation condition information 116 . Further, the log aggregating unit 103 executes a program associated with the application target related to the aggregation condition specified by the specifying unit 106, and extracts, from the analysis target logs, logs satisfying the aggregation condition as aggregation targets. do. In this way, by configuring aggregation conditions with fixed conditions (e.g., application target, program file for calculation) and variable conditions (e.g., parameters), the aggregation conditions are given a degree of freedom. while being able to easily adjust. Also, for example, by grasping the extracted log, the administrator 160 can perform analysis more easily than when extracting the log using the aggregation condition output by the administrator 160 himself.

In addition, the identifying unit 106 determines the data items of the logs related to the analysis target based on the post-aggregation item element information 115 that defines the applicable targets that can classify the data of the data items of the logs after aggregation into which the logs are aggregated. Among them, the data item corresponding to the application target is specified as a calculation target for calculating the value of the data item, and the storage unit 101 identifies the calculation target data item specified by the specifying unit 106 and the application target related to the data item. It is stored as post-aggregation item information 117 in association with it. Further, the log aggregating unit 103 executes the program associated with the application target related to the calculation target data item specified by the specifying unit 106 to calculate the value of the data item. By calculating the values of the aggregated logs in this way, the administrator 160 does not need to calculate the item values of the extracted logs, and can more easily analyze the logs.

Next, a process (aggregate template update process) related to update of aggregate templates will be described with reference to FIG. 12 . FIG. 12 is a diagram illustrating an example of a flowchart relating to aggregation template update processing.

Aggregation template update processing is started, for example, when the management terminal 130 accesses the server 100 via the network 140 based on an operation by the administrator 160 . The template update unit 104 refers to the unaggregated log table 300 or the aggregated log table 400 based on the designation by the administrator 160, and transmits a list of stored logs (logs to be analyzed) to the management terminal 130. do. Note that FIG. 12 will be described with reference to the unaggregated log table 300 as an example.

In step S1201, the management terminal 130 refers to the list of logs transmitted from the server 100, and the administrator 160 selects logs to be aggregated (logs related to analysis targets) from the log list (selection result). Send to server 100 . Input/output examples will be described later with reference to FIG.

In step S1202, the template updating unit 104 receives the selection result, and for each combination of the selected log data item and the application target 602 (aggregation condition element template) of the aggregation condition element template table 600, steps S1203 to step The processing of S1207 is performed.

In step S1203, the template updating unit 104 attempts to apply the processing target application target 602 of the aggregation condition element template table 600 to the processing target data items of the selected series of logs.

For example, the template update unit 104 determines that the data item to be processed in the selected log is the time 302, and the application target 602 to be processed in the aggregation condition element template table 600 is the "numerical value" of the condition element ID 601 "R1". , it is determined that the combination to be processed has a format to which the aggregation condition element template can be applied.

Further, for example, the template update unit 104 determines that the data item to be processed in the selected log is the time 302, and the application target 602 to be processed in the aggregation condition element template table 600 is the "character string , it is determined that the combination to be processed has a format in which the aggregation condition element template cannot be applied.

In step S1204, the template updating unit 104 determines whether or not it is possible to apply the processing target application target (aggregation condition element template) to the processing target data item. If the template updating unit 104 determines that the format is applicable, the process proceeds to step S1205, and if it determines that the format is not applicable, and there is an unprocessed combination, the template update unit 104 selects the next combination as the processing target. Then, the process moves to step S1203, and when there is no unprocessed combination, the process moves to step S1208.

In step S1205, the template updating unit 104 searches for suitable parameters. More specifically, the template updating unit 104 calculates the minimum range of parameters that are determined to match by the condition determination of the program specified by the calculation code 604 .

For example, the template update unit 104 determines that the data item to be processed in the selected log is the time 302, and the application target 602 to be processed in the aggregation condition element template table 600 is the "numerical value" of the condition element ID 601 "R1". , the difference in time from the previous log is the difference "1" between "Raw1" of the log ID 301 and "Raw2" of the log ID 301, and the difference "3" between "Raw2" of the log ID 301 and "Raw3" of the log ID 301. ” is calculated, and the upper limit value “3” and the lower limit value “1” of the difference from the previous log are searched as appropriate parameters.

Further, for example, the template update unit 104 determines that the data item to be processed in the selected log is the first operation target 304_1, and the application target 602 to be processed in the aggregation condition element template table 600 is the condition element ID 601 "R2". , a specific character string common to the log IDs 301 of "Raw1" to "Raw3", "C:\a\", is searched as an appropriate parameter.

In step S1206, the template updating unit 104 determines whether or not parameters exist. If the template update unit 104 determines that the parameter exists, the process proceeds to step S1207, and if it determines that the parameter does not exist, and there is an unprocessed combination, the template update unit 104 sets the next combination as the processing target, and moves the process to step S1203. , when there is no unprocessed combination, the process moves to step S1208.

In step S1207, the template updating unit 104 converts the combination of the data item in which the parameter exists and the application target 602 (aggregation condition element template) of the aggregation condition element template table 600 into candidates for aggregation conditions used by the new aggregation template ( Candidates for aggregation conditions).

Note that the processing is not limited to the above-described processing, and if there is no parameter or if the configuration does not search for an appropriate parameter, the template updating unit 104 updates the aggregation condition element template table applicable to the data item to be processed. An application target 602 (aggregation condition element template) of 600 may be held as a candidate for aggregation condition (aggregation condition candidate) used by a new aggregation template.

In step S<b>1208 , the template updating unit 104 transmits aggregation condition candidates to the management terminal 130 . When the management terminal 130 receives the aggregation condition candidates, it presents the aggregation condition candidates to the administrator 160 . An input/output example will be described later with reference to FIG.

In step S<b>1209 , the management terminal 130 transmits to the server 100 the results of selection of aggregation conditions and adjustment of parameters by the administrator 160 referring to the presented aggregation condition candidates (aggregation condition determination results).

In step S<b>1210 , the template updating unit 104 receives the aggregation condition determination result from the management terminal 130 and adds a new record to the aggregation condition table 800 . The number to be added is the number of aggregation conditions of the new aggregation template determined by the administrator 160 . The condition ID 801 is newly created, the target 802 stores a value according to the log type selected by the administrator 160 , and the aggregation condition element 803 and application target item 804 store the aggregation A condition candidate is stored, and a value adjusted by the administrator 160 is stored in the parameter 805 .

In step S1211, the template updating unit 104 updates the application target 702 (post-aggregation item element template) of the post-aggregation item element template table 700 applicable to the data item selected by the administrator 160, as in steps S1202 to S1207. are extracted from the post-aggregation item element template table 700, and the combination is transmitted to the management terminal 130 as a candidate for the post-aggregation data item (post-aggregation item candidate) used by the new post-aggregation item element template. The management terminal 130 presents the post-aggregation item candidates to the administrator 160 . Input/output examples will be described later with reference to FIG.

In step S1212, the management terminal 130 selects the data items necessary for log analysis from the presented combinations by the administrator 160, and sends the results of inputting new item names (post-aggregation item determination results) to the server 100. Send to

In step S1213, the template updating unit 104 adds a record to the post-aggregation item table 900 in the same manner as in step S1210, and combines the selected data item with the application target 702 applicable to the data item (post-aggregation item candidate) are stored in the post-aggregation item element 903 and the application target item 904 , and the new item name input by the administrator 160 is stored in the new item name 905 .

In step S1214, the template update unit 104 updates the aggregation template table 1000, and terminates the aggregation template update process. A record is added to the aggregation template table 1000, the operation type of the aggregation template is stored in the operation type 1002, the ID of the record of the newly created aggregation condition table 800 is stored in the aggregation condition 1003, and the newly created post-aggregation item is stored. The ID of the record of the table 900 is stored in the post-aggregation item 1004 . For the operation type 1002, an input may be received from the administrator 160, and the received input value may be used.

Also, in FIG. 12, the case of referring to the non-aggregated log table 300 has been described as an example, but the present invention is not limited to this, and the aggregation template update process is performed similarly even when the post-aggregation log table 400 is referred to. be able to. In this case, in step S1202, the template updating unit 104 refers to the aggregated log detail table 500, and uses the log ID of the selected aggregated log as a key to update data items of the aggregated log (record corresponding to the log ID). identify. Then, steps S1203 to S1207 are performed for each combination of the specified data item and the application target 602 (aggregation condition element template) of the aggregation condition element template table 600. FIG. That is, the storage unit 101 stores the aggregated log in which the logs are aggregated by the log aggregation unit, and the specifying unit 106 aggregates the analysis target stored in the storage unit 101 based on the aggregation condition element information 114. Among the data items of the post-log, the data item corresponding to the application target is specified as the aggregation condition. With such a configuration, it is possible to further aggregate the logs after aggregation, and by performing aggregation step by step, it is possible to simplify the conditions for individual aggregation. In addition, as an aggregation template, the conditions for aggregation and the method of calculating the value of the data item in the log after aggregation are defined, and by clarifying the input and output of aggregation, multi-stage aggregation is realized. .

(Example of screen configuration)
Next, input/output related to update of aggregation templates will be described with reference to FIG. 13 . FIG. 13 is a diagram showing an example of input/output (aggregation template update screen 1300) related to update of aggregation templates.

Aggregation template update screen 1300 includes an aggregation target log designation area 1310 , an aggregation condition designation area 1320 , an after-aggregation item designation area 1330 , and an OK and Cancel button 1340 .

The aggregation target log designation area 1310 is an area for the administrator 160 to select (designate) logs in step S1201. In the aggregation target log specification area 1310, a list of logs (records) of the unaggregated log table 300 or the aggregated log table 400 is displayed, and the logs related to the analysis target are specified in the form of check boxes.

The aggregation condition designation area 1320 is an area where the administrator 160 selects (designates) an aggregation condition candidate in step S1209. Aggregation condition designation area 1320 displays combinations of data items in which parameters exist and application targets 602 (aggregation condition element templates) applicable to the data items as candidates for aggregation conditions used by new aggregation templates. In the aggregation condition designation area 1320, selection of aggregation conditions and adjustment of parameters are performed, and addition/non-addition to the aggregation template is designated in a check box format.

Post-aggregation item designation area 1330 is an area where administrator 160 selects post-aggregation item candidates in step S1212. Post-aggregation item designation area 1330 displays candidates for log items after aggregation. In the post-aggregation item designation area 1330, a new item name is entered, and whether or not to add it to the aggregation template is specified in a check box format.

A decision and cancel button 1340 is used to specify whether or not to send the decision to each step to the server 100 .

In the configuration described above, an aggregation template for aggregating logs into higher-level concepts is expressed as a combination of conditions for determining logs to be analyzed and calculation methods for log items after aggregation, and each of these is expressed as a general-purpose process. Defined by a combination of sets and parameters. Furthermore, by semi-automatically estimating these combinations from operational results, it is possible to create and update aggregate templates without much effort.

According to the present embodiment, it is possible to easily set an appropriate log aggregation unit according to constraints such as the purpose of log analysis, usable log data items, computer resources, and human resources. can.

(2) Other Embodiments In the above-described embodiment, the case where the present invention is applied to the log analysis support system was described, but the present invention is not limited to this, and various other systems, It can be widely applied to devices, methods and programs.

In the above embodiment, for convenience of explanation, XX tables and XX files have been used to describe various types of data, but the data structure is not limited and may be expressed as XX information or the like.

In the above description, information such as programs, tables, and files that implement each function is stored in memory, hard disks, SSD (Solid State Drives), and other storage devices, or IC cards, SD cards, DVDs, and other recording media. can be placed in

Moreover, the above-described configurations may be appropriately changed, rearranged, combined, or omitted within the scope of the present invention.

1... Log analysis support system, 100... Server, 101... Storage unit, 102... Log acquisition unit, 103... Log aggregation unit, 104... Template update unit, 105... Communication unit.

Claims (11)

Operations related to the analysis target based on the aggregation condition element information that defines applicable targets that can classify the data items of the operation log generated by the process performing the operation on the user terminal, which is the terminal used by the user a specifying unit that specifies a data item corresponding to an application target from among a plurality of log data items as a condition for aggregating;
a storage unit that stores, as aggregation condition information, an aggregation condition that includes the name of the process specified by the specifying unit;
a log aggregation unit that aggregates a plurality of operation logs having the same process name into one operation log based on the aggregation condition information stored in the storage unit;
an output unit that outputs the aggregation condition specified by the specifying unit;
A log analysis support system comprising: The specifying unit specifies, as a parameter, the value of the specified data item from the log related to the analysis target based on the aggregation condition element information,
The storage unit associates the aggregation conditions and parameters specified by the specifying unit with the application targets related to the aggregation conditions and stores them as aggregation condition information.
The log analysis support system according to claim 1 , characterized by: A program that determines conditions for aggregation is associated with the application target of the aggregation condition element information,
The log aggregating unit executes a program associated with an application target related to the aggregation condition specified by the specifying unit, and extracts, from the logs to be analyzed, logs satisfying the aggregation condition as aggregation targets. ,
The log analysis support system according to claim 1 , characterized by: The specifying unit, based on the post-aggregation item element information that defines applicable targets that can classify the data of the data items of the post-aggregation log in which the logs are aggregated, among the data items of the log related to the analysis target, Identify the data item corresponding to the applicable target as a calculation target for calculating the value of the data item,
The storage unit associates the calculation target data item specified by the specifying unit with the application target related to the data item, and stores them as post-aggregation item information.
The log analysis support system according to claim 1 , characterized by: A program for calculating a value of a data item related to the application target is associated with the application target of the post-aggregation item element information,
The log aggregating unit calculates the value of the data item by executing the program associated with the application target related to the calculation target data item specified by the specifying unit.
5. The log analysis support system according to claim 4 , characterized by: Equipped with a log acquisition unit that acquires a terminal log as a log to be analyzed,
The log analysis support system according to claim 1 , characterized by: A reception unit that receives information of a log selected via a management terminal as a log related to the analysis target,
The log analysis support system according to claim 1, characterized by: The output unit outputs the aggregation condition specified by the specifying unit to the management terminal as an aggregation condition candidate,
a reception unit that receives an aggregation condition selected from the aggregation condition candidates via the management terminal;
a storage unit that stores the conditions for aggregation received by the reception unit as aggregation condition information;
a log aggregation unit that aggregates logs based on the aggregation condition information stored in the storage unit;
The log analysis support system according to claim 1, characterized by comprising: The storage unit stores aggregated logs aggregated by the log aggregation unit;
The specifying unit specifies, as a condition for aggregation, a data item corresponding to the application target among the data items of the post-aggregation log related to the analysis target stored in the storage unit, based on the aggregation condition element information.
The log analysis support system according to claim 1 , characterized by: The log aggregating unit extracts, from the logs to be analyzed, logs that satisfy all of the conditions for aggregation specified by the specifying unit and logs that satisfy some of the conditions for aggregation, as targets for aggregation.
The log analysis support system according to claim 1 , characterized by: The identifying unit performs analysis based on aggregation condition element information that defines applicable targets for classifying the data of the data items of the operation log generated by the process performing the operation on the user terminal, which is the terminal used by the user . a first step of identifying a data item corresponding to an application target from among a plurality of data items of operation logs related to the target as a condition for aggregation;
a second step in which the storage unit stores, as aggregation condition information, conditions for aggregation specified by the specifying unit and including the name of the process;
a third step in which a log aggregation unit aggregates a plurality of operation logs having the same process name into one operation log based on the aggregation condition information stored in the storage unit;
a fourth step in which the output unit outputs the aggregation condition specified by the specifying unit;
A log analysis support method comprising:

Images