JP2002318734A - Method and system for processing communication log - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method and a system for processing communication log, with which unauthorized access or the like can be discovered without requesting application or experience to a security manager. SOLUTION: This method has a process (a) for converting each of analysis object log files outputted by an application capable of recording a plurality of communication logs to a prescribed format as needed, a process (b) for merging a plurality of analysis object logs converted into the prescribed format and a process (c) for judging the presence/absence of the unauthorized access by analyzing the merged log.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a communication log processing method for analyzing a communication log recorded in a communication server and a system therefor, and more particularly to a communication log processing method for outputting a plurality of log outputs. The present invention relates to a method for analyzing communication logs in a unified manner.

[0002]

2. Description of the Related Art Recently, there have been many cases in which networks and servers of companies and government offices are attacked by crackers and the like. For this reason, attention has been focused on strengthening network security. To strengthen network security, you must first monitor and analyze network security. For monitoring network security, it is effective to record and analyze a communication log of a device such as a server constituting a network.

[0003] The communication log is a record of a communication history of a server or the like. By analyzing the communication log, all events that have occurred in the server can be detected. For example, an unauthorized access can be detected based on an unnatural access from outside to the server. Therefore, by taking some measures in response to this, it is possible to enhance the security of the network.

[0004]

However, logs output from a server are usually recorded in different formats depending on the OS of the computer and the application used, and are various. In addition, the network is generally operated in a state where there is a problem in system management that the amount of information is so large that it is not possible to check the contents or to secure time for checking. .

[0005] In addition, a cracker who attacks the network may alter or delete the log in order to erase the trace of the entry into the network. In this case, such an unauthorized access is found. It is extremely difficult.

[0006] The present invention has been made in view of such circumstances, and provides a log processing method and system capable of finding unauthorized access without requiring a sophisticated level of knowledge and experience from a security administrator. The purpose is to do.

[0007]

According to a first main aspect of the present invention, there is provided a method for solving the above-mentioned problems, wherein (a) analyzing each log file to be analyzed output by an application capable of recording a plurality of communication logs; Converting, if necessary, into a predetermined format; and (b) integrating a plurality of analysis target logs converted into the predetermined format,
(C) analyzing the logs after the integration to determine the presence or absence of unauthorized access.

According to such a configuration, the format of a plurality of log files is unified by a method determined for each log file, and by integrating them, unauthorized access that cannot be determined by a single log file is performed. Can be detected.

Here, according to one embodiment of the present invention, it is preferable that the plurality of analysis target log files are recorded for the same system. Also,
In this case, it is preferable that the method further includes a step of (d) determining consistency between the plurality of analysis target logs before the step (a) or the step (b) and outputting a result of the determination. .

[0010] According to such a configuration, when the logs of the same system (including the mirroring server) are recorded in a plurality of log files, these are integrated, and the event in the system is integrated. Can be determined to include unauthorized access. Further, by determining the consistency between a plurality of files, it is possible to detect that some of the files have been tampered with.

According to another embodiment of the present invention, in the step (a), the analysis target log file is converted by using a conversion procedure prepared in advance for each application that outputs the analysis target log file. And a step of converting the file into a predetermined format. Preferably, the method further includes a step of updating, at a predetermined timing, a conversion procedure prepared in advance for each application.

By using a procedure prepared in advance for each log file to be analyzed, it is possible to analyze the log efficiently. Also, by updating this procedure as appropriate,
It is possible to improve the accuracy of log analysis.

According to yet another embodiment, (e)
Before the step (a) or (b), the method further includes a step of classifying rows belonging to the same session from the analysis target log. In this case, it is preferable that the step (e) is to determine to which session a line whose session cannot be determined belongs to based on a line whose session can be determined in the log to be analyzed.

According to such a configuration, it is possible to classify a line into an appropriate session even if the line does not seem to belong to which session. Therefore, the following log analysis can be performed efficiently and effectively.

According to yet another embodiment, the step (b) integrates the plurality of logs to be analyzed for each same session. In this case, the step (c) is to determine the presence or absence of unauthorized access for each analysis target log integrated for the same session. In this case, it is preferable that the step (c) displays the possibility of unauthorized access in different colors for each session.

According to such a configuration, by integrating the logs for each session at the time of log integration, it is possible to effectively determine an unauthorized access and to easily display the result.

According to a second main aspect of the present invention, (a) each analysis target log file output by an application capable of recording a plurality of communication logs is converted into a predetermined format if necessary. Means, (b) means for integrating a plurality of analysis target logs converted into the predetermined format, and (c) means for judging the presence or absence of unauthorized access by analyzing the integrated logs. A communication log processing system is provided.

According to such a configuration, it is possible to obtain a system capable of executing the method according to the first aspect.

Further, according to a third main aspect of the present invention, there is provided a computer software program product for analyzing a communication log in cooperation with an operation system installed in a computer system,
A storage medium, and (a) means for converting each analysis target log file stored in the storage medium and output by an application capable of recording a plurality of communication logs into a predetermined format if necessary; Stored on a storage medium,
Means for integrating the plurality of analysis target logs converted into the predetermined format; and (c) stored in the storage medium,
Means for analyzing the integrated logs to determine the presence or absence of unauthorized access.

According to such a configuration, the same effect as that of the method according to the first main aspect can be obtained.

The other features and remarkable effects of the present invention will be more clearly understood by referring to the following embodiments of the present invention and the accompanying drawings.

[0022]

Embodiments of the present invention will be described below with reference to the drawings.

First, in FIG. 1, reference numeral 1 denotes a log analysis system of this embodiment, and reference numeral 2 denotes a server to be monitored. The log analysis system 1 of this embodiment has a function of receiving and analyzing a communication log output by the server 2 online in order to detect, for example, an unauthorized access from a cracker.

That is, the server 2 records and outputs the communication processing of the various server applications 3 using the log recording program 4. Then, the log transfer program 5 similarly installed in the server 2 transfers the communication log to the log analysis system 1 in real time through a LAN, a public line, or another communication network. The log analysis system 1 stores the received communication log in an analysis target log storage unit 7 provided in the log analysis system 1.

The log analysis system 1 retrieves the communication log stored in the analysis target log storage unit 7 at a predetermined timing and analyzes it to search for unauthorized access (step indicated by 8 in FIG. 1). ). Then, the analysis result is output in, for example, a list format (step indicated by 9 in FIG. 1).
It has become.

Also, the log analysis system 1 of the present invention
It is characterized in that various communication logs are integratedly processed. To cope with this, in the server 2 of this embodiment, the same event is recorded in a plurality of log files and transferred to the log analysis system 1. FIGS. 2A and 2B show an example of such a communication log recording method.

That is, in this case, as shown in FIG. 2A, the server 2 uses a plurality of log recording programs 4A and 4B to record communication logs of a plurality of server applications A and B for the same event. May be recorded in different communication log files A and B, or as shown in FIG.
The data may be recorded in different communication log files A and B using a single log recording program 4A.

In this case, it is preferable that the plurality of log files are prepared for different facilities. For example, in this embodiment, a communication log for each facility for the same event is recorded in “/ var / log / facility name.log”. Also, in this embodiment,
For reference matching with the communication log file of each facility, the communication logs of all facilities for the same event are also recorded in one file “/var/log/all.log”.

Next, a log analysis system 1 according to this embodiment will be described with reference to FIG.

This system, as shown in FIG.
A program storage unit 16 and a data storage unit 17 are connected to a bus 15 to which a CPU 11, a RAM 12, a communication device 13, and other input / output devices 14 are connected.

The data storage unit 17 stores the analysis target log storage unit 7, an analysis condition storage unit 19 for storing various conditions of analysis to be executed by this analysis system, and a log after the format is unified. The integrated log storage unit 21 stores an integrated analysis target log, an integrated analysis target log storage unit 22 that stores integrated analysis target logs, and an analysis result storage unit 23 that stores log analysis results.

In the analysis condition storage section 19, an updated default analysis condition file 24a provided by a security company such as the applicant of the present application and a user of this system are set based on the default analysis condition file. Stored user setting analysis condition file 24b.

In the program storage unit 16, if only the present invention is concerned, the analysis condition setting unit 25 for setting the various analysis conditions and the analysis target log file can be compared with each other. A log format conversion processing unit 26 that converts the data into a predetermined unified format so as to be connectable and stores it in the unified log storage unit 21, and a consistency determination unit 2 that determines consistency between a plurality of logs to be analyzed.
7, a log integration processing unit 28 that integrates a plurality of analysis target logs converted into the predetermined format, a log classification processing unit 29 that separates lines belonging to the same facility from the integrated analysis target logs, A log analysis processing unit 30 that determines the presence or absence of unauthorized access by analyzing the divided analysis target logs; an analysis result reflection processing unit 36 for reflecting the analysis result by the log analysis processing unit 30 in the analysis setting; Having.

The log integration processing unit 28 has a session discriminating unit 31 for discriminating which session in the log to be analyzed cannot be discriminated based on the classifiable row.

The log analysis processing unit 30 includes a connection IP analysis unit 33 for determining an unauthorized access based on a connection IP address, a connection time analysis unit 34 for determining an unauthorized access based on a connection time, and A pattern analysis unit 35 that determines whether there is an unauthorized access by comparing with a connection pattern prepared in advance.

These components are actually a fixed area secured in the storage medium of the computer system and a program installed in this area.
By being called and executed by the U11 on the RAM 12, the functions of the present invention are achieved in cooperation with an OS (operation system).

Hereinafter, the functions and operations of the above components will be described together with the processing procedure of this system.

FIG. 3 shows a schematic processing procedure by the analysis system 1.

As shown in this figure, the analysis system 1
The analysis of the communication log using is performed, for example, in a wizard format. When the wizard is started (step S1), first, the analysis condition setting unit 25 executes step S2.
In steps S6 to S6, analysis conditions are set. The setting of the analysis condition includes the setting of the analysis policy (step S2), the permission IP
And rejection IP setting (step S3), pattern setting (step S4), analysis target file selection (step S3)
5), it is preferable to sequentially execute the analysis item selection and the report output type selection (step S6).

Here, the setting of the analysis policy (step S2) is for reducing the burden on an operator who is not familiar with network security when setting the steps S3 to S6. As shown in Fig. 5, the "validation" is the setting that is currently in effect.
38, "Basic setting" 39 for analyzing unauthorized access as a whole, "General Web related" 40 for analyzing unauthorized access related to CGI and other WEB, "ftp operation analysis" for checking items related to Ftp 41, "root access analysis" 42 for analyzing records operated with administrator authority, "scan operation analysis" 43 for analyzing preparatory operations before receiving unauthorized access, "email environment analysis" for analyzing abnormal operations in the mail environment 44 and the like can be selected. By selecting each setting, an analysis item or the like set as a default for each setting can be automatically set as described later. Therefore, the operator only needs to correct these.

Further, in this embodiment, the security policy other than the "regulation" can be set using the latest updated default analysis condition file 24a prepared by a security company such as the applicant of the present application. It has become. Therefore, when selecting an option other than the “regulation”, the operator can use the latest security policy without being conscious of it.

Next, in the setting of the permitted IP and the rejected IP (step S3), the IP for permitting access (permitted IP) and the IP for rejecting access (reject I
P) can be set. In this embodiment, the rejected IP added by the security agent to the updated default analysis condition file 24a or the rejected IP determined by the analysis result reflection processing unit 36 to be appropriate as a result of the security diagnosis of the system is the above. It automatically appears as the default based on the policy you select.

In the pattern setting (step S4), a pattern to be monitored can be set for each facility. For example, in the APP, a pattern to be monitored for a boot force attack, a port scan, and the like can be set. Such a pattern,
The default analysis condition file 24a provided by the security company always provides the latest one as a default according to each policy. For this reason, the operator can perform the optimal setting by basically applying the default pattern.

Next, an analysis target file is selected (step S5). In this example, the analysis target log storage unit 7 is used.
And the files in that directory can be individually specified.

In the analysis item selection and report output type selection (step S6), the connection IP analysis unit 33, the connection time analysis unit 34, and the pattern analysis unit 35 correspond to the connection IP Analysis, connection time analysis, and pattern analysis can be selected. In the report output items, it is possible to specify whether items to be output in a report, for example, when displaying the communication log, whether to display items such as a time and a facility name.

The items set as described above are stored in the user setting analysis condition 24b of the analysis condition storage unit 19, and the analysis shown in step S7 in FIG. 4 is subsequently performed.

Hereinafter, this procedure will be described with reference to the flowchart of FIG.

First, the format conversion processing section 26
Extracts the communication log to be analyzed set under the analysis conditions, converts the communication log into a predetermined format, and stores the communication log after the conversion processing in the unified log storage unit 21 (step S7-1). In this format conversion, for example, different formats depending on the target facility and the log recording program, such as a display position, a display order, and a position of a time stamp, are arranged in a unified format.

For example, the first log (syslog) that records the ftp operation is shown in FIG. 7A, and the second log (xferlo) that records the movement of the file in ftp.
g) is as shown in FIG. 7 (b). Here, the first log is {month, day, time, server, daemon, [P
ID] operation (including connection IP and account)}, whereas the second log contains {day, month, day,
The format is time, year, connection IP, file size, file name, transfer mode, input / output, account, protocol #. In this case, even if the integration processing described later is performed, the analysis is difficult as shown in FIG. 8. Therefore, in this embodiment, the format conversion processing unit 26 converts these as shown in FIG. Align with a proper format. In this format, the display position of the connection IP and the display position of the account are aligned by matching the time stamp formats of the formats of FIG. 7A and FIG. 7B.

Next, the consistency discriminating unit 27 discriminates the consistency between logs for the same event stored in the unified log storage unit 21 (step S7-2).

For example, as the same event, all logs (/var/log/all.log) recorded on the ftp operation are as shown in FIG. 10A, and the log (/ var
/log/auth.log) is as shown in FIG. Here, the format of FIG. 10 (a) is {month, day, time,
Server, daemon (or service), [PID] operation (including connection IP and account)}, for the sake of convenience of description, before the above-mentioned format unification. In this case, the log of FIG.
When applied to the description of the log in (a), lines 9, 16, and 17 are obtained.

The consistency discriminating unit 27 stores all the logs
The log is recorded by the most appropriate method according to the type of the log recording program 4 and compared with the log for each facility. In this example, as shown in FIG.
Are cut out and compared with FIG. 10B.
As a result, if they do not match, it can be determined that one of the logs has been tampered with. Here, all logs are cut out by the daemon name because the daemon name (or service name) is fixed for each facility. On the other hand, the PID (process ID)
In the recording for each facility, the description of the same PID is undesirably distributed to a plurality of logs.

Since such an optimum cutting method differs depending on the log format, in this embodiment, this step (step S7-2) is actually replaced with the format unifying step (step S7-1). Will do it later.
This makes it possible to perform the comparison and matching in a certain manner.

Next, the log integration processing unit 28 integrates a plurality of analysis target logs converted into the predetermined format (step S7-3). Here, the integration is
This is because the presence or absence of an unauthorized attack may not be known from individual log files.

For example, of the system log (syslog) for the same event, the first log (/var/log/info.lo
g) is shown in FIG. 11A, and the second log (/ va
(r / log / auth.log) is shown in FIG. 11B. In this case, the session PID [242
The ftp session of [5] is suspected of unauthorized access.
However, as far as the first log is seen, the trace is PID
It only slightly remains in the three inputs of [2421], and even that does not have a clear association with PID [2425]. Conversely, in the second log, a record of the failure of PID [2421] remains, and it can be clearly seen that p51-dn09. ***. Ne.jp has set a brute force. However, it cannot be determined from this log whether the attack was successful. Also, this log contains the PID
There is no display of [2421].

However, these movements appear clearly in the entire log (/var/log/all.log) shown in FIG. That is, this series of attacks is 2/16 15: 0
Starting at 9:04, the trick is a brute force attack on ftp using Telnet.

Such an analysis is shown in FIGS.
It cannot be obtained from the individual logs in (b). Therefore, it is necessary to combine and analyze these two logs.

The log combining method according to this embodiment will be described below.

The log integration processing unit 28 unifies the formats of the logs in the format unification step described above, and combines them to obtain a combined log as shown in FIG. That is, as described above, for example, for ftp, its own operation and the movement of the file are recorded in separate log files (FIGS. 8A and 8B). Since these two logs have different formats, it is difficult to analyze them simply by combining them. Therefore, the formats of the two logs are unified by the above-described method, and then they are combined.

However, in such an example, the problem is that the log of FIG. 8B has no description for specifying the ftp operation. In the examples of FIGS. 8 and 9, the specification is easy because there is only one ftp. However, for example, when there are a plurality of ftp sessions in the same time range, it is not possible to specify the ftp session. You will not be able to do it.

For this reason, in this embodiment, the log integration processing unit 28 determines to which session each line of the log file belongs, and performs a process of allocating a line whose unknown session belongs to an appropriate session.

FIG. 13A shows an example of a first log (syslog) when there are a plurality of sessions in the same time range.
(B) is an example of a second log (xferlog). The two logs are unified by the log format conversion processing unit 26 in the same manner as described above, and then integrated by the log integration processing unit 28 and arranged in the order of time stamp.
It is.

In the integrated log shown in FIG. 14, it is quite difficult to analyze because there are duplicate sessions at the same time or sessions from the same IP.

Therefore, the log integration processing unit 28
First, the session attributes are determined (step S7-
4). In this case, if the log in FIG. 13A is divided for each PID and the lines that can be determined to be the same session are classified, as shown in FIGS. 15A to 15C, there are three sessions. I understand. Therefore, from this result,
It is determined that the PID, IP, and connection time of each session are as shown in FIG. 16 (step S7-5).

By utilizing this data, the above-mentioned FIG.
The log shown in FIG. 17B can be classified into any one of the sessions as shown in FIGS.

The log integration processing unit 28 obtains the results shown in FIGS. 18A to 18C by arranging FIGS. 15 and 17 in the order of the time stamp for each session (step S7-).
6). Such integrated logs are stored in the integrated analysis target log storage unit 22.

Next, the sorting section 29 sorts the integrated log for each facility (step S7-7). In this embodiment, a log stored in the integrated analysis target log storage unit is extracted, and each line in the log is sorted by paying attention to a daemon name (service name).

Next, the log analysis processing unit 30 executes an analysis process for the presence or absence of unauthorized access using the log file processed as described above (steps S7-8 to S7).
7-10). As described above, since each log is grouped and divided so as to be easily analyzed, the following analysis can be efficiently performed.

First, in the connection IP analysis processing in step S7-8, the "permitted IP" or "deny I"
P ”is detected. The IP and domain set as the permitted IP are excluded from the following other analysis targets. Then, an IP other than the permitted IP or the rejected IP
Among the detected IPs, the IP that has established the connection is detected, and a log related to this IP is extracted.

Next, in the unauthorized connection time detection processing in step S7-9, a connection other than the time zone set as the connection time zone is detected as the unauthorized connection time, and a log relating to the unauthorized connection time is extracted.

Next, in the pattern analysis of step S7-10, it is determined whether the log matches the pattern stored in the analysis condition storage unit, and if the pattern matches, it is detected as an unauthorized access. This pattern is preferably updated on a daily basis. Therefore, in this embodiment, the updated pattern is supplied from a security company as the updated default analysis condition file 24a. The pattern used in this embodiment is about 4
00 types.

Finally, the analysis result is output in step S8 of FIG. The output of the analysis result is preferably displayed in a different color such as red or yellow depending on the possibility of unauthorized access. The analysis result is stored in the analysis result storage unit 23 with a flag set for each session according to the possibility of unauthorized access.

The results of the analysis performed in this manner are reflected in the updated default analysis condition file 24a by the analysis result reflection processing unit 36. For example, as a result of the analysis, when there is an IP determined to have been accessed illegally, the IP is stored in the default analysis condition file 24a as a rejected IP.

According to such a configuration, by unifying the formats of a plurality of log files and integrating them, it is possible to detect unauthorized access that cannot be determined by a single log file. In addition, since these processes are performed based on the latest format unification method and integration method updated by the security company at a predetermined timing, for example, unauthorized access without requiring advanced knowledge and experience from the security administrator. Can be found.

The present invention is not limited to the above-described embodiment, but can be variously modified without changing the gist of the invention.

For example, in the above-described embodiment, the server 2 is a monitoring target. However, the present invention is not limited to this, and a router or the like may be monitored.

In the above embodiment, the present invention is provided as a system and a method.
The functions of the present invention may be provided by being provided as package software stored in a computer system and installed in a computer system.

[0078]

According to the configuration described above, it is possible to obtain a log processing method and system capable of detecting unauthorized access without requiring a high level of knowledge and experience from a security manager.

[Brief description of the drawings]

FIG. 1 is a schematic configuration diagram showing an embodiment of the present invention.

FIG. 2 is an explanatory diagram illustrating a log recording method according to the embodiment;

FIG. 3 is a schematic configuration diagram illustrating a log analysis system according to the embodiment;

FIG. 4 is a flowchart showing schematic processing steps of the embodiment.

FIG. 5 is a view for explaining options of an analysis policy.

FIG. 6 is a flowchart showing processing steps of an analysis processing.

FIG. 7 is a diagram showing a processing example of a communication log.

FIG. 8 is a diagram showing a processing example of a communication log.

FIG. 9 is a diagram showing a processing example of a communication log.

FIG. 10 is a diagram showing a processing example of a communication log.

FIG. 11 is a diagram showing a processing example of a communication log.

FIG. 12 is a diagram showing a processing example of a communication log.

FIG. 13 is a diagram showing a processing example of a communication log.

FIG. 14 is a diagram showing a processing example of a communication log.

FIG. 15 is a diagram showing a processing example of a communication log.

FIG. 16 is a diagram showing a processing example of a communication log.

FIG. 17 is a diagram showing a processing example of a communication log.

FIG. 18 is a diagram illustrating a processing example of a communication log.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 ... Log analysis system 2 ... Server 3 ... Server application 4 ... Log recording program 5 ... Log transfer program 7 ... Analysis log storage unit 11 ... CPU 12 ... RAM 13 ... Communication device 14 ... I / O device 15 ... Bus 16 ... Program Storage unit 17 Data storage unit 19 Analysis condition storage unit 21 Unified log storage unit 22 Integrated analysis target log storage unit 23 Analysis result storage unit 24a Updated default analysis condition file 24b User setting analysis condition file 25 analysis condition setting unit 26 log format conversion processing unit 27 consistency determination unit 28 log integration processing unit 29 log classification processing unit 30 log analysis processing unit 31 session determination unit 33 IP analysis unit 34 connection Time analysis unit 35: Pattern analysis unit 36: Analysis result reflection processing unit

Claims (30)

[Claims] (A) converting each analysis target log file output by an application capable of recording a plurality of communication logs into a predetermined format if necessary;
(B) integrating a plurality of logs to be analyzed converted into the predetermined format, and (c) determining the presence or absence of unauthorized access by analyzing the integrated logs. Communication log processing method 2. The log communication processing method according to claim 1, wherein the plurality of log files to be analyzed are recorded for the same system. 3. The communication log processing method according to claim 2, wherein (d) determining consistency between the plurality of analysis target logs before the step (a) or the step (b), and determining the determination result. A communication log processing method, further comprising a step of outputting. 4. The communication log processing method according to claim 1, wherein in the step (a), the analysis target log file is converted using a conversion procedure prepared in advance for each application that outputs the analysis target log file. A communication log processing method, which comprises a step of converting the data into a predetermined format. 5. The communication log processing method according to claim 1, wherein a conversion procedure prepared in advance for each application is
A communication log processing method, further comprising a step of updating at a predetermined timing. 6. The communication log processing method according to claim 1, further comprising: (e) classifying rows belonging to the same session from the analysis target log before the step (a) or the step (b). A communication log processing method comprising: 7. The communication log processing method according to claim 6, wherein, in the step (e), in the analysis target log, a line whose session cannot be determined is assigned to any session based on a line whose session can be determined. A communication log processing method, further comprising a step of determining whether the communication log belongs. 8. The communication log processing method according to claim 1, wherein the step (b) integrates the plurality of analysis target logs for each same session. 9. The communication log processing method according to claim 8, wherein the step (c) determines whether there is an unauthorized access for each analysis target log integrated for each of the same sessions. Communication log processing method. 10. The communication log processing method according to claim 9, wherein in the step (c), the possibility of unauthorized access is displayed in different colors for each session. Method. (A) Each analysis target log file output by an application capable of recording a plurality of communication logs is
Means for converting to a predetermined format if necessary;
(B) means for integrating a plurality of logs to be analyzed converted into the predetermined format, and (c) means for judging the presence or absence of unauthorized access by analyzing the integrated logs. Communication log processing system. 12. The log communication processing system according to claim 11, wherein the plurality of analysis target log files are recorded for the same system. 13. The communication log processing system according to claim 12, further comprising: (d) means for determining consistency between the plurality of logs to be analyzed and outputting a result of the determination. Processing system. 14. The communication log processing system according to claim 11, wherein the means (a) uses a conversion procedure prepared in advance for each application that outputs the analysis target log file, and uses the conversion procedure. A communication log processing system having means for converting the data into a predetermined format. 15. The communication log processing system according to claim 11, wherein a conversion procedure prepared in advance for each application is
A communication log processing system further comprising means for updating at a predetermined timing. 16. The communication log processing system according to claim 11, further comprising: (e) means for classifying rows belonging to the same session from the analysis target log. 17. The communication log processing system according to claim 16, wherein said means (e) determines which line in the analysis target log has a line whose session cannot be determined based on a line whose session can be determined. A communication log processing system further comprising a unit for determining whether the communication log belongs. 18. The communication log processing system according to claim 11, wherein said means (b) integrates said plurality of analysis target logs for each same session. 19. The communication log processing system according to claim 18, wherein said means (c) determines presence / absence of unauthorized access for each analysis target log integrated for each said same session. Communication log processing system. 20. The communication log processing system according to claim 19, wherein said means (c) displays the possibility of unauthorized access in different colors for each session. system. 21. A computer software program product for analyzing a communication log in cooperation with an operation system installed in a computer system, comprising: a storage medium; and (a) a plurality of communication programs stored in the storage medium. Means for converting each analysis target log file output by the application capable of recording a log into a predetermined format if necessary; (b) stored in the storage medium;
Means for integrating the plurality of analysis target logs converted into the predetermined format; and (c) stored in the storage medium,
Means for judging the presence or absence of unauthorized access by analyzing the integrated logs. 22. The log communication processing system according to claim 21, wherein the plurality of log files to be analyzed are recorded for the same system. 23. The computer software program product according to claim 22, further comprising: (d) means for storing the storage medium, determining consistency between the plurality of analysis target logs, and outputting the determination result. A computer software program product, characterized in that: 24. The computer software program product according to claim 21, wherein the means (a) uses a conversion procedure prepared in advance for each application that has output the log file to be analyzed. A computer software program product having means for converting a file into a predetermined format. 25. The computer software program product according to claim 21, wherein the conversion procedure prepared in advance for each application is performed by:
A computer software program product further comprising means for updating at a predetermined timing. 26. The computer software program product according to claim 21, further comprising: (e) means for classifying, from the log to be analyzed, lines belonging to the same session, stored in the storage medium. Software program product. 27. The computer software program product according to claim 26, wherein said means (e) determines which session in said analysis target log has a line whose session cannot be determined based on a line whose session can be determined. A computer software program product, further comprising means for determining whether the user belongs. 28. A computer software program product according to claim 21, wherein said means (b) integrates said plurality of analysis target logs for each same session. 29. The computer software program product according to claim 28, wherein said means (c) determines presence or absence of unauthorized access for each analysis target log integrated for each said same session. A computer software program product. 30. A computer software program product according to claim 29, wherein said means (c) displays the possibility of unauthorized access in different colors for each session. Product.