JP2003099295A - Processing method for communication log, computer software program for implementing the same method on computer system and communication log processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable a security administrator to safely save or store a communication log including information on illegal access, etc., without having high-level knowledge nor experience. SOLUTION: A system has a log format standardizing process part which obtains communication logs from servers, OSs, and applications for all uses, sends them to a remote location one after another, and re-forms the logs having different formats to a specific standardized format, a 1st log saving process part which saves the respective lines of the logs sent to the remote location as one or more records of a data file on a 1st storage medium, and a 2nd log saving process part which performs allocation control over the respective lines of the data file in specific timing according to properties in the specific format and saves and stores the respective lines on a plurality of different 2nd storage mediums.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a communication log processing method for analyzing a communication log recorded by a communication server and a computer software program or system thereof, and more particularly, a plurality of logs can be output. The present invention relates to a technique for transferring and storing a communication log output from an application in real time by a desired method.

[0002]

2. Description of the Related Art Recently, there have been many cases where a cracker or the like attacks networks and servers of companies and government offices. Due to this, attention is focused on strengthening network security. To strengthen network security, it is first necessary to monitor and analyze network security. For network security monitoring, it is effective to record and analyze communication logs of devices such as servers that configure the network.

This communication log is a record of the communication history of the server and the like, and by analyzing this, all events that have occurred in this server can be detected. For example, it is possible to detect an unauthorized access based on an unnatural access to the server from the outside. Therefore, the security of the network can be strengthened by taking some measures according to this.

[0004]

However, the logs normally output from the server are recorded in different formats depending on the OS of the computer and the applications used, and there are various types. In addition, since the amount is too large, it is general that the network is operated in a state where there is a problem in system management that it is impossible to secure time for checking whether the contents can be checked. .

Also, a cracker who mounts an attack on the network may falsify or delete the log in order to erase the trace of the intrusion of the network by itself. In this case, such unauthorized access is discovered. Things will be extremely difficult.

The present invention has been made in view of such circumstances, and safely saves or keeps a communication log including information such as unauthorized access without requiring the security administrator to have a high level of knowledge and experience. It is an object of the present invention to provide a log processing method and a computer software program or system for the log processing method.

[0007]

In order to solve the above-mentioned problems, according to a first main aspect of the present invention, there is provided a communication log processing method, comprising: A step of acquiring from an OS or an application, sequentially transmitting the logs to a remote location, and forming logs of different formats into a unified predetermined format; (b)
Each line of the log sent to the remote location is first recorded as one or more records in a data file.
And (c) each line of the data file is distributed and controlled based on the attribute in the predetermined format at a predetermined timing, and each of the plurality of different second storage media is stored. The method further comprises the step of storing and accumulating in a storage medium.

With such a configuration, the log output from each server can be transferred to the remote location in real time, and each log is converted into a unified format. As a result, the log of each server can be monitored in a unified manner, and the log can be sorted and stored in a predetermined second recording medium according to a predetermined rule. As a result, the communication log including information such as unauthorized access can be safely stored in a desired form before being tampered with or deleted by a cracker or the like.

According to one embodiment of the present invention, the method further comprises (d) detecting the presence or absence of unauthorized access by applying a predetermined unauthorized access pattern to each line of the stored log. It is a thing. in this case,
(E) It is preferable that the method further includes the step of generating a setting change instruction of each of the servers, OSs, and applications based on the detection of the unauthorized access.

According to this structure, since unauthorized access is detected in the process of transferring the log in real time, it is possible to detect this unauthorized access in real time.

According to one embodiment of the present invention,
In the step (a), the logs of different formats may be formed into a uniform predetermined format before being transmitted to the remote location. Further, at the remote location, the logs of different formats may be formed into a unified predetermined format.

Further, according to one embodiment, the second storage medium in the step (c) is a portable storage medium, and the storage and storage of data in the second storage medium is performed at a predetermined data transfer timing. To be executed. In this case, it is desirable to further include a step of determining whether or not the second storage medium needs to be replaced based on the remaining storage capacity of the second storage medium and the remaining time until the next transfer timing.

According to a further embodiment, the step (a) includes a step of converting the log into a predetermined format by using a conversion procedure prepared in advance for each application that outputs the log. It is a thing. Further, it is preferable to further include a step of updating a conversion procedure prepared in advance for each application at a predetermined timing.

Here, in the step (c), it is preferable to sort the logs as follows, for example. : 1) When the first storage medium contains a mixture of servers, OSs, and application logs relating to a plurality of individuals / corporations, each line of the data file is based on the attribute in the predetermined format. , The data is stored and stored in a second storage medium that differs depending on the individual / corporation.

2) When the logs of a plurality of servers are mixed in the first storage medium, each line of the data file is different for each server based on the attribute in the predetermined format. Save and accumulate in the storage medium.

3) Each line of the data file is stored and stored in a second storage medium which is different for each log file type based on the attribute in the predetermined format.

4) Each line of the data file is stored and accumulated in a second storage medium which differs according to recording date or time based on the attribute in the predetermined format.

5) Each line of the data file is stored and stored in the second storage medium which is different for each service based on the attribute in the predetermined format.

According to a second main aspect of the present invention, a computer software program for causing a computer system to process a communication log,
(A) A log format unification processing unit that obtains communication logs from servers, OSs, and applications for all purposes, sequentially sends them to remote locations, and forms logs of different formats into a unified predetermined format.
(B) a first log save processing unit that saves each line of the log transmitted to the remote location as one or more records of a data file in a first storage medium; and (c) a predetermined timing. And a second log saving processing unit that controls each line of the data file based on the attribute in the predetermined format and saves and stores each line in a plurality of different second storage media. A computer software program is provided.

With this configuration, it is possible to cause the computer system to execute the method according to the first aspect.

According to a third main aspect of the present invention, there is provided a communication log processing system, wherein (a) a communication log is acquired from a server, an OS or an application for all purposes and is sequentially transmitted to a remote location. And (b) storing each line of the log transmitted to the remote location in the first storage medium as one or more records of a data file. Means to go, (c)
Means for controlling distribution of each line of the data file based on an attribute in the predetermined format at a predetermined timing and storing and storing each line in a plurality of different second storage media. System is provided.

With such a configuration, it is possible to obtain a system capable of executing the method according to the first aspect and the computer program according to the second aspect.

The other features and remarkable effects of the present invention will be more clearly understood with reference to the following embodiments of the invention and the accompanying drawings.

[0024]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings.

First, in FIG. 1, 1 is a log monitoring system of this embodiment, and 2a and 2b are a company A system and a company B system to be monitored. These company A system 2a and company B system 2b have WW
Various servers 3a to 3d (server 1 to server 4) such as W, Ftp, and Mail are provided. The log monitoring system 1 of this embodiment receives and stores the communication logs output by the various servers 3a to 3d in real time for the purpose of discovering an unauthorized access to the server groups 3a to 3d from a cracker, for example. It has a function.

That is, in the servers 3a to 3d, the communication processing in each of them is performed by a log recording unit (program).
4 is used to record and output. Then, the log transfer unit (program) 5, which is also installed in each of the servers 3a to 3c, transfers the communication log to the LAN,
The data is transferred to the log monitoring system 1 in real time through a public line or other communication network.

Next, the log monitoring system 1 will be described in detail with reference to FIG.

The log monitoring system 1 temporarily stores the logs transferred from the company systems 2a and 2b in a log DB server shown in FIG.
The log stored in the B server 8 is stored in a plurality of portable media 9a.
9d to 9d are sorted according to a predetermined rule and stored.

Therefore, this log monitoring system 1 stores the log received in real time in the log DB server 8 and the log stored in the log DB server 8 into a plurality of portable media 9a to 9d. A log distribution agent 11 that distributes a predetermined rule to
Rules and schedule (timing) for log distribution
And a schedule management agent 12 for monitoring and controlling the.

Of these, the log monitor 10 has a log format unification processing unit 14, a log storage processing unit 15, a log deletion processing unit 16, a media replacement determination unit 17, and an unauthorized access detection unit 18. The log format unification processing unit 14 controls each company system 2a, 2b (server 3a-
It has a function of converting the format of the log received from 3d) into a predetermined unified format. The log storage processing unit 15 is used by each server 3
It has a function of sequentially storing each line of the logs received from a to 3d in the log DB server 8 as one record of the DB file. The log deletion processing unit 16 has a function of deleting, from the DB server 8, a log that has already been distributed to any of the portable media 9a to 9d based on a command from the schedule management agent 12.
The media replacement determination unit 17 uses the log DB server 8
The replacement time of each of the media 9a to 9d is determined based on the amount of logs accumulated in the media and the remaining capacity of each of the media 9a to 9d.

The unauthorized access detection unit 18 has a function of detecting the presence or absence of unauthorized access from the protocol waveform (abnormal waveform) of the log received by the log monitor 10. If the unauthorized access detection unit 18 detects an unauthorized access, this information is sent to the server setting creation unit 19 shown in FIG. The server setting creation unit 19 creates new settings of the server or the server program in which the unauthorized access is detected based on the detection of the unauthorized access, and sends the new settings to the servers 3a to 3d.

Next, the schedule management agent 12
Has a log distribution condition storage unit 21, a log distribution schedule storage unit 22, and a log distribution instruction unit 23. The log distribution condition storage unit 21 stores information about which condition or rule the log data centrally stored in the log DB server 8 is distributed to which portable media 9a to 9d. is there. Distribution schedule storage unit 22
Is the capacity of each medium 9a-9d and the DB server 8
The transfer timing or the interval determined in advance is stored according to the capacity of the file stored in. The log distribution instruction unit 23 issues a distribution processing instruction to the log distribution agent 11 based on the log distribution condition 21 and the log distribution schedule 22.

On the basis of this instruction, the log distribution agent 11 distributes and stores each line of the log forming each record of the log DB server 8 to predetermined portable media 9a to 9d based on its attribute. . When this distribution is completed, the log distribution agent 11 notifies the log monitor 10 of this. As a result, the log deletion processing unit 16 deletes the transferred log from the log DB server 8 and deletes this log DB.
It is designed to increase server capacity.

Each of the above-mentioned components is actually composed of a storage medium such as a hard disk provided in the computer system and a computer software program stored in this storage medium, and is called up on the memory by a CPU (not shown). By being executed, each function of the present invention is achieved.

Next, more detailed functions of each component will be described based on an actual operation example.

First, as described above, each server 3a
A communication log is output from 3d and transmitted to the log monitor 10 in real time. Each line of the logs received from each of the servers 3a to 3d is converted into a predetermined unified format by the log format unified processing unit 14 of the log monitor 10 so that they can be compared or combined with each other. This makes it possible to integrate the logs received from the plurality of servers 3a to 3d in the log DB server 8 as described later. This format conversion aligns different formats such as a display position, a display order, and a time stamp position depending on the target facility or the log recording program into a unified format.

For example, the first log (syslog) recording the FTP operation is shown in FIG. 2A, and the second log (xferlo) recording the movement of the file in the FTP is recorded.
It is assumed that g) is as shown in FIG. Here, the first log is {month, day, time, server, daemon, [P
ID] operation (including connection IP, account)}, while the second log is {day of week, month, day,
The format is time, year, connection IP, file size, file name, transfer mode, input / output, account, protocol}. Since it is difficult to integrate and analyze as it is, the log format unification processing unit 14 arranges them in a format as shown in FIG. 3 in this embodiment. In this format, the time stamp formats of the formats of FIG. 2A and FIG. 2B are matched, and the display position of the connection IP and the display position of the account are aligned.

Next, the log storage processing unit 15 sequentially stores each line of the log converted into the unified format in the log DB server 8 as one record of the database file. As a result, logs recorded by a plurality of servers or a plurality of server applications are integrated.

The log transfer from each of the servers 3a to 3d is performed in real time, and the conversion of the log format and the storage in the log DB server 8 are sequentially performed in the order received. Go. Further, the unauthorized access detection unit 18 detects whether or not there is an abnormality in the protocol waveform every time each line of the log is received from each of the servers 3a to 3d, and determines whether there is an unauthorized access.

Next, at a predetermined timing according to the distribution schedule, the log distribution agent 1
The log stored in the log DB server 8 is sorted by 1. This distribution is performed by the distribution instruction unit 23 of the schedule management agent 12 issuing an instruction to the log distribution agent 11 according to the log distribution condition 21 and the distribution schedule 22.

Hereinafter, a plurality of different log distribution conditions will be given.
The distribution procedure according to them will be described in detail with reference to schematic diagrams of FIG.

As shown in FIG. 4, the system configuration according to this embodiment is an environment in which servers of two companies are mixed,
Each company has a total of four servers 3a to 3d (SERVER
1-4) are provided. The logs output from the four servers 3a to 3d are centrally stored in the log DB server 8 in a unified format, and then the portable media 9a to 9d (SAVE DEVICE) are stored at a predetermined timing.
It will be distributed to 1-4).

Here, the image of the log file output from each of the servers 3a to 3d is as shown in FIG. 5, for example. Here, specific log contents (such as those shown in FIG. 2) are omitted, and only the attributes of each log are shown.

The logs output from the servers 3a to 3d are integrated and stored in the log DB server 8 as shown in FIG. In this figure, only the attribute information of the log is displayed and the contents of the log are omitted. However, each line (record) of the log stored in this DB server 8 has a date and time 31, a server type 32, as shown in FIG. , Event 33
In addition to the attribute information consisting of (service) and log file type 34, it has fields of the above-mentioned format-unified log 35 (see FIG. 3) and raw log 36 (see FIG. 2) before format unification. There is.

Next, a plurality of different log distribution conditions will be given.
The corresponding processing will be sequentially described. Note that, in the following, for simplification of description, the illustration of the format-completed log 35 and the raw log 36 before format unification is omitted.

(Example 1: When distributing by company) When the logs in the log DB server 8 are stored by company,
The log distribution condition 21 of the schedule management agent 12 is, for example, as shown by 41 in FIG.
EVICE1 (first medium 9a) has a log of company A,
B in SAVEDEVICE2 (second medium 9b)
The company logs, SAVE DEVICE 3 and 4 (third and fourth media 9c and 9d) are set as unused. In this case, the log distribution agent 11 may use the log DB based on the “company” field in the attribute information.
The logs 42 in the server 8 are sorted, and the log 43 of company A is recorded on the medium 9a and the log 44 of company B is sorted as shown in this figure.
Is stored in the medium 9b. Although omitted in this figure as described above, the format-completed log 35 (see FIGS. 7 and 3) is naturally transferred to each of the media 9a to 9d. Regarding the raw log 36, each medium 9a-9
The data may be stored in d, or may be collectively stored in another dedicated medium in order to save the storage capacity. At the time of this transfer, some of the attribute information may be erased to effectively use the capacity of the media 9a to 9d.

(Example 2: Saving by Server) When the unified log 42 in the log DB server 8 is saved by server, the log distribution condition 21 of the schedule management agent 12 is, for example, 45 in FIG. As shown in
The AVE DEVICE 1 (first medium 9 a) has the log of the server 1, the SAVE DEVICE 2 (second medium 9 b) has the server 2 log, and the SAVE DEVIC
The log of the server 3 and the SAVE DEVICE 4 (fourth medium 9d) are set in E3 (third medium 9c). In this case, the log distribution agent 1
1 is the log DB based on the server type in the attribute information
The log 42 in the server 8 is sorted and the log 46 in the server 1 is sorted.
To the medium 9a and the log 47 of the server 2 to the medium 9b.
Then, the log 48 of the server 3 is stored in the medium 9c and the log 49 of the server 4 is stored in the medium 9d.

(Example 3: Saving by Log File Type) When saving the unified log 42 in the log DB server 8 by log file type, the log distribution condition 21 of the schedule management agent 12 is, for example, As shown at 51 in FIG. 10, SAVE DEVICE1
The log of the log file type 1 is stored in the (first medium 9a) and the SAVE DEVICE2 (second medium 9b).
Is a log of type 2 log file, SAVE DEVI
A log of log file type 3 is set in CE3 (third medium 9c), and SAVE DEVICE4 (fourth medium 9d) is set as unused. In this case, the log distribution agent 11 sorts the logs 42 based on the server type in the attribute information, the log 52 of the log file type 3 as the medium 9a, and the log 53 of the log file type 3 as the medium. 9b, log file type 3
The log 54 of FIG.

(Example 4: Saving by Date) When saving the logs 42 in the log DB server 8 by date, as shown by 55 in FIG. 11 as the log distribution condition of the schedule management agent 12. , SAVE DE
VICE1 (first medium 9a) has a log of June 1, 2001, SAVE DEVICE2 (second medium 9b) has a log of June 2, 2001, SAVE D
6th 2001 in EVICE3 (3rd media 9c)
The log on the third day of the month and SAVE DEVICE4 (fourth medium 9d) are described as unused. In this case,
The log distribution agent sorts the logs based on the date in the attribute information, and logs 5 June 1, 2001.
7 is saved in the medium 9a, the log 58 of June 2, 2001 is saved in the medium 9b, and the log 59 of June 3, 2001 is saved in the medium 9c.

(Example 5: Saving by Service) When saving the log in the log DB server by service, as shown by 61 in FIG. 12, as a log distribution condition of the schedule management agent, SAVE DEV
The CE1 (first medium 9a) has a web service log, and the SAVE DEVICE2 (second medium 9b).
Ftp service log, SAVE DEVICE3
In the (third media 9c), the Mail service log,
And SAVE DEVICE4 (4th media 9d)
Is set as unused. In this case, the log distribution agent 11 sorts the logs 42 based on the event type in the attribute information, and logs the WEB service logs 62.
To the media 9a, the FTP service log 63 to the media 9b, and the MAIL service log 64 to the media 9c.
Save to.

(Example 6: When the conditions of Examples 1 to 5 are designated in combination) As in the above Examples 1 to 5, not only the attributes of each log are individually designated, but also the conditions of Examples 1 to 5 are set. It is also possible to specify in combination in multiple ways. For example, as the log distribution condition 21 of the schedule management agent 12, as shown at 65 in FIG. 13, SAVE DEVICE
1 (first medium 9a) is a web service of company A, the log of June 1, 2001, SAVE DEVICE2
(Second media 9b) has 2 web services of company A
June 2, 001 log, SAVE DEVICE3
(3rd media 9c) 6th June 2001 6
It is possible to set the logs up to the third day of the month and all logs of the FTP service and the MAIL service in the SAVE DEVICE 4 (fourth medium 9d).

As described above, each of the media 9
When the logs in the log DB server 8 are distributed to a to 9d, the log distribution agent 11 transmits a signal indicating which log has been distributed to the log monitor 10. As a result, the log deletion processing unit 16 deletes the sorted logs from the log DB server 8 and logs D
The free capacity of the B server 8 is increased.

Further, the media replacement judging section 17 determines the amount of logs accumulated in the log DB server 8, information about the previous media replacement time, the storage file capacity at the previous transfer, and the next time received from the schedule management agent. Based on the remaining time until the transfer schedule, each media 9
It has a function of determining the replacement time of a to 9d. That is, until the remaining time becomes less than or equal to a certain value, the above determination is performed at a certain interval, and only the media 9a to 9d that need to be replaced are issued with a replacement command.

According to such a configuration, each server 3a ...
The logs output from 3d can be transferred to a secure remote location in real time, and each log is converted into a unified format. By this,
The logs of each of the servers 3a to 3d can be monitored in a unified manner, and the logs are carried by the portable media 9a to 9 according to a predetermined rule.
It can be sorted and stored in d. As a result, the communication log including information such as unauthorized access can be safely stored in a desired form before being tampered with or deleted by a cracker or the like.

The present invention is not limited to the above-mentioned one embodiment, but can be variously modified without changing the gist of the invention.

For example, in the above-described embodiment, the format of the logs is unified on the remote location side (the log monitoring system 1 side), but it may be unified on the log transfer section 5 of each of the servers 3a to 3d. Furthermore, the log distribution condition 21 is not limited to that of the one embodiment, and the user can set other desired conditions.

Further, although the server 2 is targeted for monitoring in the above-described embodiment, the present invention is not limited to this, and a router or the like may be monitored. Further, although the security-related log is monitored in the one embodiment, the present invention is not limited to this, and various logs can be monitored.

Further, in the above-mentioned one embodiment, the present invention is provided as a system and a method.
The function of the present invention may be achieved by being provided as packaged software stored in a computer or the like and installed in a computer system.

[0059]

According to the configuration described above, a log processing method capable of safely storing or storing a communication log including information such as unauthorized access without requiring the security administrator to have a high level of knowledge or experience. The computer software program or system can be obtained.

[Brief description of drawings]

FIG. 1 is a schematic configuration diagram showing an embodiment of the present invention.

FIG. 2 is a diagram showing an example of a log transferred from each server or the like.

FIG. 3 is a diagram showing a log after unifying formats.

FIG. 4 is a schematic diagram showing an operation example of this embodiment.

FIG. 5 is a schematic diagram showing an operation example.

FIG. 6 is a schematic diagram showing an operation example.

FIG. 7 is a schematic diagram showing an operation example.

FIG. 8 is a schematic diagram showing an operation example.

FIG. 9 is a schematic diagram showing an operation example.

FIG. 10 is a schematic diagram showing an operation example.

FIG. 11 is a schematic diagram showing an operation example.

FIG. 12 is a schematic diagram showing an operation example.

FIG. 13 is a schematic diagram showing an operation example.

[Explanation of symbols]

1 ... Log monitoring system 2a, 2b ... Company system 3a-3d ... server 4 ... Log recording program 5 ... Log transfer program 8 ... Log DB server 9a to 9d ... Portable media 10 ... Log monitor 11 ... Log distribution agent 12 ... Schedule management agent 14 ... Log format unified processing unit 15 ... Log storage processing unit 16 ... Log deletion processing unit 17 ... Media replacement determination unit 18 ... Unauthorized access detection unit 19 ... Server setting creation section 21 ... Log distribution condition storage unit 22 ... Log distribution schedule storage unit 23 ... Log distribution instruction unit

Claims (42)

[Claims] 1. A method of processing a communication log, comprising: (a)
A step of acquiring communication logs from servers, OSs, and applications for all purposes, sequentially transmitting the logs to remote locations, and shaping logs of different formats into a uniform predetermined format; and (b) transmitting the logs to the remote locations. Saving each line of the log as one or more records of the data file in the first storage medium, and (c) setting each line of the data file to an attribute in the predetermined format at a predetermined timing. Distribution control based on the above, and storing and accumulating each in a plurality of different second storage media. 2. The method according to claim 1, wherein (d)
The method further comprising the step of detecting the presence or absence of unauthorized access by applying a predetermined unauthorized access pattern to each line of the stored log. 3. The method according to claim 2, wherein (e)
The method further comprising generating a setting change instruction for each of the servers, OSs, and applications based on detecting the unauthorized access. 4. The method according to claim 1, wherein in the step (a), the logs of different formats are formed into a uniform predetermined format before being transmitted to the remote location. how to. 5. The method according to claim 1, wherein in the step (a), the logs of different formats are formed into a uniform predetermined format at the remote location. 6. The method according to claim 1, wherein the second storage medium in the step (c) is a portable storage medium, and data is stored and stored in the second storage medium by a predetermined data transfer. A method characterized by being performed at a timing. 7. The method according to claim 6, further comprising the step of determining whether or not to replace the second storage medium based on the remaining storage capacity of the second storage medium and the remaining time until the next transfer timing. The method further comprising. 8. The method according to claim 1, wherein the step (a) comprises a step of converting the log into a predetermined format by using a conversion procedure prepared in advance for each application that outputs the log. The method of having. 9. The method according to claim 8, wherein a conversion procedure prepared in advance for each application is
The method further comprising a step of updating at a predetermined timing. 10. The method according to claim 1, wherein in the step (c), logs of servers, OSs, and applications relating to a plurality of individuals / corporations are mixed in the first storage medium, Each line of the data file is assigned to the individual / person based on the attributes in the predetermined format.
A method of storing and accumulating in a second storage medium which differs for each corporation. 11. The method according to claim 1, wherein in the step (c), when the logs of a plurality of servers are mixed in the first storage medium, each line of the data file is set to the predetermined number. Based on the attributes in the format of
A method of storing and accumulating in a different second storage medium for each server. 12. The method according to claim 1, wherein in the step (c), each line of the data file is stored in a second storage medium that is different for each log file type based on an attribute in the predetermined format. A method characterized by being accumulated. 13. The method according to claim 1, wherein in the step (c), each line of the data file is stored in a second storage medium that differs according to recording date or time based on an attribute in the predetermined format. A method characterized by being stored and accumulated. 14. The method according to claim 1, wherein in the step (c), each line of the data file is stored and stored in a second storage medium that is different for each service based on an attribute in the predetermined format. The method characterized by being the one that goes on. 15. A computer software program for causing a computer system to process a communication log, comprising: (a) obtaining a communication log from a server, an OS, or an application for all purposes and sequentially transmitting the log to a remote location. And a log format unification processing unit for shaping logs of different formats into a unified predetermined format, and (b) first storage of each line of the log transmitted to the remote location as one or more records of a data file. The first to save on the medium
(C) Each line of the data file is distributed and controlled based on an attribute in the predetermined format at a predetermined timing, and each line is stored and stored in a plurality of different second storage media. A computer software program having a second log storage processing unit. 16. The computer software program according to claim 15, wherein (d) an unauthorized access detection unit that detects the presence or absence of unauthorized access by applying a predetermined unauthorized access pattern to each line of the stored log. And a computer software program comprising: 17. The computer software program according to claim 16, further comprising: (e) a setting change creating unit that generates a setting change instruction for each of the servers, OSs, and applications based on detection of the unauthorized access. A computer software program having. 18. The computer software program according to claim 15, wherein the log format unification processing unit forms the logs of different formats into a uniform predetermined format before transmitting to the remote location. A computer software program characterized in that 19. The computer software program according to claim 15, wherein the log format unification processing unit forms the logs of the different formats into a uniform predetermined format at the remote location. A computer software program to run. 20. The computer software program according to claim 15, wherein the second storage medium in which the second log storage processing unit stores a log is a portable storage medium, and the second storage medium. A software program for storing and storing data in a computer at a predetermined data transfer timing. 21. The computer software program according to claim 20, wherein the necessity of replacement of the second storage medium is determined based on the remaining storage capacity of the second storage medium and the remaining time until the next transfer timing. A computer software program, further comprising: 22. The computer software program according to claim 15, wherein the log format unification processing unit converts the log into a predetermined format by using a conversion procedure prepared in advance for each application that outputs the log. A computer software program characterized by being converted. 23. The computer software program according to claim 22, wherein the log format unification processing unit further includes means for updating a conversion procedure prepared in advance for each of the applications at a predetermined timing. A computer software program to run. 24. The computer software program according to claim 15, wherein the second log storage processing unit mixes logs of servers, OSs, and applications relating to a plurality of individuals / corporations in the first storage medium. If each of the lines of the data file is based on the attributes in the predetermined format,
A computer software program, which is stored and stored in a second storage medium that differs for each individual / corporation. 25. The computer software program according to claim 15, wherein the second log storage processing unit includes the data file when the logs of a plurality of servers are mixed in the first storage medium. A computer software program for storing each line of the above in a second storage medium different for each server based on the attribute in the predetermined format. 26. The computer software program according to claim 15, wherein the second log storage processing unit changes each line of the data file for each log file type based on an attribute in the predetermined format. A computer software program characterized by being stored and accumulated in a second storage medium. 27. The computer software program according to claim 15, wherein the second log storage processing unit changes each line of the data file according to a recording date or time based on an attribute in the predetermined format. A computer software program characterized by being stored and stored in a second storage medium. 28. The computer software program according to claim 15, wherein the second log storage processing unit changes each line of the data file for each service based on an attribute in the predetermined format. A computer software program characterized by being stored and stored in a storage medium. 29. A communication log processing system, comprising:
(A) A means for acquiring a communication log from a server, an OS, or an application for all purposes, sequentially transmitting the logs to a remote location, and forming logs of different formats into a predetermined predetermined format, and (b) transmitting to the remote location. A means for saving each line of the log as one or more records of the data file in the first storage medium, and (c) each line of the data file being processed in the predetermined format at a predetermined timing. And a means for performing distribution control based on the attribute of, and storing and accumulating each in a plurality of different second storage media. 30. The system according to claim 29,
(D) The system further comprising means for detecting the presence or absence of unauthorized access by applying a predetermined unauthorized access pattern to each line of the stored log. 31. The system of claim 30, wherein
(E) On the basis of detecting the unauthorized access,
A system further comprising means for generating a setting change instruction of each of the servers, OS, and applications. 32. The system according to claim 29, wherein the (a) means forms logs of different formats into a uniform predetermined format before transmitting to the remote location. System to do. 33. The system according to claim 29, wherein the (a) means forms the logs of different formats into a unified predetermined format at the remote location. 34. The system according to claim 29, wherein the second storage medium in the (c) means is a portable storage medium, and the storage and storage of data in the second storage medium is a predetermined data transfer. A system characterized by being executed at a timing. 35. The system according to claim 34, further comprising means for determining necessity of replacement of the second storage medium based on the remaining storage capacity of the second storage medium and the remaining time until the next transfer timing. A system characterized by further having. 36. The system according to claim 29, wherein the (a) means converts the log into a predetermined format by using a conversion procedure prepared in advance for each application that outputs the log. The system that has. 37. The system according to claim 36, wherein a conversion procedure prepared in advance for each application is
The system further comprising means for updating at a predetermined timing. 38. The system according to claim 29, wherein the (c) means mixes a plurality of individual / corporate server, OS, and application logs in the first storage medium. Each line of the data file is assigned to the individual / person based on the attributes in the predetermined format.
A system characterized by being stored and stored in a second storage medium that differs depending on the corporation. 39. The system according to claim 29, wherein when the first storage medium contains logs of a plurality of servers, the (c) means sets each line of the data file to the predetermined line. Based on the attributes in the format of
A system for storing and accumulating in a second storage medium different for each server. 40. The system according to claim 29, wherein the (c) means stores each line of the data file in a second storage medium that is different for each log file type based on an attribute in the predetermined format. A system characterized by being accumulated. 41. The system according to claim 29, wherein the (c) means stores each line of the data file in a second storage medium that differs according to recording date or time based on an attribute in the predetermined format. A system characterized by being stored and accumulated. 42. The system according to claim 29, wherein the (c) means stores and stores each line of the data file in a second storage medium that is different for each service based on an attribute in the predetermined format. A system characterized by the fact that