JP2007272774A - Event information management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To attain a log management device which performs electronic signature at proper timing according to significance of event information (logs) to the logs which appear on a computer system. <P>SOLUTION: The significance of the logs is classified according to appearance probability, the log with low appearance probability is considered to have high significance, on the contrary, the log with high appearance probability is considered to have low significance and the electronic signature is preferentially performed on the log with high significance. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to operation of a computer system, and is a method for managing event information (log) which is a record of device operation or communication between networks, and performs appropriate management according to the importance of the log. .

  Conventionally, in computer systems and network management systems, various events such as access records to system files and databases, access request records, communication records between devices, and communication error records are recorded as logs along with their appearance times. There are many things.

  This log is recorded so that the past history can be referred to for the purpose of investigating the cause when an unexpected situation such as a suspicion of unauthorized intrusion or system shutdown occurs. However, simply recording the history may cause the log time and contents to be deliberately altered, added, deleted, etc., or damaged.

  In recent years, a time stamp technique using an electronic signature technique has been established as a technique for guaranteeing the non-tampering of time and contents of logs and the like. The time stamp is issued to the digital data held by the issuer by sending it to a trusted third party through a network, etc., and issuing the digital data with an electronic signature along with the correct time. Is.

  In this time stamp technology, the issuer can request the time stamp for each log or a plurality of logs to guarantee non-tampering of the log, but the log itself is deleted, or There is a risk of unauthorized insertion between logs.

On the other hand, Japanese Patent Laid-Open No. 2004-228561 has a technique for assuring the continuity of data by assembling the current log as a stored data by pairing the log that appeared immediately before and performing an electronic signature on the stored data. It is disclosed.
JP 2003-14139 A

  The fact that the log appearance time and contents are not falsified and that the continuity of the log is guaranteed can be realized by using the conventional technique described above.

  However, recent computer systems are configured by connecting many computers and communication devices, and the logs of requests, errors, warnings, and execution records generated by each device become enormous. In addition, logs that usually appear in such computer systems have no substantial problem in the operation of the system, and most of them do not need to guarantee time information strictly. On the other hand, since a time stamp issuance is required, the cost for this is not negligible.

  In addition, it is possible to reduce the cost by requesting the issuance of time stamps for a plurality of logs collectively at predetermined intervals, but logs that are important for system operation appear during the predetermined intervals. There was a problem that there was a risk of tampering with the log.

  In order to solve this problem, the first invention is an event history management system for storing and managing a history of event information appearing on a computer system, and acquiring event information appearing on the computer system The event information monitoring unit, the importance level determination means for determining and setting the importance level so that the lower the occurrence probability of the acquired event information, the lower the higher the appearance probability, and the lower the occurrence probability, and the importance level determination of the event information A holding means that holds the information according to importance set by the means, and event information for each importance level held in the holding means, when a predetermined number is accumulated for each importance level, an electronic signature is applied for each importance level. An event history management system comprising an electronic signature means and a storage unit for storing the electronically signed event information, wherein the electronic signature means sets the predetermined number to be smaller for event information having higher importance To provide.

  In such a configuration, the appearance probability may be an appearance probability for the entire event information that has appeared in the past, or may be an appearance probability in a predetermined period. Further, the processing status of the electronic signature may be requested to an external third party through a network. In this case, a transmission / reception unit for transmitting / receiving event information for requesting an electronic signature is provided, an electronic signature is applied by a third-party organization, and the reply is stored again to store the signed circumstance information. In addition, event information that has been digitally signed by a third party organization may be stored in a different receiving destination by dividing the sending destination and the receiving destination.

  With this configuration, the first invention frequently applies electronic signatures to highly important event information with a relatively low appearance probability, and collects low priority event information with a relatively high appearance probability. An electronic signature can be applied. For this reason, it is possible to apply a digital signature to a necessary number of pieces of event information in accordance with the importance, and it is possible to improve processing efficiency.

  The second invention is an event history management system for storing and managing a history of event information that has appeared on a computer system, an event information monitoring unit that acquires event information that has appeared on a computer system, and Importance determination means for determining and setting importance so that the lower the appearance probability of the acquired event information is higher and the lower the appearance probability is, and the importance information set by the importance determination means. A holding means that holds the information in a separable manner, and an electronic signature means that applies an electronic signature for each importance level after a predetermined time has elapsed since the first holding of each importance level with respect to the event information for each importance level held in the holding means The electronic signature means provides an event history management system that sets a shorter predetermined time for event information having a higher importance level.

  In such a configuration, the appearance probability may be an appearance probability for the entire event information that has appeared in the past, or may be an appearance probability in a predetermined period. Further, the processing status of the electronic signature may be requested to an external third party through a network. In this case, a transmission / reception unit for transmitting / receiving event information for requesting an electronic signature is provided, an electronic signature is applied by a third-party organization, and the reply is stored again to store the signed circumstance information. In addition, event information that has been digitally signed by a third party organization may be stored in a different receiving destination by dividing the sending destination and the receiving destination.

  With this configuration, in the second invention, high-priority event information with a low occurrence probability is digitally signed in a short time from the appearance of the event, and low-importance event information with a high appearance probability is after a relatively long time has passed. Thus, it is possible to apply an electronic signature at an appropriate timing according to the importance of event information. For this reason, it becomes impossible to falsify as important event information, and it becomes possible to improve processing efficiency.

  Furthermore, the first or second invention holds unsigned information that is event information that has not been digitally signed by the holding means, and signed information that is signed event information that has been digitally signed, and the electronic signature means However, it is preferable that at least a part of the signed information and the unsigned information are combined and an electronic signature is applied.

  As a result, the continuity of event information is guaranteed, and it becomes easy to detect tampering such as insertion or deletion of event information by a Service-to-Self while individual event information and event information are generated.

  As described above, according to the present invention, the event information (log) is classified according to the importance determined based on the appearance probability, and the condition for applying the electronic signature (time stamp) is changed according to the importance. It is possible to manage event information history appropriately according to the degree.

A log management apparatus according to the present invention will be described below with reference to the drawings.
FIG. 10 is a diagram showing an overall system configuration including the log management apparatus 1. In the figure, the log management apparatus 1 is realized as a part of a program that runs on the server computer 14, for example, with respect to a plurality of applications 12 such as a mail server and a web server that run on the server computer 14. An access record or the like that occurs when an access or the like is made from the mobile phone 17 via the Internet 15 is recorded as a log. The recorded log is further digitally signed by the time stamp issuing authority 13 and stored in the log management device 1.

  First, logs handled in the present invention will be described. The log handled in the present invention is a record of when, where, and what has occurred for an event that has occurred on a computer system. For example, in the system shown in FIG. 10, when a web server is accessed, the information of the access record is stored in the log management apparatus 1 as a log together with the application name and time information. Although the entire system configuration has been described with reference to FIG. 10, applications such as a mail server and a web server may be realized in another server computer.

Next, the configuration of the log management apparatus 1 according to the present invention will be described with reference to FIG.
The log management apparatus 1 includes a control unit 2 that controls each unit, a storage unit 3 that stores a log file, a log appearance monitoring unit 4, a transmission / reception unit 10, and a display unit 11.

  The control unit 2 includes an importance level determination unit 5 that reads and executes various programs stored in the storage unit 3, a grouping unit 6, a hash value calculation unit 7, an appearance probability calculation unit 8, and a verification unit 9.

  In the storage unit 3, a log file 31 for storing an appearance log, log appearance probability information 32 calculated by the appearance probability calculation unit 8, a time stamp token 33 issued by the time stamp issuing station 13, and the log management device 1 are executed. Various programs 34 such as a verification program for verifying whether or not a program for calculating the hash value by determining the importance of the log and the falsification of the log have been performed, and the log generated by the connected application Log management information 35 such as a data structure is stored.

  The log appearance monitoring unit 4 monitors in real time whether an event in which a device connected via a network or the like appears is input as a log. The log generation unit 12 in FIG. 1 is an output of an application such as a mail server or a web server.

  The importance determination unit 5 determines the importance of the log based on a predetermined importance determination criterion for the appearing log, and assigns an importance classification label to each log. The log to which importance is given is stored in the log file 31 of the storage unit 3 together with the log ID given in the order of appearance.

  The grouping unit 6 accumulates the log classified by the importance determination unit 5 by the importance as the log ID of the log that has not yet been requested to issue the time stamp as the unsigned log. When the threshold set for each importance level is reached, a group for making a time stamp issue request is created using the unsigned log.

  The hash value calculation unit 7 calculates a hash value for the group created by the grouping unit 6. The hash value is calculated because it makes it easier to detect log tampering and, at the same time, the data length of the hash value is constant even when the group size is different, which is advantageous in terms of calculation and storage costs. is there.

  The appearance probability calculation unit 8 calculates the appearance probability for each type of log that has appeared, and updates the log appearance probability information 32 stored in the storage unit 3.

  The verification unit 9 verifies whether the stored log is falsified or damaged. The log of the unit grouped by the grouping unit 6 described later is read from the stored log file 31, the hash value is recalculated for the log, and the time stamp token 33 stored in the storage unit 3 The comparison is performed, and the verification result is displayed on the display unit 10 realized by a liquid crystal display or the like.

  The transmission / reception unit 10 makes a time stamp issue request to the time stamp issuing station 13 for the hash value calculated by the hash value calculation unit 7, and sends the issued time stamp token 33 to the time stamp token 33 in the storage unit 3. Remember. Such a time stamp token corresponds to a log (event information) signed electronically.

  The log management device 1 and the time stamp issuing station 13 are connected via a network. For this reason, the transmission / reception unit 10 includes transmission / reception means for communicating with the time stamp issuing station 13 via the network. In this embodiment, the transmission / reception unit is integrated and the reception side is the log management device 1. However, the reception unit is placed in a different location from the transmission unit, and the storage location of the time stamp token 33 is different. You may make it let.

  The time stamp issuing station 13 is a third party that receives time distribution from a time distribution station that distributes a strictly reliable time, and is connected to the log management apparatus 1 via a network or the like.

  By receiving the digital signature for the hash value at the time stamp issuing station 13 that holds the reliable time in this way, it is proved that the hash value sent from the transmission / reception unit 10 was present when the time stamp token 33 was issued. It is possible to verify whether or not tampering or damage has occurred.

Next, data stored in the storage unit 3 will be described.
The storage unit 3 stores a log that appears as an operation record of another device connected to the log management apparatus 1 and a communication record with another device connected via a network or the like. As shown in FIG. 6, log IDs are assigned to the individual logs in the order of appearance, and are sequentially stored in the log file 31 together with the determination result of importance.

An example of the configuration of each log is shown in FIG. In the example shown in FIG. 3, each log includes time information 301 and event contents 302.
The time information 301 is time information given at the time of log acquisition by a clock (not shown) of the log management apparatus 1. The event content 302 indicates what kind of operation or communication is performed by which application or device. Such event contents generally include one or more classification information 304 that is commonly used in various logs and various applications and connected devices, and additional information 305 used uniquely for each application. Note that the additional information 305 is not necessarily included.

The classification information 304 includes information indicating the type of application (function), classification of operation records according to the function (login record, work record, error information, etc.), and information obtained by subdividing the classification of operation records (successful login record). , Unsuccessful). In the log management system, a plurality of classification information 304 excluding time information 301 and additional information 305 is extracted from the obtained log and processed. The log configuration and which part of the log information is extracted and processed as classification information are stored in advance in the log management information 35 of the storage unit 3.
The appearing logs are additionally stored in the log file 31 sequentially in the storage unit 3 and stored.

Next, the log appearance probability information 32 stored in the storage unit 3 will be described.
In the present invention, the importance is classified based on the appearance probability. Specifically, a log with a low appearance probability has a high importance, and a log with a high appearance probability has a low importance.

The storage unit 3 stores the table shown in FIG. 5 as the log appearance probability information 32.
In the table shown in FIG. 5, event content classification information 303 obtained by extracting a part obtained by removing the log-specific additional information 305 from the event content 302 according to the log management information 35 stored in advance as shown in FIG. 4 is listed. ing.

  Note that the log appearance probability in the present invention corresponds to the appearance probability of the event content classification information 303 in the present embodiment. The log appearance probability information 32 stores a list of appearing logs (event content classification information 303), the number of appearances of each log, and the appearance probability for the total number of logs that appeared in the past. For example, in the content shown in FIG. 5, “AAA” of the event content classification information 303 has the appearance count information “15”, which is the number of appearances, and the appearance probabilities are 20 occurrences (“AAA” “BBB”). “Total number of occurrences of“ CCC ”) is 15 times, so it is 75%.

A specific criterion for determining importance is determined by the importance determining unit 5. For example, a log with an appearance probability of 0.001 (0.1%) or less is “high”, and a log with an appearance probability greater than 0.001 and 0.005 (0.5%) is “medium”. A log having an appearance probability greater than 0.005 is set as “low”. When a certain log appears, the importance level determination unit 5 refers to the appearance probability information 32 in the storage unit 3, and if the appearance probability of the log that has appeared in the table of FIG. The degree is determined to be “low”.
Thus, the importance of the log is set so as to be automatically determined according to the log appearance probability information 32.

  Here, the reason for connecting the importance of the log to the appearance probability will be described. A log with high importance is a log that has a high degree of influence on the operation of the system. For example, high-significant logs include abnormal stop notifications for important functions provided by devices, intrusion information of unauthorized third parties, start notifications for other functions not intended by the administrator, etc. Equivalent to.

Such highly important information is an event that is unlikely to appear as long as system operation management is appropriately performed. In other words, a situation in which events of high importance frequently occur is a situation in which system operation management is not properly performed in the first place. In such a situation, it is extremely rare for the system administrator to appropriately set or deal with such a situation so that such an event does not occur frequently due to a complaint from the system user.
Therefore, when the entire operation period is taken into consideration, the appearance probability of highly important information is lowered by an appropriate setting or countermeasure by the administrator.

On the other hand, in general devices, warning and error information usually appears frequently even when there is no problem in actual operation. Such a log having a high appearance probability has no problem in actual operation of the system and can be said to be information with low importance.

Logs that appear as described above are classified according to importance, and appropriate processing is performed according to each importance. Specifically, in the case of a log with high importance, in order to prevent falsification by Service-to-Self, etc., the frequency of requesting the issuance of a time stamp, which is one aspect of an electronic signature, is increased. Emphasis is placed on reducing the cost associated with time stamp issuance, and after a predetermined number of logs are accumulated, time stamp issuance requests are collectively made.

  Next, with reference to the flowchart of the process in the log management apparatus 1 in FIG. 2, a process in which the log management apparatus 1 issues a time stamp issuance request for the appearing log and stores the issued time stamp token will be described. To do.

  When the log management apparatus 1 starts operation, first, in step S1, whether or not a new log has appeared by communication with the operation or communication of a device connected to the log management apparatus 1 directly or via a network or the like. Is performed by the log appearance monitoring unit 4.

  When the log appearance monitoring unit 4 confirms the appearance of the log, the importance level determination unit 5 determines the importance level of the log that has appeared based on the condition set in advance in step S2.

Specifically, the importance level determination unit 5 first determines whether or not the log that has appeared is stored in the log appearance probability information 32 of the storage unit 3. Depending on the probability, the importance is classified into three levels of “high”, “medium”, and “low”, and the log is stored in the log file 31 of the storage unit 3. In the present embodiment, it goes without saying that the importance can be classified into a plurality of other stages.
If the log does not appear in the past, the degree of importance is determined with a past appearance probability of 0%, and the log is similarly stored in the log file 31 of the storage unit 3.

  In step S3, the log appearance probability information 32 in the storage unit 3 is updated based on the information of the newly appearing log. Specifically, if it is already stored in the log appearance probability information 32, the appearance number information and the total number information S of the logs are increased by “1”, and the value of the appearance probability is updated. If it is not stored in the log appearance probability information 32, a new line of the event content classification information is newly added, the appearance frequency information is set to “1”, and the appearance probability is obtained and stored.

  Although the appearance probability in the present embodiment is the appearance ratio with respect to the total number of logs, a different table may be used for each time zone as the log appearance probability information 32. In this way, it is possible to perform appropriate processing even for logs whose appearance frequency is significantly different depending on the time zone.

  In addition, since the total number information S of logs is small in the initial state when the system starts to operate, the existing appearance probability changes greatly by inputting one log, and even if the same log continues twice, Since the importance levels may be extremely separated from “high” and “low”, and operation near normal is difficult, a test operation for a sufficiently long time is performed in actual operation, and the log appearance probability information 32 It is desirable to accumulate data.

  Furthermore, the log appearance probability information 32 is sequentially updated with the appearance of the log as in the present embodiment. However, when there is sufficient data accumulation, the change in the appearance probability is small with one log input. In addition, the log appearance probability information 32 may be recalculated at predetermined intervals.

  Next, in step S4, the grouping unit 6 determines whether or not a time stamp issue request condition determined for each importance is satisfied.

  Specifically, in the grouping unit 6, an unprocessed log accumulation number that is the start number of grouping processing is set in advance for each importance level. In the present embodiment, “1” is assigned to a log having a high importance level, “2” is assigned to a log having a medium importance level, and “low” is assigned to a log having a low importance level. 4 ”pieces are set. An appropriate number may be set for the accumulated number depending on the system.

When a new log appears, when the number of logs accumulated by importance reaches a threshold value (predetermined accumulation) determined in advance by importance, the process proceeds to step S6 for creating group information for making a signature issue request.
On the other hand, if the predetermined number of unprocessed logs is not accumulated, the ID of the log is stored in step S5, and the process returns to step S1.

  In step S6, using the log IDs grouped in step S5, the log information is read from the log file 31 of the storage unit 3 and a group of log information to be subjected to electronic signature is created.

  In step S7, the hash value calculation unit 7 calculates a hash value for the unprocessed log belonging to the group created in S6. The calculation of the hash value as described above makes it easy to detect log tampering, and at the same time, the data length of the hash value is constant even when the size of the group differs depending on the importance. This is because there is a merit in terms of cost.

  In step S8, after calculating the hash value, the group is released and the number of unprocessed logs having the corresponding importance level is initialized. In step S 9, a time stamp issuance request is created from the calculated hash value, and the issuance request is transmitted from the transmitting / receiving unit 10 to the time stamp issuing station 13.

  In step S10, the transmission / reception unit 10 waits until a time stamp token issued from the time stamp issuing station 13 is received according to the issue request.

  In step S11, the time stamp token is received and stored in the time stamp token 33 of the storage unit 3.

Note that the processing of step 10 and step 11 may be performed independently of the processing of time stamp issue request (S1 to S9).
Finally, if the system is operating in step S12, the process returns to step S1.

  Next, the processing of the grouping unit 6 in steps S4 to S6 will be described in detail with reference to FIG. FIG. 7 is a diagram illustrating the operation of grouping processing by arranging logs in the order of occurrence. This figure shows the order of log generation in the vertical direction, and shows the number of logs stored for each importance level and the presence / absence of grouping processing in the horizontal direction.

First, it is assumed that the unprocessed log accumulation number is “0” for all importance levels.
Next, when a log (ID0001: high) for which the importance level is determined to be high in step S2 is input, “1” is added to the accumulated number of unprocessed logs having the importance level “high”. Specifically, the number of unprocessed accumulations of importance “high” that was “0” is set to “1”. Since the start number of the grouping process with the importance “high” is “1”, ID0001 is set as a grouping target, and the process proceeds to the grouping process in step S6. At this time, the number of unprocessed log accumulations of other importance “medium” and importance “low” is “0” as it is. It should be noted that the number of unprocessed log storages of importance “high” is set to “0” by the group release processing in step 8.

  Subsequently, when the log (ID0002: low) for which the importance level is determined to be low in step S2 is input, “1” is added to the number of unprocessed log storages having the importance level “low”. Specifically, the number of unprocessed log accumulations with the importance “low” that was “0” is set to “1”. Since the start number of the grouping process with the importance “low” is “4”, the process proceeds to the group information holding process in step S5. At this time, the number of unprocessed log accumulations of other importance “medium” and importance “low” is “0” as it is.

  For ID0003 and ID0004, the same processing as ID0002 is repeated. For ID 0005, since the importance is “medium”, the only difference is that the number of unprocessed logs stored with importance “medium” is set to “1”.

  Next, when ID 0006 is input, the log accumulation number of importance “low” becomes “4”, so the start number of the grouping process with importance “low” is “4”, so ID 0002, ID 0003, ID 0004 , ID0005 is set as a grouping target, and the process proceeds to the grouping process in step S6. At this time, the number of unprocessed log storages of other importance “medium” and importance “low” remains the same. Note that the number of unprocessed logs with the importance level “low” is set to “0” by the group release processing in step 8.

  When ID 0007 is input, the same processing as described above is performed, the number of unprocessed log storages of importance “low” is set to “1”, and the process proceeds to step 5.

When ID 0008 is input, the log accumulation number of importance “medium” becomes “2”, and the start number of the grouping process of importance “medium” is “2”, so ID 0005 and ID 0008 are subject to grouping Then, the process proceeds to the grouping process in step S6. At this time, the number of unprocessed log accumulations of other importance “high” and importance “low” remains as they are. Note that the number of unprocessed logs of “medium” importance level is set to “0” by the group release processing in step 8.
The grouping unit 6 repeatedly executes such processing.

  In this embodiment, when grouping, only unprocessed logs are grouped. However, the present invention is not limited to this. For example, one log included in the previous grouping is classified according to importance. A group may be formed by including the above. That is, in the example of FIG. 7, ID0004 and ID0006 first grouped with importance “low” can be grouped together with importance “low” to be grouped next time.

  In this case, if the threshold value for grouping is n, it is preferable to include n / 2 logs at the time of the previous grouping when verifying by the verification unit 9 described later. However, if the grouping size is 1, one log from the previous grouping is included.

  In this embodiment, the time stamp request is issued when the number of logs set according to the importance level is accumulated. However, the present invention is not limited to this method. A time stamp request can be issued as time elapses according to the time.

  The operation when time elapses will be described with respect to another embodiment of the grouping unit 6 with reference to FIG.

  The difference from the above-described embodiment is that the processing in step S4, the transition to step S6 is output from the timer, the processing of storing and updating the number of unprocessed log accumulations that are no longer necessary, and for each importance level This is the point that a timer is newly provided that starts counting from the first occurrence log and outputs a predetermined time. For this reason, it demonstrates centering on the process of step S4. Here, a timer with a high importance level is output when one minute has elapsed since activation, a timer with a medium importance level has elapsed after 10 minutes since activation, and a timer with a low importance level is output when 60 minutes have elapsed since activation. The predetermined time is appropriately selected and set when designing the system.

  First, in FIG. 8, it is assumed that all the timers provided for each importance are in an OFF state.

  Next, when the log (ID0001: high) for which the importance level is determined to be high in step S2 is input, the grouping unit 6 assigns the importance level to the log ID, and the importance level is “high”. It is determined whether or not the timer is activated. Since the timer is not activated this time, the timer having the high importance level is activated. When the timer is activated, the process proceeds to step S5 which is a group information holding process.

  The importance “high” timer is output when one minute elapses, so that the process of step S6 is started when one minute elapses. In step 6, based on ID0001 which is the group information stored in step S5, a log is read from the log file 31 of the storage unit 3 with ID0001 to create grouping information. Subsequent processing is basically the same as the processing described above. However, the difference is that the timer is reset in the group cancellation in step S8.

  Subsequently, when a log (ID0002: low) in which the importance level is determined to be low in step S2 is input, since the current importance level “low” timer has not yet been started, the importance level is “low”. A timer (60 minute timer) is started, and then the process proceeds to step S5.

  Unlike the case of ID0002, ID0003, ID0004, ID0006, ID0007, ID0009, and ID0012, which are logs of importance “low”, are counting the time of importance “low” timer, so that each of them as grouping information in step S5 Store the log ID.

  Then, when the importance “low” timer is output after 60 minutes, the process of step S6 is started. In step 6, based on ID0002, ID0003, ID0004, ID0006, ID0007, ID0009, and ID0012, which are the group information stored in step S5, the log is read from the log file 31 of the storage unit 3 to create grouping information. Subsequent processing is the same as that described above. However, the difference is that the timer is reset in the group cancellation in step S8.

For ID 0005, since the importance is “medium”, the “medium” importance timer (10-minute timer) is started. Thereafter, when there is an output of a “medium” importance timer, the process of step S6 is started. In step 6, based on the ID 0005, the log is read from the log file 31 in the storage unit 3 to create grouping information. Subsequent processing is the same as that described above. However, the point that the timer is reset differs in the group cancellation in step S8.
The grouping unit 6 of the present embodiment repeats and executes such processing.

Next, verification of whether or not the log information in the verification unit 9 has been tampered with will be described.
When the verification unit 9 receives the verification command, the verification unit 9 recalculates the time stamp token for the log stored in the log file 31 of the storage unit 3, and the comparison result with the time stamp token generated when the log appears. It is displayed on the display unit 11. If the comparison results are different, the corresponding part is displayed.

  As a result of verification by the verification unit 9, if the logs that have been falsified or damaged overlap, the hash values of both the previous hash value and the current hash value are different.

  Specifically, the verification unit 9 extracts the log grouped by the grouping unit 6 to be verified from the log file 31 stored in the storage unit 3 and recalculates the hash value from the extracted log. Then, the hash value included in the time stamp token 33 stored in the storage unit 3 is compared, and if they are the same, it can be confirmed that the log has not been falsified or damaged since the time stamp was issued. In this case, it can be confirmed that the log is falsified or damaged. Since the ID issued by the time stamp authority, such as falsification and deletion of the time stamp token itself, is given, it can be detected.

In the example of FIG. 9 (a), there is one overlapping portion, and if the log with falsification or breakage is this overlapping portion, it can be reliably identified. However, there are three parts where the logs that have been falsified or damaged do not overlap, and if the logs that have been falsified do not overlap, there will be variations in the parts that do not overlap with the parts that have overlapped location accuracy. It will be. On the other hand, as shown in FIG. 9B, by making the same number of overlapping and non-overlapping parts, the position when falsification or the like cannot be completely specified, but the same degree of certainty can be obtained in any part. A certainty can be secured.
That is, in the present embodiment, falsification or the like has occurred as described above by performing grouping including n / 2 logs from the group created immediately before the predetermined accumulation number n determined for each importance. In this case, the position identification accuracy is made uniform.

It is a figure which shows the relationship between the structure of the log management apparatus by this invention, and the time stamp issuing station. It is a flowchart explaining operation | movement of this invention. It is a figure which shows the structure of a log. It is a figure which shows the structure of event content classification information. It is a table for managing log appearance probability information. It is a figure which shows the data structure of a log file. It is a figure which shows the processing operation of the grouping part. It is a figure which shows operation | movement of another embodiment of the grouping part 6. FIG. It is a figure explaining the overlap of data when performing grouping. It is a figure which shows the whole system structure containing a log management apparatus.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Log management apparatus 2 Control part 3 Storage part 31 Log file 32 Log appearance probability information 33 Time stamp token 34 Various programs 35 Log management information 4 Log appearance monitoring part 5 Importance judgment part 6 Grouping part 7 Hash value calculation part 8 Appearance Probability calculation unit 9 Verification unit 10 Transmission / reception unit 11 Display unit 12 Log generation unit (application)
13 Time stamp issuing authority 14 Server computer 15 Internet 16 Personal computer 17 Mobile phone

Claims (3)

An event history management system for storing and managing a history of event information appearing on a computer system,
An event information monitoring unit for acquiring the event information;
Importance level determination means for determining and setting the importance level so that the appearance probability of the acquired event information is lower and the higher the appearance probability is,
Holding means for holding the event information in a distinguishable manner according to the importance set by the importance determination means;
Electronic signature means for applying an electronic signature when a predetermined number of event information for each importance level stored in the holding means is accumulated for each importance level;
A storage unit for storing the electronically signed event information;
The event history management system characterized in that the electronic signature means sets the predetermined number to be smaller for event information having higher importance. An event history management system for storing and managing a history of event information appearing on a computer system,
An event information monitoring unit for acquiring the event information;
Importance level determination means for determining and setting the importance level so that the appearance probability of the acquired event information is lower and the higher the appearance probability is,
Holding means for holding the event information severable by importance set by the importance determination means;
Electronic signature means for applying an electronic signature when a predetermined time elapses from the first holding of each importance level with respect to the event information for each importance level held in the holding means,
A storage unit for storing the electronically signed event information;
The event history management system characterized in that the electronic signature means sets the predetermined time to be shorter for event information having higher importance. In the event history management system according to claim 1 or claim 2,
The holding means holds unsigned information that is event information that has not been digitally signed and signed information that is signed event information that has been digitally signed,
The event history management system in which the electronic signature unit applies an electronic signature by combining at least a part of the signed information and the unsigned information.

Images