JP2007279835A - Operation information acquisition device, method, and computer program for server - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a mechanism for acquiring an operation log from a client regardless of a model or an OS of a server or the like without imposing any labor on the server and a client. <P>SOLUTION: This operation information acquisition device is provided with a method for showing an operation to a server from a client terminal; a definition storage part for storing a command corresponding to the method; an acquisition processing part for acquiring a packet to be transmitted/received between the server and a client terminal; a filtering processing part for discriminating a protocol from the data of the acquired packet, and for selecting the packet pertinent to the predetermined protocol, an analysis processing part for specifying information for specifying a client from the selected packet, and for specifying the method corresponding to the command of the acquired packet by referring to the definition information storage part; and an analysis result storage part for storing log data including the date when the method has been generated and the information for specifying the client and the analyzed method. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention is a technique for acquiring log data of operations performed on a server from a client in a client-server system, and in particular, does not place a load on the server side and is a special computer on the server or client side. Even if a program is not installed, it is suitable as a mechanism for acquiring log data by simply connecting to a network without worrying about the OS (Operating System) on the server side.

Recently, in organizations such as companies, the data recorded in the computer is taken out without permission, or unauthorized employees access the computer to obtain the data, There is a social problem of illegal leakage.
To prevent this situation, which client accessed the file management server that stores and manages the files in the organization, and which files on the file management server were created, modified, or deleted A mechanism is provided to obtain operation log data such as

As such a mechanism, in general, a computer program for access monitoring is executed on a server, which client has accessed, and what operation the client has performed on which file. A mechanism for obtaining log data has been proposed.
Further, as an example of a mechanism for acquiring a log, for example, an access count statistics processing unit having a log file in a Web server records the access status from each user in the log file, and based on the recorded contents of the log file A technique for performing statistical processing on the number of accesses for each user has been proposed (see, for example, Patent Document 1).

JP 2002-288069

However, in the conventional mechanism as described above, it is necessary to execute an access monitoring program on the server, so that the server traffic is taken up by the access management process, and the server processing speed decreases. There was a problem that.
Also, when monitoring on a server, it is necessary to set information such as files and clients to be monitored on the server side, and it is necessary to change the management program used depending on the server model and OS. There was a problem that we had to prepare a monitoring program according to the situation.
In addition, when monitoring is performed on the server, there is a problem that the number of clients that can be monitored is limited.
In addition, when monitoring on the server side, the monitoring log data is recorded on the server, so there is a risk that this log data may be illegally accessed or tampered with. There was a problem with reliability.

  The present invention has been made to solve the above-described problems, and acquires an operation log from a client without imposing a load on the server and the client, regardless of the model of the server or the OS and the OS. It aims to provide a mechanism that can do this.

  In order to achieve the above object, an operation information storage device according to one aspect of the present invention includes a file management server for storing a plurality of files, and a plurality of client terminals connected to the file management server via a network. In the system, a device connected to the network and for acquiring log data related to the operation from the client terminal to the file management server, corresponding to each method and a method representing the operation from the client terminal to the file management server A command definition storage means for storing the necessary commands, a packet acquisition processing means for acquiring packets transmitted and received between the file management server and the client terminal, and a communication protocol from the acquired packet data. And pre-determined Filtering processing means for selecting a packet corresponding to a protocol, and information for specifying a client from the selected packet, and referring to the command definition information storage means, and included in the acquired packet. Analysis processing means for specifying a method corresponding to the command being received, analysis result storage means for storing at least the date and time when the method occurs, information for specifying the client, and information including the analyzed method as log data It is characterized by having.

  The command definition storage means stores a command sequence necessary for executing the method, and the analysis processing means performs a response packet combining process for the request packet and a request packet combining process for the response packet. Thus, response request combining processing may be performed, and the corresponding method may be specified based on the command sequence of the combined packet with reference to the command definition storage means.

  Further, the apparatus further includes temporary storage means for temporarily storing a response wait or a request wait command, and the analysis processing means refers to the temporary storage means when acquiring the request command or the response command, and waits for the response or It may be determined whether there is a command corresponding to the request waiting command, and the request-response combination processing may be performed when the corresponding command exists.

  It further has ID correspondence information storage means for indicating the correspondence between the type of ID included in the acquired packet and the management item on the file management server, and the analysis processing means refers to the ID correspondence information storage means. Thus, the corresponding management item on the file management server may be specified from the ID type in the acquired packet and stored in the analysis result storage means.

  The analysis processing means may update the data corresponding to the ID and file name stored in the file management means each time a packet including ID and file name information arrives.

  The server operation information storage method according to one aspect of the present invention includes a file management server for storing a plurality of files, and a system including a plurality of client terminals connected to the file management server via a network. Is performed by an apparatus having a method for storing operations from the client terminal to the file management server, a command definition storing unit for storing necessary commands corresponding to each method, and an analysis result storing unit for storing log data. A method for acquiring a packet transmitted / received between the file management server and the client terminal, and determining a communication protocol from data of the acquired packet and corresponding to a predetermined protocol The process of selecting a packet and the above selected A process for identifying information identifying a client from among the packets and identifying a method corresponding to the command included in the acquired packet with reference to the command definition information storage unit, and at least the method And a process of storing information including the analyzed method and information including the analyzed method in the analysis result storage means as log data.

  A computer program according to one aspect of the present invention is connected to the network in a system including a file management server for storing a plurality of files and a plurality of client terminals connected to the file management server via the network, A computer having a method that represents an operation from the client terminal to the file management server, a command definition storage unit that stores necessary commands corresponding to each method, and an analysis result storage unit that stores log data functions as an operation information storage device A computer program for acquiring a packet transmitted to and received from the file management server and the client terminal, and determining a communication protocol from the acquired packet data. , Processing for selecting a packet corresponding to a predetermined protocol, and specifying information for specifying a client from the selected packets, and referring to the command definition information storage means, the acquired packet Processing for specifying a method corresponding to a command included in the command, at least the date and time when the method occurred, information for specifying the client, and information including the analyzed method are stored as log data in the analysis result storage means It is characterized in that the processing is executed.

According to the present invention, operation records accumulated in a server can be stored without imposing a load on the server, and monitoring of whether a file on the server has leaked to the outside, has been tampered with, or has been deleted. it can.
Further, all files on the server can be monitored without depending on the server model or OS.
In addition, since monitoring can be performed simply by connecting the apparatus to a client-server network, it is not necessary to change server settings even when the number of clients increases, and the labor of setting changes can be saved.
Furthermore, since the operation log data is not recorded on the monitoring target server but is stored on the device side that stores the log, it is possible to prevent the operation log data from being illegally accessed or falsified.

Hereinafter, an embodiment according to the present invention will be described with reference to the drawings.
FIG. 1 shows the overall configuration of the system according to the present embodiment.
FIG. 1 shows the overall configuration of a system using a server operation information storage device according to the present invention. A server 1 to be monitored and a LAN (Local Area Network) or WAN (Wide) are connected to the server 1. A plurality of client terminals 3 configured to be connectable via a predetermined network such as an area network), a switch 2 for switching communication data between the server 1 and the client terminal 3, and the switch 2 The access log acquisition device 4 is configured to be connectable to a network.

The server 1 is a computer capable of storing files that can be used by a plurality of client terminals 3.
The server 1 sends and receives files to and from each client terminal 3 by executing a predetermined OS and an application program installed as necessary, and according to an operation from the client terminal 3, You can create, change, and delete folders and files.
The server 1 may manage access authority for each client. In this case, the server 1 determines whether or not each client has an access right to the server 1 and the right for the client to perform processing such as new creation, change, and deletion for each folder or file for which the access right is set. Manage the authority of whether or not you have.

The client terminal 3 is a computer that can access the server 1 and perform operations such as creating, changing, deleting, and acquiring data of folders and files on the server 1.
The client terminal 3 is constituted by a so-called personal computer or the like, as long as it can be connected to the server 1 via the switch 2, and the OS and application program installed in the client terminal 3 are not particularly limited.
Data is transmitted / received between the server 1 and the client terminal 3 using packets.

The switch 2 is a so-called line concentrator, and performs processing for switching data between the server 1 and the client terminal 3 to perform data communication with each other.
The switch 2 may be a mirror port system that allows all data passing through a normal port of the switch to be copied and passed, a tap system, or a bridge system that is bridge-connected.
The switch 2 duplicates the packet data transmitted and received between the client and the server, and the access log obtaining device 4 obtains the duplicated packet data.

The access log acquisition device 4 is a device that acquires an access log from the client terminal 3 to the server 1.
The access log acquisition device 4 is composed of a CPU (Central Processing Unit) and storage means such as a computer program executed by the CPU, a RAM (Random Access Memory) for storing computer programs and other data, and the like. The functional block shown in FIG. 2 is realized.
The functional block shown in FIG. 2 includes an ID correspondence information storage unit 41, a sequence processing information storage unit 42, an access record database 43, a network interface (I / F) 44, a primary filter 45, a protocol analysis processing unit 46, and a database registration. The processing unit 47 and the management screen display processing unit 48 are included.

The ID correspondence information storage unit 41 is a table that stores correspondences between the types of IDs included in the packets and the names of actual volumes, folders, and files in the server 1 according to the type of protocol. .
For example, in AFP (AppleTalk Filing Protocol), the volume, folder, and file are specified by ID in the numerical value set for each session, but when recording the monitoring log, the ID is recorded as it is. If this happens, the correspondence relationship between volumes, folders, and files in the file system of the server 1 will not be known. Therefore, the correspondence between IDs and actual volumes, folders, and files is previously defined in the ID correspondence information storage unit 41 It is a thing.
As data stored in the ID correspondence information storage unit 41, for example, as shown in FIG. 3, in the case of AFP, an ID type, a target AFP command packet, and a management item are stored in association with each other. As an example, in the case of a volume ID, the target AFP command packet is “FPGetVolParms”, “FPGetFileDirParms”, “FPEnumerate”, and the management items are ID and name.
The data stored in the ID correspondence information storage unit 41 is updated each time an AFP packet including ID and name information arrives, and corresponds to the actual file system data on the server 1. It is like that.

The sequence processing information storage unit 42 is a storage unit that stores a correspondence between a method to be stored and a command to be extracted according to the type of protocol.
For example, in AFP, reading and writing of a file is performed using a reference number (RefNo) for two forks of the file, that is, a data fork and a resource fork. Then, the file is accessed by performing FPRead or FPWrite with the acquired RefNo, and the RefNo is released with the FPCCloseFork.
Therefore, in order to monitor file access, it is necessary to trace the AFP command package sequence of FPopenFork, FPRead, FPWrite, and FPCCloseFork, and thus a command to be subjected to the sequence processing is defined.
As an example, FIG. 4 shows the case of AFP, and FIG. 5 shows the case of SMB protocol.
For example, as shown in FIG. 4, in the case of reading a file, AFP can record a log obtained by performing reading processing on a certain file by tracing in order of FPopenFork, FPRead, and FPCcloseFork.

The access record database 43 is a database of access log data. In the access record database 43, as shown in FIG. 6, item names and descriptions thereof can be stored in association with each other.
As item names, date, session, user, and method (method type and attached information, status code) can be stored.
Date, time, hour, minute, and microsecond can be stored.
A MAC address and an IP address can be stored in the session.
As a method, a status code (0 = OK, non-zero = NG) such as a method name, a full path name as attached information, and a target name at the time of renaming can be stored.
As the method name, as shown in the method list, new file creation, reading, writing, renaming, moving, deleting, creating a new folder, renaming, moving, deleting, logging in, and logging out.

The network interface 44 is an interface for the access log monitoring device 4 to connect to the network.
The network interface 44 is connected to the switching device 3 via a predetermined port, and performs processing for acquiring a packet flowing in the network by a logical interface based on a predetermined data format.

The primary filter 45 performs processing for discarding unnecessary packets from the acquired packets.
The primary filter 45 determines session information (MAC address, IP address), protocol (port), packet size, determines a packet to be discarded, and performs processing for discarding other unnecessary packets.
Thereby, since unnecessary packets can be filtered in advance, the processing can be made more efficient.

The protocol analysis processing unit 46 performs processing for analyzing a packet and acquiring a log according to a protocol.
The protocol analysis processing unit 46 acquires an access log from a client login, or acquires a log in which each client accesses a file.
Further, in order to make the access log to the file easier to understand, processing such as associating the ID in the packet with the volume, folder, and file in the server file system is performed.

  The database registration processing unit 47 performs processing for storing the log data analyzed by the protocol analysis processing unit 46 in the access record database 43.

  The management screen display processing unit 48 generates output screen data to be displayed on the management screen based on the access log data stored in the access record database 43, and performs processing to display this on a display (not shown). .

Next, the flow of processing of the entire system will be described with reference to FIG.
In FIG. 7, first, when a file acquisition request is made from the client terminal 3 to the server 1 (S1), this acquisition request is transmitted to the server 1 via the switch 2 (S2).
At the same time, the file acquisition request data is also transmitted to the access log acquisition device 4 by the mirroring function of the switch 2 (S3).
Thereby, the access log acquisition device 4 acquires packets via the network interface 44, filters the packets acquired by the primary filter 45, discards unnecessary packets, and the protocol analysis processing unit 46 determines which client Is accessed, and the log of which file or the like has been operated is analyzed, and the database registration processing unit 47 performs processing of storing the analyzed log data in the access record database 43.

The server 1 transmits a file acquisition response to the switch 2 in response to the acquisition request from the client terminal 3 (S4). The client terminal 2 receives a file acquisition response via the switch 2 and performs a predetermined process (S5).
At the same time, the switch 2 transmits a file acquisition response from the server 1 to the access log acquisition device 4 by the mirroring function (S6).
Thereby, the access log acquisition device 4 acquires packets via the network interface 44, filters the packets acquired by the primary filter 45, discards unnecessary packets, and the protocol analysis processing unit 46 determines which client The terminal 3 accesses the server 1 to analyze a log indicating which file or the like has been operated, and the database registration processing unit 47 performs processing of storing the analyzed log data in the access record database 43.
Then, the database registration processing unit 47 of the server 1 records the analyzed access log in the access record database 43 (S7). At this time, at least the date and time when the method was performed, the user, the contents of the method, and the like are stored.

  By repeatedly performing the processes from S1 to S7 between the server 1 and the client terminal 3, an access log to the server 1 is stored.

On the other hand, when an administrator views the access log recorded in the access log acquisition device 4 at a certain point in time, the administrator first displays the management screen from the server 1 or an administrator terminal connected to a network (not shown). A request is made (S11).
Thereby, the access record database 43 is referred to search for data corresponding to the designated item (S12).
When the search is completed, the management screen display processing unit 48 of the server 1 acquires search result data from the access record database 43 (S13), and displays the management screen on a display (not shown) (S14).

As the screen display, as shown in FIG. 8, the number of pages created for each operator corresponding to the client terminal 3 during a predetermined period (for example, every month) may be displayed. In this case, the number of pages created per week may be displayed separately.
Further, as shown in FIG. 9, it may be displayed when and who has accessed and what operation is performed for each file. In this example, when (for example, operator A) who performed what operation (for example, newly created) on “file A” (for example, February 3, 2006, 16:38) May be displayed as a list.
Furthermore, as shown in FIG. 10, the reference count of a specific file may be displayed in a graph for each week.

Next, a detailed processing flow of the primary filter 45 of the access log acquisition device 4 in the processing of S3 and S6 described above will be described. At this point, the network interface 44 has acquired a packet from the switch 2.
In FIG. 11, the primary filter 45 first determines whether or not there is session information from the acquired packets, and sets a packet that does not include these as a discarded packet. (S101).
Specifically, this process is performed by determining whether the packet includes a MAC address or an IP address.

If the session information is present as a result of the discrimination, the primary filter 45 discriminates the protocol, and those not applicable are discarded packets (S102).
This process is performed by extracting the port number included in the packet and determining whether the port number matches a predetermined port number. Note that a protocol (port) that can be supported in advance is stored and defined in a memory or the like, so that only packets corresponding to the protocol are extracted.

If the session information can be confirmed as a result of the determination, the primary filter 45 determines whether or not the packet size is equal to or larger than a certain size, and discards the packet larger than the certain size (S103).
Thereby, for example, a packet having a relatively large size, such as a data file that is not directly related to acquiring a file operation log, is discarded.

  As a result of the determination, if the packet size is equal to or smaller than a certain size, the primary filter 45 determines whether the packet is a TCP control packet, and discards the TCP control packet (S104).

The primary filter 45 determines whether or not the packet is a protocol-specific packet and is unnecessary for log analysis (S105).
Packets unnecessary for this log analysis are defined in advance and stored in the memory, and packets corresponding to the defined packets are discarded.

The primary filter 45 determines whether or not there is a fragmented packet, discards the second and subsequent packets of the fragmented packet (S106), and performs a process of filtering only the selected packet. . As a result, if fragmented, the operation log can be acquired if the first packet can be acquired, and the second and subsequent packets are discarded.
Thus, log analysis can be efficiently performed by discarding packets unnecessary for log analysis through the primary filter.

Next, the processing flow of the protocol analysis processing unit 46 in the above-described processing of S3 and S6 will be described with reference to FIG.
In FIG. 12, first, among the packets selected by the primary filter 45, the protocol analysis processing unit 46 performs a process of combining a request (Request) and a response (Reply) (S201).
As a result, the request and the response are combined, and it is possible to specify that one operation has been performed on the server 1.
Then, the protocol analysis processing unit 46 performs a protocol sequence analysis process (S202). As a result, a method for a file or the like on the server 1 can be specified.
Finally, the database registration processing unit 47 generates log registration items (S203), and ends the process.

Next, detailed processing of the protocol analysis processing unit 46 in the processing flow of FIG. 13 will be described.
First, a detailed processing flow when the protocol analysis processing unit 46 performs a request and reply combining process will be described with reference to FIG.
FIG. 13A shows the entire processing flow of request-join processing. In FIG. 13 (a), first, a command included in a packet is referred to and it is determined whether or not it is a request packet (S30).
If it is determined that the packet is a request packet, the process proceeds to a response combining process (S31).

As the response combining process, as shown in FIG. 13B, it is determined whether or not there is a corresponding response with reference to the memory storing the response waiting queue (S311).
As a result of the determination, if there is a corresponding response, a response combining process is performed (S312).
As a result of the determination, if there is no corresponding response, it is stored in the memory as a response waiting queue (S313), and the process is terminated.

If it is determined that the packet is not a request packet in the above-described processing of S30, it is determined whether or not the packet is a response packet with reference to a command included in the packet (S32).
If the packet is not a response packet as a result of the determination, the process ends by discarding the packet as not related to log acquisition.
If it is determined as a response packet as a result of the determination, the process proceeds to a request combining process (S33).

As the request combining process, as shown in FIG. 13C, first, it is determined whether or not there is a corresponding request by referring to the memory storing the request waiting queue (S331).
As a result of the determination, if there is a corresponding request, a request combining process is performed (S332).
If there is no corresponding request as a result of the determination, the request is registered in the request waiting queue (S333), and the process is terminated.

Next, processing when the protocol analysis processing unit 46 performs protocol sequence analysis processing will be described with reference to FIG.
In FIG. 14, first, a login sequence process of the client terminal 3 is performed to determine which client terminal 3 has logged in (S401).
For example, in the AFP protocol, login is performed in two stages, and there are two types of AFP command packets, FPLogin and FPCount. Therefore, this command is received and the client is identified by determining who it is. . These are analyzed as a login sequence and recorded in the access record database 43.

When the login sequence is completed, the ID held in the packet is associated with the name, and the correspondence table is updated as necessary (S402).
This processing refers to the ID correspondence information storage unit 41 shown in FIG. 3 and performs processing for specifying the names of volumes, folders, and files in the actual file system of the server 1 based on the ID in the packet.
For example, when a file is deleted by the AFP command FPDelete, the target file is given by “volume ID”, “parent folder ID”, and “file ID”. By drawing the correspondence table with these IDs, the complete path name of the file system on the server 1 can be acquired, and the complete path name can be recorded in the log.
Note that character code conversion processing may be performed for displaying Japanese names.

Finally, a file access sequence process is performed (S403), and the access analysis process ends.
In this sequence process, the sequence process information storage unit 42 shown in FIG. 4 or 5 is referred to, a command in the method list is extracted from the packet, and a process corresponding to which method is specified.
For example, in the case of reading a file in AFP, if the AFP command package sequence is FPOpenFork, FPRead, or FPCCloseFork, it is specified that this file reading process has been performed.
In addition, the time in the packet is extracted to specify the time at which the process was performed. Note that the correspondence table between the command and the log recording method may be held for each protocol. In the case of SMB, FIG. And a sequence process is executed for the corresponding command with reference to this table.

As described above, according to the above-described embodiment, the operation log data to the server 1 is acquired by the access log acquisition device 4 that is different from the server 1 without executing the access monitoring program on the server 1. Therefore, log data can be acquired without imposing a load on the server 1, and logs such as unauthorized access to the server 1 and creation, modification, and deletion of files can be acquired and monitored.
In addition, since the program is not executed on the server 1 and a packet on the network is acquired by the access log acquisition device 4 of another device and the log analysis is performed, it does not depend on the model or OS of the server 1. In both cases, log analysis according to various protocols can be performed on the access log acquisition device 4 side. As a result, regardless of the model of the server 1 and the OS, an operation log can be acquired as long as the communication protocol is compatible.

Since the monitoring can be performed simply by connecting the access acquisition device 4 to the network, there is no need to change the setting of the server 1 and the setting change can be saved.
Furthermore, since the acquired log data is recorded in the access log acquisition device 4 and does not exist in the server 1, the operation log data is illegally accessed by unauthorized access to the server 1. Or being tampered with.

  The above-described embodiment is an example, and can be appropriately changed without departing from the present invention.

It is a figure showing the whole system composition concerning one embodiment of the present invention. The functional block diagram concerning this embodiment. The figure which showed an example of the data memorize | stored in ID corresponding | compatible information storage part. The figure which showed an example of the data memorize | stored in a sequence process information storage part. The figure which showed an example of the data memorize | stored in a sequence process information storage part. The figure which showed an example of the data memorize | stored in an access record database. The figure which showed the flow of the process of the whole system. The figure which showed an example of the display of log data. The figure which showed another example of the display of log data. The figure which showed another example of the display of log data. The processing flow which showed the detailed process of the primary filter. A processing flow showing processing of the protocol analysis processing unit. The flowchart of a request-response combination process. Detailed processing flow of the protocol analysis processing unit.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Server, 2 ... Switch, 3 ... Client terminal, 4 ... Access log acquisition apparatus, 41 ... ID corresponding | compatible information storage part, 42 ... Sequence processing information storage part, 43. ..Access record database, 44... Network interface, 45... Primary filter, 46... Protocol analysis processing section, 47... Database registration processing section, 48.

Claims (7)

In a system comprising a file management server for storing a plurality of files and a plurality of client terminals connected to the file management server via a network, logs relating to operations from the client terminals connected to the network and to the file management server A device for acquiring data,
A method that represents an operation from the client terminal to the file management server, and a command definition storage unit that stores a necessary command corresponding to each method;
Packet acquisition processing means for acquiring packets transmitted and received between the file management server and the client terminal;
Filtering processing means for determining a communication protocol from the acquired packet data and selecting a packet corresponding to a predetermined protocol;
Analysis processing means for specifying information for specifying the client from among the selected packets and for specifying a method corresponding to the command included in the acquired packet with reference to the command definition information storage means When,
Analysis result storage means for storing at least the date and time when the method occurs, information identifying the client, and information including the analyzed method as log data;
A server operation information acquisition apparatus comprising: The command definition storage means stores a command sequence necessary for executing the method,
The analysis processing means performs response request combining processing by performing response packet combining processing for request packets and request packet combining processing for response packets, and refers to the command definition storage means to Identify the appropriate method based on the command sequence,
The server operation information acquisition apparatus according to claim 1. A temporary storage means for temporarily storing a response wait or request wait command;
When the analysis processing unit acquires the request command or the response command, the analysis processing unit refers to the temporary storage unit to determine whether there is a command corresponding to the response waiting or request waiting command, and when the corresponding command exists Request-response combination processing
The server operation information acquisition apparatus according to claim 2. An ID correspondence information storage means for indicating correspondence between the type of ID included in the acquired packet and the management item on the file management server;
The analysis processing means refers to the ID correspondence information storage means, identifies a corresponding management item on the file management server from the type of ID in the acquired packet, and stores it in the analysis result storage means. ,
The operation information acquisition apparatus for a server according to any one of claims 1 to 3. The analysis processing means updates the data corresponding to the ID and file name stored in the file management means each time a packet including ID and file name information arrives.
The server operation information acquisition apparatus according to claim 4. In a system comprising a file management server for storing a plurality of files and a plurality of client terminals connected to the file management server via a network, a method connected to the network and representing an operation on the file management server from the client terminal A command definition storing means for storing necessary commands corresponding to each method, and an analysis result storing means for storing log data.
A process of acquiring packets transmitted and received between the file management server and the client terminal;
A process of determining a communication protocol from the acquired packet data and selecting a packet corresponding to a predetermined protocol;
A process for identifying information for identifying a client from the selected packets, referring to the command definition information storage unit, and identifying a method corresponding to a command included in the acquired packet;
Processing for storing at least the date and time when the method occurs, information for identifying the client, and information including the analyzed method in the analysis result storage unit as log data;
A server operation information acquisition method characterized by comprising: In a system comprising a file management server for storing a plurality of files and a plurality of client terminals connected to the file management server via a network, a method connected to the network and representing an operation on the file management server from the client terminal And a computer program for causing a computer having a command definition storage means for storing necessary commands corresponding to each method and an analysis result storage means for storing log data to function as an operation information acquisition device,
For the above computer
A process of acquiring packets transmitted and received between the file management server and the client terminal;
A process of determining a communication protocol from the acquired packet data and selecting a packet corresponding to a predetermined protocol;
A process for identifying information for identifying a client from the selected packets, referring to the command definition information storage unit, and identifying a method corresponding to a command included in the acquired packet;
Processing for storing at least the date and time when the method occurs, information for identifying the client, and information including the analyzed method in the analysis result storage unit as log data;
A computer program that executes