JP2009075940A - Log analyzing apparatus and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To manage an access log whether the access is proper or not with respect to an application. <P>SOLUTION: A flow management part 202 acquires job information containing the kind of an application and a work time registered in a work flow; a log acquisition part 201 acquires the access log of an application server. Definition information which defines an access command used for access to the application server for each kind of applications is held in a data holding part 206. A log analysis part 203 acquires the definition information of a work specified by the application information from the data holding part 206 and analyzes whether an access command recorded in the access log at a work time specified by the application information corresponds to the definition information. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a technique for managing and analyzing an access log to a server.

  In an information processing system using a computer, it is generally performed to save an access log because of system management and security requirements. In companies and the like, it is important to manage the access log of the business server from the viewpoint of internal control.

  As this type of prior art, Patent Document 1 discloses that, while maintaining versatility, an unauthorized accessor can be identified during system operation, and the cause of information leakage can be accurately pursued. An access log management system for preventing the above is disclosed. The system described in this document obtains request data and response data sent and received via a Web server by a monitoring program, extracts predetermined information from the request data and response data, and extracts the extracted information as an access log. Is accumulated in the access log database. Then, an access log is analyzed by the log analysis unit.

On the other hand, there is a system for managing a workflow (business flow) with a computer in order to perform business efficiently.
As another conventional technology of this type, Patent Document 2 discloses a workflow from operation request to an operation target device that requires an approval procedure when performing an operation, application for approval, operation execution, operation result report, and log retention management. An automated system is disclosed. In the system described in this document, the operation information management PC requests the approval PC to confirm whether or not the operation request information of the operation target PC requested from the personal terminal can be approved. The operation request information is reflected by instructing the operation target PC to execute the corresponding operation, and the operation request information transmitted from the personal terminal, the approval result of the operation request information, and the reflection result of the operation request information are displayed in the operation application form. A configuration for storing and managing the database is provided.

JP 2006-120130 A JP 2005-202931 A

  In managing access logs for business servers, it is important to analyze stored access logs and detect inappropriate access. Here, inappropriate access includes not only (unauthorized) access based on a legitimate access authority but also access that has access authority but is not assumed in business. However, in the log management system, although the history of accesses made to the server is saved, the relationship between the access made and the business is unknown.

  Today, a workflow is managed by a computer for the purpose of performing business efficiently. In this type of workflow management system, information such as progress status, status, execution time, execution subject (when and who performed), and the like are managed for business. However, even in this type of system, access to the server for executing a predetermined work is not managed.

  The present invention has been made in view of the above problems, and associates an access log stored in a log management system with information on work managed by a workflow so that the access log can be managed from the viewpoint of suitability for business. The purpose is to.

  In order to achieve such an object, the present invention is realized as the following log analysis apparatus. This device is specified by business information acquisition means for acquiring business information including the type of work and work time, log acquisition means for acquiring the access log of the business server, and business information at the work time specified by the business information. And detecting means for detecting an access command other than the access command for the work to be performed from the access log.

More specifically, the detection means detects an access command that is described at the work time specified by the business information in the access log and is unnecessary for the work specified by the business information.
Alternatively, the detecting means detects an access command described in a time zone not corresponding to the work time specified by the business information in the access log.

  Further, another log analysis apparatus according to the present invention includes a business information acquisition unit that acquires business information including a business type and a work time, a log acquisition unit that acquires an access log of a business server, and a business type for each business type. Definition information holding means that holds the definition information that defines the access command used to access the server, and work definition information that is obtained from the definition information holding means that is obtained from the definition information holding means. And analyzing means for analyzing whether or not the access command recorded in the access log at the time is an access command corresponding to the definition information.

  More preferably, the log analysis apparatus further includes a notification unit that performs notification when the analysis unit detects an access command that does not correspond to the work specified by the business information at the work time specified by the business information. .

More specifically, this notification means does not notify a specific access command set in advance even if it is detected as an access command that does not correspond to the work specified by the business information.
Further, the notification means notifies the preset specific access command even when it is detected as an access command corresponding to the work specified by the business information.

  The present invention is also realized as a program for realizing the log analysis device configured as described above by a computer. This program can be provided by being stored and distributed in a magnetic disk, an optical disk, a semiconductor memory, or other recording medium, or distributed via a network.

  According to the present invention configured as described above, it is possible to check an access log based on business information managed by a workflow and manage the access log from the viewpoint of suitability for business.

The best mode for carrying out the present invention (hereinafter referred to as an embodiment) will be described below in detail with reference to the accompanying drawings.
<System configuration>
FIG. 1 is a diagram showing an overall configuration of a log management system according to the present embodiment.
As shown in FIG. 1, the log management system of this embodiment includes a business server 100 for performing various business operations, and a log analysis server 200 that acquires and analyzes access logs from the business server 100. The log analysis server 200 has a function as a log management server that manages access logs and a function as a workflow management server that manages workflows of business operations performed by business personnel. Therefore, when work is performed by the business server 100, first, the business person registers a work application in the log analysis server 200, and after the business person in charge approves the work application (work approval), the business person in charge Work using the business server 100.

FIG. 2 is a diagram illustrating a hardware configuration example of a computer that implements the log analysis server 200 according to the present embodiment.
The computer 10 shown in FIG. 2 includes a CPU (Central Processing Unit) 10a that is a calculation means, a main memory 10c that is a storage means, and a magnetic disk device (HDD: Hard Disk Drive) 10g. In addition, a network interface 10f for connecting to an external device via a network, a display mechanism 10d for performing display output to the display device, and an audio mechanism 10h for performing sound output are provided. Furthermore, an input device 10i such as a keyboard or a mouse is provided.

  As shown in FIG. 2, the main memory 10c and the display mechanism 10d are connected to the CPU 10a via an M / B (motherboard) chip set 10b. The network interface 10f, the magnetic disk device 10g, the audio mechanism 10h, and the input device 10i are connected to the M / B chip set 10b via the bridge circuit 10e. Each component is connected by various buses such as a system bus and an input / output bus. For example, the CPU 10a and the main memory 10c are connected by a system bus or a memory bus. Between the CPU 10a and the magnetic disk device 10g, the network interface 10f, the display mechanism 10d, the sound mechanism 10h, the input device 10i, and the like, PCI (Peripheral Components Interconnect), PCI Express, serial ATA (AT Attachment), USB (Universal) It is connected by an input / output bus such as Serial Bus) or AGP (Accelerated Graphics Port).

  2 merely illustrates a hardware configuration of a computer suitable for realizing the log analysis server 200, and it is needless to say that the configuration is not limited to the illustrated configuration. For example, in addition to the magnetic disk device 10g as an auxiliary storage device, a drive using various optical disks and flexible disks as media may be provided. Further, the audio mechanism 10h may be provided as a function of the M / B chipset 10b without being an independent configuration.

FIG. 3 is a diagram illustrating a functional configuration of the log analysis server 200.
As illustrated in FIG. 3, the log analysis server 200 includes a log acquisition unit 201, a flow management unit 202, a log analysis unit 203, an alert management unit 204, a master management unit 205, and a data holding unit 206. . Here, for example, in the computer 10 illustrated in FIG. 2, the log acquisition unit 201 is realized by the CPU 10 a executing the program read into the main memory 10 c and controlling the network interface 10 f. The flow management unit 202, the log analysis unit 203, the alert management unit 204, and the master management unit 205 are functions realized by the CPU 10a executing a program read into the main memory 10c. The data holding unit 206 is realized by a storage unit such as the main memory 10c or the magnetic disk device 10g. As described above, each functional block of the log analysis server 200 illustrated in FIG. 3 is a unit realized by cooperation of software and hardware resources.

  The log acquisition unit 201 is a log acquisition unit that acquires an access log recorded in each business server 100. The business server 100 is realized by a computer 10 as shown in FIG. 2, for example, and takes an access log according to the operation and holds it in a storage means such as a magnetic disk device 10g. Access log acquisition by the log acquisition unit 201 may be performed by accessing the business servers 100 from the log acquisition unit 201 and instructing transmission of access logs, or by log analysis from the business server 100 periodically or at a predetermined timing. It may be transmitted to the server 200 and accepted by the log acquisition unit 201. The acquired access log of each business server 100 is stored in the data holding unit 206.

  The flow management unit 202 receives a work application and its approval as information related to work (hereinafter, work information), and registers and manages it in a workflow. That is, the flow management unit 202 functions as business information acquisition means. In the work application, work information such as the scheduled time for work, the person in charge of the work, the work server 100 used for the work, and the content (type) of work is registered. The workflow data in which the business information is registered is stored in the data holding unit 206.

  The log analysis unit 203 compares the access log of the business server 100 acquired by the log acquisition unit 201 with the workflow managed by the flow management unit 202, and the access recorded in the access log is based on a valid business. It is a log analysis means for analyzing whether or not. Specifically, first, for each business, a pattern (combination and order) of access commands (hereinafter simply referred to as commands) used for accessing the business server 100 is mastered as definition information. Based on this definition information, the task specified by the workflow is compared with the access command group recorded in the access log to determine whether or not they correspond. For example, if there is a command group having a pattern corresponding to a specific job in the access log, but the work application and approval for the job do not exist in the workflow, it can be determined that the access is inappropriate. Further, if there is a command that is not used in the job in the access log corresponding to the job specified by the workflow, it can be determined that the access is inappropriate. The processing of the log analysis unit 203 will be described in more detail later with a specific example.

  The alert management unit 204 notifies the administrator of work determined to be inappropriate based on the analysis result by the log analysis unit 203. As a notification method, for example, a message or a warning sound can be output by the display mechanism 10d or the sound mechanism 10h shown in FIG. Further, the alert management unit 204 stores a notification history in the data holding unit 206, and manages information such as whether or not an investigation or a countermeasure for the notification has been performed as a status. Furthermore, the alert management unit 204 outputs a message or report that prompts the administrator to investigate or respond according to the elapsed time and status after notification.

  The master management unit 205 is used for processing of the flow management unit 202 and the log analysis unit 203 such as a node (business server 100) managed by the log analysis server 200, a type of business, an account for logging in to the business server 100, and the like. Manage information. The master management unit 205 also manages the definition information of the use command for each job described above.

  The data holding unit 206 holds the access log acquired by the log acquisition unit 201, the workflow in which the business information received by the flow management unit 202 is registered, and the various types of information managed by the master management unit 205.

<Data structure>
4A to 4C are diagrams showing a screen image of work application and work approval and a data structure of the workflow.
FIG. 4A shows a screen image for application used when a business person makes a work application. The person in charge of business accesses the log analysis server 200 from his / her terminal device, displays the application screen as shown in FIG. 4A, and inputs necessary information. In the example shown in FIG. 4A, information such as scheduled work time (scheduled start time and scheduled end time), a person in charge (code), a node that performs the work (code of the business server 100), work contents, and remarks are input. The application screen is configured to do so. Although not shown, the application screen has a submit button for executing registration of the application, and the information entered on the application screen by the operation such as clicking the submit button is the workflow data. Registered as

  FIG. 4B shows a screen image for approval used when the business manager approves the work. The person in charge of business accesses the log analysis server 200 from his / her terminal device, and approves the work by displaying an approval screen as shown in FIG. In the example shown in FIG. 4B, the information input on the application screen in FIG. 4A is displayed, and the approval screen is configured so that a comment at the time of approval can be input. Although not shown, there is a submit button for executing approval registration on the approval screen, and information indicating that the work is approved by an operation such as clicking the submit button is displayed in the workflow. Registered as data. When the business manager uses the approval screen, the business manager is authenticated by the login operation, and the code of the business manager who performed the approval is also registered.

  FIG. 4C shows an example of the data structure of registered workflow data. Referring to the data in the first line of FIG. 4C, in order from the left, work ID (J070508-012), data type (application), worker (USR001), scheduled work time (070508 1400, 070508 1800) ), Node (SVR025), work content (backup), application time (070506 100239), and remarks (Yyyyyy). The application time is the time when an operation such as clicking the submit button is performed on the application screen. Also, referring to the data on the second line in FIG. 4C, the work ID (J070508-012), data type (approval), approver (USRA09), approval time (070506 130225), remarks (Hoge), etc. Information is recorded. The approval time is the time when an operation such as clicking the submit button is performed on the approval screen.

FIG. 5 is a diagram illustrating a configuration example of definition information of a use command for each business.
In the definition information, the type and order of commands used for each job are recorded. Therefore, if the commands described in the definition information of a specific task are recorded in the order described in the definition information in the access log, it is understood that the task has been executed. In the definition information shown in FIG. 5, items of business type, command order, platform type, and command type are recorded. In the option, work setting information such as a backup destination directory is recorded according to the type of command.

  In the example shown in FIG. 5, examples of commands used in backup work and commands used in life and death monitoring work are described. For backup operations, different command definition information is set depending on the platform type. Even in the same business, depending on the business server 100 to be used, combinations of commands used may differ depending on platforms such as OS (Operating System) and applications. In this case, as shown in FIG. It is necessary to set definition information.

  In the command shown in FIG. 5, “login” is a command used when logging into the OS. “Sqlplus” is a command used to operate an Oracle database using an SQL statement. “Connect” is a command used when logging into a DBMS (Data Base Management System). “Backup” is a command used when backing up information stored in the DBMS. “Exit” is a command used when logging out from the DBMS or the OS. “Export” is a command used when backing up information stored in the DBMS. “Copy” is a command used when copying a file. “Ps” is a command used when browsing a list of active processes.

  Referring to FIG. 5, for example, in the operation “backup operation 2 in the database server”, it is understood that four commands “login”, “export”, “copy”, and “exit” are executed in this order. . Therefore, if “backup job 2 in the database server” is executed in a specific node, these four commands are recorded in this order in the access log of the node. That is, the type of work and the work time (corresponding to the scheduled work time in FIG. 4A) are specified by the work information registered in the workflow, and the command defined by the definition information of the work in the access log at this time If the groups are recorded in the order in which they are defined, you know that the work was performed properly.

<Example of log analysis>
Next, the log analysis processing by the log analysis unit 203 will be described in detail with a specific example.
FIG. 6 is a diagram illustrating an example of an access log acquired from a predetermined business server 100.
From the access log in FIG. 6, command groups corresponding to three tasks are extracted. Work performed at time 02: 21: 43-02: 26: 00 (work 1), work performed at time 05: 43: 22-05: 44: 21 (work 2), time 08:12:43 It is the work (work 3) performed at ~ 08: 15: 21. In the command described in FIG. 6, “cd” is a command used when changing the current directory. “Cp” is the same command as “copy”. “Passwd” is a command used when changing the password.

  Of the operations configured by the command group illustrated in FIG. 6, it is assumed that the operations corresponding to operations 1 and 3 are registered in the workflow, and the operation corresponding to operation 2 is not registered in the workflow. Further, the command group of the work 3 includes commands (“cp” and “passwd”) that are not included in the definition information specified based on the registered business information (that is, not used in the business). It shall be assumed.

  In this case, the log analysis unit 203, for the work 1, since the corresponding work is registered in the workflow and the command group of the access log matches the definition information specified based on the work, to decide. Regarding work 2, since the corresponding work is not registered in the workflow, it is determined that the work is not appropriate (unsuitable). Regarding work 3, although the corresponding work is registered in the workflow, it includes a command that is not used in the work, so it is determined that the work is not appropriate (unsuitable).

  By the way, as a general rule, access in operations that are not registered in the workflow or access by commands that are not used in the business even if the business itself is registered in the workflow are inappropriate access as described above. However, depending on the contents of the processing to be executed, there is access with no particular problem in terms of security and system operation. For example, an access such as browsing directory information has no effect on the system, and it is considered that no problem occurs even if it is executed regardless of the business during the business. Therefore, such a command is managed as a white list command, and even if it is detected as a command that is not used in a work that is not registered in the workflow or a task that is registered in the workflow, the notification by the alert management unit 204 is notified. It is good not to do.

  On the other hand, it is preferable to notify the administrator of commands that are not used in normal operations and that have a large impact on the system when they are used, regardless of whether they are used in appropriate operations. Conceivable. Therefore, such a command may be managed as a blacklist command, and if the command exists in the access log, the alert management unit 204 may notify immediately.

FIG. 7 is a diagram illustrating an example of a white list command and a black list command.
In FIG. 7, commands are classified into three types: normal commands, white list commands, and black list commands. The normal command is not notified by the alert management unit 204 when used in an appropriate job registered in the workflow, and is notified by the alert management unit 204 in other cases. As described above, the alert management unit 204 does not notify the white list command regardless of the usage mode. Further, as described above, the alert management unit 204 notifies the blacklist command if it is used regardless of its usage.

  A command list as shown in FIG. 7 (or a command list listing only whitelist commands and blacklist commands) is stored in the data holding unit 206. The log analysis unit 203 refers to the command list when analyzing the access log, and checks whether a white list command or a black list command is recorded in the access log.

  In the command described in FIG. 7, “pwd” is a command used when browsing the current directory. “Ls” is a command used when browsing directory information. “Chown” is a command used when changing the owner of a file or directory. Also, “login” is a command that is normally executed at the start of various operations performed on the business server 100. However, by adding a condition such as login by a specific account or login by an account other than the specific account and making it a blacklist command, it is possible to effectively detect login by a person who does not have a legitimate authority.

  In the access log shown in FIG. 6, as described above, work 2 is a notification target (hereinafter referred to as an alert target) by the alert management unit 204 because the corresponding job is not registered in the workflow. . However, if “login” on the first line matches the conditions of the blacklist command, this is also an alert target. In addition, as described above, the work 3 includes a command that is not used in the registered job, and is therefore an alert target. However, since “passwd” on the fourth line is a blacklist command, this is also an alert target.

  In the above-described log analysis, the method of extracting the command corresponding to the work specified by the business information and the work time from the access log has been described. However, the log analysis method is not limited to this. For example, for a given task, even if the command itself corresponds to the task specified by the task information, the command is specified by the task person registered in the task information and the account authentication log in the access log. When the access subject is different, it can be determined that the work is not appropriate (unsuitable). In addition, although the node (business server) on which the work is performed is registered in the business information, the access log of the business server registered in the business information prior to the log analysis described with reference to FIG. Needless to say, is selected for analysis.

<Log analysis procedure>
Next, an operation procedure of log analysis by the log analysis unit 203 will be described.
FIG. 8 is a flowchart illustrating an operation example of the log analysis unit 203.
As a pre-operation, it is assumed that the access log of the business server 100 has already been collected by the log acquisition unit 201. Registration of work information in the workflow (including work application and approval) has also been completed.

  The log analysis unit 203 first selects one of the tasks registered in the workflow as a processing target (step 801), and reads definition information corresponding to the task from the data holding unit 206 based on the selected task information (step 801). 802). Next, the log analysis unit 203 identifies the business server 100 on which the work was performed and the work time based on the work information of the workflow. Then, it is searched whether or not a command group corresponding to the definition information read in step 802 exists in the access log at the time in the access log of the business server 100 (step 803).

  Here, in actual work, the time at which the work is executed does not always coincide with the scheduled time applied at the time of the work application. Therefore, the corresponding command group is searched with a certain time width. What range should be given may be determined arbitrarily based on operational standards for business. In actual work, the same command may be repeated several times due to an operation error or the procedure may be repeated retroactively. In addition, there are operations that are inserted for information confirmation or the like, although they are not particularly related to business. Therefore, even when determining whether or not the command group in the access log corresponds to the definition information, the repetition of individual commands or combinations of several commands is allowed up to several times, or the existence of whitelist commands is allowed. You may give a certain degree of ambiguity to the judgment.

  When the command group corresponding to the definition information does not exist in the access log (No in step 804), the log analysis unit 203 notifies the alert management unit 204 of the search result. Then, the alert management unit 204 notifies the administrator that there is a possibility of business default (step 805). On the other hand, when a command group corresponding to the definition information exists in the access log (Yes in step 804), the log analysis unit 203 checks whether a blacklist command exists in the searched command group. If a blacklist command is included (Yes in step 806), the log analysis unit 203 notifies the alert management unit 204 that a blacklist command has been detected. Then, the alert management unit 204 notifies the administrator that there is a possibility that inappropriate access has been performed (step 811).

  When the blacklist command is not included in the retrieved command group (No in step 806), the log analysis unit 203 checks whether there is a command not included in the definition information in the command group corresponding to the definition information. When there is a command not included in the definition information (Yes in Step 807), the log analysis unit 203 checks whether the command is a white list command. If the command is not a whitelist command (No in step 808), the log analysis unit 203 notifies the alert management unit 204 that a suspicious command has been detected. Then, the alert management unit 204 notifies the administrator that there is a possibility that inappropriate access has been performed (step 811). On the other hand, when the command found in step 807 is a white list command (Yes in step 808), the alert management unit 204 does not perform notification.

  When there is no command not included in the definition information in the command group corresponding to the definition information, that is, when the detected command group matches the command group of the definition information (No in step 807), and the command not included in the definition information Is a whitelist command (No in step 808), the log analysis unit 203 checks whether there is an unsearched one among the tasks registered in the workflow. If there is an unsearched job (Yes in Step 809), the log analysis unit 203 returns to Step 801, selects one of the unsearched jobs as a processing target, and repeats the subsequent operations.

  If the processing is completed for all tasks registered in the workflow and there is no unsearched task (No in step 809), then the log analysis unit 203 determines whether there is a command not registered in the workflow. Investigate. Here, the commands that are not registered in the workflow include a series of commands that constitute a specific work, a command that exists independently, a set of several commands, and the like. If there is a command that is not registered in the workflow (Yes in Step 810), the log analysis unit 203 notifies the alert management unit 204 that an unregistered command has been detected. Then, the alert management unit 204 notifies the administrator that there is a possibility that inappropriate access has been performed (step 811). On the other hand, if there is no command registered in the workflow, the process ends (No in step 810). At this time, the administrator may be notified that there is no possibility of inappropriate access.

  Note that the operation procedure of the log analysis unit 203 described above is merely an example, and if it is a method for detecting a suspicious command that does not correspond to a task registered in the workflow by comparing the workflow task information and the access log, It goes without saying that other procedures may be used. For example, since the black list command is a target of notification by the alert management unit 204 regardless of the usage mode, the presence or absence of the black list command may be checked first after obtaining the access log. In step 803, an access account is extracted from the access log of the work server 100 that is the work target. If the access account is different from the person in charge registered in the work information, the alert management unit 204 is inappropriate. It may be possible to notify the administrator that there has been a possibility that various accesses have been made.

<Other system configuration>
In the system configuration of the embodiment shown in FIGS. 1 and 3, the log analysis server 200 has the functions of the log management server and the workflow management server. Therefore, the log analysis server 200 acquires the access log directly from the business server 100 and accepts input of business information to be registered in the workflow. On the other hand, you may comprise as a system provided with one or both of a log management server and a workflow management server as an independent server. In the configuration including the log management server independently, the access logs of each business server 100 are collected and managed in the log management server. Then, the log analysis server 200 acquires an access log from the log management server and performs analysis. Further, in a configuration having an independent workflow management server, business information is registered to the workflow management server through work application and work approval. Then, the log analysis server 200 acquires business information or workflow data itself from the workflow management server, and analyzes an access log based on the business information. Such a configuration is effective when this embodiment is introduced into a system in which a log management server and a workflow management server already exist.

It is a figure which shows the whole structure of the log management system by this embodiment. It is a figure which shows the hardware structural example of the computer which implement | achieves the log analysis server of this embodiment. It is a figure which shows the function structure of the log analysis server of this embodiment. It is a figure which shows the screen image of the work application in this embodiment. It is a figure which shows the screen image of the work approval in this embodiment. It is a figure which shows the data structure of the workflow in this embodiment. It is a figure which shows the structural example of the definition information of the use command for every work in this embodiment. It is a figure which shows the example of an access log. It is a figure which shows the example of the white list command and black list command of this embodiment. It is a flowchart which shows the operation example of the log analysis part of this embodiment.

Explanation of symbols

10a ... CPU, 10c ... main memory, 10d ... display mechanism, 10f ... network interface, 10g ... magnetic disk device, 10h ... audio mechanism, 10i ... input device, 100 ... business server, 200 ... log analysis server, 201 ... log acquisition , 202 ... Flow management unit, 203 ... Log analysis unit, 204 ... Alert management unit, 205 ... Master management unit, 206 ... Data holding unit

Claims (8)

Business information acquisition means for acquiring business information including business type and work time;
Log acquisition means for acquiring the access log of the business server;
A log analyzing apparatus comprising: a detecting unit that detects, from the access log, an access command other than an access command for a work specified by the work information at the work time specified by the work information.   2. The detection unit according to claim 1, wherein the detection unit detects an access command described in the work time specified by the work information and unnecessary for the work specified by the work information in the access log. The log analysis device described.   The log analysis apparatus according to claim 1, wherein the detection unit detects an access command described in a time zone not corresponding to the work time specified by the business information in the access log. . Business information acquisition means for acquiring business information including business type and work time;
Log acquisition means for acquiring the access log of the business server;
Definition information holding means for holding definition information defining an access command used for accessing the business server for each type of business;
The definition information of the work specified by the business information is acquired from the definition information holding unit, and the access command recorded in the access log at the work time specified by the business information corresponds to the definition information. A log analysis apparatus comprising: analysis means for analyzing whether or not the command is issued.   The analysis means further comprises a notification means for notifying when an access command not corresponding to the work specified by the work information is detected at the work time specified by the work information. Item 5. The log analysis device according to item 4.   6. The notification unit according to claim 5, wherein the notification unit does not notify a preset specific access command even if it is detected as an access command that does not correspond to a work specified by the business information. Log analyzer.   6. The log according to claim 5, wherein the notifying unit notifies a preset specific access command even when it is detected as an access command corresponding to a work specified by the business information. Analysis equipment. Business information acquisition means for acquiring business information including the type of work and work time;
Log acquisition means for acquiring the access log of the business server;
For each type of business, obtain the definition information of the work specified by the business information from the definition information holding means that holds the definition information that defines the access command used to access the business server, and specify it by the business information A program that functions as an analysis unit that analyzes whether or not an access command recorded in the access log at the working time is an access command corresponding to the definition information.

Images