JP2009169474A - System log management support device and system log management support method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system log management support device that can store a system log recorded and kept by an IT system while reducing the capacity thereof, and reproduce the system log in the original complete form. <P>SOLUTION: The system log management support device 20 includes a normalization condition setting reflection unit 25 which aggregates output keys of data which appear above a predetermined rate and have the same contents among a plurality of output keys of the system log comprising predetermined output keys to decrease the amount of data recorded in the system log. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a system log management support apparatus and system log management support method for managing log information of a network system.

  IT (Information Technology) system auditing is important due to internal control of companies. In internal control, the execution / operation history of a business process by a user using an IT system is recorded as a system log, and this system log is used for analysis when a security accident occurs or when a failure is dealt with. Therefore, companies must record, store, and manage system logs. The structure of the system log basically consists of the contents of “when, where, who, what, and what operation”, and the output data differs depending on the IT system. Further, in an IT system used by many users, an enormous amount of system logs are output, and further, system logs must be stored for a long time due to strengthening of internal control of a company. For this reason, there is a problem that the storage capacity of the storage device for recording and storing the system log becomes full immediately.

  By the way, a log data editing method for editing log data has been proposed, and one of the log data editing methods includes deleting unnecessary or old system logs or consolidating system logs every hour. A technique for reducing the data capacity by efficiently editing the system log such as displaying only the number of cases is disclosed (for example, see Patent Document 1).

JP 2000-76101 A

  However, according to the above-mentioned conventional technology, since the system log originally required for analysis is deleted or there is a lack of detailed data, internal control that requires a complete system log is considered. It is not a method for reducing the system log capacity. Further, in the conventional technique, there is a possibility that unexpected system log data may be edited depending on the editing method. In other words, the conventional technology has a problem that deficiencies occur when analyzing the system log for internal control.

  The present invention has been made in view of the above, and it is possible to reduce the capacity of a system log recorded / stored in an IT system, and to reproduce the original complete system log. An object of the present invention is to obtain a system log management support apparatus and system log management support method capable of performing the above.

  In order to achieve the above object, a system log management support apparatus according to the present invention aggregates output keys for data having the same content that appears more than a predetermined ratio among a plurality of output keys of a system log composed of predetermined output keys. And normalizing condition setting reflecting means for reducing the amount of data recorded in the system log.

  According to the present invention, since the output items in which the same contents are repeatedly output are aggregated and the contents of the system log are edited, the capacity of the system log can be reduced and saved, and the original complete System log can be reproduced.

  Exemplary embodiments of a system log management support apparatus and a system log management support method according to the present invention will be explained below in detail with reference to the accompanying drawings. Note that the present invention is not limited to the embodiments.

Embodiment.
FIG. 1 is a diagram schematically showing an example of a system configuration to which a system log management support apparatus according to the present invention is applied. In this system, an IT system 10 owned by an organization and a system log management support apparatus 20 are connected via a network 30, and the system log management support apparatus 20 is connected to a system log via a communication line 40 such as a network. The evacuation storage device 50 is connected.

  The IT system 10 is an intra-organization network built in an organization such as a company, for example. Although not shown, the IT system 10 stores electronic data managed in the organization and services provided to the organizational members, or to an external network. A server device that controls access to the system, an information processing terminal owned by the organization member, and a system log 11 that is log information such as access to the server device via the information processing terminal by the organization member, A system log collection device for management.

  The system log management support device 20 supports management of the system log 11 collected by the system log collection device of the IT system 10. More specifically, the size (capacity) of the system log 11 collected by the IT system 10 is reduced, and the original and complete system log 11 is later analyzed when a security accident occurs or when a failure is dealt with. The system log 11 is normalized and stored as a normalized system log so that it can be restored. The system log saving storage device 50 is a device for saving (backing up) the normalized system log that is managed by the system log management support device 20.

  Next, a detailed configuration of the system log management support apparatus 20 will be described. FIG. 2 is a block diagram schematically showing a functional configuration of the system log management support apparatus according to the present invention. The system log management support apparatus 20 includes a system log acquisition unit 21, a display unit 22, a display processing unit 23, an input unit 24, a normalization condition setting reflection unit 25, and a normalization system log information storage unit 26. A search unit 27, a saving unit 28, and a control unit 29 for controlling each of these processing units. The system log management support apparatus 20 can be configured by an information processing apparatus such as a personal computer.

  The system log acquisition unit 21 acquires a system log from the target IT system 10 and temporarily stores it. In FIG. 1, since the IT system 10 and the system log management support apparatus 20 are connected via the network 30, the system log 11 is received and acquired from the system log collection apparatus of the IT system 10 via the network 30. can do. In this case, the system log acquisition unit 21 includes a communication function and a storage function that temporarily stores the system log 11 received by the communication function.

  The system log is recorded on a recording medium such as a CD (Compact Disk) -R / RW (Recordable / Rewritable), a DVD (Digital Versatile Disk) -R / RW, a DVD + R / RW, a DVD-RAM (Random Access Memory), or a memory card. It is also possible to read what is recorded in In this case, the system log acquisition unit 21 is configured by a recording medium reading processing function that reads the system log recorded on the recording medium.

  The display unit 22 is configured by a display device such as a liquid crystal display device. Further, the display processing unit 23 displays a predetermined display screen on the display unit 22. For example, the display processing unit 23 displays the acquired system log on the display unit 22, displays a normalization setting screen for normalizing the acquired system log on the display unit 22, or the normalized system A process for displaying a search screen for performing a search using a log (hereinafter referred to as a normalized system log) on the display unit 22 is performed.

  The input unit 24 includes an input device such as a keyboard and a mouse, and is an input interface with a user (administrator) of the system log management support device 20. Via the input unit 24, an instruction from the user such as a normalization condition for normalizing the acquired system log, a search condition, and a normalized system log save command to the system log save storage device 50 is input. Is done.

  Here, the normalization condition is obtained by selecting an item having data that frequently appears in duplicate (appears at a predetermined ratio or more) as a user browsing the system log displayed on the display unit 22. Is set. In this specification, normalization means that the system log is divided into an aggregation table composed of data that tends to be redundant and a data table composed of other data. In the example shown below, the normalization condition setting means setting items for creating an aggregation table and a data table from the system log.

  The normalization condition setting reflection unit 25 creates the normalized system log information by editing the system log acquired by the system log acquisition unit 21 based on the normalization condition input by the user from the input unit 24 The normalized system information is stored in the normalized system log information storage unit 26. Specifically, the normalization condition setting reflection unit 25 sequentially reads records in the system log, and includes an aggregation table (corresponding to the aggregation information in the claims) based on the contents of the normalization conditions set by the user. And a data table (corresponding to the data information in the claims), and each record in the data table is associated with one of the records in the aggregation table to create normalized system log information.

  The search unit 27 performs a search from the normalized system log information based on the search condition input by the user from the input unit 24. Further, the save unit 28 converts the normalized system log information in the normalized system log information storage unit 26 into a text file based on the save command input by the user from the input unit 24, and stores the system log save storage device 50. Evacuate to. The CSV (Comma Separated Value) format can be used as the file format of the normalized system log saved to the system log saving storage device 50. By saving in the CSV format, the normalized system log can be imported again into the system log management support apparatus 20. Further, the saving unit 28 deletes only the records included in the corresponding data table from the normalized system log information saved in the normalized system log information storage unit 26. This is because the records in the aggregate table are assumed to be associated with the records in the data table using the identifier of the aggregate table, so it is better not to delete the records in the aggregate table.

  Next, the system log management support method in the system log management support apparatus 20 having such a configuration, more specifically, normalization condition setting processing, normalized system log creation processing, search processing, and save processing will be described. .

(Normalization condition setting process)
The user of the system log management support apparatus browses the acquired system log before executing the normalization processing of the system log, and normalization conditions for separating the items classified into the aggregation table and the items classified into the data table Set up. Items classified in the aggregation table are items in which the same content appears in the system log at a predetermined frequency, and items classified in the data table are other items. The classification of this item is performed based on the user's judgment.

  FIG. 3 is a diagram illustrating an example of items collected as a system log. This system log is an item indicating the contents of the system log 11 collected by a system log collection device (not shown) in the IT system 10 of FIG. 1, for example. Here, “log type”, “event ID”, “machine name” that is a server device accessed by the organization member of the IT system 10 via the information processing terminal, and organization that accessed the server device corresponding to the machine name “User name” indicating the member, “Audit” indicating the result of the audit, “Operation” indicating the content of the operation, “Date and time” indicating the date and time the organization member accessed, and on the server device accessed by the organization member It is assumed that “path” which is the location of the file is included as an item of the system log.

  FIG. 4 is a diagram illustrating an example of system log data. In this system log data, one line indicates one record collected by the IT system 10, and the contents corresponding to the items shown in FIG. 3 are arranged separated by commas.

  For example, the administrator displays the system log data shown in FIG. 4 on the display unit 22 and selects, as a redundant key, an item that is judged to have a lot of overlapping contents. Generally, when data corresponding to a certain key (item) appears in a predetermined ratio or more, that key is selected as a redundant key. In FIG. 4, the item “log type” corresponding to the data “FILE”, the item “event ID” corresponding to the data “560”, the item “machine name” corresponding to the data “Server-1”, The item “audit” corresponding to the data “success audit / failure audit” frequently appears. For this reason, it is assumed here that the administrator selects each item (key) of “log type”, “event ID”, “machine name”, and “audit” via the input unit 24 as redundant keys.

  Thereafter, the normalization condition setting reflection unit 25 acquires the content of the selected redundant key and the content other than the redundant key that was not selected, creates an aggregation table based on the redundant key, and generates a key other than the redundant key. An SQL statement for creating a data table is generated based on the above, and an aggregation table and a data table are created in the normalized system log information storage unit 26.

  FIG. 5 is a diagram illustrating an example of the generated aggregation table, and FIG. 6 is a diagram illustrating an example of the generated data table. In the aggregation table shown in FIG. 5, the redundant key set by the user is an item, and “id” that is an identifier for uniquely identifying a combination (record) of contents input to these items is an item. It has been added. In addition, the records stored in the aggregation table are not recorded when the contents of each item are exactly the same. Further, the items in the aggregation table of FIG. 5 selected by the user as described above become the normalization conditions.

  In addition, the data table shown in FIG. 6 includes “user name”, “operation”, “date / time”, and “pass”, which are other keys not selected as redundant keys, as items, and inputs to these items. The “aggregation table id” for associating each record to the corresponding aggregation table record is added as an item. Thus, the normalization condition setting process ends.

(Normalized system log creation process)
FIG. 7 is a flowchart illustrating an example of a normalization process procedure of the system log. First, when the execution of system log normalization processing is instructed by the user via the input unit 24, the system log acquisition unit 21 captures the system log from the IT system 10 via the network 30 or from a recording medium (step S11). Next, the normalization condition setting reflection unit 25 reads one line (one record) in the system log captured by the system log acquisition unit 21 (step S12). Hereinafter, this record is referred to as an original record. Here, it is assumed that the original record shown in the row 101 of FIG. 4 is selected.

  Thereafter, the normalization condition setting reflection unit 25 determines whether or not there is a value corresponding to the redundant key in the original record, that is, the value corresponding to the item in the aggregation table, in the record stored in the aggregation table (Step S1). S13).

  When the value corresponding to the redundant key in the original record does not match the record in the aggregation table (in the case of No in step S13), the normalization condition setting reflecting unit 25 uses the data corresponding to the redundant key as a record. “Id” for identifying this record is assigned and stored in the aggregation table (step S14). Thereafter, the id stored in the aggregation table in step S14 is added to the original record read in step S12 (step S15).

  For example, when the original record in the system log is the first line (one record), that is, when the original record shown in line 101 of FIG. 4 is selected, the aggregated table is displayed as shown in FIG. Is in a state where no record is stored. Therefore, the normalization condition setting reflection unit 25 acquires data corresponding to the redundant key from the original record, adds the id, and stores it in the aggregation table. FIG. 8A is a diagram illustrating an example of a state where data is stored in the aggregation table of FIG. 5. That is, “FILE” corresponding to the type of log in the original record of the row 101 in FIG. 4, “560” corresponding to the event ID, “Server-1” corresponding to the machine name, “Success audit” corresponding to the audit "001" is added to the data consisting of "" and stored in the aggregation table. Then, id is added to the original record in the row 101 in FIG. FIG. 8B is a diagram illustrating a state where id is assigned to the original record. Here, id “001” is added to the end of the original record in the row 101 of FIG.

  In addition, when the value corresponding to the redundant key in the original record matches the record in the aggregation table in Step S13 (in the case of Yes in Step S13), the normalization condition setting reflection unit 25 The id attached to the record is added to the original record (step S16).

  For example, in the case where the record is already registered in the aggregation table as shown in FIG. 8A, the redundant key of the original record shown in the row 101 in FIG. 4 is the log type = “FILE”, Since event ID-= “560”, machine name = “Server-1”, and audit = “success audit”, this corresponds to the record in row 111 in the aggregation table of FIG. Therefore, the normalization condition setting reflection unit 25 adds the id “001” of the record in the row 111 to the end of the original record as illustrated in FIG.

  After step S15 or step S16, the normalization condition setting reflection unit 25 deletes the data corresponding to the redundant key from the original record (step S17), and stores the record in the data table (step S18).

  FIG. 8C is a diagram illustrating an example of a state where records are stored in the data table. The contents obtained by deleting the redundant key from the data shown in FIG. 8-2 are stored in the data table as shown in FIG. 8-3.

  Then, the normalization condition setting reflection unit 25 determines whether all the original records in the system log have been read (step S19). If all the original records in the system log have not been read (No in step S19), the process returns to step S12, and the above-described processing is repeatedly executed until all the original records in the system log are read. When all the original records in the system log have been read (Yes in step S19), the normalized system log creation process ends.

  8-4 is a diagram illustrating an example of an aggregation table created from FIG. 3, and FIG. 8-5 is a diagram illustrating an example of a data table created from FIG. From the system log shown in FIG. 3, a normalized system log including an aggregate table including two records as shown in FIG. 8-4 and a data table including five records as shown in FIG. 8-5 is created. The

(System log search processing)
A search is performed according to a search instruction from the user using the normalized system log stored in the normalized system log information storage unit 26. FIG. 9 is a diagram illustrating an example of a search screen. When a search is desired, the display processing unit 23 displays a search screen 150 as shown in FIG. 9 on the display unit 22 according to a search instruction from the input unit 24 by the user. The search screen 150 includes a search key specification area 151 for specifying a search key, a search condition input area 152 for inputting a search condition, and a “search” button 154 for instructing execution of the search.

  The search key designation area 151 is composed of, for example, a list box, in which items of system logs (normalized system log information) are stored in a list format in advance, and an item that the user wants to search from the list is used as a search key. select. In addition, the search condition input area 152 is configured by a text box, for example, and is an area in which a condition (keyword) that the user wants to search for the search key is input via the input unit 24. Among these items, items that have not been input are set to NULL. Further, AND search or OR search between keywords in the search condition input area 152 can be designated, and AND search or OR search can be selected in the search method selection area 153 as a search method between the respective conditions. It is. Further, the “search” button 154 searches the contents input in the search key designation area 151, the search condition input area 152, and the search method selection area 153 using the normalized system log information.

  Next, a search processing method will be described. After the search key input by the user is classified into an item included in the aggregation table or an item included in the data table, a record including a keyword in each search key is searched from the classified table. Thereafter, the search results of the respective tables are combined to leave only the columns having the same id of the aggregate table, and are restored to the original system log.

  Further, a specific search processing method will be described. FIG. 10 is a diagram illustrating a specific example of the procedure of the search process. Here, “date and time” is selected as the search key, and “2007/09/30” is input as the keyword. That is, it is assumed that a search instruction is issued so as to extract a system log whose date is “2007/09/30”.

  Since the date / time key is included in the data table, the search unit 27 searches the data table in FIG. 8-5 (step S101), and records the date / time key in the data table including the keyword “2007/09/30”. Search and extract (step S102). Next, the search result using the data table and the aggregate table are combined (step S103), and the combined result is acquired (step S104). Thereafter, a row (record) having the same id in the aggregation table in the join result is extracted (step S105), the id is deleted, and each data in the record is rearranged in a predetermined order to perform shaping. The search result is obtained in the original system log format (step S106). The search unit 27 passes this search result to the display processing unit 23, and the display processing unit 23 outputs the search result to the display unit 22.

  In the search processing described here, after searching for the keyword of the search key in the individual tables of the aggregate table and the data table, the search result of the system log having the original form is obtained by combining the two. First, join the aggregate table and data table, leave only the columns with the same id of the aggregate table in the join result, restore to the original system log, and then enter the search key entered by the user You may search using.

(Normalized system log information backup process)
When the normalized system log information is to be saved, the saving unit 28 converts the normalized system log information into a text file and saves it in the system log saving storage device 50. In this case, each of the aggregation table and the data table is output as a text file such as CSV format. The CSV format includes a format in which data arranged in a predetermined item order is separated by a comma, a colon, a semicolon, a tab, or the like.

  The contents to be saved may be not only the entire normalized system log information but also a record to be saved in the normalized system log information. In this case, similarly to the search process described above, the record to be saved is searched, the data log in the data table matching the search and the aggregate table are converted into a text file and saved in the system log saving storage device 50. .

  Further, the save unit 28 deletes only the records in the data table saved in the system log save storage device 50 from the normalized system log information storage unit 26. This is because there is a high possibility that the records in the data table that are not saved refer to the records in the aggregate table, and if the data in the aggregate table is deleted, the records in the data table are restored to the original system log. It is because it becomes impossible to restore to.

  According to this embodiment, it is possible to manage on the database as normalized system log information in which the capacity of the system log is reduced without modifying the contents of the system log. It is also possible to easily restore the original system log from the normalized system log information. As a result, the system log in the IT system 10 that outputs a huge amount of log data can be efficiently managed.

  For example, an average of 150 bytes per line and a redundant key is an average of 25 bytes. Also, the id of the aggregation table is 2 bytes. Consider a case where 15 rows of data are stored in the aggregation table and 100,000 rows of data are stored in the data table. The capacity of the system log when the aggregation is not performed is 150 × 100,000 = 15,000,000 bytes. The capacity of the normalized system log information when the normalization according to the first embodiment is performed is as follows. (150−25 + 2) × 100,000 + (25 + 2) × 15 = 12,700,405 bytes, which has the effect of reducing the capacity by about 16%.

  Also, during the search process, search is performed in each of the aggregate table and data table, but when searching for keywords in the aggregate table, since the number of records in the aggregate table is small, prepare an index that is normally used for search, Since there is no need to add to the aggregate table, the capacity of the aggregate table can be further reduced.

  As described above, the system log management support apparatus according to the present invention is useful for auditing in an IT system of an organization such as a company.

It is a figure which shows typically an example of the structure of the system by which the system log management assistance apparatus concerning this invention is applied. It is a block diagram which shows typically the function structure of the system log management assistance apparatus concerning this invention. It is a figure which shows an example of the item collected as a system log. It is a figure which shows an example of system log data. It is a figure which shows an example of the produced | generated aggregation table. It is a figure which shows an example of the produced | generated data table. It is a flowchart which shows an example of the normalization process procedure of a system log. FIG. 6 is a diagram illustrating an example of a state in which data is stored in an aggregation table in FIG. 5. It is a figure which shows the state by which id was provided to the original record. It is a figure which shows an example of the state which stored the record in the data table. It is a figure which shows an example of the aggregation table created from FIG. It is a figure which shows an example of the data table produced from FIG. It is a figure which shows an example of a search screen. It is a figure which shows the specific example of the procedure of a search process.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 IT system 20 System log management support apparatus 21 System log acquisition part 22 Display part 23 Display processing part 24 Input part 25 Normalization condition setting reflection part 26 Normalization system log information storage part 27 Search part 28 Saving part 29 Control part 30 Network 40 Communication line 50 System log storage device

Claims (8)

  Normalization conditions for reducing the amount of data recorded in the system log by aggregating output keys of the same content data that appear in a predetermined ratio or more among a plurality of the output keys of the system log consisting of predetermined output keys A system log management support apparatus comprising a setting reflection unit.   The normalization condition setting reflecting means identifies a redundant key composed of output keys of data of the same content that appears in a predetermined ratio or more among output keys constituting the system log, and a combination of data corresponding to the redundant keys In the system log, the aggregated information composed of the identification key, the output key other than the redundant key, and the data information composed of the association key for associating with the record in the aggregated information using the identification key The system log management support apparatus according to claim 1, wherein normalized system log information is generated by dividing the record.   The normalization condition setting reflecting means is configured to output the redundant key of the one record when data corresponding to the redundant key of the one record in the system log does not correspond to any record stored in the aggregate information. The system log management support apparatus according to claim 2, wherein an identifier is attached to data corresponding to the information and stored in the aggregated information.   When searching for a record including a keyword in the predetermined output key of the normalized system log information, after searching for the record including the keyword in the output key in each of the aggregated information and the data information, The system log management support apparatus according to any one of claims 1 to 3, further comprising search means for combining the results and outputting a search result.   When searching for a record that includes a keyword in the predetermined output key of the normalized system log information, a record that includes the keyword in the output key with respect to a result obtained by combining the aggregated information and the data information The system log management support apparatus according to any one of claims 1 to 3, further comprising search means for performing a search.   When receiving an instruction to save the specified record in the normalized system log information to another recording device, the specified record is output to the other recording device and then saved in the data information. 6. The system log management support apparatus according to claim 1, further comprising a saving unit that deletes only the record.   The system log management support apparatus according to claim 6, wherein the saving unit outputs the designated record to the other recording apparatus in a predetermined text format.   A system characterized by aggregating output keys of data appearing in a predetermined ratio or more among a plurality of the output keys of a system log composed of predetermined output keys to reduce the amount of data recorded in the system log Log management support method.

Images