JP2010182194A - Device and program for generating integrated log and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a device which extracts attributes from a plurality of different types of logs different from each other and adds relevant attributes not existing in respective logs to generate an integrated log in which logs are related with each other by these attributes and to provide a log management means capable of searching an event resulting from a relay of histories of a plurality of attributes, from the integrated log. <P>SOLUTION: In a different-types-of log integration management device 100, an attribute extraction part 110 receives log data from at least one of a predetermined PC operation log 200, a multifunction machine log 210, and an entry/exit log 20 and extracts item data corresponding to two or more predetermined attribute items from the log data. The attribute extraction part 110 standardizes respective pieces of extracted item data on the basis of attribute management information 120 stored in an attribute management information storage part, and generates the whole of respective pieces of standardized item data as attribute data. A collection/storage part 113 stores the attribute data generated by the attribute extraction part 110 into an integrated log 117 in an integrated log storage part. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an integrated log generation device and an integrated log generation program for generating an integrated log from a plurality of different types of logs.

  A conventional log integrated management device integrates attribute items (for example, person identification information) that cross-link different types of logs to different types of logs (different types of logs) output from various systems and devices. An identification code is prepared, and the value of each log attribute item is associated with the identification code for integration, and stored and managed as an integrated log in a format unified for each identification code for integration (for example, Patent Document 1). ).

JP 2007-233661 A

  The conventional log integrated management device expresses a history in an instance having an attribute corresponding to the identification code for integration by arranging the integrated log in time series by log generation date and time (time stamp). Therefore, the relationship between the histories in each instance (for example, when the integration identification code corresponds to a person, the relationship between the behavior histories of different persons) is not directly expressed as data. Therefore, there is a problem that processing is complicated when log search is performed.

  The present invention extracts attributes from a plurality of different types of logs different from each other, adds related attributes that do not exist in each log, generates an integrated log in which logs are associated with the plurality of attributes, and generates the integrated log An object of the present invention is to provide a log management means that enables a search for an event that has a history of a plurality of attributes.

The integrated log generation device of this invention is
Log data indicating one data unit in each of a plurality of predetermined types of logs, and standardized log data in which log data including item data corresponding to each attribute item of a plurality of attribute items is standardized is accumulated. An integrated log storage unit for storing the integrated log;
An attribute management information storage unit for storing the standardization rules as attribute management information;
Inputting the log data from at least one of the plurality of predetermined log types, extracting item data corresponding to two or more predetermined attribute items from the input log data; A standardized log data generation unit that standardizes each extracted item data based on the attribute management information stored in the attribute management information storage unit, and generates the entire standardized item data as the standardized log data; ,
And an accumulation unit that accumulates the standardized log data generated by the standardized log data generation unit in the integrated log of the integrated log storage unit.

  According to the present invention, it is possible to provide an integrated log generation device that extracts attributes from heterogeneous logs, adds related attributes that do not exist in each heterogeneous log, and generates an integrated log in which logs are associated with the plurality of attributes.

2 is a block diagram of a heterogeneous log integrated management device 100 according to Embodiment 1. FIG. FIG. 4 is a diagram showing PC operation log data 201 according to the first embodiment. FIG. 6 is a diagram illustrating MFP log data 211 according to the first embodiment. The figure which shows the entrance / exit log data 221 in Embodiment 1. FIG. FIG. 5 shows integrated log data 150 according to the first embodiment. The figure which shows the relationship between the integrated log data 150 in Embodiment 1, PC operation log data 201 grade | etc.,. 6 is a flowchart of a unified log design procedure according to the first embodiment. FIG. 5 shows ID management information 121 in the first embodiment. FIG. 6 is a diagram showing device management information 122 in the first embodiment. FIG. 5 is a diagram showing location management information 123 in the first embodiment. FIG. 5 is a diagram showing event management information 124 in the first embodiment. FIG. 6 shows integrated definition data 160 in the first embodiment. The figure which shows the history tracking type | mold data of the history tracking type DB134 in Embodiment 1. FIG. 5 is a flowchart of integrated log generation processing according to the first embodiment. FIG. 5 shows attribute data in the first embodiment. 5 is a flowchart of data standardization processing according to the first embodiment. 6 is a flowchart of history tracking type data generation processing according to the first embodiment. 5 is a flowchart showing a process of integrated log search in the first embodiment. The figure which shows an example of the hardware constitutions of the heterogeneous log integrated management apparatus 100 in Embodiment 2. FIG.

Embodiment 1 FIG.
FIG. 1 is a block diagram of a heterogeneous log integrated management apparatus 100 (integrated log generation apparatus). The heterogeneous log integrated management device 100 includes an attribute extraction unit 110 (an example of a standardized log data generation unit), an attribute management information storage unit that stores attribute management information 120, an image acquisition unit 112 (an example of an image storage unit), a collection / storage Unit 113 (an example of an accumulation unit), a log search unit 114 (an example of an integrated log search unit), a log management unit 115, an image data storage unit that stores image data 116, an integrated log storage unit that stores an integrated log 117, and a history Data generation unit 130 (an example of a history tracking type data generation unit), a definition information storage unit that stores integrated definition information 131, a history data search unit 132 (an example of a history tracking unit), a history tracking type data management unit 133, a history tracking A history tracking database storage unit that stores a type DB (DataBase) 134 and an integrated log search cooperation unit 140 are provided.

(1) The heterogeneous log integrated management device 100 is a device that collects and accumulates various logs and implements a search using a history of events recorded in the logs.
(2) The PC operation log 200 is log data in which various operation contents are recorded by an information leakage countermeasure system or the like on a PC (Personal Computer) installed or temporarily brought into an office or the like.
(3) The multifunction machine log 210 is log data that records various operations on a multifunction machine (having a plurality of functions such as a copy function, a printer function, and a facsimile function) installed in an office or the like.
(4) The entrance / exit log 220 is log data recorded by an entrance / exit management device such as an office.
(5) The monitoring image 230 is image data recorded by a monitoring video camera installed in an office or the like. The monitoring image 230 is stored in the image information storage device.
(6) The client PC 300 is an operation PC for searching and referring to logs using the heterogeneous log integrated management apparatus 100.

In the heterogeneous log integrated management device 100,
(1) The attribute extraction unit 110 inputs the PC operation log 200, the multifunction machine log 210, and the entrance / exit log 220, extracts attribute items from each log with reference to the attribute management information 120, and generates attribute data 111 to be described later. Generate.
(2) The attribute management information 120 includes ID management information 121 for managing an identifier of a person or the like recorded in each log, device management information 122 for managing a device or the like that records a log, and information on the position of the recorded log Location management information 123 to be managed and event management information 124 to manage an event that causes a log to be recorded are included.
(3) The image acquisition unit 112 extracts related image data from the monitoring image 230 based on the information of the attribute data 111 and stores it in the image data 116.
(4) The collection / accumulation unit 113 stores the log data of each log and the attribute data 111 extracted from the log data in the integrated log 117 as a set of data.
(5) The log search unit 114 searches the integrated log 117 and the image data 116 according to the search condition.
(6) The log management unit 115 performs processing such as storage input / output of the integrated log 117 and the image data 116.
(7) The history data generation unit 130 receives attribute information from the log search unit 114, generates history tracking type data according to the integrated definition information 131, and stores it in the history tracking type DB 134.
(8) The history data search unit 132 searches the history tracking DB 134 according to the conditions.
(9) The history tracking type data management unit 133 performs processing such as storage input / output of the history tracking type DB 134.
(10) The integrated log search cooperation unit 140 combines the log search unit 114 and the history data search unit 132 based on a user request from the integrated log search screen 301 executed on the client PC 300, and combines the integrated log 117 and the image data 116. The history tracking DB 134 is searched.

  The PC operation log 200, the multifunction machine log 210, and the entrance / exit log 220 are transferred from the system apparatus that records and manages each log to the heterogeneous log integrated management apparatus 100 at regular intervals via the network. The monitoring image 230 takes out necessary image data by designating the shooting date and time and information for identifying the camera from a device that stores and manages the image data recorded by the monitoring video camera.

(PC operation log 200)
FIG. 2 is a schematic diagram showing an example of the PC operation log 200 in FIG. In FIG. 2, PC operation log data 201 is data in which operations on a PC are recorded by using an information leakage countermeasure system or the like. The PC operation log data 201 includes a date and time item in which the log is recorded, a host name item for identifying the PC on which the operation has been performed, a login user item indicating the subject of the operation, and an operation item indicating the specific content of the operation. In addition, an item in which related information such as a file name to be operated is recorded is output. In FIG. 2, the PC operation log data 201 is expressed in a format in which the recorded items can be identified as columns, but may actually be a readable text or XML format. In either case, it can be dealt with by cutting out items as individual columns as preprocessing.

(MFP log 210)
FIG. 3 is a schematic diagram showing an example of the multifunction machine log 210 in FIG. In FIG. 3, multifunction machine log data 211 is data obtained by accumulating log data recorded by the multifunction machine by a multifunction machine management system or the like. The MFP log data 211 includes a date / time item in which the log is recorded, a device ID item indicating the MFP in which the process was performed, an operation item indicating the specific contents of the process, and a user ID item indicating the subject of the process. Items for recording related information such as the number of executions of the process and the destination telephone number are output. In FIG. 3, the MFP log data 211 is expressed in a format in which the recorded items can be identified as columns, but may actually be a readable text or XML format. In either case, this can be dealt with by cutting out information as individual columns as preprocessing.

(Entrance / exit log 220)
FIG. 4 is a schematic diagram showing an example of the entrance / exit log 220 in FIG. In FIG. 4, entry / exit log data 221 is data recorded by an entry / exit management device or the like. The entry / exit log data 221 includes a date and time item in which the log is recorded, a number item to be operated, a signal item indicating the operation content, a factor item indicating the cause of recording the log, an identification number item indicating the subject of the operation, An item in which related information such as a traffic factor is recorded is output. In FIG. 4, the entry / exit log data 221 is expressed in a format in which the recorded items can be identified as columns, but may actually be in a byte sequence or XML format based on a specified code number. In either case, this can be dealt with by cutting out information as individual columns as preprocessing.

(Integrated log 117)
FIG. 5 is a schematic diagram showing an example of the integrated log 117 in FIG. In FIG. 5, the integrated log data 150 is a log ID item that uniquely identifies each log data, a date / time item when the log is recorded, and the log data is one of a PC operation log 200, a multifunction machine log 210, and an entry / exit log 220. Type item indicating log, event item indicating log generation factor, target item indicating log generation source, user ID item indicating subject of event recorded in log, location item indicating location of event related to log and original It consists of log body items that store all the log information. FIG. 6 shows the correspondence between the integrated log data 150, the PC operation log data 201, the multifunction machine log data 211, and the entry / exit log data 221. The structure of the integrated log data 150 is derived from the contents of the PC operation log 200, the multifunction machine log 210, and the entrance / exit log 220, which are integration targets, according to the procedure shown in FIG.

(Integrated log design flow)
FIG. 7 is a flowchart showing a procedure for a designer to design a structure of an integrated log for integrating and storing logs of different formats output from various systems and devices. In FIG.
(1) In step S001, at least necessary to determine the contents of each log from items included in the log to be integrated (here, the PC operation log 200, the multifunction machine log 210, and the entry / exit log 220 correspond) To select items. For example, an item in which information such as the date and time of the log, the user who performed the event represented by the log, the target or related device, and the event indicating the content of the event is recorded.
(2) In step S002, in addition to the items selected in step S001, related information that is not recorded in the log but can be used for associating a plurality of logs to be integrated (eg, log target device) (Explained position item indicating the location of the user) is extracted.
(3) In step S003, regarding the items identified in steps S001 and S002, the semantically identical items are integrated into one item, and the items are arranged. For example, the identification date of the person related to the log date and time or the log event (the login item in the PC operation log 200, the user ID item in the multifunction machine log 210, and the identification number item in the entry / exit log 220) corresponds to the entity represented by the item. Are the same, so integrate the items.
(4) In step S004, for the items arranged in step S003, the items indicating the cause of log recording in each log to be integrated are consolidated into one event item regardless of the semantic content. The item indicating the log recording cause corresponds to, for example, an operation item in the PC operation log 200, an operation item in the multifunction machine log 210, and a signal item in the entry / exit log 220.
(5) In step S005, attribute information obtained by adding a log ID item for uniquely identifying integrated log data and a log type item indicating the type of log data to the items arranged up to step S004 Define as
(6) In step S006, a log text item for storing the data of each log to be integrated as it is is added to the attribute information in step S005, and the integrated log data is combined with the attribute information and the log text. To do.
(7) The integrated log structure can be determined as described above.

  The attribute management information 120 manages correspondence information for standardizing data values of the attribute information of the integrated log data 150 designed by the designer according to the flowchart shown in FIG.

(ID management information 121)
FIG. 8 is a schematic diagram showing an example of the ID management information 121 in FIG. The ID management information 121 manages the correspondence between the standard ID for integration and the value of the corresponding item in each log so that the same person has the same ID for the user ID items integrated in step S003. In FIG. 8, the user ID management table 170 is composed of a user ID item that is a standard ID and an explanation item for recording its contents. The value of the user ID item is a unique value without duplication. The ID correspondence table 171 includes a log type item for identifying a log type, an identifier item that is user identification information in each log, and a user ID item that indicates a standard ID corresponding to the identifier item. FIG. 8 shows a case where user identification information is unified in the multifunction machine log 210 and the entrance / exit log 220. The value of the user ID item in the ID correspondence table 171 needs to be defined in the user ID item of the user ID management table 170.

(Device management information 122)
FIG. 9 is a schematic diagram showing an example of the device management information 122 in FIG. The device management information 122 manages the correspondence between the standard value and the value of the corresponding item in each log so that the data value of the target item is identifiable and in a unified format. In FIG. 9, the device correspondence table 172 includes target items representing standard values, log type items for identifying log types, identifier items and sub-identifier items that are device identification information in each log, and contents of the target items. It consists of explanation items for recording. Ensure that the value of the target item is a unique value without duplication. With regard to the values of the identifier item and sub-identifier item, the log (PC operation log, MFP log) that can uniquely identify the device by log type uses only the identifier item, and not only the log type but also the actual log output For the log (entrance / exit log) that can be uniquely specified by combining with the device, the identifier item and the sub-identifier item are used.

(Location management information 123)
FIG. 10 is a schematic diagram showing an example of the location management information 123 in FIG. The position management information 123 manages the correspondence between the target item value and the position information so that the log position information can be derived from the target item. In FIG. 10, the position management table 173 is composed of position items representing positions corresponding to logs and explanation items for recording the contents. The value of the position item should be a unique value without duplication. The position correspondence table 174 includes target items of the device correspondence table 172 in FIG. 9 and position items indicating the positions. The value of the position item in the position correspondence table 174 needs to be defined in the position item of the position management table 173.

(Event management information 124)
FIG. 11 is a schematic diagram showing an example of the event management information 124 in FIG. The event management information 124 manages the correspondence between the standard value and the value of the corresponding item in each log so that the event item is identifiable and in a unified format. In FIG. 11, an event management table 175 includes an event item representing a standard value, a log identification item for identifying a log type, an identifier item that is information on an item corresponding to an event in each log, and the contents of the event item. Consists of explanation items for recording. The event item value should be a unique value without duplication.

(Integrated definition information 131)
FIG. 12 is a schematic diagram showing an example of the integrated definition information 131 (history tracking type data creation definition information) in the heterogeneous log integrated management apparatus 100 shown in FIG. The integrated definition information 131 is definition information for creating history tracking type data used for history tracking. In FIG. 12, the integrated definition data 160 is roughly divided into three, [SourceDefinition], [Source1] to [Source3], and [Class1] to [Class4]. In the [SourceDefinition] portion, the number of classes (ClassCount), the number of attributes (AttributeCount) in the history tracking type data, the number of input sources (SourceCount) serving as the original data, and the types of each source (Source1 to Source3) are defined. Here, a class is an item (viewpoint) of interest when tracing (tracking) history data in time series, and an attribute is an item related to data other than the class. Further, PC operation log (PC), multifunction machine log (MFP), and entry / exit log (ACS) are defined as the source types. In [Source1] to [Source3], for each of the three types of sources, the item position where the date / time item (Timestamp), event item (Event), class item (any of ClassNo1 to ClassNo4), and attribute item (Attribute1) exist. Indicates the number. In [Class 1] to [Class 4], information on classes is defined. In the integrated definition data 160, only class names (ClassName) are defined for four classes, “person”, “position”, “target”, and “gate”. The “person” class is used when tracking historical data regarding the behavior of a specific person. The “position” class is used to track the distribution of people in a place with historical data. The “target” class is used when tracking historical data on the usage status of a certain device. “Gate” is used to track the flow of a person at a certain point with historical data.

(History tracking DB 134)
FIG. 13 is a schematic diagram showing an example of history tracking type data stored in the history tracking type DB 134 in the heterogeneous log integrated management apparatus 100 shown in FIG. In FIG. 13, the history tracking type data 161 includes a date and time item when the log is recorded, a log ID item for uniquely identifying each log data in the integrated log 117, an event item indicating the cause of the log, the number of log classes, and the like. Consists of class information items for the number of classes. The class information item is composed of information items of the class itself and instance information of log data from the viewpoint of the class.

  Next, the operation will be described. The operation is roughly divided into three parts: an integrated log generation operation A, a history tracking type data generation operation B, and an integrated log search operation C.

(Integrated log generation operation A)
FIG. 14 is a flowchart showing the flow of integrated log generation processing in the heterogeneous log integrated management apparatus 100 shown in FIG. FIG. 15 is a diagram for explaining attribute data. 14 are operations of the attribute extraction unit 110, S 109 is an operation of the image acquisition unit 112, and S 110 is an operation of the collection / accumulation unit 113. The integrated log is generated individually for each of the PC operation log 200, the multifunction machine log 210, and the entrance / exit log 220. In the generated integrated log 117, as shown in FIG. Accumulated in a mixed form.

(1) First, in step S101, the attribute extraction unit 110 inputs log data for an arbitrary number of logs for a processing target log. Log data may be input one by one from the source system device to the heterogeneous log integrated management device 100, or may be input collectively in units of multiple items. At this time, information relating to the type of log (PC operation log 200, multifunction machine log 210, entry / exit log 220) is also input.
(2) In step S102, the attribute extraction unit 110 reads one log data from the log data input from the log generation source. For example, in the case of FIG. 3, one row of records (one unit of log data) corresponds.
(3) In step S103, the attribute extraction unit 110 sets the log type of the input log data based on the log type. As shown in FIG. 15, in FIG. 3, “MFP” is displayed.
(4) In step S104, the attribute extraction unit 110 determines the format of the log data from the type of log, and extracts item data corresponding to the attribute (date, event, target, user ID) of the integrated log from the log data. .
(5) In step S105, the attribute extraction unit 110 standardizes the value of the item data with reference to the attribute management information 120 for the item data corresponding to the attribute of the integrated log extracted in step S104. The event item converts a value based on the event management information 124. The value of the target item (target for event occurrence) is converted based on the device management information 122. The user ID item converts a value based on the ID management information 121. For event date and time items, the expression format is converted as necessary.
(6) In step S106, the attribute extraction unit 110 derives the value of the position item (an example of related information) based on the position management information 123 from the value of the target item converted in step S105.
(7) In step S107, the attribute extraction unit 110 generates attribute item data from the item data obtained in step S103 (type), step S105 (standardization), and step S106 (position item), and sets the attribute data 111. Create or add. One record in one line in FIG. 15 is one attribute data (an example of standardized log data).
(8) In step S108, the attribute extraction unit 110 evaluates the presence or absence of unprocessed data among the log data input in step S101. If there is unprocessed data, the process of all data is performed in step S102. If is finished, the process proceeds to step S109.
(9) In step S109, the image acquisition unit 112 inputs the attribute data 111, and converts all the log data input in step S101 into log data based on the date and time items and the position item values of the attribute data 111. Corresponding image data is acquired from the monitoring image 230.
(10) In step S110, the collection / accumulation unit 113 loads the data into the integrated log 117 as a set of the log data (log data body) input in step S101 and the attribute data 111. In addition, as shown in FIG. 5, adding all of the log body is an example. The attribute extraction unit 110 adds a predetermined portion (including the entire log body) of the log body according to the setting. Then, using the value of the log ID item of the loaded integrated log, the image acquisition unit 112 links (corresponds) the image data acquired in step S109 and the integrated log data to the image data 116.

  Thus, an integrated log can be generated.

(Details of S105 and S106)
FIG. 16 shows the data item standardization process in step S105 (standardization) in FIG. 14 and the position item derivation process (related information derivation process) in step S106 (position item derivation). It is a flowchart showing a flow.

(S401)
First, in step S401, the type of log during integrated log generation processing and item data to be standardized or derived (item data corresponding to the event, target, user ID extracted in step S104, or target item data standardized in step S105). ).

(S402)
In step S402, the attribute management information 120 to be referred to in the standardization process or the position item derivation process is specified from the type of item data input in step S401. When the item data is an item corresponding to an event, the event management table 175 of FIG. 11 is used. When the item data is an item corresponding to a target, the device correspondence table 172 of FIG. 9 is used. The ID correspondence table 171 in FIG. 8 is used, and in the case of target item data, the position correspondence table 174 in FIG. 10 is used.

(S403)
In step S403, the corresponding record is searched from the attribute management information 120 based on the log type and item data input in step S401. When the reference destination is the event management table 175, a record in which the log type item and the identifier item match the input log type and item data, respectively, is searched. When the reference destination is the device correspondence table 172, a record in which the log type item and the identifier item match the input log type and item data is searched. When the reference destination is the ID correspondence table 171, a record in which the log type item and the identifier item match the value and item data corresponding to the input log type is searched. When the reference destination is the position correspondence table 174, a record that matches the target item input by the target item is searched.

(S404)
In step S404, the item data to be standardized or derived is output from the search result record from the attribute management information 120 searched in step S403. In the case of a search result record in the event management table 175, an event item is output. In the case of a search result record in the device correspondence table 172, the target item is output. In the case of a search result record in the ID correspondence table 171, a user ID item is output. In the case of the search result record in the position correspondence table 174, the position item is output.

  As described above, the event item, the target item, and the user ID item can be standardized and the position item can be derived.

(History tracking type data generation operation B)
Next, processing for generating history tracking type data from the integrated log will be described. FIG. 17 is a flowchart showing the flow of history tracking type data generation processing in the heterogeneous log integrated management apparatus 100 shown in FIG. S201 to S204 are operations of the log search unit 114, and S205 to S210 are operations of the history data generation unit 130.

(1) First, in step S <b> 201, the log search unit 114 inputs a “time range” as a target for generating history tracking type data from the log data of the integrated log 117. The time range may be appropriately specified as necessary, or may be automatically determined at regular intervals.
(2) In step S202, the log search unit 114 still acquires log data in the time range out of the time range and the log type (any of the PC operation log 200, the multifunction machine log 210, and the entry / exit log 220). A search is performed on the integrated log 117 by specifying a log type that has not been selected as a selection condition.
(3) In step S203, the log search unit 114 acquires and records the log data of the search result in step S202. The log data of the search result may be stored as data in a buffer area on the memory or may be output to a file.
(4) In step S204, the log search unit 114 evaluates whether there is a log type from which the log data in the time range input in step S201 has not been acquired. If there is an unacquired log type, all processing proceeds to step S202. If the log type has been acquired, the process proceeds to step S205.

(5) In step S205, the history data generation unit 130 inputs “integrated definition data 160” (history tracking type data creation definition information) in FIG.
(6) In step S206, the history data generation unit 130 inputs log data of a log type that has not yet been processed among the log data acquired in S203. When the log data is stored in the buffer area on the memory, the buffer area is received, and when the file is output, the file is opened and the log data is read.
(7) In step S207, the history tracking type data generation process is executed by referring to the corresponding information of the integrated definition data 160 input in step S205 from the type of log data input in step S206. First, based on the information of the source type in [SourceDefinition] of the integrated definition data 160, it is checked which section of [Source1] to [Source3] the input log type corresponds to. Next, based on the information of the corresponding section, the subsequent processing is executed for all log data for each piece of input log data. First, values are extracted from the item position numbers for the date / time item (Timestamp), event item (Event), and attribute item (Attribute1), and are set in the date / time item, event item, and log ID item of the history tracking type data, respectively. Next, for the class item defined in the corresponding section (any one of ClassNo1 to ClassNo4), the value is extracted from the item position number and set to the instance item of the corresponding class information, and the corresponding [Class1] to [Class A value is set with reference to information in the section of Class 4], and history tracking type data is generated. In the example of the integrated definition data 160, only the class name (ClassName) is defined. However, by defining the hierarchical relationship between the log data here, it is possible to generate history tracking type data having the hierarchical relationship between the data. become.
(8) In step S208, the log data input in S206 is released. If it was stored in the buffer area in memory, the buffer area is released, and if it was stored in the file, the file is deleted.
(9) In step S209, it is evaluated whether there is an unprocessed log. If there is an unprocessed log, the process proceeds to step S206.
(10) In step S210, the generated history tracking log data is stored in the history tracking DB 134.
(11) As described above, history tracking log data can be generated from the integrated log.

(Integrated log search operation C)
Finally, the integrated log search will be described. FIG. 18 is a flowchart showing the flow of integrated log search in the heterogeneous log integrated management apparatus 100 shown in FIG.

(1) First, in step S <b> 301, the user inputs “log type” and “search condition” for an event to be searched from the integrated log search screen 301. For example, when searching for an event related to a person who entered a room at a certain time, an entry / exit log is designated as the “log type”, and a time and position are designated as the “search condition”. Here, the “search condition” may be for an attribute item of the integrated log data 150 or for a log body item. The format of the user interface of the integrated log search screen 301 is not limited.
(2) In step S302, the integrated log search cooperation unit 140 receives the “log type” and the “search condition” from the integrated log search screen 301, generates a search query for the integrated log 117, and sends it to the log search unit 114. Request a search. The log search unit 114 searches the integrated log 117 and returns the search result to the integrated log search cooperation unit 140. The integrated log search cooperation unit 140 passes search result data to the integrated log search screen 301. The integrated log search screen 301 outputs the received search result data.

(3) In step S303, if the user wants to track the log from the search result data obtained in step S302, the process proceeds to step S304, and if the tracking is unnecessary, the process proceeds to step S308.

(Perform log tracking)
(4) In step S304, the integrated log search screen 301 inputs a class (any one of person, position, and target) in the history tracking type data from the user as a viewpoint used for tracking. For example, when it is desired to track a person based on an entry / exit log, the class is a person. The integrated log search screen 301 instructs the integrated log search cooperation unit 140 to perform history tracking by specifying the class and log ID item information of the search result data. The integrated log search cooperation unit 140 requests the history data search unit 132 to search the history tracking DB 134 from the class and the log ID item. The history data search unit 132 extracts data that matches the specified log ID from the history tracking DB 134, and searches for history data having the same value as the instance of the specified class in the data and executes sorting by date and time items. As a search result, a set of history data is returned from the history data search unit 132 to the integrated log search cooperation unit 140. The integrated log search cooperation unit 140 passes a set of history data to the integrated log search screen 301. The integrated log search screen 301 outputs a set of received history data as a log history.
(5) In step S305, the user refers to the log history output from the integrated log search screen 301, and visually evaluates the history sequence.

(6) In step S306, if the log history is to be tracked from a different class (viewpoint), the class and log ID are specified, and the process returns to step S304. If tracking is not required, the process proceeds to step S307. Switching the viewpoint refers to, for example, changing from a certain point in the history of a person to the history of the PC used by the person and tracking. In this case, the class is a target, and the log ID of the history data whose viewpoint is to be switched is designated.

(7) In step S307, if more detailed log information is required in the log history, the integrated log search cooperation unit 140 is instructed from the integrated log search screen 301 to the log ID of history data that requires detailed information. The integrated log search cooperation unit 140 requests the log search unit 114 to search using the specified log ID as a search condition. A search is executed by the log search unit 114, and the search result is returned to the integrated log search cooperation unit 140. The integrated log search cooperation unit 140 passes search result data to the integrated log search screen 301. The integrated log search screen 301 outputs the received search result data.

(8) In step S308, if a related image output is necessary for the output log, the process proceeds to step S309. If unnecessary, the integrated log search ends.
(9) In step S309, the integrated log search cooperation unit 140 is instructed from the integrated log search screen 301 for the log ID of a log that requires an image. The integrated log search cooperation unit 140 requests the log search unit 114 to perform an image search using the specified log ID as a search condition. The search is executed by the log search unit 114, and the image data of the search result is returned to the integrated log search cooperation unit 140. The integrated log search cooperation unit 140 passes the search result image data to the integrated log search screen 301. The integrated log search screen 301 outputs the received search result image data.

  As described above, the integrated log can be searched.

  As described above, heterogeneous logs are accumulated as unified logs in a format that allows association with multiple attributes, history tracking data is created from multiple attributes and associated with unified logs, and history tracking is performed for unified log searches. Since the search for type data can be used, it is possible to search the integrated log by transferring the history of multiple attributes.

  In addition, location information that is not recorded in the log is added as an attribute of the integrated log, and different types of logs are related by location information, so the history is searched using the relationship between different types of logs that do not appear directly in the log. can do.

  Furthermore, since the image data is accumulated by associating the monitoring image data with the log based on the position information, it is possible to search for image data related to arbitrary integrated log data.

  In addition, since different types of logs are associated with each other by a plurality of attributes, the history can be traced by other attributes even for log data having no value of a certain attribute item.

  Furthermore, since the original log body is stored as it is in the integrated log, there is no loss of information recorded in the log, and a search using unique information that is not common among different types of logs can be performed. Further, in the generation of history tracking type data from the integrated log, since the association with the history tracking type data and the hierarchical relationship can be defined for each log type, unique relationship information can be set for a certain log type.

Embodiment 2. FIG.
Next, the second embodiment will be described with reference to FIG. The second embodiment is an embodiment in which a series of operations of the heterogeneous log integrated management device 100 is grasped as a method, a program, and a computer-readable recording medium recording the program.

  In the first embodiment, the heterogeneous log integrated management device 100 (integrated log generation device) has been described. A series of operations of each component (“˜”) that is a component of the heterogeneous log integrated management apparatus 100 according to the first embodiment is related to each other, and the heterogeneous log integrated management apparatus 100 performs this series of operations. It is also possible to grasp as a method. Further, by grasping these series of operations as processing to be executed by the computer, it is possible to grasp as a program (integrated log generation program) to be executed by the computer. It can also be understood as a computer-readable recording medium on which the program is recorded.

  FIG. 19 is a diagram illustrating an example of hardware resources of the heterogeneous log integrated management device 100 which is a computer. In FIG. 19, the heterogeneous log integrated management device 100 includes a CPU 810 (Central Processing Unit) that executes a program. The CPU 810 includes a ROM 811 (Read Only Memory), a RAM 812 (Random Access Memory), a display device 813, a keyboard 814, a mouse 815, a communication board 816, a flexible disk drive (FDD) 817, a compact disk drive 818, and a printer via a bus 825. 819, connected to the magnetic disk device 820 and the like, and controls these hardware devices. Instead of the magnetic disk device 820, a storage device such as a flash memory, an optical disk device, or a memory card read / write device may be used.

  The RAM 812 is an example of a volatile memory, and the storage medium such as the ROM 811 and the magnetic disk device 820 is an example of a nonvolatile memory. These are examples of a storage device, a storage unit, or a storage unit.

  The communication board 816 communicates with other devices such as the client PC 300 and an image information storage device that holds the monitoring image 230.

  The magnetic disk device 820 stores an operating system 821 (OS), a window system 822, a program group 823, and a file group 824. The programs in the program group 823 are executed by the CPU 810 and the operating system 821.

  The program group 823 stores a program for executing the function described as “˜unit” in the description of the first embodiment. The program is read and executed by the CPU 810.

  The file group 824 includes information such as the attribute management information 120, the attribute data 111, the image data 116, the integrated log 117, the integrated definition information 131, and the history tracking DB 134 described in the above embodiment, and the determination result of “˜”. ”,“ Determined results ”,“ extracted results ”,“ processed results ”, data, signal values, variable values, parameters, etc. It is stored as each item. The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 810 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, output, and display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during CPU operations for extraction, search, reference, comparison, calculation, calculation, processing, output, and display. Is done.

  In addition, what has been described as “˜unit” in the description of the first embodiment may be “˜circuit”, “˜device”, “˜device”, “means”, and “˜step”. ”,“ ˜procedure ”, or“ ˜processing ”. That is, what has been described as “˜unit” may be realized by firmware stored in the ROM 811. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. The program is read by the CPU 810 and executed by the CPU 810. In other words, the program causes the computer to function as the “˜unit” described in the above description.

In the above embodiment, the heterogeneous log integrated management apparatus including the following means has been described.
(A) Attribute extraction means for extracting attribute items from heterogeneous logs and standardizing values;
(B) Attribute addition means for adding related information that does not exist in the log, such as the location information and identification code of the system / device that output the log;
(C) log storage means for storing the attribute and the log body as a set of data;
(D) Log search means for searching the accumulated log according to a search condition using attribute or log body information;
(E) History data generation means for generating history data by associating different types of logs using attributes with respect to the accumulated logs;
(F) History data storage means for storing history data;
(G) History data search means for searching for specific history data and searching for history data related to arbitrary history data;
(H) Search linkage means for linking log search and history data search;

In the above embodiment,
(H) In the search cooperation means, the integrated log search and the history data search are linked by executing the search of the integrated log using the history data identifier and the search execution of the history data related to the data of the integrated log. A heterogeneous log integrated management device has been described.

In the above embodiment,
(A) In the attribute extraction means, for the log of the entrance / exit management system as a heterogeneous log, the log generation date / time, the operator, the operation content, and the device identifier information in the log of the entrance / exit management system are extracted
In the (b) attribute adding means, adding location information of the entry / exit management device,
The heterogeneous log integrated management apparatus has been described in which the attribute data is extracted from the accumulated log in the (e) history data generation means, and the logs are associated based on the items of the operator, location information, and device identifier.

In the above embodiment,
In the (a) attribute extraction means, for the PC operation log as a heterogeneous log, the log generation date / time, operator, operation content, and PC identifier information in the PC operation log are extracted,
In the (b) attribute adding means, the PC position information is added respectively,
The heterogeneous log integrated management apparatus has been described in which the attribute data is extracted from the accumulated log in the (e) history data generation means, and the logs are associated with each other based on the operator, location information, and PC identifier items.

In the above embodiment,
In the (a) attribute extraction means, for the operation log of the multifunction machine as a heterogeneous log, the log generation date and time, the operator, the operation content, the information of the multifunction machine identifier in the multifunction machine operation log are extracted
In the (b) attribute adding means, the location information of the multifunction device is added,
The heterogeneous log integrated management apparatus has been described in which the attribute data is extracted from the accumulated log in the (e) history data generation means, and the logs are associated based on the items of the operator, the position information, and the MFP identifier.

In the above embodiment,
A heterogeneous log integrated management apparatus having the following means has been described.
(A) Image acquisition means for extracting image data related to the log from the monitoring image storage server based on the log generation date and time and position information, and storing it in the integrated log;
(B) Image search means for extracting related image data together with log data during integrated log search;

  100 heterogeneous log integrated management device, 110 attribute extraction unit, 111 attribute data, 112 image acquisition unit, 113 collection / accumulation unit, 114 log search unit, 115 log management unit, 116 image data, 117 integrated log, 120 attribute management information, 121 ID management information, 122 Device management information, 123 Location management information, 124 Event management information, 130 History data generation unit, 131 Integrated definition information, 132 History data search unit, 133 History tracking type data management unit, 134 History tracking type DB 140 Integrated log search cooperation unit, 200 PC operation log, 210 MFP log, 220 entry / exit log, 230 monitoring image, 300 client PC, 301 integrated log search screen.

Claims (10)

Log data indicating one data unit in each of a plurality of predetermined types of logs, and standardized log data in which log data including item data corresponding to each attribute item of a plurality of attribute items is standardized is accumulated. An integrated log storage unit for storing the integrated log;
An attribute management information storage unit for storing the standardization rules as attribute management information;
Inputting the log data from at least one of the plurality of predetermined log types, extracting item data corresponding to two or more predetermined attribute items from the input log data; A standardized log data generation unit that standardizes each extracted item data based on the attribute management information stored in the attribute management information storage unit, and generates the entire standardized item data as the standardized log data; ,
An integrated log generation apparatus comprising: an accumulation unit that accumulates the standardized log data generated by the standardized log data generation unit in the integrated log of the integrated log storage unit. The attribute management information storage unit
The attribute management information is information that does not exist as an attribute item of the log data in each of a plurality of predetermined types of logs, and is information that can be specified from at least one item data of the extracted item data As related information,
The standardized log data generation unit
Identifying the relevant information based on the attribute management information and the extracted item data, adding the identified relevant information to the standardized log data;
The storage unit
The integrated log generation apparatus according to claim 1, wherein the standardized log data to which the related information is added is accumulated in the integrated log. The standardized log data generation unit
Adding a predetermined portion of the log data that is a source of generation of the standardized log data to the standardized log data;
The storage unit
The integrated log generation device according to claim 1, wherein the standardized log data to which the predetermined part of the log data is added is accumulated in the integrated log. The integrated log stored in the integrated log storage unit is:
A plurality of the standardized log data that has been standardized based on the log data in each of a plurality of predetermined types of logs is stored,
The integrated log generation device further includes:
A definition information storage unit that stores history tracking type data creation definition information that creates history tracking type data that can be used for history tracking from the plurality of standardized log data accumulated in the integrated log;
Based on the history tracking data creation definition information, a history tracking data generation unit that creates the history tracking data from the plurality of standardized log data accumulated in the integrated log;
The integrated log generation device according to claim 1, further comprising a history tracking type data storage unit that stores the history tracking type data generated by the history tracking type data generation unit. The integrated log generation device further includes:
An integrated log search unit that receives search condition information indicating a search condition, searches for the standardized log data that matches the search condition information from the integrated log in the integrated log storage unit, and outputs the hit standardized log data The integrated log generation device according to any one of claims 1 to 4, wherein The standardized log data accumulated in the unified log is
Event information indicating a predetermined event; date and time information indicating the date and time when the event occurred; and position information indicating a position where the event occurred;
The integrated log generation device further includes:
An image data storage unit for storing predetermined image information;
Based on the date and time information and the position information included in the standardized log data for an image information storage device that stores image information corresponding to at least one of the predetermined types of logs. The image information corresponding to the standardized log data is retrieved, and when the image information corresponding to the standardized log data is hit, the image data stored is associated with the standardized log data corresponding to the hit image information. An image storage unit for storing in the unit,
The integrated log search unit
If the standardized log data is searched and hit, it is determined whether or not the image data corresponding to the hit standardized log data is stored in the image storage unit. 6. The integrated log generation apparatus according to claim 5, wherein the standardized log data and the stored image data are output. The integrated log generation device further includes:
The predetermined item data of the standardized log data searched by the integrated log search unit is accepted as a tracking viewpoint indicating a tracking item in history tracking, and based on the received tracking viewpoint, the history tracking type data storage unit The integrated log generation device according to claim 5, further comprising a history tracking unit that performs history tracking on the history tracking type data and outputs a result of the history tracking. Each of the predetermined types of logs includes:
Operation of a multifunction peripheral having an entry / exit log created by the entry / exit management system, a PC operation log showing a PC (Personal Computer) operation record, and at least a printer function and a copy function The integrated log generation apparatus according to claim 1, comprising at least one of a log and a multifunction machine operation log indicating recording. Computer
Log data indicating one data unit in each of a plurality of predetermined types of logs, and standardized log data in which log data including item data corresponding to each attribute item of a plurality of attribute items is standardized is accumulated. An integrated log storage for storing the integrated log,
An attribute management information storage unit for storing the standardization rules as attribute management information;
Inputting the log data from at least one of the plurality of predetermined log types, extracting item data corresponding to two or more predetermined attribute items from the input log data; A standardized log data generation unit that standardizes each extracted item data based on the attribute management information stored in the attribute management information storage unit, and generates the entire standardized item data as the standardized log data.
An accumulator that accumulates the standardized log data generated by the standardized log data generator in the integrated log of the integrated log storage;
Integrated log generation program to function as   A computer-readable recording medium storing the integrated log generation program according to claim 9.

Images