JP2014006715A - Access log analysis device and access log analysis method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To acquire an executed process flow and a degree of certainty of occurrence of the flow from a log of a target system without changing an application or the like.SOLUTION: An access log analysis device 600 is for use in an information system that includes: an application server 200; a user terminal 100 for transmitting a processing request to the server; and a database 300 for returning a response to an inquiry from the server. The device includes: a packet management part for storing a communication packet consisting of the processing request, inquiry and response; a processing request mapping candidate process part for calculating a degree of certainty of occurrence of the processing requests, for each of the inquiries, with regard to a series of patterns of the inquiries that are called from the individual processing requests for a predetermined period; an inquiry pattern candidate process part having functionality for calculating a degree of certainty of the inquiry pattern candidate from the inquiry called by each of the processing requests; and a screen drawing process part for displaying the processing request and the inquiry candidate in correlation with each other.

Description

  The present invention relates to an access log analysis device and an access log analysis method.

  Conventionally, in an information system configured via a communication network, various logs are collected on the system for the purpose of collecting information necessary for system operation. By examining the collected various logs, a system trace is executed that makes it possible to trace a processing request for an application running on the information system. This system trace is expected to facilitate the discovery and identification of the cause of problems such as bottlenecks in the system performance of information systems and erroneous data input by users.

  On the other hand, in system trace, a plurality of logs on a node such as a server computer (hereinafter referred to as “server”) constituting an information system are individually acquired. With respect to a series of processes executed with “DB”), it is necessary to check the flow of the series of processes by matching log information collected by a plurality of nodes.

  In this regard, in Patent Document 1, in the system trace, after individually acquiring a plurality of logs on the information system, common unique information included in various logs is designated as the link information. Next, as pre-learning, filtering of logs collected based on the link information is performed, and a business pattern in which a series of business processes are patterned based on data including the link information is created. At the time of log collection, log filtering based on the link information is performed, and mapping to the business pattern is further performed, so that the breakdown of each business processing time can be calculated based on the contents of the log.

  In Patent Document 2, log information can be traced by using information called a relay ID in a system trace to connect calling relationships between applications on the information system. As an example of a relay ID, a method is disclosed in which information obtained by adding a process ID to a time stamp is created as a relay ID, and each time an application is passed, the identifier of the application to be called next is connected to the back. . According to this method, the application calling order can be specified simply by adding a relay ID.

JP 2006-92358 A JP 2005-346414 A

  However, in the method of Patent Document 1, in order to appropriately determine which information flowing through the communication network that constitutes the information system should be selected as unique link information, the information system is operating. You need to understand the content of the application and the work being performed by it. For this reason, if the system administrator does not fully understand them, there is a problem that it takes time to identify the link information and start the system trace.

  In Patent Document 2, as described above, in order to enable system tracing, it is necessary to implement a change in the information system in which a function for newly generating a relay ID and adding it to packet information is added to each application. There was a problem that there was.

  The present invention has been made to solve the above and other problems, and information processing that is normally executed in a target information system without modifying elements such as applications running in the information system. It is an object of the present invention to provide an access log analysis apparatus and an access log analysis method that can grasp the information processing flow executed in the information system with a predetermined accuracy by collecting and analyzing the logs.

  In order to achieve the above object, according to one aspect of the present invention, an application server in which an application program is running, a user terminal that transmits a processing request to the application server, and the processing request received An access log analyzing apparatus that is communicably connected to an information system that is communicably connected to a database that receives an inquiry from the application and returns a reply, the processing request and the inquiry and answer A packet management unit that acquires and stores the communication packet that constitutes the communication packet, and obtains the communication packet for a predetermined period from the packet management unit, extracts the processing request and the inquiry, Select processing request mapping candidates that are candidates for the processing request that is the caller, and The processing request mapping candidate generation accuracy is obtained as a provisional generation accuracy from the number of processing requests associated with the inquiry, the number of times the inquiry is called by the processing request in a certain past period, and the processing request mapping The processing request mapping candidate processing unit having a function of calculating the new processing request mapping candidate generation accuracy by adding the provisional generation accuracy to the generation probability of the candidates, and the generation accuracy of the inquiry called by each processing request Each query pattern that is recorded in the past certain period is obtained by calculating a provisional occurrence accuracy from the number of combinations of query patterns that are a series of query patterns called from each processing request. And the processing request marker for the inquiry. Based on the inquiry pattern candidate processing unit having a function of calculating the accuracy of the inquiry pattern candidate calculated from the provisional occurrence accuracy of the ping candidate, and the generation accuracy of the processing request mapping candidate and the occurrence accuracy of the inquiry pattern candidate, There is provided an access log analyzing apparatus including a screen drawing processing unit having a function of generating screen data for displaying the screen by associating the processing request with the inquiry candidate called by the processing request.

  According to the present invention, it is executed in the information system by collecting and analyzing the information processing log normally executed in the target information system without modifying the elements such as applications running in the information system. It is possible to grasp the processed information processing flow with a predetermined accuracy.

FIG. 1 is a system configuration diagram of an information system 1 to which an access log analyzer according to an embodiment of the present invention is connected. FIG. 2 is a diagram illustrating a hardware configuration of each component configuring the information system 1. FIG. 3 is a diagram illustrating a software configuration of the access log analysis apparatus 600. FIG. 4 is a sequence diagram illustrating information processing executed in the information system 1. FIG. 5A is a diagram illustrating an access log analysis processing flow executed by the access log analysis device 600. FIG. 5B is a diagram illustrating an access log analysis processing flow executed by the access log analysis device 600. FIG. 5C is a diagram illustrating an access log analysis processing flow executed by the access log analysis device 600. FIG. 5D is a diagram illustrating an access log analysis processing flow executed by the access log analysis device 600. FIG. 6 is a diagram illustrating a configuration example of the packet management table 609. FIG. 7 is a diagram illustrating a configuration example of the Web access ID list 605. FIG. 8 is a diagram illustrating a configuration example of the DB access ID list 606. FIG. 9 is a diagram illustrating a configuration example of the Web access type management table 610. FIG. 10 is a diagram illustrating a configuration example of the DB access type management table 611. . FIG. 11 is a diagram illustrating a configuration example of the Web access mapping candidate management table 607. FIG. 12A is a diagram illustrating a configuration example of the Web access mapping result management table 612. . FIG. 12B is a diagram illustrating a configuration example of the Web access mapping result management table 612. FIG. 13A is a diagram illustrating a configuration example of a DB access pattern candidate management diagram 608. FIG. 13B is a diagram illustrating a configuration example of the DB access pattern candidate management diagram 608. FIG. 14 is a diagram illustrating a configuration example of the DB access pattern result management diagram 613. FIG. 15A is a diagram illustrating an example of a DB access ID related graph. FIG. 15B is a diagram illustrating an example of a DB access ID related graph. FIG. 15C is a diagram illustrating an example of a DB access ID related graph. FIG. 15D is a diagram illustrating an example of a DB access ID related graph. FIG. 15E is a diagram illustrating an example of a DB access ID related graph. FIG. 15F is a diagram illustrating an example of a DB access ID related graph. FIG. 15G is a diagram illustrating an example of a DB access ID related graph. FIG. 16 is a diagram showing an example of a log monitoring screen showing the analysis result of the access log analyzing apparatus 600.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. In the embodiment, when a plurality of the same components appear, for example, the user terminal 100-1 and the user terminal 100-2 are denoted by adding branch numbers to the reference numerals. Further, when a plurality of identical components are described together, for example, the branch number is omitted as in the user terminal 100.

Configuration of Information System 1 First, the configuration of an information system to which the access log analysis device of this embodiment is connected will be described. FIG. 1 shows a configuration example of the information system 1. An information system 1 illustrated in FIG. 1 is a user interactive service cooperation system, and includes a user terminal 100, an application server 200, a business DB 300, a packet replication device 400, a packet capture device 500, an access log analysis device 600, and a log monitoring terminal 700. It is configured with. The components of the information system 1 are connected to each other by a communication network 800. The communication network 800 is, for example, the Internet that enables data transmission / reception using an HTTP communication protocol, but may be another communication network.

  The user terminal 100 is a computer that can communicate with an application server 200 (described later) via a communication network 800, such as a personal computer in which a Web browser is installed. The application server 200 is a Web server on which an application for providing the function of the information system 1 is mounted and operating.

  The business DB 300 is a computer having a function of searching data stored in the DB based on a query received from an application running on the application server 200 and returning a search result to the application. In this embodiment, data exchange between the application of the application server 200 and each business DB 300 is executed by SQL, but other DB languages may be used. Further, in the configuration example of FIG. 1, the business DB 300 is described as a computer separate from the application server 200, but may be integrally installed in the application server 200.

  The packet duplication device 400 is a communication device connected between the application server 200 and the communication network 800, and performs routing of communication packets transmitted and received by the application server 200 on the communication network 800, and the communication packet Is copied and transmitted to the packet capture device 500 described later. Specifically, the packet duplication device 400 can be configured as a switching hub having a communication packet duplication function.

  The packet capture device 500 is a computer having a function of receiving a packet transmitted / received by the application server 200 replicated by the packet replication device 400 from the packet replication device 400 and storing it in a storage area constituted by an appropriate storage device. .

  The access log analysis device 600 is processed between the application server 200 of the information system 1, the user terminal 100, and the business DB 300 by acquiring the packets stored in the packet capture device 500 and analyzing them. It is a computer having a function of generating a record of access (log). The access log analysis processing by the access log analysis device 600 will be described later.

  The log monitoring terminal 700 is a computer having a function of acquiring an access log analysis result by the access log analysis device 600 from the access log analysis device 600 via the communication network 800 and outputting the result by an appropriate output device. In the present embodiment, a web browser as the log display unit 701 is mounted on the log monitoring terminal 700, and for example, a log monitoring screen can be displayed on a liquid crystal display device or the like.

  FIG. 2 shows the components constituting the information system 1 of FIG. 1, which are the user terminal 100, the application server 200, the business DB 300, the packet replication device 400, the packet capture device 500, the access log analysis device 600, and the log. The figure which illustrated the hardware constitutions of the information processing apparatus 10 which functions as the monitoring terminal 700 is shown. In the information processing apparatus 10, a CPU 11, a memory 12, a communication interface 13 for communicating with other apparatuses via a communication network such as the Internet and a LAN, an input device 14 such as a keyboard and a mouse, a monitor, a printer An output device 15 such as a reading device 16 and an external storage device 17 such as a hard disk drive are connected via an internal communication interface 19. The reader 16 can be configured with a necessary input / output device for a connection port to which a portable storage medium 18 such as an IC card or a USB memory can be connected.

  In the information system 1 of FIG. 1, each function included in each component is implemented by loading a program that realizes these functions onto the memory 12 and executing the program by the CPU 11. These programs may be stored in advance in the external storage device 17 of the information processing device 10, or when necessary, the reading device 16 or the communication device 13 and a medium that can be used by the information processing device 10. It may be introduced into the external storage device 17 from another device via the. The medium refers to, for example, a storage medium 18 that can be attached to and detached from the reading device 16, a communication network that can be connected to the communication device 13, or a carrier wave that propagates through the communication network, a digital signal, and the like. The program may be stored once in the external storage device 17 and then loaded onto the memory 12 and executed by the CPU 11 or loaded directly onto the memory 12 without being stored in the external storage device 17. Then, it may be executed by the CPU 11.

Definition of Terms Here, definitions of terms used in describing this embodiment will be described. First, “Web access mapping” is a combination that links each DB access transmitted from the application running on the application server 200 to the business DB 300 with the Web access of the application caller transmitted from the user terminal 100. Or the operation. Hereinafter, the web access mapping is simply referred to as mapping unless particularly required.

  “Mapping accuracy” is a probability indicating a possibility that mapping may actually occur for a plurality of Web accesses linked to each DB access. In each DB access, the total mapping accuracy of all Web access mapping candidates that can be mapped is 1. Therefore, when only one Web access is mapped to one DB access, the mapping accuracy is 1, and it is determined that the one DB access is caused by the mapped Web access.

  The “DB access pattern” refers to an ordered combination of DB accesses that are sequentially called by the application in response to reception of Web access transmitted from the user terminal 100 to the application.

  “The accuracy of the DB access pattern” is a probability indicating that the DB access similar to the DB access pattern may actually occur in the application, and the sum of the accuracy of all DB access pattern candidates is 1.

Functions of Access Log Analysis Device 600 Next, functions provided in the access log analysis device 600 will be described. FIG. 3 shows a software configuration example of the access log analysis apparatus 600. The access log analysis apparatus 600 includes an operating system (OS) 620, a data I / O unit 630, a packet management unit 601, a Web access mapping candidate analogy processing unit 602, a DB access pattern analogy processing unit 603, and a log drawing processing unit 604. I have. The OS 620 is basic software serving as an execution base of software implemented and operated in the access log analysis apparatus 600, and can be appropriately selected from OSs generally used as computer OSs. The data I / O unit 630 executes data I / O processing for transmitting / receiving data that is input to or output from the access log analysis apparatus 600 to / from each functional unit under the control of the OS 620.

  The packet management unit 601 has a function of receiving a packet acquired by the packet capture device 500 and storing it in the packet management table 609. A configuration example of the packet management table 609 is shown in FIG. A packet management table 609 illustrated in FIG. 6 stores a record group in which a time stamp 6091 and packet information 6092 are associated with each other. The time stamp 6091 records the date and time when the corresponding packet was captured by the packet capture device 500. In the packet information 6092, for example, information on a transmission source IP address, a transmission destination IP address, a transmission source port number, and / or a packet type is recorded. It is possible to know between which component in the information system 1 the packet is transmitted and received by the source IP address and the destination IP address (URL in this embodiment). The packet type records the packet type from the data content included in the packet. The packet types in this embodiment are Web access and DB access.

  The Web access mapping candidate analogy processing unit 602 acquires mapping candidates between Web access and DB access based on the message sequence structure extracted from the Web access log and DB access log, and the number of occurrences / probability of mappings that occurred in the past Based on the above, it has a function of calculating the accuracy of each mapping candidate.

  The DB access pattern analogy processing unit 603 has a function of calculating the accuracy of a DB access pattern based on the accuracy of mapping candidates and the number of occurrences / probabilities of DB access patterns that have occurred in the past.

  The log drawing processing unit 604 displays a Web access log list and a DB access list based on an access log analysis result, and based on the acquired mapping candidate accuracy and DB access pattern accuracy, each DB access information, Web access information, Log monitoring screen data for visualizing the mapping and the accuracy of the mapping.

  The web mapping candidate analogy processing unit 602 also includes a web access type management table 610 that manages a web access type that is information obtained by classifying each web access according to a combination of a destination URL and a parameter included in the web access. A DB access type management table 611 that manages DB access types, which are information classified by combinations of DB location information (host name, DB name) in the information system 1 and query information included in the DB access. The Web access mapping result management table 612 that manages the mapping results between past DB access types and Web access types is managed. The DB access pattern analogy processing unit 603 manages a DB access pattern result management diagram 613 that manages the relationship between the Web access type called in the past and the DB access pattern. The web access type management table 610, the DB access type management table 611, the web access mapping result management table 612, and the DB access pattern result management diagram 613 will be described later with respect to data processing executed by the access log analysis device 600.

  The web access mapping candidate analogy processing unit 602 also manages the web access ID list 605 for managing the web access currently being accessed from the user terminal 100 to the application server 200, and is currently accessing the business DB 300 from the application server 200. Web access mapping candidate management table for managing the mapping status between currently accessed DB access and Web access, recorded in the DB access ID list 606, DB access ID list 606, and Web access ID list 605 for managing DB access 607 and the DB access pattern for managing the currently accessed Web access recorded in the Web access ID list 605 and DB access pattern candidates for each Web access The candidate management diagram 608, is loaded into the respective memory 12 above, manages. The Web access mapping candidate management table 607 and the DB access pattern candidate management diagram 608 will be described later with respect to data processing executed by the access log analysis apparatus 600. The DB access pattern candidate management diagram 608 also uses the DB access pattern analogy processing unit 603.

Example of Data Processing Sequence in Information System 1 Next, the flow of data processing executed by the information system 1 of this embodiment will be described. FIG. 4 shows data processing in the information system 1 as a sequence diagram. The information system 1 is a Web transaction trace system in which two users use services provided by the application server 200 using Web browsers mounted on the user terminals 100-1 and 100-2, respectively. In the present embodiment, data processing when a user performs online shopping using an application that implements an electronic commerce function implemented in the application server 200 will be described as an example. The access log analysis process executed in the present embodiment is performed by using the data processing sequence in the information system 1 illustrated in FIG. 4 from a set of time series packets stored in the packet capture device 500 to a certain degree of accuracy. It is a process to reconfigure with. Therefore, the sequence diagram illustrated in FIG. 4 is originally obtained as a result of the access log analysis process, but for the purpose of explanation in this application, access is made to the record of the packet originally obtained by the process sequence as shown in FIG. The following description will be continued assuming that log analysis processing is performed.

  In FIG. 4, the user performs a product purchase procedure from the user terminal 100-1 at an online shop established in the information system 1. Specifically, the Web browser on the user terminal 100-1 sends and receives HTTP messages (processing requests for the application of the application server 200) of W1-1 and W1-2 to and from the application server 200, and at that time The application server 200 performs user authentication. At this time, the application server 200 performs SQL authentication represented by D1-1 and D1-2 with the business DB (hereinafter referred to as “authentication DB”) 300-1 storing authentication data for user authentication. Send and receive messages (inquiries to the business DB 300). Next, the Web browser of the user terminal 100-1 transmits / receives HTTP messages of W3-1 and W3-2 to / from the application server 200, and displays a settlement screen including member information / credit card information. At this time, in order for the application server 200 to acquire information necessary for displaying the payment screen, a business DB (hereinafter referred to as “member DB”) storing unique information including names, ages, credit card numbers, etc. regarding online shopping members. ) D3-1-1 and D3-2 SQL messages are sent to and received from 300-3, and payment information including credit card information such as credit card company name, credit card number, registered name, and validity period is stored. The D5-1 and D5-2 SQL messages are transmitted to and received from the business DB (hereinafter “settlement DB”) 300-2.

  On the other hand, from the user terminal 100-2, it is assumed that the user has performed a process of browsing member information in order to confirm points accumulated in the registered online shop. Specifically, the Web browser on the user terminal 100-2 transmits / receives W2-1 and W2-2 HTTP messages to / from the application server 200, and at that time, the application server 200 performs user authentication. . At this time, the application server 200 transmits and receives D2-1 and D2-2 SQL messages to and from the authentication DB 300-1 for user authentication. Next, the Web browser of the user terminal 100-2 transmits / receives W4-1 and W4-2 HTTP messages to / from the application server 200, and displays a settlement screen including member information / credit card information. At this time, the application server 200 sends and receives D4-1 and D4-2 SQL messages to and from the member DB 300-3 in order to acquire information necessary for displaying the payment screen.

  In FIG. 4, an HTTP message transmitted / received between the user terminal 100 and the application server 200 passes through the packet capture device 500. At that time, the packet capture device 500 temporarily accumulates the packets constituting the message passed on its own memory, and periodically transmits it to the packet management table 609 of the access log analysis device 600. Note that the access log analysis device 600 may periodically request the packet capture device 500 to transmit the accumulated packets. In FIG. 4, for convenience of illustration, two sets of packet capture devices 500 are described. However, as shown in the configuration example of FIG. 1, one packet capture device 500 is actually included in the information system 1. Is provided.

Access Log Analysis Processing Next, the access log analysis device 600 performs log analysis on the message that has passed through the packet capture device 500 in FIG. 4, and combines the log of the HTTP message in the same Web transaction with the log of the SQL message. A series of processing displayed on the screen of the Web browser will be described with reference mainly to FIGS. 5A to 5B. In connection with the description of this process, the various tables whose configurations are illustrated in FIGS. In this embodiment, these data processes are performed by the packet management unit 601, the Web access mapping candidate analogy processing unit 602 (hereinafter “mapping processing unit 602”) or the DB access pattern analogy processing unit 603 (hereinafter “ Pattern processing unit 603 ").

  First, in FIG. 5A, when access log analysis is started (S1001), the log range to be analyzed is designated from the log monitoring terminal 700 (S1002). Specifically, it can be specified by inputting date and time information to which a log to be analyzed belongs from the input device 14 of the log monitoring terminal 700. The analysis target may be specified by specifying the message stored in the packet management table 609 by the message transmission time, the IP address, the port number, the HTTP or SQL header content, and the like. In this embodiment, it is assumed that all messages shown in the sequence illustrated in FIG. 4 are to be analyzed.

  When the analysis target log is specified and the analysis is started, the packet management unit 601 reads the specified log (W1-1 in FIG. 4 here) one by one from the packet management table 609 (S1003). Next, the packet management unit 601 determines whether the reading of the designated log has been completed (S1004).

  Next, in S1004, when the packet management unit 601 determines that reading of the specified log has not been completed (S1004, No), the packet management unit 601 determines that the read capture data is an HTTP request or an HTTP response. , SQL request, or SQL response is determined (S1005). In the sequence of FIG. 4 assumed in the present embodiment, the types of capture data are the above-described four types, but other types of data are appropriately selected according to the form of data processing executed in the information system 1. You may make it discriminate | determine by.

  Since W1-1 in FIG. 4 is determined as an HTTP request, the mapping processing unit 602 issues w1 as a Web access ID for identifying this message, and the corresponding Web access type ID 6101 from the Web access type management table 610 in FIG. Wt3 is acquired (S1006). The Web access type management table 610 stores a Web access type 6101, a Web access URL 6102, a parameter input URL 6103, and a parameter 6104 in association with each other as shown in the configuration example of FIG. The mapping processing unit 602 compares the content of the capture data to be analyzed with the Web access type management table 610 to identify the type of the capture data and associate the corresponding Web access type ID 6101 with it. The web access ID list 605 shown in the configuration example of FIG. 7 stores the web access ID 6051 and the web access type ID 6052 in association with each other. In the present embodiment, wt3 corresponds to the Web access W1-1 and W2-1 in FIG. 4 and indicates an HTTP request related to user authentication. The Web access type ID 6052 is set in advance assuming a message type used for data processing performed in the information system 1. The mapping processing unit 602 registers the web access ID w1 in association with wt3 in the web access ID list 605 (S1007). Thereafter, the mapping processing unit 602 returns the process to S1003.

Analysis of W2-1 Next, the mapping processing unit 602 analyzes the message of W2-1 in FIG. As in the case of W1-1, since W2-1 is an HTTP request, the mapping processing unit 602 issues w2 as a Web access ID for identifying W2-1 and associates it with wt3 which is the corresponding Web access type ID. The web access ID w2 is registered in the web access ID list 605 on the memory. Thereafter, the mapping processing unit 602 returns the process to S1003.

Analysis of D1-1 Next, the mapping processing unit 602 analyzes the message of D1-1. 5A and 5B, since D1-1 is an SQL request, the mapping processing unit 602 issues d1 as a DB access ID for identifying this message, and corresponds to the DB access type management table 611 in FIG. Dt1 is acquired as the DB access type ID 6062 (S1021). The DB access type ID 6062 is determined using the DB access type management table 611 whose configuration example is shown in FIG. The DB access type management management table 611 includes a DB access type ID 6111 for identifying a DB access type, a host name 6112 and a DB name 6113 that are corresponding DB access destinations, and query information included in the corresponding DB access. 6114 is stored in association with each other. That is, the mapping processing unit 602 compares the data to be analyzed (D1-1 in this case) with the DB access type management table 611, and associates the specified DB access type ID 6111 with the data to be analyzed. In the DB access type ID list 606 illustrated in FIG. 8, the DB access ID 6061 and the DB access type ID 6062 are stored in association with each other on the memory.

  Thereafter, the mapping processing unit 602 adds the node d1 as the DB access ID to the DB access ID related graph 620 (FIG. 15A) that manages the DB access status that has occurred so far in the memory (S1022). Since the next step of S1023 does not correspond to d1, it is skipped as described later, and in step S1024, w1 and w2 issued as Web access IDs currently being executed are added as attribute values of the d1 node. The situation of the DB access ID related graph at this point is as shown in FIG. 15A, and the attribute value is described around the node. The graph of FIG. 15A represents that the Web access that caused the generation of D1-1 at the time of D1-1 transmission is either W1-1 or W2-1. The DB access ID related graph 620 illustrates whether each DB access is accessing the business DB 300 and the relationship with the Web access that can be a caller. The DB access ID related graph 620 may be described in another expression format such as a table.

Analysis of D2-1 Next, the mapping processing unit 602 analyzes the message of D2-1 in FIG. Since D2-1 is an SQL request in the same manner as D1-1, the mapping processing unit 602 sequentially performs the processing of S1021 to S1024 in FIG. 5B. The mapping processing unit 602 issues d2 as a DB access ID for identifying D2-1, stores it in the DB access ID list 606 in association with the corresponding DB access type ID dt1, as shown in FIG. 15B. A node d2 is added to the access ID related graph 620 (S1022).

  For D2-1, in S1023, a link is generated with the d1 node to which the finished attribute described later is not attached. This link indicates that an exclusive relationship exists between DB accesses, and d1 and d2 indicate that they are not called from the same Web access. At the time of execution of S1023, the DB access in which the finished attribute is not given to other surrounding nodes is currently being accessed, and thus has an exclusive relationship with such a node. The situation of the DB access ID related graph 620 at this time is as shown in FIG. 15B, and the Web access IDs being accessed at the time of issuing d2 are w1 and w2.

Analysis of D1-2 Next, the mapping processing unit 602 analyzes the message of D1-2 in FIG. Since D1-2 is an SQL response returned from the business DB 300 corresponding to D1-1, the mapping processing unit 602 adds a finished attribute to the d1 node as shown in FIG. 15C (S1025). Further, since the web access IDs currently being accessed with respect to D1-1 are w1 and w2, the web access ID attributes w1 and w2 of d1 are not changed (S1026). In addition, since a unique transmission source port number is assigned to each transmitted DB access to the SQL request and the SQL response which are SQL DB accesses, the mapping processing unit 602 uses the transmission source port number to correspond to the corresponding SQL port. Requests and responses can be specified.

  In S1027, since it is determined whether the number of node attribute values is 1, when the two w1 and w2 are associated as in this example, the mapping processing unit 602 moves the process to S1031. Transition. In S1031, since the finished attribute is not assigned to the node d2, the mapping processing unit 602 returns to S1003 in FIG. 5A and continues log analysis.

Analysis of W1-2 Next, the mapping processing unit 602 analyzes the message of W1-2 in FIG. Since W1-2 is an HTTP response, the mapping processing unit 602 shifts the process to S1008 and deletes w1 from the Web access ID list 605 on the memory (S1008). At this time, the web access ID 6051 existing in the web access ID list 605 is only w2. Then, as illustrated in FIG. 15D, the mapping processing unit 602 marks the node attribute value w1 in the DB access ID related graph 620 (S1009). In the present embodiment, the marked attribute value is represented by underlining the value as shown in FIG. 15D. The marked web access ID indicates that the processing of the HTTP request specified by the web access ID has been completed.

Analysis of D2-2 Next, the mapping processing unit 602 analyzes the message of D2-2 in FIG. Since D2-2 is an SQL response (S1005, SQL response), the mapping processing unit 602 sequentially performs the processing from S1025 to S1027. Since the Web access ID being accessed is only w2 at the time of executing S1026, the attribute of the Web access ID is updated to w2 as shown in FIG. 15D.

  In this way, the process S1026 narrows down the Web access mapping candidates by obtaining a list of Web access IDs that are being accessed at the start and end of DB access, and calculating the common part thereof, thereby achieving higher accuracy. Thus, it is possible to analogize Web access mapping candidates. In particular, in the present embodiment, since the Web accesses w1 and w2 are both accesses to the same URL of the application server 200, Web access mapping candidates for d1 and d2 if the narrowing by calculation of the common part is not performed. It is difficult to analogize. In this case, the web access mapping candidates for d1 and d2 are both w1 and w2, and in any combination, the accuracy of the mapping candidate is 0.5, that is, the probability is equal and the mapping accuracy is lowered.

  In S1027, since the web access ID of the node attribute value is only one of w2, the mapping processing unit 602 advances the processing to S1028, deletes w2 from the web access ID list attribute value of d1 which is an adjacent node, The link between d1 and d2 is also deleted (S1029).

  Thereafter, in S1030, the mapping processing unit 602 performs the processes of S1027 to S1029 for d1 that is an adjacent node of d2. In S1027, since the Web access ID list attribute value of the node d1 is only w2, the mapping processing unit 602 advances the process to S1028 and deletes w1 from the Web access ID list attribute of d2. The situation of the DB access ID related graph 620 at this time is as shown in FIG. 15D.

  After the above processing, the mapping processing unit 602 determines whether all nodes in the DB access ID related graph 620 have the finished attribute (S1031) and whether all the Web access ID list attribute values of each node are marked ( S1032) is determined. In order to satisfy these determination conditions for D2-2, the mapping processing unit 602 advances the process to S1200 in FIG. 5A.

== Web access mapping candidate accuracy calculation processing, DB access pattern candidate accuracy calculation processing ==
In step S1200, the mapping processing unit 602 performs web access mapping candidate accuracy calculation processing. A specific processing flow example of the Web access mapping candidate accuracy calculation processing is shown in FIG. 5C. In the Web access mapping candidate accuracy calculation process, for the two types of DB accesses with the DB access IDs d1 and d2, the Web access ID that is the call source is estimated, the Web access mapping candidate is extracted, and the accuracy for each candidate is calculated. To implement. The accuracy of the Web access mapping candidate is displayed on the log monitoring screen illustrated in FIG. 16 after log analysis, and is information indicating the degree of connection between the Web log and the DB log.

  With reference to FIG. 5C, the Web access mapping candidate accuracy calculation process will be specifically described. First, when the processing is started in S1201, the Web access mapping candidate w1 is acquired from the attribute value of the d1 node for the DB access ID d1 from the DB access ID related graph 620 in FIG. 15D (S1202).

  Next, the mapping processing unit 602 calculates the provisional accuracy of the Web access mapping candidate w1 for d1 (S1203). The provisional accuracy is preliminary data used for calculating the accuracy of the Web access ID w1, and in this embodiment, the occurrence probability is divided equally by the number of Web access mapping candidates. Here, since the web access mapping candidate for d1 is only w1, the provisional accuracy of w1 is 1. Thereafter, wt3 is acquired as the Web access type ID 6052 corresponding to w1 from the Web access ID list 605 of FIG. 7 (S1204). Subsequently, the mapping processing unit 602 acquires the number of appearances of wt3, which is a web access type ID that has occurred in the past, from the web access mapping result management table 612 (S1205). In this embodiment, 17 is acquired as the number of occurrences of Web access type ID = wt3 for dt1 as the DB access type ID from FIG. 12A.

Next, the mapping processing unit 602 calculates the probability that the mapping candidate appears from the provisional accuracy that the mapping candidate appears in S1202 and the past number of appearances of the mapping candidate obtained in S1204 (S1206). The appearance probability of the mapping candidate is calculated as a ratio of the total number of appearances (including this time) of each mapping candidate to the total number of appearances (including this time) of all the mapping candidates that are targets. Specifically, the mapping accuracy is calculated by the following equation.
Mapping accuracy = (appearance number of target mapping candidates + provisional accuracy) / (appearance number of all mapping candidates + total provisional accuracy) (Equation 1)
Here, since the mapping candidate is only w1, the mapping accuracy is 1. As shown in FIG. 11, the calculated accuracy is stored in the Web access mapping candidate management table 607 in association with the Web access ID and the DB access ID.

  Thereafter, the mapping processing unit 602 adds the accuracy obtained above to the mapping result management table 612 indicating the number of appearances of past Web access mapping candidates (S1207). Here, the Web access mapping result management table 612 before log analysis is as shown in FIG. 12A, and 1 is added to the number of appearances of the DB access type ID dt1 and the Web access type ID wt3. Thus, the calculation of the accuracy of the Web access mapping candidate regarding d1 is finished, and the mapping processing unit 602 returns the processing to the flow of FIG. 5A.

  Subsequently, the pattern processing unit 603 calculates the DB access pattern candidate accuracy using the mapping candidate accuracy calculated in S1200 (S1300). The accuracy of the DB access pattern candidate is displayed on the log monitoring screen illustrated in FIG. 16 after log analysis, as is the accuracy of the Web access mapping candidate, and is information indicating the degree of connection between the Web log and the DB log.

  The pattern processing unit 603 refers to the DB access pattern result management diagram 608 to acquire the number of appearances of the DB access pattern that has occurred in the past due to the Web access type ID = wt3 (S1304). In this embodiment, from FIG. 14, a path that follows a node from the left to the right in the order of start → wt3 → dt1 → end is selected, and the number attached to the end that is a leaf node is acquired as the number of appearances 12 times. To do.

Next, the pattern processing unit 603 calculates the probability of appearance of the DB access pattern candidate from the provisional accuracy of appearance of the DB access pattern candidate calculated in S1303 and the past appearance count of the DB access pattern candidate calculated in S1304. (S1305). Appearance accuracy of DB access pattern candidates is determined for each DB access pattern candidate (this time) with respect to the total number of appearances (including this time) of all target DB access pattern candidates. Calculated as a percentage of the total number of occurrences. Specifically, the DB access pattern accuracy is calculated by the following formula.
DB access pattern accuracy = (appearance count of target DB access pattern candidates + provisional accuracy) / (appearance count of all DB access pattern candidates + total provisional accuracy) (Equation 2)
Here, since the DB access pattern candidates are only patterns passing through the path of start → wt3 → dt1 → end, the mapping accuracy is 1. The calculated accuracy is stored in the DB access pattern candidate management diagram 608 as shown in FIG. 13B.

  Thereafter, in the process of S1306, the pattern processing unit 603 adds the accuracy obtained above to the DB access pattern result diagram 608 indicating the number of appearances of past DB access pattern candidates. Here, 1 is added to the number of appearances assigned to each node in the path of start → wt3 → dt1 → end. As described above, the pattern processing unit 603 finishes the DB access pattern candidate accuracy calculation, and returns the process to the flow of FIG. 5A.

  Next, the accuracy of Web access mapping candidates for DB access d2 is calculated in the same procedure as DB access d1. In the case of DB access d2, the change from DB access d1 is that the Web access mapping candidate acquired in S1202 is only w2, and the other points are the same as in the case of DB access d1.

  Also, when the accuracy of the DB access pattern candidate is calculated using the calculated accuracy of the Web access mapping candidate, the DB access pattern candidate is only a pattern passing through the path of start → wt3 → dt1 → end, so that the DB access d1 It is the same as the case of.

Analysis of W2-2 Hereinafter, processing of packet data after W2-2 in FIG. 4 will be described. Since it is determined in S1005 of FIG. 5A that W2-2 is an HTTP response, the Web access w2 is deleted from the Web access ID list 605 on the memory (S1008). At this point, the web access ID 6051 no longer exists in the web access ID list 605. Then, as illustrated in FIG. 15E, the mapping processing unit 602 marks the node attribute value whose Web access ID is w2 (S1009).

Analysis of W3-1 Next, the mapping processing unit 602 analyzes the message of W3-1 in FIG. Since it is determined in step S1005 in FIG. 5A that W3-1 is an HTTP request, the mapping processing unit 602 performs processing in the order of S1006 and S1007. The mapping processing unit 602 issues w3 as a Web access ID for identifying W3-1 and registers the Web access ID = w3 in the Web access ID list 605 on the Web access memory in association with the corresponding Web access type ID = wt1. To do.

Analysis of D3-1 Next, the mapping processing unit 602 analyzes the message of D3-1. Since D3-1 is determined to be an SQL request in S1005 of FIG. 5A, the mapping processing unit 602 sequentially performs the processes of S1021 to S1024 of FIG. 5B. First, the mapping processing unit 602 issues d3 as a DB access ID for identifying D3-1, and stores it in the DB access ID list 606 in association with the corresponding DB access type ID dt2. Thereafter, the mapping processing unit 602 adds the node of the DB access d3 to the DB access ID related graph 620 (S1022). Since the mapping processing unit 602 does not correspond to the DB access d3 in S1023, the mapping processing unit 602 does not execute link generation, and adds w3 that is the currently executed Web access ID to the Web access ID attribute value of the d3 node (S1024).

Analysis of W4-1 Next, the mapping processing unit 602 analyzes the message of W4-1 in FIG. In S1005 of FIG. 5A, since W4-1 is determined to be an HTTP request, the mapping processing unit 602 performs processing in the order of S1006 and S1007. The mapping processing unit 602 issues w4 as a Web access ID for identifying W4-1, and associates Web access ID = w4 with the Web access ID list 605 on the memory in association with wt2 which is the corresponding Web access type ID. To do.

Analysis of D3-2 Next, the mapping processing unit 602 returns to S1003 in FIG. 5A and analyzes the message of D3-2. In S1005 of FIG. 5A, since D3-2 is determined to be an SQL response, the mapping processing unit 602 sequentially performs the processes of S1025 to S1027. Since the Web access IDs being accessed are w3 and w4 at the time of execution of S1026, the attribute value of the Web access ID is updated only to w3. Thereby, the mapping processing unit 602 executes the processing of S1028 to S1030, and the situation of the DB access ID related graph 620 is as shown in FIG. 15E.

  After the above processing, the condition that the finished attribute is assigned to all the nodes of the graph 620 is satisfied in S1031, but the condition that all the Web access IDs of the node attribute values in the graph are not satisfied in S1032. The mapping processing unit 602 returns the processing to S1003 in FIG. 5A and performs processing on the subsequent packet data.

Analysis of D4-1 Next, the mapping processing unit 602 analyzes the message of D4-1 in FIG. In S1005 of FIG. 5A, since it is determined that D4-1 is an SQL request, the mapping processing unit 602 sequentially performs the processes of S1021 to S1024. The mapping processing unit 602 issues d4 as the DB access ID for identifying D4-1, stores it in the DB access ID list 606 in association with the corresponding DB access type ID = dt2, and DB access to the DB access ID related graph 620. The node d4 is added (S1022). Since the mapping processing unit 602 does not correspond to d4 in S1023, the mapping processing unit 602 adds Web access IDs w3 and w4 that are currently being implemented to the attribute value of the d4 node without generating a link (S1024).

Analysis of D5-1 Next, the mapping processing unit 602 analyzes the message of D5-1 in FIG. In S1005 of FIG. 5A, since D5-1 is determined to be an SQL request in the same manner as D4-1, the mapping processing unit 602 sequentially performs the processing of S1021 to S1024 for D5-1. Specifically, the mapping processing unit 602 issues d5 as the DB access ID for identifying D5-1, stores it in the DB access ID list 606 in association with the corresponding DB access type ID dt3 (S1021). Thereafter, the mapping processing unit 602 adds the node of the DB access d5 to the DB access ID related graph 620 as shown in FIG. 15F (S1022).

  Next, the mapping processing unit 602 generates a link with the d4 node to which the finished attribute is not attached in the DB access ID related graph 620 (S1023). The status of the DB access ID related graph 620 at this time is as shown in FIG. 15F, and the web access IDs w3 and w4 being accessed when the d5 is issued as the DB access ID are the web access ID attribute values of the d5 node. (S1024). Thereafter, the mapping processing unit 602 shifts the processing to S1003 in FIG. 5A and reads D4-2, which is the next message.

Analysis of D4-2 Next, the mapping processing unit 602 analyzes the message of D4-2 in FIG. Since D4-2 is determined to be an SQL response in S1005 of FIG. 5A, the mapping processing unit 602 first sequentially performs the processes of S1025 to S1027 of FIG. 5B. Specifically, the mapping processing unit 602 adds a finished attribute to the DB access d4 that is the target node of the DB access d5 (S1025). In S1026, since the Web access IDs being accessed are w3 and w4, the attribute values of the Web access ID related to d5 remain w3 and w4 as common parts with the attribute value of the DB access d4. Therefore, the mapping processing unit 602 determines in S1027 that the number of Web access IDs that are node attribute values for the DB access d5 is not 1, and shifts the processing to S1031. In S1031, since the DB access d5 has not yet been given the finished attribute, the mapping processing unit 602 returns the processing to S1003 in FIG. 5A, reads the next message D5-2, and continues the log analysis.

Analysis of D5-2 Next, the mapping processing unit 602 analyzes the message of D5-2. Since it is determined in S1005 of FIG. 5A that D5-2 is an SQL response, the mapping processing unit 602 sequentially performs the processes of S1025 to S1027 of FIG. 5B. Specifically, the mapping processing unit 602 first adds a finished attribute to the corresponding DB access d5 (S1025). In S1026, since the Web access IDs being accessed are w3 and w4, the common part with the attribute value of the DB access d4 for the DB access d5 remains w3 and w4. Therefore, the mapping processing unit 602 determines in S1027 that the number of Web access IDs that are node attribute values for the DB access d5 is not 1, and shifts the processing to S1031. In S1031, the mapping processing unit 602 checks whether all attribute values of the DB access ID related graph 620 are marked because the finished attribute is assigned to all nodes as shown in FIG. 15G. As shown in FIG. 15G, since all of them have not been marked yet (S1032, No), the mapping processing unit 602 returns the processing to S1003 in FIG. 5A, reads the next message W4-2, and continues log analysis. To do.

Analysis of W4-2 Next, the mapping processing unit 602 analyzes the message of W4-2 in FIG. Since it is determined in S1005 of FIG. 5A that W4-2 is an HTTP response, the mapping processing unit 602 deletes w4 of the Web access ID 6051 from the Web access ID list 605 on the memory (S1006). At this time, the web access ID 6051 existing in the web access ID list 605 is only w5. Then, the mapping processing unit 602 marks the node attribute value whose Web access ID 6051 is w4 in the DB access ID related graph 620 of FIG. 15G (S1009). Thereafter, the mapping processing unit 602 returns the processing to S1003 in FIG. 5A.

Analysis of W5-2 Finally, the mapping processing unit 602 analyzes the message of W5-2 in FIG. Since it is determined in S1005 of FIG. 5A that W5-2 is an HTTP response, the mapping processing unit 602 deletes the DB access w5 from the Web access ID list 605 on the memory (S1008). At this point, the web access ID 6051 does not exist in the web access ID list 605 of FIG. Then, the mapping processing unit 602 marks the node attribute value whose Web access ID 6051 is w5 (S1009).

  Next, the mapping processing unit 602 shifts the processing to S1003, but there is no message to be read any more and it is determined that all data has already been read (S1004, Yes). Next, the DB access ID related It is determined whether all the graphs 620 have been processed (S1010). At this time, since the graph illustrated in FIG. 15G including the nodes d3, d4, and d5 has not been processed, the mapping processing unit 602 advances the processing to S1200.

== Web access mapping candidate accuracy calculation processing, DB access pattern candidate accuracy calculation processing ==
In S1200, the mapping processing unit 602 calculates the accuracy of Web access mapping candidates for the DB access whose DB access ID is d3. For DB access d3, since the Web access mapping candidate acquired in S1202 is only w3, the accuracy of the Web access mapping candidate is 1 as in the case of DB access d1 and d2.

  Subsequently, the mapping processing unit 602 calculates the accuracy of the Web access mapping candidate for the DB access whose DB access ID is d4. For the DB access d4, the Web access mapping candidates acquired in S1202 are w3 and w4, so the provisional accuracy of the Web access mapping candidates is 1/2 (S1203). Also, the web access type IDs corresponding to the web accesses w3 and w4 are wt1 and wt2, respectively, and the number of occurrences of wt1 and wt2 when the DB access type dt2 is called is from the web access mapping result management table 612 in FIG. 12A. , 10 times each (S1204, S1205). As described above, the probability that w3 is generated when the DB access d4 is called is 0.5. Similarly, the probability that w4 is generated when the DB access d4 is called is 0.5 (S1206). Then, as illustrated in FIG. 12B, the mapping processing unit 602 adds the obtained mapping accuracy to the Web access mapping result management table 612 (S1207).

  Next, the mapping processing unit 602 calculates the accuracy of Web access mapping candidates for the DB access whose DB access ID is d5. Also in this case, since the Web access mapping candidates acquired in S1202 are w3 and w4, the provisional accuracy of the Web access mapping candidates is 1/2 (S1203). Also, the web access type IDs corresponding to w3 and w4 are wt1 and wt2, respectively, and the number of appearances of wt1 and wt2 when the DB access type dt3 is called is based on the web access mapping result management table 612 in FIG. 13 times and 1.5 times (S1205). From the above, when DB access d5 is called, the probability that w3 is the caller is 0.87. In addition, when DB access d5 is called, the probability that w4 is the caller is 0.13 (S1206). Then, the mapping processing unit 602 adds the obtained mapping accuracy to the web access mapping result management table 612, as illustrated in FIG. 12B (S1207). Thereafter, the mapping processing unit 602 shifts the processing to S1300 in FIG. 5A.

  Next, in S1300, the pattern processing unit 603 calculates the accuracy of DB access pattern candidates for the Web accesses w3 and w4. In this case, the accuracy of the DB accesses d3, d4, and d5 for the web access w3 is 1, 0.5, and 0.87 from the web access mapping candidate management table 607 of FIG. The accuracy of d4 and d5 with respect to w4 is 0.5 and 0.13, respectively. Referring to FIG. 15G, one of the DB accesses d4 and d5 corresponds to w3 and the other corresponds to w4. Of these, when the sum of probabilities is 1, the probability that the DB access d4 and the Web access w3, the DB access d5 and the Web access w4 correspond to each other is 0.13, the DB access d4 and the Web access w4, and the DB access d5 and The probability that each Web access w3 corresponds is 0.87. Therefore, the DB access pattern corresponding to the Web access IDs of the Web accesses w3 and w4 is expressed as shown in FIG. 13A.

  Next, the pattern processing unit 603 calculates provisional accuracy of each DB access pattern candidate (S1303). First, the pattern processing unit 603 extracts patterns passing through the paths of start → w3 → d3 → d4 and start → w3 → d3 → d5 as DB access pattern candidates for the web access w3, and the provisional accuracy is on each path. Calculated by the product of the numbers attached to the node. As a result, the former provisional accuracy is 0.13 and the latter provisional accuracy is 0.87. The provisional accuracy is similarly calculated for the access pattern candidate for the Web access w4. In this case, the provisional accuracy of the pattern passing through the path of start → w4 → d4 and the path of start → w4 → d5 is 0.87 and 0.13, respectively.

  Next, the pattern processing unit 603 acquires the number of appearances of the DB access pattern that occurred in the past from the DB access pattern result management diagram 613 (S1304). Specifically, the pattern processing unit 603 replaces the Web access ID and DB access ID at each node with the corresponding Web access ID type and DB access ID type for each DB access pattern candidate described above, as shown in FIG. A path search is performed on the DB access pattern result management diagram 613 shown in FIG. Then, for the matching path, the number attached to the leaf node is returned as the number of appearances.

  Referring to FIG. 13B, the DB access pattern candidate for Web access w3, the accuracy of w3 → d3 → d4, is calculated to be 0.19 (S1305). Similarly, the accuracy of DB access pattern candidates, w3 → d3 → d5, w4 → d4, w4 → d5 is calculated to be 0.81, 0.84, and 0.16, respectively. Then, the mapping processing unit 602 adds the obtained DB access pattern accuracy to the Web access mapping result management table 612 (S1306). Thereafter, the pattern processing unit 603 returns the process to S1003 in FIG. 5A.

  As shown by the relationship between the DB access d4 and the Web access w4 and w5 in the present embodiment, it is determined which DB access ID is associated with which mapping candidate simply by calculating the accuracy of the Web access mapping candidate associated with the DB access ID. There are cases where it is not possible. However, in this embodiment, by calculating the accuracy of DB access pattern candidates based on the number of occurrences of past DB access patterns, it is possible to estimate with high probability which DB access is called from which Web access. Yes.

  Here, since all of the capture data has already been read (S1004), and all the processes in the DB access ID related graph 620 have been completed (S1010, Yes), the mapping processing unit 602 analyzes the access log. Is finished (S1100).

Log Monitoring Screen Example FIG. 16 shows an example of a log monitoring screen displayed on the web browser of the user terminal 100 by the log display unit 701 of the log monitoring terminal 700 included in the information system 1 of FIG. Show. In the example of FIG. 16, the Web access ID to be investigated is selected on the log monitoring screen by clicking with the mouse or the like, and the DB access log associated with the selected Web access ID (“WebID” in FIG. 16) is displayed in color. To do.

  In the present embodiment, when the line specified by the web access ID w3 is designated, the DB access pattern linked to w3 is ranked and displayed at the bottom of the screen. Here, when a pattern associated with an accuracy of 81% is selected, the background color of the DB access log displayed on the right side of the screen as the DB access associated with the Web access w3 is the line specified by the DB access IDs d3 and d5. Changes. For such output processing, for example, the log drawing processing unit 604 of the access log analysis apparatus 600 refers to the DB access pattern candidate management diagram 608 in FIG. 13B based on the designation of the search target Web access from the log monitoring terminal 700. Is executed. By such an operation, for example, it is possible to trace the cause of the problem occurring on the business DB 300 side by tracing the processing sequence in the information system 1 from the operation information on the user terminal 100 or the like. At that time, it is not necessary to make any changes to the components of the information system 1 and the structure of data to be handled.

  Note that the access log analysis apparatus 600 according to the present embodiment can be applied for various purposes other than enabling the cause of the problem to be traced by the system trace in the information system 1. Examples of such applications include business systems such as various application settlement processes in a business flow used in a company or the like, and a settlement process in a travel expense system. In the input work in such a business system, the user may take a procedure of pressing a work completion button after inputting a lot of information. In such a case, in the business system, when the work completion button is pressed, the DB information addition / update process occurs collectively, and at that time, an SQL UPDATE statement or INSERT statement is issued. Therefore, the HTTP response linked to the DB access ID that issued the UPDATE or INSERT statement in the DB access log is regarded as a work end delimiter, and the interval until the next work end delimiter is regarded as one work unit. In addition, it is possible to acquire the flow of work in units of work in time series.

  As described above, according to the access log analysis apparatus of the present embodiment, the log of information processing that is normally executed in the target information system can be performed without modifying the elements such as applications running in the information system. By collecting and analyzing, the information processing flow executed in the information system can be grasped with a predetermined accuracy.

  In addition, this invention is not limited to embodiment mentioned above. A person skilled in the art can make various additions and changes within the scope of the present invention. For example, the above embodiments can be combined as appropriate.

DESCRIPTION OF SYMBOLS 1 Information system 10 Information processing apparatus 11 CPU 12 Memory 13 Communication apparatus 14 Input apparatus 15 Output apparatus 16 Reading apparatus 17 External storage apparatus 18 Portable storage medium 100 User terminal 200 Application server 300 Business DB 400 Packet replication apparatus
500 packet capture device 600 access log analysis device 601 packet management unit 602 Web access mapping candidate analogy processing unit 603 DB access pattern analogy processing unit 604 log drawing processing unit 605 Web access ID list 606 DB access ID list 607 Web access mapping candidate management table 608 DB access pattern candidate management diagram 609 Packet management table 610 Web access type management table 611 DB access type management table 612 Web access mapping result management table 613 DB access pattern result management diagram 700 Log monitoring terminal 701 Log display unit 800 Communication network

Claims (9)

An application server in which an application program is running, a user terminal that transmits a processing request to the application server, and a database that receives an inquiry from the application that has received the processing request and returns a reply can communicate with each other. An access log analyzer connected to the connected information system so as to be able to communicate,
A packet management unit for acquiring and storing communication packets constituting the processing request and the inquiry and reply;
The communication packet of a predetermined period is acquired from the packet management unit, the processing request and the inquiry are extracted, and a processing request mapping candidate that is a candidate for the processing request that is the caller of the inquiry is selected. ,
The occurrence accuracy of each processing request mapping candidate is obtained as a provisional occurrence accuracy from the number of the processing requests associated with the inquiry, the number of times the inquiry is called by the processing request in a certain past period, and the processing request A processing request mapping candidate processing unit having a function of calculating the new processing request mapping candidate generation accuracy by adding the provisional generation accuracy to the generation accuracy of the mapping candidate;
The occurrence probability of the inquiry called by each processing request is calculated, the provisional occurrence accuracy is obtained from the number of combinations of inquiry patterns which are a series of inquiry patterns called from each processing request, and a predetermined period in the past A query pattern candidate processing unit having a function of calculating the accuracy of the query pattern candidate from the number of appearances of each of the query patterns recorded to occur and the provisional occurrence accuracy of the processing request mapping candidate for the query When,
A function for generating screen data for displaying the screen by associating the processing request with the inquiry candidate called by the processing request based on the generation accuracy of the processing request mapping candidate and the generation probability of the inquiry pattern candidate A screen drawing processing unit having
Comprising
Access log analyzer. The access log analyzer according to claim 1,
The processing request mapping processing unit selects, as the processing request mapping candidate, the processing request that is not responded to the processing request at the time of transmission of the query and at the time of reception of a response to the query. To
Access log analyzer. The access log analyzer according to claim 2,
When the processing request mapping processing unit determines that there is no processing request commonly associated with different inquiries, each of the inquiries is called by the processing request with which the inquiries are associated with each other. judge,
Access log analyzer. The access log analyzer according to claim 1,
The processing request mapping processing unit, as a ratio of the total appearance frequency of each of the processing request mapping candidates in the total appearance frequency of all the processing request mapping candidates that are targeted, the occurrence accuracy of the processing request mapping candidate calculate,
Access log analyzer. The access log analyzer according to claim 4,
The processing request mapping processing unit calculates provisional accuracy of each processing request mapping candidate by equally dividing the occurrence probability of the processing request mapping candidate by the number of processing request mapping candidates.
Access log analyzer. The access log analyzer according to claim 1,
The inquiry pattern processing unit is configured to determine a probability of occurrence of the inquiry pattern candidates associated with each of the processing requests, including all of the inquiry pattern candidates that are currently included in the analysis. Calculated as a ratio of the total number of appearances including the one currently being analyzed for each query pattern candidate to the number of appearances,
Access log analyzer. The access log analyzer according to claim 6,
The inquiry pattern processing unit calculates the provisional accuracy of the inquiry pattern candidate as a product of the occurrence accuracy of each inquiry called by the processing request.
Access log analyzer. The access log analyzer according to claim 1,
The screen rendering processing unit displays each processing request using a processing request ID that is an identification code for identifying the processing requests from each other, and responds when any of the processing request IDs is selected. The query pattern candidates that are called by the processing request to be displayed are ranked according to their occurrence probability, and when the query pattern candidates in a specific order are selected, the query pattern candidates included in the selected query pattern candidates are displayed. An access log analysis device that displays an inquiry in association with the processing request specified by the selected processing request ID. An application server in which an application program is running, a user terminal that transmits a processing request to the application, and a database that receives an inquiry from the application that has received the processing request and returns a response are communicably connected. An information system access log analysis method, wherein the information system is communicably connected to the information system, and includes an information processor having a processor and a memory.
Acquire and store the communication packet constituting the processing request and the inquiry and answer,
Obtaining the communication packet for a predetermined period, extracting the processing request and the inquiry, selecting a processing request mapping candidate that is a candidate for the processing request that is the caller of the inquiry,
The occurrence accuracy of each processing request mapping candidate is obtained as a provisional occurrence accuracy from the number of the processing requests associated with the inquiry, the number of times the inquiry is called by the processing request in a certain past period, and the processing request Add the provisional occurrence accuracy to the occurrence probability of the mapping candidate to calculate the new processing request mapping candidate occurrence accuracy,
The occurrence probability of the inquiry called by each processing request is calculated, the provisional occurrence accuracy is obtained from the number of combinations of inquiry patterns which are a series of inquiry patterns called from each processing request, and a predetermined period in the past The accuracy of the query pattern candidate is calculated from the number of appearances of each of the query patterns recorded to occur and the provisional occurrence accuracy of the processing request mapping candidate for the query,
Based on the generation accuracy of the processing request mapping candidate and the generation accuracy of the inquiry pattern candidate, generate screen data for associating the processing request with the inquiry candidate called by the processing request and displaying the screen.
Access log analysis method.