JP2020197929A - Log analysis system and log analysis method - Google Patents

Abstract

To provide a log analysis system that can analyze log information when accessing a server on a network from a terminal.SOLUTION: A log analysis system includes a VPN device 30 and an analysis device 40. The VPN device mediates communications between terminals 10-1 to 10-N and servers 20-1 to 20-M while encrypting them, and collects logs related to the communications between the terminals and the servers. The analysis device analyzes the collected logs. The VPN device may receive encrypted data, decrypt the encrypted data, and then store the decrypted data as a log.SELECTED DRAWING: Figure 1

Description

The present invention relates to a log analysis system and a log analysis method.

With the progress of communication technology and information processing technology, various services are provided from companies and government agencies via networks. The user (consumer) operates various terminals such as a mobile phone and a smartphone to use the above service. For example, so-called e-commerce, which is the use of electronic commerce for buying and selling goods and services, is routinely performed.

In such electronic commerce, access information (log information) to a WEB site or the like may be collected for the purpose of grasping the user's behavior. For example, in Patent Document 1, in a service provided by a service provider, user information including user attributes and action history is acquired, and advertisements and other information according to the user are provided based on the user information. It is stated that it has been done.

Japanese Unexamined Patent Publication No. 2019-46473

As described in Patent Document 1, in order to send an accurate advertisement or the like to the user, the user's action history or the like is required.

However, the current situation is that the log information that the service provider really needs is not collected. For example, for the purpose of log collection, it is conceivable to install a dedicated application for log collection on a terminal such as a smartphone.

However, in log collection using such a dedicated application, useful information is available when it is necessary to prepare the above application for each OS (Operating System) or when the communication between the terminal and the server is encrypted. I can't get it.

A main object of the present invention is to provide a log analysis system and a log analysis method that enable analysis of log information when a server on a network is accessed from a terminal.

According to the first aspect of the present invention, the VPN (Virtual Private Network) device that mediates the communication between the terminal and the server while encrypting the communication and collects the log related to the communication between the terminal and the server, and the collected one. A log analysis system including an analysis device for analyzing the logs is provided.

According to the second aspect of the present invention, there are a step of collecting logs related to the communication between the terminal and the server while encrypting and mediating the communication between the terminal and the server, and a step of analyzing the collected logs. A log analysis method including, is provided.

According to each viewpoint of the present invention, there is provided a log analysis system and a log analysis method that enable analysis of log information when a server on a network is accessed from a terminal. In addition, according to the present invention, other effects may be produced in place of or in combination with the effect.

It is a figure which shows an example of the schematic structure of the log analysis system which concerns on 1st Embodiment. It is a figure which shows an example of the processing configuration of the VPN (Virtual Private Network) apparatus which concerns on 1st Embodiment. It is a figure which shows an example of GUI (Graphical User Interface) generated by the setting information acquisition part. It is a figure which shows another example of the processing structure of the VPN apparatus which concerns on 1st Embodiment. It is a figure which shows an example of the log information collected by the log collection part. It is a figure which shows an example of the processing structure of the analysis apparatus which concerns on 1st Embodiment. It is a figure which shows an example of GUI generated by the setting information acquisition part. It is a figure for demonstrating the operation of the log analysis part which concerns on 1st Embodiment. It is a figure for demonstrating the operation of the log analysis part which concerns on 1st Embodiment. It is a figure for demonstrating the operation of the log analysis part which concerns on 1st Embodiment. It is a sequence diagram which shows an example of the operation of the log analysis system which concerns on 1st Embodiment. An example of the hardware configuration of the VPN device according to the first embodiment is shown.

[First Embodiment]
The first embodiment will be described in more detail with reference to the drawings.

FIG. 1 is a diagram showing an example of a schematic configuration of a log analysis system according to the first embodiment. Referring to FIG. 1, the log analysis system includes a plurality of terminals 10-1 to 10-N (N is a positive integer, the same applies hereinafter) and a plurality of servers 20-1 to 20-M (M is a positive integer, The same applies hereinafter), a VPN (Virtual Private Network) device 30, and an analysis device 40.

In the following description, if there is no particular reason for distinguishing terminals 10-1 to 10-N, it is simply referred to as "terminal 10". Similarly, unless there is a particular reason to distinguish between servers 20-1 to 20-M, it is simply referred to as "server 20".

The terminal 10 accesses the network by a wired or wireless communication means. Examples of the terminal 10 include mobile terminal devices such as smartphones, mobile phones, game machines, and tablets, computers (personal computers, laptop computers), and the like.

The server 20 is installed on a network such as the Internet and provides various services such as electronic commerce and information retrieval.

The VPN device 30 is a device that mediates communication between the terminal 10 and the server 20 while encrypting the communication, and collects logs (requests to the server 20 and responses to the terminal 10) regarding communication between the terminal 10 and the server 20. ..

The VPN device 30 operates as a communication device (proxy server) that mediates communication between the terminal 10 and the server 20. The VPN device 30 receives user data (packets) transmitted from the terminal 10 to the server 20, and transfers the received data to the destination server 20. When the VPN device 30 receives the response of the above data from the server 20, the VPN device 30 transfers the received response to the terminal 10.

The VPN device 30 encrypts communication with other devices (terminal 10, server 20) at the time of the data transfer. Specifically, the VPN device 30 encrypts the communication between the terminal 10 and the server 20 by using a protocol such as SSL (Secure Sockets Layer).

The VPN device 30 collects a communication log (access log) between the terminal 10 and the server 20. At that time, the VPN device 30 does not collect the log in the encrypted state, but collects the log in the decrypted state (plaintext log). That is, the VPN device 30 receives the encrypted data (packet) from the terminal 10 and the server 20, decrypts the encrypted data, and then stores the decrypted data as a log.

The VPN device 30 transmits the collected logs to the analysis device 40 at regular intervals or at predetermined timings.

The analysis device 40 analyzes the received log (log collected by the VPN device 30) and outputs the result (log analysis result).

The disclosure of the present application is based on the premise that the VPN device 30 collects the access log of the user who has agreed to collect the log. Therefore, the terminal 10 is set to access the network via the VPN device 30.

Specifically, a simple application for setting a packet transmission destination to the VPN device 30 is installed in the terminal 10, and the terminal 10 transmits a packet to the VPN device 30 by operating the application. As described above, since the user of the terminal 10 agrees that the VPN device 30 collects the access log, the log analysis system disclosed in the present application does not cause a problem related to privacy or the like.

FIG. 2 is a diagram showing an example of a processing configuration (processing module) of the VPN device 30 according to the first embodiment. Referring to FIG. 2, the VPN device 30 includes a communication control unit 301, a log collection unit 302, and a setting information acquisition unit 303.

The communication control unit 301 is a means for controlling communication with other devices (terminal 10, server 20).

The communication control unit 301 makes the encrypted communication between the own device and the terminal 10 different from the encrypted communication between the own device and the server 20. Specifically, when SSL communication is used with each device, the communication control unit 301 has a first common key for encrypted communication with the terminal 10 and a first for encrypted communication with the server 20. Try to use each of the two common keys. That is, the communication control unit 301 terminates the encrypted communication between the terminal 10 and the own device and the encrypted communication between the server 20 and the own device, respectively.

In principle, the communication control unit 301 decrypts and re-encrypts the communication between the terminal 10 and the server 20, but depending on the communication between the terminal 10 and the server 20, the communication is normal when the above processing is performed. It may not be possible to do so. Specifically, when the above processing is performed, the server 20 or the terminal 10 may not respond normally. In such a case, the communication control unit 301 does not perform any processing on the communication between the terminal 10 and the server 20, and transfers the packet as it is. For example, the communication control unit 301 receives the encrypted packet from the server 20, and when the terminal 10 does not respond to the packet from the server 20, the communication control unit 301 transfers the data acquired from the server 20 to the terminal 10 as it is.

As described above, the VPN device 30 does not decrypt the communication between the terminal 10 and the server 20 if the terminal 10 does not operate normally when the encrypted data is received from the specific server 20. That is, the VPN device 30 records the unencrypted communication as it is. The VPN device 30 "decrypts" the encrypted communication once, records the plaintext (records the log), and then "encrypts" it again. Further, if the VPN device 30 cannot communicate correctly after performing the above processing (decryption, re-encryption), the VPN device 30 passes through without "decrypting" (the encrypted one is transmitted to the receiving side as it is). ). As a result, communication between the server 20 and the terminal 10 having special specifications can also be stored as a log.

When the communication control unit 301 acquires the encrypted data from another device, the communication control unit 301 decrypts the acquired data. After that, the communication control unit 301 delivers the decoded data (plaintext data) to the log collection unit 302.

The log collecting unit 302 is a means for collecting a log (access log) of communication between the terminal 10 and the server 20. The log collecting unit 302 stores the data acquired from the communication control unit 301 in a storage unit (not shown). At that time, the log collection unit 302 performs a log collection operation according to the "log collection operation setting information" input by the system administrator or the like. The log collection operation setting information is information that defines an operation when the VPN device 30 collects logs.

The setting information acquisition unit 303 is a means for acquiring (inputting) log collection operation setting information. For example, the setting information acquisition unit 303 generates a GUI (Graphical User Interface) for the system administrator or the like to input the log collection operation setting information (see, for example, FIG. 3). Alternatively, the setting information acquisition unit 303 may input a file in which the log collection operation setting information is described, or may acquire the log collection operation setting information from a database server or the like on the network.

There are various operations that can be determined by the log collection operation setting information. For example, it is possible to set the communication direction between the terminal 10 and the server 20 when collecting logs. More specifically, it is possible to set whether to record the bidirectional communication between the terminal 10 and the server 20 as a log or to record the communication in only one direction (uplink and downlink) as a log.

For example, in the case of setting to leave a log related to upstream communication (communication from the terminal 10 to the server 20), the log collecting unit 302 stores only the data (plaintext data) acquired from the terminal 10 as a log. Store in.

Alternatively, it is possible to set that the access to the same server 20 (same domain) is not stored as a log except for the first access. For example, consider the case where the terminal 10-2 accesses the server 20-1 in FIG. In this case, the log when the terminal 10-2 first accesses the server 20-1 is stored, but the log when the terminal 10-2 subsequently accesses the server 20-1 is not stored.

Even in this case, if the terminal 10-2 accesses a server different from the server 20-1 (for example, the server 20-2) and then accesses the server 20-1 again, the server is the server. The log for 20-1 is stored.

Information when accessing the same server 20 (same domain) is not very important for the purpose of grasping the user's behavior on the network in a broad sense. By omitting the storage of such unimportant data, the size of the log information handled by the VPN device 30 and the analysis device 40 is reduced.

Regarding the data transmitted from the same server 20 to the terminal 10, it is possible to set that only the first data (first response) is stored and the subsequent logs are not stored.

The log collection operation setting information may include a setting related to "time". For example, the access log between the terminal 10 and the server 20 may be stored after a predetermined time has elapsed since the terminal 10 accessed the server 20.

For example, a few seconds are set at the predetermined time. If the user transfers access to another server 20 within the above few seconds, it is possible that the user accidentally accessed an unintended site. By including the above time setting in the setting information, it is possible to eliminate such a log contrary to the user's intention. As a result, the size of the log can be reduced and the analysis accuracy in the analysis device 40 can be improved.

The log collection operation setting information may include a log collection operation according to the content of the data acquired from the terminal 10 or the server 20.

For example, if the request sent from the terminal 10 to the server 20 includes a referrer, it may be set to be recorded as a log. The referrer is information indicating the URL (Uniform Resource Locator) of the link source, and is important information at the time of log analysis. Therefore, the size of the log can be reduced by leaving only the request (access log) including the referrer.

It is also possible to set that data having a specific attribute is left as a log, or that data having a specific attribute is not left as a log. For example, if the acquired data is an "image", it is possible to set not to leave the data related to the image as a log.

Alternatively, it is possible to set to leave only a specific type of image as a log. For example, it is possible to set to leave only an image related to a specific target (for example, a smartphone or the like) as a log among the image data.

In this case, as shown in FIG. 4, it may be determined whether or not the image data acquired by using the learning model 304 for discriminating the specific target is the target to be recorded in the log. The learning model 304 is generated by machine learning using the teacher data with labels attached to the images. Any algorithm such as a support vector machine, boosting, or neural network can be used to generate a learning model (classification model). Since a known technique can be used for the algorithm such as the support vector machine, the description thereof will be omitted.

In this way, the VPN device 30 can determine whether or not to store the received data as a log according to the characteristics of the received data (for example, the received data is an image file). Further, when the received data is image data and the image data includes a predetermined target, the VPN device 30 may store the image data including the predetermined target as a log.

Specifically, the log collection unit 302 determines whether or not the acquired data is an image file based on the file name and extension. If the acquired data is an "image", the log collecting unit 302 inputs the image data to the learning model 304. The log collection unit 302 performs a log collection operation according to the determination result (specific target, non-specific target) of the learning model 304.

For example, if the image data related to the smartphone is set to be stored as a log, the log collecting unit 302 stores the data determined to be "smartphone" by the learning model 304, and discards the data determined to be "non-smartphone". To do.

FIG. 5 is a diagram showing an example of log information collected by the log collecting unit 302. As shown in FIG. 5, the log collecting unit 302 stores the date and time when the log was acquired, the source of the log, and the access log in association with each other. The "remarks" shown in FIG. 5 are for facilitating the understanding of the contents of the log and are not included in the actual log information.

FIG. 5 shows only the access log in the upstream direction (communication from the terminal 10 to the server 20). Although the code of the terminal 10 is shown as the source in FIG. 5, an IP (Internet Protocol) address or the like can be used as the identifier of the source.

In FIG. 5, the logs acquired by the VPN device 30 are described in order (described in chronological order), but the access log may be divided and stored for each terminal 10. That is, the VPN device 30 may store the communication log between the terminal 10 and the server 20 in chronological order to generate log information, or may separately store the communication log for each terminal 10 and store the log information. May be generated.

FIG. 6 is a diagram showing an example of a processing configuration (processing module) of the analysis device 40 according to the first embodiment. Referring to FIG. 6, the analysis device 40 includes a communication control unit 401, a log analysis unit 402, and a setting information acquisition unit 403.

The communication control unit 401 is a means for controlling communication with another device (for example, VPN device 30).

The log analysis unit 402 is a means for analyzing the log information acquired from the VPN device 30.

The setting information acquisition unit 403 is a means for acquiring setting information (hereinafter, referred to as log analysis operation setting information) that determines an operation at the time of log analysis by the log analysis unit 402. For example, the setting information acquisition unit 403 generates a GUI for the system administrator or the like to input the log analysis operation setting information (see, for example, FIG. 7).

The setting information acquisition unit 403 delivers the information set by the GUI to the log analysis unit 402.

The log analysis unit 402 executes log analysis according to the log analysis operation setting information, and outputs the result.

The log analysis operation setting information includes information on what kind of log analysis is to be executed.

For example, the log analysis unit 402 analyzes the input / output related to the access to the site based on the site specified by the system administrator. When the analysis instruction is included in the log analysis operation setting information, the log analysis unit 402 outputs the log analysis result as shown in FIG.

With reference to FIG. 8, the system administrator specifies a site (or network domain) as a reference for the access flow. In this case, the log analysis unit 402 searches for the reference site from the log information acquired from the VPN device 30. After that, the log analysis unit 402 extracts the site accessed immediately before the searched reference site and the site accessed immediately after the reference site, and counts the number of people (the number of terminals) for each site.

The log analysis unit 402 displays the log analysis result including the above result (the number of visitors for each site). In the example of FIG. 8, an access flow (input / output to / from the reference site) to the reference site is generated centering on the reference site, and the number of people is represented by the thickness of the arrow indicating the direction of the flow.

With reference to FIG. 8, it can be seen that the access to the reference site is more from site B than from site A, and when moving from the reference site to another site, site C is more than site D. In this way, the analysis device 40 may generate an access flow based on a specific site based on the log collected by the VPN device 30.

In the example of FIG. 8, the input / output of one stage centering on the reference site is used as the log analysis result, but the user may specify the number of stages. For example, assuming that the number of stages when generating the access flow is "2 stages", the log analysis result as shown in FIG. 9 can be obtained.

A system administrator or the like who comes into contact with the log analysis results as shown in FIGS. 8 and 9 can grasp the user's behavior on the network.

By using the referrer, companies can grasp the route to reach their own site. For example, in the example of FIG. 8, the company or the like that operates the reference site can grasp the access from the site A or the site B. However, companies and the like cannot grasp what kind of site the user will transition to after leaving the reference site.

On the other hand, since the analysis device 40 according to the first embodiment can also provide the output (transition destination) from the reference site to the above-mentioned companies and the like, it provides useful information to the companies and the like that operate the reference site. it can. In the example of FIG. 8, the company or the like that operates the reference site can take measures such as increasing the number of advertisements on the site C.

The log analysis unit 402 may categorize the site into a plurality of types in advance and analyze the access status for each categorized type. For example, the log analysis unit 402 may perform log analysis as shown in FIG.

Specifically, the log analysis unit 402 classifies the sites that can be included in the log information acquired from the VPN device 30 into a predetermined type (genre). For example, referring to FIG. 10, the sites included in the log information are classified into "portal site", "news site", and "EC site".

The log analysis unit 402 classifies each site included in the log information into one of the above genres, and counts the number of accesses for each time zone. In the example of FIG. 10, it can be seen that the number of accesses to the EC (Electronic Commerce) site increases rapidly during the time zone of 20:00.

Subsequently, the operation of the log analysis system according to the first embodiment will be described with reference to the drawings. FIG. 11 is a sequence diagram showing an example of the operation of the log analysis system according to the first embodiment.

The VPN device 30 relays the communication between the terminal 10 and the server 20 (step S01).

The VPN device 30 collects a communication log (access log) between the terminal 10 and the server 20 (step S02).

The VPN device 30 transmits the collected logs to the analysis device 40 at regular intervals or at predetermined timings (step S03).

The analysis device 40 analyzes the acquired log information (step S04).

Next, the hardware of each device constituting the log analysis system will be described. FIG. 12 is a diagram showing an example of the hardware configuration of the VPN device 30.

The VPN device 30 can be configured by an information processing device (so-called computer), and includes the configuration illustrated in FIG. For example, the VPN device 30 includes a processor 311, a memory 312, an input / output interface 313, a communication interface 314, and the like. The components such as the processor 311 are connected by an internal bus or the like so that they can communicate with each other.

However, the configuration shown in FIG. 12 is not intended to limit the hardware configuration of the VPN device 30. The VPN device 30 may include hardware (not shown), and may not include an input / output interface 313 if necessary. Further, the number of processors 311 and the like included in the VPN device 30 is not limited to the example shown in FIG. 12, and for example, a plurality of processors 311 may be included in the VPN device 30.

The processor 311 is a programmable device such as a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). Alternatively, the processor 311 may be a device such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). Processor 311 executes various programs including an operating system (OS).

The memory 312 is a RAM (Random Access Memory), a ROM (Read Only Memory), an HDD (Hard Disk Drive), an SSD (Solid State Drive), or the like. The memory 312 stores an OS program, an application program, and various data.

The input / output interface 313 is an interface of a display device or an input device (not shown). The display device is, for example, a liquid crystal display or the like. The input device is, for example, a device that accepts user operations such as a keyboard and a mouse.

The communication interface 314 is a circuit, a module, or the like that communicates with another device. For example, the communication interface 314 includes a NIC (Network Interface Card) and the like.

The function of the VPN device 30 is realized by various processing modules. The processing module is realized, for example, by the processor 311 executing a program stored in the memory 312. The program can also be recorded on a computer-readable storage medium. The storage medium may be a non-transitory such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. That is, the present invention can also be embodied as a computer program product. In addition, the program can be downloaded via a network or updated using a storage medium in which the program is stored. Further, the processing module may be realized by a semiconductor chip.

The analysis device 40 can also be configured by an information processing device like the VPN device 30, and its basic hardware configuration is not different from that of the VPN device 30, so the description thereof will be omitted.

As described above, in the log collection system according to the first embodiment, the VPN device 30 collects logs related to communication between the terminal 10 and the server 20. Since the VPN device 30 terminates the encrypted communication performed with the terminal 10 and the server 20, it is possible to decrypt the data received from these devices and collect the plaintext data (access log). The analysis device 40 analyzes the data collected by the VPN device 30. As a result, it is possible to realize a log analysis system that enables analysis of log information when the terminal 10 accesses the server 20 on the network.

[Modification example]
The configuration, operation, and the like of the log analysis system described in the above embodiment are examples, and are not intended to limit the system configuration and the like.

For example, a part of the functions of the VPN device 30 may be included in the analysis device 40, or vice versa. For example, the analysis device 40 may include a setting information acquisition function of the VPN device 30. In this case, the analysis device 40 may input the log collection operation setting information and the log analysis operation setting information and transmit the log collection operation setting information to the VPN device 30.

Alternatively, the analysis device 40 may generate log collection operation setting information based on the log analysis operation setting information, and transmit the generated log collection operation setting information to the VPN device 30. That is, the analysis device 40 may instruct the VPN device 30 to collect log information suitable for the requested log analysis operation. For example, when the analysis device 40 generates the access flow as shown in FIGS. 8 and 9 (when the generation of the flow is included in the log analysis operation setting information), the analysis device 40 is limited to the access from the terminal 10 to the server 20. Log collection operation setting information to be stored may be generated and set in the VPN device 30.

Further, the SQLN device 30 can identify a user or a terminal accessing from the terminal 10, and holds a log by associating the user ID or the terminal ID with the user ID, and the SQLN device 30 or the analysis device 40 uses the user ID. It holds the personal attributes of the specified user or the personal attributes of the user who uses the terminal specified by the terminal ID, and the personal attributes are, for example, gender, age, address area, occupation, etc., and the log and these personal attributes are stored. By combining (JOIN on SQL, etc.), analysis by individual attribute becomes possible. Specifically, it is possible to identify and analyze logs of only men.

Further, the VPN device 30 can also identify which application (browser, various SNS applications, etc.) of the terminal 10 is accessing the outside, and holds the application name, application ID, and application type as a log. It is also possible, and by analyzing such logs, it is possible to analyze by application.

Further, in addition to the log information acquired from the VDC device 30, the analysis device 40 is acquired from other data (for example, questionnaire data by the user, ID-POS (POS data with an ID), and means different from the VPN device 30. Access log, user information held by each company) may be acquired and retained, and log information may be analyzed by associating the log information with the other data.

Further, the VPN device 30 and the analysis device 40 perform WEB crawling on the URL included in the acquired access log, and determine the type and type (WEB page of what kind of content) of the URL content included in the access log. You may grasp and hold it. The information collected by the WEB crawling may be utilized for log analysis.

Further, the VPN device 30 and the analysis device 40 may identify and retain the company or service that owns the domain based on the domain of the URL of the acquired access log. The analysis device 40 may utilize the information for log analysis. It should be noted that the company that owns the domain can be specified by a Whois search or the like.

Although the embodiments of the present invention have been described above, the present invention is not limited to these embodiments. It will be appreciated by those skilled in the art that these embodiments are merely exemplary and that various modifications are possible without departing from the scope and spirit of the invention.

10, 10-1 to 10-N terminal
20, 20-1 to 20-M Server 30 VPN device 40 Analysis device 301, 401 Communication control unit 302 Log collection unit 303, 403 Setting information acquisition unit 304 Learning model 311 Processor 312 Memory 313 Input / output interface 314 Communication interface 402 Log analysis Department

Claims (10)

A VPN (Virtual Private Network) device that mediates communication between a terminal and a server while encrypting it, and collects logs related to communication between the terminal and the server.
An analyzer that analyzes the collected logs,
A log analysis system, including. The log analysis system according to claim 1, wherein the VPN device receives encrypted data, decrypts the encrypted data, and then stores the decrypted data as a log. The log analysis system according to claim 1 or 2, wherein the VPN device determines whether or not to store the received data as a log according to the characteristics of the received data. The log according to claim 3, wherein the VPN device stores the image data including the predetermined target as a log when the received data is the image data and the image data includes the predetermined target. Analysis system. The VPN device does not decode the communication between the terminal and the server when the terminal does not normally respond to the data received from the server when the encrypted data is received from the server. The log analysis system according to any one of 1 to 4. The log analysis system according to any one of claims 1 to 5, wherein the analysis device generates an access flow based on a specific site based on the collected logs. The log analysis system according to claim 6, wherein the analysis device acquires the number of stages when generating the access flow from the outside. The VPN device collects logs based on the log collection operation setting information that defines the operation when collecting the logs.
The log analysis system according to any one of claims 1 to 7, wherein the analysis device analyzes the collected logs based on log analysis operation setting information that defines an operation when analyzing the logs. The log analysis system according to claim 8, wherein the analysis device generates the log collection operation setting information based on the log analysis operation setting information, and transmits the generated log collection operation setting information to the VPN device. A step of collecting logs related to the communication between the terminal and the server while encrypting and mediating the communication between the terminal and the server.
The steps to analyze the collected logs and
Log analysis method including.

Images