JP5411907B2 - Log analysis system, log analysis device, log analysis method, and log analysis program - Google Patents

Description

  The present invention relates to a log analysis system, a log analysis device, a log analysis method, and a log analysis program.

  In conventional Web systems and computer systems on the cloud that have been attracting attention in recent years, individual subsystems cooperate to execute one process. For example, in a file sharing system or the like, subsystems each having a different role, such as a portal subsystem, an authentication subsystem, an access analysis subsystem, and a file storage subsystem, operate in cooperation to execute one process.

  By the way, when processing troubles occur in a computer system, processing records (logs) stored in the system are generally analyzed. The same applies to a system in which individual subsystems cooperate to execute one process (hereinafter referred to as a cooperation system), such as the above-described Web system or computer system on the cloud. In order to grasp the processing status of the corresponding user, a help desk person analyzes the processing records generated by each subsystem. For example, by analyzing each log accumulated in each subsystem as a process record, how far the process related to the user has been executed, whether the process related to the user was successful, which subsystem in the process related to the user Carry out fault isolation, such as whether the problem was a problem.

  In addition, as a technique of log management accumulated in the computer system, for example, there is a mechanism for extracting the same keyword between different logs (see Non-Patent Document 1).

“Introduction to Logstorage Ver. 4”, [Online], [October 21, 2011 search], Internet (URL: http://www.logstorage.com/pdf/logstorage_Intro.pdf)

  By the way, in the cooperation system, a unique log is generated in each subsystem, and a keyword for identifying a user process handled in each subsystem is generally different among the subsystems. For example, in a linkage system, a user ID that is a keyword indicating a user is clearly specified in a log generated by a front portal subsystem or an authentication system. On the other hand, the same user ID is rarely used for logs generated by subsystems that process individual functions. For example, transaction IDs related to processing, content IDs related to data, and processes related to processes The case where it is described in a log as different keywords, such as ID, is common.

  For example, when a trouble occurs in the cooperation system, it is necessary to grasp a series of processes in the cooperation system. For this reason, the help desk staff extracts the logs accumulated in each subsystem, analyzes the contents, and selects the same user from the keywords included in the logs accumulated in each subsystem. By associating the keywords indicating the processes with respect to each other, an attempt is made to link the individual processes executed in each subsystem. However, when keywords used in each subsystem are different, it is extremely difficult for a help desk person to determine whether to indicate processing for the same user. For example, a help desk person says that he / she will use keywords to determine where and what logs exist for each subsystem and whether the processes described in the subsystem logs are related to a series of processes. Inefficient work will be performed.

  The above-described prior art (Non-Patent Document 1) extracts the same keyword between different logs. However, regarding a process related to the same user, different keywords between different logs are automatically and efficiently used. It is not related.

  The present invention has been made in view of the above, and in a series of processes executed in cooperation with a plurality of information processing apparatuses, each information is obtained by associating the processing records (logs) of the information processing apparatuses with each other. It is an object of the present invention to provide a log analysis system, a log analysis device, a log analysis method, and a log analysis program capable of efficiently grasping the cooperation relationship of individual processes executed by a processing device.

  In order to solve the above-described problems and achieve the object, the present invention provides a log for analyzing a plurality of information processing apparatuses and a processing record related to a series of processes executed by the plurality of information processing apparatuses in cooperation with the same user. A log analysis system having an analysis device, wherein the information processing device has an output unit that outputs a log describing information of processing executed in the series of processing as a processing record, and the log analysis device includes: One of the plurality of logs output from the plurality of information processing apparatuses is set as an inspection target, a keyword included in the inspection target log is extracted, and the past is based on the time when the inspection target log is recorded. Alternatively, an extraction unit that extracts a keyword included in each log other than the inspection target recorded in the future, and a plurality of keywords extracted by the extraction unit are combined. And having a storage unit for storing in the storage unit in association with.

  In addition, the present invention is a log analysis device that analyzes a processing record related to a series of processes executed in cooperation by a plurality of information processing apparatuses for the same user, and relates to the series of processes from each of the plurality of information processing apparatuses. One of a plurality of logs output as processing records is taken as an inspection target, keywords included in the inspection target log are extracted, and recorded in the past or future based on the time when the inspection target log was recorded. It has an extraction part which extracts a keyword contained in each of logs other than the inspection object, and a storage part which associates a keyword extracted by the extraction part with each other and stores it in a storage part.

  Further, the present invention is executed by a log analysis system having a plurality of information processing apparatuses and a log analysis apparatus that analyzes a processing record related to a series of processes executed by the plurality of information processing apparatuses in cooperation with each other for the same user. In this log analysis method, one of a plurality of logs output as a processing record related to the series of processes from each of the plurality of information processing apparatuses is used as an inspection target, and a keyword included in the inspection target log is extracted. And an extraction step for extracting a keyword included in each of logs other than the inspection target recorded in the past or the future based on the time when the inspection target log was recorded, and the keyword extracted by the extraction step And a storage step of storing them in the storage unit in association with each other.

  The present invention is also a log analysis method executed by a log analysis device that analyzes a processing record related to a series of processing executed in cooperation by a plurality of information processing devices for the same user, each of the plurality of information processing devices. From one of a plurality of logs output as a processing record related to the series of processes, the keyword included in the inspection target log is extracted, and the time when the inspection target log is recorded is used as a reference An extraction step of extracting a keyword included in each of logs other than the inspection target recorded in the past or the future, and a storage step of storing the keywords extracted in the extraction step in association with each other in a storage unit It is characterized by that.

  In addition, the present invention is a log analysis program for causing a log analysis apparatus that analyzes a processing record related to a series of processes executed in cooperation by a plurality of information processing apparatuses for the same user, the plurality of information processing apparatuses One of a plurality of logs output as a processing record related to the series of processes from each of the above is used as an inspection target, a keyword included in the inspection target log is extracted, and a time when the inspection target log is recorded An extraction procedure for extracting a keyword included in each of logs other than the inspection target recorded in the past or the future as a reference, and a storage procedure for storing the keywords extracted by the extraction procedure in the storage unit in association with each other Is executed.

  According to the present invention, in a series of processes executed in cooperation with a plurality of information processing apparatuses, individual processes executed in each information processing apparatus by associating the processing records (logs) of the information processing apparatus with each other. Can be efficiently grasped.

FIG. 1 is a functional block diagram illustrating the configuration of the log analysis system according to the first embodiment. FIG. 2 is a diagram showing a flow of processing executed in the PKI system. FIG. 3 is a diagram illustrating an example of user access log data output from the portal server. FIG. 4 is a diagram illustrating an example of certificate issuance / revocation application log data output from the RA server. FIG. 5 is a diagram illustrating an example of certificate issuance / revocation log data output from the CA server. FIG. 6 is a diagram illustrating an example of certificate registration log data output from the repository server. FIG. 7 is a diagram illustrating an example of information described in the keyword association table. FIG. 8 is a diagram illustrating an example of information described in the keyword-log association table. FIG. 9 is a diagram illustrating an example of information described in the time neighborhood setting table. FIG. 10 is a diagram illustrating a flow of processing by the log analysis system according to the first embodiment. FIG. 11 is a diagram illustrating a flow of processing by the log analysis system according to the first embodiment. FIG. 12 is a diagram illustrating a flow of processing by the log analysis system according to the first embodiment. FIG. 13 is a diagram illustrating an example of a computer that executes a program for realizing the same function as the processing described in the embodiment.

  Embodiments of a log analysis system, a log analysis device, a log analysis method, and a log analysis program according to the present application will be described below with reference to the drawings. Each example to be described later is merely an embodiment, and does not limit the embodiments of the log analysis system, the log analysis device, the log analysis method, and the log analysis program according to the present application. In addition, the embodiments described later can be appropriately combined within a range that does not cause a contradiction in the processing contents.

[Outline and Features of Log Analyzer (Example 1)]
An overview and characteristics of the log analysis system according to the first embodiment will be described. The log analysis system according to the first embodiment is summarized as analyzing a process record regarding a series of processes executed by a plurality of information processing apparatuses in cooperation with each other for the same user. The log analysis system according to the first embodiment extracts a keyword included in the inspection target log from one of a plurality of logs output as a processing record of a series of processes from a plurality of information processing apparatuses. In addition, the main feature is that keywords included in each of logs other than the inspection target recorded in the past or the future are extracted and correlated with each other based on the time when the inspection target log is recorded.

  In other words, the log analysis system according to the first embodiment is the timing at which the log is recorded (log recording time) even if the keyword is a different expression that is uniquely assigned to each subsystem in a series of processes related to the same user. ) Logs that are close to each other can be related to each other, so that differently expressed keywords that are uniquely assigned to each subsystem can be related to each other. The relationship can be grasped efficiently.

[Configuration of Log Analysis System (Example 1)]
In the first embodiment described below, as an example of a series of processes executed in cooperation with each subsystem, a process related to issuance or revocation of an electronic certificate for a certain user will be described as an example.

  FIG. 1 is a functional block diagram illustrating the configuration of the log analysis system according to the first embodiment. As shown in FIG. 1, the log analysis system according to the first embodiment includes a log analysis device 1 and a disk device 2. The log analysis system according to the first embodiment is generated as a process record by a subsystem from a plurality of subsystems constituting a PKI (Public Key Infrastructure) system 3 that issues an electronic certificate to a user 31. The obtained log data is acquired and analysis processing is executed.

  As shown in FIG. 1, the plurality of subsystems constituting the PKI system 3 include a portal server 32, an RA (Registration Authority) server 33, a CA (Certificate Authority) server 34, and a repository server 35.

  The log data group illustrated in FIG. 1 is a set of log data generated by a plurality of subsystems that configure the PKI system 3. The “user access log data 41” is generated and output as a process record by the portal server 32. The “certificate issuance / revocation application log data 42” is generated and output as a processing record by the RA server 33. The “certificate issuance / revocation log data 43” is generated and output as a processing record by the CA server 34. The “certificate registration log data 44” is generated and output as a processing record by the repository server 35.

  Here, the flow of processing executed in the PKI system 3 when the user 31 has issued or revoked an electronic certificate will be described with reference to FIG. FIG. 2 is a diagram showing a flow of processing executed in the PKI system. When the user 31 performs an operation for issuing or revoking an electronic certificate, as described below, each of a plurality of subsystems constituting the PKI system 3 performs processing related to the issuance or revocation of an electronic certificate, Each time a process is performed, a log is output as a record of the process.

  Specifically, as shown in FIG. 2, the user 31 performs a certificate issuing operation on the portal server 32 (S101). The portal server 32 that has received the certificate issuance operation transmits a certificate issuance application message for the user 31 to the RA server 33 (S102). The certificate issuance application message includes a user ID for identifying the user 31. For example, the user ID is expressed by “UserID = *** (* is an arbitrary number)”, and a unique ID is assigned to each user. Here, the portal server 32 outputs a log including the user ID to the “access log data 41 (see FIG. 1)” as a record of the processing in step S102.

  Upon receiving the certificate issuance application message, the RA server 33 transmits a certificate issuance application message for the user corresponding to the user ID included in the certificate issuance application message to the CA server 34 (step S103). This certificate issuance application message includes a transaction ID as information for identifying a series of processes for issuing an electronic certificate to the user 31. The transaction ID is expressed by “TransactionID = *** (* is an arbitrary number)”, and a unique ID is assigned to each series of processes. Here, the RA server 33 outputs a log including the user ID and the transaction ID to the “certificate issuance / revocation application log data 42 (see FIG. 1)” as a record of performing the process of step S103.

  Upon receiving the certificate issuance application message, the CA server 34 issues an electronic certificate and transmits a registration application message for the issued electronic certificate to the repository server 35 (S104). The registration application message includes a certificate ID for identifying the issued electronic certificate. The certificate ID is expressed as “CertificateID = ** (* is an arbitrary number)”, and a unique ID is assigned to each electronic certificate.

  Receiving the certificate registration application message, the repository server 35 registers the electronic certificate and transmits a certificate registration completion notification message to the CA server 34 (S105). This certificate registration completion notification message includes the certificate ID. Here, the repository server 35 outputs a log including the certificate ID to the “certificate registration log data 44 (see FIG. 1)” as a record of the processing in step S105.

  The CA server 34 that has received the certificate registration completion notification message transmits a certificate issuance completion notification message to the RA server 33 (S106). This message certificate issuance completion notification includes a transaction ID and a certificate ID. Here, the CA server 34 outputs a log including the transaction ID and the certificate ID to the “certificate issuance / revocation log data 43 (see FIG. 1)” as a record of the processing in step S106.

  Receiving the certificate issuance completion notification message, the RA server 33 transmits a certificate issuance completion notification message to the portal server 32 (S107). This certificate issuance completion notification message includes a user ID. The RA server 33 outputs a log including the user ID and the transaction ID to the “certificate issuance / revocation application log data 42 (see FIG. 1)” as a record of the processing in step S107.

  Upon receiving the certificate issuance completion notification message, the portal server 32 displays a message notifying the user 31 that the issuance of the electronic certificate has been completed (step S108). Here, the portal server 32 outputs a log including the user ID to the “access log data 41 (see FIG. 1)” as a record of performing the process of step S108.

  A set of individual processes (steps S101 to S108) executed in cooperation by the portal server 32, RA server 33, CA server 34, and repository server 35 constituting the PKI system 3 is an electronic certificate of the user 31. It is a series of processes related to issuance.

  Further, when the electronic certificate of the user 31 is revoked, the processing from step S109 to step S116 shown in FIG. 2 is executed. A set of individual processes (steps S109 to S116) executed by each of the portal server 32, RA server 33, CA server 34, and repository server 35 constituting the PKI system 3 is also an electronic certificate of the user 31. This is a series of processes related to the revocation of the electronic certificate of the user 31 as in the case of issuance.

  An example of log data output as a process record from each of the portal server 32, the RA server 33, the CA server 34, and the repository server 35 configuring the PKI system 3 will be described with reference to FIGS.

  FIG. 3 shows an example of user access log data 41 output from the portal server 32. FIG. 3 is a diagram illustrating an example of user access log data output from the portal server. As shown in FIG. 3, the access log data 41 is given an access log data name 411 (for example, logA.txt), and records each log output each time processing is performed from the portal server 32. ing. For example, as shown in FIG. 3, the access log data 41 includes a user ID 412 (for example, UserID = 1111) unique to the user 31 performing the digital certificate issuing operation, and the time when the log is output from the portal server 32. 413 (for example, 2011/03/07 12:11: 10.640), [INFO (processing information)] (for example, certificate issuance start), and the like are recorded.

  For example, when the portal server 32 outputs a log including “UserID = 1111” as a record of performing the process of step S102 illustrated in FIG. In the first row of the access log data 41 of txt, “UserID = 1111” as the user ID 412, “2011/03/07 12: 11: 10.640”, [INFO (processing information)] as the log output time 413 “Certificate issue start” is recorded. When the portal server 32 outputs a log including “UserID = 1111” as a record of performing the process of step S108 illustrated in FIG. In the second row of the access log data 41 of txt, “UserID = 1111” as the user ID 412, “2011/03/07 12: 11: 11.730” as the log output time 413, and [INFO (processing information)] “Certificate issuance completed” is recorded. Logs output from the RA server 33, the CA server 34, and the repository server 35 are also recorded by the same method as the log output from the portal server 32.

  FIG. 4 shows an example of the certificate issuance / revocation application log data 42 output from the RA server 33. FIG. 4 is a diagram illustrating an example of certificate issuance / revocation application log data output from the RA server. As shown in FIG. 4, the certificate issuance / revocation application log data 42 is given a certificate issuance / revocation application log data name 421 (for example, logB.txt), and processing is performed from the RA server 33. Each log that is output to is recorded. For example, as shown in FIG. 4, the certificate issuance / revocation application log data 42 includes a user ID 422 (for example, UserID = 1111) included in the certificate issuance application message received from the portal server 32, and the user 31. Transaction ID 423 (for example, TransactionID = 13321) for identifying a series of processes for issuing an electronic certificate, and a time 424 (for example, 2011/03/07 12:11) when the log is output from the RA server 33. : 10.709), [INFO (processing information)] (for example, certificate issuance start), and the like are recorded.

  FIG. 5 shows an example of the certificate issuance / revocation log data 43 output from the CA server 34. FIG. 5 is a diagram illustrating an example of certificate issuance / revocation log data output from the CA server. As shown in FIG. 5, the certificate issuance / revocation log data 43 is given a certificate issuance / revocation log data name 431 (for example, logC.txt), and is output each time processing is performed from the CA server 34. Individual logs are recorded. For example, as shown in FIG. 5, the certificate issuance / revocation log data 43 includes a transaction ID 432 (for example, TransactionID = 13321) included in the certificate issuance application message received from the RA server 33, and a log from the CA server 34. The output time 433 (for example, 2011/03/07 12: 11: 11.706) and [INFO (processing information)] (for example, certificate issuance completion) are recorded.

  FIG. 6 shows an example of certificate registration log data 44 output from the repository server 35. FIG. 6 is a diagram illustrating an example of certificate registration log data output from the repository server. As shown in FIG. 6, the certificate registration log data 44 is given a certificate registration log data name 441 (for example, logD.txt) and is output each time processing is performed from the repository server 35. A log is recorded. For example, as shown in FIG. 6, the certificate registration log data 44 includes a certificate ID 442 (for example, CertificateID = 21) included in the certificate registration application message received from the CA server 33, and a log from the repository server 35. The output time 443 (for example, 2011/03/07 12: 11: 11.100) and [INFO (processing information)] (for example, certificate issuance completion) are recorded.

  Returning to FIG. 1, the disk device 2 stores a keyword association table 21 and a keyword-log association table 22.

  The keyword association table 21 describes the association information of keywords included in the logs output from the portal server 32, RA server 33, CA server 34, and repository server 35. FIG. 7 shows an example of information described in the keyword association table 21. FIG. 7 is a diagram illustrating an example of information described in the keyword association table. FIG. 7 shows a description example of the keyword association table 21 when the user ID, the transaction ID, and the certificate ID are extracted from the log. A keyword is information described in a log generated as a process record by an information processing apparatus that processes individual functions in a series of processes performed by a plurality of information processing apparatuses in cooperation with each other for the same user. Information such as a user ID for identifying a processing target user, a transaction ID for identifying a series of processing, a content ID for identifying processing data, and a process ID for identifying a processing process.

  As shown in FIG. 7, the value of “UserID” is described in the first column from the left of the keyword relation table 21, the value of “TransactionID” is described in the second column, and “CertificateID” is described in the third column. The value of is described. The values described in each row of the keyword association table 21 are extracted from the log as keywords that are related to each other in a series of processes by the log analysis device 1 described later. For example, “UserID = 1111”, “TransactionID = 13321”, and “CertificateID = 21” described in the second line below the item line shown in FIG. 7 are associated with each other as keywords in a series of processing. It is a thing.

  The keyword related information described in the keyword relation table 21 shown in FIG. 7 includes, for example, certificate issuance / revocation application log data 42 (logB.txt) shown in FIG. 4 and certificate issuance / revocation log data shown in FIG. 43 (logC.txt) and certificate registration log data 44 (for example, logD.txt) shown in FIG. For example, it is assumed that there is a relationship between a single log and a plurality of keywords included in another log in which the time described in the log and the time in the vicinity are described. Therefore, the user ID 422 and the transaction ID 423 are obtained from the individual logs recorded in the certificate issuance / revocation application log data 42 (logB.txt) in which “UserID” and “TransactionID” are included in the same one log. It is possible to find a relationship between In addition, the certificate issuance / revocation log data 42 (logB.txt) is recorded in the vicinity (recorded within a predetermined time including the recorded time). (Eg, logC.txt) and individual logs recorded in each of the certificate registration log data (eg, logD.txt) can find an association between transaction ID 432 and certificate ID 442. it can. Furthermore, by describing these relationships in one row of the keyword relationship table 21, the three keywords of user ID, transaction ID, and certificate ID are associated with each other.

  More specifically, each log in the first or second line (425 shown in FIG. 4) of the certificate issuance / revocation application log data 42 (logB.txt) shown in FIG. 4 has one log. Includes both “UserID = 1111” and “TransactionID = 13321”. Therefore, the association between “UserID = 1111” and “TransactionID = 13321” can be found. Further, the log (434 shown in FIG. 5) in the first line of the certificate issuance / revocation log data 43 (logC.txt) shown in FIG. 5 and the certificate registration log data 44 (for example, logD.txt) shown in FIG. ) In the first line log (444 shown in FIG. 6) are close to each other. Therefore, “TransactionID = 13321” included in the first line log of the certificate issuance / revocation log data 43 (logC.txt) shown in FIG. 5 and the certificate registration log data 44 (for example, logD. It is possible to find an association with “CertificateID = 21” included in the log of the first line of (txt). This makes it possible to manage keywords that can be regarded as highly relevant in a series of processes such as issuing an electronic certificate for a certain user. The same transaction ID is assigned in a series of processing. Therefore, the transaction ID is common to the keyword pair of “UserID = 1111” and “TransactionID = 13321” that detected the association and the keyword pair of “TransactionID = 13321” and “CertificateID = 21” that detected the association. Therefore, “UserID = 1111”, “TransactionID = 13321”, and “CertificateID = 21” can be associated with each other and described in one line, which is the record 211 in the second line shown in FIG.

  The keyword-log relation table 22 includes a registration keyword and log location information including the keyword (address and URL indicating the log storage location, the name of the file in which the log is recorded, the number of lines from the top of the file, etc.) Are described in association with each other. The registration keyword is a keyword that serves as a reference for detecting a log to be registered in the keyword-log relation table, and is information specified for identifying a user when a searcher searches the log, such as a UserID. . For example, FIG. 8 shows an example of information described in the keyword-log relation table 22. FIG. 8 is a diagram illustrating an example of information described in the keyword-log association table.

  As shown in FIG. 8, the first column from the left of the keyword-log relation table 22 describes the value of “UserID” set as a registration keyword, and the second column describes the value of log position information. Is done. FIG. 8 shows a case where the log data name and the number of log lines in the log data are described in order to indicate the position information of each log as the value of the log position information. ing.

  Further, as shown in FIG. 8, in the second and subsequent lines below the item line of the keyword-log relation table 22, log position information considered to be related to the registration keyword described in the left column is displayed. Described in the right column. For example, the description content of the second line (221 shown in FIG. 8) of the keyword-log relation table 22 indicates that the log position information considered to be related to the keyword “UserID = 1111” is “logA.txt1”. Show.

  Further, in the keyword-log relation table 22 shown in FIG. 8, information is described based on the logs output from the portal server 32, the RA server 33, the CA server 34, and the repository server 35. For example, if a registration keyword is included in the log, it is considered that the registration keyword and the log are related, and the registration keyword and log position information are described in the same line of the keyword-log relation table 22. . Therefore, the access log data 41 (logA.txt) shown in FIG. 3 and the certificate issuance / revoking application log data 42 (logB.txt) shown in FIG. Describes the set of UserID and log position information in the same row of the keyword-log relation table 22.

  If the log includes a keyword that is not a keyword for registration, the registration keyword associated with the keyword that is not a keyword for registration is extracted with reference to the keyword association table 21 shown in FIG. The registration keyword and log position information are described in the same line of the keyword-log relation table 22. For this reason, the certificate issuance / revocation log data 43 (logC.txt) shown in FIG. 5 and the certificate registration log data 44 (for example, logD.txt) shown in FIG. ), A set of UserID and log position information can be described in the same row of the keyword-log relation table 22. By describing the relationship between the registration keyword and the log position information in one table (keyword-log relation table 22), log data output from the portal server 32, RA server 33, CA server 34, and repository server 35 are recorded. For each included log, the relationship between the location information and UserID that is a registration keyword can be recorded in a unified manner.

  Returning to FIG. 1, the log analysis apparatus 1 includes a keyword relation table creation unit 11 and a keyword-log relation table creation unit 12.

  The keyword association table creation unit 11 extracts one of the plurality of logs output from the plurality of subsystems as the inspection target, extracts keywords included in the inspection target log, and sets the time when the inspection target log is recorded. As a reference, keywords included in each of logs other than the inspection target recorded in the past or the future are extracted and associated and registered in the keyword relation table 21.

  More specifically, the keyword association table creation unit 11 includes a log data group (see FIGS. 3 to 6) output from the portal server 32, the RA server 33, the CA server 34, and the repository server 35, and a time neighborhood setting table. 13 is read and individual logs included in the log data group are inspected. For example, when two or more different keywords are included in the inspection target log, the two keywords are extracted from the inspection target log as related. In addition, the keyword relation table creation unit 11 may include a keyword relation table creation unit when a plurality of keywords are included in other logs in which the time described in the inspection target log and the nearby time are described. 11 regards these keywords as related and extracts those keywords. For example, the keyword association table creation unit 11 refers to the time neighborhood setting table 13 and when the inspection target log is other log search processing target log data, the neighboring time is described for the other log search processing target log data. The other log is searched, and when the keyword is included in the other log, the keyword is extracted. Then, the keyword association table creation unit 11 registers the keyword extracted from the inspection target log and the keyword extracted from the log other than the inspection target log in the keyword association table 21 in association with each other. Note that the keyword association table creation unit 11 registers only two or more different keywords extracted from the inspection target log in the keyword association table 21 in association with each other when the inspection target log is not other log search processing target log data. In addition, when extracting a keyword from a log, the keyword relation table creation unit 11 converts a character code of the log into a specific character code (unicode or the like), and extracts a keyword that matches the character code of the keyword. From a log with a fixed format, a character code corresponding to a predetermined number of relative bytes from the beginning is extracted as a keyword, and from a structured log message, a character string decomposed according to a predetermined normalization syntax is extracted. Or extract it as a keyword.

  FIG. 9 shows an example of information described in the time neighborhood setting table 13. FIG. 9 is a diagram illustrating an example of information described in the time neighborhood setting table. As shown in FIG. 9, the time vicinity setting table 13 describes the processing target log data name, the search target log data name, and the time vicinity range.

  In the first column (131) from the left of the time neighborhood setting table 13 shown in FIG. 9, the log data name to be subjected to other log search processing in the vicinity of the time is described as the processing target log data name, and the second column from the left. In (132), a log data name different from the log data including the log to be processed is described as the search target log data name, and the third column (133) from the left shows the vicinity at the time of other log search processing. A specific numerical value about the range is described as the time vicinity range. For example, in the row of the time vicinity setting table 13 (134 in FIG. 9), the name “logC.txt” of the certificate issuance / revocation log data 43 shown in FIG. The name “logD.txt” of the certificate registration log data 44 shown in FIG. 6 is described as the value of the search target log data name, and “past 1.0 second, future 0.0 second” as the value of the time vicinity range. Is described. Note that the value in the time vicinity range indicates a time based on the time included in the inspection target log described in the processing target log data name. In addition, the time neighborhood setting table 13 is determined by the administrator of the log analysis device 1 in consideration of the relationship between keywords and time included in individual logs of each log data, and is described in advance before performing each process. It is something to keep.

  The keyword-log relation table creation unit 12 assigns a keyword included in the log data group 4 (see FIGS. 1 and 3 to 6) and a log including the keyword from the logs accumulated in the subsystem. Necessary information is associated and registered in the keyword-log relation table 22.

  More specifically, the keyword-log relation table creation unit 12 is preset with a registration keyword type. Then, the keyword-log relation table creating unit 12 reads the log data group 4 (see FIGS. 1 and 3 to 6) output from the portal server 32, the RA server 33, the CA server 34, and the repository server 35, and logs Examine individual logs in the data set. For example, when a keyword corresponding to a registration keyword is included for each log, the keyword-log relation table creating unit 12 sets the keyword and the log position information as a set to the keyword-log relation table 22. Register with. On the other hand, when a keyword different from the registration keyword is included, the keyword-log relation table creation unit 12 refers to the keyword relation table 21 and registers the keyword for registration associated with a keyword that is not a registration keyword. And the registered registration keyword and the position information of the inspection target log are registered in the keyword-log relation table 22 as a set.

[Processing by Log Analysis System (Example 1)]
The flow of processing by the log analysis system according to the first embodiment will be described with reference to FIGS. 10 to 12 are diagrams illustrating a flow of processing by the log analysis system according to the first embodiment.

(Whole process)
First, the flow of the entire process performed by the log analysis system according to the first embodiment will be described with reference to FIG.

  As shown in FIG. 10, the log analysis apparatus 1 reads the log data group 4 (FIGS. 1 and 3 to 6) (S201). Subsequently, the keyword relation table creation unit 11 executes a keyword relation table creation process for creating the keyword relation table 21 for the log data group 4 read in step S201 (S202). Subsequently, the keyword-log relation table creating unit 12 executes keyword-log relation table creation processing for creating the keyword-log relation table 22 for the log data group 4 read in step S201 (S203). finish.

(Keyword related table creation process)
Next, the flow of the keyword association table creation process shown in step S202 of FIG. 10 will be described in detail with reference to FIG.

  As shown in FIG. 11, the keyword association table creation unit 11 reads the time neighborhood setting table 13 (S301) and reads the log data group 4 (S302). Subsequently, the keyword association table creation unit 11 extracts one inspection target log to be inspected from the log data group 4 (S303), and includes one or more keywords included in the inspection target log. It is determined whether or not (S304). For example, when the log (434) on the first line is extracted as the inspection target from the certificate issuance / revocation log data 43 (logC.txt) shown in FIG. 5, one or more keywords are included in this log. It is determined whether or not.

  As a result of the determination, when one or more keywords are included in the inspection target log (S304, Yes), the keyword association table creating unit 11 subsequently refers to the time neighborhood setting table 13 and performs the inspection. It is determined whether the target log is included in other log search target log data near the time (S305). Here, the other log search processing target log data in the vicinity of the time is the time described in the log (other log) of the log data different from the time described in the inspection target log and the log data including the inspection target log. Is a type of log data that can be considered to be related to each other in terms of keywords included in the inspection target log and other logs (other than Log data to be searched.

  Since the log data for other log search processing is set in advance in the column of the processing target log data name (131) of the time vicinity setting table 13, the keyword relation table creating unit 11 sets the inspection target log to the time vicinity setting table. The determination processing in step S305 is executed by determining whether or not the log data is included in the log data set in the column of the processing target log data name (131). For example, when the log (434) on the first line is extracted as the inspection target from the certificate issuance / revocation log data 43 (logC.txt) shown in FIG. 5, the processing target log data of the time neighborhood setting table 13 shown in FIG. Since “logC.txt” is set in the column of the name (131), a determination result that the inspection target log is included in the log data of the other log search processing target is output.

  As a result of the determination, if the inspection target log is included in the log data of other log search processing targets in the vicinity of the time (S305, Yes), the keyword association table creating unit 11 at the time described in the inspection target log A process of extracting another log describing a nearby time is executed (S306).

  More specifically, the keyword relation table creation unit 11 sets the log data set in the search target log data name (132) column of the time vicinity setting table 13 as a search target, and includes the time included in the inspection target log. As a reference, the log (other log) in which the time included in the time vicinity range set in the time vicinity setting table 13 is described is extracted by searching the log data set as the search target. For example, in the time neighborhood setting table 13 shown in FIG. 9, since “logD.txt” is set in the column of the search target log data name, the keyword association table creating unit 11 uses the certificate registration log data shown in FIG. 44 (logD.txt) is set as a search target. Since the time neighborhood range set in the time neighborhood setting table 13 is set to “past 1.0 seconds, future 0.0 seconds”, the keyword association table creating unit 11 issues the certificate issuance / revocation. The time “2011/03/07 / described in the log (434) on the first line of the certificate issuance / revocation log data 43 (logC.txt) extracted from the log data 43 (logC.txt) as the inspection target. 12: 11: 11: 706 ”as a reference, another log in which the time in the range of“ past 1.0 seconds, future 0.0 seconds ”, which is the vicinity of the time, is described as certificate registration log data 44 ( Log D.txt) is searched from the log included. The time “2011/03/07/12: 11: 11” described in the log (444) on the first line of the certificate registration log data 44 (logD.txt) shown in FIG. : 100 ”is the time“ 2011/03/07/12: 11: 11 ”described in the log (434) of the first line of the certificate issuance / revocation log data 43 (logC.txt), which is the inspection target log. 706 ”as a reference, since it is within the time vicinity range of“ past 1.0 seconds, future 0.0 seconds ”, the keyword association table creation unit 11 sets the certificate registration log shown in FIG. The log (444) in the first line of the data 44 (logD.txt) is extracted as another log.

  Subsequently, the keyword association table creation unit 11 extracts keywords included in the log from each of the inspection target log and the other logs extracted in step S306 (S307). Then, the keyword association table creating unit 11 determines whether or not a set of two or more keywords is extracted as a result of the extraction in step S307 (S308).

  As a result of the determination, when two or more keyword sets are extracted (S307, Yes), the keyword association table creating unit 11 subsequently selects two or more keyword sets extracted in step S307. Then, it is determined whether or not it is already registered in the keyword association table 21 stored in the disk device 2 (S309).

  As a result of the determination, if the set of two or more keywords extracted in step S307 is not already registered in the keyword association table 21 (No in S309), the keyword association table creation unit 11 performs the process in step S307. Two or more extracted keywords are associated and registered in the keyword association table 21 (S310). On the other hand, if the result of determination is that a group of two or more keywords extracted in step S307 has already been registered in the keyword association table 21 (S309, Yes), the keyword association table creation unit 11 Determines whether all the logs included in the log data group 4 have been extracted (the process of FIG. 11 has been performed for all the logs included in the log data group) (S311).

  As a result of the determination, when all the logs included in the log data group 4 have not been extracted (No in S311), the keyword association table creating unit 11 returns to step S303 described above, and performs steps S303 to S311. Execute the process. On the other hand, when all the logs included in the log data group 4 are extracted as a result of the determination (S311, Yes), the keyword relation table creation unit 11 ends the keyword relation table creation process. .

  If it is determined in step S308 that no combination of two or more keywords has been extracted (No in S308), the keyword association table creating unit 11 proceeds to the process in step S311 described above.

  In step S305 described above, if the result of determination is that the inspection target log is not included in the log data subject to other log search processing near the time (S305, No), the keyword association table creating unit 11 performs the above-described step. The process proceeds to S307. In step S307, the keyword relation table creation unit 11 extracts keywords from only the search target log.

  In the above-described step S304, if one or more keywords are not included in the inspection target log as a result of the determination (No keyword) (S304, No), the keyword relation table creating unit 11 The process proceeds to step S311 described above.

(Keyword-log related table creation process)
Next, the flow of the keyword-log relation table creation process shown in step S203 of FIG. 10 will be described in detail with reference to FIG.

  As shown in FIG. 12, the keyword-log relation table creating unit 12 reads the log data group 4 (S401), and extracts one log from the read log data group 4 (S402). Subsequently, the keyword-log relation table creation unit 12 examines the extracted log and determines whether or not one or more keywords are included in the log (S403). Note that in step S103, it is determined whether or not one or more keywords are included in the extracted log in order to find information related to the keyword and the log. This is because it needs to be included.

  As a result of the determination, when one or more keywords are included in the log (S403, Yes), the keyword-log relation table creating unit 12 includes a registration keyword in the keywords. It is determined whether or not (S404).

  As a result of the determination, if the registration keyword is not included in one or more keywords included in the log extracted in step S402 (S404, No), the keyword-log relation table creating unit 12 With reference to the association table 21, it is determined whether or not a keyword matching one or more keywords included in the log extracted in step S402 is registered in the keyword association table 21 (S405).

  As a result of the determination, if a keyword matching one or more keywords included in the log extracted in step S402 is registered in the keyword association table 21 (S405, Yes), a keyword-log association table creation unit 12 refers to the keyword relation table 21 and relates the keywords in the keyword relation table 21 that match one or more keywords included in the log extracted in step S402 and the associated registration keywords to the keyword relation. Extract from Table 21 (S406).

  Subsequently, the keyword-log relation table creating unit 12 acquires the registration keyword extracted from the keyword relation table 21 in step S406 and the log position information extracted in step S402 (address or URL indicating the storage location of the log, log Are associated with each other and registered in the keyword-log relation table 22 (S407).

  Subsequently, the keyword-log relation table creation unit 12 has extracted all the logs included in the log data group 4 (whether the processing of FIG. 12 has been performed for all the logs included in the log data group) or not. Determination is made (S408).

  As a result of the determination, if all the logs included in the log data group 4 have not been extracted (No at S408), the keyword-log relation table creating unit 12 returns to Step S402 described above, and Steps S402 to S408 are performed. The process up to is executed. On the contrary, when all the logs included in the log data group 4 are extracted as a result of the determination (S408, Yes), the keyword-log relation table creation unit 12 creates the keyword-log relation table. The process ends.

  In step S405 described above, as a result of the determination, if a keyword that matches one or more keywords included in the log extracted in step S402 is not registered in the keyword association table 21 (S405, No), the keyword The log relation table creation unit 12 proceeds to the process of step S408 described above.

  If the registration keyword is included in one or more keywords included in the log extracted in step S402 as a result of the determination in step S404 described above (S404, Yes), the keyword-log relation table The creating unit 12 proceeds to the process of step S407 described above.

  If it is determined in step S403 that one or more keywords are not included in the log (No in S403), the keyword-log association table creation unit 12 proceeds to the process in step S408 described above. .

[Effects of Example 1]
As described above, in the log analysis system according to the first embodiment, the log analysis apparatus 1 includes, for example, a plurality of servers such as the portal server 32, the RA server 33, the CA server 34, and the repository server 35 that configure the PKI system 3. From the subsystem, one of a plurality of logs output as a processing record of a series of processes is taken as the inspection target, keywords included in the inspection target log are extracted, and the time at which the inspection target log was recorded is used as a reference Keywords included in each log other than the inspection target recorded in the past or the future are extracted and associated with each other. Therefore, according to the log analysis system according to the first embodiment, even when keywords having different expressions that are uniquely assigned to individual subsystems in a series of processes related to the same user, the log recording timing (log By regarding logs with similar recording times as being related to each other, it is possible to correlate different expressions of keywords that are uniquely assigned to individual subsystems. For example, two keyword information “UserID = 1111” and “TransactionID = 13321” exist in the processing results described at the same time on the same log, and the times described in the log are close to each other ( If there are two keyword information, “TransactionID = 13321” and “CertificateID = 21”, in the processing results described on different logs (within the time range), these three keywords are assigned to the same user. It is determined that the information relates to a series of processing, and is registered in association with the keyword association table 21 (see FIG. 7) as a result that can be referred to. Thus, for example, a help desk person can grasp that a plurality of differently expressed keywords belong to a series of processes by referring to the keyword relation table 21, and if a keyword recorded in a specific log is known, By referring to the keyword relation table 21, keywords expressed in another log can be assigned. In other words, even if only “TransactionID = 13321” exists in the record of a certain log, it can be determined that the process is related to “UserID = 1111” by referring to the keyword association table 21. Is possible. For this reason, according to the first embodiment, it is possible to efficiently grasp the cooperative relationship between individual processes executed in each subsystem.

  In the first embodiment, the keyword-log relation table 22 includes log position information (address and URL indicating the storage location of the log, file name and file in which the log is recorded) including the keyword registered in the keyword relation table 21. Record the number of lines from the top in association with each other. Therefore, for example, when the help desk person inspects the processing contents in other subsystems related to “UserID = 1111”, refer to the keyword association table 21 and assign “TransactionID = 13321” Subsequently, with reference to the keyword-log relation table 22, the position of the log from which “TransactionID = 13321” is extracted can be assigned. As described above, according to the first embodiment, the keywords belonging to a series of processes and the position information of the logs from which the keywords are extracted are centrally managed, so that the processing contents in the series of processes are described in the log. It can also be allocated efficiently.

  Hereinafter, Example 2 will be described as another embodiment of the log analysis system, the log analysis device, the log analysis method, and the log analysis program according to the present invention.

(1) Device Configuration, etc. The configuration of the log analysis system according to the first embodiment, for example, each component of the log analysis system shown in FIG. 1 is functionally conceptual and is not necessarily physically configured as illustrated. I don't need it.

  For example, the keyword association table creation unit 11 and the keyword-log association table creation unit 12 in the log analysis system shown in FIG. 1 may be functionally or physically integrated. Further, the keyword association table 21 and the keyword-log association table 22 stored in the disk device 2 shown in FIG. 1 may be configured to be functionally or physically integrated in the log analysis device 1. As described above, the specific form of distribution or integration of the components of the log analysis system shown in FIG. 1 is not limited to that shown in FIG. Depending on the above, it can be configured to be functionally or physically distributed and integrated in arbitrary units.

(2) Log Analysis Method The following log analysis method is realized by the log analysis system according to the first embodiment.

  That is, a log analysis method executed by a log analysis system having a log analysis device that analyzes a processing record related to a series of processing executed in cooperation by a plurality of information processing devices for the same user, the plurality of information processing devices One of a plurality of logs output as a processing record related to the series of processes from each of the above is used as an inspection target, a keyword included in the inspection target log is extracted, and a time when the inspection target log is recorded An extraction step for extracting a keyword included in each log other than the inspection target recorded in the past or the future as a reference (see, for example, S307 in FIG. 11), and the keyword extracted by the extraction step are mutually A log analyzing method including a storing step of storing in the storage unit in association with each other (for example, see S310 in FIG. 11) It is realized.

(3) Program for causing log analysis device to execute predetermined procedure The various processes described in the above-described embodiments (for example, FIGS. 10 to 12, etc.) are related to Embodiment 1 such as personal computers and workstations. By installing a program for causing a computer implemented as the log analysis apparatus 1 in the log analysis system to execute procedures (processes) for realizing the same processing functions as the various types of processing described in the above embodiment. It can also be realized.

  Therefore, in the following, an example of a computer that realizes the same functions as the various types of processing (for example, FIGS. 10 to 12 and the like) described in the above-described embodiment will be described with reference to FIG. FIG. 13 is a diagram illustrating an example of a computer that executes a program for realizing the same function as the processing described in the above embodiment.

  As illustrated in FIG. 13, a computer 1000 implemented as the log analysis apparatus 1 includes, for example, a memory 1010 and a CPU (Central Processing Unit) 1020. The computer 1000 also includes a hard disk drive interface 1030 and an optical disk drive interface 1040 as shown in FIG. Further, the computer 1000 includes a serial port interface 1050, a video adapter 1060, and a network interface 1070 as shown in FIG. The computer 1000 connects these units 1010 to 1070 via a bus 1080.

  As shown in FIG. 13, the memory 1010 includes a ROM (Read Only Memory) and a RAM (Random Access Memory). The ROM stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090 as shown in FIG. The optical disc drive interface 1040 is connected to the optical disc drive 1100 as shown in FIG. For example, a removable storage medium such as an optical disk is inserted into the optical disk drive 1100. As shown in FIG. 13, the serial port interface 1050 is connected to, for example, a mouse 2000 and a keyboard 3000. The video adapter 1060 is connected to a display 4000, for example, as shown in FIG.

  Here, as shown in FIG. 13, the hard disk drive 1090 stores, for example, an OS (Operating System), an application program, a program module, and program data.

  That is, a program having the same function as that of the log analysis device 1 described above is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described. That is, a program module describing a procedure for causing the computer 1000 as the log analysis apparatus 1 to implement the same processing functions as the various types of processing described in the above-described embodiment (for example, FIGS. 10 to 12, etc.) It is stored in the hard disk drive 1090. This program module corresponds to, for example, a procedure (process) executed by the keyword relation table creation unit 11 and the keyword-log relation table creation unit 12 of the log analysis apparatus 1 shown in FIG.

  In addition, it is used by a program module in which a procedure for causing the computer 1000 as the log analysis apparatus 1 to implement the same processing functions as the various types of processing (for example, FIGS. The stored data is stored as program data in the hard disk drive 1090, for example. For example, this program data is recorded in, for example, the keyword association table 21 (see FIG. 7), the keyword-log association table (see FIG. 8), and the time neighborhood setting table 13 (see FIG. 9) stored in the disk device 2. It corresponds to the various data that has been.

  Then, the CPU 1020 reads out the program modules and program data stored in the hard disk drive 1090 to the RAM as necessary, and realizes various processes described in the above-described embodiments (for example, FIG. 10 to FIG. 12). Follow the steps.

  It should be noted that a program module or program in which procedures for causing the computer 1000 as the log analysis apparatus 1 to implement the same processing functions as the various types of processing described in the above-described embodiment (for example, FIGS. The data is not limited to being stored in the hard disk drive 1090, and may be stored in, for example, the optical disk drive 1100 that is a removable storage medium. In this case, the CPU 1020 reads out program modules and program data having functions similar to those of the log analysis apparatus 1 via the optical disc drive 1100.

  Alternatively, a program module or program in which a procedure for causing the computer 1000 as the log analysis apparatus 1 to implement the same processing functions as the various types of processing (for example, FIGS. 10 to 12, etc.) described in the above embodiment is described. The data may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). In this case, the CPU 1020 reads program modules and program data having the same functions as those of the log analysis apparatus 1 from another computer via the network interface 1070.

  Instead of the CPU 1020 operating according to a program to perform various processes, for example, the process can be performed using an electronic circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). Further, as the memory 1010, a flash memory or the like can be used.

DESCRIPTION OF SYMBOLS 1 Log analysis apparatus 2 Disk apparatus 3 PKI system 31 User 32 Portal server 33 RA (Registration Authority) server 34 CA (Certificate Authority) server 35 Repository server 1000 Computer 1010 Memory 1020 CPU
1030 Hard disk drive interface 1040 Optical disk drive interface 1050 Serial port interface 1060 Video adapter 1070 Network interface 1080 Bus 1090 Hard disk drive 1100 Optical disk drive 2000 Mouse 3000 Keyboard 4000 Display

Claims (10)

A log analysis system having a plurality of information processing devices and a log analysis device for analyzing a processing record related to a series of processes executed in cooperation by the plurality of information processing devices for the same user,
Each of the plurality of information processing devices
An output unit that outputs, as a process record, a log describing information on processes executed in the series of processes;
The log analysis device
One of the plurality of logs output from the plurality of information processing devices is set as an inspection target, and a keyword included in the inspection target log is extracted, and a log data name of the inspection target log is stored in the inspection target log. The log to be inspected was recorded with reference to a log data name of another log related to the log and a time neighborhood setting table indicating a time neighborhood range when searching for the other log . an extraction unit for extracting a keyword included in each of the other log recorded in the past or future are shown in the time vicinity range relative to the time,
And a storage unit that stores the plurality of keywords extracted by the extraction unit in association with each other. The storage unit refers to information in which the extracted keywords are associated with each other, and the log that includes the keyword and the keyword or the keyword associated with the keyword is accumulated in the information processing apparatus The log analysis system according to claim 1, wherein information necessary for allocation is stored in the storage unit in association with each other. A log analysis device that analyzes a processing record related to a series of processing executed in cooperation by a plurality of information processing devices for the same user,
One of a plurality of logs output as a processing record relating to the series of processes from each of the plurality of information processing devices is taken as an inspection target, a keyword included in the inspection target log is extracted, and the inspection target log Log data name, log data name of other logs related to the log to be examined, and time neighborhood setting table showing the time neighborhood range when searching for the other logs, an extraction unit for extracting a keyword the inspected log is included in each of the other log other than the time past or said object recorded in the future shown in neighborhood range based on the time recorded,
And a storage unit that stores the keywords extracted by the extraction unit in a storage unit in association with each other. The storage unit refers to information in which the extracted keywords are associated with each other, and the log that includes the keyword and the keyword or the keyword associated with the keyword is accumulated in the information processing apparatus The log analysis apparatus according to claim 3, wherein information necessary for allocation is stored in the storage unit in association with each other. A log analysis method executed by a log analysis system having a plurality of information processing devices and a log analysis device for analyzing a processing record related to a series of processing executed by the plurality of information processing devices in cooperation with the same user. ,
One of a plurality of logs output as a processing record relating to the series of processes from each of the plurality of information processing devices is taken as an inspection target, a keyword included in the inspection target log is extracted, and the inspection target log Log data name, log data name of other logs related to the log to be examined, and time neighborhood setting table showing the time neighborhood range when searching for the other logs, an extraction step of extracting a keyword the inspected log is included in each of the other log other than past or inspected recorded in the future shown in the time vicinity range relative to the time recorded,
A storage step of storing the keywords extracted in the extraction step in association with each other in a storage unit. The storing step refers to information that correlates the plurality of extracted keywords with each other, and the log including the keyword and the keyword or the keyword associated with the keyword is accumulated in the information processing apparatus 6. The log analysis method according to claim 5, wherein information necessary for allocation is stored in the storage unit in association with each other. A log analysis method executed by a log analysis device that analyzes a processing record related to a series of processing executed in cooperation by a plurality of information processing devices for the same user,
One of a plurality of logs output as a processing record relating to the series of processes from each of the plurality of information processing devices is taken as an inspection target, a keyword included in the inspection target log is extracted, and the inspection target log Log data name, log data name of other logs related to the log to be examined, and time neighborhood setting table showing the time neighborhood range when searching for the other logs, an extraction step of extracting a keyword the inspected log is included in each of the other log other than past or inspected recorded in the future shown in the time vicinity range relative to the time recorded,
A storage step of storing the keywords extracted in the extraction step in association with each other in a storage unit. The storing step refers to information that correlates the plurality of extracted keywords with each other, and the log including the keyword and the keyword or the keyword associated with the keyword is accumulated in the information processing apparatus The log analysis method according to claim 7, wherein information necessary for allocation is stored in the storage unit in association with each other. A log analysis program for causing a log analysis device to analyze a processing record related to a series of processing executed in cooperation by a plurality of information processing devices for the same user,
One of a plurality of logs output as a processing record relating to the series of processes from each of the plurality of information processing devices is taken as an inspection target, a keyword included in the inspection target log is extracted, and the inspection target log Log data name, log data name of other logs related to the log to be examined, and time neighborhood setting table showing the time neighborhood range when searching for the other logs, an extracting procedure for extracting a keyword the inspected log is included in each of the other log other than past or inspected recorded in the future shown in the time vicinity range relative to the time recorded,
And a storage procedure for storing the keywords extracted by the extraction procedure in a storage unit in association with each other. The storage procedure refers to information in which the extracted keywords are associated with each other, and the log including the keyword and the keyword or the keyword associated with the keyword is accumulated in the information processing apparatus The log analysis program according to claim 9, wherein information necessary for allocation is stored in the storage unit in association with each other.

Images