WO2023170907A1 - Encryption system, encryption device, encryption method, and computer-readable medium - Google Patents

Encryption system, encryption device, encryption method, and computer-readable medium Download PDF

Info

Publication number
WO2023170907A1
WO2023170907A1 PCT/JP2022/010838 JP2022010838W WO2023170907A1 WO 2023170907 A1 WO2023170907 A1 WO 2023170907A1 JP 2022010838 W JP2022010838 W JP 2022010838W WO 2023170907 A1 WO2023170907 A1 WO 2023170907A1
Authority
WO
WIPO (PCT)
Prior art keywords
range
encryption
log
data
unit
Prior art date
Application number
PCT/JP2022/010838
Other languages
French (fr)
Japanese (ja)
Inventor
寿人 阿部
Original Assignee
日本電気株式会社
Necプラットフォームズ株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社, Necプラットフォームズ株式会社 filed Critical 日本電気株式会社
Priority to PCT/JP2022/010838 priority Critical patent/WO2023170907A1/en
Publication of WO2023170907A1 publication Critical patent/WO2023170907A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the present disclosure relates to an encryption system, an encryption device, an encryption method, and a program.
  • log data collection must be kept confidential.
  • Patent Document 1 describes a log collection system that aims to collect log information while preventing information leakage to a third party without using a dedicated tool or a dedicated user interface.
  • the log collection system includes a formatting section, a log acquisition section, an encryption section, and a log writing section.
  • the formatting unit formats an external medium on which information can be read and written to include a public key in a volume label.
  • the log acquisition unit acquires log information when an external medium is connected.
  • the encryption unit encrypts the acquired log information using a public key included in the volume label.
  • the log writing section writes the encrypted log information to external media.
  • Patent Document 2 describes a method that makes it possible to adapt to high-speed lines by eliminating the need for processing using complex encryption algorithms, suppressing the deterioration of transmission efficiency due to redundant bits, and making it possible to conceal data using a simple method.
  • a packet communication method for this purpose is described.
  • the above packet communication method is a packet communication method for preventing data eavesdropping and tampering during data communication using bit synchronization, and includes an insertion step, a reception impossible step, and a reception enable step.
  • a synchronization flag sequence indicating the start and end of a frame, which is a unit of data to be transmitted, is inserted in a pseudo manner so that the frame length in packet communication is equal to or less than the minimum frame length.
  • the unauthorized receiving side discards frames with a length equal to or less than the minimum frame length as short frames, thereby making it impossible for an unauthorized person who attempts to eavesdrop or tamper with reception.
  • the reception enable step enables the receiving side of the authorized person to delete the pseudo-inserted synchronization flag sequence and receive a frame with a minimum frame length or less as a regular frame.
  • Patent Document 3 describes a data encryption method that does not require adding an encryption function to an existing WWW (World Wide Web) server or WWW browser.
  • the data encryption method performs data processing including encryption processing on data to be encrypted in which an instruction specifying a data processing method including an encryption processing method is incorporated in accordance with the embedded instruction.
  • the data encryption method described above encrypts the range specified by the encryption range specification command for encryption target data in which an encryption range specification command that specifies the range to be encrypted is incorporated.
  • Patent Document 4 describes a log recording device that aims to achieve both confidentiality of user data and failure analysis performance.
  • the log recording device includes a CDB (Command Description Block) determination means, a first encryption means, and a log output means.
  • the CDB determination means determines whether the SCSI request of the SCSI log data is related to user data or not, based on CDB determination information for the input SCSI (Small Computer System Interface) log data.
  • the first encryption means encrypts, based on an encryption key, a portion of the SCSI request that the CDB determination means determines is a SCSI request regarding user data, including user data.
  • the log output means formats and analyzes the SCSI request that the CDB determination means has determined is a SCSI request that does not relate to user data, and the SCSI request in which the portion including the user data from the first encryption means has been encrypted. output as a log file.
  • JP 2017-215853 Publication Japanese Patent Application Publication No. 11-215190 Japanese Patent Application Publication No. 11-215122 JP2019-097028A
  • the decryption range is limited not only when the data to be encrypted includes an encrypted part and an unencrypted part, but also when it only contains an encrypted part. Output as one piece of encrypted data incorporating the specified instruction. Therefore, even if the technology described in Patent Document 3 is applied to encrypt the log data of the device, even when all the log data is encrypted, one encrypted file incorporating the decryption range specification command is output. It turns out.
  • Patent Document 4 outputs as one file when it includes an encrypted part and an unencrypted part, so in order to decrypt it, even if all the parts are encrypted, Even if the file has been encrypted, information indicating that it has been encrypted is required.
  • the present disclosure has been made to solve the above problem, and when encrypting device log data by specifying the range to be encrypted, even if the entire range is encrypted, the range is
  • An object of the present invention is to provide an encryption system etc. that can avoid the need for information to be displayed.
  • the encryption system includes an acquisition unit that acquires log data, an encryption unit that encrypts the log data, and a range in which the encryption unit executes encryption before starting to acquire the log data.
  • a reception unit that receives an instruction to specify the log data, a storage unit that stores the log data, and a timing of acquisition of the log data by the acquisition unit and a start position and end position of the encryption by the encryption unit based on the range.
  • the encryption unit is controlled to execute encryption by inserting an end flag, which is a flag indicating the end position, and when the entire range of log data is specified as the range, the start flag is inserted. and controlling the encryption unit to execute encryption without controlling the insertion of the end flag, and for log data of a portion that falls within the range, encrypted data that does not fall within the range. Partial log data is stored in plain text as separate files in the storage unit.
  • the encryption device includes an acquisition unit that acquires log data, an encryption unit that encrypts the log data, and a range in which the encryption unit executes encryption before starting acquisition of log data.
  • a reception unit that receives an instruction to specify the log data, a storage unit that stores the log data, and a timing of acquisition of the log data by the acquisition unit and a start position and end position of the encryption by the encryption unit based on the range.
  • the encryption unit is controlled to execute encryption by inserting an end flag, which is a flag indicating the end position, and when the entire range of log data is specified as the range, the start flag is inserted. and controlling the encryption unit to execute encryption without controlling the insertion of the end flag, and for log data of a portion that falls within the range, encrypted data that does not fall within the range. Partial log data is stored in plain text as separate files in the storage unit.
  • the encryption method includes acquiring log data, encrypting the log data, receiving an instruction specifying a range to perform encryption before starting to acquire the log data, and encrypting the log data. storing the data; and controlling the timing of acquiring the log data, the start and end positions of encryption, and the storage of the log data based on the range; , inserting a start flag indicating the start position and an end flag indicating the end position into the start position and end position indicated by the range, respectively, to perform encryption; If the entire range of data is specified, encryption should be executed without inserting the start flag and end flag, and the log data of the part corresponding to the range should be encrypted.
  • This method includes storing the data in plain text for portions of the log data that do not fall within the above range as separate files.
  • the program is a program for causing a computer to execute an encryption process, and the computer-readable medium stores the program.
  • the encryption process includes acquiring log data, encrypting the log data, accepting an instruction specifying a range to perform encryption before starting to acquire the log data, and storing the log data.
  • the controlling includes controlling the timing of acquiring log data, the start position and end position of encryption, and storage of log data based on the range
  • the controlling includes Encrypting is performed by inserting a start flag indicating the start position and an end flag indicating the end position into the start position and end position, respectively, and the range is the entire range of the log data. is specified, the encryption is executed without inserting the start flag and the end flag, and for the log data of the part corresponding to the range, the encrypted data is For log data that does not correspond to the above, the data is stored in plain text as separate files.
  • FIG. 1 is a block diagram showing a configuration example of an encryption system according to a first embodiment
  • FIG. FIG. 2 is a block diagram showing an encryption device that is an example of the configuration of the encryption system in FIG. 1.
  • FIG. 3 is a flow diagram for explaining an example of an encryption method in the encryption system of FIG. 1 or the encryption device of FIG. 2.
  • FIG. 2 is a block diagram illustrating a configuration example of an encryption system according to a second embodiment.
  • FIG. 5 is a diagram showing an example of a log acquisition command accepted as an instruction in the encryption system of FIG. 4.
  • FIG. 5 is a flow diagram for explaining an example of processing in a target device in the encryption system of FIG. 4.
  • FIG. 7 is a flow diagram following FIG. 6.
  • FIG. 6 is a flow diagram following FIG. 6.
  • FIG. 5 is a sequence diagram showing an example of the overall processing in the encryption system of FIG. 4.
  • FIG. 9 is a sequence diagram following FIG. 8.
  • FIG. 10 is a flow diagram for explaining an example of processing in a target device in an encryption system according to a third embodiment.
  • FIG. It is a diagram showing an example of the hardware configuration of the device.
  • FIG. 1 is a block diagram illustrating a configuration example of an encryption system according to a first embodiment.
  • the encryption system 1 can include an acquisition section 1a, an encryption section 1b, a reception section 1c, a storage section 1d, and a control section 1e.
  • the encryption system 1 includes a device from which log data is to be collected (hereinafter referred to as a target device) and a log collection device that collects logs from the target device, and collects various types of log data in the target device. Therefore, the encryption system 1 can be called a log collection system.
  • the type of target device does not matter, as long as it can record logs.
  • the log collection device can be installed at the same location as the target device and directly connected to the target device, or can be installed at a remote location to the target device and connected via a network.
  • the target device can include an acquisition unit 1a, an encryption unit 1b, a reception unit 1c, a storage unit 1d, and a control unit 1e.
  • a recording medium as one element constituting the storage unit 1d
  • the present invention is not limited to this, such as providing the external device connected to the target device. Note that the storage unit 1d and the recording medium will be described later.
  • the target device may adopt a configuration in which functions are distributed among multiple devices, and in that case, a method for distributing the acquisition unit 1a, encryption unit 1b, reception unit 1c, storage unit 1d, and control unit 1e It doesn't matter.
  • each device may be provided with the functions of the encryption section 1b and the storage section 1d, and one of the devices may be provided with the acquisition section 1a, the reception section 1c, and the control section 1e.
  • the acquisition unit 1a acquires log data in the target device. Regardless of the method of acquiring log data, it is possible to acquire log data of a type and period that are predetermined or included in instructions described below, for example.
  • the encryption unit 1b encrypts the log data acquired by the acquisition unit 1a. However, as will be described later, the encryption unit 1b encrypts a specified range of log data, and does not encrypt log data outside the range. Further, the encryption method used in the encryption unit 1b is not limited as long as the encrypted data can be decrypted.
  • the reception unit 1c receives an instruction specifying the range to be encrypted by the encryption unit 1b before the acquisition unit 1a starts acquiring log data.
  • This instruction may be sent from a log collection device connected to the target device via a network or P2P. Therefore, the reception unit 1c can include a communication unit (not shown) that communicates with the log collection device.
  • This communication unit can include an interface for communicating with the outside wirelessly or by wire.
  • the function of the log collection device may be provided in the target device.
  • the encryption system 1 is constituted by the target device, and the above-mentioned instructions are also accepted from an operation unit provided in the target device.
  • the storage unit 1d stores encrypted log data and plaintext log data.
  • the storage unit 1d can be a storage device including a recording medium and a writing unit that writes data to the recording medium.
  • the type of recording medium does not matter.
  • the control unit 1e controls the timing of acquisition of log data by the acquisition unit 1a, the start and end positions of encryption by the encryption unit 1b, and the storage of log data by the storage unit 1d, based on the above range. .
  • the control unit 1e inserts a start flag indicating the start position and an end flag indicating the end position into the start position and end position indicated by the range accepted by the receiving unit 1c, respectively, and executes encryption.
  • the encryption unit 1b is controlled so as to At this time, the control unit 1e also controls the acquisition unit 1a to acquire log data based on the above range. In this way, the encryption system 1 can partially encrypt log data.
  • control unit 1e stores the encrypted data for the portion of the log data that falls within the above range, and stores the plain text data for the portion of the log data that does not fall within the above range into separate files (separate files). It is stored in the storage unit 1d as a log file).
  • the control unit 1e when the entire range of log data is specified as the above range, the control unit 1e performs encryption so that encryption is executed without performing control to insert a start flag and an end flag. 1b.
  • a start flag and an end flag are not inserted, and a log file that does not include a start flag and an end flag is stored in the storage unit 1d.
  • the control unit 1e can be realized by, for example, a CPU (Central Processing Unit), a working memory, a nonvolatile storage device that stores a program, and the like.
  • This program can be a program for causing the CPU to execute the processing of the acquisition section 1a, the encryption section 1b, the reception section 1c, and the writing section of the storage section 1d.
  • the recording medium of the storage device provided in the control section 1e can also be used as a recording medium of the storage section 1d.
  • the target device also includes a transmitter that transmits the file (log file) stored in the storage unit 1d to the log collection device that is the instruction device that sent the instruction, in response to the instruction received by the reception unit 1c. be able to.
  • This transmitting section can utilize a communication section provided in the receiving section 1c.
  • the target device includes an encryption unit 1b, a reception unit 1c, a storage unit 1d, and a transmission unit that transmits the log files stored in the storage unit 1d to the log collection device, and is configured as a log data collection target. It can be made into a device.
  • the log collection device is a device that transmits an instruction to the reception unit 1c to be accepted by the reception unit 1c.
  • the log collection device can include a control unit that controls the entire log collection device, and a communication unit that communicates with the target device.
  • This communication unit can include an interface for communicating with the outside wirelessly or by wire.
  • the log collection device can be configured to receive the log file stored in the storage unit 1d via the communication unit.
  • the control unit of the log collection device can be realized by, for example, a CPU, a working memory, a nonvolatile storage device that stores a program, and the like.
  • This program can be a program for causing the CPU to execute a process of generating an instruction to be transmitted to the reception unit 1c and a process of transmitting the instruction to the target device via the communication unit.
  • the recording medium of the storage device provided in the control unit of the log collection device can also be used as a recording medium for storing log files received in this manner.
  • the encryption system 1 can be configured as multiple devices with distributed functions, as illustrated by the log collection device and the target device, and the functions of each part illustrated as the target device are also distributed among multiple devices.
  • the distribution method is not limited.
  • each device is equipped with a control unit, a communication unit, and if necessary, a storage unit, etc., and the multiple devices are connected by wireless or wired communication.
  • the functions of the encryption system 1 may be realized by connecting and cooperating as necessary.
  • the encryption system 1 can be constructed as one encryption device 2 including an acquisition section 1a, an encryption section 1b, a reception section 1c, a storage section 1d, and a control section 1e.
  • FIG. 2 is a block diagram showing an encryption device 2 that is an example of the configuration of the encryption system 1 in FIG.
  • the encryption device 2 may be a device that has the functions of the target device described above, or a device that has the functions of the target device and the functions of the log collection device.
  • the encryption device 2 may be configured to include a computer device including hardware including, for example, one or more processors and one or more memories. At least a part of the functions of each part in the encryption device 2 can be realized by one or more processors operating according to a program read from one or more memories.
  • FIG. 3 is a flow diagram for explaining an example of an encryption method in the encryption system 1 or the encryption device 2.
  • the encryption method in the encryption system 1 will be described below, but the encryption method in the encryption device 2 is also similar.
  • the encryption system 1 receives an instruction specifying a range to perform encryption (step S1). Based on this instruction, the encryption system 1 acquires log data (step S2). Next, the encryption system 1 determines whether the instruction indicates that the entire range is to be encrypted (step S3).
  • step S3 the encryption system 1 executes encryption for the entire range of log data within the above range without inserting a start flag and an end flag, that is, without going through step S5 described below. (Step S6). Then, the encrypted log data is stored as one log file (step S7).
  • step S3 it is determined whether the log data acquired in step S2 falls within the above range. Then, for the log data determined as YES in step S4, that is, the log data corresponding to the above range, the encryption system 1 inserts a start flag and an end flag at the start position and end position of the log data in the above range, respectively. (Step S5). After that, the encryption system 1 executes encryption (step S6). Thereafter, the process similarly advances to step S7, and the encrypted log data is stored as one log file.
  • the encryption system 1 stores the plaintext data as one file (step S8).
  • step S2 the timing of obtaining the log data in step S2 is in the order shown in the figure, if it is the target to be encrypted, before encryption, and if it is in plain text, before the log file is stored (step S8). No question.
  • the encryptable log collection process has been described.
  • any method of decrypting an encrypted log file is not concerned.
  • the encrypted log file stored in this embodiment can be viewed by employing a decryption method that corresponds to the encryption method.
  • this log file can be viewed by employing a general-purpose decryption method.
  • the plaintext log file stored in this embodiment is a separate file from the encrypted log file, it can be viewed as is.
  • log data is not entirely encrypted when collecting logs from the target device, but only the confidential information is hidden by partially encrypting it, and only the information that can be provided is stored in the plain text log file. It can be published by doing this. For example, by partially encrypting the log, the information that can be published in the log, such as time information, can be immediately known, making it possible to quickly check the log when a problematic event occurs.
  • the configuration allows selection of whether or not encryption is required, it is possible to collect logs without the hassle of decryption even when debugging, such as during in-house testing, where encryption is not required. .
  • the log data when collecting logs of the target device, the log data can be partially encrypted, so the time occupied by CPU resources due to encryption can be shortened, and the log data of the target device can be partially encrypted.
  • the load can be reduced.
  • Embodiment 2 will be described with reference to FIGS. 4 to 9, focusing on the differences from Embodiment 1, but various examples described in Embodiment 1 can be applied.
  • FIG. 4 is a block diagram showing a configuration example of an encryption system according to the second embodiment
  • FIG. 5 is a diagram showing an example of a log acquisition command accepted as an instruction in this encryption system.
  • the encryption system shown in FIG. 4 may include a target device 10 that functions as an encryption device according to the present embodiment, and a log collection device 20 that collects log files from the target device 10. can.
  • the log collection device 20 may encrypt and collect log files at the location where the target device 10 is installed, or may encrypt and collect log files from the target device 10 connected remotely. Good too.
  • this system includes one target device 10.
  • this system includes a plurality of target devices 10 for one log collection device 20, and the log collection device 20 sends instructions to each of the plurality of target devices 10 and collects log files from each. It can also be configured as
  • the log collection device 20 can include a control section 21, an operation section 22, a storage section 23, and a communication section 24.
  • the log collection device 20 can be composed of a single device or a distributed device.
  • the control unit 21 is a control unit that controls the entire log collection device 20.
  • the control unit 21 can be realized by, for example, a CPU, a working memory, a nonvolatile storage device that stores a program, and the like.
  • This program can include a program for causing the CPU to execute processing for acquiring logs.
  • the storage device provided in the control section 21 can also be used as a storage section 23, which will be described later.
  • the operation unit 22 receives an operation for requesting a log file from the target device 10 that is the target of log collection, passes the operation details to the control unit 21, and the control unit 21 requests a log file according to the operation details. be able to.
  • This request is a command that requests (instructs) the target device 10 to acquire a log, and is hereinafter referred to as a log acquisition command.
  • the log acquisition command must include information indicating the log type to be collected, information indicating whether encryption is required, and information indicating the specified encryption range (in the case of partial encryption). I can do it.
  • These pieces of information that can be included in the log acquisition command, that is, parameters, can be specified from the operation unit 22, for example.
  • the above-described information indicating the log type can be information indicating the type of log to be collected, such as a log of a certain application installed in the target device 10 or a log of a certain device provided in the target device 10. .
  • the information indicating the log type will be described as being expressed as a log acquisition command name.
  • each log acquisition command includes information indicating the log type, or the target device 10 is configured to be able to determine the log type from the log acquisition command name.
  • the above-mentioned information indicating whether or not encryption is necessary can be information indicating either fully encrypted, partially encrypted, or no encryption required.
  • the above-mentioned information indicating the encryption range is information that specifies the encryption range for a log acquisition command in which partial encryption is specified, and is an invalid parameter in cases other than partial encryption.
  • the information indicating the encryption range may be information indicating the range specified by the processing content, such as from processing ⁇ to processing ⁇ , for the log type indicated by the log acquisition command, or from the first date and time to the second date and time.
  • the information can be information indicating the processing period.
  • the information indicating the encryption range may be a combination thereof.
  • the range specified by the processing content includes multiple ranges such as from processing ⁇ to processing ⁇ and from processing ⁇ to processing ⁇ , or from the first date and time to the second date and time and from the third date and time to the fourth date and time. It is also possible to have multiple processing periods.
  • the operations accepted by the operation unit 22 can include an operation of inputting information indicating the target device 10 that is the target of log collection.
  • the operations accepted by the operation unit 22 can include operations for inputting information included in the log acquisition command. Therefore, the accepted operations include information indicating the log data to be acquired or the type of the log data, information indicating whether or not to perform encryption, and if encryption is to be performed, whether to execute all or part of the target.
  • the operation may include an operation of inputting information indicating whether to execute the process.
  • the accepted operation can include an operation of inputting information indicating the encryption range.
  • the operation unit 22 may simply accept an operation to input information indicating the target device 10.
  • the control unit 21 can read or generate a log acquisition command based on predetermined contents regarding the necessity of encryption and specification of the encryption range (in the case of partial encryption).
  • the storage unit 23 is a storage device that stores the log file received from the target device 10 via the communication unit 24 in response to the above request.
  • the communication unit 24 transmits the above request to the target device 10 under the control of the control unit 21, and receives the log file as a response.
  • the communication unit 24 can include a wired or wireless communication interface.
  • the target device 10 is an example of the encryption device 2 in FIG.
  • the target device 10 can include a main control section 11 that controls the entire device, and a communication section 12 that communicates with the outside. Under the control of the main control unit 11, a functional unit that realizes an original function (not shown) in the target device 10 can be operated.
  • the target device 10 can include the following components in order to function as an encryption device. That is, the target device 10 includes a log acquisition section 15, a buffer section 16, an encryption section 17, a writing section 18, and a log acquisition section 16, respectively, as examples of the acquisition section 1a, encryption section 1b, storage section 1d, and control section 1e in FIG. A recording medium 19 and a generation control section 14 can be provided.
  • the communication unit 12 also has the function of the reception unit 1c in FIG. 2 as well as the function of transferring log files to the log collection device 20.
  • the log acquisition unit 15, the buffer unit 16, the encryption unit 17, the writing unit 18, the recording medium 19, and the generation control unit 14 can function as the log generation unit 13 that generates logs in cooperation with each other.
  • the target device 10 can be composed of a single device or a distributed device.
  • the main control unit 11 is a control unit that controls the entire target device 10.
  • the main control unit 11 can be realized by, for example, a CPU, a working memory, a nonvolatile storage device storing a program, and the like.
  • This program can be a program for causing the CPU to execute a process for instructing the generation control unit 14 of the log generation unit 13 to perform the process in the functional unit and the process related to log acquisition for functioning as an encryption device.
  • the storage device provided in the main control section 11 can also be used as a recording medium 19.
  • the communication unit 12 receives a log acquisition command from the log collection device 20, and transmits a log file in response.
  • the communication unit 12 can include a wired or wireless communication interface.
  • the log generation unit 13 generates a log file under control from the main control unit 11. Specifically, the log generation unit 13 receives the log acquisition command received by the communication unit 12 from the main control unit 11, thereby causing the components included in the log generation unit 13, such as the generation control unit 14, to cooperate. Through this cooperation, the log generation unit 13 generates a log file and transmits the log file via the communication unit 12, as described below.
  • the generation control unit 14 is a control unit that controls the entire log generation unit 13 under control from the main control unit 11.
  • the generation control unit 14 receives the log acquisition command received by the communication unit 12 from the main control unit 11, generates a log file according to the log acquisition command, and transmits the log file via the communication unit 12.
  • this log acquisition command can include the necessity of encryption and the specified encryption range in the case where partial encryption is performed.
  • the generation control unit 14 determines whether encryption is necessary or not, whether full encryption/partial encryption is required. It can be said that it is possible to know the changes.
  • the generation control unit 14 determines the timing of acquisition of log data by the log acquisition unit 15, the start and end positions of encryption by the encryption unit 17, and the recording medium 19 of log data by the writing unit 18. Write to and control.
  • the generation control unit 14 performs control to start collecting logs according to the log acquisition command received from the main control unit 11 in accordance with the contents described in the log acquisition command.
  • This control includes control over the log acquisition section 15, encryption section 17, and writing section 18, and for each of them, log data acquisition processing, log data encryption processing, log data file creation, and file writing are performed. Execute the process. Further, the generation control unit 14 returns the written log file, which is the written file, to the log collection device 20 that sent the log acquisition command via the communication unit 12.
  • the generation control unit 14 inserts an encryption start flag indicating the start position and an encryption end flag indicating the end position into the start position and end position indicated by the encryption range, respectively, and performs encryption.
  • the encryption unit 17 is controlled to execute the following.
  • the generation control unit 14 executes encryption without controlling to insert the encryption start flag and the encryption end flag. Controls the encryption unit 17. As a result, when encrypting the entire range of log data, the encryption start flag and encryption end flag are not inserted, and a log file that does not include the encryption start flag and encryption end flag is stored in the recording medium 19. It will be remembered.
  • the generation control unit 14 performs the following control as the log data file creation and file writing processing described above. That is, the generation control unit 14 generates separate logs by storing the encrypted data for the portion of the log data that falls within the encryption range, and the plain text data for the portion of the log data that does not fall within the encryption range.
  • the writing unit 18 is controlled so as to store it as a file.
  • a partial range of log data when a partial range of log data is specified as an encryption range in a log acquisition command, a part of the log data including the encryption range and larger than the encryption range is specified in the log acquisition command. Contain instructions to specify the range of log acquisition.
  • the operation unit 22 of the log collection device 20 also accepts an operation that specifies information indicating a partially encrypted log acquisition range, and the control unit 21 includes this information in the log acquisition command and sends it to the target device via the communication unit 24. 10.
  • the target device 10 it is also possible to know the range for acquiring log data in plain text from the partially encrypted log acquisition range and the encrypted range.
  • the generation control unit 14 controls the writing unit 18 to collectively store the encrypted data obtained in the partially encrypted log acquisition range as one log file 19a. Furthermore, the generation control unit 14 causes the writing unit 18 to store all the plaintext data obtained in a part (range) excluding the encrypted range of the partially encrypted log acquisition range as one log file 19b. control. With this control, even if the partially encrypted log acquisition range includes multiple encrypted ranges, all the data encrypted for these encrypted ranges are combined into one log file 19a, and the remaining ranges are All the plaintext data is combined into one log file 19b.
  • the partially encrypted log acquisition range is specified as the encryption range from processing ⁇ to processing ⁇ and from processing ⁇ to processing ⁇ , one encrypted log file 19a and one plaintext log file 19b are stored.
  • the same concept can be applied even when the encryption range is specified in multiple processing periods, such as from the first date and time to the second date and time and from the third date and time to the fourth date and time.
  • the first date and time, the second date and time, the third date and time, and the fourth date and time are explained as dates and times that are closer to the present in this order.
  • the encrypted log data from the first date and time to the second date and time and the encrypted log data from the third date and time to the fourth date and time are stored as one log file.
  • Plaintext log data from the second date and time to the third date and time, plaintext log data from the start date and time of the partially encrypted log acquisition range to the first date and time, and from the fourth date and time to the end date and time of the partially encrypted log acquisition range plaintext log data is stored as one log file.
  • the start date and time of the partially encrypted log acquisition range and the first date and time are the same, the corresponding plaintext log data does not exist, and the end date and time of the partially encrypted log acquisition range and the fourth date and time are the same. In this case, the corresponding plaintext log data does not exist.
  • the log acquisition unit 15 acquires the log data in the target device 10 instructed by the log acquisition command, and temporarily stores it in the buffer unit 16.
  • the buffer unit 16 is a temporary storage buffer for log data acquired by the log acquisition unit 15, and the temporarily stored log data is used when encrypted by the encryption unit 17 or written by the write unit 18. .
  • the encryption unit 17 encrypts the log data in the range (encryption range) specified by the log acquisition command among the log data acquired by the log acquisition unit 15.
  • the encryption method in the encryption unit 17 does not matter, as long as the encrypted data can be decrypted.
  • the encryption unit 17 also sets an encryption start flag to the start point indicated by the encryption range, and sets an encryption end flag to the encryption end point indicated by the encryption range.
  • the encryption start flag and encryption end flag can be set by inserting the encryption start flag and encryption end flag, respectively.
  • the encryption unit 17 encrypts the plaintext log data to be encrypted, which is temporarily stored in the buffer unit 16, by storing it in a byte array and using the set encryption method and password, for example.
  • the encryption method and password can also be set, and the setting of the encryption method must be accepted from the operation unit (not shown) of the target device 10, or be made according to the contents described in the log acquisition command. I can do it.
  • the password can be set according to the contents described in the log acquisition command, but is not limited thereto.
  • the encryption method used by the encryption unit 17 does not matter, such as using public key encryption, TLS (Transport Layer Security), SSL (Secure Socket Layer), or the like.
  • the encryption unit 17 can temporarily store the encrypted log data in the buffer unit 16. However, the encrypted log data can also be temporarily stored in a buffer section provided within the encryption section 17.
  • the writing unit 18 performs control to convert encrypted log data and plaintext log data temporarily stored in the buffer unit 16 into a file and write the file into a recording medium 19.
  • the recording medium 19 stores at least one of a log file for encrypted flagged log data, a log file for encrypted log data without a flag, and a log file for plaintext log data. That will happen.
  • the type of recording medium 19 does not matter, and may be, for example, a hard disk drive, a solid state drive, or a portable recording medium.
  • the recording medium 19 may be a storage device used by the target device 10 to perform its original functions.
  • the generation control unit 14 and the log acquisition unit 15 are subsystems for causing the CPU of the main control unit 11 to execute log generation, log file return processing via the communication unit 12, and log data acquisition processing, respectively.
  • the encryption unit 17 and the writing unit 18 may be configured with subprograms for causing the CPU of the main control unit 11 to execute processing for encrypting log data and processing for creating and writing log data into a file, respectively. can.
  • these parts are not limited to being composed of subprograms; for example, the encryption unit 17 can be composed of hardware that performs encryption.
  • FIG. 6 is a flowchart for explaining an example of processing in the log generation unit 13 of the target device 10 in this system
  • FIG. 7 is a flowchart following FIG. 6.
  • FIGS. 6 and 7 an example of processing for a certain log acquisition command will be explained as an example, but if there are multiple log acquisition commands for the target device 10, the following process will be executed for each log acquisition command. be done.
  • step S11 when the generation control unit 14 first receives the log acquisition command from the log collection device 20, it checks the information (parameters) written in the log acquisition command (step S11). Next, the generation control unit 14 determines whether encryption is necessary based on the check result (step S12).
  • step S12 the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, and causes the buffer unit 16 to temporarily store the collected log data in plain text. (Step S13). Next, the generation control unit 14 controls the writing unit 18 to convert the plaintext log data temporarily stored in the buffer unit 16 into a file and write it to the recording medium 19 (step S14), and ends the process.
  • step S12 the generation control unit 14 determines whether or not part of the data is encrypted (or all of it is encrypted) based on the check result in step S11 (step S15). ). If all are to be encrypted, that is, if NO in step S15, the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, and temporarily saves the collected log data in the buffer unit 16 in plain text. (Step S16).
  • the generation control unit 14 causes the encryption unit 17 to execute encryption on the log data temporarily stored in the buffer unit 16, and causes the encrypted log data to be temporarily stored in the buffer unit 16 (step S17). ).
  • the encryption unit 17 stores, for example, plaintext log data in a byte array, specifies an encryption method and password, and performs encryption.
  • the encryption method and password may be set in the log acquisition command or may be determined in advance.
  • the generation control unit 14 controls the writing unit 18 to convert the encrypted log data temporarily stored in the buffer unit 16 into a file and write it to the recording medium 19 (step S18), and ends the process.
  • step S15 If partial encryption is to be performed, that is, if YES in step S15, the generation control unit 14 executes the loop process from the start of the loop (step S21s) to the end of the loop (step S21e) until the log acquisition command ends. Execute.
  • the generation control unit 14 When performing partial encryption, the encryption start position is specified by the encryption range in any of the partial encryption log acquisition ranges. Therefore, the generation control unit 14 first determines whether the encryption start position is the one indicated by the check result in step S11 based on the current acquisition status of the log data (step S22). Note that at the beginning of the loop process, if the start position of the partially encrypted log acquisition range and the encryption start position match, YES is returned in step S22; otherwise, in other words, the unencrypted If there is a range, the answer in step S22 is NO.
  • step S22 the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, and temporarily stores the collected log data in the buffer unit 16 in plain text (step S23).
  • step S24 the generation control unit 14 determines whether it is the encryption start position based on the current acquisition status of the log data (step S24). If NO in step S24, the process in step S23 is continued.
  • the generation control unit 14 continues the process in step S23 until the sequence advances to the encryption start position (until YES in step S24).
  • the generation control unit 14 saves the plaintext log data temporarily stored in the buffer unit 16 to the first file, which is a file for plaintext.
  • the writing unit 18 is controlled to write to (step S25).
  • step S25 in the first loop in which the first file is not generated, the generation control unit 14 controls the writing unit 18 to generate the first file by converting the temporarily saved plaintext log data into a file. and write it on the recording medium 19.
  • step S25 the generation control unit 14 causes the writing unit 18 to add the temporarily stored plaintext log data to the first file stored in the recording medium 19.
  • step S26 the generation control unit 14 causes the encryption unit 17 to insert an encryption start flag (step S26).
  • the log data of only the encryption start flag for the encryption section may be temporarily stored in the buffer section 16.
  • step S27 the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, temporarily stores the collected log data in the buffer unit 16 in plain text (step S27), and places the encryption end point It is determined whether the process has proceeded to (step S28). If NO in step S28, the process in step S27 is continued.
  • step S28 the generation control unit 14 controls the encryption unit 17 to insert an encryption end flag at the end of the temporarily saved log data. Then, the encryption unit 17 is caused to execute the insertion (step S29).
  • the generation control unit 14 causes the encryption unit 17 to execute encryption on the flagged log data temporarily stored in the buffer unit 16, and causes the encrypted log data to be temporarily stored in the buffer unit 16.
  • the encryption unit 17 stores, for example, plaintext log data in a byte array, specifies an encryption method and password, and performs encryption.
  • the encryption method and password may be set in the log acquisition command or may be determined in advance.
  • the generation control unit 14 controls the writing unit 18 to write the encrypted log data that has been temporarily stored in the buffer unit 16 into the second file, which is an encryption file (step S31).
  • step S31 in the first loop in which the second file is not generated, the generation control unit 14 controls the writing unit 18 to generate the second file by converting the temporarily stored encrypted log data into a file. It is generated and written on the recording medium 19.
  • step S31 the generation control unit 14 causes the writing unit 18 to add the temporarily stored encrypted log data to the second file stored in the recording medium 19.
  • FIG. 8 is a sequence diagram showing an example of the overall processing in this system
  • FIG. 9 is a sequence diagram following FIG. 8.
  • the log collection device 20 transmits a log acquisition request, which is a log acquisition command, to the target device 10, and the generation control unit 14 receives it (step S100).
  • a log acquisition request which is a log acquisition command
  • the generation control unit 14 receives it (step S100).
  • the log acquisition command can be specified from the operation unit 22 of the log collection device 20 etc.
  • the contents set by the log acquisition command must be determined in advance, that is, it cannot be changed by the user of the log collection device 20. You can also make it impossible.
  • step S101 the generation control unit 14 checks the parameters set in the received log acquisition command (step S101).
  • Loop processing is executed for the number of log acquisition commands received. In this loop process, one of the following processes will be executed: no encryption, full encryption, or partial encryption, depending on the check result for the target log acquisition command. .
  • the generation control unit 14 executes the log acquisition command, thereby starting temporary storage (buffering) of the log data in the buffer unit 16 (step S102).
  • the generation control unit 14 requests the writing unit 18 to convert the log data into a file (step S103), and the writing unit 18 executes the file conversion and writes the plaintext log file to the recording medium 19. It is stored (step S104).
  • the writing unit 18 notifies the generation control unit 14 that the file creation has been completed in response to the request (step S105).
  • the generation control unit 14 transmits (transfers) the plaintext log file stored in the recording medium 19 to the log collection device 20 via the communication unit 12 (step S106), and ends the process. .
  • step S107 If the log acquisition command is to encrypt everything, the generation control unit 14 executes the log acquisition command, and temporary storage of the log data in the buffer unit 16 is started (step S107). Next, the generation control unit 14 transmits an encryption request to the encryption unit 17 (step S108), and the encryption unit 17 responds to the request and executes encryption of the temporarily stored log data (step S109). ), notifies the generation control unit 14 of the end of encryption (step S110).
  • the generation control unit 14 Upon receiving this notification, the generation control unit 14 requests the writing unit 18 to convert the log data into a file (step S111), and the writing unit 18 executes the file conversion and stores the encrypted data on the recording medium 19. The converted log file is stored (step S112). Next, the writing unit 18 notifies the generation control unit 14 that the file creation has been completed in response to the request (step S113). Next, the generation control unit 14 transmits (transfers) the encrypted log file stored in the recording medium 19 to the log collection device 20 via the communication unit 12 (step S114), and ends the process.
  • the encryption start position is not necessarily the beginning of the log data. Therefore, by executing the log acquisition command, the generation control unit 14 temporarily stores the log data in the buffer unit 16 as a process in a non-encrypted interval until the encryption start position is reached (step S126). . After that, the generation control unit 14 requests the writing unit 18 to convert the log data into a file (step S127), and the writing unit 18 executes the conversion into a file and writes the plaintext log file to the recording medium 19. It is stored (step S128). Next, in response to the request, the writing unit 18 notifies the generation control unit 14 that the file creation in this non-encrypted range has been completed (step S129). If there is the next unencrypted range, plaintext log data may be added to the plaintext log file stored in the recording medium 19 in step S127.
  • step S115 the generation control unit 14 executes a log acquisition command to start temporarily storing the log data in the buffer unit 16 (step S115).
  • step S116 the generation control unit 14 transmits an encryption start request to the encryption unit 17 (step S116).
  • step S117 the encryption unit 17 inserts an encryption start flag into the encryption start position of the unencrypted log data temporarily stored in step S115 (step S117), and generates an encryption start response. It is returned to the control unit 14 (step S118).
  • step S119 When the process progresses to the encryption end position, the generation control unit 14 transmits an encryption end request to the encryption unit 17 (step S119).
  • the encryption unit 17 inserts an encryption end flag at the end of the log data that is continuously temporarily stored in step S115 (step S120), and inserts an encryption end flag into the end of the log data that is continuously temporarily stored in step S115. Encryption is performed (step S121). Thereafter, the encryption unit 17 returns an encryption completion response to the generation control unit 14 (step S122).
  • the generation control unit 14 requests the writing unit 18 to create a file of the encrypted log data for that section (step S123). Upon receiving this request, the writing unit 18 executes file creation and stores the encrypted log file in the recording medium 19 (step S124). Next, in response to the request, the writing unit 18 notifies the generation control unit 14 that the file creation within this encryption range has been completed (step S125). If there is the next encrypted range, the encrypted log data may be added to the encrypted log file stored in the recording medium 19 in step S124.
  • the generation control unit 14 transmits (transfers) one plaintext log file and one encrypted log file stored in the recording medium 19 to the log collection device 20 via the communication unit 12 (step S130), Finish the process.
  • Embodiment 1 in addition to the effects of Embodiment 1, even when a log acquisition command includes multiple encryption ranges, multiple encryption ranges are combined into one encrypted log file. can be obtained as Furthermore, according to the present embodiment, even if a log acquisition command includes one or more encrypted ranges and as a result includes multiple unencrypted ranges, multiple unencrypted ranges are included.
  • the converted range can be obtained as a single plaintext log file.
  • the log acquisition command that partially encrypts includes information indicating the partially encrypted log acquisition range.
  • information indicating the log acquisition range may be included for both the log acquisition command for encrypting everything and the log acquisition command for not encrypting.
  • the target device 10 can specify log data to be collected based on the log type and log acquisition range included in the log acquisition command for these two types of log acquisition commands.
  • the generation control unit 14 in this embodiment determines the insertion positions of the encryption start flag and the encryption end flag during execution of the log acquisition command, and It has a function to switch between encryption, partial encryption (partial encryption), and full encryption. By providing such a function, it is possible to switch processing and generate a log file in response to any of these three types of requests from the log collection device 20, and to transfer the log file to the log collection device 20. I can do it.
  • the encrypted log file can be decrypted by ignoring these flags.
  • these flags can be used when sequentially viewing log files for one log acquisition command.
  • the encrypted log file can be decrypted first, and the encrypted range and non-encrypted range can be presented in that order. Which comes first, the encrypted range or the non-encrypted range, is known after the log acquisition command is generated by the log collection device 20, so it can be obtained by referring to the log acquisition command.
  • the next unencrypted range of the plaintext log file is read and presented, and when the presentation of the unencrypted range of the plaintext log file is finished, the next encryption start flag is used.
  • the next encrypted range can be read and presented.
  • Embodiment 3 will be described with reference to FIG. 10 and the like, focusing on the differences from Embodiment 2, but the various application examples described in Embodiments 1 and 2 can be applied to Embodiment 3 as well.
  • the configuration example of FIG. 4 can also be applied to the configuration example of the encryption system in the third embodiment, except for some processes, so the explanation will be based on the configuration example of FIG. 4.
  • a log acquisition command when a log acquisition command includes multiple encrypted ranges, the multiple encrypted ranges are collected as one encrypted log file, and the multiple unencrypted ranges are collected as one encrypted log file. I am trying to get it as a plain text log file.
  • the generation control unit 14 in this embodiment stores the encrypted log data in the recording medium 19 as one file every time the encryption range is delimited by the start position and end position, and stores the encrypted log data as one file in the recording medium 19.
  • the log data is stored in the recording medium 19 as one file.
  • log files are stored every time the encryption range is divided in the processing order, and each stored log file is sent to the log collection device 20. I can do it.
  • a specific example of a file storage method will be given below. If the encryption range from processing ⁇ to processing ⁇ and from processing ⁇ to processing ⁇ is specified in the log acquisition command, the following two encrypted log files will be stored as encrypted log files. . That is, encrypted log files from processing ⁇ to processing ⁇ and encrypted log files from processing ⁇ to processing ⁇ are stored. Further, continuous log data other than those processes can be made into plain text log files. For example, log data of a series of processes from after process ⁇ to before process ⁇ is stored as one plaintext log file.
  • the log data of that series of processes is stored as one plaintext log file
  • the log data of that series of processes is stored as one plaintext log file.
  • the log data of that series of processes is stored as one plaintext log file.
  • the same concept can be applied even when the encryption range is specified in multiple processing periods, such as from the first date and time to the second date and time and from the third date and time to the fourth date and time.
  • the first date and time, the second date and time, the third date and time, and the fourth date and time are explained as dates and times that are closer to the present in this order.
  • encrypted log files from the first date and time to the second date and time and encrypted log files from the third date and time to the fourth date and time are stored.
  • Plaintext log files up to date and time are stored. However, if the start date and time of the partially encrypted log acquisition range and the first date and time are the same, the corresponding plaintext log file does not exist, and the end date and time of the partially encrypted log acquisition range and the fourth date and time are the same. In this case, the corresponding plaintext log file does not exist.
  • information indicating the log acquisition range may be included in the log acquisition command for encrypting everything and the log acquisition command for not encrypting.
  • FIG. 10 is a flowchart for explaining an example of processing in the log generation unit 13 of the target device 10 in the encryption system according to the third embodiment, and is a flowchart for explaining another example of the processing following FIG. 6. It is a diagram.
  • the processing is the same in the case of no encryption and the case of all encryption, and the processing example in FIG. 6 can be applied.
  • FIG. 10 in the case of a log acquisition command that partially encrypts, processing at the encryption start position, processing at the encryption end position, and A loop process is executed in which any one of the processes in the non-encrypted section is executed.
  • the processes in steps S25 and S31 in FIG. 7 are changed to processes in steps S25a and S31a, respectively.
  • step S25a if the result in step S24 is YES, the generation control unit 14 converts the plaintext log data temporarily stored in the buffer unit 16, which is the target of the loop processing at that point, into a plaintext file.
  • the writing unit 18 is controlled to write to a certain first file.
  • step S25a the generation control unit 14 controls the writing unit 18 to generate a first file by converting the temporarily stored plaintext log data into a file and writes it into the recording medium 19.
  • the first file here is a first file for each target section. Therefore, the first file is stored as the first file for each target section for the number of times the loop process is YES in step S24. After step S25a ends, the process moves to the next loop process.
  • step S31a the generation control unit 14 writes the encrypted log data temporarily stored in the buffer unit 16, that is, the encrypted log data that has not been converted into a file, to a second file that is an encryption file.
  • the writing section 18 is controlled in such a manner.
  • step S31a the generation control unit 14 controls the writing unit 18 to create a second file by converting the temporarily stored encrypted log data, that is, the encrypted log data that has not been converted into a file, into a file. It is generated and written on the recording medium 19.
  • the second file here is a second file for each target section. Therefore, the second file will be stored as the second file for each target section for the number of times the loop process is YES in step S28. After step S31a ends, the process moves to the next loop process.
  • the encrypted log file can be decrypted by ignoring these flags.
  • these flags can be used when sequentially viewing encrypted log files for one log acquisition command.
  • the encrypted log file can be decrypted first, and the encrypted range and non-encrypted range can be presented in that order. Since this order is known after the log acquisition command is generated by the log collection device 20, it can be obtained by referring to the log acquisition command. Alternatively, this order can also be determined based on the last save date and time of the log file.
  • the next unencrypted range of the plaintext log file is read and presented, and when the presentation of the unencrypted range of the plaintext log file is finished, the next encryption start flag is used.
  • the next encrypted range can be read and presented.
  • the target device 10 is provided with a function to switch between the processes of the second embodiment and the third embodiment, and information indicating which process is applied is included in the log acquisition command sent by the log collection device 20. You can also do that.
  • FIG. 11 is a diagram showing an example of the hardware configuration of the device. Note that the same applies to the other embodiment [a] above.
  • the device 100 shown in FIG. 11 can include a processor 101, a memory 102, and a communication interface (I/F) 103.
  • the processor 101 may be, for example, a microprocessor, an MPU (Micro Processor Unit), or a CPU.
  • Processor 101 may include multiple processors.
  • the memory 102 is configured, for example, by a combination of volatile memory and nonvolatile memory. The functions of each device described in the first to third embodiments are realized by the processor 101 reading and executing a program stored in the memory 102. At this time, information can be exchanged with other devices via the communication interface 103 or an input/output interface (not shown).
  • the program includes instructions (or software code) that, when loaded into a computer, cause the computer to perform one or more of the functions described in the embodiments.
  • the program may be stored on a non-transitory computer readable medium or a tangible storage medium.
  • computer readable or tangible storage media may include random-access memory (RAM), read-only memory (ROM), flash memory, solid-state drive (SSD) or other memory technology, CD - Including ROM, digital versatile disc (DVD), Blu-ray disc or other optical disc storage, magnetic cassette, magnetic tape, magnetic disc storage or other magnetic storage device.
  • the program may be transmitted on a transitory computer-readable medium or a communication medium.
  • transitory computer-readable or communication media includes electrical, optical, acoustic, or other forms of propagating signals.
  • an acquisition unit that acquires log data; an encryption unit that encrypts log data; a reception unit that receives an instruction to specify a range to be encrypted by the encryption unit before starting acquisition of log data; a storage unit that stores log data; a control unit that controls the timing of acquisition of log data by the acquisition unit, the start and end positions of encryption by the encryption unit, and storage of log data by the storage unit, based on the range; Equipped with The control unit includes: The encryption unit is configured to perform encryption by inserting a start flag, which is a flag indicating the start position, and an end flag, which is a flag, which is a flag indicating the end position, into the start position and end position indicated by the range, respectively.
  • control If the entire range of log data is specified as the range, controlling the encryption unit to execute encryption without controlling to insert the start flag and the end flag; storing encrypted data for a portion of the log data that falls within the range, and storing plain text data for a portion of the log data that does not fall within the range as separate files in the storage unit; encryption system.
  • the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
  • the control unit stores the encrypted data obtained in the partially encrypted log acquisition range as one file in the storage unit, and excludes the range from the partially encrypted log acquisition range.
  • the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
  • the control unit stores the encrypted data as one file in the storage unit each time the range is divided by a start position and an end position, and stores the plaintext data as one file in the storage unit. to remember, Encryption system described in Appendix 1.
  • an instruction device that transmits an instruction to the reception unit to be accepted by the reception unit; a target device from which log data is to be collected, comprising the encryption unit, the reception unit, the storage unit, and a transmission unit that transmits the file stored in the storage unit to the instruction device; Equipped with The encryption system according to any one of Supplementary Notes 1 to 3.
  • the encryption unit is configured to perform encryption by inserting a start flag, which is a flag indicating the start position, and an end flag, which is a flag, which is a flag indicating the end position, into the start position and end position indicated by the range, respectively.
  • control If the entire range of log data is specified as the range, controlling the encryption unit to execute encryption without controlling to insert the start flag and the end flag; storing encrypted data for a portion of the log data that falls within the range, and storing plain text data for a portion of the log data that does not fall within the range as separate files in the storage unit; Encryption device. (Appendix 6) When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range; The control unit stores the encrypted data obtained in the partially encrypted log acquisition range as one file in the storage unit, and excludes the range from the partially encrypted log acquisition range.
  • the encryption device storing the plaintext data obtained in the above sections as one file in the storage unit;
  • the encryption device according to appendix 5.
  • the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
  • the control unit stores the encrypted data as one file in the storage unit each time the range is divided by a start position and an end position, and stores the plaintext data as one file in the storage unit. to remember,
  • the encryption device according to appendix 5. comprising a transmitter configured to transmit the file stored in the storage unit to the instruction device that transmitted the instruction in response to the instruction received by the reception unit;
  • the encryption device according to any one of Supplementary Notes 5 to 7.
  • (Appendix 9) obtaining log data; encrypting log data; Before starting to acquire log data, accept instructions to specify the range to be encrypted. storing log data; and Based on the range, controlling the timing of log data acquisition, the start and end positions of encryption, and the storage of log data; Equipped with The controlling includes: performing encryption by inserting a start flag that is a flag that indicates the start position and an end flag that is a flag that indicates the end position for the start position and end position indicated by the range, respectively; When the entire range of log data is specified as the range, performing encryption without inserting the start flag and the end flag; storing encrypted data for a portion of the log data that falls within the range, and storing data in plain text for a portion of the log data that does not fall within the range as separate files; encryption methods, including (Appendix 10) When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range.
  • the controlling means to collectively store the encrypted data obtained in the partially encrypted log acquisition range as one file, and to store the encrypted data obtained in the partially encrypted log acquisition range in a portion excluding the range from the partially encrypted log acquisition range. including storing the obtained plaintext data together as one file; Encryption method described in Appendix 9. (Appendix 11) When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including; The controlling includes storing the encrypted data as one file and storing the plaintext data as one file every time the range is divided by a start position and an end position. Encryption method described in Appendix 9.
  • Appendix 12 The encryption method according to any one of appendices 9 to 11, comprising transmitting the stored file to the instruction device that transmitted the instruction in response to the instruction received by the acceptance.
  • Appendix 13 obtaining log data; encrypting log data; Before starting to acquire log data, accept instructions to specify the range to be encrypted.
  • the controlling includes: performing encryption by inserting a start flag that is a flag that indicates the start position and an end flag that is a flag that indicates the end position for the start position and end position indicated by the range, respectively; When the entire range of log data is specified as the range, performing encryption without inserting the start flag and the end flag; storing encrypted data for a portion of the log data that falls within the range, and storing data in plain text for a portion of the log data that does not fall within the range as separate files; including, A computer-readable medium that stores a program for causing a computer to perform encryption processing.
  • the controlling includes storing the encrypted data as one file and storing the plaintext data as one file every time the range is divided by a start position and an end position.
  • the encryption process includes, in response to the instruction received by the acceptance, transmitting the stored file to the instruction device that transmitted the instruction.
  • the computer-readable medium according to any one of appendices 13 to 15.

Abstract

An encryption system (1) or an encryption device comprises: a reception unit (1c) that receives an instruction designating a range for execution of encryption prior to the start of log data acquisition; and a control unit (1e). The control unit (1e) controls, on the basis of the range, the timing of log data acquisition, the start position and the end position for encryption, and the saving of the log data. The control unit (1e) controls an encryption unit (1b) such that encryption is performed by inserting a start flag and an end flag, respectively, at the start position and the end position indicated by the range. If the entire range of the log data is designated as the range, the control unit (1e) controls the encryption unit (1b) such that encryption is performed without performing control to insert a start flag and an end flag. The control unit (1e) stores, in separate files, the post-encryption data for the log data of the portion corresponding to the range, and the as-is plaintext data for the log data of the portion that does not correspond to the range.

Description

暗号化システム、暗号化装置、暗号化方法、及びコンピュータ可読媒体Encryption system, encryption device, encryption method, and computer-readable medium
 本開示は、暗号化システム、暗号化装置、暗号化方法、及びプログラムに関する。 The present disclosure relates to an encryption system, an encryption device, an encryption method, and a program.
 様々な種類の装置において、昨今の高機能化によりログのデータ量が増大してきている。また、装置の種類や取り扱う情報によっては、ログデータの収集は秘匿性を保つことが求められる。 The amount of log data in various types of devices has been increasing due to recent advances in functionality. Furthermore, depending on the type of device and the information handled, log data collection must be kept confidential.
 例えば、特許文献1には、専用のツールや専用のユーザインタフェースを用いることなく、第三者への情報漏洩を防止した状態でログ情報を収集することを目的としたログ収集システムが記載されている。上記ログ収集システムは、フォーマット部、ログ取得部、暗号化部、及びログ書出部を備える。上記フォーマット部は、情報の読み書きが可能な外部メディアに対し、公開鍵をボリュームラベルに含めるフォーマットを行う。上記ログ取得部は、外部メディアが接続された際に、ログ情報を取得する。上記暗号化部は、取得したログ情報をボリュームラベルに含まれる公開鍵により暗号化する。上記ログ書出部は、暗号化したログ情報を外部メディアに書き出す。 For example, Patent Document 1 describes a log collection system that aims to collect log information while preventing information leakage to a third party without using a dedicated tool or a dedicated user interface. There is. The log collection system includes a formatting section, a log acquisition section, an encryption section, and a log writing section. The formatting unit formats an external medium on which information can be read and written to include a public key in a volume label. The log acquisition unit acquires log information when an external medium is connected. The encryption unit encrypts the acquired log information using a public key included in the volume label. The log writing section writes the encrypted log information to external media.
 また、秘匿性を保ちつつログデータを収集するために、特許文献1に記載の技術とは異なりファイル単位で暗号化する手法を採用することもできる。しかしながら、そのような手法では、装置の演算リソースを占有してしまい、運用中の装置への負荷を上げるリスクがあるといった課題がある。そのため、部分的に暗号化を実施することで、演算リソースの負荷低減を図る手法が提案されている。 Furthermore, in order to collect log data while maintaining confidentiality, it is also possible to adopt a method of encrypting each file, unlike the technique described in Patent Document 1. However, such a method has the problem that it occupies the computing resources of the device, and there is a risk of increasing the load on the device during operation. Therefore, a method has been proposed in which the load on computing resources is reduced by partially encrypting the data.
 また、特許文献2には、複雑な暗号化アルゴリズムによる処理を不要とすることにより高速回線に適応させ、冗長ビットによる伝送効率の悪化を抑制し、簡易な方式によりデータの秘匿を可能とすることを目的としたパケット通信方法が記載されている。上記パケット通信方法は、ビット同期によるデータ通信の際のデータの盗聴、改竄を防止するためのパケット通信方法であって、挿入ステップ、受信不可能ステップ、及び受信可能ステップを有する。上記挿入ステップは、伝送されるデータの単位であるフレームの開始、終了を示す同期フラグシーケンスをパケット通信におけるフレーム長が最小フレーム長以下となるように擬似的に挿入する。上記受信不可能ステップは、不許可の受信側では、最小フレーム長以下のフレームをショートフレームとして破棄させることにより盗聴、改竄しようとする不許可者の受信を不可能にする。上記受信可能ステップは、許可者の受信側では、擬似的に挿入された同期フラグシーケンスを削除して最小フレーム長以下のフレームを正規フレームとして受信することを可能にする。 Furthermore, Patent Document 2 describes a method that makes it possible to adapt to high-speed lines by eliminating the need for processing using complex encryption algorithms, suppressing the deterioration of transmission efficiency due to redundant bits, and making it possible to conceal data using a simple method. A packet communication method for this purpose is described. The above packet communication method is a packet communication method for preventing data eavesdropping and tampering during data communication using bit synchronization, and includes an insertion step, a reception impossible step, and a reception enable step. In the insertion step, a synchronization flag sequence indicating the start and end of a frame, which is a unit of data to be transmitted, is inserted in a pseudo manner so that the frame length in packet communication is equal to or less than the minimum frame length. In the reception disabling step, the unauthorized receiving side discards frames with a length equal to or less than the minimum frame length as short frames, thereby making it impossible for an unauthorized person who attempts to eavesdrop or tamper with reception. The reception enable step enables the receiving side of the authorized person to delete the pseudo-inserted synchronization flag sequence and receive a frame with a minimum frame length or less as a regular frame.
 特許文献3には、既存のWWW(World Wide Web)サーバやWWWブラウザに暗号機能を追加する必要のない、データ暗号化方法が記載されている。上記データ暗号化方法は、暗号化処理方法を含むデータ処理方法を指定する命令が組み込まれた暗号化対象データに対して、組み込まれた命令に従って暗号化処理を含むデータ処理を行なう。上記データ暗号方法は、暗号化する範囲を指定する暗号化範囲指定命令が組み込まれた暗号化対象データに対して、暗号化範囲指定命令で指定された範囲を暗号化する。 Patent Document 3 describes a data encryption method that does not require adding an encryption function to an existing WWW (World Wide Web) server or WWW browser. The data encryption method performs data processing including encryption processing on data to be encrypted in which an instruction specifying a data processing method including an encryption processing method is incorporated in accordance with the embedded instruction. The data encryption method described above encrypts the range specified by the encryption range specification command for encryption target data in which an encryption range specification command that specifies the range to be encrypted is incorporated.
 特許文献4には、ユーザデータの秘匿性と障害解析性とを両立することを目的としたログ記録装置が記載されている。上記ログ記録装置は、CDB(Command Description Block)判定手段、第1暗号化手段、及びログ出力手段を備える。上記CDB判定手段は、入力されるSCSI(Small Computer System Interface)ログデータに対し、CDB判定情報に基づいて、SCSIログデータのSCSI要求がユーザデータに関するものか関しないものかを判定する。上記第1暗号化手段は、ユーザデータに関するSCSI要求であると前記CDB判定手段が判定したSCSI要求について、SCSI要求のユーザデータを含む部分を暗号化キーに基づいて暗号化する。上記ログ出力手段は、ユーザデータに関しないSCSI要求であるとCDB判定手段が判定したSCSI要求と、第1暗号化手段からのユーザデータを含む部分が暗号化されたSCSI要求とを整形し、解析用ログファイルとして出力する。 Patent Document 4 describes a log recording device that aims to achieve both confidentiality of user data and failure analysis performance. The log recording device includes a CDB (Command Description Block) determination means, a first encryption means, and a log output means. The CDB determination means determines whether the SCSI request of the SCSI log data is related to user data or not, based on CDB determination information for the input SCSI (Small Computer System Interface) log data. The first encryption means encrypts, based on an encryption key, a portion of the SCSI request that the CDB determination means determines is a SCSI request regarding user data, including user data. The log output means formats and analyzes the SCSI request that the CDB determination means has determined is a SCSI request that does not relate to user data, and the SCSI request in which the portion including the user data from the first encryption means has been encrypted. output as a log file.
特開2017-215853号公報JP 2017-215853 Publication 特開平11-215190号公報Japanese Patent Application Publication No. 11-215190 特開平11-215122号公報Japanese Patent Application Publication No. 11-215122 特開2019-097028号公報JP2019-097028A
 しかしながら、特許文献2に記載の技術では、データの秘匿性を実現するために、装置のログデータの全てを暗号化する場合にも同期フラグシーケンスを挿入する必要がある。 However, in the technology described in Patent Document 2, in order to achieve data confidentiality, it is necessary to insert a synchronization flag sequence even when encrypting all of the log data of the device.
 また、特許文献3に記載の技術では、暗号化対象データが暗号化された部分と暗号化がなされていない部分とを含む場合だけでなく暗号化された部分のみを含む場合においても、復号範囲指定命令を組み込んだ1つの暗号化データとして出力する。よって、特許文献3に記載の技術を、装置のログデータの暗号化に適用したとしても、ログデータを全て暗号化する場合にも復号範囲指定命令を組み込んだ1つの暗号化ファイルが出力されることになる。 Furthermore, with the technology described in Patent Document 3, the decryption range is limited not only when the data to be encrypted includes an encrypted part and an unencrypted part, but also when it only contains an encrypted part. Output as one piece of encrypted data incorporating the specified instruction. Therefore, even if the technology described in Patent Document 3 is applied to encrypt the log data of the device, even when all the log data is encrypted, one encrypted file incorporating the decryption range specification command is output. It turns out.
 また、特許文献4に記載の技術も、暗号化された部分と暗号化がなされていない部分とを含む場合には1つのファイルとして出力するものであるため、復号するためには、喩え全て暗号化したファイルであっても暗号化したことを示す情報が必要となる。 In addition, the technology described in Patent Document 4 outputs as one file when it includes an encrypted part and an unencrypted part, so in order to decrypt it, even if all the parts are encrypted, Even if the file has been encrypted, information indicating that it has been encrypted is required.
 本開示は、上記課題を解決するためになされたもので、暗号化を行う範囲を指定して装置のログデータを暗号化する場合に、全ての範囲を暗号化する場合であっても範囲を示す情報が必要となることを回避することが可能な暗号化システム等を提供することにある。 The present disclosure has been made to solve the above problem, and when encrypting device log data by specifying the range to be encrypted, even if the entire range is encrypted, the range is An object of the present invention is to provide an encryption system etc. that can avoid the need for information to be displayed.
 第1の態様では、暗号化システムは、ログデータを取得する取得部と、ログデータを暗号化する暗号化部と、ログデータの取得開始前に、前記暗号化部で暗号化を実行する範囲を指定する指示を受け付ける受付部と、ログデータを記憶する記憶部と、前記範囲に基づき、前記取得部によるログデータの取得のタイミングと、前記暗号化部による暗号化の開始位置及び終了位置と、前記記憶部によるログデータの記憶と、を制御する制御部と、を備え、前記制御部は、前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行するように、前記暗号化部を制御し、前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグを挿入する制御を行わずに暗号化を実行するように前記暗号化部を制御し、前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして前記記憶部に記憶させる、ものである。 In a first aspect, the encryption system includes an acquisition unit that acquires log data, an encryption unit that encrypts the log data, and a range in which the encryption unit executes encryption before starting to acquire the log data. a reception unit that receives an instruction to specify the log data, a storage unit that stores the log data, and a timing of acquisition of the log data by the acquisition unit and a start position and end position of the encryption by the encryption unit based on the range. , storage of log data by the storage unit, and a control unit for controlling the start position and the end position indicated by the range, a start flag that is a flag indicating the start position, respectively; The encryption unit is controlled to execute encryption by inserting an end flag, which is a flag indicating the end position, and when the entire range of log data is specified as the range, the start flag is inserted. and controlling the encryption unit to execute encryption without controlling the insertion of the end flag, and for log data of a portion that falls within the range, encrypted data that does not fall within the range. Partial log data is stored in plain text as separate files in the storage unit.
 第2の態様では、暗号化装置は、ログデータを取得する取得部と、ログデータを暗号化する暗号化部と、ログデータの取得開始前に、前記暗号化部で暗号化を実行する範囲を指定する指示を受け付ける受付部と、ログデータを記憶する記憶部と、前記範囲に基づき、前記取得部によるログデータの取得のタイミングと、前記暗号化部による暗号化の開始位置及び終了位置と、前記記憶部によるログデータの記憶と、を制御する制御部と、を備え、前記制御部は、前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行するように、前記暗号化部を制御し、前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグを挿入する制御を行わずに暗号化を実行するように前記暗号化部を制御し、前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして前記記憶部に記憶させる、ものである。 In a second aspect, the encryption device includes an acquisition unit that acquires log data, an encryption unit that encrypts the log data, and a range in which the encryption unit executes encryption before starting acquisition of log data. a reception unit that receives an instruction to specify the log data, a storage unit that stores the log data, and a timing of acquisition of the log data by the acquisition unit and a start position and end position of the encryption by the encryption unit based on the range. , storage of log data by the storage unit, and a control unit for controlling the start position and the end position indicated by the range, a start flag that is a flag indicating the start position, respectively; The encryption unit is controlled to execute encryption by inserting an end flag, which is a flag indicating the end position, and when the entire range of log data is specified as the range, the start flag is inserted. and controlling the encryption unit to execute encryption without controlling the insertion of the end flag, and for log data of a portion that falls within the range, encrypted data that does not fall within the range. Partial log data is stored in plain text as separate files in the storage unit.
 第3の態様では、暗号化方法は、ログデータを取得すること、ログデータを暗号化すること、ログデータの取得開始前に、暗号化を実行する範囲を指定する指示を受け付けることと、ログデータを記憶すること、及び、前記範囲に基づき、ログデータの取得のタイミングと、暗号化の開始位置及び終了位置と、ログデータの記憶と、を制御すること、を備え、前記制御することは、前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行させること、前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグの挿入を行わずに暗号化を実行させること、及び、前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして記憶させること、を含む、ものである。 In the third aspect, the encryption method includes acquiring log data, encrypting the log data, receiving an instruction specifying a range to perform encryption before starting to acquire the log data, and encrypting the log data. storing the data; and controlling the timing of acquiring the log data, the start and end positions of encryption, and the storage of the log data based on the range; , inserting a start flag indicating the start position and an end flag indicating the end position into the start position and end position indicated by the range, respectively, to perform encryption; If the entire range of data is specified, encryption should be executed without inserting the start flag and end flag, and the log data of the part corresponding to the range should be encrypted. This method includes storing the data in plain text for portions of the log data that do not fall within the above range as separate files.
 第4の態様では、プログラムは、コンピュータに、暗号化処理を実行させるためのプログラムであり、コンピュータ可読媒体は、前記プログラムが格納されたものである。前記暗号化処理は、ログデータを取得すること、ログデータを暗号化すること、ログデータの取得開始前に、暗号化を実行する範囲を指定する指示を受け付けることと、ログデータを記憶すること、及び、前記範囲に基づき、ログデータの取得のタイミングと、暗号化の開始位置及び終了位置と、ログデータの記憶と、を制御すること、を含み、前記制御することは、前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行させること、前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグの挿入を行わずに暗号化を実行させること、及び、前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして記憶させること、を含む、ものである。 In a fourth aspect, the program is a program for causing a computer to execute an encryption process, and the computer-readable medium stores the program. The encryption process includes acquiring log data, encrypting the log data, accepting an instruction specifying a range to perform encryption before starting to acquire the log data, and storing the log data. , and controlling the timing of acquiring log data, the start and end positions of encryption, and storage of log data based on the range, and the controlling includes controlling the timing of acquiring log data, the start position and end position of encryption, and storage of log data based on the range, and the controlling includes Encrypting is performed by inserting a start flag indicating the start position and an end flag indicating the end position into the start position and end position, respectively, and the range is the entire range of the log data. is specified, the encryption is executed without inserting the start flag and the end flag, and for the log data of the part corresponding to the range, the encrypted data is For log data that does not correspond to the above, the data is stored in plain text as separate files.
 本開示により、暗号化を行う範囲を指定して装置のログデータを暗号化する場合に、全ての範囲を暗号化する場合であっても範囲を示す情報が必要となることを回避することが可能な暗号化システム等を提供することができる。 According to the present disclosure, when encrypting device log data by specifying the range to be encrypted, it is possible to avoid the need for information indicating the range even when encrypting the entire range. A possible encryption system etc. can be provided.
実施形態1に係る暗号化システムの一構成例を示すブロック図である。1 is a block diagram showing a configuration example of an encryption system according to a first embodiment; FIG. 図1の暗号化システムの一構成例である暗号化装置を示すブロック図である。FIG. 2 is a block diagram showing an encryption device that is an example of the configuration of the encryption system in FIG. 1. FIG. 図1の暗号化システム又は図2の暗号化装置における暗号化方法の一例を説明するためのフロー図である。3 is a flow diagram for explaining an example of an encryption method in the encryption system of FIG. 1 or the encryption device of FIG. 2. FIG. 実施形態2に係る暗号化システムの一構成例を示すブロック図である。2 is a block diagram illustrating a configuration example of an encryption system according to a second embodiment. FIG. 図4の暗号化システムにおいて指示として受け付けられるログ取得コマンドの一例を示す図である。5 is a diagram showing an example of a log acquisition command accepted as an instruction in the encryption system of FIG. 4. FIG. 図4の暗号化システムにおける対象装置での処理の一例を説明するためのフロー図である。5 is a flow diagram for explaining an example of processing in a target device in the encryption system of FIG. 4. FIG. 図6に続くフロー図である。7 is a flow diagram following FIG. 6. FIG. 図4の暗号化システムにおける全体の処理の一例を示すシーケンス図である。5 is a sequence diagram showing an example of the overall processing in the encryption system of FIG. 4. FIG. 図8に続くシーケンス図である。9 is a sequence diagram following FIG. 8. FIG. 実施形態3に係る暗号化システムにおける対象装置での処理の一例を説明するためのフロー図である。10 is a flow diagram for explaining an example of processing in a target device in an encryption system according to a third embodiment. FIG. 装置のハードウェア構成の一例を示す図である。It is a diagram showing an example of the hardware configuration of the device.
 以下、図面を参照して、実施形態について説明する。なお、実施形態において、同一又は同等の要素には、同一の符号を付し、重複する説明を省略する場合がある。また、以下の各図面において、同一の要素及び同様な要素には同一の符号が付されており、必要に応じて重複説明は省略されている。 Hereinafter, embodiments will be described with reference to the drawings. Note that in the embodiments, the same or equivalent elements may be given the same reference numerals and redundant explanations may be omitted. Furthermore, in the following drawings, the same elements and similar elements are denoted by the same reference numerals, and redundant explanations are omitted as necessary.
<実施形態1>
 図1は、実施形態1に係る暗号化システムの一構成例を示すブロック図である。
 図1に示すように、本実施形態に係る暗号化システム1は、取得部1a、暗号化部1b、受付部1c、記憶部1d、及び制御部1eを備えることができる。暗号化システム1は、ログデータの収集対象となる装置(以下、対象装置)と、対象装置からログを収集するログ収集装置とを含み、対象装置における各種のログデータを収集する。よって、暗号化システム1は、ログ収集システムと称することができる。 <Embodiment 1>
FIG. 1 is a block diagram illustrating a configuration example of an encryption system according to a first embodiment.
As shown in FIG. 1, the encryption system 1 according to the present embodiment can include an acquisition section 1a, an encryption section 1b, a reception section 1c, a storage section 1d, and a control section 1e. The encryption system 1 includes a device from which log data is to be collected (hereinafter referred to as a target device) and a log collection device that collects logs from the target device, and collects various types of log data in the target device. Therefore, the encryption system 1 can be called a log collection system.
 なお、対象装置の種類は問わず、ログを記録できるような装置であればよい。また、ログ収集装置は、例えば、対象装置の場所と同じ場所で設置され直接接続されることも、対象装置の場所に対し遠隔地に設置され、ネットワークを介して接続されることもできる。 Note that the type of target device does not matter, as long as it can record logs. Further, the log collection device can be installed at the same location as the target device and directly connected to the target device, or can be installed at a remote location to the target device and connected via a network.
 暗号化システム1では、対象装置に取得部1a、暗号化部1b、受付部1c、記憶部1d、及び制御部1eを備えることができるが、例えば記憶部1dを構成する一要素としての記録媒体を対象装置に接続された外部の装置に備えるなど、これに限ったものではない。なお、記憶部1d、記録媒体については後述する。 In the encryption system 1, the target device can include an acquisition unit 1a, an encryption unit 1b, a reception unit 1c, a storage unit 1d, and a control unit 1e. For example, a recording medium as one element constituting the storage unit 1d However, the present invention is not limited to this, such as providing the external device connected to the target device. Note that the storage unit 1d and the recording medium will be described later.
 また、対象装置は、複数の装置に機能が分散された構成を採用することもでき、その場合の取得部1a、暗号化部1b、受付部1c、記憶部1d、及び制御部1eの分散方法も問わない。例えば、各装置に暗号化部1b及び記憶部1dの機能を備えるとともに、それらの装置のうちの1つの装置に取得部1a、受付部1c、及び制御部1eを備えることもできる。 Further, the target device may adopt a configuration in which functions are distributed among multiple devices, and in that case, a method for distributing the acquisition unit 1a, encryption unit 1b, reception unit 1c, storage unit 1d, and control unit 1e It doesn't matter. For example, each device may be provided with the functions of the encryption section 1b and the storage section 1d, and one of the devices may be provided with the acquisition section 1a, the reception section 1c, and the control section 1e.
 取得部1aは、対象装置におけるログデータを取得する。ログデータの取得の方法は問わず、例えば予め定められたあるいは後述の指示に含まれる、種類、期間のログデータを取得することができる。暗号化部1bは、取得部1aで取得されたログデータを暗号化する。但し、後述するように、暗号化部1bはログデータのうち指定された範囲の暗号化を行い、範囲外のログデータについては暗号化を実行しない。また、暗号化部1bにおける暗号化方法は問わず、暗号化されたデータが復号できるものであればよい。 The acquisition unit 1a acquires log data in the target device. Regardless of the method of acquiring log data, it is possible to acquire log data of a type and period that are predetermined or included in instructions described below, for example. The encryption unit 1b encrypts the log data acquired by the acquisition unit 1a. However, as will be described later, the encryption unit 1b encrypts a specified range of log data, and does not encrypt log data outside the range. Further, the encryption method used in the encryption unit 1b is not limited as long as the encrypted data can be decrypted.
 受付部1cは、取得部1aによるログデータの取得開始前に、暗号化部1bで暗号化を実行する範囲を指定する指示を受け付ける。この指示は対象装置にネットワーク又はP2Pなどで接続されたログ収集装置から送信されたものとすることができる。よって、受付部1cはログ収集装置と通信する通信部(図示せず)を備えることができる。この通信部は無線又は有線で外部と通信するインタフェースを備えることができる。但し、ログ収集装置の機能は対象装置に備えることもでき、この場合、暗号化システム1は対象装置で構成され、上記の指示も対象装置に設けられた操作部などから受け付けられることになる。 The reception unit 1c receives an instruction specifying the range to be encrypted by the encryption unit 1b before the acquisition unit 1a starts acquiring log data. This instruction may be sent from a log collection device connected to the target device via a network or P2P. Therefore, the reception unit 1c can include a communication unit (not shown) that communicates with the log collection device. This communication unit can include an interface for communicating with the outside wirelessly or by wire. However, the function of the log collection device may be provided in the target device. In this case, the encryption system 1 is constituted by the target device, and the above-mentioned instructions are also accepted from an operation unit provided in the target device.
 記憶部1dは、暗号化されたログデータや平文のままのログデータを記憶する。記憶部1dは、記録媒体と記録媒体へのデータの書き込みを行う書き込み部とを備える記憶装置とすることができる。記録媒体の種類は問わない。 The storage unit 1d stores encrypted log data and plaintext log data. The storage unit 1d can be a storage device including a recording medium and a writing unit that writes data to the recording medium. The type of recording medium does not matter.
 制御部1eは、上記範囲に基づき、取得部1aによるログデータの取得のタイミングと、暗号化部1bによる暗号化の開始位置及び終了位置と、記憶部1dによるログデータの記憶と、を制御する。 The control unit 1e controls the timing of acquisition of log data by the acquisition unit 1a, the start and end positions of encryption by the encryption unit 1b, and the storage of log data by the storage unit 1d, based on the above range. .
 制御部1eは、受付部1cで受け付けた範囲が示す開始位置、終了位置に対し、それぞれ開始位置を示すフラグである開始フラグ、終了位置を示すフラグである終了フラグを挿入して暗号化を実行するように、暗号化部1bを制御する。このとき、制御部1eは、上記範囲に基づきログデータを取得するように、取得部1aの制御も行うことになる。このように、暗号化システム1では、ログデータの部分的な暗号化を行うことができる。 The control unit 1e inserts a start flag indicating the start position and an end flag indicating the end position into the start position and end position indicated by the range accepted by the receiving unit 1c, respectively, and executes encryption. The encryption unit 1b is controlled so as to At this time, the control unit 1e also controls the acquisition unit 1a to acquire log data based on the above range. In this way, the encryption system 1 can partially encrypt log data.
 そして、制御部1eは、上記範囲に該当する部分のログデータについては暗号化後のデータを、上記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイル(別々のログファイル)として記憶部1dに記憶させる。 Then, the control unit 1e stores the encrypted data for the portion of the log data that falls within the above range, and stores the plain text data for the portion of the log data that does not fall within the above range into separate files (separate files). It is stored in the storage unit 1d as a log file).
 特に本実施形態では、制御部1eは、上記範囲としてログデータの全ての範囲が指定された場合には、開始フラグ及び終了フラグを挿入する制御を行わずに暗号化を実行するように暗号化部1bを制御する。これにより、全ての範囲のログデータを暗号化する場合には、開始フラグ及び終了フラグが挿入されず、開始フラグ及び終了フラグを含まないログファイルが記憶部1dに記憶されることになる。 In particular, in this embodiment, when the entire range of log data is specified as the above range, the control unit 1e performs encryption so that encryption is executed without performing control to insert a start flag and an end flag. 1b. As a result, when encrypting the entire range of log data, a start flag and an end flag are not inserted, and a log file that does not include a start flag and an end flag is stored in the storage unit 1d.
 制御部1eは、例えば、CPU(Central Processing Unit)、作業用メモリ、及びプログラムを記憶した不揮発性の記憶装置などによって実現することができる。このプログラムは、取得部1a、暗号化部1b、受付部1c、及び、記憶部1dの書き込み部の処理をCPUに実行させるためのプログラムとすることができる。また、制御部1eに備えられる記憶装置の記録媒体は、記憶部1dの記録媒体としても利用することができる。 The control unit 1e can be realized by, for example, a CPU (Central Processing Unit), a working memory, a nonvolatile storage device that stores a program, and the like. This program can be a program for causing the CPU to execute the processing of the acquisition section 1a, the encryption section 1b, the reception section 1c, and the writing section of the storage section 1d. Further, the recording medium of the storage device provided in the control section 1e can also be used as a recording medium of the storage section 1d.
 また、対象装置は、受付部1cで受け付けた指示に応答して、記憶部1dに記憶されたファイル(ログファイル)を、指示を送信した指示装置であるログ収集装置に送信する送信部を備えることができる。この送信部は、受付部1cに備えられる通信部を援用することができる。このように、対象装置は、暗号化部1b、受付部1c、記憶部1d、及び、記憶部1dに記憶されたログファイルをログ収集装置に送信する送信部を備え、ログデータの収集対象となる装置とすることができる。 The target device also includes a transmitter that transmits the file (log file) stored in the storage unit 1d to the log collection device that is the instruction device that sent the instruction, in response to the instruction received by the reception unit 1c. be able to. This transmitting section can utilize a communication section provided in the receiving section 1c. In this way, the target device includes an encryption unit 1b, a reception unit 1c, a storage unit 1d, and a transmission unit that transmits the log files stored in the storage unit 1d to the log collection device, and is configured as a log data collection target. It can be made into a device.
 この例では、ログ収集装置は、受付部1cに対し、受付部1cで受け付ける指示を送信する装置となる。図示しないが、ログ収集装置は、その全体を制御する制御部と、対象装置と通信する通信部と、を備えることができる。この通信部は無線又は有線で外部と通信するインタフェースを備えることができる。また、ログ収集装置は、記憶部1dに記憶されたログファイルを、通信部を介して受信するように構成することができる。ログ収集装置の制御部は、例えば、CPU、作業用メモリ、及びプログラムを記憶した不揮発性の記憶装置などによって実現することができる。このプログラムは、受付部1cへ送信する指示を生成する処理及びその指示を対象装置に通信部を介して送信する処理をCPUに実行させるためのプログラムとすることができる。なお、ログ収集装置の制御部に備えられる記憶装置の記録媒体は、このようにして受信したログファイルを記憶する記録媒体としても利用することができる。 In this example, the log collection device is a device that transmits an instruction to the reception unit 1c to be accepted by the reception unit 1c. Although not shown, the log collection device can include a control unit that controls the entire log collection device, and a communication unit that communicates with the target device. This communication unit can include an interface for communicating with the outside wirelessly or by wire. Further, the log collection device can be configured to receive the log file stored in the storage unit 1d via the communication unit. The control unit of the log collection device can be realized by, for example, a CPU, a working memory, a nonvolatile storage device that stores a program, and the like. This program can be a program for causing the CPU to execute a process of generating an instruction to be transmitted to the reception unit 1c and a process of transmitting the instruction to the target device via the communication unit. Note that the recording medium of the storage device provided in the control unit of the log collection device can also be used as a recording medium for storing log files received in this manner.
 また、暗号化システム1は、ログ収集装置と対象装置とで例示したように、機能を分散させた複数の装置として構成することもでき、対象装置として例示した各部の機能も複数の装置に分散させて構成することができ、その分散の方法は問わない。複数の装置に機能を分散して暗号化システム1を構築する場合、各装置に制御部、通信部、及び必要に応じて記憶部等を備えるとともに、無線又は有線の通信により上記複数の装置を必要に応じて接続して協働して暗号化システム1としての機能を実現させればよい。 Furthermore, the encryption system 1 can be configured as multiple devices with distributed functions, as illustrated by the log collection device and the target device, and the functions of each part illustrated as the target device are also distributed among multiple devices. The distribution method is not limited. When constructing the encryption system 1 by distributing functions to multiple devices, each device is equipped with a control unit, a communication unit, and if necessary, a storage unit, etc., and the multiple devices are connected by wireless or wired communication. The functions of the encryption system 1 may be realized by connecting and cooperating as necessary.
 また、暗号化システム1は、図2に示すように、取得部1a、暗号化部1b、受付部1c、記憶部1d、及び制御部1eを備える1つの暗号化装置2として構築することもできる。図2は、図1の暗号化システム1の一構成例である暗号化装置2を示すブロック図である。暗号化装置2は、上述した対象装置の機能を備えた装置とすること、あるいは対象装置の機能及びログ収集装置の機能を備えた装置とすることができる。暗号化装置2は、例えば1以上のプロセッサと1以上のメモリとを含むハードウェアを含むコンピュータ装置を含んで構成され得る。暗号化装置2内の各部の機能の少なくとも一部は、1以上のプロセッサが、1以上のメモリから読み出したプログラムに従って動作することで実現され得る。 Furthermore, as shown in FIG. 2, the encryption system 1 can be constructed as one encryption device 2 including an acquisition section 1a, an encryption section 1b, a reception section 1c, a storage section 1d, and a control section 1e. . FIG. 2 is a block diagram showing an encryption device 2 that is an example of the configuration of the encryption system 1 in FIG. The encryption device 2 may be a device that has the functions of the target device described above, or a device that has the functions of the target device and the functions of the log collection device. The encryption device 2 may be configured to include a computer device including hardware including, for example, one or more processors and one or more memories. At least a part of the functions of each part in the encryption device 2 can be realized by one or more processors operating according to a program read from one or more memories.
 次に、図3を参照しながら、暗号化システム1又は暗号化装置2の処理例について説明する。図3は、暗号化システム1又は暗号化装置2における暗号化方法の一例を説明するためのフロー図である。以下、暗号化システム1における暗号化方法について説明するが、暗号化装置2における暗号化方法も同様である。 Next, a processing example of the encryption system 1 or the encryption device 2 will be described with reference to FIG. FIG. 3 is a flow diagram for explaining an example of an encryption method in the encryption system 1 or the encryption device 2. The encryption method in the encryption system 1 will be described below, but the encryption method in the encryption device 2 is also similar.
 まず、暗号化システム1は、ログデータの取得開始前に、暗号化を実行する範囲を指定する指示を受け付ける(ステップS1)。この指示に基づき、暗号化システム1は、ログデータを取得する(ステップS2)。次いで、暗号化システム1は、指示が全範囲を暗号化することを示しているか否かを判定する(ステップS3)。 First, before starting the acquisition of log data, the encryption system 1 receives an instruction specifying a range to perform encryption (step S1). Based on this instruction, the encryption system 1 acquires log data (step S2). Next, the encryption system 1 determines whether the instruction indicates that the entire range is to be encrypted (step S3).
 ステップS3でYESの場合、暗号化システム1は、上記範囲である全範囲のログデータに対し、開始フラグ及び終了フラグを挿入せずに、即ち後述のステップS5を経ずに、暗号化を実行する(ステップS6)。そして、暗号化されたログデータを1つのログファイルとして記憶する(ステップS7)。 If YES in step S3, the encryption system 1 executes encryption for the entire range of log data within the above range without inserting a start flag and an end flag, that is, without going through step S5 described below. (Step S6). Then, the encrypted log data is stored as one log file (step S7).
 一方、ステップS3でNOの場合、ステップS2で取得されたログデータについて、上記範囲に該当するか否かの判定を行う(ステップS4)。そして、ステップS4でYESと判定されたログデータ、つまり上記範囲に該当するログデータに対し、暗号化システム1は、上記範囲のログデータの開始位置、終了位置にそれぞれ開始フラグ、終了フラグを挿入する(ステップS5)。その後、暗号化システム1は、暗号化を実行する(ステップS6)。その後、同様にステップS7へ進み、暗号化されたログデータを1つのログファイルとして記憶する。 On the other hand, if NO in step S3, it is determined whether the log data acquired in step S2 falls within the above range (step S4). Then, for the log data determined as YES in step S4, that is, the log data corresponding to the above range, the encryption system 1 inserts a start flag and an end flag at the start position and end position of the log data in the above range, respectively. (Step S5). After that, the encryption system 1 executes encryption (step S6). Thereafter, the process similarly advances to step S7, and the encrypted log data is stored as one log file.
 一方、ステップS4でNOと判定されたログデータ、つまり上記範囲に該当しないログデータに対し、暗号化システム1は、平文のままのデータを1つのファイルとして記憶する(ステップS8)。 On the other hand, for log data for which the determination is NO in step S4, that is, log data that does not fall within the above range, the encryption system 1 stores the plaintext data as one file (step S8).
 なお、ステップS2のログデータの取得のタイミングは、暗号化する対象であれば暗号化する手前、平文のままの場合にはログファイルを記憶(ステップS8)の手前であれば、図示する順序に問わない。 Note that the timing of obtaining the log data in step S2 is in the order shown in the figure, if it is the target to be encrypted, before encryption, and if it is in plain text, before the log file is stored (step S8). No question.
 本実施形態による暗号化可能なログ収集処理について説明した。本実施形態は、暗号化されたログファイルの復号方法は問わない。本実施形態で記憶された暗号化されたログファイルは、暗号化方法に対応した復号方法を採用することで閲覧することができる。また、本実施形態では、全ての範囲で暗号化がなされたログファイルに開始フラグ及び終了フラグが存在しないが、このログファイルは汎用の復号方法を採用することで閲覧することができる。また、本実施形態で記憶された平文のログファイルは、暗号化されたログファイルとは別ファイルであるため、そのまま閲覧可能となる。 The encryptable log collection process according to this embodiment has been described. In this embodiment, any method of decrypting an encrypted log file is not concerned. The encrypted log file stored in this embodiment can be viewed by employing a decryption method that corresponds to the encryption method. Furthermore, in this embodiment, although there is no start flag and end flag in a log file that has been encrypted in all its ranges, this log file can be viewed by employing a general-purpose decryption method. Furthermore, since the plaintext log file stored in this embodiment is a separate file from the encrypted log file, it can be viewed as is.
 以上、本実施形態によれば、対象装置のログ収集時にログデータを全て暗号化するのではなく、部分的に暗号化することで秘匿情報のみを隠し、提供可能な情報のみを平文のログファイルとすることで公開することができる。例えば、部分的に暗号化することで、例えば時刻情報などのログの公開可能な情報がすぐに分かるため、問題事象発生時のログ確認を迅速に行うことが可能となる。また、本実施形態では、暗号化要否も選択できるような構成であるため、暗号化不要の、例えば自社内の試験時等、デバッグ時も復号化の手間なくログ収集することが可能となる。 As described above, according to the present embodiment, log data is not entirely encrypted when collecting logs from the target device, but only the confidential information is hidden by partially encrypting it, and only the information that can be provided is stored in the plain text log file. It can be published by doing this. For example, by partially encrypting the log, the information that can be published in the log, such as time information, can be immediately known, making it possible to quickly check the log when a problematic event occurs. In addition, in this embodiment, since the configuration allows selection of whether or not encryption is required, it is possible to collect logs without the hassle of decryption even when debugging, such as during in-house testing, where encryption is not required. .
 また、本実施形態によれば、対象装置のログを収集するに際し、ログデータを部分的に暗号化することができるため、暗号化によるCPUリソースの占有時間を短縮することができ、対象装置の負荷を低減することができる。 Further, according to the present embodiment, when collecting logs of the target device, the log data can be partially encrypted, so the time occupied by CPU resources due to encryption can be shortened, and the log data of the target device can be partially encrypted. The load can be reduced.
 例えば、対象装置に障害が発生し遠隔操作でのログデータの取得が難しい場合、現地に赴きログデータを収集しなければならず、その作業は第三者に委託されるケースがある。このようなケースであっても、本実施形態によれば、対象装置の負荷を低減しながら、必要な部分だけ秘匿性を確保することができるため、ログファイルの第三者による読み取りを不可能とし、情報漏洩のリスクを無くすことができる。このように、本実施形態では、対象装置の現地で又は遠隔からログ収集をする際、ログファイルの中身を第三者に参照されることなく安全に収集することができるようになる。 For example, if a problem occurs in the target device and it is difficult to obtain log data by remote control, it is necessary to go to the site and collect the log data, and there are cases where this work is outsourced to a third party. Even in such a case, according to this embodiment, it is possible to reduce the load on the target device and ensure confidentiality only for the necessary portion, making it impossible for a third party to read the log file. This eliminates the risk of information leakage. In this way, in this embodiment, when logs are collected locally or remotely from a target device, the contents of the log files can be safely collected without being referenced by a third party.
 特に、本実施形態によれば、暗号化を行う範囲を指定して装置のログデータを暗号化する場合に、全ての範囲を暗号化する場合であっても範囲を示す情報が必要となることを回避することが可能となる。つまり、本実施形態によれば、全ての範囲で暗号化するケースでは開始フラグ及び終了フラグが無くても暗号化することができ、また、暗号化部分と非暗号化部分とについてはそれぞれ別ファイルに保存することができる。よって、本実施形態によれば、全範囲を暗号化する場合のフラグを挿入しないことによるデータ量の削減効果が得られるとともに、ファイル閲覧時にも必要な部分を暗号化しておくことで必要な秘匿性を確保することができる。 In particular, according to this embodiment, when encrypting device log data by specifying a range to be encrypted, information indicating the range is required even when encrypting the entire range. It is possible to avoid this. In other words, according to this embodiment, in the case where the entire range is encrypted, it is possible to encrypt without the start flag and end flag, and the encrypted part and the non-encrypted part are separated into separate files. can be saved in Therefore, according to this embodiment, it is possible to reduce the amount of data by not inserting the flag when encrypting the entire range, and also to encrypt the necessary parts when viewing the file, so that necessary confidentiality can be achieved. It is possible to ensure sex.
<実施形態2>
 実施形態2について、図4~図9を参照しながら実施形態1との相違点を中心に説明するが、実施形態1で説明した様々な例が適用できる。まず、図4及び図5を参照しながら本実施形態に係る暗号化システムの構成例について説明する。図4は、実施形態2に係る暗号化システムの一構成例を示すブロック図で、図5は、この暗号化システムにおいて指示として受け付けられるログ取得コマンドの一例を示す図である。 <Embodiment 2>
Embodiment 2 will be described with reference to FIGS. 4 to 9, focusing on the differences from Embodiment 1, but various examples described in Embodiment 1 can be applied. First, a configuration example of the encryption system according to the present embodiment will be described with reference to FIGS. 4 and 5. FIG. 4 is a block diagram showing a configuration example of an encryption system according to the second embodiment, and FIG. 5 is a diagram showing an example of a log acquisition command accepted as an instruction in this encryption system.
 図4に示す暗号化システム(以下、本システム)は、本実施形態に係る暗号化装置として機能する対象装置10と、対象装置10からログファイルを収集するログ収集装置20と、を備えることができる。実施形態1で説明したように、ログ収集装置20は、ログファイルの暗号化と収集を、対象装置10の設置場所で実施してもよいし、あるいは遠隔で接続した対象装置10から実施してもよい。 The encryption system shown in FIG. 4 (hereinafter referred to as the present system) may include a target device 10 that functions as an encryption device according to the present embodiment, and a log collection device 20 that collects log files from the target device 10. can. As described in the first embodiment, the log collection device 20 may encrypt and collect log files at the location where the target device 10 is installed, or may encrypt and collect log files from the target device 10 connected remotely. Good too.
 説明の簡略化のため、対象装置10が本システムに1つ含まれる例を挙げる。但し、本システムは、1つのログ収集装置20に対し複数の対象装置10を備え、そのログ収集装置20でそれら複数の対象装置10に対しそれぞれ指示を送信し、それぞれからログファイルを収集するように構成されることもできる。 To simplify the explanation, an example will be given in which this system includes one target device 10. However, this system includes a plurality of target devices 10 for one log collection device 20, and the log collection device 20 sends instructions to each of the plurality of target devices 10 and collects log files from each. It can also be configured as
 ログ収集装置20は、制御部21、操作部22、記憶部23、及び通信部24を備えることができる。ログ収集装置20は単体の又は分散配置された装置で構成されることができる。 The log collection device 20 can include a control section 21, an operation section 22, a storage section 23, and a communication section 24. The log collection device 20 can be composed of a single device or a distributed device.
 制御部21は、ログ収集装置20の全体を制御する制御部である。制御部21は、例えば、CPU、作業用メモリ、及びプログラムを記憶した不揮発性の記憶装置などによって実現することができる。このプログラムは、ログ取得のための処理をCPUに実行させるためのプログラムを含むことができる。また、制御部21に備えられる記憶装置は、後述する記憶部23としても利用することができる。 The control unit 21 is a control unit that controls the entire log collection device 20. The control unit 21 can be realized by, for example, a CPU, a working memory, a nonvolatile storage device that stores a program, and the like. This program can include a program for causing the CPU to execute processing for acquiring logs. Furthermore, the storage device provided in the control section 21 can also be used as a storage section 23, which will be described later.
 操作部22は、ログ収集の対象となる対象装置10へログファイルの要求を行う操作を受け付け、その操作内容を制御部21に渡し、制御部21がその操作内容に従い、ログファイルの要求を行うことができる。この要求は、ログの取得を対象装置10へ要求(指示)するコマンドであり、以下、ログ取得コマンドと称する。 The operation unit 22 receives an operation for requesting a log file from the target device 10 that is the target of log collection, passes the operation details to the control unit 21, and the control unit 21 requests a log file according to the operation details. be able to. This request is a command that requests (instructs) the target device 10 to acquire a log, and is hereinafter referred to as a log acquisition command.
 ログ取得コマンドは、図5に例示するように、収集するログ種別を示す情報、暗号化要否を示す情報、及び指定された暗号化範囲(一部暗号化の場合)を示す情報を含むことができる。ログ取得コマンドに含めることができるこれらの情報、即ちパラメータは、例えば操作部22から指定することができる。 As illustrated in Figure 5, the log acquisition command must include information indicating the log type to be collected, information indicating whether encryption is required, and information indicating the specified encryption range (in the case of partial encryption). I can do it. These pieces of information that can be included in the log acquisition command, that is, parameters, can be specified from the operation unit 22, for example.
 上述したログ種別を示す情報は、例えば対象装置10に組み込まれた或るアプリケーションのログ、対象装置10に備えられた或るデバイスのログなど、収集するログの種別を示す情報とすることができる。図5の例では、簡略化のために、ログ種別を示す情報は、ログ取得コマンド名で表現されているものとして説明する。但し、各ログ取得コマンドにはログ種別を示す情報が含まれているか、あるいは、対象装置10側において、ログ取得コマンド名からログ種別を判定することが可能に構成されている。 The above-described information indicating the log type can be information indicating the type of log to be collected, such as a log of a certain application installed in the target device 10 or a log of a certain device provided in the target device 10. . In the example of FIG. 5, for the sake of simplification, the information indicating the log type will be described as being expressed as a log acquisition command name. However, each log acquisition command includes information indicating the log type, or the target device 10 is configured to be able to determine the log type from the log acquisition command name.
 なお、ここでは、全て暗号化する場合及び暗号化を全く実施しない場合については、対象装置10において、ログ種別だけで収集対象のログデータを特定することが可能であることを前提として説明する。但し、後述するようにこれらの場合について、ログ取得範囲を示す情報をログ取得コマンドに含めておき、対象装置10がログ種別及びログ取得範囲から収集対象のログデータを特定するように構成することもできる。 Here, the case where all data is encrypted and the case where no encryption is performed will be described on the premise that it is possible to specify the log data to be collected in the target device 10 only by the log type. However, as described later, in these cases, information indicating the log acquisition range should be included in the log acquisition command, and the target device 10 should be configured to specify the log data to be collected from the log type and the log acquisition range. You can also do it.
 上述した暗号化要否を示す情報は、全て暗号化、一部暗号化、及び暗号化不要のいずれかを示す情報とすることができる。上述した暗号化範囲を示す情報は、一部暗号化指定されたログ取得コマンドに対して、暗号化の範囲を指定する情報であり、一部暗号化以外の場合は無効のパラメータである。暗号化範囲を示す情報は、ログ取得コマンドが示すログ種別について、例えば、処理αから処理βまでといった処理内容で指定された範囲を示す情報とすることや、あるいは第1日時から第2日時までといった処理期間を示す情報とすることができる。あるいは、暗号化範囲を示す情報は、それらの組み合わせとすることもできる。また、処理内容で指定された範囲とは、例えば処理αから処理βまで及び処理γから処理δまでといった複数の範囲や、第1日時から第2日時まで及び第3日時から第4日時までといった複数の処理期間とすることもできる。 The above-mentioned information indicating whether or not encryption is necessary can be information indicating either fully encrypted, partially encrypted, or no encryption required. The above-mentioned information indicating the encryption range is information that specifies the encryption range for a log acquisition command in which partial encryption is specified, and is an invalid parameter in cases other than partial encryption. The information indicating the encryption range may be information indicating the range specified by the processing content, such as from processing α to processing β, for the log type indicated by the log acquisition command, or from the first date and time to the second date and time. The information can be information indicating the processing period. Alternatively, the information indicating the encryption range may be a combination thereof. In addition, the range specified by the processing content includes multiple ranges such as from processing α to processing β and from processing γ to processing δ, or from the first date and time to the second date and time and from the third date and time to the fourth date and time. It is also possible to have multiple processing periods.
 操作部22で受け付ける操作には、ログ収集の対象となる対象装置10を示す情報を入力する操作を含むことができる。操作部22で受け付ける操作には、ログ取得コマンドに含まれる情報を入力する操作を含むことができる。よって、受け付ける操作には、取得対象のログデータ又はそのログデータの種別を示す情報、暗号化を実行するか否かを示す情報、暗号化を実行するのであれば対象の全てを実行するか部分的に実行するかを示す情報を入力する操作を含むことができる。また、受け付ける操作には、取得対象のログデータに対し、部分的に暗号化を実行するのであればその暗号化範囲を示す情報を入力する操作を含むことができる。 The operations accepted by the operation unit 22 can include an operation of inputting information indicating the target device 10 that is the target of log collection. The operations accepted by the operation unit 22 can include operations for inputting information included in the log acquisition command. Therefore, the accepted operations include information indicating the log data to be acquired or the type of the log data, information indicating whether or not to perform encryption, and if encryption is to be performed, whether to execute all or part of the target. The operation may include an operation of inputting information indicating whether to execute the process. In addition, if the log data to be acquired is to be partially encrypted, the accepted operation can include an operation of inputting information indicating the encryption range.
 また、操作部22は、単に対象装置10を示す情報を入力する操作を受け付けるだけでもよい。その場合、制御部21は、暗号化要否及び暗号化範囲指定(一部暗号化の場合)に関する予め定められた内容に基づき、ログ取得コマンドを読み出す又は生成することができる。 Further, the operation unit 22 may simply accept an operation to input information indicating the target device 10. In that case, the control unit 21 can read or generate a log acquisition command based on predetermined contents regarding the necessity of encryption and specification of the encryption range (in the case of partial encryption).
 記憶部23は、上記要求への応答として、通信部24を介して対象装置10から受信したログファイルを記憶する記憶装置である。通信部24は、制御部21からの制御により上記要求を対象装置10へ送信し、その応答としてログファイルを受信する。通信部24は、有線又は無線の通信インタフェースを備えることができる。 The storage unit 23 is a storage device that stores the log file received from the target device 10 via the communication unit 24 in response to the above request. The communication unit 24 transmits the above request to the target device 10 under the control of the control unit 21, and receives the log file as a response. The communication unit 24 can include a wired or wireless communication interface.
 対象装置10は、図2の暗号化装置2の一例である。対象装置10は、その全体を制御する主制御部11と、外部と通信を行う通信部12と、を備えることができる。主制御部11の制御により、対象装置10における図示しない本来の機能を実現する機能部を機能させることができる。 The target device 10 is an example of the encryption device 2 in FIG. The target device 10 can include a main control section 11 that controls the entire device, and a communication section 12 that communicates with the outside. Under the control of the main control unit 11, a functional unit that realizes an original function (not shown) in the target device 10 can be operated.
 さらに、対象装置10は、暗号化装置として機能するために、次の構成要素を備えることができる。即ち、対象装置10は、図2の取得部1a、暗号化部1b、記憶部1d、及び制御部1eの一例としてそれぞれ、ログ取得部15及びバッファ部16、暗号化部17、書き込み部18及び記録媒体19、及び生成制御部14を備えることができる。また、通信部12は、図2の受付部1cの機能とともに、ログ収集装置20へのログファイルの転送を行う機能も備える。ログ取得部15及びバッファ部16、暗号化部17、書き込み部18及び記録媒体19、及び生成制御部14は、各部が連携してログを生成するログ生成部13として機能することができる。対象装置10は単体の又は分散配置された装置で構成されることができる。 Furthermore, the target device 10 can include the following components in order to function as an encryption device. That is, the target device 10 includes a log acquisition section 15, a buffer section 16, an encryption section 17, a writing section 18, and a log acquisition section 16, respectively, as examples of the acquisition section 1a, encryption section 1b, storage section 1d, and control section 1e in FIG. A recording medium 19 and a generation control section 14 can be provided. The communication unit 12 also has the function of the reception unit 1c in FIG. 2 as well as the function of transferring log files to the log collection device 20. The log acquisition unit 15, the buffer unit 16, the encryption unit 17, the writing unit 18, the recording medium 19, and the generation control unit 14 can function as the log generation unit 13 that generates logs in cooperation with each other. The target device 10 can be composed of a single device or a distributed device.
 主制御部11は、対象装置10の全体を制御する制御部である。主制御部11は、例えば、CPU、作業用メモリ、及びプログラムを記憶した不揮発性の記憶装置などによって実現することができる。このプログラムは、上記機能部における処理、並びに暗号化装置として機能させるためのログ取得に関する処理をログ生成部13の生成制御部14に指示する処理をCPUに実行させるためのプログラムとすることができる。また、主制御部11に備えられる記憶装置は、記録媒体19としても利用することができる。通信部12は、ログ取得コマンドをログ収集装置20から受信し、その応答としてログファイルを送信する。通信部12は、有線又は無線の通信インタフェースを備えることができる。 The main control unit 11 is a control unit that controls the entire target device 10. The main control unit 11 can be realized by, for example, a CPU, a working memory, a nonvolatile storage device storing a program, and the like. This program can be a program for causing the CPU to execute a process for instructing the generation control unit 14 of the log generation unit 13 to perform the process in the functional unit and the process related to log acquisition for functioning as an encryption device. . Further, the storage device provided in the main control section 11 can also be used as a recording medium 19. The communication unit 12 receives a log acquisition command from the log collection device 20, and transmits a log file in response. The communication unit 12 can include a wired or wireless communication interface.
 ログ生成部13は、主制御部11からの制御に従い、ログファイルの生成を行う。具体的には、ログ生成部13は、通信部12で受信したログ取得コマンドを主制御部11から受け取ることで、生成制御部14等、ログ生成部13に含まれる構成要素を連携させる。そして、ログ生成部13は、この連携により、以下に説明するようにログファイルの生成及び通信部12を介したそのログファイルの送信を行う。 The log generation unit 13 generates a log file under control from the main control unit 11. Specifically, the log generation unit 13 receives the log acquisition command received by the communication unit 12 from the main control unit 11, thereby causing the components included in the log generation unit 13, such as the generation control unit 14, to cooperate. Through this cooperation, the log generation unit 13 generates a log file and transmits the log file via the communication unit 12, as described below.
 生成制御部14は、主制御部11からの制御に従い、ログ生成部13の全体を制御する制御部である。生成制御部14は、通信部12で受信したログ取得コマンドを主制御部11から受け取ることで、ログ取得コマンドに従い、ログファイルを生成し、通信部12を介してそのログファイルの送信を行う。このログ取得コマンドは、上述したように、暗号化要否と、一部暗号化を行う場合の指定された暗号化範囲と、を含むことができる。無論、ログ取得コマンドは、暗号化範囲のみを含んでおけば、暗に暗号化要否も含んでいることを意味するため、生成制御部14において暗号化要否、全暗号化/一部暗号化を知ることができると言える。 The generation control unit 14 is a control unit that controls the entire log generation unit 13 under control from the main control unit 11. The generation control unit 14 receives the log acquisition command received by the communication unit 12 from the main control unit 11, generates a log file according to the log acquisition command, and transmits the log file via the communication unit 12. As described above, this log acquisition command can include the necessity of encryption and the specified encryption range in the case where partial encryption is performed. Of course, if the log acquisition command includes only the encryption range, it also implicitly includes the necessity of encryption, so the generation control unit 14 determines whether encryption is necessary or not, whether full encryption/partial encryption is required. It can be said that it is possible to know the changes.
 生成制御部14は、ログ取得コマンドに基づき、ログ取得部15によるログデータの取得のタイミングと、暗号化部17による暗号化の開始位置及び終了位置と、書き込み部18によるログデータの記録媒体19への書き込みと、を制御する。 Based on the log acquisition command, the generation control unit 14 determines the timing of acquisition of log data by the log acquisition unit 15, the start and end positions of encryption by the encryption unit 17, and the recording medium 19 of log data by the writing unit 18. Write to and control.
 つまり、生成制御部14は、主制御部11から受け取ったログ取得コマンドに従い、ログ取得コマンドに記述された内容に沿ってログ収集開始する制御を行う。この制御には、ログ取得部15、暗号化部17、及び書き込み部18に対する制御が含まれ、それぞれに対しログデータの取得処理、ログデータの暗号化処理、ログデータのファイル化及びファイルの書き込み処理を実行させる。さらに、生成制御部14は、通信部12を介して、書き込んだファイルであるログファイルを、ログ取得コマンドを送信したログ収集装置20に返信する。 In other words, the generation control unit 14 performs control to start collecting logs according to the log acquisition command received from the main control unit 11 in accordance with the contents described in the log acquisition command. This control includes control over the log acquisition section 15, encryption section 17, and writing section 18, and for each of them, log data acquisition processing, log data encryption processing, log data file creation, and file writing are performed. Execute the process. Further, the generation control unit 14 returns the written log file, which is the written file, to the log collection device 20 that sent the log acquisition command via the communication unit 12.
 上記の暗号化処理として、生成制御部14は、暗号化範囲が示す開始位置、終了位置に対し、それぞれ開始位置を示す暗号化開始フラグ、終了位置を示す暗号化終了フラグを挿入して暗号化を実行するように、暗号化部17を制御する。 As the above encryption process, the generation control unit 14 inserts an encryption start flag indicating the start position and an encryption end flag indicating the end position into the start position and end position indicated by the encryption range, respectively, and performs encryption. The encryption unit 17 is controlled to execute the following.
 但し、生成制御部14は、暗号化範囲としてログデータの全ての範囲が指定された場合には、暗号化開始フラグ及び暗号化終了フラグを挿入する制御を行わずに暗号化を実行するように暗号化部17を制御する。これにより、全ての範囲のログデータを暗号化する場合には、暗号化開始フラグ及び暗号化終了フラグが挿入されず、暗号化開始フラグ及び暗号化終了フラグを含まないログファイルが記録媒体19に記憶されることになる。 However, if the entire range of log data is specified as the encryption range, the generation control unit 14 executes encryption without controlling to insert the encryption start flag and the encryption end flag. Controls the encryption unit 17. As a result, when encrypting the entire range of log data, the encryption start flag and encryption end flag are not inserted, and a log file that does not include the encryption start flag and encryption end flag is stored in the recording medium 19. It will be remembered.
 上記のログデータのファイル化及びファイルの書き込み処理として、生成制御部14は次のような制御を行う。即ち、生成制御部14は、暗号化範囲に該当する部分のログデータについては暗号化後のデータを、暗号化範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のログファイルとして記憶するように、書き込み部18を制御する。 The generation control unit 14 performs the following control as the log data file creation and file writing processing described above. That is, the generation control unit 14 generates separate logs by storing the encrypted data for the portion of the log data that falls within the encryption range, and the plain text data for the portion of the log data that does not fall within the encryption range. The writing unit 18 is controlled so as to store it as a file.
 特に、本実施形態では、ログ取得コマンドにおいて、暗号化範囲としてログデータの一部の範囲が指定される場合には、そのログ取得コマンドにおいて、暗号化範囲を含み暗号化範囲より大きい一部暗号化ログ取得範囲を指定する指示を含むようにしておく。つまり、ログ収集装置20の操作部22では、一部暗号化ログ取得範囲を示す情報も指定する操作も受け付け、制御部21がその情報もログ取得コマンドに含め、通信部24を介して対象装置10に送信するように制御する。これにより、対象装置10において、一部暗号化ログ取得範囲と暗号化範囲とから平文でログデータを取得する範囲も知ることができる。 In particular, in this embodiment, when a partial range of log data is specified as an encryption range in a log acquisition command, a part of the log data including the encryption range and larger than the encryption range is specified in the log acquisition command. Contain instructions to specify the range of log acquisition. In other words, the operation unit 22 of the log collection device 20 also accepts an operation that specifies information indicating a partially encrypted log acquisition range, and the control unit 21 includes this information in the log acquisition command and sends it to the target device via the communication unit 24. 10. Thereby, in the target device 10, it is also possible to know the range for acquiring log data in plain text from the partially encrypted log acquisition range and the encrypted range.
 そして、生成制御部14は、一部暗号化ログ取得範囲で得られた暗号化後のデータをまとめて1つのログファイル19aとして記憶するように、書き込み部18を制御する。さらに、生成制御部14は、一部暗号化ログ取得範囲のうち暗号化範囲を除く部分(範囲)で得られた平文のデータをまとめて1つのログファイル19bとして記憶するように、書き込み部18を制御する。この制御により、一部暗号化ログ取得範囲に複数の暗号化範囲が含まれる場合にも、これらの暗号化範囲について暗号化されたデータを全てまとめて1つのログファイル19aとし、残りの範囲について平文データを全てまとめて1つのログファイル19bとする。 Then, the generation control unit 14 controls the writing unit 18 to collectively store the encrypted data obtained in the partially encrypted log acquisition range as one log file 19a. Furthermore, the generation control unit 14 causes the writing unit 18 to store all the plaintext data obtained in a part (range) excluding the encrypted range of the partially encrypted log acquisition range as one log file 19b. control. With this control, even if the partially encrypted log acquisition range includes multiple encrypted ranges, all the data encrypted for these encrypted ranges are combined into one log file 19a, and the remaining ranges are All the plaintext data is combined into one log file 19b.
 例えば、或るログ取得コマンドにおいて、一部暗号化ログ取得範囲のうち処理αから処理βまで及び処理γから処理δまでを暗号化範囲として指定されている場合、暗号化された1つのログファイル19aと平文の1つのログファイル19bとが記憶される。 For example, in a certain log acquisition command, if the partially encrypted log acquisition range is specified as the encryption range from processing α to processing β and from processing γ to processing δ, one encrypted log file 19a and one plaintext log file 19b are stored.
 第1日時から第2日時まで及び第3日時から第4日時までといった複数の処理期間で暗号化範囲が指定されている場合にも、同様の考え方が適用できる。なお、ここでは第1日時、第2日時、第3日時、第4日時は順に現在に近い日時として説明している。この場合には、第1日時から第2日時までの暗号化ログデータと第3日時から第4日時までの暗号化ログデータとが1つのログファイルとして記憶される。第2日時から第3日時までの平文ログデータと、一部暗号化ログ取得範囲の開始日時から第1日時までの平文ログデータと、第4日時から一部暗号化ログ取得範囲の終了日時までの平文ログデータと、が1つのログファイルとして記憶される。但し、一部暗号化ログ取得範囲の開始日時と第1日時とが同じ場合には対応する平文ログデータは存在せず、また一部暗号化ログ取得範囲の終了日時と第4日時とが同じ場合には対応する平文ログデータは存在しないことになる。 The same concept can be applied even when the encryption range is specified in multiple processing periods, such as from the first date and time to the second date and time and from the third date and time to the fourth date and time. Note that here, the first date and time, the second date and time, the third date and time, and the fourth date and time are explained as dates and times that are closer to the present in this order. In this case, the encrypted log data from the first date and time to the second date and time and the encrypted log data from the third date and time to the fourth date and time are stored as one log file. Plaintext log data from the second date and time to the third date and time, plaintext log data from the start date and time of the partially encrypted log acquisition range to the first date and time, and from the fourth date and time to the end date and time of the partially encrypted log acquisition range plaintext log data is stored as one log file. However, if the start date and time of the partially encrypted log acquisition range and the first date and time are the same, the corresponding plaintext log data does not exist, and the end date and time of the partially encrypted log acquisition range and the fourth date and time are the same. In this case, the corresponding plaintext log data does not exist.
 ログ取得部15は、生成制御部14の制御に従い、ログ取得コマンドで指示された、対象装置10におけるログデータを取得し、バッファ部16に一時保存する。バッファ部16は、ログ取得部15で取得されたログデータの一時保存バッファであり、一時保存されたログデータは、暗号化部17での暗号化時や書き込み部18での書き込み時に利用される。 Under the control of the generation control unit 14, the log acquisition unit 15 acquires the log data in the target device 10 instructed by the log acquisition command, and temporarily stores it in the buffer unit 16. The buffer unit 16 is a temporary storage buffer for log data acquired by the log acquisition unit 15, and the temporarily stored log data is used when encrypted by the encryption unit 17 or written by the write unit 18. .
 暗号化部17は、ログ取得部15で取得されたログデータのうちログ取得コマンドで指定された範囲(暗号化範囲)のログデータを暗号化する。暗号化部17における暗号化方法は問わず、暗号化されたデータが復号できるものであればよい。また、暗号化部17は、暗号化範囲が示す開始地点への暗号化開始フラグの設定、及び暗号化範囲が示す暗号化終了地点への暗号化終了フラグの設定も行う。暗号化開始フラグの設定、暗号化終了フラグの設定は、それぞれ暗号化開始フラグ、暗号化終了フラグを挿入することでなされることができる。 The encryption unit 17 encrypts the log data in the range (encryption range) specified by the log acquisition command among the log data acquired by the log acquisition unit 15. The encryption method in the encryption unit 17 does not matter, as long as the encrypted data can be decrypted. The encryption unit 17 also sets an encryption start flag to the start point indicated by the encryption range, and sets an encryption end flag to the encryption end point indicated by the encryption range. The encryption start flag and encryption end flag can be set by inserting the encryption start flag and encryption end flag, respectively.
 さらに、暗号化部17は、バッファ部16に一時保存された暗号化対象の平文のログデータを、例えば、byte配列に格納して設定された暗号化方式及びパスワードで暗号化する。暗号化部17では、暗号化方式やパスワードも設定可能となっており、暗号化方式の設定は対象装置10の図示しない操作部から受け付けること、あるいはログ取得コマンドに記述された内容に従ってなされることができる。パスワードの設定は、ログ取得コマンドに記述された内容に従ってなされることができるが、これに限らない。また、パスワードを使用する代わりに、公開鍵暗号化方式、TLS(Transport Layer Security)、SSL(Secure Socket Layer)などを用いるなど、暗号化部17での暗号化の手法は問わない。暗号化部17は、暗号化後のログデータをバッファ部16に一時保存させることができる。但し、暗号化後のログデータは暗号化部17内に設けたバッファ部に一時保存させることもできる。 Furthermore, the encryption unit 17 encrypts the plaintext log data to be encrypted, which is temporarily stored in the buffer unit 16, by storing it in a byte array and using the set encryption method and password, for example. In the encryption unit 17, the encryption method and password can also be set, and the setting of the encryption method must be accepted from the operation unit (not shown) of the target device 10, or be made according to the contents described in the log acquisition command. I can do it. The password can be set according to the contents described in the log acquisition command, but is not limited thereto. Furthermore, instead of using a password, the encryption method used by the encryption unit 17 does not matter, such as using public key encryption, TLS (Transport Layer Security), SSL (Secure Socket Layer), or the like. The encryption unit 17 can temporarily store the encrypted log data in the buffer unit 16. However, the encrypted log data can also be temporarily stored in a buffer section provided within the encryption section 17.
 書き込み部18は、バッファ部16に一時保存された、暗号化されたログデータや平文のままのログデータを、ファイル化して記録媒体19に書き込む制御を行う。これにより、記録媒体19には、暗号化されたフラグ付きログデータについてのログファイル、暗号化されたフラグ無しログデータについてのログファイル、及び平文のログデータについてのログファイルの少なくとも1つが記憶されることになる。 The writing unit 18 performs control to convert encrypted log data and plaintext log data temporarily stored in the buffer unit 16 into a file and write the file into a recording medium 19. As a result, the recording medium 19 stores at least one of a log file for encrypted flagged log data, a log file for encrypted log data without a flag, and a log file for plaintext log data. That will happen.
 記録媒体19の種類は問わず、例えばハードディスクドライブ、ソリッドステートドライブや、可搬型の記録媒体であってもよい。記録媒体19は、対象装置10が本来の機能を果たすうえで使用する記憶装置であってもよい。 The type of recording medium 19 does not matter, and may be, for example, a hard disk drive, a solid state drive, or a portable recording medium. The recording medium 19 may be a storage device used by the target device 10 to perform its original functions.
 また、生成制御部14、ログ取得部15は、主制御部11のCPUに、それぞれログ生成及び通信部12を介したログファイルの返信の処理、ログデータの取得の処理を実行させるためのサブプログラムで構成されることができる。暗号化部17、書き込み部18は、主制御部11のCPUに、それぞれ、ログデータの暗号化の処理、ログデータのファイル化及び書き込みの処理を実行させるためのサブプログラムで構成されることができる。但し、例えば暗号化部17は暗号化を行うハードウェアで構成されることもできるなど、これらの部位はサブプログラムで構成されることに限らない。 Additionally, the generation control unit 14 and the log acquisition unit 15 are subsystems for causing the CPU of the main control unit 11 to execute log generation, log file return processing via the communication unit 12, and log data acquisition processing, respectively. Can be configured programmatically. The encryption unit 17 and the writing unit 18 may be configured with subprograms for causing the CPU of the main control unit 11 to execute processing for encrypting log data and processing for creating and writing log data into a file, respectively. can. However, these parts are not limited to being composed of subprograms; for example, the encryption unit 17 can be composed of hardware that performs encryption.
 次に、図6及び図7を参照しながら、本システムにおける対象装置10での処理例について説明する。図6は本システムにおける対象装置10のログ生成部13での処理の一例を説明するためのフロー図で、図7は図6に続くフロー図である。 Next, an example of processing in the target device 10 in this system will be described with reference to FIGS. 6 and 7. FIG. 6 is a flowchart for explaining an example of processing in the log generation unit 13 of the target device 10 in this system, and FIG. 7 is a flowchart following FIG. 6.
 図6及び図7では、一例として或るログ取得コマンドに対する処理例について説明するが、対象装置10に対しるログ取得コマンドが複数存在する場合にはそれぞれのログ取得コマンドについての以下の処理が実行される。 In FIGS. 6 and 7, an example of processing for a certain log acquisition command will be explained as an example, but if there are multiple log acquisition commands for the target device 10, the following process will be executed for each log acquisition command. be done.
 ログ生成部13では、まず生成制御部14がログ収集装置20からのログ取得コマンドを受信すると、ログ取得コマンドに記述された情報(パラメータ)のチェックを実施する(ステップS11)。次いで、生成制御部14が、そのチェック結果から暗号化要否の判定を行う(ステップS12)。 In the log generation unit 13, when the generation control unit 14 first receives the log acquisition command from the log collection device 20, it checks the information (parameters) written in the log acquisition command (step S11). Next, the generation control unit 14 determines whether encryption is necessary based on the check result (step S12).
 暗号化不要の場合、即ちステップS12でNOの場合、生成制御部14は、ログ取得部15にログデータの取得(収集)を実行させ、収集したログデータをバッファ部16に平文で一時保存させる(ステップS13)。次いで、生成制御部14は、書き込み部18を制御し、バッファ部16に一時保存された平文のログデータをファイル化して記録媒体19に書き込ませ(ステップS14)、処理を終了する。 If encryption is not necessary, that is, if NO in step S12, the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, and causes the buffer unit 16 to temporarily store the collected log data in plain text. (Step S13). Next, the generation control unit 14 controls the writing unit 18 to convert the plaintext log data temporarily stored in the buffer unit 16 into a file and write it to the recording medium 19 (step S14), and ends the process.
 暗号化要の場合、即ちステップS12でYESの場合、生成制御部14は、ステップS11でのチェック結果から一部暗号化であるか否か(全て暗号化であるか)を判定する(ステップS15)。全て暗号化対象の場合、即ちステップS15でNOの場合、生成制御部14は、ログ取得部15にログデータの取得(収集)を実行させ、収集したログデータをバッファ部16に平文で一時保存させる(ステップS16)。 If encryption is required, that is, YES in step S12, the generation control unit 14 determines whether or not part of the data is encrypted (or all of it is encrypted) based on the check result in step S11 (step S15). ). If all are to be encrypted, that is, if NO in step S15, the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, and temporarily saves the collected log data in the buffer unit 16 in plain text. (Step S16).
 その後、生成制御部14は、バッファ部16に一時保存されたログデータに対し、暗号化部17に暗号化を実行させて、暗号化後のログデータをバッファ部16に一時保存させる(ステップS17)。暗号化部17では、例えば平文のログデータをバイト配列に格納して暗号化方式及びパスワードを指定し、暗号化を実施する。暗号化方式及びパスワードは、ログ取得コマンドでなされていてもよいし、予め定められていてもよい。 After that, the generation control unit 14 causes the encryption unit 17 to execute encryption on the log data temporarily stored in the buffer unit 16, and causes the encrypted log data to be temporarily stored in the buffer unit 16 (step S17). ). The encryption unit 17 stores, for example, plaintext log data in a byte array, specifies an encryption method and password, and performs encryption. The encryption method and password may be set in the log acquisition command or may be determined in advance.
 次いで、生成制御部14は、書き込み部18を制御し、バッファ部16に一時保存された暗号化後のログデータをファイル化して記録媒体19に書き込ませ(ステップS18)、処理を終了する。 Next, the generation control unit 14 controls the writing unit 18 to convert the encrypted log data temporarily stored in the buffer unit 16 into a file and write it to the recording medium 19 (step S18), and ends the process.
 一部暗号化を実施する場合、即ちステップS15でYESの場合、生成制御部14は、ログ取得コマンドが終了するまで、ループ開始(ステップS21s)からループ終了(ステップS21e)までに至るループ処理を実行する。 If partial encryption is to be performed, that is, if YES in step S15, the generation control unit 14 executes the loop process from the start of the loop (step S21s) to the end of the loop (step S21e) until the log acquisition command ends. Execute.
 一部暗号化を実施する場合には、一部暗号化ログ取得範囲のいずれかで暗号化範囲により暗号化開始位置が指定されている。よって、生成制御部14は、まずステップS11でのチェック結果が示す暗号化開始位置であるか否かを、ログデータの現時点での取得状況から判定する(ステップS22)。なお、ループ処理の最初においては、一部暗号化ログ取得範囲の開始位置と暗号化開始位置とが一致している場合には、ステップS22でYESとなり、それ以外の場合、つまり最初に非暗号化範囲がある場合にはステップS22でNOとなる。 When performing partial encryption, the encryption start position is specified by the encryption range in any of the partial encryption log acquisition ranges. Therefore, the generation control unit 14 first determines whether the encryption start position is the one indicated by the check result in step S11 based on the current acquisition status of the log data (step S22). Note that at the beginning of the loop process, if the start position of the partially encrypted log acquisition range and the encryption start position match, YES is returned in step S22; otherwise, in other words, the unencrypted If there is a range, the answer in step S22 is NO.
 ステップS22でNOの場合、生成制御部14は、ログ取得部15にログデータの取得(収集)を実行させ、収集したログデータをバッファ部16に平文で一時保存させる(ステップS23)。次いで、生成制御部14は、ステップS22と同様に、ログデータの現時点での取得状況から暗号化開始位置であるか否かを判定する(ステップS24)。ステップS24でNOの場合にはステップS23の処理を継続する。 If NO in step S22, the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, and temporarily stores the collected log data in the buffer unit 16 in plain text (step S23). Next, similarly to step S22, the generation control unit 14 determines whether it is the encryption start position based on the current acquisition status of the log data (step S24). If NO in step S24, the process in step S23 is continued.
 生成制御部14は、暗号化開始位置にシーケンスが進むまで(ステップS24でYESとなるまで)、ステップS23の処理を継続する。暗号化開始位置まで進んだ場合、即ちステップS24でYESとなった場合、生成制御部14は、それまでにバッファ部16に一時保存された平文のログデータを平文用のファイルである第1ファイルに書き込むように書き込み部18を制御する(ステップS25)。 The generation control unit 14 continues the process in step S23 until the sequence advances to the encryption start position (until YES in step S24). When the encryption progresses to the encryption start position, that is, when the answer is YES in step S24, the generation control unit 14 saves the plaintext log data temporarily stored in the buffer unit 16 to the first file, which is a file for plaintext. The writing unit 18 is controlled to write to (step S25).
 ステップS25では、第1ファイルが生成されていない最初のループでは、生成制御部14は、書き込み部18を制御し、一時保存された平文のログデータをファイル化することで第1ファイルを生成して記録媒体19に書き込ませておく。次回以降のループ処理では、ステップS25において、生成制御部14は、書き込み部18に記録媒体19に記憶された第1ファイルに、一時保存された平文のログデータを追記する。ステップS25の終了後、次のループ処理へと移る。 In step S25, in the first loop in which the first file is not generated, the generation control unit 14 controls the writing unit 18 to generate the first file by converting the temporarily saved plaintext log data into a file. and write it on the recording medium 19. In the subsequent loop processing, in step S25, the generation control unit 14 causes the writing unit 18 to add the temporarily stored plaintext log data to the first file stored in the recording medium 19. After step S25 ends, the process moves to the next loop process.
 一方、ステップS22でYESの場合、生成制御部14は、暗号化部17に暗号化開始フラグを挿入させる(ステップS26)。この段階では、その暗号化区間についての暗号化開始フラグのみのログデータをバッファ部16に一時保存しておけばよい。ステップS26に次いで、生成制御部14は、ログ取得部15にログデータの取得(収集)を実行させ、収集したログデータをバッファ部16に平文で一時保存させ(ステップS27)、暗号化終了位置に進んだか否かを判定する(ステップS28)。ステップS28でNOの段階ではステップS27の処理を継続する。 On the other hand, if YES in step S22, the generation control unit 14 causes the encryption unit 17 to insert an encryption start flag (step S26). At this stage, the log data of only the encryption start flag for the encryption section may be temporarily stored in the buffer section 16. Next to step S26, the generation control unit 14 causes the log acquisition unit 15 to acquire (collect) log data, temporarily stores the collected log data in the buffer unit 16 in plain text (step S27), and places the encryption end point It is determined whether the process has proceeded to (step S28). If NO in step S28, the process in step S27 is continued.
 暗号化終了位置に到達した場合、即ちステップS28でYESとなった場合、生成制御部14は、一時保存されたログデータの末尾に暗号化終了フラグを挿入するように暗号化部17を制御して、暗号化部17に挿入を実行させる(ステップS29)。 When the encryption end position has been reached, that is, YES in step S28, the generation control unit 14 controls the encryption unit 17 to insert an encryption end flag at the end of the temporarily saved log data. Then, the encryption unit 17 is caused to execute the insertion (step S29).
 次いで、生成制御部14は、バッファ部16に一時保存されたフラグ付きのログデータに対し、暗号化部17に暗号化を実行させて、暗号化後のログデータをバッファ部16に一時保存させる(ステップS30)。ここでも暗号化部17では、例えば平文のログデータをバイト配列に格納して暗号化方式及びパスワードを指定し、暗号化を実施する。暗号化方式及びパスワードは、ログ取得コマンドでなされていてもよいし、予め定められていてもよい。 Next, the generation control unit 14 causes the encryption unit 17 to execute encryption on the flagged log data temporarily stored in the buffer unit 16, and causes the encrypted log data to be temporarily stored in the buffer unit 16. (Step S30). Here too, the encryption unit 17 stores, for example, plaintext log data in a byte array, specifies an encryption method and password, and performs encryption. The encryption method and password may be set in the log acquisition command or may be determined in advance.
 生成制御部14は、それまでにバッファ部16に一時保存された暗号化後のログデータを暗号化用のファイルである第2ファイルに書き込むように書き込み部18を制御する(ステップS31)。 The generation control unit 14 controls the writing unit 18 to write the encrypted log data that has been temporarily stored in the buffer unit 16 into the second file, which is an encryption file (step S31).
 ステップS31では、第2ファイルが生成されていない最初のループでは、生成制御部14は、書き込み部18を制御し、一時保存された暗号化後のログデータをファイル化することで第2ファイルを生成して記録媒体19に書き込ませておく。次回以降のループ処理では、ステップS31において、生成制御部14は、書き込み部18に記録媒体19に記憶された第2ファイルに、一時保存された暗号化後のログデータを追記する。ステップS31の終了後、次のループ処理へと移る。 In step S31, in the first loop in which the second file is not generated, the generation control unit 14 controls the writing unit 18 to generate the second file by converting the temporarily stored encrypted log data into a file. It is generated and written on the recording medium 19. In subsequent loop processing, in step S31, the generation control unit 14 causes the writing unit 18 to add the temporarily stored encrypted log data to the second file stored in the recording medium 19. After step S31 ends, the process moves to the next loop process.
 次に、図8及び図9を参照しながら、ログ収集装置20と対象装置10の処理例について説明する。図8は本システムにおける全体の処理の一例を示すシーケンス図で、図9は図8に続くシーケンス図である。 Next, a processing example of the log collection device 20 and the target device 10 will be described with reference to FIGS. 8 and 9. FIG. 8 is a sequence diagram showing an example of the overall processing in this system, and FIG. 9 is a sequence diagram following FIG. 8.
 まず、ログ収集装置20は、ログ取得コマンドであるログ取得要求を対象装置10に送信し、それを生成制御部14が受け取る(ステップS100)。ログ取得コマンドはログ収集装置20等で操作部22から指定可能であるとして説明したが、ログ取得コマンドで設定される内容は予め定められておくこと、つまりログ収集装置20の使用者からは変更できないようにしておくこともできる。 First, the log collection device 20 transmits a log acquisition request, which is a log acquisition command, to the target device 10, and the generation control unit 14 receives it (step S100). Although it has been explained that the log acquisition command can be specified from the operation unit 22 of the log collection device 20 etc., the contents set by the log acquisition command must be determined in advance, that is, it cannot be changed by the user of the log collection device 20. You can also make it impossible.
 次いで、生成制御部14が受け取ったログ取得コマンドに設定されているパラメータのチェックを実施する(ステップS101)。受け取ったログ取得コマンドの分だけのループ処理が実行される。このループ処理では、対象となっているログ取得コマンドについてのチェックの結果に従い、暗号化なしの処理、全て暗号化する処理、及び一部暗号化する処理のいずれか1つが実行されることになる。 Next, the generation control unit 14 checks the parameters set in the received log acquisition command (step S101). Loop processing is executed for the number of log acquisition commands received. In this loop process, one of the following processes will be executed: no encryption, full encryption, or partial encryption, depending on the check result for the target log acquisition command. .
 暗号化なしのログ取得コマンドであった場合、生成制御部14がログ取得コマンドを実行することで、ログデータのバッファ部16への一時保存(バッファリング)が開始される(ステップS102)。次いで、生成制御部14が、書き込み部18に対し、そのログデータをファイル化するように要求し(ステップS103)、書き込み部18がファイル化を実行し、記録媒体19にその平文のログファイルを記憶する(ステップS104)。次いで、書き込み部18が、要求への応答としてファイル化が済んだことを生成制御部14に通知する(ステップS105)。この通知を受けて、生成制御部14が、記録媒体19に記憶された平文のログファイルを、通信部12を介してログ収集装置20に送信(転送)し(ステップS106)、処理を終了する。 If the command is a log acquisition command without encryption, the generation control unit 14 executes the log acquisition command, thereby starting temporary storage (buffering) of the log data in the buffer unit 16 (step S102). Next, the generation control unit 14 requests the writing unit 18 to convert the log data into a file (step S103), and the writing unit 18 executes the file conversion and writes the plaintext log file to the recording medium 19. It is stored (step S104). Next, the writing unit 18 notifies the generation control unit 14 that the file creation has been completed in response to the request (step S105). Upon receiving this notification, the generation control unit 14 transmits (transfers) the plaintext log file stored in the recording medium 19 to the log collection device 20 via the communication unit 12 (step S106), and ends the process. .
 全て暗号化するログ取得コマンドであった場合、生成制御部14がログ取得コマンドを実行することで、ログデータのバッファ部16への一時保存が開始される(ステップS107)。次いで、生成制御部14が、暗号化部17に暗号化要求を送信し(ステップS108)、暗号化部17がその要求に応答し、一時保存されたログデータの暗号化を実行し(ステップS109)、暗号化の終了を生成制御部14に通知する(ステップS110)。 If the log acquisition command is to encrypt everything, the generation control unit 14 executes the log acquisition command, and temporary storage of the log data in the buffer unit 16 is started (step S107). Next, the generation control unit 14 transmits an encryption request to the encryption unit 17 (step S108), and the encryption unit 17 responds to the request and executes encryption of the temporarily stored log data (step S109). ), notifies the generation control unit 14 of the end of encryption (step S110).
 この通知を受けて、生成制御部14が、書き込み部18に対し、そのログデータをファイル化するように要求し(ステップS111)、書き込み部18がファイル化を実行し、記録媒体19にその暗号化されたログファイルを記憶する(ステップS112)。次いで、書き込み部18が、要求への応答としてファイル化が済んだことを生成制御部14に通知する(ステップS113)。次いで、生成制御部14が、記録媒体19に記憶された暗号化後のログファイルを、通信部12を介してログ収集装置20に送信(転送)し(ステップS114)、処理を終了する。 Upon receiving this notification, the generation control unit 14 requests the writing unit 18 to convert the log data into a file (step S111), and the writing unit 18 executes the file conversion and stores the encrypted data on the recording medium 19. The converted log file is stored (step S112). Next, the writing unit 18 notifies the generation control unit 14 that the file creation has been completed in response to the request (step S113). Next, the generation control unit 14 transmits (transfers) the encrypted log file stored in the recording medium 19 to the log collection device 20 via the communication unit 12 (step S114), and ends the process.
 一部暗号化するログ取得コマンドであった場合、そのログ取得コマンドの終了まで、暗号化開始位置での処理、暗号化終了位置での処理、及び非暗号化区間での処理のいずれか1つが実行されるループ処理が実行される。 If the log acquisition command partially encrypts, one of the processing at the encryption start position, the process at the encryption end position, and the processing in the non-encryption section is performed until the end of the log acquisition command. The loop process to be executed is executed.
 暗号化開始位置がログデータの先頭と限らない。よって、生成制御部14は、ログ取得コマンドを実行することで、暗号化開始位置となるまでは非暗号区間での処理としてログデータのバッファ部16への一時保存が実行される(ステップS126)。その後、生成制御部14が、書き込み部18に対し、そのログデータをファイル化するように要求し(ステップS127)、書き込み部18がファイル化を実行し、記録媒体19にその平文のログファイルを記憶する(ステップS128)。次いで、書き込み部18が、要求への応答としてこの非暗号化範囲でのファイル化が済んだことを生成制御部14に通知する(ステップS129)。次の非暗号化範囲があった場合には、ステップS127において、記録媒体19に記憶された平文のログファイルに平文のログデータを追記するとよい。 The encryption start position is not necessarily the beginning of the log data. Therefore, by executing the log acquisition command, the generation control unit 14 temporarily stores the log data in the buffer unit 16 as a process in a non-encrypted interval until the encryption start position is reached (step S126). . After that, the generation control unit 14 requests the writing unit 18 to convert the log data into a file (step S127), and the writing unit 18 executes the conversion into a file and writes the plaintext log file to the recording medium 19. It is stored (step S128). Next, in response to the request, the writing unit 18 notifies the generation control unit 14 that the file creation in this non-encrypted range has been completed (step S129). If there is the next unencrypted range, plaintext log data may be added to the plaintext log file stored in the recording medium 19 in step S127.
 暗号化開始位置での処理例について説明する。暗号化開始位置に到達すると、生成制御部14がログ取得コマンドを実行することで、ログデータのバッファ部16への一時保存が開始される(ステップS115)。次いで、生成制御部14は、暗号化部17に対して暗号化開始要求を送信する(ステップS116)。暗号化部17では、暗号化開始要求を受信するとステップS115で一時保存された暗号化前のログデータの暗号化開始位置に暗号化開始フラグを挿入し(ステップS117)、暗号化開始応答を生成制御部14に返却する(ステップS118)。 An example of processing at the encryption start position will be explained. When the encryption start position is reached, the generation control unit 14 executes a log acquisition command to start temporarily storing the log data in the buffer unit 16 (step S115). Next, the generation control unit 14 transmits an encryption start request to the encryption unit 17 (step S116). Upon receiving the encryption start request, the encryption unit 17 inserts an encryption start flag into the encryption start position of the unencrypted log data temporarily stored in step S115 (step S117), and generates an encryption start response. It is returned to the control unit 14 (step S118).
 暗号化終了位置での処理例について説明する。暗号化終了位置まで処理が進むと、生成制御部14は、暗号化部17に対して暗号化終了要求を送信する(ステップS119)。暗号化部17では、ステップS115により継続的に一時保存されているログデータの末尾に暗号化終了フラグを挿入し(ステップS120)、暗号化開始フラグと暗号化終了フラグとで区切られた区間の暗号化を実施する(ステップS121)。その後、暗号化部17は、暗号化終了応答を生成制御部14に返却する(ステップS122)。 An example of processing at the encryption end position will be explained. When the process progresses to the encryption end position, the generation control unit 14 transmits an encryption end request to the encryption unit 17 (step S119). The encryption unit 17 inserts an encryption end flag at the end of the log data that is continuously temporarily stored in step S115 (step S120), and inserts an encryption end flag into the end of the log data that is continuously temporarily stored in step S115. Encryption is performed (step S121). Thereafter, the encryption unit 17 returns an encryption completion response to the generation control unit 14 (step S122).
 その後、生成制御部14が、書き込み部18に対し、その区間についての暗号化されたログデータをファイル化するように要求する(ステップS123)。この要求を受けた書き込み部18は、ファイル化を実行し、記録媒体19にその暗号化ログファイルを記憶する(ステップS124)。次いで、書き込み部18が、要求への応答としてこの暗号化範囲でのファイル化が済んだことを生成制御部14に通知する(ステップS125)。次の暗号化範囲があった場合には、ステップS124において、記録媒体19に記憶された暗号化ログファイルに暗号化されたログデータを追記するとよい。 After that, the generation control unit 14 requests the writing unit 18 to create a file of the encrypted log data for that section (step S123). Upon receiving this request, the writing unit 18 executes file creation and stores the encrypted log file in the recording medium 19 (step S124). Next, in response to the request, the writing unit 18 notifies the generation control unit 14 that the file creation within this encryption range has been completed (step S125). If there is the next encrypted range, the encrypted log data may be added to the encrypted log file stored in the recording medium 19 in step S124.
 以上のようにして、対象のログ取得コマンドによるログデータの取得及び一部暗号化及びファイル化が済んだ段階で、一部暗号化におけるループ処理が終了する。その後、生成制御部14は、記録媒体19に記憶された1つの平文ログファイル及び1つの暗号化ログファイルを、通信部12を介してログ収集装置20に送信(転送)し(ステップS130)、処理を終了する。 As described above, when the log data has been acquired using the target log acquisition command, partially encrypted, and created into a file, the loop processing for partial encryption ends. After that, the generation control unit 14 transmits (transfers) one plaintext log file and one encrypted log file stored in the recording medium 19 to the log collection device 20 via the communication unit 12 (step S130), Finish the process.
 以上、本実施形態によれば、実施形態1による効果に加えて、ログ取得コマンドに複数の暗号化範囲が含まれていた場合にも、複数の暗号化範囲をまとめて1つの暗号化ログファイルとして得ることができる。また、本実施形態によれば、ログ取得コマンドに1又は複数の暗号化範囲が含まれることで、結果的に複数の非暗号化範囲が含まれることになった場合にも、複数の非暗号化範囲をまとめて1つの平文ログファイルとして得ることができる。 As described above, according to this embodiment, in addition to the effects of Embodiment 1, even when a log acquisition command includes multiple encryption ranges, multiple encryption ranges are combined into one encrypted log file. can be obtained as Furthermore, according to the present embodiment, even if a log acquisition command includes one or more encrypted ranges and as a result includes multiple unencrypted ranges, multiple unencrypted ranges are included. The converted range can be obtained as a single plaintext log file.
 また、本実施形態では、一部暗号化を行うログ取得コマンドについて、一部暗号化ログ取得範囲を示す情報が含まれることについて説明した。但し、全て暗号化するためのログ取得コマンド、暗号化を実行しないログ取得コマンドのいずれについても、ログ取得範囲を示す情報を含めておくこともできる。これにより、対象装置10では、この2種のログ取得コマンドに対しても、ログ取得コマンドに含まれるログ種別及びログ取得範囲に基づき収集対象のログデータを特定することができる。 Furthermore, in the present embodiment, it has been explained that the log acquisition command that partially encrypts includes information indicating the partially encrypted log acquisition range. However, information indicating the log acquisition range may be included for both the log acquisition command for encrypting everything and the log acquisition command for not encrypting. As a result, the target device 10 can specify log data to be collected based on the log type and log acquisition range included in the log acquisition command for these two types of log acquisition commands.
 また、図8及び図9のシーケンス図で例示したように、本実施形態における生成制御部14は、暗号化開始フラグと暗号化終了フラグの挿入位置をログ取得コマンド実行中に判定し、非暗号化と一部暗号化(部分暗号化)と全暗号化とを切り替える機能を備える。このような機能を備えることで、ログ収集装置20からのこれらの3種類のいずれの要求に対しても処理を切り替えてログファイルを生成することやそのログファイルをログ収集装置20に転送することができる。 Further, as illustrated in the sequence diagrams of FIGS. 8 and 9, the generation control unit 14 in this embodiment determines the insertion positions of the encryption start flag and the encryption end flag during execution of the log acquisition command, and It has a function to switch between encryption, partial encryption (partial encryption), and full encryption. By providing such a function, it is possible to switch processing and generate a log file in response to any of these three types of requests from the log collection device 20, and to transfer the log file to the log collection device 20. I can do it.
 最後に、一部暗号化を行う場合の、閲覧時(復号時)における暗号化開始フラグ及び暗号化終了フラグの利用方法について、簡単に説明する。この場合の暗号化開始フラグ及び暗号化終了フラグは使用しなくても、暗号化ログファイルの復号は、これらのフラグを無視することで可能である。但し、一つのログ取得コマンドについてのログファイルを順番に閲覧する処理を行う場合には、これらのフラグを利用することができる。例えば、暗号化ログファイルの復号を先に実行しておき、順番に従い、暗号化範囲、非暗号化範囲を提示させることができる。暗号化範囲と非暗号化範囲のいずれが先であるかは、ログ収集装置20でログ取得コマンドの生成を行った後では既知であるため、ログ取得コマンドを参照して得ることができる。例えば、暗号化終了フラグの後は平文のログファイルの次の非暗号化範囲を読み出して提示し、平文のログファイルの非暗号化範囲の提示が終了した時点で次の暗号化開始フラグで示される次の暗号化範囲を読み出して提示することができる。 Finally, we will briefly explain how to use the encryption start flag and encryption end flag during viewing (decryption) when partially encrypting. In this case, even if the encryption start flag and encryption end flag are not used, the encrypted log file can be decrypted by ignoring these flags. However, these flags can be used when sequentially viewing log files for one log acquisition command. For example, the encrypted log file can be decrypted first, and the encrypted range and non-encrypted range can be presented in that order. Which comes first, the encrypted range or the non-encrypted range, is known after the log acquisition command is generated by the log collection device 20, so it can be obtained by referring to the log acquisition command. For example, after the encryption end flag, the next unencrypted range of the plaintext log file is read and presented, and when the presentation of the unencrypted range of the plaintext log file is finished, the next encryption start flag is used. The next encrypted range can be read and presented.
<実施形態3>
 実施形態3について、図10等を参照しながら、実施形態2との相違点を中心に説明するが、実施形態3でも実施形態1,2で説明した様々な応用例が適用可能である。実施形態3でも暗号化システムの構成例は一部の処理を除き図4の構成例が適用できるため、図4の構成例に基づき説明を行う。 <Embodiment 3>
Embodiment 3 will be described with reference to FIG. 10 and the like, focusing on the differences from Embodiment 2, but the various application examples described in Embodiments 1 and 2 can be applied to Embodiment 3 as well. The configuration example of FIG. 4 can also be applied to the configuration example of the encryption system in the third embodiment, except for some processes, so the explanation will be based on the configuration example of FIG. 4.
 実施形態2では、ログ取得コマンドに複数の暗号化範囲が含まれていた場合において、複数の暗号化範囲をまとめて1つの暗号化ログファイルとして得、複数の非暗号化範囲をまとめて1つの平文ログファイルとして得るようにしている。 In the second embodiment, when a log acquisition command includes multiple encrypted ranges, the multiple encrypted ranges are collected as one encrypted log file, and the multiple unencrypted ranges are collected as one encrypted log file. I am trying to get it as a plain text log file.
 これに対し、本実施形態における生成制御部14は、暗号化範囲が示す開始位置、終了位置で区切られる毎に、暗号化後のログデータを1つのファイルとして記録媒体19に記憶させ、平文のログデータを1つのファイルとして記録媒体19に記憶させる。つまり、本実施形態では、暗号化範囲が複数に分かれた場合に、処理順に暗号化範囲で区切られる毎にログファイルを記憶すること、並びに記憶した各ログファイルをログ収集装置20に送信することができる。 In contrast, the generation control unit 14 in this embodiment stores the encrypted log data in the recording medium 19 as one file every time the encryption range is delimited by the start position and end position, and stores the encrypted log data as one file in the recording medium 19. The log data is stored in the recording medium 19 as one file. In other words, in this embodiment, when the encryption range is divided into a plurality of parts, log files are stored every time the encryption range is divided in the processing order, and each stored log file is sent to the log collection device 20. I can do it.
 具体的にファイルの記憶方法について例示する。ログ取得コマンドにおいて処理αから処理βまで及び処理γから処理δまでが暗号化範囲として指定されている場合、暗号化ログファイルとしては、次の2つの暗号化ログファイルが記憶されることになる。即ち、処理αから処理βまでの暗号化ログファイルと、処理γから処理δまでの暗号化ログファイルと、が記憶されることになる。また、それらの処理以外の連続するログデータを、それぞれ平文のログファイルとすることができる。例えば、処理βの後から処理γの前までの一連の処理のログデータが1つの平文のログファイルとして記憶される。また、処理αの前に一連の処理があれば、その一連の処理のログデータが1つの平文のログファイルとして記憶され、処理δの後に一連の処理があれば、その一連の処理のログデータが1つの平文のログファイルとして記憶されることになる。この例では、平文のログファイルは最大で3つとなる。 A specific example of a file storage method will be given below. If the encryption range from processing α to processing β and from processing γ to processing δ is specified in the log acquisition command, the following two encrypted log files will be stored as encrypted log files. . That is, encrypted log files from processing α to processing β and encrypted log files from processing γ to processing δ are stored. Further, continuous log data other than those processes can be made into plain text log files. For example, log data of a series of processes from after process β to before process γ is stored as one plaintext log file. Additionally, if there is a series of processes before process α, the log data of that series of processes is stored as one plaintext log file, and if there is a series of processes after process δ, the log data of that series of processes is stored as one plaintext log file. will be stored as one plaintext log file. In this example, there will be a maximum of three plaintext log files.
 第1日時から第2日時まで及び第3日時から第4日時までといった複数の処理期間で暗号化範囲が指定されている場合にも、同様の考え方が適用できる。なお、ここでは第1日時、第2日時、第3日時、第4日時は順に現在に近い日時として説明している。この場合には、第1日時から第2日時までの暗号化ログファイルと第3日時から第4日時までの暗号化ログファイルとが記憶される。また、第2日時から第3日時までの平文ログファイルと、一部暗号化ログ取得範囲の開始日時から第1日時までの平文ログファイルと、第4日時から一部暗号化ログ取得範囲の終了日時までの平文ログファイルとが記憶される。但し、一部暗号化ログ取得範囲の開始日時と第1日時とが同じ場合には対応する平文ログファイルは存在せず、また一部暗号化ログ取得範囲の終了日時と第4日時とが同じ場合には対応する平文ログファイルは存在しないことになる。 The same concept can be applied even when the encryption range is specified in multiple processing periods, such as from the first date and time to the second date and time and from the third date and time to the fourth date and time. Note that here, the first date and time, the second date and time, the third date and time, and the fourth date and time are explained as dates and times that are closer to the present in this order. In this case, encrypted log files from the first date and time to the second date and time and encrypted log files from the third date and time to the fourth date and time are stored. In addition, the plaintext log files from the second date and time to the third date and time, the plaintext log files from the start date and time of the partially encrypted log acquisition range to the first date and time, and the end of the partially encrypted log acquisition range from the fourth date and time. Plaintext log files up to date and time are stored. However, if the start date and time of the partially encrypted log acquisition range and the first date and time are the same, the corresponding plaintext log file does not exist, and the end date and time of the partially encrypted log acquisition range and the fourth date and time are the same. In this case, the corresponding plaintext log file does not exist.
 なお、ここでも、実施形態2と同様に、一部暗号化ログ取得範囲の指定がなされるものとする。また、本実施形態においても、全て暗号化するためのログ取得コマンド、暗号化を実行しないログ取得コマンドにおいて、ログ取得範囲を示す情報を含めてもよい。 Note that here, as in the second embodiment, it is assumed that a partial encrypted log acquisition range is specified. Also in this embodiment, information indicating the log acquisition range may be included in the log acquisition command for encrypting everything and the log acquisition command for not encrypting.
 次に、図10を参照しながら、本実施形態における対象装置10のログ生成部13での処理の一例について説明する。図10は、実施形態3に係る暗号化システムにおける対象装置10のログ生成部13での処理の一例を説明するためのフロー図で、図6に続く処理の他の例を説明するためのフロー図である。 Next, an example of processing in the log generation unit 13 of the target device 10 in this embodiment will be described with reference to FIG. 10. FIG. 10 is a flowchart for explaining an example of processing in the log generation unit 13 of the target device 10 in the encryption system according to the third embodiment, and is a flowchart for explaining another example of the processing following FIG. 6. It is a diagram.
 図6及び図10でも、一例として或るログ取得コマンドに対する処理例について説明するが、対象装置10に対しるログ取得コマンドが複数存在する場合にはそれぞれのログ取得コマンドについての以下の処理が実行される。なお、図8及び図9で例示したようなシーケンス図による説明は省略する。 6 and 10, a processing example for a certain log acquisition command will be explained as an example, but if there are multiple log acquisition commands for the target device 10, the following processing will be executed for each log acquisition command. be done. Note that explanations using sequence diagrams such as those illustrated in FIGS. 8 and 9 will be omitted.
 本実施形態でも暗号化なしの場合や全て暗号化する場合の処理は同様であり、図6の処理例が適用できる。本実施形態では、図10に示すように、一部暗号化するログ取得コマンドであった場合、そのログ取得コマンドの終了まで、暗号化開始位置での処理、暗号化終了位置での処理、及び非暗号化区間での処理のいずれか1つが実行されるループ処理が実行される。このループ処理において、本実施形態では、図7におけるステップS25,S31の処理をそれぞれステップS25a,S31aの処理に変更している。 In this embodiment, the processing is the same in the case of no encryption and the case of all encryption, and the processing example in FIG. 6 can be applied. In this embodiment, as shown in FIG. 10, in the case of a log acquisition command that partially encrypts, processing at the encryption start position, processing at the encryption end position, and A loop process is executed in which any one of the processes in the non-encrypted section is executed. In this loop process, in this embodiment, the processes in steps S25 and S31 in FIG. 7 are changed to processes in steps S25a and S31a, respectively.
 ステップS25aでは、ステップS24でYESとなった場合、生成制御部14が、その時点でのループ処理で対象となった、バッファ部16に一時保存された平文のログデータを、平文用のファイルである第1ファイルに書き込むように書き込み部18を制御する。 In step S25a, if the result in step S24 is YES, the generation control unit 14 converts the plaintext log data temporarily stored in the buffer unit 16, which is the target of the loop processing at that point, into a plaintext file. The writing unit 18 is controlled to write to a certain first file.
 ステップS25aでは、生成制御部14は、書き込み部18を制御し、一時保存された平文のログデータをファイル化することで第1ファイルを生成して記録媒体19に書き込ませておく。ここでの第1ファイルは、対象区間別の第1ファイルとなる。よって、ステップS24でYESとなったループ処理の回数分だけ、第1ファイルが対象区間別の第1ファイルとして記憶されることになる。ステップS25aの終了後、次のループ処理へと移る。 In step S25a, the generation control unit 14 controls the writing unit 18 to generate a first file by converting the temporarily stored plaintext log data into a file and writes it into the recording medium 19. The first file here is a first file for each target section. Therefore, the first file is stored as the first file for each target section for the number of times the loop process is YES in step S24. After step S25a ends, the process moves to the next loop process.
 ステップS31aでは、生成制御部14は、バッファ部16に一時保存された暗号化後のログデータ、つまりファイル化していない暗号化後のログデータを、暗号化用のファイルである第2ファイルに書き込むように書き込み部18を制御する。 In step S31a, the generation control unit 14 writes the encrypted log data temporarily stored in the buffer unit 16, that is, the encrypted log data that has not been converted into a file, to a second file that is an encryption file. The writing section 18 is controlled in such a manner.
 ステップS31aでは、生成制御部14は、書き込み部18を制御し、一時保存された暗号化後のログデータ、つまりファイル化していない暗号化後のログデータを、ファイル化することで第2ファイルを生成して記録媒体19に書き込ませておく。ここでの第2ファイルは、対象区間別の第2ファイルとなる。よって、ステップS28でYESとなったループ処理の回数分だけ、第2ファイルが対象区間別の第2ファイルとして記憶されることになる。ステップS31aの終了後、次のループ処理へと移る。 In step S31a, the generation control unit 14 controls the writing unit 18 to create a second file by converting the temporarily stored encrypted log data, that is, the encrypted log data that has not been converted into a file, into a file. It is generated and written on the recording medium 19. The second file here is a second file for each target section. Therefore, the second file will be stored as the second file for each target section for the number of times the loop process is YES in step S28. After step S31a ends, the process moves to the next loop process.
 以上、本実施形態によれば、実施形態1による効果に加えて、ログ取得コマンドに複数の暗号化範囲が含まれていた場合にも、暗号化範囲毎に1つの暗号化ログファイルとして得ることができ、非暗号化範囲毎に1つの平文ログファイルとして得ることができる。 As described above, according to this embodiment, in addition to the effects of Embodiment 1, even when a log acquisition command includes multiple encryption ranges, it is possible to obtain one encrypted log file for each encryption range. can be obtained as one plaintext log file for each unencrypted range.
 ここで、一部暗号化を行う場合の、閲覧時(復号時)における暗号化開始フラグ及び暗号化終了フラグの利用方法について、簡単に説明する。この場合の暗号化開始フラグ及び暗号化終了フラグは使用しなくても、暗号化ログファイルの復号は、これらのフラグを無視することで可能である。但し、一つのログ取得コマンドについての暗号化ログファイルを順番に閲覧する処理を行う場合には、これらのフラグを利用することができる。例えば、暗号化ログファイルの復号を先に実行しておき、順番に従い、暗号化範囲、非暗号化範囲を提示させることができる。この順番はログ収集装置20でログ取得コマンドの生成を行った後では既知であるため、ログ取得コマンドを参照して得ることができる。あるいはログファイルの最終保存日時によりこの順番を判定することもできる。例えば、暗号化終了フラグの後は平文のログファイルの次の非暗号化範囲を読み出して提示し、平文のログファイルの非暗号化範囲の提示が終了した時点で次の暗号化開始フラグで示される次の暗号化範囲を読み出して提示することができる。 Here, we will briefly explain how to use the encryption start flag and encryption end flag during viewing (decryption) when partially encrypting. In this case, even if the encryption start flag and encryption end flag are not used, the encrypted log file can be decrypted by ignoring these flags. However, these flags can be used when sequentially viewing encrypted log files for one log acquisition command. For example, the encrypted log file can be decrypted first, and the encrypted range and non-encrypted range can be presented in that order. Since this order is known after the log acquisition command is generated by the log collection device 20, it can be obtained by referring to the log acquisition command. Alternatively, this order can also be determined based on the last save date and time of the log file. For example, after the encryption end flag, the next unencrypted range of the plaintext log file is read and presented, and when the presentation of the unencrypted range of the plaintext log file is finished, the next encryption start flag is used. The next encrypted range can be read and presented.
 また、対象装置10において、実施形態2と実施形態3との処理を切り替える機能を設けておき、ログ収集装置20で送信するログ取得コマンドにいずれの処理を適用するかを示す情報を含んでおくこともできる。 In addition, the target device 10 is provided with a function to switch between the processes of the second embodiment and the third embodiment, and information indicating which process is applied is included in the log acquisition command sent by the log collection device 20. You can also do that.
<他の実施形態>
[a]
 各実施形態において、暗号化システム、暗号化装置、対象装置、ログ収集装置、及び、暗号化システムに含めることができる装置の機能について説明したが、各装置は、図示した構成例に限ったものではなく、各装置としてこれらの機能が実現できればよい。 <Other embodiments>
[a]
In each embodiment, the functions of the encryption system, encryption device, target device, log collection device, and devices that can be included in the encryption system have been described, but each device is limited to the illustrated configuration example. Instead, it is sufficient if each device can realize these functions.
[b]
 実施形態1~3で説明した各装置は、次のようなハードウェア構成を備えていてもよい。図11は、装置のハードウェア構成の一例を示す図である。なお、上記他の実施形態[a]についても同様である。 [b]
Each of the devices described in Embodiments 1 to 3 may have the following hardware configuration. FIG. 11 is a diagram showing an example of the hardware configuration of the device. Note that the same applies to the other embodiment [a] above.
 図11に示す装置100は、プロセッサ101、メモリ102、及び通信インタフェース(I/F)103を備えることができる。プロセッサ101は、例えば、マイクロプロセッサ、MPU(Micro Processor Unit)、又はCPUなどであってもよい。プロセッサ101は、複数のプロセッサを含んでもよい。メモリ102は、例えば、揮発性メモリ及び不揮発性メモリの組み合わせによって構成される。実施形態1~3で説明した各装置における機能は、プロセッサ101がメモリ102に記憶されたプログラムを読み込んで実行することにより実現される。この際、他の装置との情報の送受は通信インタフェース103又は図示しない入出力インタフェースを介して行うことができる。 The device 100 shown in FIG. 11 can include a processor 101, a memory 102, and a communication interface (I/F) 103. The processor 101 may be, for example, a microprocessor, an MPU (Micro Processor Unit), or a CPU. Processor 101 may include multiple processors. The memory 102 is configured, for example, by a combination of volatile memory and nonvolatile memory. The functions of each device described in the first to third embodiments are realized by the processor 101 reading and executing a program stored in the memory 102. At this time, information can be exchanged with other devices via the communication interface 103 or an input/output interface (not shown).
 上述の例において、プログラムは、コンピュータに読み込まれた場合に、実施形態で説明された1又はそれ以上の機能をコンピュータに行わせるための命令群(又はソフトウェアコード)を含む。プログラムは、非一時的なコンピュータ可読媒体又は実体のある記憶媒体に格納されてもよい。限定ではなく例として、コンピュータ可読媒体又は実体のある記憶媒体は、random-access memory(RAM)、read-only memory(ROM)、フラッシュメモリ、solid-state drive(SSD)又はその他のメモリ技術、CD-ROM、digital versatile disc(DVD)、Blu-ray(登録商標)ディスク又はその他の光ディスクストレージ、磁気カセット、磁気テープ、磁気ディスクストレージ又はその他の磁気ストレージデバイスを含む。プログラムは、一時的なコンピュータ可読媒体又は通信媒体上で送信されてもよい。限定ではなく例として、一時的なコンピュータ可読媒体又は通信媒体は、電気的、光学的、音響的、またはその他の形式の伝搬信号を含む。 In the examples above, the program includes instructions (or software code) that, when loaded into a computer, cause the computer to perform one or more of the functions described in the embodiments. The program may be stored on a non-transitory computer readable medium or a tangible storage medium. By way of example and not limitation, computer readable or tangible storage media may include random-access memory (RAM), read-only memory (ROM), flash memory, solid-state drive (SSD) or other memory technology, CD - Including ROM, digital versatile disc (DVD), Blu-ray disc or other optical disc storage, magnetic cassette, magnetic tape, magnetic disc storage or other magnetic storage device. The program may be transmitted on a transitory computer-readable medium or a communication medium. By way of example and not limitation, transitory computer-readable or communication media includes electrical, optical, acoustic, or other forms of propagating signals.
 なお、本開示は上記実施形態に限られたものではなく、趣旨を逸脱しない範囲で適宜変更することが可能である。また、本開示は、それぞれの実施形態を適宜組み合わせて実施されてもよい。 Note that the present disclosure is not limited to the above embodiments, and can be modified as appropriate without departing from the spirit. Further, the present disclosure may be implemented by appropriately combining the respective embodiments.
 上記の実施形態の一部又は全部は、以下の付記のようにも記載されうるが、以下には限られない。 Part or all of the above embodiments may be described as in the following additional notes, but are not limited to the following.
(付記1)
 ログデータを取得する取得部と、
 ログデータを暗号化する暗号化部と、
 ログデータの取得開始前に、前記暗号化部で暗号化を実行する範囲を指定する指示を受け付ける受付部と、
 ログデータを記憶する記憶部と、
 前記範囲に基づき、前記取得部によるログデータの取得のタイミングと、前記暗号化部による暗号化の開始位置及び終了位置と、前記記憶部によるログデータの記憶と、を制御する制御部と、
 を備え、
 前記制御部は、
 前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行するように、前記暗号化部を制御し、
 前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグを挿入する制御を行わずに暗号化を実行するように前記暗号化部を制御し、
 前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして前記記憶部に記憶させる、
 暗号化システム。
(付記2)
 前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
 前記制御部は、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして前記記憶部に記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして前記記憶部に記憶させる、
 付記1に記載の暗号化システム。
(付記3)
 前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
 前記制御部は、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして前記記憶部に記憶させ、前記平文のデータを1つのファイルとして前記記憶部に記憶させる、
 付記1に記載の暗号化システム。
(付記4)
 前記受付部に対し、前記受付部で受け付ける指示を送信する指示装置と、
 前記暗号化部、前記受付部、前記記憶部、及び、前記記憶部に記憶されたファイルを前記指示装置に送信する送信部を備え、ログデータの収集対象となる対象装置と、
 を備える、
 付記1~3のいずれか1項に記載の暗号化システム。
(付記5)
 ログデータを取得する取得部と、
 ログデータを暗号化する暗号化部と、
 ログデータの取得開始前に、前記暗号化部で暗号化を実行する範囲を指定する指示を受け付ける受付部と、
 ログデータを記憶する記憶部と、
 前記範囲に基づき、前記取得部によるログデータの取得のタイミングと、前記暗号化部による暗号化の開始位置及び終了位置と、前記記憶部によるログデータの記憶と、を制御する制御部と、
 を備え、
 前記制御部は、
 前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行するように、前記暗号化部を制御し、
 前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグを挿入する制御を行わずに暗号化を実行するように前記暗号化部を制御し、
 前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして前記記憶部に記憶させる、
 暗号化装置。
(付記6)
 前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
 前記制御部は、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして前記記憶部に記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして前記記憶部に記憶させる、
 付記5に記載の暗号化装置。
(付記7)
 前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
 前記制御部は、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして前記記憶部に記憶させ、前記平文のデータを1つのファイルとして前記記憶部に記憶させる、
 付記5に記載の暗号化装置。
(付記8)
 前記受付部で受け付けた指示に応答して、前記記憶部に記憶されたファイルを、前記指示を送信した指示装置に送信する送信部を備える、
 付記5~7のいずれか1項に記載の暗号化装置。
(付記9)
 ログデータを取得すること、
 ログデータを暗号化すること、
 ログデータの取得開始前に、暗号化を実行する範囲を指定する指示を受け付けることと、
 ログデータを記憶すること、及び、
 前記範囲に基づき、ログデータの取得のタイミングと、暗号化の開始位置及び終了位置と、ログデータの記憶と、を制御すること、
 を備え、
 前記制御することは、
 前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行させること、
 前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグの挿入を行わずに暗号化を実行させること、及び、
 前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして記憶させること、
 を含む、暗号化方法。
(付記10)
 前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
 前記制御することは、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして記憶させることを含む、
 付記9に記載の暗号化方法。
(付記11)
 前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
 前記制御することは、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして記憶させ、前記平文のデータを1つのファイルとして記憶させることを含む、
 付記9に記載の暗号化方法。
(付記12)
 前記受け付けることで受け付けた指示に応答して、記憶されたファイルを、前記指示を送信した指示装置に送信すること
 を備える、付記9~11のいずれか1項に記載の暗号化方法。
(付記13)
 ログデータを取得すること、
 ログデータを暗号化すること、
 ログデータの取得開始前に、暗号化を実行する範囲を指定する指示を受け付けることと、
 ログデータを記憶すること、及び、
 前記範囲に基づき、ログデータの取得のタイミングと、暗号化の開始位置及び終了位置と、ログデータの記憶と、を制御すること、
 を含み、
 前記制御することは、
 前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行させること、
 前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグの挿入を行わずに暗号化を実行させること、及び、
 前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして記憶させること、
 を含む、
 暗号化処理を、コンピュータに実行させるためのプログラムが格納されたコンピュータ可読媒体。
(付記14)
 前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
 前記制御することは、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして記憶させることを含む、
 付記13に記載のコンピュータ可読媒体。
(付記15)
 前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
 前記制御することは、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして記憶させ、前記平文のデータを1つのファイルとして記憶させることを含む、
 付記13に記載のコンピュータ可読媒体。
(付記16)
 前記暗号化処理は、前記受け付けることで受け付けた指示に応答して、記憶されたファイルを、前記指示を送信した指示装置に送信することを含む、
 付記13~15のいずれか1項に記載のコンピュータ可読媒体。 (Additional note 1)
an acquisition unit that acquires log data;
an encryption unit that encrypts log data;
a reception unit that receives an instruction to specify a range to be encrypted by the encryption unit before starting acquisition of log data;
a storage unit that stores log data;
a control unit that controls the timing of acquisition of log data by the acquisition unit, the start and end positions of encryption by the encryption unit, and storage of log data by the storage unit, based on the range;
Equipped with
The control unit includes:
The encryption unit is configured to perform encryption by inserting a start flag, which is a flag indicating the start position, and an end flag, which is a flag, which is a flag indicating the end position, into the start position and end position indicated by the range, respectively. control,
If the entire range of log data is specified as the range, controlling the encryption unit to execute encryption without controlling to insert the start flag and the end flag;
storing encrypted data for a portion of the log data that falls within the range, and storing plain text data for a portion of the log data that does not fall within the range as separate files in the storage unit;
encryption system.
(Additional note 2)
When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
The control unit stores the encrypted data obtained in the partially encrypted log acquisition range as one file in the storage unit, and excludes the range from the partially encrypted log acquisition range. storing the plaintext data obtained in the above sections as one file in the storage unit;
Encryption system described in Appendix 1.
(Additional note 3)
When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
The control unit stores the encrypted data as one file in the storage unit each time the range is divided by a start position and an end position, and stores the plaintext data as one file in the storage unit. to remember,
Encryption system described in Appendix 1.
(Additional note 4)
an instruction device that transmits an instruction to the reception unit to be accepted by the reception unit;
a target device from which log data is to be collected, comprising the encryption unit, the reception unit, the storage unit, and a transmission unit that transmits the file stored in the storage unit to the instruction device;
Equipped with
The encryption system according to any one of Supplementary Notes 1 to 3.
(Appendix 5)
an acquisition unit that acquires log data;
an encryption unit that encrypts log data;
a reception unit that receives an instruction to specify a range to be encrypted by the encryption unit before starting acquisition of log data;
a storage unit that stores log data;
a control unit that controls the timing of acquisition of log data by the acquisition unit, the start and end positions of encryption by the encryption unit, and storage of log data by the storage unit, based on the range;
Equipped with
The control unit includes:
The encryption unit is configured to perform encryption by inserting a start flag, which is a flag indicating the start position, and an end flag, which is a flag, which is a flag indicating the end position, into the start position and end position indicated by the range, respectively. control,
If the entire range of log data is specified as the range, controlling the encryption unit to execute encryption without controlling to insert the start flag and the end flag;
storing encrypted data for a portion of the log data that falls within the range, and storing plain text data for a portion of the log data that does not fall within the range as separate files in the storage unit;
Encryption device.
(Appendix 6)
When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
The control unit stores the encrypted data obtained in the partially encrypted log acquisition range as one file in the storage unit, and excludes the range from the partially encrypted log acquisition range. storing the plaintext data obtained in the above sections as one file in the storage unit;
The encryption device according to appendix 5.
(Appendix 7)
When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
The control unit stores the encrypted data as one file in the storage unit each time the range is divided by a start position and an end position, and stores the plaintext data as one file in the storage unit. to remember,
The encryption device according to appendix 5.
(Appendix 8)
comprising a transmitter configured to transmit the file stored in the storage unit to the instruction device that transmitted the instruction in response to the instruction received by the reception unit;
The encryption device according to any one of Supplementary Notes 5 to 7.
(Appendix 9)
obtaining log data;
encrypting log data;
Before starting to acquire log data, accept instructions to specify the range to be encrypted.
storing log data; and
Based on the range, controlling the timing of log data acquisition, the start and end positions of encryption, and the storage of log data;
Equipped with
The controlling includes:
performing encryption by inserting a start flag that is a flag that indicates the start position and an end flag that is a flag that indicates the end position for the start position and end position indicated by the range, respectively;
When the entire range of log data is specified as the range, performing encryption without inserting the start flag and the end flag;
storing encrypted data for a portion of the log data that falls within the range, and storing data in plain text for a portion of the log data that does not fall within the range as separate files;
encryption methods, including
(Appendix 10)
When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
The controlling means to collectively store the encrypted data obtained in the partially encrypted log acquisition range as one file, and to store the encrypted data obtained in the partially encrypted log acquisition range in a portion excluding the range from the partially encrypted log acquisition range. including storing the obtained plaintext data together as one file;
Encryption method described in Appendix 9.
(Appendix 11)
When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
The controlling includes storing the encrypted data as one file and storing the plaintext data as one file every time the range is divided by a start position and an end position.
Encryption method described in Appendix 9.
(Appendix 12)
The encryption method according to any one of appendices 9 to 11, comprising transmitting the stored file to the instruction device that transmitted the instruction in response to the instruction received by the acceptance.
(Appendix 13)
obtaining log data;
encrypting log data;
Before starting to acquire log data, accept instructions to specify the range to be encrypted.
storing log data; and
Based on the range, controlling the timing of log data acquisition, the start and end positions of encryption, and the storage of log data;
including;
The controlling includes:
performing encryption by inserting a start flag that is a flag that indicates the start position and an end flag that is a flag that indicates the end position for the start position and end position indicated by the range, respectively;
When the entire range of log data is specified as the range, performing encryption without inserting the start flag and the end flag;
storing encrypted data for a portion of the log data that falls within the range, and storing data in plain text for a portion of the log data that does not fall within the range as separate files;
including,
A computer-readable medium that stores a program for causing a computer to perform encryption processing.
(Appendix 14)
When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
The controlling means to collectively store the encrypted data obtained in the partially encrypted log acquisition range as one file, and to store the encrypted data obtained in the partially encrypted log acquisition range in a portion excluding the range from the partially encrypted log acquisition range. including storing the obtained plaintext data together as one file;
Computer-readable medium according to appendix 13.
(Additional note 15)
When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
The controlling includes storing the encrypted data as one file and storing the plaintext data as one file every time the range is divided by a start position and an end position.
Computer-readable medium according to appendix 13.
(Appendix 16)
The encryption process includes, in response to the instruction received by the acceptance, transmitting the stored file to the instruction device that transmitted the instruction.
The computer-readable medium according to any one of appendices 13 to 15.
 以上、実施形態を参照して本願発明を説明したが、本願発明は上記によって限定されるものではない。本願発明の構成や詳細には、発明のスコープ内で当業者が理解し得る様々な変更をすることができる。 Although the present invention has been described above with reference to the embodiments, the present invention is not limited to the above. The configuration and details of the present invention can be modified in various ways that can be understood by those skilled in the art within the scope of the invention.
1 暗号化システム
1a 取得部
1b 暗号化部
1c 受付部
1d 記憶部
1e 制御部
2 暗号化装置
10 対象装置
11 主制御部
12 通信部
13 ログ生成部
14 生成制御部
15 ログ取得部
16 バッファ部
17 暗号化部
18 書き込み部
19 記録媒体
19a 暗号化されたログファイル
19b 平文のログファイル
20 ログ収集装置
21 制御部
22 操作部
23 記憶部
24 通信部
100 装置
101 プロセッサ
102 メモリ
103 通信インタフェース 1 Encryption system 1a Acquisition unit 1b Encryption unit 1c Reception unit 1d Storage unit 1e Control unit 2 Encryption device 10 Target device 11 Main control unit 12 Communication unit 13 Log generation unit 14 Generation control unit 15 Log acquisition unit 16 Buffer unit 17 Encryption unit 18 Writing unit 19 Recording medium 19a Encrypted log file 19b Plaintext log file 20 Log collection device 21 Control unit 22 Operation unit 23 Storage unit 24 Communication unit 100 Device 101 Processor 102 Memory 103 Communication interface

Claims (16)

  1.  ログデータを取得する取得部と、
     ログデータを暗号化する暗号化部と、
     ログデータの取得開始前に、前記暗号化部で暗号化を実行する範囲を指定する指示を受け付ける受付部と、
     ログデータを記憶する記憶部と、
     前記範囲に基づき、前記取得部によるログデータの取得のタイミングと、前記暗号化部による暗号化の開始位置及び終了位置と、前記記憶部によるログデータの記憶と、を制御する制御部と、
     を備え、
     前記制御部は、
     前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行するように、前記暗号化部を制御し、
     前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグを挿入する制御を行わずに暗号化を実行するように前記暗号化部を制御し、
     前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして前記記憶部に記憶させる、
     暗号化システム。     an acquisition unit that acquires log data;
    an encryption unit that encrypts log data;
    a reception unit that receives an instruction to specify a range to be encrypted by the encryption unit before starting acquisition of log data;
    a storage unit that stores log data;
    a control unit that controls the timing of acquisition of log data by the acquisition unit, the start and end positions of encryption by the encryption unit, and storage of log data by the storage unit, based on the range;
    Equipped with
    The control unit includes:
    The encryption unit is configured to perform encryption by inserting a start flag, which is a flag indicating the start position, and an end flag, which is a flag, which is a flag indicating the end position, into the start position and end position indicated by the range, respectively. control,
    If the entire range of log data is specified as the range, controlling the encryption unit to execute encryption without controlling to insert the start flag and the end flag;
    storing encrypted data for a portion of the log data that falls within the range, and storing plain text data for a portion of the log data that does not fall within the range as separate files in the storage unit;
    encryption system.
  2.  前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
     前記制御部は、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして前記記憶部に記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして前記記憶部に記憶させる、
     請求項1に記載の暗号化システム。     When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
    The control unit stores the encrypted data obtained in the partially encrypted log acquisition range as one file in the storage unit, and excludes the range from the partially encrypted log acquisition range. storing the plaintext data obtained in the above sections as one file in the storage unit;
    The encryption system according to claim 1.
  3.  前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
     前記制御部は、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして前記記憶部に記憶させ、前記平文のデータを1つのファイルとして前記記憶部に記憶させる、
     請求項1に記載の暗号化システム。     When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
    The control unit stores the encrypted data as one file in the storage unit each time the range is divided by a start position and an end position, and stores the plaintext data as one file in the storage unit. to remember,
    The encryption system according to claim 1.
  4.  前記受付部に対し、前記受付部で受け付ける指示を送信する指示装置と、
     前記暗号化部、前記受付部、前記記憶部、及び、前記記憶部に記憶されたファイルを前記指示装置に送信する送信部を備え、ログデータの収集対象となる対象装置と、
     を備える、
     請求項1~3のいずれか1項に記載の暗号化システム。     an instruction device that transmits an instruction to the reception unit to be accepted by the reception unit;
    a target device from which log data is to be collected, comprising the encryption unit, the reception unit, the storage unit, and a transmission unit that transmits the file stored in the storage unit to the instruction device;
    Equipped with
    The encryption system according to any one of claims 1 to 3.
  5.  ログデータを取得する取得部と、
     ログデータを暗号化する暗号化部と、
     ログデータの取得開始前に、前記暗号化部で暗号化を実行する範囲を指定する指示を受け付ける受付部と、
     ログデータを記憶する記憶部と、
     前記範囲に基づき、前記取得部によるログデータの取得のタイミングと、前記暗号化部による暗号化の開始位置及び終了位置と、前記記憶部によるログデータの記憶と、を制御する制御部と、
     を備え、
     前記制御部は、
     前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行するように、前記暗号化部を制御し、
     前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグを挿入する制御を行わずに暗号化を実行するように前記暗号化部を制御し、
     前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして前記記憶部に記憶させる、
     暗号化装置。     an acquisition unit that acquires log data;
    an encryption unit that encrypts log data;
    a reception unit that receives an instruction to specify a range to be encrypted by the encryption unit before starting acquisition of log data;
    a storage unit that stores log data;
    a control unit that controls the timing of acquisition of log data by the acquisition unit, the start and end positions of encryption by the encryption unit, and storage of log data by the storage unit, based on the range;
    Equipped with
    The control unit includes:
    The encryption unit is configured to perform encryption by inserting a start flag, which is a flag indicating the start position, and an end flag, which is a flag, which is a flag indicating the end position, into the start position and end position indicated by the range, respectively. control,
    If the entire range of log data is specified as the range, controlling the encryption unit to execute encryption without controlling to insert the start flag and the end flag;
    storing encrypted data for a portion of the log data that falls within the range, and storing plain text data for a portion of the log data that does not fall within the range as separate files in the storage unit;
    Encryption device.
  6.  前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
     前記制御部は、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして前記記憶部に記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして前記記憶部に記憶させる、
     請求項5に記載の暗号化装置。     When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
    The control unit stores the encrypted data obtained in the partially encrypted log acquisition range as one file in the storage unit, and excludes the range from the partially encrypted log acquisition range. storing the plaintext data obtained in the above sections as one file in the storage unit;
    The encryption device according to claim 5.
  7.  前記受付部は、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付け、
     前記制御部は、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして前記記憶部に記憶させ、前記平文のデータを1つのファイルとして前記記憶部に記憶させる、
     請求項5に記載の暗号化装置。     When a partial range of log data is specified as the range, the receiving unit receives an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range;
    The control unit stores the encrypted data as one file in the storage unit each time the range is divided by a start position and an end position, and stores the plaintext data as one file in the storage unit. to remember,
    The encryption device according to claim 5.
  8.  前記受付部で受け付けた指示に応答して、前記記憶部に記憶されたファイルを、前記指示を送信した指示装置に送信する送信部を備える、
     請求項5~7のいずれか1項に記載の暗号化装置。     comprising a transmitter configured to transmit the file stored in the storage unit to the instruction device that transmitted the instruction in response to the instruction received by the reception unit;
    The encryption device according to any one of claims 5 to 7.
  9.  ログデータを取得すること、
     ログデータを暗号化すること、
     ログデータの取得開始前に、暗号化を実行する範囲を指定する指示を受け付けることと、
     ログデータを記憶すること、及び、
     前記範囲に基づき、ログデータの取得のタイミングと、暗号化の開始位置及び終了位置と、ログデータの記憶と、を制御すること、
     を備え、
     前記制御することは、
     前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行させること、
     前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグの挿入を行わずに暗号化を実行させること、及び、
     前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして記憶させること、
     を含む、暗号化方法。     obtaining log data;
    encrypting log data;
    Before starting to acquire log data, accept instructions to specify the range to be encrypted.
    storing log data; and
    Based on the range, controlling the timing of log data acquisition, the start and end positions of encryption, and the storage of log data;
    Equipped with
    The controlling includes:
    performing encryption by inserting a start flag that is a flag that indicates the start position and an end flag that is a flag that indicates the end position for the start position and end position indicated by the range, respectively;
    When the entire range of log data is specified as the range, performing encryption without inserting the start flag and the end flag;
    storing encrypted data for a portion of the log data that falls within the range, and storing data in plain text for a portion of the log data that does not fall within the range as separate files;
    encryption methods, including
  10.  前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
     前記制御することは、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして記憶させることを含む、
     請求項9に記載の暗号化方法。     When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
    The controlling means to collectively store the encrypted data obtained in the partially encrypted log acquisition range as one file, and to store the encrypted data obtained in the partially encrypted log acquisition range in a portion excluding the range from the partially encrypted log acquisition range. including storing the obtained plaintext data together as one file;
    The encryption method according to claim 9.
  11.  前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
     前記制御することは、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして記憶させ、前記平文のデータを1つのファイルとして記憶させることを含む、
     請求項9に記載の暗号化方法。     When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
    The controlling includes storing the encrypted data as one file and storing the plaintext data as one file every time the range is divided by a start position and an end position.
    The encryption method according to claim 9.
  12.  前記受け付けることで受け付けた指示に応答して、記憶されたファイルを、前記指示を送信した指示装置に送信すること
     を備える、請求項9~11のいずれか1項に記載の暗号化方法。     The encryption method according to any one of claims 9 to 11, comprising transmitting the stored file to the instruction device that transmitted the instruction in response to the instruction received by the acceptance.
  13.  ログデータを取得すること、
     ログデータを暗号化すること、
     ログデータの取得開始前に、暗号化を実行する範囲を指定する指示を受け付けることと、
     ログデータを記憶すること、及び、
     前記範囲に基づき、ログデータの取得のタイミングと、暗号化の開始位置及び終了位置と、ログデータの記憶と、を制御すること、
     を含み、
     前記制御することは、
     前記範囲が示す開始位置、終了位置に対し、それぞれ前記開始位置を示すフラグである開始フラグ、前記終了位置を示すフラグである終了フラグを挿入して暗号化を実行させること、
     前記範囲としてログデータの全ての範囲が指定された場合には、前記開始フラグ及び前記終了フラグの挿入を行わずに暗号化を実行させること、及び、
     前記範囲に該当する部分のログデータについては暗号化後のデータを、前記範囲に該当しない部分のログデータについては平文のままのデータを、それぞれ別々のファイルとして記憶させること、
     を含む、
     暗号化処理を、コンピュータに実行させるためのプログラムが格納されたコンピュータ可読媒体。     obtaining log data;
    encrypting log data;
    Before starting to acquire log data, accept instructions to specify the range to be encrypted.
    storing log data; and
    Based on the range, controlling the timing of log data acquisition, the start and end positions of encryption, and the storage of log data;
    including;
    The controlling includes:
    performing encryption by inserting a start flag that is a flag that indicates the start position and an end flag that is a flag that indicates the end position for the start position and end position indicated by the range, respectively;
    When the entire range of log data is specified as the range, performing encryption without inserting the start flag and the end flag;
    storing encrypted data for a portion of the log data that falls within the range, and storing data in plain text for a portion of the log data that does not fall within the range as separate files;
    including,
    A computer-readable medium that stores a program for causing a computer to perform encryption processing.
  14.  前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
     前記制御することは、前記一部暗号化ログ取得範囲で得られた前記暗号化後のデータをまとめて1つのファイルとして記憶させ、前記一部暗号化ログ取得範囲から前記範囲を除いた部分で得られた前記平文のデータをまとめて1つのファイルとして記憶させることを含む、
     請求項13に記載のコンピュータ可読媒体。     When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
    The controlling means to collectively store the encrypted data obtained in the partially encrypted log acquisition range as one file, and to store the encrypted data obtained in the partially encrypted log acquisition range in a portion excluding the range from the partially encrypted log acquisition range. including storing the obtained plaintext data together as one file;
    14. The computer readable medium of claim 13.
  15.  前記受け付けることは、前記範囲としてログデータの一部の範囲が指定される場合には、前記範囲を含み前記範囲より大きいログ取得範囲である一部暗号化ログ取得範囲を指定する指示を受け付けることを含み、
     前記制御することは、前記範囲が示す開始位置、終了位置で区切られる毎に、前記暗号化後のデータを1つのファイルとして記憶させ、前記平文のデータを1つのファイルとして記憶させることを含む、
     請求項13に記載のコンピュータ可読媒体。     When a partial range of log data is specified as the range, accepting an instruction to specify a partially encrypted log acquisition range that includes the range and is larger than the range. including;
    The controlling includes storing the encrypted data as one file and storing the plaintext data as one file every time the range is divided by a start position and an end position.
    14. The computer readable medium of claim 13.
  16.  前記暗号化処理は、前記受け付けることで受け付けた指示に応答して、記憶されたファイルを、前記指示を送信した指示装置に送信することを含む、
     請求項13~15のいずれか1項に記載のコンピュータ可読媒体。     The encryption process includes, in response to the instruction received by the acceptance, transmitting the stored file to the instruction device that transmitted the instruction.
    Computer readable medium according to any one of claims 13 to 15.
PCT/JP2022/010838 2022-03-11 2022-03-11 Encryption system, encryption device, encryption method, and computer-readable medium WO2023170907A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/010838 WO2023170907A1 (en) 2022-03-11 2022-03-11 Encryption system, encryption device, encryption method, and computer-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/010838 WO2023170907A1 (en) 2022-03-11 2022-03-11 Encryption system, encryption device, encryption method, and computer-readable medium

Publications (1)

Publication Number Publication Date
WO2023170907A1 true WO2023170907A1 (en) 2023-09-14

Family

ID=87936451

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/010838 WO2023170907A1 (en) 2022-03-11 2022-03-11 Encryption system, encryption device, encryption method, and computer-readable medium

Country Status (1)

Country Link
WO (1) WO2023170907A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011237975A (en) * 2010-05-10 2011-11-24 Ricoh Co Ltd Information processing system
JP2017097703A (en) * 2015-11-26 2017-06-01 コニカミノルタ株式会社 Information processing device, information processing method, information processing system and information processing program
JP2019020795A (en) * 2017-07-12 2019-02-07 富士ゼロックス株式会社 Document management device, document management system, and program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011237975A (en) * 2010-05-10 2011-11-24 Ricoh Co Ltd Information processing system
JP2017097703A (en) * 2015-11-26 2017-06-01 コニカミノルタ株式会社 Information processing device, information processing method, information processing system and information processing program
JP2019020795A (en) * 2017-07-12 2019-02-07 富士ゼロックス株式会社 Document management device, document management system, and program

Similar Documents

Publication Publication Date Title
CN108347331B (en) Method and device for safe communication between T _ Box device and ECU device in Internet of vehicles system
US9137225B2 (en) Seamless remote storage of uniformly encrypted data for diverse platforms and devices
JP4755189B2 (en) Content encryption method, network content providing system and method using the same
JP4327865B2 (en) Content processing apparatus, encryption processing method, and program
US8571206B2 (en) Information transmitting apparatus, information transmitting method, and computer product
JP2006253745A (en) Data processing apparatus, system, and method
JP2006253746A (en) Data processing apparatus, system, and method
WO2017221979A1 (en) Process control device, process control method, and recording medium having process control program recorded therein
US8081761B2 (en) Communication encryption processing apparatus
WO2023170907A1 (en) Encryption system, encryption device, encryption method, and computer-readable medium
US20130061059A1 (en) Information processing apparatus, information processing method, and non-transitory computer readable medium
JP2008067162A (en) Control system and method for controlling system
JP2010067055A (en) Backup program
EP2579500A1 (en) Processing device, processing method, and processing program
JP4668028B2 (en) Transfer source software, transfer request terminal, transfer source pack generation device, and program set
JP4222132B2 (en) Software providing method and system
JP2007128131A (en) Server, file transfer method and file transfer program
JP7086163B1 (en) Data processing system
US8689014B2 (en) Data encryption device and control method thereof
JP2006313505A (en) Encryption and decryption system, apparatuses and methods for encryption and decryption, and program
US20080205646A1 (en) Computer-readable recording medium storing data decryption program, data decryption method, and data decryption device
JP5631164B2 (en) Multi-cluster distributed processing control system, representative client terminal, multi-cluster distributed processing control method
JP2017215853A (en) Log collection system, log output apparatus, log collection method, and log collection program
JP2004184516A (en) Digital data transmitting terminal
JP6992437B2 (en) Log recording device, log recording method, log decoding device, and log decoding method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22930888

Country of ref document: EP

Kind code of ref document: A1