Abstract: The present invention relates to a log analysis device for detecting malware contamination and discovering frauds in an organization. This log analysis device is provided with: a log collection unit that collects physical system logs which are logs relating to a physical facility management device and information system logs which are logs relating to an information device for processing information in response to user operation; and a log analysis unit that calculates the frequency distribution of the time intervals between physical system logs and information system logs and detects an abnormality relating to the information device by comparing the calculated frequency distribution with a frequency distribution calculated when the information device is in a normal state.
Communications with a server on the Internet 116 include transmission and reception of mail through the mail server 113, Web communications through the proxy 114, and FTP (File Transfer Protocol).
[0015] It is assumed that a log analysis apparatus 117 is connected to the network 110 within an organization as are the file server 111 and the authentication server 112. It is assumed that the log analysis apparatus 117 collects, by a log collection section 118, logs of the terminal 101 connected to the network, and also logs concerning physical facility management such as the security gate control apparatus 102, for example, entry to and exit from the room 100 by a user, in addition to equipment concerning information processing such as the file server 111, the authentication server 112, the mail server 113, the proxy 114, and the firewall 115, and accumulates the logs in a log database 119. A log analysis section 120 performs keyword-based search, statistical analysis such as aggregation of the logs, analysis based on conformity to a predetermined rule, and the like on the logs accumulated in the log database 119. When the log analysis section 120 detects a phenomenon that needs to be notified to an administrator and to be dealt with, such as a security violation or failure, an alert (warning) is generated by an alert generation section 121 and is notified to the administrator. [0016] The logs stored in the log database 119 will now be described.
Fig. 2 is a diagram illustrating an example of a room entry/exit log which is a physical log.
Fig. 3 is a diagram illustrating an example of a file server access log which is an information log.
[0017] Fig. 2 will be described first. This is a room entry/exit log which is a physical log. The room entry/exit log consists of, for example, a date, a time, a user
calculated in S103, is greater than the threshold value T, an abnormality can be detected. If an abnormality is detected, the processing proceeds to step S105. If no abnormality is detected, the processing ends.
[0025] Lastly, in step S105, if the abnormality has been detected in step S104, the alert generation section 121 provides the administrator with a warning. [0026] As described above, in the invention according to the present first embodiment, physical logs and information logs are analyzed in combination and previous log intervals and current log intervals are compared to analyze a discrepancy therebetween, so that it is possible to detect not only fraud performed during non-presence in a room, as is conventionally done, but also an abnormality before exit from the room. For example, in a case of malware infection, it is expected that a discrepancy of several hundred milliseconds or several seconds occurs in log intervals. By detecting this discrepancy, it is possible to detect malware infection or find internal fraud. [0027] The present invention keeps statistics of log intervals on a periodic basis and then calculates a discrepancy in the statistics, so that it is less likely to be affected by variation in individual log intervals. Generally, it is expected that a discrepancy of several seconds, ten or so seconds, or the like occurs in intervals of human operations. For this reason, if a discrepancy were evaluated by looking at individual log intervals, it would be necessary to perform the determination using a large threshold value T. In the present invention, however, evaluation is not performed on individual log intervals; analysis is performed using a discrepancy in the overall distribution trend. Thus, it is possible to detect an abnormality using a small threshold value T, and the possibility of detecting an abnormality such as malware infection increases. [0028] Note that in step S103, the square distance in common use is used as a scale for the evaluation of a discrepancy in distribution. However, a discrepancy in
[Claim 1] A log analysis apparatus (117) comprising:
a log collection section (118) to collect a physical log which is a log of physical facility management equipment (102) and an information log which is a log of information equipment (101, 111, 112, 113, 114, 115) that executes information processing by a user operation; and
a log analysis section (120) to calculate a frequency distribution of time intervals between the physical log and the information log, and compare the frequency distribution with a frequency distribution calculated while the information equipment is in a normal state, and thereby to detect an abnormality of the information equipment.
[Claim 2] The log analysis apparatus according to claim 1, further comprising:
a log database (119) to store the physical log and the information log collected by the log collection section,
wherein the log analysis section extracts the physical log and the information log that occurred in a first period and the physical log and the information log that occurred in a second period from the log database, calculates a discrepancy x along a time axis between a first frequency distribution of time intervals between the physical log and the information log in the first period and a second frequency distribution of time intervals between the physical log and the information log in the second period, and detects the abnormality of the information equipment when the discrepancy x is greater than a discrepancy T along the time axis between the first frequency distribution and the second frequency distribution, the discrepancy T being calculated while the information equipment is in the normal state.
[Claim 3] The log analysis apparatus according to claim 1 or claim 2, further comprising:
an alert generation section (121) to generate a warning and notify an administrator of the warning when the abnormality of the information equipment has been detected by the log analysis section.
[Claim 4] A log analysis method of a log analysis apparatus (117) to analyze a log and detect an abnormality of information equipment (101, 111, 112, 113, 114, 115), the log analysis method comprising:
a log collection step of collecting a physical log which is a log of physical facility management equipment (102) and an information log which is a log of the information equipment that executes information processing by a user operation, by a log collection section (118); and
a log analysis step of calculating a frequency distribution of time intervals between the physical log and the information log, and comparing the frequency distribution with a frequency distribution calculated while the information equipment is in a normal state, and thereby detecting the abnormality of the information equipment, by a log analysis section (120).
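As an added illustration (not the patent's own code), the interval statistic of steps S103 and S104 and of claims 1 and 2 in Python: each room-entry event in the physical log is paired with the same user's next information-log event, the intervals are binned into a frequency distribution, and the squared distance between a baseline period and the current period is compared with the threshold T obtained from two normal periods. The sample logs, the single user "u1", the 10-second bins and the `make_period` helper are constructed assumptions.

```python
"""Interval-distribution check in the manner of the first embodiment.
Added illustration, not the patent's code; all sample logs are constructed."""
from bisect import bisect_left
from collections import defaultdict
from typing import Dict, List, Tuple

Log = List[Tuple[float, str]]  # (epoch seconds, user id)


def entry_to_access_intervals(physical: Log, information: Log) -> List[float]:
    """Seconds from each room entry to that user's next information-log event.
    Entries with no later information log for the user yield no interval."""
    by_user: Dict[str, List[float]] = defaultdict(list)
    for t, user in sorted(information):
        by_user[user].append(t)
    intervals = []
    for t0, user in physical:
        times = by_user.get(user, [])
        i = bisect_left(times, t0)          # first event at or after entry
        if i < len(times):
            intervals.append(times[i] - t0)
    return intervals


def frequency_distribution(intervals: List[float], bin_width: float = 10.0,
                           n_bins: int = 15) -> List[float]:
    """Relative frequency per bin; the last bin also absorbs larger intervals."""
    counts = [0] * n_bins
    for x in intervals:
        counts[min(int(x // bin_width), n_bins - 1)] += 1
    total = sum(counts) or 1                # avoid division by zero on empty periods
    return [c / total for c in counts]


def squared_distance(p: List[float], q: List[float]) -> float:
    """Scale used in step S103: sum of squared per-bin differences."""
    return sum((a - b) ** 2 for a, b in zip(p, q))


def make_period(offsets: List[float]) -> Tuple[Log, Log]:
    """Constructed period: user u1 enters at 09:00 on successive days and
    produces one file-server access `offset` seconds after each entry."""
    phys = [(d * 86400.0 + 32400.0, "u1") for d in range(len(offsets))]
    info = [(t + o, u) for (t, u), o in zip(phys, offsets)]
    return phys, info


NORMAL_1 = make_period([60, 70, 80, 90, 100, 110, 65, 75, 85, 95])
NORMAL_2 = make_period([62, 72, 82, 88, 102, 108, 66, 74, 86, 94])
CURRENT = make_period([75, 85, 95, 105, 115, 125, 80, 90, 100, 110])  # shifted


def run_check() -> Tuple[float, float, bool]:
    """Returns (x, T, abnormal): x is the current discrepancy, T the threshold
    derived from two normal periods (claim 2), abnormal is the S104 decision."""
    d1, d2, dc = (frequency_distribution(entry_to_access_intervals(*p))
                  for p in (NORMAL_1, NORMAL_2, CURRENT))
    T = squared_distance(d1, d2)
    x = squared_distance(d1, dc)
    return x, T, x > T
```

With the constructed data the two normal periods differ by T = 0.04 while the shifted period scores x = 0.08, so the check fires even though every individual interval is still a plausible human delay.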