Operation logs are collected as a measure to prevent information leakage from computers of end users who belong to organizations or the like. The computers can be, for example, personal computers (PCs). The operation logs collected from the PCs are used for monitoring the PCs, inspecting the PCs in case there is any information leakage, and analyzing the PCs in order to manage the risk of information leakage.
Such operation logs are, for example, a log that relates to the termination of the basic software that operates on a PC, such as the operating system (OS). Such a log that relates to the termination of an OS is, for example, a log of a user logging-off from a PC and a log of a PC being shutdown. Logging-off from a PC and the shutting down of a PC are performed by the OS. Therefore, to collect logs that relate to a termination of an OS, a monitoring application program monitors the OS and collects the time a user logs off and the time a PC is shutdown.
The technology disclosed in Japanese Laid-open Patent Publication No. 2005-332258 enables, when the PC is shut down abnormally, the conducting of a forced shutdown of the hardware and then the acquiring of a log indicative of an abnormal termination.
However, when a user shuts down a PC forcibly without entering an OS termination instruction, the monitoring application program disclosed in Japanese Laid-open Patent Publication No. 2005-332258 may not collect a log that relates to the termination of the OS.
For example, when a normal termination occurs, the monitoring application program updates both time information that has been acquired from the OS and time information that has been acquired from the OS and then held by the monitoring application program to defaults and then creates a normal termination log indicative of a normal termination. The time information can be an OS counter indicative of the time elapsed since the OS was last booted. When a forced termination occurs, there is no time for the monitoring application program to update the OS counter, which has been acquired from the OS and then held by the monitoring application program, to zero and also there is no time to create a log. When the monitoring application program is booted later, because the OS counter held by the monitoring application program is not zero, it is determined that a log that relates to the termination of the OS was not created at the last termination of the monitoring application program. The monitoring application program then uses the time that has been counted by the monitoring application program before the last termination to create a log of the last termination of the OS.
However, because a log is created depending on whether the OS counter held by the monitoring application program is zero or not, an acquired log that relates to a termination of an OS can be incorrect. The monitoring application program may not update the OS counter to zero not only when a forced termination occurs but also when the monitoring application program is terminated abnormally. Accordingly, when the monitoring application program is terminated abnormally while the PC is still running, the rebooted monitoring application program creates a log of a log-off from the PC and a log of a PC shutdown, and thus incorrect logs are created.