In Internet Protocol (IP) networks, log information is analyzed in order to detect unauthorized access. Patent Literature 1 discloses a method that facilitates monitoring and analysis of the large amount of logs output by an intrusion detection device, which logs abnormal access on a network. The method groups a plurality of events based on synoptic correlations among the events, taking into account differences in event attributes such as event types, addresses, and the like.