  • Degree thesis

Campus Malicious Code Trend Analysis and Real-Time Monitoring: A Case Study of Tamkang University

English title as given: A survey of malicious code trend analysis and real time monitoring for campus - a case study of Tamkang University

Advisor: 黃明達

Abstract


Symantec's Global Internet Security Threat Report for the second half of 2007 states that new malicious code in 2007 grew by 4.68 times over 2006, to a total of 711,912 samples. Security devices do provide log files that administrators can query, but at the current rate at which malicious code appears, tracking an infection after the fact comes too late: by then a gap in the security defences has already been opened. This study therefore collected the log files of Tamkang University's Symantec antivirus server, analysed the trend of malicious code on campus, and used the ArcSight Security Operation Center (SOC) system to build a real-time monitoring dashboard that tracks malicious code infection behaviour on campus. The study found that infections of actual host computers came mainly from users' inappropriate Internet behaviour (82.67%); from malicious code appearing so fast that the antivirus vendor had not yet produced a corresponding virus definition (17.33%); and from hosts whose Symantec antivirus had not automatically updated its virus definitions (0%). Of the virus definitions Symantec created in 2007, 12.3% of new malicious code had no corresponding definition, while 25.76% of the malicious code that actually infected Tamkang University hosts in 2008 was new malicious code. Abnormal increases in the number of malicious code events came mainly from the same host being infected repeatedly, with Trojan horses as the leading source. Combined with the real-time monitoring platform built for malicious code, this lets administrators accurately track campus computer use, including the daily number of malicious code events, the current infection status of hosts, and a ranking of the most frequently seen malicious code. By understanding the campus malicious code trend and providing a monitoring platform, the study aims to give administrators a current picture of malicious code infections on campus hosts.

Keywords

Malicious code; Virus; Trend analysis; Real-time monitoring

Parallel abstract (English)


Symantec's Global Internet Security Threat Report for the second half of 2007 indicated that new malicious code had grown 4.68 times over 2006, to a total of 711,912 samples. Although information security equipment provides log files that the security manager can query, at the current speed of malicious code generation it is too little, too late to track malicious code after the fact, because by then the malicious code has already created an information security weakness. In this study we therefore collected the Symantec antivirus server log files of Tamkang University, analysed the growth of malicious code on campus, and used the Security Operations Center (SOC) ArcSight system to build real-time monitoring of malicious code infection activity on campus. The results show that actual infections of host computers were caused mainly by the misbehaviour of Internet users (82.67%); by malicious code increasing so fast that anti-virus vendors had not yet produced the corresponding virus definitions (17.33%); and by hosts whose virus definitions had not been updated (0%). Abnormal increases in the number of malicious code events came from the same host being infected continuously, with Trojan horses in the majority. Finally, combined with the real-time monitoring platform built for malicious code, managers can accurately track the use of campus computers, including the daily number of malicious code events, the hosts infected with malicious code, and a ranking of the most common malicious code infections. Through an understanding of the campus malicious code trend and a monitoring platform, the study aims to give management control over the current state of malicious code infection on campus hosts.
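The metrics the two abstracts describe (daily detection totals, per-host infection status, a ranking of the most frequent malicious code, repeated infection of one host, and the three infection-cause buckets) as an added example, not code from the thesis, from Symantec or from ArcSight. It runs over a few constructed antivirus-server log lines; the comma-separated field layout, the host and malware names, the definition release dates and the cause-classification heuristic are all assumptions made for this example:

```python
"""Added example (not the thesis's, Symantec's or ArcSight's code).

Offline dashboard-style analysis of constructed antivirus-server log
lines. Every name, date and layout below is an assumption for the example.
"""
from collections import Counter
from datetime import date

# Constructed sample log. Assumed comma-separated layout:
# detect_date,host,malware_name,category,host_definition_date
# (host_definition_date = date of the virus definitions the host was running)
SAMPLE_LOG = """\
2008-03-03,lib-pc07,Trojan.Zlob,Trojan,2008-03-03
2008-03-03,dorm-b12,W32.Sality,Virus,2008-03-02
2008-03-04,lib-pc07,Trojan.Zlob,Trojan,2008-03-04
2008-03-04,lib-pc07,Trojan.Vundo,Trojan,2008-03-04
2008-03-04,lab-c01,W32.Gammima.AG,Worm,2008-02-20
2008-03-05,lib-pc07,Trojan.Zlob,Trojan,2008-03-05
2008-03-05,dorm-b12,Downloader,Trojan,2008-03-05
2008-03-05,lab-c01,Trojan.Unknown.X,Trojan,2008-03-05
"""

# Constructed table: date the vendor published a definition for each name.
# A name absent from the table stands for malware the vendor had not covered.
DEFINITION_RELEASE = {
    "Trojan.Zlob": date(2007, 11, 2),
    "W32.Sality": date(2006, 6, 15),
    "Trojan.Vundo": date(2007, 12, 5),
    "W32.Gammima.AG": date(2008, 3, 1),
    "Downloader": date(2005, 1, 10),
}


def parse_log(text):
    """Turn the assumed log layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, name, category, host_defs = line.split(",")
        events.append({
            "date": date.fromisoformat(day),
            "host": host,
            "name": name,
            "category": category,
            "host_defs": date.fromisoformat(host_defs),
        })
    return events


def classify_cause(event, releases=DEFINITION_RELEASE):
    """Assumed heuristic for the abstract's three cause buckets:
    no definition existed yet (vendor too slow), the host had not pulled an
    existing definition (definitions outdated), or the host was current and
    the infection came through what the user ran or visited."""
    released = releases.get(event["name"])
    if released is None or released > event["date"]:
        return "no definition yet"
    if event["host_defs"] < released:
        return "host definitions outdated"
    return "user behaviour"


def daily_counts(events):
    """Detections per day, keyed by ISO date (the dashboard's daily total)."""
    return Counter(ev["date"].isoformat() for ev in events)


def top_malware(events, n=5):
    """Most frequently detected malicious code, as (name, count) pairs."""
    return Counter(ev["name"] for ev in events).most_common(n)


def host_status(events):
    """Per host: detection count and the malware categories seen on it."""
    status = {}
    for ev in events:
        entry = status.setdefault(ev["host"], {"count": 0, "categories": Counter()})
        entry["count"] += 1
        entry["categories"][ev["category"]] += 1
    return status


def repeat_infected_hosts(events, threshold=3):
    """Hosts detected at least `threshold` times: the repeated-infection
    pattern the abstract names as the main source of abnormal increases."""
    return sorted(h for h, s in host_status(events).items() if s["count"] >= threshold)


def cause_breakdown(events):
    """Percentage of detections in each cause bucket, rounded to 2 places."""
    counts = Counter(classify_cause(ev) for ev in events)
    total = sum(counts.values())
    return {cause: round(100.0 * n / total, 2) for cause, n in counts.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("daily:", dict(daily_counts(evs)))
    print("top:", top_malware(evs, 3))
    print("repeat hosts:", repeat_infected_hosts(evs))
    print("causes:", cause_breakdown(evs))
```

On the constructed sample the script reports one host (lib-pc07) re-infected with Trojans four times, one detection with no vendor definition and one on a host running stale definitions. In a real deployment the same counters would be driven by the SOC's correlation rules over the antivirus server's exported events rather than by a script reading a text file; the cause heuristic in particular depends on having the vendor's definition release dates available, which the abstract's 12.3% and 25.76% figures were derived from.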

