Common Tasks
Search
  • Advanced search options...
Tags
Archives
Archives

LogParser scripts for various occasions...

MSDN Blogs > Never doubt thy debugger > LogParser scripts for various occasions...

LogParser scripts for various occasions...

6 Feb 2008 9:56 AM
  • Comments 6

I've been working again with LogParser lately to extract some statistics for an IIS server which was facing a suspicious activity from the outside world: they were getting literally thousands of requests from a bunch if IP addresses to their page to request a "forgot password" for their online services. For this post is not important how we resolved the problem, but rather that of the occasion I had to create a few LogParser scripts to extract some statistics from the IIS logs, so I through those might be useful for other people too... Of course you're free to change them to adapt to your needs. Before you proceed, a couple of words on the scripts: those are meant to be "generic" and run with a batch file which accepts some input arguments, but you can run them from a command prompt directly replacing the "%x" placeholders; also, I print them on multiple lines to be easier to read, but you must run then on a single line.

 

This is to count how many requests you got to a specific page with a specific value in the query string (we were extracting data for the "change password" page with a "reset password" switch):

logparser "SELECT COUNT(*) INTO %1 FROM *.log WHERE EXTRACT_FILENAME(cs-uri-stem) = '%2' AND INDEX_OF(cs-uri-query, '%3') > 0" -i:IISW3C

 

Do you need some more details such as the return code, User-Agent etc...?

logparser "SELECT date, time, c-ip, cs-uri-query, sc-status, cs(User-Agent) 
    INTO %1 FROM *.log WHERE EXTRACT_FILENAME(cs-uri-stem) = '%2' AND INDEX_OF(cs-uri-query, '%3') > 0 
    ORDER BY c-ip" -i:IISW3C -RTP:-1

 

Since we noted that we were receiving a very high number or requests from specific IP addresses, here is the script to get this statistic:

logparser "SELECT DISTINCT c-ip, COUNT(*) as Hits INTO %1 FROM *.log 
    WHERE EXTRACT_FILENAME(cs-uri-stem) = '%2' AND INDEX_OF(cs-uri-query, '%3') > 0 
    GROUP BY c-ip ORDER BY Hits DESC" -i:IISW3C -RTP:-1

 

To get the average executing time for your pages (or web services) you must first of all enable extended logging in IIS, then you can run this script:

logparser "SELECT AVG(time-taken) As AverageTimeTaken, MAX(time-taken) As MaxTimeTaken, COUNT(*) As Hits, TO_LOWERCASE(cs-uri-stem) 
    INTO %1 FROM *.log
    WHERE EXTRACT_EXTENSION(TO_LOWERCASE(cs-uri-stem)) = '%2' 
    GROUP BY cs-uri-stem ORDER BY AverageTimeTaken DESC"  -i:IISW3C -RTP:-1

 

If you want information about requests getting a specific IIS status code, here's what you need:

logparser "SELECT date, time, cs-uri-stem, cs-uri-query, sc-status, cs(User-Agent) 
    INTO %1 FROM *.log WHERE sc-status = '%2'" -i:IISW3C -RTP:-1

 

If you want a nice pie graphic to summarize the distribution of bytes served for file type (you need extended logging to have the sc-bytes property):

LogParser "SELECT TO_UPPERCASE(EXTRACT_EXTENSION(cs-uri-stem)) AS PageType, MUL(PROPSUM(sc-bytes),100.0) AS Bytes 
    INTO %1 FROM *.log GROUP BY PageType ORDER BY Bytes DESC" 
    -chartType:PieExploded -chartTitle:"Bytes per page type" -categories:off -i:IISW3C -o:CHART

 

On the Event Viewer now... this is if you need to extract all the events for a specific SourceName:

logparser "SELECT TimeWritten, SourceName, EventID, Message INTO %2 FROM %2 
    WHERE SourceName = '%3'" -i:EVT -o:CSV

 

A very simple way to convert a .evt file into a csv one, if you prefer to use Excel for your filters:

logparser "SELECT * INTO %1 FROM %2" -i:EVT -o:CSV

 

That's it for today, I'll likely add new ones if you're interested (or if you have specific requests smile_wink).

 

Carlo

Quote of the day:
O Lord, help me to be pure, but not yet. - Saint Augustine
Leave a Comment
  • Please add 7 and 7 and type the answer here:
  • Post
Comments
  • DotNetKicks.com
    6 Feb 2008 10:46 AM

    You've been kicked (a good thing) - Trackback from DotNetKicks.com

  • Never doubt thy debugger
    30 May 2008 1:22 AM

    Here’s an addendum to my previous LogParser collection of scripts : how can we filter our IIS logs folder

  • Joshua Marcoe
    23 Jan 2009 12:31 PM

    Here is a little batch script I worked up that I think is useful, based on your info on this page:

    :: ############################################################################

    :: Website_Abusers_IPAddress

    :: This is useful for finding offending IPAddresses that are frequently hitting your website, causing slow reponse time for users,

    :: and maxing out your database.

    ::   Created by:   Joshua Marcoe

    :: Created on:   Jan. 22, 2009

    :: Last modified on: Jan. 23, 2009

    :: Derived from:  http://blogs.msdn.com/carloc/archive/2008/02/06/logparser-scripts-for-various-occasions.aspx

    :: Necessary Software:   Microsoft Log Parser 2.2 and sleep.exe ( sleep.exe is optional: part of Windows Server 2003 Resource Tool Kit)

    :: Note: the System Variable (or Environmental Variable) called PATH must contain the path to the LogParser.exe file: usually C:\Program Files\Log Parser 2.2

    :: To run, just place a copy of this batch file in your log folder, and execute it. It will create the .dat files right in the same directory.

    :: The .dat files will look like this:

    :: c-ip                      Hits

    :: ---------------         -----

    :: 209.62.53.50     17523

    :: 91.205.124.7      1429

    :: Then open the .dat files, to see which IP Addresses are causing problems, and block them in IIS if you want.

    :: Hit CTRL+C to end the batch file early, if only a few days of log files are needed. Delete all .dat files when finished.

    :: ############################################################################

    :: get all log file filenames in reverse alphabetical order and save in a file

    dir /B /O-N *.log > allLogFilesInReverseOrder.dat

    :: Parse data for offending IP Addresses ( hit CTRL + C to quit the batch file after enough files have been parsed for your needs )

    for /F %%f in (allLogFilesInReverseOrder.dat) do logparser "SELECT DISTINCT c-ip, COUNT(*) as Hits INTO %%f_IPAddressCount.dat FROM %%f GROUP BY c-ip ORDER BY Hits DESC" -i:IISW3C -RTP:-1

    rem IIS_Logfile_IPAddress_Count_All_Files is now finished. This program will exit in 15 seconds (using sleep.exe).

    call sleep 15

    exit

  • Falsufyani
    22 Jan 2010 10:45 PM

    Dear Sir

    i want to generate a report about OWA usage for the last week. I want the logparser to process all IIS log files for the last week. for example: if today is 23-Jan-2010, I want logparser to automatically process all logs between 16 - 22 /Jan/2010.

    any help is highly appreciated.

  • Fabio
    9 Apr 2010 2:04 PM

    Hello,

    I was hoping you could help me build a script that converts an evt file called "adtlog.evt" into a csv file called "adtlog.evt"

    I'm new to this, and I'm trying to make sense of your notes above. I don't see how you could specify the source file name.

    Any help would be greatly appreciated.

    -Fabio

  • 9 Apr 2010 2:12 PM

    Hello Fabio, the script is the last one shown in the post: logparser "SELECT * INTO %1 FROM %2" -i:EVT -o:CSV. This format is meant to be used in a batch file taking two command line arguments (%1 and %2), so for example based on yout request you could run it as "mybatch.bat adtlog.evt adtlog.evt".

    If instead you prefer to run the command in the cmd directly, you can simply use: logparser "SELECT * INTO adtlog.evt FROM adtlog.evt" -i:EVT -o:CSV.

    Hope this helps

Page 1 of 1 (6 items)