[analog-help] Trouble interpreting log / Getting User Report
Aengus
analog07 at eircom.net
Wed Apr 2 09:24:14 PST 2008
Michael Summerfield <msummerfield at wrightson.com> wrote:
>
> I'm guessing Analog isn't finding the %u variable in my logformat
> statement
>
> This one includes the user, mhurley:
>
> 2007-12-10 20:40:37 W3SVC1 APOLLO 192.168.32.134 GET
> /include/styles/author.css - 80 - 66.250.5.66 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.432
> 2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) mhurley
> http://www.riedthunberg.com/headlines/reload_headlines.aspx
> www.riedthunberg.com 200 0 0 445 651 62
>
> I've interpreted it as:
>
> LOGFORMAT (%Y-%m-%d %h:%n:%j %j %S %j %j - %j - %s %j %A %u %r %j %j
> %j %j %j %j)

That LOGFORMAT doesn't match the log entry. Your LOGFORMAT has 4 fields between the time and the first -, but the log entry has 5.

Changing the LOGFORMAT to

LOGFORMAT (%Y-%m-%d %h:%n:%j %j %j %S %j %j - %j - %s %j %A %u %r %j %j %j %j %j %j)

generates a User Report for your sample line.

But I don't think that LOGFORMAT is correct - the first %S looks like your server's address, rather than the remote address. %s (lowercase) is only used if %S (uppercase) is blank. And I'm pretty sure that that particular entry is a request for /include/styles/author.css, and that http://www.riedthunberg.com/headlines/reload_headlines.aspx is actually the referrer (%f), not the request (%r).

I'd try

LOGFORMAT (%Y-%m-%d %h:%n:%j %j %j %j %j %r - %j - %S %j %A %u %f %j %c %j)

instead (no need for trailing %js). This also gets the status code of the request, so that you can tell failures from successes.

> There is a second log format I discovered while trying to figure out
> how to get the User Report which I've ignored so far:
>
> 2007-12-10 13:51:30 W3SVC1 192.168.32.134 GET
> /include/images/logo.gif - 80 - 204.179.96.51
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)
> 200 0 0
>
> I can interpret this one as:
>
> LOGFORMAT (%Y-%m-%d %h:%n:%j %S %j %j - %j - %s %j %j %j)

LOGFORMAT (%Y-%m-%d %h:%n:%j %j %j %j %r - %j - %S %A %c %j)

> Should I list both formats?

If you're using both logfiles, you'll need to list both logformats.

Aengus
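
Added example, not part of the original message or of Analog: a small Python aligner that pairs LOGFORMAT tokens with the fields of the first sample line, showing where the original format stops matching and what the suggested format extracts. The whitespace-splitting model and the names `align`, `extract` and `NAMES` are assumptions of this example; Analog's own matcher is more general.

```python
# Simplified model of LOGFORMAT matching (an assumption of this example):
# fields are whitespace-separated, a token containing '%' matches one whole
# field, any other token is a literal, and a final %j takes the rest of the line.
NAMES = {"%S": "host", "%s": "host (fallback)", "%r": "request",
         "%f": "referrer", "%u": "user", "%A": "browser", "%c": "status"}

def align(logformat, line):
    """Pair each LOGFORMAT token with a log field; return (pairs, error)."""
    tokens, fields = logformat.split(), line.split()
    pairs = []
    for i, tok in enumerate(tokens):
        if i >= len(fields):
            return pairs, f"line ended before token {i + 1} ({tok})"
        if tok == "%j" and i == len(tokens) - 1:
            pairs.append((tok, " ".join(fields[i:])))  # trailing junk
            return pairs, None
        if "%" not in tok and tok != fields[i]:
            return pairs, f"token {i + 1}: literal {tok!r} met field {fields[i]!r}"
        pairs.append((tok, fields[i]))
    if len(fields) > len(tokens):
        return pairs, f"{len(fields) - len(tokens)} fields left unmatched"
    return pairs, None

def extract(logformat, line):
    """Return the named fields, or raise if the format does not fit the line."""
    pairs, err = align(logformat, line)
    if err:
        raise ValueError(err)
    return {NAMES[t]: v for t, v in pairs if t in NAMES}

# Sample line from the post, with the mail wrapping joined back together
LINE = ("2007-12-10 20:40:37 W3SVC1 APOLLO 192.168.32.134 GET "
        "/include/styles/author.css - 80 - 66.250.5.66 HTTP/1.1 "
        "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;"
        "+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) mhurley "
        "http://www.riedthunberg.com/headlines/reload_headlines.aspx "
        "www.riedthunberg.com 200 0 0 445 651 62")
ORIGINAL = ("%Y-%m-%d %h:%n:%j %j %S %j %j - %j - %s %j %A %u %r "
            "%j %j %j %j %j %j")
SUGGESTED = ("%Y-%m-%d %h:%n:%j %j %j %j %j %r - %j - %S %j %A %u %f "
             "%j %c %j")

if __name__ == "__main__":
    print("original :", align(ORIGINAL, LINE)[1])
    for name, value in extract(SUGGESTED, LINE).items():
        print(f"{name:9}: {value}")
```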