[analog-help] Logformat Problems
Aengus
analog07 at eircom.net
Fri Feb 29 18:38:37 PST 2008
At Friday, February 29, 2008 6:20 PM, The Wolf <tsawolf at gmail.com> wrote:
>> Hello everyone!
>>
>> I've been messing around with LOGFORMAT, trying to get it working
>> with our non-standard log setup.
>>
>> Unfortunately, there seem to be some rather weird errors going on.
>>
>> LOGFORMAT (%v\t%j\t%t\t%s\t%u\t[%d/%M/%Y:%h:%n:%j
>> %j]\t"%r"\t%c\t%b\t"%f"\t"%B") matches our real setup. All fields
>> are tab delimited, except for the date which is ISO compliant.
>>
>> servername, gzip Ratio, processing time, client IP, username,
>> [DD/MMM/YYYY:HH:NN:SS -TZTZ], "Request", status code, size,
>> "Referrer", "Useragent"
>>
>> However, analog thinks that all lines are corrupt, and the error
>> seems to point towards a different place in lines.
>>
>> A sample (sanitized for our users protection):
>> C: server - - 1.2.3.4 -
>> [27/Feb/2008:18:54:24 -0500] "GET /images/image.png HTTP/1.1"
>> 200 4373 " www.somesite.com" "Mozilla/5.0 (Windows; U;
>> Windows NT 6.0; en-US;) Gecko/0000 Firefox/0000"
>> C: *
>>
>> If we put a space where the first tab is (some of the tabs appear a
>> space long, but cat -e confirms they are actually tabs), it changes
>> to this:
>> C: server - - 1.2.3.4 -
>> [27/Feb/2008:18:54:24 -0500] "GET /images/image.png HTTP/1.1"
>> 200 4373 " www.somesite.com" "Mozilla/5.0 (Windows; U;
>> Windows NT 6.0; en-US;) Gecko/0000 Firefox/0000"
>> C:
>> *
>>
>> I'm not sure what to do next, so I turn to you.
If I change your %t to %j, Analog parses the line - it appears that "-"
isn't a valid %t.
(Tab delimited log files are almost impossible to debug - you have to
change the tabs to spaces in a sample line, and the \t to %w in the
LOGFORMAT to have any chance of figuring out what Analog doesn't like).
Aengus
More information about the analog-help
mailing list