> "Rodney Knott" <[EMAIL PROTECTED]>
>
>> I am attempting to run analog on the ISA logs we are using. I allowed
>> analog to auto select a compatible format and it came up with W3 extended,
>> but that only processed a very small number of log entries. I ran it again
>> with debug C on and it gave me errors like the following for almost all of
>> our log entries:
>>
>> C:
>> C:10.X.X.X anonymous Mozilla/4.0 (Compatible;MSIE 6.0; Windows NT 5.0;Q312461) 2002-01-12 00:00:35 FIREWALL02 - www.streamingfaith.com 10.X.X.X 80 733 140 http Get http://10.X.X.X/images/radiotab.gif inet 304
>
> The next line in the Debug output puts a * under the first field that
> Analog can't make sense of.
>
> But even without that, a very brief look at
> http://www.analog.cx/docs/logfmt.html#fmtstrings suggests that you want
> a LOGFORMAT something like this:
>
> %S\t%u\t%B\t%Y-%m%d\t%h:%n:%j\t%j\t%j\t%v\t%j\t%j\t%b\t%T\t%j\t%j\t%r\t%j\t%c
>
> Note that I'm guessing that http://10.X.X.X/images/radiotab.gif is
> supposed to be a request (even though requests don't start with
> http://), and that www.streamingfaith.com is a virtual host name.
>
> If ISA has the option of logging in W3 Extended format, then use that,
> so that you won't have to mess around with logformats that nobody
> understands.
>
> Aengus

I started using the following format string with no results:

(%s %B %Y-%m-%d %h:%n:%j %j %j %v %j %j %j %j %t %j %b %j %j %r %j %c)

And on the debug the * appears after the first C:

Thank you

> +------------------------------------------------------------------------
> | This is the analog-help mailing list. To unsubscribe from this
> | mailing list, go to
> | http://lists.isite.net/listgate/analog-help/unsubscribe.html
> |
> | List archives are available at
> | http://www.mail-archive.com/[email protected]/
> | http://lists.isite.net/listgate/analog-help/archives/
> | http://www.tallylist.com/archives/index.cfm/mlist.7
> +------------------------------------------------------------------------
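
An added example, not part of the original thread and not Analog's own code: a field-alignment check that pairs each tab-separated group of the LOGFORMAT suggested in the thread with the matching field of the quoted ISA log entry. It assumes the log is tab-delimited (the sample line is constructed from the quoted entry with tabs restored), and the literal-separator comparison is a heuristic, not Analog's parser.

```python
import re

# Constructed sample: the log entry quoted in the thread, with fields
# joined by tabs (assumption: the tabs were lost when the mail was wrapped).
SAMPLE = "\t".join([
    "10.X.X.X", "anonymous",
    "Mozilla/4.0 (Compatible;MSIE 6.0; Windows NT 5.0;Q312461)",
    "2002-01-12", "00:00:35", "FIREWALL02", "-", "www.streamingfaith.com",
    "10.X.X.X", "80", "733", "140", "http", "Get",
    "http://10.X.X.X/images/radiotab.gif", "inet", "304",
])

# The LOGFORMAT suggested in the thread, as posted (wrapped line rejoined).
SUGGESTED = (r"%S\t%u\t%B\t%Y-%m%d\t%h:%n:%j\t%j\t%j\t%v\t%j\t%j"
             r"\t%b\t%T\t%j\t%j\t%r\t%j\t%c")


def align(logformat, line):
    """Pair each tab-separated format group with its log field.

    Returns (rows, problems). A group holding several % directives must
    contain the same literal separators as the field it is matched to.
    """
    groups = logformat.split(r"\t")   # literal backslash-t in the format
    fields = line.split("\t")         # real tab in the log line
    problems = []
    if len(groups) != len(fields):
        problems.append(f"{len(groups)} format groups, {len(fields)} fields")
    rows = list(zip(groups, fields))
    for idx, (group, field) in enumerate(rows, start=1):
        if group.count("%") < 2:
            continue                  # single directive, nothing to compare
        want = re.sub(r"%.", "", group)           # literals in the format
        have = re.sub(r"[A-Za-z0-9]", "", field)  # separators in the field
        if want != have:
            problems.append(
                f"field {idx}: {group!r} has literals {want!r}, "
                f"log value {field!r} has {have!r}")
    return rows, problems


if __name__ == "__main__":
    rows, problems = align(SUGGESTED, SAMPLE)
    for group, field in rows:
        print(f"{group:<12} {field}")
    for p in problems:
        print("MISMATCH:", p)
```

On the constructed line the 17 groups line up with the 17 fields, and the only mismatch reported is the date group, whose single hyphen does not match the two hyphens in 2002-01-12.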
