Rodney Knott ([EMAIL PROTECTED]):
>> "Rodney Knott" <[EMAIL PROTECTED]>
>>
>>> I am attempting to run analog on the ISA logs we are using. I allowed
>>> analog to auto select a compatible format and it came up with W3
>>> extended, but that only processed a very small number of log entries.
>>> I ran it again with debug C on and it gave me errors like the
>>> following for almost all of our log entries:
>>>
>>> C:
>>> C:10.X.X.X anonymous Mozilla/4.0 (Compatible;MSIE 6.0; Windows NT
>>> 5.0;Q312461) 2002-01-12 00:00:35 FIREWALL02 - www.streamingfaith.com
>>> 10.X.X.X 80 733 140 http Get http://10.X.X.X/images/radiotab.gif inet 304
>>>
>>
>> The next line in the Debug output puts a * under the first field that
>> Analog can't make sense of.
>>
>> But even without that, a very brief look at
>> http://www.analog.cx/docs/logfmt.html#fmtstrings suggests that you want
>> a LOGFORMAT something like this:
>>
>> %S\t%u\t%B\t%Y-%m%d\t%h:%n:%j\t%j\t%j\t%v\t%j\t%j\t%b\t%T\t%j\t%j\t%r\t%j\t%c
>>
>> Note that I'm guessing that http://10.X.X.X/images/radiotab.gif is
>> supposed to be a request (even though requests don't start with
>> http://), and that www.streamingfaith.com is a virtual host name.
>>
>> If ISA has the option of logging in W3 Extended format, then use that,
>> so that you won't have to mess around with logformats that nobody
>> understands.
>>
>> Aengus

> I started using the following format string with no results:
> (%s %B %Y-%m-%d %h:%n:%j %j %j %v %j %j %j %j %t %j %b %j %j %r %j %c)
> And on the debug the * appears after the first C:

Well, the format you show is very different from the one Aengus suggested. First, his (and your logfile line) use tabs to separate, not spaces. Without quotes around the browser, space-delimited log file lines would be useless. Second, there's a username between the host and browser fields that you are missing. Third, you have a lot more fields that you are throwing out (%j) than there are fields in that line.
There *is* a typo in Aengus's format string. Try this instead:

%S\t%u\t%B\t%Y-%m-%d\t%h:%n:%j\t%j\t%j\t%v\t%j\t%j\t%b\t%T\t%j\t%j\t%r\t%j\t%c

-- 
Jeremy Wadsack
Wadsack-Allen Digital Group

+------------------------------------------------------------------------
| This is the analog-help mailing list. To unsubscribe from this
| mailing list, go to
| http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
| List archives are available at
| http://www.mail-archive.com/[email protected]/
| http://lists.isite.net/listgate/analog-help/archives/
| http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
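The three points above (tabs versus spaces, the missing username field, and a format with more fields than the line has) can be checked mechanically before feeding a LOGFORMAT to analog. The script below is an added example written for this thread; it is not analog's own code and does not reproduce analog's real parser. It walks a format string left to right, consumes one field per %-code up to the next literal separator, and reports the column at which matching breaks down, which is roughly what analog's debug `C` marker points at. The field labels (host, user, browser, and so on) are labels chosen here for the codes used in the thread, `%t` is left unlabelled because the thread does not say what it is, and the sample log line is constructed from the line Rodney posted, joined with tabs.

```python
"""Check an analog LOGFORMAT string against a sample log line.

Added example for the analog-help thread, not analog's own code.  It
treats every %-code as "consume up to the next literal separator", which
is enough to show why a space-delimited format fails on a tab-delimited
line and why two codes with no separator between them (%m%d) cannot work.
"""
import re

# Labels for the analog codes that appear in the thread (our naming).
# %j is the "junk" code: a field analog reads and discards.
FIELD_NAMES = {
    "S": "host", "u": "user", "B": "browser",
    "Y": "year", "m": "month", "d": "day",
    "h": "hour", "n": "minute", "j": "junk",
    "v": "vhost", "b": "bytes", "T": "time_taken",
    "r": "request", "c": "status",
}

# Either a %-code (one character) or a run of literal separator text.
TOKEN_RE = re.compile(r"%(.)|([^%]+)")

# Constructed sample: the log line from the thread, tab-separated.
SAMPLE_LINE = "\t".join([
    "10.X.X.X", "anonymous",
    "Mozilla/4.0 (Compatible;MSIE 6.0; Windows NT 5.0;Q312461)",
    "2002-01-12", "00:00:35", "FIREWALL02", "-",
    "www.streamingfaith.com", "10.X.X.X", "80", "733", "140",
    "http", "Get", "http://10.X.X.X/images/radiotab.gif", "inet", "304",
])

# Jeremy's corrected format string.
GOOD_FORMAT = (r"%S\t%u\t%B\t%Y-%m-%d\t%h:%n:%j\t%j\t%j\t%v\t%j\t%j"
               r"\t%b\t%T\t%j\t%j\t%r\t%j\t%c")
# Rodney's space-delimited attempt (surrounding parentheses dropped).
BAD_FORMAT = ("%s %B %Y-%m-%d %h:%n:%j %j %j %v %j %j %j %j %t %j %b "
              "%j %j %r %j %c")


def tokenize(fmt):
    """Split a LOGFORMAT string into ('code', c) / ('lit', text) tokens.

    The backslash-t escape written in the mail becomes a real tab first.
    """
    fmt = fmt.replace("\\t", "\t")
    return [("code", code) if code else ("lit", lit)
            for code, lit in TOKEN_RE.findall(fmt)]


def parse_line(fmt, line):
    """Match `line` against `fmt` and return a list of (label, value).

    Raises ValueError naming the column where matching fails.
    """
    tokens = tokenize(fmt)
    fields, pos, i = [], 0, 0
    while i < len(tokens):
        kind, text = tokens[i]
        if kind == "lit":
            # Literal separator text must appear exactly here.
            if not line.startswith(text, pos):
                raise ValueError(
                    f"expected {text!r} at column {pos}, "
                    f"got {line[pos:pos + 12]!r}")
            pos += len(text)
            i += 1
            continue
        # A field runs up to the next literal separator, or to end of line.
        if i + 1 < len(tokens):
            nkind, sep = tokens[i + 1]
            if nkind != "lit":
                raise ValueError(
                    f"%{text} and %{sep} have no separator between them")
            end = line.find(sep, pos)
            if end < 0:
                raise ValueError(
                    f"separator {sep!r} for %{text} not found after column {pos}")
        else:
            end = len(line)
        fields.append((FIELD_NAMES.get(text, "%" + text), line[pos:end]))
        pos = end
        i += 1
    if pos != len(line):
        raise ValueError(f"{len(line) - pos} trailing characters left over")
    return fields


def count_fields(fmt, sep="\t"):
    """Number of sep-delimited fields the format expects (Jeremy's third point)."""
    return fmt.replace("\\t", "\t").count(sep) + 1


if __name__ == "__main__":
    print("line has", SAMPLE_LINE.count("\t") + 1, "tab-separated fields")
    print("good format expects", count_fields(GOOD_FORMAT), "fields")
    print("bad format expects", count_fields(BAD_FORMAT, " "), "space-separated fields")
    for label, value in parse_line(GOOD_FORMAT, SAMPLE_LINE):
        if label != "junk":
            print(f"{label:>10}: {value}")
    for fmt in (BAD_FORMAT, r"%S\t%u\t%B\t%Y-%m%d\t%c"):
        try:
            parse_line(fmt, SAMPLE_LINE)
        except ValueError as err:
            print("rejected:", err)
```

Run as a script it prints the 17 fields the line actually has against the 17 the corrected format expects and the 19 the space-delimited attempt expects, then shows the two failures: the space-delimited format runs out of spaces once the browser string has been consumed, and Aengus's `%m%d` is rejected because nothing separates the month from the day.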
