For more than a year I successfully used the following LOGFORMAT:

LOGFORMAT (%S - - [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b %j "%j" "%B")

However, in the last weeks the format of the logfiles changed twice. Unfortunately, I don't know what the elements of the new logfiles mean and how to change the LOGFORMAT to get the same results as before. I ask for help because I am lost - I don't understand the syntax of the ANALOG commands fully enough, either.

Here are several examples of the logfile that could successfully be analyzed by the LOGFORMAT shown above:

12.234.186.168 - - [11/Feb/2002:00:03:42 +0100] "GET /robots.txt HTTP/1.0" 404 2118 www.kfn.de "-" "JCrawler/0.4a (robot; [EMAIL PROTECTED])"
166.102.19.181 - - [11/Feb/2002:00:11:32 +0100] "GET /softwareenzmann.html HTTP/1.1" 200 8537 www.kfn.de "-" "Netprospector JavaCrawler"
66.77.73.87 - - [11/Feb/2002:00:11:37 +0100] "GET /kfnveroeffentlichungen.html HTTP/1.0" 200 32521 www.kfn.de "-" "FAST-WebCrawler/3.3 ([EMAIL PROTECTED]; http://fast.no/support.php?c=faqs/crawler)"

Here are examples of the logfile after its first change (the LOGFORMAT cannot read the second element, for example 62.29.33.47, that previously was only "-"). Maybe I can ignore it, but I don't know how to do this via the LOGFORMAT:

213.243.30.5 62.29.33.47 - [13/Feb/2002:17:53:19 +0100] "HEAD /softwareenzmann.html HTTP/1.1" 200 0 www.kfn.de "-" "Mozilla/4.5 [en] (Win98; I)"
130.75.2.10 unknown - [13/Feb/2002:18:05:43 +0100] "GET / HTTP/1.0" 200 - www.kfn.de "-" "Mozilla/4.73 [de] (Win95; U)"
62.104.216.68 213.6.100.149 - [13/Feb/2002:18:41:44 +0100] "GET /mitarbbereswill.html HTTP/1.0" 200 17437 www.kfn.de "http://www.google.de/search?q=Behandlung+Inhaftierter&hl=de&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"

Finally, three examples of the logfile after its last change. Now, the logfile cannot read the last element (for example 129.96.248.65) and I don't know its meaning, either. If I can ignore it, what would be the correct specification of LOGFORMAT?

129.96.253.100 - - [18/Feb/2002:00:01:32 +0100] "GET /mitarbenzmanneng.html HTTP/1.0" 200 19195 www.kfn.de "http://www.kfn.de/vorstandmitarbeiterengl.html" "Mozilla/4.75 [en] (WinNT; U)" 129.96.248.65
129.96.253.100 - - [18/Feb/2002:00:01:34 +0100] "GET /photoenzmann.jpg HTTP/1.0" 200 11163 www.kfn.de "http://www.kfn.de/mitarbenzmanneng.html" "Mozilla/4.75 [en] (WinNT; U)" 129.96.248.65
216.35.103.44 - - [18/Feb/2002:00:06:45 +0100] "GET /gefaengnisfolgeneng.html HTTP/1.0" 200 31067 www.kfn.de "-" "Mozilla/5.0 (Slurp/cat; [EMAIL PROTECTED]; http://www.inktomi.com/slurp.html)" -

Is it possible to have a LOGFORMAT that can interpret all three versions of the logfile? The problem is that the changes of the format take place within the logfiles, but I want to have them analyzed simultaneously.

Thanks in advance,
Dirk

*************************************************
Dr. Dirk Enzmann
Criminological Research Institute of Lower Saxony
Luetzerodestr. 9
D-30161 Hannover
Germany

phone: +49-511-348.36.32
fax:   +49-511-348.36.10
email: [EMAIL PROTECTED]

http://www.kfn.de
*************************************************
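
Added example, not part of the original post and not Analog configuration: a Python pre-parser that accepts all three line layouts shown above in one pass and reports lines that match none of them, so a further format change is noticed instead of silently dropped. The field names (`extra2`, `trailing`), the layout labels and the sample lines are constructed for illustration; the post does not say what the two extra fields mean, so they are kept as opaque values.

```python
import re
from collections import Counter
from datetime import datetime

# One pattern for all three layouts. The second field ("-", "unknown" or an
# address) and the optional trailing field are captured as opaque extras.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<extra2>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<vhost>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: (?P<trailing>\S+))?$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line matches no known layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["layout"] = ("trailing-field" if rec["trailing"] is not None
                     else "second-field" if rec["extra2"] != "-"
                     else "original")
    return rec

def summarize(lines):
    """Count lines per layout and collect the lines that did not parse."""
    layouts, rejected = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            layouts[rec["layout"]] += 1
    return layouts, rejected

# Constructed sample lines (documentation addresses), covering each layout.
SAMPLE = [
    '192.0.2.10 - - [11/Feb/2002:00:03:42 +0100] "GET /robots.txt HTTP/1.0" 404 2118 www.example.org "-" "ExampleBot/1.0"',
    '192.0.2.11 198.51.100.7 - [13/Feb/2002:17:53:19 +0100] "HEAD /a.html HTTP/1.1" 200 0 www.example.org "-" "Mozilla/4.5 [en] (Win98; I)"',
    '192.0.2.12 unknown - [13/Feb/2002:18:05:43 +0100] "GET / HTTP/1.0" 200 - www.example.org "-" "Mozilla/4.73 [de] (Win95; U)"',
    '192.0.2.13 - - [18/Feb/2002:00:01:32 +0100] "GET /b.html HTTP/1.0" 200 19195 www.example.org "http://www.example.org/" "Mozilla/4.75 [en] (WinNT; U)" 203.0.113.5',
    '192.0.2.14 - - [18/Feb/2002:00:06:45 +0100] "GET /c.html HTTP/1.0" 200 31067 www.example.org "-" "Mozilla/5.0" -',
    'not a log line',
]
```

Calling `summarize(SAMPLE)` returns the per-layout counts and the list of rejected lines; a non-empty rejected list is the signal that the log format has changed again.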
 
