"Dirk Enzmann" <[EMAIL PROTECTED]> wrote: > Here are examples of the logfile after its first change (the LOGFORMAT > cannot read the second element, for example 62.29.33.47, that previously > was only "-"). Maybe I can ignore it, but I don't know how to do this > via the LOGFORMAT:
%j means junk - just specify %j instead of - in the LOGFORMAT if you want to ignore a field, and can't be sure what will be in it. > 213.243.30.5 62.29.33.47 - [13/Feb/2002:17:53:19 +0100] "HEAD > /softwareenzmann.html HTTP/1.1" 200 0 www.kfn.de "-" "Mozilla/4.5 > [en] (Win98; I)" > > 130.75.2.10 unknown - [13/Feb/2002:18:05:43 +0100] "GET / HTTP/1.0" > 200 - www.kfn.de "-" "Mozilla/4.73 [de] (Win95; U)" > > 62.104.216.68 213.6.100.149 - [13/Feb/2002:18:41:44 +0100] "GET > /mitarbbereswill.html HTTP/1.0" 200 17437 www.kfn.de > "http://www.google.de/search?q=Behandlung+Inhaftierter&hl=de&start=10&sa > =N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)" The second field looks like an IP address, but if the first field is the remote host, I don't know what the second field might be, unless you have multiple virtual servers, but then "unknown" doesn't make any sense. > Finally, three examples of the logfile after its last change. Now, the > logfile cannot read the last element (for example 129.96.248.65) and I > don't know its meaning, either. If I can ignore it, what would be the > correct specification of LOGFORMAT? > > 129.96.253.100 - - [18/Feb/2002:00:01:32 +0100] "GET > /mitarbenzmanneng.html HTTP/1.0" 200 19195 www.kfn.de > "http://www.kfn.de/vorstandmitarbeiterengl.html"; > "Mozilla/4.75 [en] (WinNT; U)" 129.96.248.65 > > 216.35.103.44 - - [18/Feb/2002:00:06:45 +0100] "GET > /gefaengnisfolgeneng.html HTTP/1.0" 200 31067 www.kfn.de "-" > "Mozilla/5.0 (Slurp/cat; [EMAIL PROTECTED]; > http://www.inktomi.com/slurp.html)" - > > Is it possible, to have a LOGFORMAT that can interpret all three > versions of the logfile? The first and second version are really the same, with - being used when the actual data isn't available. > The problem is, that the changes of the format > take place within the logfiles, but I want to have them analyzed > simultanously. Until you find out what that last field is for, I'd suggest this logformat: LOGFORMAT (%S %j - [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b %j "%j" "%B"%j) Aengus +------------------------------------------------------------------------ | This is the analog-help mailing list. To unsubscribe from this | mailing list, go to | http://lists.isite.net/listgate/analog-help/unsubscribe.html | | List archives are available at | http://www.mail-archive.com/[email protected]/ | http://lists.isite.net/listgate/analog-help/archives/ | http://www.tallylist.com/archives/index.cfm/mlist.7 +------------------------------------------------------------------------
