I am trying to use Analog to calculate total traffic per user from IIS 5.0 FTP logs. I'm using Analog v5.91 beta on Windows 2000 Professional.
The header of the log file looks like this:
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
Here are a few representative lines from the file:
2003-10-18 06:04:17 196.25.19.251 rhodesia MSFTPSVC1 IDEOSPHERE01 196.36.153.48 21 [514]USER rhodesia - 331 0 0 0 FTP - - - -
2003-10-18 08:51:29 196.3.242.158 Xanovia MSFTPSVC1 IDEOSPHERE01 196.36.153.48 21 [523]sent /Xanovia/Template.ascx - 226 1630 0 350 FTP - - - -
What I want from Analog is just a user report.
Now, when I run Analog on the file with no LOGFORMAT specified, everything is fine except that Analog ignores the sc-bytes and only takes the cs-bytes into account. I want to see the total traffic, so I want the sc-bytes and cs-bytes to be added.
I began to experiment with specifying a LOGFORMAT. I discovered that Analog would reject a LOGFORMAT with two instances of %b, so I wanted to see if I could get Analog to read just the sc-bytes or just the cs-bytes, one at a time, planning to combine them in some form later.
Here are the LOGFORMATs I tried:
LOGFORMAT (%Y-%m-%d %h:%n:%j %s %u %j %j %j %j [%j]%j %r - %C %b %j %t FTP - - - -)
(for just the sc-bytes)
LOGFORMAT (%Y-%m-%d %h:%n:%j %s %u %j %j %j %j [%j]%j %r - %C %b %j %t FTP - - - -)
(for just the cs-bytes).
As far as I can see, both of these should work - but if I try either, Analog doesn't recognise the code (%C), and thinks there were no successful requests, and so I get no results.
I have checked that what I think are spaces are spaces and not tabs, and I have tried replacing all the spaces in the LOGFORMAT with %w, with no luck.
I have spent hours looking for a solution to this problem on the web, but I've come up with nothing. Can anyone help? I have heard lots of people mention that they use Analog for FTP log analysis, so I assume there must be a way to get this to work.
Thank you for your time,
Adrianna Pinska
Ideosphere
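
As an added example (not part of the original post, and not an Analog feature): a short Python script that reads the #Fields header quoted above and sums sc-bytes and cs-bytes per cs-username, which is the per-user total the post asks for. The upload line, the truncated line, and the case-folding of usernames are assumptions made for the example.

```python
from collections import defaultdict

# Constructed input: the #Fields header and the two log lines quoted in the post,
# plus one constructed upload line and one constructed truncated line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2003-10-18 06:04:17 196.25.19.251 rhodesia MSFTPSVC1 IDEOSPHERE01 196.36.153.48 21 [514]USER rhodesia - 331 0 0 0 FTP - - - -
2003-10-18 08:51:29 196.3.242.158 Xanovia MSFTPSVC1 IDEOSPHERE01 196.36.153.48 21 [523]sent /Xanovia/Template.ascx - 226 1630 0 350 FTP - - - -
2003-10-18 08:52:02 196.3.242.158 Xanovia MSFTPSVC1 IDEOSPHERE01 196.36.153.48 21 [523]created /Xanovia/Upload.zip - 226 0 20480 900 FTP - - - -
2003-10-18 08:52:40 196.3.242.158 Xanovia MSFTPSVC1
"""


def _to_int(value):
    """Byte counters may be '-' when not applicable; count those as 0."""
    return int(value) if value.isdigit() else 0


def traffic_per_user(lines):
    """Sum sc-bytes and cs-bytes per cs-username.

    Returns (totals, skipped): totals maps user -> {"sc", "cs", "total"};
    skipped counts data lines whose column count does not match #Fields.
    """
    fields = None
    totals = defaultdict(lambda: {"sc": 0, "cs": 0, "total": 0})
    skipped = 0
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may reappear mid-file; follow the latest
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            skipped += 1  # truncated or malformed line: report it, do not guess columns
            continue
        rec = dict(zip(fields, parts))
        # Assumption: account names are case-insensitive, so fold case.
        user = totals[rec.get("cs-username", "-").casefold()]
        user["sc"] += _to_int(rec.get("sc-bytes", "-"))
        user["cs"] += _to_int(rec.get("cs-bytes", "-"))
        user["total"] = user["sc"] + user["cs"]
    return dict(totals), skipped


if __name__ == "__main__":
    per_user, bad = traffic_per_user(SAMPLE_LOG.splitlines())
    for name, t in sorted(per_user.items()):
        print(f"{name:12} sc={t['sc']:>8} cs={t['cs']:>8} total={t['total']:>8}")
    print(f"skipped lines: {bad}")
```

Because the column positions come from the #Fields line rather than a fixed layout, the same function keeps working if the logged field set is changed on the server.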
