I recently found that analog does not process logs that have entries from a Windows DAV attack. Here is the output of running analog on such a log with debugging turned on:
# ./analog +C"HOSTURL http://test.com" +C"LOGFILE /var/tmp/analog-5.32/access_log" +C"OUTFILE /var/tmp/analog-5.32/test.html" +C"HOSTNAME test.com"
./analog: analog version 5.32/Unix
F: Closing configuration file /var/tmp/analog-5.32/analog.cfg
F: Opening /var/tmp/analog-5.32/lang/uk.lng as language file
F: Closing language file /var/tmp/analog-5.32/lang/uk.lng
F: Opening /var/tmp/analog-5.32/lang/ukdom.tab as domains file
F: Closing domains file /var/tmp/analog-5.32/lang/ukdom.tab
F: Opening /var/tmp/analog-5.32/lang/ukdesc.txt as report descriptions file
F: Closing report descriptions file /var/tmp/analog-5.32/lang/ukdesc.txt
F: Opening /var/tmp/analog-5.32/access_log as logfile
C: 65.60.150.234 - - [08/Apr/2004:01:05:46 -0600] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
C: *
./analog: Warning F: Can't auto-detect format of logfile
/var/tmp/analog-5.32/access_log: ignoring it
(For help on all errors and warnings, see docs/errors.html)
F: Closing logfile /var/tmp/analog-5.32/access_log
S: Successful requests: 0
S: Redirected requests: 0
S: Failed requests: 0
S: Requests returning informational status code: 0
S: Status code not given: 0
S: Unwanted lines: 0
S: Corrupt lines: 1
F: Opening /var/tmp/analog-5.32/test.html as output file
./analog: Warning R: Turning off empty time reports
./analog: Warning R: Turning off empty Request Report
./analog: Warning R: Turning off empty File Type Report
./analog: Warning R: Turning off empty Directory Report
./analog: Warning R: Turning off empty Domain Report
./analog: Warning R: Turning off empty Organisation Report
./analog: Warning R: Turning off empty Search Word Report
./analog: Warning R: Turning off empty Operating System Report
./analog: Warning R: Turning off empty File Size Report
./analog: Warning R: Turning off empty Status Code Report
F: Closing /var/tmp/analog-5.32/test.html
The corrupted line is very long. Is there a way around this kind of problem?
Octave
+------------------------------------------------------------------------
| TO UNSUBSCRIBE from this list:
| http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
| Digest version: http://lists.isite.net/listgate/analog-help-digest/
| Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
| List archives: http://www.analog.cx/docs/mailing.html#listarchives
+------------------------------------------------------------------------
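An added example, not part of the post above and not analog's own code: the failure shown is that the very first line of access_log is the WebDAV SEARCH request (a NOP sled of \x90 bytes that Apache writes as "\xNN" escapes), so analog's format auto-detection has nothing sane to look at and ignores the whole file. Telling analog the format explicitly (the LOGFORMAT directive, e.g. "LOGFORMAT COMMON" in analog.cfg) makes it treat such lines as individual corrupt lines instead. Independently of that, the script below pre-filters the log: well-formed Common/Combined Log Format lines pass through to a clean file for analog, and lines that look like the exploit (SEARCH method, a burst of "\xNN" escapes, or an over-long request) or that simply do not parse are diverted to a reject file for the security team to look at. The regexes, thresholds (8 escapes, 2048 bytes) and the sample log lines are all constructed for this example; the attacker address is a documentation IP, not the one in the post.

```python
#!/usr/bin/env python3
"""Split an Apache access_log into clean CLF lines (for analog) and rejected lines.

Added example for the analog-help post about the WebDAV SEARCH attack line;
all regexes, thresholds and sample data below are assumptions made for the
example, not analog's own detection logic.
"""
import re
import sys

# Common Log Format with an optional Combined tail (referer, user-agent).
# The request field is matched leniently so that Apache's "\xNN" escapes
# for non-printable request bytes still fit.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Literal "\xNN" escapes as Apache writes them; \x90 is the x86 NOP that
# fills the sled in the SEARCH request quoted in the post.
HEX_ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Assumed thresholds: a normal request has no escaped control bytes at all.
MAX_ESCAPES = 8
MAX_REQUEST_LEN = 2048


def classify(line):
    """Return 'ok', 'attack' or 'corrupt' for one access_log line."""
    m = CLF_RE.match(line)
    if m is None:
        # Does not parse as CLF at all (analog's "corrupt line" case).
        # A truncated line may still carry the exploit's fingerprint.
        if HEX_ESCAPE_RE.search(line) or ' "SEARCH ' in line:
            return "attack"
        return "corrupt"
    request = m.group("request")
    method = request.split(" ", 1)[0] if request else ""
    escapes = len(HEX_ESCAPE_RE.findall(request))
    if method == "SEARCH" or escapes > MAX_ESCAPES or len(request) > MAX_REQUEST_LEN:
        return "attack"
    return "ok"


def split_log(lines):
    """Return (clean, rejected): lines analog can use, and everything else."""
    clean, rejected = [], []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        (clean if classify(line) == "ok" else rejected).append(line)
    return clean, rejected


# Constructed sample log: three ordinary requests, the exploit line with a
# status code, and the same exploit line truncated as it appears in the post.
SLED = '\\x90\\x02\\xb1' * 40
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Apr/2004:00:59:01 -0600] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.7 - - [08/Apr/2004:01:02:13 -0600] "GET /docs/ HTTP/1.1" 200 512 '
    '"http://test.com/" "Mozilla/4.0"',
    '198.51.100.23 - - [08/Apr/2004:01:05:46 -0600] "SEARCH /' + SLED + ' HTTP/1.1" 414 0',
    '198.51.100.23 - - [08/Apr/2004:01:05:47 -0600] "SEARCH /' + SLED,
    '10.0.0.9 - - [08/Apr/2004:01:10:00 -0600] "GET /missing HTTP/1.0" 404 209',
]


def main(argv):
    """Usage: split_log.py access_log clean_log reject_log (no args: run on sample)."""
    if len(argv) == 4:
        with open(argv[1], encoding="latin-1") as f:
            clean, rejected = split_log(f)
        with open(argv[2], "w", encoding="latin-1") as f:
            f.write("\n".join(clean) + ("\n" if clean else ""))
        with open(argv[3], "w", encoding="latin-1") as f:
            f.write("\n".join(rejected) + ("\n" if rejected else ""))
    else:
        clean, rejected = split_log(SAMPLE_LOG)
    print("clean lines: %d, rejected lines: %d" % (len(clean), len(rejected)))
    for line in rejected:
        print("REJECT [%s] %s" % (classify(line), line[:60]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as "split_log.py access_log access_log.clean access_log.reject" and point analog's LOGFILE at the clean file; the reject file is the one worth reading, since a SEARCH request with a NOP sled against an Apache host is a scanner or worm probing for an IIS WebDAV bug, not a user. The rules deliberately err on the side of rejecting: a rejected line costs one entry in the statistics, an accepted one can cost the whole report.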