For Windows, I use the QuickDNS program as my helper DNS
resolver.
http://www.analogx.com/
I use a batch file that first runs QuickDNS to resolve the
IPs in the IIS logs to names, then runs my Analog.
qdns /G analog.cfg /Y IP-of-my-DNS-Server
call analog.exe +gwhatever.cfg
Then, in my analog.cfg file, I tell Analog to read the
dnscache.txt that was created by QuickDNS
DNSFILE dnscache.txt
DNS read
The /G config.cfg switch for QuickDNS tells QuickDNS where
to find the raw IIS log files that should be read to be
resolved -- it reads the logfile line from the cfg file,
so if you had multiple config files you could resolve them
all separately.
There are other tools for Windows, but this one works for
me, so I didn't investigate further. Once you do this,
your Organization report will start showing the domain
names, whereas the Host report will show IP addresses.
Pam
On Thu, 18 Jan 2007 08:12:54 -0500 "Aengus"
<[EMAIL PROTECTED]> wrote:
On Wednesday, January 17, 2007 10:57 PM [EDT],
Tyson Varosyan <[EMAIL PROTECTED]> wrote:
However, my Organisation Report is a bit messed up. First
of all it is not resolving IPs to host names, however that
may be cause there is no rDNS set up for the few users that
have hit my site so far.
Analog doesn't do DNS lookups by default, because DNS
lookups are much, much slower than everything else that
Analog does. (http://analog.cx/docs/dns.html)
I will wait and see. The more important problem is that
when it shows the IPs, it does not show the entire IP,
rather it shows what seems to be a random part of it.
The Organization report doesn't show IP addresses, it
shows Organizations. If you don't have DNS lookups
enabled, then it has to use the basic IP address to
decide when requests from different IP addresses are
actually from the same Organization. In simple terms, all
addresses from the same "Class" address are considered to
be from a single Organization (eg 12.1.2.3 and
12.255.254.253 are in the same "Class A" address range,
as all addresses between 12.0.0.0 and 12.255.255.255 are
assigned to AT&T, whereas 145.1.2.3 and 145.255.254.253
are "Class B" addresses, and belong to different
organizations).
("Address classes" aren't really used anymore, but
provide an easy way to explain the Organization report.
Exceptions to the simple "Class model" are noted in
http://analog.cx/docs/domfile.html#orgrules )
For instance, an IP of 24.156.28.245 may be shown as 24.156
and that's it! Or as 156.28 or 28.245... In either case, it
is showing only a small bit of the address.
Because requests from 24.156.28.245 and 24.156.28.246
are both from the same "Organization", they are both
listed under 24.156 Organization.
I am currently using Win2k3 Server, with IIS6 and my IIS is
configured to use the "W3C EXTENDED LOG FILE FORMAT". I
have a few other options for log formats in IIS - I was
going to try the "Microsoft IIS...", but the first choice
was the default, so I have not changed it yet...
W3C Extended is the best format choice.
Please advise on how I can get Analog to show full IPs in
the report.
Full IPs belong to Hosts, not Organizations, so turn on
the Host Report, with
HOST ON
Aengus
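The pre-resolution step described in this thread (pull client IPs out of the W3C Extended log, write a cache file for DNSFILE), as an added sketch that is not part of the original messages and not QuickDNS's or Analog's own code. It assumes the cache line layout is "minutes since 1970, IP, hostname or *"; the sample log, the hostname and the fake_resolver helper are constructed.

```python
import ipaddress
import time

# Constructed sample of an IIS W3C Extended log (not from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-01-17 22:10:01 24.156.28.245 GET /index.html 200
2007-01-17 22:10:05 24.156.28.246 GET /logo.gif 200
2007-01-17 22:11:40 24.156.28.245 GET /about.html 200
2007-01-17 22:12:02 not-an-ip GET /x 400
"""

def client_ips(log_text):
    """Return unique c-ip values in first-seen order, honouring #Fields."""
    fields, seen = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # column layout can change mid-file
            continue
        if not line or line.startswith("#") or "c-ip" not in fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                     # truncated or malformed record
        ip = cols[fields.index("c-ip")]
        try:
            ipaddress.ip_address(ip)     # log data is untrusted input
        except ValueError:
            continue
        seen.setdefault(ip, None)
    return list(seen)

def dns_cache_lines(ips, resolve, now=None):
    """One line per IP: '<minutes since 1970> <ip> <name or *>' (assumed layout)."""
    minutes = int((time.time() if now is None else now) // 60)
    out = []
    for ip in ips:
        name = resolve(ip)
        # PTR data is controlled by whoever owns the address block:
        # keep only plain hostname characters, otherwise record "*".
        ok = name and all(c.isascii() and (c.isalnum() or c in "-.") for c in name)
        out.append(f"{minutes} {ip} {name.lower() if ok else '*'}")
    return out

def fake_resolver(ip):
    # Constructed stand-in for socket.gethostbyaddr so this runs offline
    return {"24.156.28.245": "host245.example.net"}.get(ip)

if __name__ == "__main__":
    print("\n".join(dns_cache_lines(client_ips(SAMPLE_LOG), fake_resolver)))
```

The hostname filter matters because reverse DNS answers come from outside your network and end up in reports; a name containing whitespace or a newline would otherwise add extra entries to the cache file.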