Aimee Mandeville <[EMAIL PROTECTED]> wrote:
> I am using ISA logs to try and determine website statistics for a
> website on our server. The ISA logs keep track of everything coming
> through our firewall, i.e. mail, website traffic from our internal
> computers out to the internet as well as users hitting our 5 websites
> hosted on the same server.
>
> I am getting confused as to which INCLUDE EXCLUDE commands I should be
> using. Ideally I would like to analyze one website at a time:
> www.usawaterquality.org <http://www.usawaterquality.org/>. I would
> like to get a count of the number of hits this website is getting, who
> is hitting it, while excluding the hits the website is getting from
> internal users.

I see that you have a field called "Rule" listed in your #Fields line. If you're trying to just analyze records that match a particular "Rule", then you can create a custom LOGFORMAT that specifies the records that are tagged with a particular rule. For example, this logformat should interpret all the records in your log:

LOGFORMAT (%S\t%u\t%B\t%Y-%m-%d\t%h:%n:%j\t%j\t%j\t%j\t%j\t%j\t%j\t%j\t%b\t%j\t%j\t%r\t%j\t%c\t%j\t%j)

If you only want to analyze the records that match a specific Rule, then specify the rule name in that field in the logfile:

LOGFORMAT (%S\t%u\t%B\t%Y-%m-%d\t%h:%n:%j\t%j\t%j\t%j\t%j\t%j\t%j\t%j\t%b\t%j\t%j\t%r\t%j\t%c\twww.usawaterquality.org\t%j)

Any entries that don't match that rule will be ignored (or counted as corrupt).

Alternatively, if you're not really using the Username field, you can co-opt it:

LOGFORMAT (%S\t%j\t%B\t%Y-%m-%d\t%h:%n:%j\t%j\t%j\t%j\t%j\t%j\t%j\t%j\t%b\t%j\t%j\t%r\t%j\t%c\t%u\t%j)

and then use

USERINCLUDE www.usawaterquality.org

(That's probably the easiest approach if you need to do separate reports for a couple of different "Rules".)

I don't know much about ISA rules, so I don't know if this will work exactly the way you want it to, but even if it doesn't, you can still use the approach of creating a LOGFORMAT that will only match the lines that you are interested in - you just have to figure out how Analog can recognize the lines you want to report on.

Aengus
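Added example (not part of the message above and not part of Analog): a pre-check that reads the #Fields header of a tab-separated log, tallies the values in the "Rule" column, and reports how many lines a literal-rule LOGFORMAT would accept versus ignore. The sample log, its simplified column layout, and the function names are constructed for illustration.

```python
import io
from collections import Counter

# Constructed sample; a simplified layout, not the 20-column log from the thread.
SAMPLE = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri\tsc-status\tRule",
    "192.0.2.10\tanonymous\t2005-03-01\t10:00:01\t/index.html\t200\twww.usawaterquality.org",
    "10.0.0.5\tjdoe\t2005-03-01\t10:00:02\thttp://example.com/\t200\tInternal Web Access",
    "192.0.2.44\tanonymous\t2005-03-01\t10:00:03\t/map.html\t200\twww.usawaterquality.org",
    "192.0.2.77\t-\t2005-03-01\t10:00:04\t-\t0\tSMTP Relay",
    "192.0.2.10\tanonymous\t2005-03-01",  # truncated record
])

def rule_breakdown(log, field_prefix="rule"):
    """Tally the values of every column whose #Fields name starts with field_prefix.

    Returns ({column_name: Counter(value -> lines)}, malformed_line_count).
    """
    columns, width, counts, malformed = {}, 0, {}, 0
    for raw in log:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The header may recur after a log rollover, so re-read it each time.
            names = line[len("#Fields:"):].strip().split("\t")
            width = len(names)
            columns = {i: n for i, n in enumerate(names)
                       if n.lower().startswith(field_prefix)}
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        parts = line.split("\t")
        if not columns or len(parts) != width:
            malformed += 1  # wrong column count: no LOGFORMAT would parse it
            continue
        for i, name in columns.items():
            counts.setdefault(name, Counter())[parts[i]] += 1
    return counts, malformed

def literal_split(counts, column, literal):
    """(accepted, ignored) line counts if `literal` is hard-coded in that column."""
    tally = counts.get(column, Counter())
    return tally[literal], sum(tally.values()) - tally[literal]

if __name__ == "__main__":
    counts, malformed = rule_breakdown(io.StringIO(SAMPLE))
    for value, n in counts["Rule"].most_common():
        print(f"{n:6d}  {value}")
    print("literal match:", literal_split(counts, "Rule", "www.usawaterquality.org"))
    print("malformed lines:", malformed)
```

Running it over a real log shows the exact strings present in the Rule column, which is what has to be typed into the LOGFORMAT literal or the USERINCLUDE argument.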

