Mailing List Archive

Unable to get my analog to read my log format
Hello,
I am using Analog 6.0 on my 32-bit Windows XP machine. I edited my
analog.cfg file to point to my Log file which is stored on my local
machine's C: drive. My log file is in the ELFF (Extended Log File Format).
When I double click the analog.exe file to run it, it generates the report
but there is no data in it. Looking at the Report.html file, it says that
there are 37,215 corrupt log file lines and 0 successful requests.

My log file has the following line that describes the format of the fields:

#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes
cs-method cs-uri-scheme cs-host cs-uri-path cs-uri-query cs-username
s-hierarchy s-supplier-name rs(Content-Type) cs(User-Agent) sc-filter-result
sc-filter-category x-virus-id s-ip s-sitename cs(Referer)

I am not sure if (why) it is failing to recognize the log format from the
log file, and unable to generate report with data in it.
Re: Unable to get my analog to read my log format
2009/2/12 Whatis myname <myname.whatis@gmail.com>:
> Hello,
> I am using Analog 6.0 on my 32-bit Windows XP machine. I edited my
> analog.cfg file to point to my Log file which is stored on my local
> machine's C: drive. My log file is in the ELFF (Extended Log File Format).
> When I double click the analog.exe file to run it, it generates the report
> but there is no data in it. Looking at the Report.html file, it says that
> there are 37,215 corrupt log file lines and 0 successful requests.
>
> My log file has the following line that describes the format of the fields:
>
> #Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes
> cs-method cs-uri-scheme cs-host cs-uri-path cs-uri-query cs-username
> s-hierarchy s-supplier-name rs(Content-Type) cs(User-Agent) sc-filter-result
> sc-filter-category x-virus-id s-ip s-sitename cs(Referer)
>
> I am not sure if (why) it is failing to recognize the log format from the
> log file, and unable to generate report with data in it.
>

Post the top few lines of your logfile too and someone will be able to
figure it out.

--
Stephen Turner
+------------------------------------------------------------------------
| TO UNSUBSCRIBE from this list:
| http://lists.meer.net/mailman/listinfo/analog-help
|
| Analog Documentation: http://analog.cx/docs/Readme.html
| List archives: http://www.analog.cx/docs/mailing.html#listarchives
| Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
+------------------------------------------------------------------------
Re: Unable to get my analog to read my log format
Here are the first few lines from the log file:

#Software: SGOS 4.2.8.6
#Version: 1.0
#Start-Date: 2008-12-12 21:34:52
#Date: 2008-12-12 21:34:50
#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes
cs-method cs-uri-scheme cs-host cs-uri-path cs-uri-query cs-username
s-hierarchy s-supplier-name rs(Content-Type) cs(User-Agent) sc-filter-result
sc-filter-category x-virus-id s-ip s-sitename cs(Referer)
#Remark: 1427112655 "GSDMZVCSN02" "144.140.198.8" "main"
2008-12-12 21:51:12 133 44.274.158.244 200 TCP_HIT 1394 167 GET https
mysite.somename.com /Registration/regFrameset.html - - DEFAULT_PARENT
20.146.4.250 text/html "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
PROXIED none - 134.122.133.5 SG-HTTPS-Reverse-Proxy-Service -
2008-12-12 21:51:13 144 43.250.188.255 200 TCP_HIT 1395 163 GET https
somesite.someothername.com /Registration/regFrameset.html - - DEFAULT_PARENT
22.149.6.166 text/html "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
PROXIED none - 158.130.128.8 SG-HTTPS-Reverse-Proxy-Service -
Re: Unable to get my analog to read my log format
Running analog with all the debugging on revealed two problems:

1) The #Fields line uses cs-uri-path instead of the normal cs-uri or
cs-uri-stem.
2) The last field is the referrer, which should be in quotes, but is
not in your case.

After fixing these two things, the sample you gave processes fine.

I guess the first question is, what web server produced this file?

As for your options, you could either edit your logfiles to change
these two things, or you could write your own LOGFORMAT instead of
relying on analog parsing the #Fields line.

--
Stephen Turner
Re: Unable to get my analog to read my log format
Support for analog web log analyzer <analog-help@lists.meer.net> wrote:

< As for your options, you could either edit your logfiles to change
< these two things, or you could write your own LOGFORMAT instead of
< relying on analog parsing the #Fields line.

I posted a LOGFORMAT on Friday, but my server seems to have difficulty delivering mail to this list in the last few weeks - it's reporting that it can't find an MX record for lists.meer.net. Anyway, here's an excerpt from the e-mail that bounced over the weekend:


You can use an explicit LOGFORMAT to tell Analog how to parse your logfile by adding these lines to your analog.cfg file:

LOGFORMAT (%Y-%m-%d %h:%n:%j %T %S %c %j %b %j %j %j %v %r %q %u %j"%B" %j"%f")
LOGFORMAT (%Y-%m-%d %h:%n:%j %T %S %c %j %b %j %j %j %v %r %q %u %j"%B" %j)
LOGFILE logfile.log

I added 2 lines, the first for when there are referrers (I assume your webserver is quoting the referrers), and one for lines without referrers. Analog will use whichever one matches each line of the logfile.

Note that there is no space between the %j and "%f" at the end of that first line.

Aengus
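
The "edit your logfiles" option discussed in this thread, as an added example that is not part of any poster's message and is not Analog's own code: a Python filter that renames cs-uri-path in the #Fields line and quotes an unquoted cs(Referer) value, rejecting records whose field count does not match. Using cs-uri-stem as the replacement name and quoting the `-` placeholder are assumptions drawn from the diagnosis above; the sample lines are the ones posted in the thread with the e-mail wraps rejoined.

```python
import re

# Sample from the thread above, with the e-mail line wraps joined back up.
SAMPLE = [
    "#Software: SGOS 4.2.8.6",
    "#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes "
    "cs-method cs-uri-scheme cs-host cs-uri-path cs-uri-query cs-username "
    "s-hierarchy s-supplier-name rs(Content-Type) cs(User-Agent) "
    "sc-filter-result sc-filter-category x-virus-id s-ip s-sitename cs(Referer)",
    "2008-12-12 21:51:12 133 44.274.158.244 200 TCP_HIT 1394 167 GET https "
    "mysite.somename.com /Registration/regFrameset.html - - DEFAULT_PARENT "
    '20.146.4.250 text/html "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" '
    "PROXIED none - 134.122.133.5 SG-HTTPS-Reverse-Proxy-Service -",
]

TOKEN = re.compile(r'"[^"]*"|\S+')          # a quoted string or a bare word
RENAME = {"cs-uri-path": "cs-uri-stem"}     # problem 1 (replacement name assumed)
MUST_QUOTE = {"cs(Referer)"}                # problem 2

def normalize(lines):
    """Return (fixed_lines, rejected_lines) for an ELFF log."""
    fields, fixed, rejected = [], [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            fixed.append("#Fields: " + " ".join(RENAME.get(f, f) for f in fields))
        elif line.startswith("#") or not line.strip():
            fixed.append(line)              # other directives pass through
        else:
            values = TOKEN.findall(line)
            if len(values) != len(fields):  # e.g. a bare value containing spaces
                rejected.append(line)       # never guess at a misaligned record
                continue
            fixed.append(" ".join(
                f'"{v}"' if f in MUST_QUOTE and not v.startswith('"') else v
                for f, v in zip(fields, values)))
    return fixed, rejected

if __name__ == "__main__":
    fixed, rejected = normalize(SAMPLE)
    print("\n".join(fixed))
    print(f"{len(rejected)} line(s) rejected")
```

Rejected lines are returned rather than silently dropped, so the count can be compared with the corrupt-line total in Analog's report.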
