"Rodney Knott" <[EMAIL PROTECTED]>
> I am attempting to run analog on the ISA logs we are using. I allowed
> analog to auto select a compatible format and it came up with W3 extended,
> but that only processed a very small number of log entries. I ran it again
> with debug C on and it gave me errors like the following for almost all of
> our log entries:
>
> C:
> C:10.X.X.X anonymous Mozilla/4.0 (Compatible;MSIE 6.0; Windows NT
> 5.0;Q312461) 2002-01-12 00:00:35 FIREWALL02 -
> www.streamingfaith.com 10.X.X.X 80 733 140 http
> Get http://10.X.X.X/images/radiotab.gif inet 304
>

The next line in the Debug output puts a * under the first field that
Analog can't make sense of. But even without that, a very brief look at
http://www.analog.cx/docs/logfmt.html#fmtstrings suggests that you want a
LOGFORMAT something like this:

%S\t%u\t%B\t%Y-%m-%d\t%h:%n:%j\t%j\t%j\t%v\t%j\t%j\t%b\t%T\t%j\t%j\t%r\t%j\t%c

Note that I'm guessing that http://10.X.X.X/images/radiotab.gif is supposed
to be a request (even though requests don't start with http://), and that
www.streamingfaith.com is a virtual host name.

If ISA has the option of logging in W3 Extended format, then use that, so
that you won't have to mess around with logformats that nobody understands.

Aengus

+------------------------------------------------------------------------
|  This is the analog-help mailing list.
+------------------------------------------------------------------------
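
An added example (not part of the original post and not Analog's own code): a Python sketch that checks a log line field by field against the LOGFORMAT suggested above and reports the first field that does not fit, with the date field written %Y-%m-%d so that it matches 2002-01-12. The per-token patterns, the tab separators in the sample line and the function names are assumptions made for illustration.

```python
import re

# Simplified per-token patterns: an assumption of this sketch, not Analog's parser.
TOKENS = {
    "S": r"[^\t]+", "u": r"[^\t]*", "B": r"[^\t]*", "v": r"[^\t]+",
    "r": r"[^\t]+", "j": r"[^\t]*", "b": r"\d+|-", "T": r"\d+|-",
    "Y": r"\d{4}", "m": r"\d{2}", "d": r"\d{2}", "h": r"\d{2}",
    "n": r"\d{2}", "c": r"\d{3}",
}

LOGFORMAT = (r"%S\t%u\t%B\t%Y-%m-%d\t%h:%n:%j\t%j\t%j\t%v\t%j\t%j"
             r"\t%b\t%T\t%j\t%j\t%r\t%j\t%c")

# Constructed from the entry quoted in the thread; tab separators are assumed.
SAMPLE_FIELDS = [
    "10.X.X.X", "anonymous",
    "Mozilla/4.0 (Compatible;MSIE 6.0; Windows NT 5.0;Q312461)",
    "2002-01-12", "00:00:35", "FIREWALL02", "-", "www.streamingfaith.com",
    "10.X.X.X", "80", "733", "140", "http", "Get",
    "http://10.X.X.X/images/radiotab.gif", "inet", "304",
]
SAMPLE_LINE = "\t".join(SAMPLE_FIELDS)


def field_regex(spec):
    """Compile one tab-delimited LOGFORMAT field, e.g. '%Y-%m-%d'."""
    parts = re.split(r"%(.)", spec)  # literals at even indexes, tokens at odd
    return re.compile("".join(
        re.escape(p) if i % 2 == 0 else "(?:" + TOKENS[p] + ")"
        for i, p in enumerate(parts)))  # KeyError: token not modelled here


def first_bad_field(logformat, line):
    """Return (index, spec, value) for the first mismatch, or None if all fit."""
    specs = logformat.split(r"\t")
    values = line.rstrip("\r\n").split("\t")
    for idx, spec in enumerate(specs):
        if idx >= len(values):
            return (idx, spec, None)        # line ran out of fields
        if not field_regex(spec).fullmatch(values[idx]):
            return (idx, spec, values[idx])
    if len(values) > len(specs):
        return (len(specs), None, values[len(specs)])  # extra trailing field
    return None


if __name__ == "__main__":
    print(first_bad_field(LOGFORMAT, SAMPLE_LINE))
```

Running the same check with the hyphen between %m and %d left out stops at field index 3, the date, which is the kind of position the debug output's * marks.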