Howdy, my name is Kevin Thompson.

I'm using analog 5.24 on a small webserver I have. The analog page is
viewable at http://corrugated.csh.rit.edu/analog
Please visit the web page, and pay special attention to the failure report
(at the bottom).

This may be slightly confusing, but nonetheless, my problem is this:
I get a large number of nimda and code red hits. This I don't really mind,
because apache is immune to nimda and code red. However, I do wonder what
percent of my failed requests are results of nimda/CR.

So, what I figured I'd do is failalias anything that matched code red or
nimda to just that "Code Red" and "Nimda" so it would show up as an element
of the pie chart.

The pertinent config lines:
FAILALIAS REGEXPI:(NNNN|XXXX) "Code Red"
FAILALIAS REGEXPI:(winnt|default) "Nimda"

Note that there are actually a large number of different requests in my log
file that match exactly one of those lines.
For example, the "Nimda" regexpi matches all three of these lines:

/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\

/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/
c+dir+c:\\

/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/
c+dir+c:\\

Those three lines match "winnt" which is characteristic of nimda, but those
are each unique urls.
The problem is that in the failure report analog doesn't take the multiple
"Nimda" entries and group them as one, most likely because they are each
from unique hits that simply matched the regular expression for Nimda.
In other words, all the entries that matched the /msadc/..... entry exactly
were tallied up, counted as its own group, and then renamed "Nimda".
Then the ones that matched /cgi-bin/.... were tallied up, counted as its own
group and then renamed to "Nimda".
At this point, it just so happens that two groups have a common name, but
are being counted as two separate groups, each with its own tally.

I think this is a fault, and that any number of groups that share the same
name (hit, alias, whatever) should be counted as one big group, such that
all the small groups that matched "winnt" and were renamed to "Nimda" should
be counted as one, big group under the "Nimda" heading.

Let's say that "winnt" matched 31 lines that were exact matches to the
/msadc/.. line I posted above.
Let's also say that "winnt" matched 400 lines that were exact matches to the
/cgi-bin/.. line I posted above.
That means that I would have two groups, both named "Nimda", with 31
matches and 400 matches, respectively.
Is there a way to get analog to aggregate groups that are all named the same
thing into one big group, such that all the little "Nimda" groups that you
see in my log would be displayed as one entry, with a correct total (the
correct total right now would be approximately
128+127+55+22+16+13+13+12+10....)?

I hope my post is as clear as can be; please look at my failure report to
understand what I mean.

-Kevin Thompson
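The grouping problem Kevin describes, as an added illustration that is not part of his post and not analog's own code: a small Python script that reads constructed Common Log Format lines, keeps the failed requests, and tallies them two ways. `tally_then_alias` mirrors what the failure report does (count each distinct URL, then rename the label, so several rows end up called "Nimda"), while `alias_then_tally` renames first and then counts, which is the single aggregated row per worm the post asks for. The two FAILALIAS-style rules are the ones from the post; the assumption that the first matching rule wins, the function names, and the log sample (with a shortened `/default.ida?NNNN...` Code Red probe) are mine, not analog's documented behaviour.

```python
import re
from collections import Counter

# FAILALIAS-style rules modelled on the two lines in the post.
# Assumption (not taken from analog's documentation): the first rule that
# matches wins, so order matters. A Code Red probe hits /default.ida, which
# also contains "default" and would otherwise be swallowed by the Nimda rule.
FAIL_ALIASES = [
    (re.compile(r"(NNNN|XXXX)", re.IGNORECASE), "Code Red"),
    (re.compile(r"(winnt|default)", re.IGNORECASE), "Nimda"),
]

# Constructed sample in Common Log Format: worm probes of the same shape as
# the ones quoted in the post, one ordinary 404 and one successful request.
SAMPLE_LOG = r"""
10.0.0.1 - - [20/Sep/2001:10:00:01 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 292
10.0.0.1 - - [20/Sep/2001:10:00:02 -0400] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 292
10.0.0.2 - - [20/Sep/2001:10:01:11 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 292
10.0.0.2 - - [20/Sep/2001:10:01:12 -0400] "GET /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 292
10.0.0.3 - - [20/Sep/2001:10:02:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 292
10.0.0.4 - - [20/Sep/2001:10:03:05 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.4 - - [20/Sep/2001:10:03:06 -0400] "GET /favicon.ico HTTP/1.0" 404 292
10.0.0.5 - - [20/Sep/2001:10:04:40 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 292
10.0.0.5 - - [20/Sep/2001:10:04:41 -0400] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 292
10.0.0.6 - - [20/Sep/2001:10:05:59 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 292
"""

# Request line and status code of a CLF entry; the URL is everything up to the
# space before the protocol, so the trailing "c:\" of the probes is kept.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})')


def parse_failed_requests(log_text):
    """Return the request URL of every line whose status is 4xx or 5xx."""
    urls = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and m.group("status")[0] in "45":
            urls.append(m.group("url"))
    return urls


def alias_of(url):
    """Rename a failed URL the way a FAILALIAS rule would; unmatched URLs keep their name."""
    for pattern, alias in FAIL_ALIASES:
        if pattern.search(url):
            return alias
    return url


def tally_then_alias(urls):
    """What the post describes: count each distinct URL first, then rename the
    label, so several rows end up carrying the same alias."""
    return [(alias_of(url), n) for url, n in Counter(urls).most_common()]


def alias_then_tally(urls):
    """What the post asks for: rename first, then count, so every request that
    matched the Nimda rule lands in one "Nimda" bucket."""
    return Counter(alias_of(url) for url in urls)


def share_of_failures(tally):
    """Percentage of all failed requests per label, rounded to one decimal."""
    total = sum(tally.values())
    return {label: round(100.0 * n / total, 1) for label, n in tally.items()}


if __name__ == "__main__":
    failed = parse_failed_requests(SAMPLE_LOG)
    print("per-URL tally, renamed afterwards (what the failure report shows):")
    for label, n in tally_then_alias(failed):
        print(f"  {n:4d}  {label}")
    print("renamed first, then tallied (one row per worm):")
    for label, n in alias_then_tally(failed).most_common():
        print(f"  {n:4d}  {label}")
    print("share of failed requests:", share_of_failures(alias_then_tally(failed)))
```

On the constructed sample the first report lists three separate "Nimda" rows (3, 2 and 1 hits) exactly as the post describes, while the second collapses them into one "Nimda" row of 6 hits next to "Code Red" with 2, and the share function answers the "what percent of my failures is worm traffic" question directly.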

+------------------------------------------------------------------------
|  This is the analog-help mailing list. To unsubscribe from this
|  mailing list, go to
|    http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
|  List archives are available at
|    http://www.mail-archive.com/analog-help@lists.isite.net/
|    http://lists.isite.net/listgate/analog-help/archives/
|    http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
