0

I recently came across Microsoft Log Parser. It is an amazing tool. I am parsing Exchange Receive connector protocol logs but I encounter this error with IISW3C format.

C:\TEMP>logparser "SELECT * FROM RECV20170706-1.LOG" -i:IISW3C
Task completed with parse errors.

Parse errors:
4 parse errors occurred during processing (To see details about the parse
  error(s), execute the command again with a non-zero value for the "-e"
  argument)

Statistics:
-----------
Elements processed: 0
Elements output:    0
Execution time:     0.06 seconds

Using -e does not fix it

C:\TEMP>logparser "SELECT * FROM RECV20170706-1.LOG" -i:IISW3C -e 5
Task completed with parse errors.
Parse errors:
Cannot find '#Fields' directive in header of file "C:\TEMP\RECV20170706-1.LOG". Lines 1 to 1 have been ignored
Error while parsing Date directive: missing space between Date and Time LogFile "C:\TEMP\RECV20170706-1.LOG", Row number 4, Directive '#Date:2017-07-06T00:00:04.363Z #Fields'
Unknown field date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context found in #Fields directive
Cannot find '#Fields' directive in header of file "C:\TEMP\RECV20170706-1.LOG". Lines 6 to 39711 have been ignored

I tried all input formats supported by Log Parser 2.2 (IISW3C, NCSA, IIS, IISODBC, BIN, IISMSID, HTTPERR, URLSCAN, CSV, TSV, W3C, XML, EVT, ETW, NETMON, REG, ADS, TEXTLINE, TEXTWORD, FS, COM). I encounter similar errors with other formats. I can use the GUI tool, Log Parser Studio with no difficulty but I prefer using the command line. I noticed the GUI uses a different input format, EELLog to parse.

These are my questions;

  • Is the Exchange-Extensible-Logging the only accepted format?
  • Can I get EEL input-format as an add-on for the command line utility?
  • Is there a command line switch or another executable with the Log Parser Studio which allows me to run it on CMD?
  • Can I modify the headers and directives a little and achieve a successful rendering with IISW3C format?

Updates

Error when using -i:w3c

C:\TEMP>logparser -i:w3c "SELECT [data] FROM RECV20170705-1.LOG"
Error: SELECT clause: Syntax Error: unknown field 'data'.
The closest match for input format 'W3C' is 'date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'.

To see valid fields for the W3C input format type:
LogParser -h -i:W3C
Lordbalmon
  • 121
  • 1
  • 7
  • 1
    The file format isn't IISW3C. That is what using a non-zero value for -e showed. Use a more applicable input format. – user2320464 Jul 08 '17 at 19:56
  • I tried all formats supported by Log Parser 2.2 (IISW3C, NCSA, IIS, IISODBC, BIN, IISMSID, HTTPERR, URLSCAN, CSV, TSV, W3C, XML, EVT, ETW, NETMON, REG, ADS, TEXTLINE, TEXTWORD, FS, COM). Encounter similar errors. – Lordbalmon Jul 08 '17 at 20:04
  • As long as these logs are W3C-compliant (see https://www.w3.org/TR/WD-logfile.html), then the W3C input format should be able to parse them. What's the error you get with the W3C format? You may also try out the TSV format. To see the switches that allow you to customize an input format reader, type - using W3C as an example - `LogParser -h -i:W3C`. – Gabriele Giuseppini Jul 09 '17 at 09:34
  • As for your last question, sure you can modify the headers so that you can parse these logs with the W3C input format, just follow the W3C specs linked to in my other comment. As user2320464 says, you shouldn't use the IISW3C format, that's specific to IIS logs. – Gabriele Giuseppini Jul 09 '17 at 09:36
  • @GabrieleGiuseppini, OP is updated with W3C error information. – Lordbalmon Jul 10 '17 at 12:32
  • It looks like the input log's header is not properly W3C, as LogParser thinks that the log contains a field named "date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context". Have a look at the W3C specs and see if you can change the header accordingly. Alternatively, I'm quite sure you can use the TSV input format. – Gabriele Giuseppini Jul 11 '17 at 09:48

0 Answers0