4

Platform: Windows 2003 with Perl. I am looking into how to cut the user ID out of the IIS log file, then find out what that user did: uploaded file, CWD, things like that. There is [uniqu_ID]User ID. How do I retrieve that ID and search for what it did? Please help.

Chaulky
Moe
  • Can you please post a few example lines of code? The problem seems rather easy, but examples would be great. – simbabque Apr 26 '12 at 08:33

2 Answers

0

I found an example of an IIS log file on Windows 2003 Server here. Still, please post your own lines of example log.

192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SERVER, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -,

Since this is nothing more than a comma-separated file, you have several different ways to go here. You could use Text::CSV if that is installed on your machine. If not, here's a simple example.

use strict;
use warnings;
use Data::Dumper;

my $user = {}; # we will store the actions in here

# This is what the log file looks like when split into an array
# 0: Client IP address
# 1: User name
# 2: Date
# 3: Time
# 4: Service and instance
# 5: Server name
# 6: Server IP
# 7: Time taken
# 8: Client bytes sent
# 9: Server bytes sent
# 10: Service status code
# 11: Windows status code
# 12: Request type
# 13: Target of operation
# 14: Parameters

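# declare $log with 'my' (required under strict) and stop if the file cannot be opened
open my $log, '<', 'path/to/logfile.log' or die "Cannot open log file: $!";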
while (my $line = <$log>) {
  my @fields = split /, /, $line; # split on comma and space
  # you'll get an array of actions for each user
  push @{ $user->{$fields[1]} }, "$fields[12] $fields[13]";  
  # or more specific:
#   push @{ $user->{$fields[1]} }, { 
#     'time' => $fields[3],
#     'action' => $fields[12],
#     'target' => $fields[13],
#   };
}
close $log;

print Dumper $user; # lets have a look

# More stuff to do with the data here...

This is the output:

$VAR1 = {
          '-' => [
                   'GET /DeptLogo.gif'
                 ]
        };

You could then go and write the contents of $user to another file, or group of files.

foreach my $u (sort keys %$user) {
  print "$u\r\n";
  foreach my $action (@{ $user->{$u} }) {
    print "$action\r\n";
  }
}
simbabque
  • @Moe: if answer is not acceptable, please explain why, so one could further dig into your issue. – Mat M Oct 26 '12 at 14:29
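To answer the original question for a single user name, the same field layout can be used to pull out one user's requests with their timestamps while counting lines that do not parse. This is an added example, not code from the answer above; the sample log lines are constructed, and the user name `jsmith` and the function name `actions_for_user` are hypothetical.

```perl
use strict;
use warnings;

# Field positions in the IIS log file format, as listed in the answer above.
use constant { USER => 1, DATE => 2, TIME => 3, STATUS => 10, METHOD => 12, TARGET => 13 };

# Return (\@actions, $skipped): every request made by $wanted, in log order,
# plus the number of lines that were skipped because they did not parse.
sub actions_for_user {
    my ($fh, $wanted) = @_;
    my @actions;
    my $skipped = 0;
    while (my $line = <$fh>) {
        $line =~ s/\r?\n\z//;                 # logs written on Windows end in CRLF
        next if $line =~ /^\s*$/;             # ignore blank lines
        my @f = split /,\s*/, $line;
        # A line needs at least fields 0..13 and a numeric status code.
        if (@f < 14 || $f[STATUS] !~ /^\d+$/) { $skipped++; next; }
        next unless lc($f[USER]) eq lc($wanted);   # compare user names case-insensitively
        push @actions, {
            date   => $f[DATE],   time   => $f[TIME],
            method => $f[METHOD], target => $f[TARGET], status => $f[STATUS],
        };
    }
    return (\@actions, $skipped);
}

# Constructed sample lines in the layout shown above (not taken from a real server).
my $sample = <<'END';
192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SERVER, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -,
192.168.114.202, jsmith, 03/20/01, 7:56:02, W3SVC2, SERVER, 172.21.13.45, 310, 2048, 120, 201, 0, PUT, /uploads/report.doc, -,
192.168.114.202, JSmith, 03/20/01, 7:57:41, W3SVC2, SERVER, 172.21.13.45, 15, 140, 512, 404, 2, GET, /admin/, -,
this line is truncated, jsmith, 03/20/01
END

open my $fh, '<', \$sample or die "Cannot read sample data: $!";
my ($actions, $skipped) = actions_for_user($fh, 'jsmith');
close $fh;

# One line per request: date, time, method, target and status code.
printf "%s %s %-4s %s (%s)\n", @{$_}{qw(date time method target status)} for @$actions;
print "skipped $skipped malformed line(s)\n";
```

To run it against a real file, replace the in-memory handle with `open my $fh, '<', 'path/to/logfile.log'`.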
0

Log Parser 2.2:

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.

Mitch Wheat
  • I can't download anything on the server. I have to work with what I have at the moment. Perl on windows 2003 – Moe Feb 13 '11 at 01:56
  • download to your local box, and process the log there. – Mitch Wheat Feb 13 '11 at 02:05
  • I wish I could... I wrote a perl script that will run on the server itself for status report. the script emails the status report. I can't do that from my PC. it has to run on the server. – Moe Feb 13 '11 at 02:21
  • LogParser is Magic for parsing Windows Logs. If you're reinventing the wheel, good luck! It is also accessible via a nice API. You can almost certainly use it from Perl as well. – Erik A. Brandstadmoen Feb 28 '11 at 17:12
  • It's a trivial problem for perl to solve -- what exactly have you tried writing so far? – Chris J Aug 24 '11 at 14:56
  • @Chris J: who is your comment directed to? It's an old question.... – Mitch Wheat Aug 24 '11 at 14:59