Microsoft Log Parser is a great tool for parsing your IIS log files, but you will probably want something more usable than a command-line program: here comes the excellent tool provided by Lizard Labs, Log Parser Lizard GUI (free edition).
With this program you can query your IIS logs using a SQL-like syntax and export the results to Excel. Using Log Parser you can obtain almost any kind of information that is encapsulated in your IIS logs. For example, if you want to know how many HTTP requests (hits) a particular site on your web server has received since a certain date, you can run:
SELECT date AS Data, cs-username AS Utente, cs-uri-stem AS Url, COUNT(cs-uri-stem) AS Hits
FROM 'c:\YOUR_IIS_LOG_FOLDER\ex*.log'
WHERE (cs-uri-stem NOT LIKE '%.jpg' AND
cs-uri-stem NOT LIKE '%.gif' AND
cs-uri-stem NOT LIKE '%.css' AND
cs-uri-stem NOT LIKE '%.js' AND
cs-username IS NOT NULL AND
cs-uri-stem LIKE '%/YOURSITE/YOURFOLDER/%' AND
date >= '2009-01-01'
)
GROUP BY Data, Utente, cs-uri-stem
ORDER BY Data, Utente, Hits
As you can see, I have excluded several file extensions, because I am not interested in those kinds of files (note that Log Parser tests for an anonymous request with IS NOT NULL rather than a comparison against null). If you are interested in tracking only .aspx requests, modify the query accordingly.
Important searchable IIS log fields are described in this table:
Table 1: IIS Log Fields

| Field Name | Description | Uses |
|---|---|---|
| Date (date) | The date of the request. | Event correlation. |
| Time (time) | The UTC time of the request. | Event correlation, determine time zone, identify scanning scripts. |
| Client IP Address (c-ip) | The IP address of the client or proxy that sent the request. | Identify user or proxy server. |
| User Name (cs-username) | The user name used to authenticate to the resource. | Identify compromised user passwords. |
| Service Name (s-sitename) | The W3SVC instance number of the site accessed. | Can verify the site accessed if the log files are later moved from the system. |
| Server Name (s-computername) | The Windows host name assigned to the system that generated the log entry. | Can verify the server accessed if the log files are later moved from the system. |
| Server IP Address (s-ip) | The IP address that received the request. | Can verify the IP address accessed if the log files are later moved from the system or if the server is moved to a new location. |
| Server Port (s-port) | The TCP port that received the request. | To verify the port when correlating with other types of log files. |
| Method (cs-method) | The HTTP method used by the client. | Can help track down abuse of scripts or executables. |
| URI Stem (cs-uri-stem) | The resource accessed on the server. | Can identify attack vectors. |
| URI Query (cs-uri-query) | The contents of the query string portion of the URI. | Can identify injection of malicious data. |
| Protocol Status (sc-status) | The result code sent to the client. | Can identify CGI scans, SQL injection and other intrusions. |
| Win32 Status (sc-win32-status) | The Win32 error code produced by the request. | Can help identify script abuse. |
| Bytes Sent (sc-bytes) | The number of bytes sent to the client. | Can help identify unusual traffic from a single script. |
| Bytes Received (cs-bytes) | The number of bytes received from the client. | Can help identify unusual traffic to a single script. |
| Time Taken (time-taken) | The amount of server time, in milliseconds, taken to process the request. | Can identify unusual activity from a single script. |
| Protocol Version (cs-version) | The HTTP protocol version supplied by the client. | Can help identify older scripts or browsers. |
| Host (cs-host) | The contents of the HTTP Host header sent by the client. | Can determine if the user browsed to the site by IP address or host name. |
| User Agent (cs(User-Agent)) | The contents of the HTTP User-Agent header sent by the client. | Can help uniquely identify users or attack scripts. |
| Cookie (cs(Cookie)) | The contents of the HTTP Cookie header sent by the client. | Can help uniquely identify users. |
| Referer (cs(Referer)) | The contents of the HTTP Referer header sent by the client. | Can help identify the source of an attack or see if an attacker is using search engines to find vulnerable sites. |
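If you want to see what Log Parser is doing under the hood, or you need the same analysis on a machine without it, the W3C extended format is simple enough to parse by hand. The following is an added example written for this post, not code from Microsoft Log Parser, Lizard Labs or the original article: it reads the `#Fields:` directive to name the columns, reproduces the hits-per-date/user/URL query from above, and uses the `sc-status` and `c-ip` fields from the table to flag clients whose responses are mostly errors, a cheap indicator of a scanning script. The sample log and the `/intranet/reports/` folder are constructed for the demonstration.

```python
"""IIS W3C extended log reader plus two small analyses (added example, not part of the original post)."""
from collections import Counter
from datetime import date
from typing import Dict, Iterator, List, Tuple

# Constructed sample in IIS W3C extended format: '#Fields:' names the columns,
# values are space-separated and '-' marks an empty field (e.g. an anonymous user).
# The folder /intranet/reports/ and all addresses are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-02 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-win32-status
2009-03-02 08:00:01 10.0.0.5 GET /intranet/reports/default.aspx - 80 alice 10.0.1.20 Mozilla/4.0 200 0
2009-03-02 08:00:02 10.0.0.5 GET /intranet/reports/style.css - 80 alice 10.0.1.20 Mozilla/4.0 200 0
2009-03-02 08:00:03 10.0.0.5 GET /intranet/reports/logo.gif - 80 alice 10.0.1.20 Mozilla/4.0 200 0
2009-03-02 08:05:10 10.0.0.5 GET /intranet/reports/default.aspx - 80 alice 10.0.1.20 Mozilla/4.0 200 0
2009-03-02 09:12:44 10.0.0.5 GET /intranet/reports/export.aspx id=7 80 bob 10.0.1.21 Mozilla/4.0 200 0
2009-03-02 09:13:00 10.0.0.5 GET /intranet/reports/default.aspx - 80 - 10.0.1.99 curl/7.19 401 5
2009-03-02 09:13:01 10.0.0.5 GET /intranet/reports/admin.aspx - 80 - 10.0.1.99 curl/7.19 404 2
2008-12-31 23:59:59 10.0.0.5 GET /intranet/reports/default.aspx - 80 bob 10.0.1.21 Mozilla/4.0 200 0
2009-03-02 09:20:00 10.0.0.5 GET /intranet/other/page.aspx - 80 alice 10.0.1.20 Mozilla/4.0 200 0
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log row, keyed by the names from the most recent #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS writes a fresh #Fields line whenever the configured columns change.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # skip rows that do not match the header instead of mis-assigning columns
        yield dict(zip(fields, values))


EXCLUDED_EXTENSIONS = (".jpg", ".gif", ".css", ".js")


def hits_by_day_user_url(text: str, folder: str, since_iso: str) -> Counter:
    """Same result as the Log Parser query in the post: hits per (date, user, URL)."""
    since = date.fromisoformat(since_iso)
    counts: Counter = Counter()
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"]
        if stem.lower().endswith(EXCLUDED_EXTENSIONS):
            continue
        if row["cs-username"] == "-":  # '-' is how IIS logs an anonymous request
            continue
        if folder not in stem:
            continue
        if date.fromisoformat(row["date"]) < since:
            continue
        counts[(row["date"], row["cs-username"], stem)] += 1
    return counts


def error_share_by_client(text: str) -> Dict[str, Tuple[int, int]]:
    """Per client IP (c-ip): (total requests, requests whose sc-status is not 2xx)."""
    totals: Counter = Counter()
    errors: Counter = Counter()
    for row in parse_w3c(text):
        ip = row["c-ip"]
        totals[ip] += 1
        if not row["sc-status"].startswith("2"):
            errors[ip] += 1
    return {ip: (totals[ip], errors[ip]) for ip in totals}


def suspicious_clients(text: str, min_requests: int = 1, min_error_ratio: float = 0.5) -> List[str]:
    """Client IPs whose share of error responses is unusually high; worth a closer look."""
    flagged = []
    for ip, (total, errs) in error_share_by_client(text).items():
        if total >= min_requests and errs / total >= min_error_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for key, hits in sorted(hits_by_day_user_url(SAMPLE_LOG, "/intranet/reports/", "2009-01-01").items()):
        print(*key, hits)
    print("clients with mostly error responses:", suspicious_clients(SAMPLE_LOG))
```

On the sample, the query-equivalent returns two hits for alice on default.aspx and one for bob on export.aspx; the static files, the anonymous request, the 2008 entry and the request outside the folder are all dropped, exactly as the WHERE clause above would drop them. Raise `min_requests` on real logs so a single stray 404 does not get a client flagged.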
If you need more information about Log Parser's capabilities, consider visiting: http://www.securityfocus.com/infocus/1712