Many of Microsoft's best and most powerful utilities go almost unnoticed, and the Log Parser is certainly one of the best (and most overlooked). Log Parser 2.0 is a command-line program that allows a user or administrator to run SQL-like queries against log files of almost any format currently in use. The results can be reported to the console, to a flat text file or to a SQL/ODBC database. The program itself is free of charge.
Scanned logs can be in any of the following formats:
- All file formats supported by IIS 5.0 and above. This includes W3C Extended, IIS, IISMSID, NCSA Common, Binary Log File Format, Open Database Connectivity (ODBC), URLScan and HTTP error log files.
- The NT Event Log and EVT backup log files (including Event Logs in Windows 2000 and XP).
- Generic CSV files.
- Generic W3C files, such as Personal Firewall log files, Windows Media Services log files, and Exchange Tracking log files.
- File and directory structure information.
- Generic text files.
The syntax for using the Log Parser is essentially the standard SQL syntax, with each input source treated as a relational table. Each field is a table column with an appropriate auto-assigned data type (STRING, INTEGER, REAL or TIMESTAMP). Queries can either be passed on the command line or specified in a file. Log Parser also supports conversion between any of the above log types; a SQL log could be converted
Log Parser contains a number of unique and powerful features. The Multiplex feature allows multiple files to be used as either source or target tables; this allows, for instance, event log messages to be written out to different files according to the event source. It is also possible to take piped input from STDIN, but only by using the IISMSID log format:
type iis5.log | LogParser "SELECT * FROM STDIN" -i:IISMSID
This would pipe the file iis5.log into Log Parser using stdin as the SELECT...FROM table criterion.
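The following batch file is an added worked example, not part of the original article, showing the SQL-like query syntax, SELECT ... INTO output, multiplexing and format conversion described above as a security administrator would actually use them: hunting scanners and worm-style requests in IIS W3C Extended logs, pulling failed logons out of the Security event log, and splitting the System log into one CSV per event source. Log file paths, output names and the 404 threshold are placeholders. The switches, field names and functions (IISW3C and EVT input formats, CSV and NAT output, EXTRACT_TOKEN, TO_LOWERCASE, the '|'-separated Strings field) are those documented for Log Parser 2.2; confirm them against LogParser -h on the 2.0 build discussed here. The insertion-string positions for EventID 529 are the Windows 2000/XP layout and should be checked against the Message text on your own systems.

```batch
@echo off
REM Added example (not from the original article): Log Parser 2.x queries for
REM IIS W3C Extended logs and the NT Security/System event logs.
REM Note: inside a batch file a literal percent sign must be written as %%;
REM at an interactive cmd.exe prompt the LIKE patterns use a single %.

REM Placeholder path to the IIS site logs (W3C Extended, one file per day).
SET W3CLOGS=C:\WINNT\system32\LogFiles\W3SVC1\ex*.log

REM 1. Noisy scanners: any client that produced more than 50 HTTP 404s across
REM    all log files. SELECT ... INTO sends the result to a CSV file instead
REM    of the console; the threshold (50) is a placeholder to tune per site.
LogParser -i:IISW3C -o:CSV "SELECT c-ip, COUNT(*) AS Hits INTO scanners.csv FROM %W3CLOGS% WHERE sc-status = 404 GROUP BY c-ip HAVING COUNT(*) > 50 ORDER BY Hits DESC"

REM 2. Code Red / Nimda-style requests: cmd.exe or root.exe in the URL, or a
REM    '..' traversal sequence. TO_LOWERCASE makes the match case-insensitive;
REM    -o:NAT prints a plain table to the console.
LogParser -i:IISW3C -o:NAT "SELECT date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status FROM %W3CLOGS% WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%%cmd.exe%%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%%root.exe%%' OR cs-uri-stem LIKE '%%..%%'"

REM 3. Failed logons from the Security log (requires logon-event auditing).
REM    Windows 2000/XP numbering: 529 = unknown user name or bad password,
REM    539 = account locked out. The EVT input format exposes the event's
REM    insertion strings in the Strings field separated by '|'; for 529 the
REM    positions 0, 1 and 5 are user name, domain and workstation (assumed
REM    layout - verify against the Message text before relying on it).
LogParser -i:EVT -o:NAT "SELECT TimeGenerated, EventID, EXTRACT_TOKEN(Strings, 0, '|') AS TargetUser, EXTRACT_TOKEN(Strings, 1, '|') AS TargetDomain, EXTRACT_TOKEN(Strings, 5, '|') AS Workstation FROM Security WHERE EventID IN (529; 539) ORDER BY TimeGenerated DESC"

REM 4. Multiplexing: one CSV per event source. The wildcard in the INTO file
REM    name is replaced by the value of the first SELECT field (SourceName)
REM    for each record, and that field is consumed rather than written out.
IF NOT EXIST C:\events MKDIR C:\events
LogParser -i:EVT -o:CSV "SELECT SourceName, TimeGenerated, EventID, EventTypeName, Message INTO C:\events\*.csv FROM System"

REM 5. Format conversion: the same SELECT ... INTO with a different output
REM    format turns one day's W3C log into CSV for a spreadsheet or database.
LogParser -i:IISW3C -o:CSV "SELECT * INTO ex031201.csv FROM ex031201.log"
```

Query 1 is the cheapest first pass at a compromised or probed web server: a single address generating hundreds of 404s in an hour is almost always automated. Query 3 depends on the audit policy; if "Audit logon events" is not enabled the Security log will be empty and the query returns nothing, which is itself worth checking.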
Log Parser also ships as a COM-accessible DLL, so the same query engine can be driven from programming languages such as C++, Visual Basic or VBScript. A Web programmer could use Log Parser to build a Web-based front-end for analyzing a Web server's own logs. With Log Parser, this is possible without having to spend money on a third-party solution or write complicated homebrew data-mining code.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in December 2003