Need a way of parsing through data, such as Internet Information Services (IIS) log files, the Windows registry ... and Active Directory? The Log Parser 2.2 utility lets you query and sift through thousands of files and data sources.
Per Microsoft: "Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. You tell Log Parser what information you need and how you want it processed. The results of your query can be custom-formatted in text based output, or they can be persisted to more specialty targets like SQL, SYSLOG, or a chart."
The Log Parser tool is available as a command-line executable (LogParser.exe) and as a set of scriptable COM objects (LogParser.dll). The two binaries are independent from each other; if you want to use only one, you do not need to install the other file on your computer.
- Log Parser's built-in Input Formats can retrieve data from the following sources:
  - IIS log files (W3C, IIS, NCSA, Centralized Binary Logs, HTTP Error logs, URLScan logs, ODBC logs)
  - Windows Event Log
  - Generic XML, CSV, TSV and W3C-formatted text files (e.g. Exchange Tracking log files, Personal Firewall log files, Windows Media® Services log files, FTP log files, SMTP log files, etc.)
  - Windows registry
  - Active Directory objects
  - File and directory information
  - NetMon .cap capture files
  - Extended/Combined NCSA log files
  - ETW traces
  - Custom plug-ins (through a public COM interface)
- A SQL-like engine core processes the records generated by an Input Format, using a dialect of the SQL language that includes common SQL clauses (SELECT, WHERE, GROUP BY, HAVING, ORDER BY), aggregate functions (SUM, COUNT, AVG, MAX, MIN), and a rich set of functions (e.g. SUBSTR, CASE, COALESCE, REVERSEDNS, etc.); the resulting records are then sent to an Output Format.
- Output Formats are generic consumers of records; they can be thought of as SQL tables that receive the results of the data processing. Log Parser's built-in Output Formats can:
  - Write data to text files in different formats (CSV, TSV, XML, W3C, user-defined, etc.)
  - Send data to a SQL database
  - Send data to a SYSLOG server
  - Create charts and save them in either GIF or JPG image files
  - Display data to the console or to the screen
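As an added example (not from the article or from Microsoft's documentation), here is how those three pieces fit together for a web-server review: the IISW3C Input Format reads the site's log files, the SQL-like engine keeps only error responses and buckets them per client per hour, and the CSV Output Format writes the result to a report file. The log folder, the report path and the threshold of 50 errors per hour are assumptions made for the example; the field names (date, time, c-ip, sc-status) are among the default W3C fields IIS logs.

```batch
REM Added example, not from the article: IIS W3C log -> SQL-like engine -> CSV report.
REM Assumed paths: site logs under C:\inetpub\logs\LogFiles\W3SVC1\, report under C:\reports\.
REM The IISW3C Input Format reads every ex*.log in the folder and exposes the W3C
REM header fields as columns. TO_TIMESTAMP joins the date and time columns, QUANTIZE
REM rounds that timestamp down to the hour, and the GROUP BY counts 4xx/5xx responses
REM per client per hour. HAVING drops quiet clients so the report only lists the
REM hosts that generated 50 or more errors in a single hour (an arbitrary threshold).
LogParser -i:IISW3C -o:CSV "SELECT QUANTIZE(TO_TIMESTAMP(date, time), 3600) AS Hour, c-ip AS ClientIP, COUNT(*) AS Errors, MAX(sc-status) AS MaxStatus INTO C:\reports\errors-by-client.csv FROM C:\inetpub\logs\LogFiles\W3SVC1\ex*.log WHERE sc-status >= 400 GROUP BY Hour, ClientIP HAVING COUNT(*) >= 50 ORDER BY Errors DESC"
```

The whole query sits inside one pair of double quotes, so the `>=` comparison is not seen by cmd.exe as output redirection; string literals inside the query use single quotes. Swapping `-o:CSV` for `-o:NAT` prints the same rows to the console instead of writing the file.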
Log Parser is so powerful and flexible that a single article cannot cover everything it can do. When using the command-line executable, Log Parser works on commands supplied by the user. Each command has five components:
- The Input Format to use
- Optional parameters for the Input Format
- The Output Format to use
- Optional parameters for the Output Format
- The SQL query that processes the records generated by the Input Format and produces records for the Output Format
Microsoft provides the following Windows Event Log example in its documentation, but there are MANY potential uses for this tool:

```
C:\>LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM Security WHERE EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON
```
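The following is an added example, not from Microsoft's documentation, that labels each of the five components on a query a defender would actually run: which accounts and workstations are generating failed logons. It assumes a Windows 2000/2003 Security log, where a failed logon is recorded as event 529 and the event's message template lists User Name first and Workstation Name sixth (that ordering is what the EXTRACT_TOKEN indices rely on; check the layout on your own system). The report path and the threshold of 10 failures per hour are arbitrary choices for the example.

```batch
REM Added example, not from Microsoft's documentation: the five command components
REM applied to failed logons (Security event 529 on Windows 2000/2003).
REM
REM   1. Input Format:             -i:EVT           Windows Event Log
REM   2. Input Format parameter:   -resolveSIDs:ON  resolve SIDs to account names
REM   3. Output Format:            -o:CSV
REM   4. Output Format parameter:  -headers:ON      write a header row to the file
REM   5. SQL query:                the quoted text; FROM Security names the log to read
REM
REM The Strings field holds the event's replacement strings separated by '|'.
REM Assumed 529 layout: token 0 = target user name, token 5 = workstation name.
REM QUANTIZE rounds TimeGenerated down to the hour so the GROUP BY counts failures
REM per account, per source workstation, per hour; HAVING keeps only the busy ones.
LogParser -i:EVT -resolveSIDs:ON -o:CSV -headers:ON "SELECT QUANTIZE(TimeGenerated, 3600) AS Hour, ComputerName, EXTRACT_TOKEN(Strings, 0, '|') AS TargetUser, EXTRACT_TOKEN(Strings, 5, '|') AS Workstation, COUNT(*) AS Failures INTO C:\reports\failed-logons.csv FROM Security WHERE EventID = 529 GROUP BY Hour, ComputerName, TargetUser, Workstation HAVING COUNT(*) >= 10 ORDER BY Failures DESC"

REM Caveat when the command lives in a .bat file instead of being typed at the
REM prompt: cmd.exe expands %NAME% as an environment variable before Log Parser
REM ever sees the query, so the LIKE wildcards in Microsoft's example must be
REM doubled. The same query from the documentation, written batch-file safe:
LogParser -i:EVT -resolveSIDs:ON "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM Security WHERE EventID = 528 AND SID LIKE '%%TESTUSER%%'"
```

Event 528 in Microsoft's example is a successful logon, so the two commands answer complementary questions: the first surfaces accounts under repeated failed attempts, the second lists where and when a specific account logged on successfully. On Windows Vista and later the equivalent Security events carry different IDs and a different Strings layout, so both the `EventID` filter and the `EXTRACT_TOKEN` indices need to be revisited before reusing the query there.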
For more information on using the Log Parser utility, check out the following resources:
- Log Parser examples
- How Log Parser works
- Unofficial Log Parser support site
Inside the IIS Diagnostics Toolkit:

- How to install the Microsoft IIS Diagnostics Toolkit
- How to use SSL Diagnostics 1.0
- How to use Authentication and Access Control Diagnostics (AuthDiag) 1.0
- How to use Exchange Server SMTP Diagnostics 1.0
- How to use Log Parser 2.2
- How to use WFetch 1.4
- How to use Trace Diagnostics
- How to use Debug Diagnostics 1.0
About the author: Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment. He is also an independent consultant who specializes in the design, implementation and management of Windows networks.