Menu
I am trying to determine if a user downloaded a file from FTP using MS Log Parser 2.2
I have not been able to get parser SQL query going, although I have used several samples queries.
Water Down Parser Query does not work:
strSQL = "SELECT date,COUNT(*) AS downloads,c-ip "
strSQL = strSQL & "FROM C:\temp\Log\*.log "
strSQL = strSQL & "WHERE cs-method='RETR' "
strSQL = strSQL & "GROUP BY date,c-ip "
Error:
RecordSet cannot be used at this time [Unknown Error]
Question:
How do I create a query:
- SELECT Date and Time of download
- Where user = 'xxx'
- WHERE RETR = is a download
- WHERE Filename = u_ex150709.log or xxx
Answers in C# are also welcome
VB.net Code:
Dim rsLP As ILogRecordset = Nothing
Dim rowLP As ILogRecord = Nothing
Dim LogParser As LogQueryClassClass = Nothing
Dim W3Clog As COMW3CInputContextClassClass = Nothing
Dim UsedBW As Double = 0
Dim Unitsprocessed As Integer
Dim strSQL As String = Nothing
LogParser = New LogQueryClassClass()
W3Clog = New COMW3CInputContextClassClass()
Try
strSQL = "SELECT date,COUNT(*) AS downloads,c-ip "
strSQL = strSQL & "FROM C:\temp\Log\*.log "
strSQL = strSQL & "WHERE cs-method='RETR' "
strSQL = strSQL & "GROUP BY date,c-ip "
'run the query against W3C log
rsLP = LogParser.Execute(strSQL, W3Clog)
'Error occurs in the line below
rowLP = rsLP.getRecord()
490
Answer: Open the Log Parser command window, and use the following command: LOGPARSER "Select Text from C:\Filemon. log where Text like '%Access Denied%'" -i:TEXTLINE -q:OffWhat we are telling the Log Parser tool is to parse through each line (Text) from the given file (C:\Filemon.
The default installation is to a LogParser folder in \Program Files (x86). LogParser consists of an executable file and a DLL, and you may want to copy those to a folder in the environment path, such as %WinDir%\System32\.
Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.
Just like you I've written tools that leverage LogParser, eg http://eventanalyser.appointmentsbook.com/
Though back in 2004 (using .Net 1.1) I didn't have the benefit of downloading: https://visuallogparser.codeplex.com/
Check their source code, get your query working in it (VisualLogParser) and then simply reference it in your project and enjoy the open source community goodness.
As for your query regarding FTP leeching, here is the MSDN article: http://blogs.msdn.com/b/robert_mcmurray/archive/2010/09/02/detecting-ftp-leeches-with-logparser.aspx
SELECT date,COUNT(*) AS downloads,c-ip,x-session
FROM *.log
WHERE cs-method='RETR'
GROUP BY date,c-ip,x-session
HAVING COUNT(*) > 100
One thing does stand out about your query when looking at the one's I created a GUI to dynamically create, you're missing single quotes around the file path:
strSQL = strSQL & "FROM C:\temp\Log\*.log "
Try this:
strSQL = strSQL & "FROM 'C:\temp\Log\*.log' "
(and use a StringBuilder, not string concatenation... just to get in the habit of best practice)
As per:
If the quotes don't solve the problem first go, then try a single log file rather than the wildcard
*.logto narrow down on the syntax error. LogParser isn't designed to be helpful at diagnosing problem queries, instead Gabriele Giuseppini designed it to be fast, very fast!
180
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
