From: Garrett Bartley <garrett@smartechcorp.net>
To: analog-help@lists.isite.net
Date: Fri, 1 Nov 2002 13:50:46 -0500
Subject: [analog-help] Log formats for several log types
As promised, here are the log formats for several different server services
that I have successfully created with good results. I can make no guarantee
on any of these, but I can say that they have worked for me. Please
feel free to offer any corrections or improvements.
=============================================================================
Microsoft FTP Server
Sample log file line:
2002-10-31 15:33:33 207.32.96.139 user MSFTPSVC2 Server1 192.168.1.100 21 [2855]created filename.ext - 226 0 165340 1468
FTP - - - -
Log format:
LOGFORMAT "%Y-%m-%d %h:%n:%j %s %u %j %j %j [%j]%j %r - %C %b %b %t FTP - - - -"
Notes: This is with all logging turned on except for the Win32 status.
=============================================================================
Real Media Server
Sample log file line:
12.216.124.30 - - [31/Oct/2002:22:45:26 -0500] "GET dir/091202v1.rm RTSP/1.0" 200 23306141 [WinNT_5.0_6.0.9.380_play32_AOL8_en-US_UNK_axembed] [abc4fd5b-8b09-456b-9cdf-3e7fea4b705d] [Stat1: 8028 18 0 0 0 64_Kb
ps_Stereo_Music_-_RA8][Stat2: 64083 65987 0 0 0 18 18 0 0 0 50 64_Kbps_Stereo_Music_-_RA8] 77700425 1595 905 123 0 8581
Log format:
LOGFORMAT "%s %j %j [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b [%B] %j"
Notes:
This ignores the extra statistics at the end and just reports the basics.
=============================================================================
Serv-U FTP Server
Sample log file line:
[3] Tue 14May02 16:56:25 - (000037) Error sending file f:\filename.ext, aborting (3.09 Kb/sec - 487424 bytes, client closed data connection)
[4] Tue 30Apr02 14:52:54 - (000257) Received file f:\filename.ext successfully (29
.2 Kb/sec - 5651 bytes)
[3] Wed 01May02 23:18:53 - (000002) Sent file f:\filename.ext successfully (92.2 Kb/sec - 6893 bytes)
[5] Tue 30Apr02 10:29:18 - (000245) Connected to 216.136.171.204 (Local address 192.168.1.101)
Log format(s):
LOGFORMAT "[%j] %j %d%M%y %h:%n:%j - (%j) Error sending file %r, aborting (%j Kb/sec - %b bytes, %j %j)"
LOGFORMAT "[%j] %j %d%M%y %h:%n:%j - (%j) Received file %r successfully (%j Kb/sec - %b bytes)"
LOGFORMAT "[%j] %j %d%M%y %h:%n:%j - (%j) Sent file %r successfully (%j Kb/sec - %b bytes)"
LOGFORMAT "[%j] %j %d%M%y %h:%n:%j - (%j) Connected to %s (Local address 192.168.1.101)"
=============================================================================
Shoutcast (Old style logging)
Sample log file lines:
<08/18/02@04:25:49> [SHOUTcast] DNAS/win32 v1.8.0 (Jan 2 2001) starting up...
<08/18/02@04:25:49> [main] loaded config from C:\Program Files\SHOUTcast2\sc_serv_gui.ini
<08/18/02@04:25:49> [main] initializing (usermax:200 portbase:9191)...
<08/18/02@04:25:49> [main] No ban file found (sc_serv.ban)
<08/18/02@04:25:49> [main] No rip file found (sc_serv.rip)
<08/18/02@04:25:49> [main] opening source socket
<08/18/02@04:25:49> [main] source thread starting
<08/18/02@04:25:49> [main] opening client socket
<08/18/02@04:25:49> [source] listening for connection on port 9192
<08/18/02@04:25:49> [main] Client Stream thread [0] starting
<08/18/02@04:25:49> [main] client main thread starting
<08/18/02@04:25:49> [dest: 216.253.39.2] server unavailable, disconnecting
<08/18/02@04:25:58> [source] connected from 66.192.5.158
<08/18/02@04:25:58> [source] icy-name:NEWSRADIO 640 WGST (rush dr. laura kimmer) ; icy-genre:NEWS TALK
<08/18/02@04:25:58> [source] icy-pub:1 ; icy-br:24 ; icy-url:http://www.wgst.com
<08/18/02@04:25:58> [source] icy-irc:#shoutcast ; icy-icq:0 ; icy-aim:N/A
<08/18/02@04:25:59> [dest: 205.188.234.42] starting stream (UID: 0)[L: 1]
<08/18/02@04:25:59> [dest: 205.188.234.42] connection closed (0 seconds) (UID: 0)[L: 0]{Bytes: 16384}
<08/18/02@04:26:00> [yp_add] yp.shoutcast.com added me successfully
<08/18/02@04:28:59> [yp_tch] yp.shoutcast.com touched!
<09/11/02@12:08:25> [dest: 63.236.253.100] service full, disconnecting
Log format(s):
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [dest: %s] connection closed (%t seconds) (UID: %u)[L: %r]{Bytes: %b}
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [dest: %s] starting stream (UID: %j)[L: %j]
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [yp_tch] yp.shoutcast.com touched!
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [dest: %s] service full, disconnecting
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [SHOUTcast] DNAS/win32 v1.8.0 (Jan 2 2001) starting up...
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] loaded config from C:\Program Files\%j\sc_serv_gui.ini
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] initializing (usermax:%j portbase:%j)...
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] No ban file found (sc_serv.ban)
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] No rip file found (sc_serv.rip)
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] opening source socket
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] source thread starting
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] opening client socket
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [source] listening for connection on port %j
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] Client Stream thread [%j] starting
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [main] client main thread starting
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [dest: %s] server unavailable, disconnecting
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [source] connected from %j
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [source] icy-name:NEWSRADIO 640 WGST (rush dr. laura kimmer) ; icy-genre:NEWS TALK
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [source] icy-pub:1 ; icy-br:24 ; icy-url:http://www.wgst.com
LOGFORMAT "<%m/%d/%y@%h:%n:%j> [source] icy-irc:#shoutcast ; icy-icq:0 ; icy-aim:N/A
<%m/%d/%y@%h:%n:%j> [yp_add] yp.shoutcast.com added me successfully
=============================================================================
Shoutcast (New W3C style logging)
Sample log file lines:
#Fields: c-ip c-dns date time cs-uri-stem c-status cs(User-Agent) sc-bytes x-duration avgbandwidth
66.156.94.18 66.156.94.18 2002-09-14 22:38:34 /stream?title=Unknown 200 iTunes%2F3%2E0%20%28Macintosh%3B%20N%3B%20PPC%29 409600 86 38096
Log format(s):
LOGFORMAT "%s %S %Y-%m-%d %h:%n:%j %r %c %u %b %j %j"
=============================================================================
Microsoft Windows Media
Sample log file lines:
#Fields: c-ip date time c-dns cs-uri-stem c-starttime x-duration c-rate c-status c-playerid c-playerversion c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe c-hostexever c-os c-osversion c-cpu filelength filesize avgbandwidth protocol transport audiocodec videocodec channelURL sc-bytes c-bytes s-pkts-sent c-pkts-received c-pkts-lost-client c-pkts-lost-net c-pkts-lost-cont-net c-resendreqs c-pkts-recovered-ECC c-pkts-recovered-resent c-buffercount c-totalbuffertime c-quality s-ip s-dns s-totalclients s-cpu-util
203.40.128.205 2002-11-01 05:23:33 vincet mms://media.streamtoyou.com/cog/ISDN/OT_les06.asf 166 6 1 200 {CD48B822-BB6E-11D6-A01B-DD746EAE8C33} 6.4.7.1119 en-AU Mozilla/4.0_(compatible;_MSIE_6.0;_Windows_98;_YComp_5.0.0.0) http://www.ministerialtraining.org/VideoView.asp?ID=1&U=8&L=6&V=6&S=100 IEXPLORE.EXE 6.0.2600.0 Windows_98 4.10.0.2222 Pentium 1805 23113117 10638 mms UDP Windows_Media_Audio_V2 Microsoft_MPEG-4_Video_Codec_V3 - 15237 0 52 37 0 0 0 0 0 0 1 0 100 65.172.162.91 - 1 0
Log format(s):
LOGFORMAT (#%j: %j)
LOGFORMAT (%s%w%Y-%m-%d%w%h:%n:%j%w%S%w%r%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%B%w%f%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%b%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%j%w%v%w%j%w%j)
Notes: This is with all logging turned on except for the Win32 status.
=============================================================================
Microsoft SMTP
Note: Analog detects the log format automagically since it is very similar to IIS W3C logging.
=============================================================================
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
af2117b3d480cb88896677b7199e316e
>
files
>
252
