IIS W3C Log Format

328 views
Skip to first unread message

kamal

unread,
Aug 12, 2016, 6:50:25 PM8/12/16
to lnav
I am trying to create a format for IIS Web Server log files which are in the W3C format.

Here is my first stab at it but I am getting the following error:

error:iis_w3c.regex[default]:syntax error in subpattern name (missing terminator)
error:iis_w3c:invalid sample -- 2016-08-10 05:00:00 W3SVC1 SERVER1 192.168.101.100 GET /request.html - 80 - 192.168.102.100 HTTP/1.1 libwww-perl/6.05 - - www.example.com 200 0 0 566 267 124


{

"iis_w3c" : {
"title" : "IIS W3C log format",
"description" : "Log format used by IIS W3C",
"url" : "https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx",
"regex" : {
"default" : {
"pattern" : "^(?<timestamp>\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}) (?<s-sitename>\\S+) (?<s-computername>\\S+) (?<s-ip>\\S+) (?<cs-method>\\S+) (?<cs-uri-stem>\\S+) (?<cs-uri-query>\\S+) (?<s-port>\\S+) (?<cs-username>\\S+) (?<c-ip>\\S+) (?<cs-version>\\S+) (?<cs-useragent>\\S+) (?<cs-cookie>\\S+) (?<cs-referer>\\S+) (?<cs-host>\\S+) (?<sc-status>\\S+) (?<sc-substatus>\\S+) (?<sc-win32-status>\\S+) (?<sc-bytes>\\S+) (?<cs-bytes>\\S+) (?<time-taken>\\S+)$"
}
},
"timestamp-format" : ["%Y-%m-%d %H:%M:%S"],
"value" : {
"s-sitename" : {"kind" : "string"},
"s-computername" : {"kind" : "string"},
"s-ip" : {"kind" : "string"},
"cs-method" : {"kind" : "string"},
"cs-uri-stem" : {"kind" : "string"},
"cs-uri-query" : {"kind" : "string"},
"s-port" : {"kind" : "string"},
"cs-username" : {"kind" : "string"},
"c-ip" : {"kind" : "string", "identifier" : true },
"cs-version" : {"kind" : "string", "identifier" : true },
"cs-useragent" : {"kind" : "string", "identifier" : true },
"cs-cookie" : {"kind" : "string"},
"cs-referer" : {"kind" : "string"},
"cs-host" : {"kind" : "string", "identifier" : true },
"sc-status" : {"kind" : "string", "identifier" : true },
"sc-substatus" : {"kind" : "string"},
"sc-win32-status" : {"kind" : "string"},
"sc-bytes" : {"kind" : "string"},
"cs-bytes" : { "kind" : "string"},
"time-taken" : {"kind" : "string"}
},
"sample" : [
{
"line" : "2016-08-10 05:00:00 W3SVC1 SERVER1 192.168.101.100 GET /request.html - 80 - 192.168.102.100 HTTP/1.1 libwww-perl/6.05 - - www.example.com 200 0 0 566 267 124"
}
]
}
}

Thanks.
- kamal

Timothy Stack

unread,
Aug 12, 2016, 7:00:49 PM8/12/16
to kamal, lnav

It looks like the names you have for the capture groups have dashes in them, which I
don't think is allowed (e.g. s-sitename).  Try changing the dash to an underscore.

thanks,

tim


- kamal

--
You received this message because you are subscribed to the Google Groups "lnav" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lnav+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

kant...@gmail.com

unread,
Aug 12, 2016, 7:54:12 PM8/12/16
to lnav, kant...@gmail.com

Thanks that made it work.
- kamal
Reply all
Reply to author
Forward
0 new messages