aila2-filter: A tool to filter IIS log files by time-taken or uri-stem fields
Table of content
IIS log files can contain a lot of interesting data for various troubleshooting purposes, however given the number of Altiris applications running on IIS it can be very difficult to access the data that interest you quickly and efficiently.
aila2-filter, as a part of the aila2 tool kit  was designed to help in this specific case, with filtering options available on the cs-uri-stem, time-taken, cs-uri-query, c-ip and sc-status fields.
Usage: aila2-filter [options] Options: -f, --file The path to the IIS log file you want to filter. This field is optional. -t, --time-taken n Filter on request that are taking long n milli- seconds. This only works if the IIS schema contains the time-taken field. --type
The filter inclusion and / or exclusion string will be used against the specified column. If not specified we use the URI Stem. Here are the supported columns: ___________________________________________________ | Column | IIS field | Comment | |---------|--------------|--------------------------| | uri | cs-uri-stem | The requested file path | | param | cs-uri-query | Request parameters | | cip | c-ip | Client IP address | | status | sc-status | IIS status code | --------------------------------------------------- -i, --inclusion-filter "filter string" Filter the IIS log file to include all request that match the entries provided in the filter string. The filter string is a list of space seperated entries. Each entry will be checked against the uri-stem field and matching entries will be printed out. -x, --exclusion-filter "filter string" Filter the IIS log file to exclude all request that match the entries provided in the filter string. The filter string is a list of space seperated entries. Each entry will be checked against the uri-stem field and matching entries will not be printed out. -s, --short This option control the output formatting. If selected the output log file will only contain the following fields (and any other fields will be discarded): date time-taken cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus sc-win32-status time-taken If no file is specified the input will be read from the console (stdin). If no arguments are specified this help message will be shown, as we expect at least one of the 3 filters to be set (if you need to print a file to stdout you can use type) or the --short option. Note! The 3 filter are cascaded, which has some implication on what data will be displayed. Here is a detail explanation of the proceedings: Stage 1: time-taken entries are matched. If nothing is specified by the user we use 0 as base. Entries greater or equal to the specified time-taken are passed on to the next filtering level. Stage 2: exclusion entries are matched. Any match from the exclusion filter will not be printed out or passed on to the next level. If no exclusion filters are defined the entries are passed on to the next level. Stage 3: inclusion entries are matched. Any match from the inclusion filter will be printed to stdout, miss will be discarded. If inclusion filters are not defined all entries received at this level are printed to stdout. Samples: aila2-filter.exe -f u_ex131231.log -t 5000 -x "itemservices.aspx console.asmx" -i "console" This filter will display all console operations but the itemservices and web-services hits (that are generated by the browser and not indicative of user operation). aila2-filter.exe -f u_ex131231.log -i "inventoryrule postevent" This filter will output all post event data and inventory rule data to stdout aila2-filter.exe -f u_ex131231.log -t 10000 -x "altiris/ns/agent" > u_ex131231_5000ms.log Output all requests outside of the NS/Agent uri that took longer than .5 seconds to complete and write the output to file u_ex131231_5000ms.log.
I would like to provide additional samples but my own servers are not generating much or interest, and I can't share other data for confidentiality reasons.
If this tool proves to be useful for you, or if you want to report bugs or ask for features, please add a comment below (real life short samples are more than welcome).
2014-01-07, Version 1 release.
File name: aila2-filter.exe
SHA256 hash: 928b60f7c51cb29e5f190a66ef7f9d5c48033d7adcfb83e51985dd38b0e5bc3e
Note: this is the base release. It includes filters and output control options, but only supports 2 fields for filtering (cs-uri-stem and time-taken).
2014-03-07, Version 2 release.
File name: aila2-filter.exe
SHA256 hash: d6edc44903a81a7279739a2d6959f89f051bfac8ed9d63b80fa03c7eb51153bf
This release introduced a large number of new filters and code refactoring. The filter column are now extented to cs-uri-query, sc-status and c-ip.