aila2-filter: A tool to filter IIS log files by time-taken or uri-stem fields

Created: 07 Jan 2014 • Updated: 07 Mar 2014

Introduction:

IIS log files can contain a lot of interesting data for various troubleshooting purposes. However, given the number of Altiris applications running on IIS, it can be very difficult to get to the data that interests you quickly and efficiently.

aila2-filter, as part of the aila2 tool kit [1], was designed to help in this specific case, with filtering options available on the cs-uri-stem, time-taken, cs-uri-query, c-ip and sc-status fields.

Usage:

Usage: aila2-filter [options]

Options:

    -f, --file      The path to the IIS log file you want to filter. This
                    field is optional.

    -t, --time-taken n  Filter on requests that take n milliseconds or
                    longer. This only works if the IIS schema contains
                    the time-taken field.

    --type      The filter inclusion and / or exclusion string will be
                    used against the specified column. If not specified we
                    use the URI Stem. Here are the supported columns:
                   ___________________________________________________
                  | Column  | IIS field    |  Comment                 |
                  |---------|--------------|--------------------------|
                  | uri     | cs-uri-stem  |  The requested file path |
                  | param   | cs-uri-query |  Request parameters      |
                  | cip     | c-ip         |  Client IP address       |
                  | status  | sc-status    |  IIS status code         |
                   ---------------------------------------------------

    -i, --inclusion-filter "filter string"

                    Filter the IIS log file to include all requests that
                    match the entries provided in the filter string. The
                    filter string is a list of space separated entries.
                    Each entry will be checked against the uri-stem field
                    and matching entries will be printed out.

    -x, --exclusion-filter "filter string"

                    Filter the IIS log file to exclude all requests that
                    match the entries provided in the filter string. The
                    filter string is a list of space separated entries.
                    Each entry will be checked against the uri-stem field
                    and matching entries will not be printed out.

    -s, --short     This option controls the output formatting. If selected
                    the output log file will only contain the following
                    fields (and any other fields will be discarded):

                            date
                            time-taken
                            cs-method
                            cs-uri-stem
                            cs-uri-query
                            cs-username
                            c-ip
                            sc-status
                            sc-substatus
                            sc-win32-status
                            time-taken

If no file is specified the input will be read from the console (stdin).

If no arguments are specified this help message will be shown, as we expect at least one of the 3 filters or the --short option to be set (if you only need to print a file to stdout you can use the type command).

Note! The 3 filters are cascaded, which has some implications for what data will be displayed. Here is a detailed explanation of the process:

    Stage 1: time-taken entries are matched. If nothing is specified by the user we use 0 as base. Entries greater than or equal to the specified time-taken are passed on to the next filtering level.

    Stage 2: exclusion entries are matched. Any match from the exclusion filter will not be printed out or passed on to the next level. If no exclusion filters are defined the entries are passed on to the next level.

    Stage 3: inclusion entries are matched. Any match from the inclusion filter will be printed to stdout; misses will be discarded. If inclusion filters are not defined, all entries received at this level are printed to stdout.
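
The three-stage cascade described above, sketched in Python as an added example (this is not the aila2-filter source). It assumes case-insensitive substring matching and raises an error when a time-taken threshold is requested but the schema lacks that field; the log lines and the function name are constructed for illustration.

```python
# Column names from the --type table, mapped to their IIS W3C fields.
COLUMNS = {"uri": "cs-uri-stem", "param": "cs-uri-query",
           "cip": "c-ip", "status": "sc-status"}

# Constructed sample log (not real server data).
SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2013-12-31 10:00:01 GET /Altiris/Console/Default.aspx - 192.0.2.5 200 6200
2013-12-31 10:00:02 POST /Altiris/Console/itemservices.aspx - 192.0.2.5 200 7100
2013-12-31 10:00:03 POST /Altiris/NS/Agent/PostEvent.aspx - 192.0.2.9 200 12000
2013-12-31 10:00:04 GET /Altiris/Console/Default.aspx - 192.0.2.6 200 150
2013-12-31 10:00:05 GET /Altiris/NS/Agent/GetPolicies.aspx - 192.0.2.9 500 300
""".splitlines()


def cascade_filter(lines, min_time=0, exclude="", include="", column="uri"):
    """Return the log entries that survive the three stages, in order."""
    field = COLUMNS[column]
    excl = exclude.lower().split()   # space separated entries
    incl = include.lower().split()
    names, kept = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            names = line.split()[1:]   # the schema may change mid-file
            continue
        if not line or line.startswith("#") or not names:
            continue
        row = dict(zip(names, line.split(" ")))
        # Stage 1: keep entries with time-taken >= min_time (0 keeps all).
        if "time-taken" in row:
            if int(row["time-taken"]) < min_time:
                continue
        elif min_time > 0:
            raise ValueError("time-taken is not in the log schema")
        value = row.get(field, "").lower()   # assumption: case-insensitive
        # Stage 2: any exclusion match drops the entry.
        if any(e in value for e in excl):
            continue
        # Stage 3: if inclusion entries exist, only matches are kept.
        if incl and not any(i in value for i in incl):
            continue
        kept.append(line)
    return kept

if __name__ == "__main__":
    # Mirrors: -t 5000 -x "itemservices.aspx console.asmx" -i "console"
    print(cascade_filter(SAMPLE, 5000, "itemservices.aspx console.asmx", "console"))
```

Because exclusion runs before inclusion, an entry matching both filters is dropped, as the itemservices.aspx line shows here.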

Samples:

    aila2-filter.exe -f u_ex131231.log -t 5000 -x "itemservices.aspx console.asmx" -i "console"

    This filter will display all console operations but the itemservices and web-services hits (that are generated by the browser and not indicative of user operation).

    aila2-filter.exe -f u_ex131231.log -i "inventoryrule postevent"

    This filter will output all post event data and inventory rule data to stdout.

    aila2-filter.exe -f u_ex131231.log -t 10000 -x "altiris/ns/agent" > u_ex131231_5000ms.log

    Output all requests outside of the NS/Agent uri that took longer than .5 seconds to complete and write the output to file u_ex131231_5000ms.log.


I would like to provide additional samples but my own servers are not generating much of interest, and I can't share other data for confidentiality reasons.

If this tool proves to be useful for you, or if you want to report bugs or ask for features, please add a comment below (real life short samples are more than welcome).

Document history:

2014-01-07, Version 1 release.

File name: aila2-filter.exe

SHA256 hash: 928b60f7c51cb29e5f190a66ef7f9d5c48033d7adcfb83e51985dd38b0e5bc3e

Note: this is the base release. It includes filters and output control options, but only supports 2 fields for filtering (cs-uri-stem and time-taken).

2014-03-07, Version 2 release.

File name: aila2-filter.exe

SHA256 hash: d6edc44903a81a7279739a2d6959f89f051bfac8ed9d63b80fa03c7eb51153bf

This release introduced a large number of new filters and code refactoring. The filter columns are now extended to cs-uri-query, sc-status and c-ip.

References

[1] aila2: Version 1 Full Package with Installation and Execution Scripts
