Lead Image © Thomas Lammeyer, Fotolia.com

Evaluating logfiles with Microsoft Log Parser Studio

Clear View

Article from ADMIN 23/2014
By
Microsoft's free Log Parser Studio tool offers a single view for analyzing the logfiles of Windows systems and services.

Windows systems record status messages in the event log, and some application servers, such as Internet Information Server (IIS) or the Exchange Server, also log event data to text files. You can use the free Microsoft Log Parser Studio tool to monitor and analyze these event logs on Microsoft systems.

Log Parser Studio [1], which is available as a free download on the Microsoft TechNet website, is a graphical front end for the Log Parser command-line tool. Together, these two programs form a useful toolbox for querying large amounts of structured data. The typical intended purpose is analyzing the logs from systems such as the IIS, Microsoft Exchange ActiveSync, Exchange Web Services (EWS), or Outlook Web Access (OWA).

Installation under .NET

.NET Framework 4.x and Log Parser 2.2 [2] form the basis for Log Parser Studio. The latter is a universal tool of just a few megabytes that can analyze both text-based sources (logs, XML, or CSV files) and structured sources such as Windows' own event logs. Microsoft has had this tool in its portfolio for a long time, which is why its website officially lists only Windows 2000, Windows XP, and Windows Server 2003 as supported systems. However, the tool also works perfectly with current operating systems from Redmond. Installation is quick: Run the MSI package, accept the license terms, choose the Complete installation type, and start the setup process, which completes in just a few seconds.

Log Parser Studio, the graphical front end for the parser, does not need to be installed; you simply unpack it. To do so, download the ZIP archive, extract the contents to, for example, C:\Program Files (x86)\Log Parser Studio 2, and start the application by double-clicking LPS.exe. Studio automatically finds the Log Parser installation, so it can be used right away.

Out of the box, Log Parser Studio provides a library of more than 180 queries for different use cases (Figure 1). By default, these are stored in the program directory in the LPSV2Library.XML file. Additional user-defined queries are also saved in this file. If multiple users work independently with Log Parser Studio and are not supposed to overwrite each other's work, you are advised to change the database location from the outset. Go to the Options | Preferences menu and activate the Store library in AppData folder for UAC compatibility option in the following dialog. The database for each user will then be filed under %userprofile%\AppData\Roaming\ExLPT\Log Parser Studio.

Figure 1: Log Parser Studio provides numerous queries for different use cases.

Unfortunately, Log Parser Studio does not indicate that the application needs to be restarted. On the next start, Studio displays an error message indicating that the library cannot be found in this path. Ignore this message and cancel the search for a library. Log Parser Studio will then automatically create an empty LPSV2Library.XML in the user profile. With the Help | Recover library command, you can restore the queries that shipped with the product.

Log Parser Studio 1 Update

If you are already using the first version of Log Parser Studio and have modified or created new queries in it, you can continue to use those queries in version 2. To begin, select the queries in the old version that you want to migrate, and select File | Export | Library as .XML in the menu. Then, save the XML file in the Log Parser Studio 2 program directory. In my tests, I was able to import customized queries into the new version immediately. To avoid problems, you should update the queries to the format of the current Log Parser Studio version before importing them.

To do this, open the new Log Parser Studio program directory. Drag and drop the XML file with the exported queries onto the ConvertLib.exe application. The tool writes the converted queries into a new file and adds the _converted string to its name. Import this file into Log Parser Studio using the File | Import | .XML to library command. The Query Import window will appear, in which you can select one or more queries to import. Caution is required here: The Replace Now button not only overwrites existing queries of the same name (as you might expect) but also completely replaces the existing library. All existing queries are discarded. Choosing the Merge Now button instead adds the selected queries to the library and keeps all existing queries.

Evaluating Event Logs

Queries are categorized by type according to their names; thus, all queries whose names start with EVENTS evaluate the event log. Double-clicking the EVENTS: count errors and warnings every 24 hours entry opens the appropriate query in a separate tab. At the bottom, you will see the query's code. The top of the window is initially empty. If you click the second button from the left below the menubar (the exclamation mark in a red circle), the query is run against the local system. A table showing the errors and warnings in the Application event log for each day appears in the output window.

The queries are based on Transact-SQL and can, with appropriate knowledge, be adapted to your own needs [3]. To modify an existing query, click the lock icon in the toolbar above the code editor. The code is then released for editing. With altered FROM and WHERE clauses, you can, for example, evaluate the Security event log for failed logins. To do so, search for event ID 529 on systems up to Windows Server 2003. On newer systems, from Windows Server 2008 onward, event ID 4625 delivers the desired result:

SELECT QUANTIZE(TimeGenerated, 86400) AS Day, COUNT(*) AS [Logons]
FROM SECURITY
WHERE EventID = 4625
GROUP BY Day
ORDER BY Day ASC
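A daily total tells you that failures happened, not where they came from. The same Security log can be broken down by targeted account and source address, which is what you need to tell a user mistyping a password apart from one host repeatedly hitting one account. The following query is an added example, not from the original article or from Microsoft's query library. It assumes the standard insertion-string order of event 4625 in Log Parser's pipe-separated Strings field (token 5 is the target user name, token 19 the source network address), so check the token indices against the Message column on your own system before relying on them; the threshold of 10 per day is an arbitrary placeholder.

```sql
/* Added example, not from the article or the LPS library:
   failed logons (event 4625) per day, per target account and source address.
   Assumption: standard 4625 insertion-string order, token 5 = target user name,
   token 19 = source network address; verify against the Message column.
   The threshold of 10 is a placeholder to tune for your environment. */
SELECT QUANTIZE(TimeGenerated, 86400) AS Day,
       EXTRACT_TOKEN(Strings, 5, '|') AS TargetUser,
       EXTRACT_TOKEN(Strings, 19, '|') AS SourceAddress,
       COUNT(*) AS FailedLogons
FROM SECURITY
WHERE EventID = 4625
GROUP BY Day, TargetUser, SourceAddress
HAVING COUNT(*) >= 10
ORDER BY FailedLogons DESC
```

Paste the query into a new Studio tab with the log type set to EVT, or run the same text unchanged from the command line with LogParser.exe -i:EVT if you want to schedule it. Because the result has four columns, drag FailedLogons into the second position before charting it. On Windows Server 2003 and earlier, substitute EventID = 529; the insertion strings of that event are laid out differently, so the token indices must be checked again there.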

Log Parser Studio gives you a basic graphical representation. This uses the first two columns of a table, but only works if the second column of this table contains numeric values. The first column can be of any type. For multicolumn tables, you can subsequently drag and drop the column to be evaluated to the second position. Then, in the button bar, if you click the fourth icon from the right, you will see a visualization of the values as a graph (Figure 2).

Figure 2: Log Parser Studio supports graphical analysis of tables, for example, as bar charts.

By default, the output is a bar chart. You can choose from other display types via the drop-down box in the menubar of the window. Additionally, more complex tables can be exported using the fourth icon from the left (the right arrow on a green background) for further processing in Excel as a CSV file.
