Evaluating logfiles with Microsoft Log Parser Studio
Batch Processing and PowerShell
Via the batch manager, you can run multiple queries in parallel in multithreading mode; this is useful if a large amount of data needs to be processed. If you prefer to execute the queries sequentially for performance reasons, check the fourth box, Run batched queries, in the Options | Preferences menu. Then, highlight the desired queries in the library, right-click to open the shortcut menu, and choose Add to batch. You can then start batch processing via the ! icon or by pressing Execute in the batch manager. One constraint is that all batch queries work on the same set of logfiles; unfortunately, it is impossible to assign different input data to individual queries.
As an alternative to interactive execution in Log Parser Studio, you can also export queries as PowerShell scripts, using the first icon from the right, and thus run them even on systems without Log Parser Studio. The only requirement is that the Log Parser command-line tool is installed. However, when exporting, the [LOGFILEPATH] variable is resolved, and the names of the files activated in the Log File Manager end up in the script.
Thus, you should configure a folder rather than individual files before exporting, so that a path with a wildcard is written to the script. The script can then be transferred more easily to another system and will work regardless of the actual file names in the log directory. A further peculiarity is that an exported query writes its output by default to the Documents profile folder of the executing user. If you want to change this, call the script with the -OutFile switch:
.\hostnames.ps1 -OutFile c:\temp\hostnames.csv
This way, you can set up Log Parser queries as scheduled tasks and execute them automatically.
Evaluating Exchange Logs
The differences between IIS and Exchange are not huge, because Exchange's Client Access server (CAS) role is based on IIS. Accordingly, you can track down the activities of Outlook Web Access, Exchange Web Services, and ActiveSync on the CAS with the logs in the C:\inetpub\logs\LogFiles\W3SVC1 path. For ActiveSync access only, you can try a variant of the browser query, grouped by client platform (Listing 2). Note that strcnt counts occurrences, so the comparison with 1 only matches user agents that contain the keyword exactly once.
Listing 2
Access by ActiveSync Client
SELECT
    CASE strcnt(cs(user-agent),'iPhone') WHEN 1 THEN 'iPhone' ELSE
    CASE strcnt(cs(user-agent),'iPad') WHEN 1 THEN 'iPad' ELSE
    CASE strcnt(cs(user-agent),'SAMSUNG') WHEN 1 THEN 'Samsung' ELSE
    CASE strcnt(cs(user-agent),'Android') WHEN 1 THEN 'Android variant' ELSE 'Other'
    END END END END AS DeviceType,
    cs-uri-stem AS Vdir,
    COUNT(cs(User-Agent)) AS Hits
FROM '[LOGFILEPATH]'
WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%'
GROUP BY DeviceType, Vdir
ORDER BY Hits DESC
In addition to statistical analysis in normal operation, Log Parser Studio is also a great help if you have an Exchange Server with a high CPU load or excessive data growth on the log partition of a database. Such symptoms can be triggered by a single faulty ActiveSync client. A well-known example was a now-fixed bug in Apple iOS 6.1, with which a single iPhone was capable of flooding the log partition [5].
If the error is known, in this case an exception of type WrongObjectTypeException, Log Parser Studio delivers the culprit (Listing 3). Even without knowing the error text, however, you can identify rogue ActiveSync clients. If a log partition fills up in a short time without obvious growth of the associated database, you will often see massive ActiveSync access by a single client at the same time (Listing 4).
Listing 3
Searching for the Error Source
SELECT cs-username AS User, MyDeviceId AS DeviceId, COUNT(*) AS Hits
USING EXTRACT_VALUE(cs-uri-query,'DeviceId') AS MyDeviceId
FROM '[LOGFILEPATH]'
WHERE cs-uri-query LIKE '%Error:WrongObjectTypeException%'
GROUP BY DeviceId, User
ORDER BY Hits DESC
Listing 4
Top 10 ActiveSync Users
SELECT TOP 10 cs-username AS UserID, cs(User-Agent) AS DeviceType, cs-uri-stem AS Vdir, c-ip AS Client, COUNT(*)
FROM '[LOGFILEPATH]'
WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%'
GROUP BY UserID, DeviceType, Vdir, Client
ORDER BY COUNT(*) DESC
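To show what Listings 3 and 4 compute, and to run the same checks where Log Parser is not installed, here is an added Python example (not from the article or from Log Parser Studio) that parses a constructed IIS W3C log excerpt and reproduces both aggregations. The field list, user names, DeviceIds and IP addresses are constructed assumptions.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C log from an Exchange CAS (not real data).
# IIS replaces spaces inside fields such as cs(User-Agent) with '+', so
# splitting each record on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2013-02-10 08:00:01 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=ABC123&Log=Error:WrongObjectTypeException contoso\\alice 10.0.0.5 Apple-iPhone5C1/1001.525 500
2013-02-10 08:00:02 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=ABC123&Log=Error:WrongObjectTypeException contoso\\alice 10.0.0.5 Apple-iPhone5C1/1001.525 500
2013-02-10 08:00:03 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=ABC123&Log=Error:WrongObjectTypeException contoso\\alice 10.0.0.5 Apple-iPhone5C1/1001.525 500
2013-02-10 08:00:04 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=bob&DeviceId=DEF456 contoso\\bob 10.0.0.6 Android/4.1-EAS-1.3 200
2013-02-10 08:00:05 GET /owa/ - contoso\\carol 10.0.0.7 Mozilla/5.0+(Windows+NT+6.1) 200
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive carries the column names
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated records
                rows.append(dict(zip(fields, values)))
    return rows


def top_activesync_clients(rows, n=10):
    """Listing 4 in Python: hits per (user, user agent, vdir, client IP), busiest first."""
    hits = Counter(
        (r["cs-username"], r["cs(User-Agent)"], r["cs-uri-stem"], r["c-ip"])
        for r in rows if "Microsoft-Server-ActiveSync" in r["cs-uri-stem"]
    )
    return hits.most_common(n)


def error_sources(rows, error="WrongObjectTypeException"):
    """Listing 3 in Python: which (user, DeviceId) pairs raise the given error."""
    hits = Counter()
    for r in rows:
        query = r["cs-uri-query"]
        if f"Error:{error}" not in query:
            continue
        # same job as EXTRACT_VALUE(cs-uri-query,'DeviceId') in Log Parser
        device = parse_qs(query).get("DeviceId", ["-"])[0]
        hits[(r["cs-username"], device)] += 1
    return hits.most_common()


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for key, count in top_activesync_clients(rows):
        print(count, *key)
    for key, count in error_sources(rows):
        print(count, *key)
```

In the sample, the single iPhone behind user alice produces three erroring requests, the same signal the two listings surface on a real log partition.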
High CPU load on the CAS can also be caused by ActiveSync [6]. With Log Parser Studio, you can identify the client to renew its Exchange configuration or, in the most extreme case, to reset the device to the factory settings.
Conclusions
Microsoft's Log Parser Studio is a useful free tool for admins. Of course, the tool might not be able to replace central log collection and analysis systems. Even so, it makes your first steps in this field easier and helps to ensure a rapid response in the event of a fault. The prefabricated queries and numerous examples on the web already cover many practical cases. With a pinch of SQL expertise [7], you can easily modify these and develop your own queries.
Infos
- [1] Log Parser Studio download: http://gallery.technet.microsoft.com/office/Log-Parser-Studio-cd458765
- [2] Log Parser 2.2 download: http://www.microsoft.com/en-us/download/details.aspx?id=24659
- [3] Creating Log Parser queries: http://blogs.technet.com/b/karywa/archive/2013/06/05/log-parser-studio-write-your-first-query-in-less-than-30-seconds.aspx
- [4] Analyzing IIS files in Log Parser: http://blogs.msdn.com/b/carlosag/archive/2010/03/25/analyze-your-iis-log-files-favorite-log-parser-queries.aspx
- [5] Log data flood with Apple iOS device: http://support.microsoft.com/kb/2814847/en-us
- [6] High CPU load through ActiveSync: http://support2.microsoft.com/kb/2711053/en-us
- [7] Transact-SQL: http://msdn.microsoft.com/en-us/library/bb510741.aspx