Evaluating logfiles with Microsoft Log Parser Studio

Clear View

Batch Processing and PowerShell

Via the batch manager, you can run multiple queries in parallel in multithreading mode; this is useful if a large amount of data needs to be processed. If you prefer to execute the queries sequentially for performance reasons, check the fourth box, Run batched queries, in the Options | Preferences menu. Then, highlight the desired queries in the library, right-click to open the shortcut menu, and choose Add to batch. You can then start batch processing via the ! icon or by pressing Execute in the batch manager. One constraint is that all batch queries work on the same set of logfiles; unfortunately, it is impossible to assign different input data to individual queries.

As an alternative to interactive execution in Log Parser Studio, you can also export queries as PowerShell scripts, using the first icon from the right, and thus even run them on systems without Log Parser Studio. The only requirement is that the Log Parser command-line tool is installed. However, when exporting, the [LOGFILEPATH] variable is resolved, and the names of the files activated in the Log File Manager end up in the script.

Thus, you should configure a folder before exporting instead of individual files, so that a path with a wildcard is written to the script. With this, the script can be transferred more easily to another system and will work regardless of the actual file names in the log directory. A further peculiarity is that an exported query writes its output by default to the Documents profile folder of the executing user. If you want to change this, call the script with the -OutFile switch:

.\hostnames.ps1 -OutFile c:\temp\hostnames.csv

This way, you can set up Log Parser queries as scheduled tasks and execute them automatically.

Evaluating Exchange Logs

The differences between IIS and Exchange are not huge, because Exchange's Client Access server (CAS) role is based on IIS. Accordingly, you can track down the activities of Outlook Web Access, Exchange Web Services, and ActiveSync on the CAS with the logs in the C:\inetpub\logs\LogFiles\W3SVC1 path. For ActiveSync access only, you can try a variant of the browser query, sorted by client platform (Listing 2).

Listing 2

Access by ActiveSync Client

SELECT
  CASE strcnt(cs(user-agent),'iPhone') WHEN 1 THEN 'iPhone' ELSE
  CASE strcnt(cs(user-agent),'iPad') WHEN 1 THEN 'iPad' ELSE
  CASE strcnt(cs(user-agent),'SAMSUNG') WHEN 1 THEN 'Samsung' ELSE
  CASE strcnt(cs(user-agent),'Android') WHEN 1 THEN 'Android variant' ELSE 'Other'
  END END END END AS DeviceType, cs-uri-stem AS Vdir, Count(cs(User-Agent)) AS Hits
FROM '[LOGFILEPATH]'
WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%'
GROUP BY DeviceType, Vdir
ORDER BY Hits DESC

In addition to statistical analysis in normal operation, Log Parser Studio is also a great help if you have an Exchange Server with a high CPU load or excessive data growth on the log partition of a database. Such symptoms can be triggered by a single faulty ActiveSync client. A well-known example was a now-fixed bug in Apple iOS 6.1, with which a single iPhone was capable of flooding the log partition [5].

If the error is known, in this case an exception of type WrongObjectTypeException, Log Parser Studio delivers the culprit (Listing 3). Even without knowledge of the error text, however, you can identify rogue ActiveSync clients. If a log partition fills up in a short amount of time, without obvious growth of the associated database, you will often see massive ActiveSync access by a client at the same time (Listing 4).

Listing 3

Searching for the Error Source

SELECT cs-username AS User, MyDeviceId AS DeviceId, COUNT(*) AS Hits
USING EXTRACT_VALUE(cs-uri-query,'DeviceId') AS MyDeviceId
FROM '[LOGFILEPATH]'
WHERE cs-uri-query LIKE '%Error:WrongObjectTypeException%'
GROUP BY DeviceId, User
ORDER BY Hits DESC

Listing 4

Top 10 ActiveSync Users

SELECT TOP 10 cs-username AS UserID, cs(User-Agent) AS DeviceType, cs-uri-stem AS Vdir, c-ip AS Client, COUNT(*) AS Hits
FROM '[LOGFILEPATH]'
WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%'
GROUP BY UserID, DeviceType, Vdir, Client
ORDER BY Hits DESC
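To make the logic of Listings 2, 3 and 4 concrete without a Windows box and Log Parser at hand, here is an added Python example (not code from the article or from Log Parser Studio) that reads IIS W3C log lines and applies the same three evaluations: device-type breakdown per ActiveSync virtual directory, hits per user and DeviceId for a given error string, and the top ActiveSync clients. The log sample is constructed; the field names follow the IIS W3C format, and the user names, device IDs, IP addresses and user agents are made up.

```python
"""Pure-Python equivalents of Listings 2-4 over IIS W3C log lines.

Added example, not part of the original article. SAMPLE_LOG is constructed
test data; IIS writes spaces inside a field (e.g. User-Agent) as '+', so
every field is one whitespace-free token and str.split() is sufficient.
"""
from collections import Counter
from urllib.parse import parse_qs

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2019-05-01 08:00:01 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=APL001&DeviceType=iPhone contoso\\alice 10.0.0.5 Apple-iPhone9C1/1501.530 200
2019-05-01 08:00:07 /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=alice&DeviceId=APL001&DeviceType=iPhone contoso\\alice 10.0.0.5 Apple-iPhone9C1/1501.530 200
2019-05-01 08:01:12 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=bob&DeviceId=APL002&DeviceType=iPad contoso\\bob 10.0.0.6 Apple-iPad6C3/1501.530 200
2019-05-01 08:01:40 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=carol&DeviceId=SAM001&DeviceType=SAMSUNGSMG950F contoso\\carol 10.0.0.7 Android/7.0-EAS-1.3+SAMSUNG-SM-G950F 200
2019-05-01 08:02:03 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=dave&DeviceId=AND001&DeviceType=Android contoso\\dave 10.0.0.8 Android/8.0-EAS-2.0 200
2019-05-01 08:02:30 /owa/ - contoso\\alice 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) 200
2019-05-01 08:03:01 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=eve&DeviceId=APL003&DeviceType=iPhone&Log=Error:WrongObjectTypeException contoso\\eve 10.0.0.9 Apple-iPhone5C2/1002.141 500
2019-05-01 08:03:02 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=eve&DeviceId=APL003&DeviceType=iPhone&Log=Error:WrongObjectTypeException contoso\\eve 10.0.0.9 Apple-iPhone5C2/1002.141 500
2019-05-01 08:03:03 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=eve&DeviceId=APL003&DeviceType=iPhone&Log=Error:WrongObjectTypeException contoso\\eve 10.0.0.9 Apple-iPhone5C2/1002.141 500
2019-05-01 08:03:04 /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=eve&DeviceId=APL003&DeviceType=iPhone&Log=Error:WrongObjectTypeException contoso\\eve 10.0.0.9 Apple-iPhone5C2/1002.141 500
"""

EAS_VDIR = "Microsoft-Server-ActiveSync"


def parse_w3c(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records


def device_type(user_agent):
    """Equivalent of the nested CASE in Listing 2. Log Parser's strcnt() counts
    occurrences and the CASE matches only when the count is exactly 1, so a
    User-Agent naming 'iPhone' twice falls through; kept here on purpose."""
    for needle, label in (("iPhone", "iPhone"), ("iPad", "iPad"),
                          ("SAMSUNG", "Samsung"), ("Android", "Android variant")):
        if user_agent.count(needle) == 1:
            return label
    return "Other"


def activesync_by_device(records):
    """Listing 2: hits per (DeviceType, Vdir) for ActiveSync requests."""
    hits = Counter()
    for r in records:
        if EAS_VDIR in r["cs-uri-stem"]:
            hits[(device_type(r["cs(User-Agent)"]), r["cs-uri-stem"])] += 1
    return hits.most_common()


def error_sources(records, error="Error:WrongObjectTypeException"):
    """Listing 3: hits per (user, DeviceId) for requests whose query carries
    the given error text; DeviceId is extracted from cs-uri-query like
    EXTRACT_VALUE(cs-uri-query,'DeviceId')."""
    hits = Counter()
    for r in records:
        if error in r["cs-uri-query"]:
            device_id = parse_qs(r["cs-uri-query"]).get("DeviceId", [""])[0]
            hits[(r["cs-username"], device_id)] += 1
    return hits.most_common()


def top_activesync_users(records, top=10):
    """Listing 4: the noisiest (user, User-Agent, Vdir, client IP) tuples."""
    hits = Counter()
    for r in records:
        if EAS_VDIR in r["cs-uri-stem"]:
            key = (r["cs-username"], r["cs(User-Agent)"], r["cs-uri-stem"], r["c-ip"])
            hits[key] += 1
    return hits.most_common(top)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("Listing 2:", activesync_by_device(recs))
    print("Listing 3:", error_sources(recs))
    print("Listing 4:", top_activesync_users(recs))
```

On the constructed sample, the error query and the top-users query both point at the same user and device, which is exactly the pattern described above: a single misbehaving client that dominates the ActiveSync request volume. Replace SAMPLE_LOG with the contents of the W3SVC1 log files to run the same checks on real data.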

High CPU load on the CAS can also be caused by ActiveSync [6]. With Log Parser Studio, you can identify the client to renew its Exchange configuration or, in the most extreme case, to reset the device to the factory settings.

Conclusions

Microsoft's Log Parser Studio is a useful free tool for admins. Of course, the tool might not be able to replace central log collection and analysis systems. Despite this, however, it makes your first steps in this field easier and helps to ensure a rapid response in the event of a fault. The prefabricated queries and numerous examples on the web already cover many practical cases. With a pinch of SQL expertise [7], you can easily modify these and develop your own queries.
