[Logwatch-Devel] Parsing RealServer Logs

Pelkey, Jeff Jeff.Pelkey at titan.com
Thu Dec 8 11:46:33 MST 2005


Howdy,
 
I am trying to configure the RealServer logs into Logwatch and having a time with the LogFormat var.  I used the http.conf files to start with and have tried several things with no success.  It is the last six fields I think I need help getting straightened out.  We are using the default logging style (#5), which looks like this:

Logging style 5, which is the default style, does not build on the preceding styles. Instead, it copies style 2 and adds a presentation ID that helps you keep track of presentations that contain multiple clips: 

IP_address - - [timestamp] "GET filename protocol/version" HTTP_status_code
bytes_sent [client_info] [client_ID] [client_stats_results] file_size file_time
sent_time resends failed_resends presentation_ID

The following is an example of a logging style 5 entry: 

207.188.7.125 - - [26/Jun/2002:10:11:03 -0700] "GET real9video.rm RTSP/1.0"
200 858636 [WinNT_5.0_6.0.10.714_RealPlayer_RN92PD_en_686]
[8e07b707-19b7-448b-96b6-96c90151f2a6] [UNKNOWN] 926322 217 205 1 0 124
Here's the output I receive:
 --------------------- Real Media Begin ------------------------
 0.00 MB transferred in 0 responses  (1xx 0, 2xx 0, 3xx 0, 4xx 0, 5xx 0)
 This is a listing of log lines that were not parsed correctly.
 Perhaps the variable $LogFormat in file conf/services/realmedia.conf
 is not correct?
 (Only the first ten are printed; there were a total of 53)
    65.54.188.76 - - [07/Dec/2005:08:59:57 -0500]  "GET robots.txt HTTP/1.0" 404 213 [msnbot/1.0 (+http://search.msn.com/msnbot.htm)] [] [UNKNOWN] 0 0 0 0 0 41
    65.54.188.76 - - [07/Dec/2005:08:59:57 -0500]  "GET asxgen/mar152002/wm/1882_020315-a-56.asf.asx HTTP/1.0" 200 396 [msnbot/1.0 (+http://search.msn.com/msnbot.htm)] [] [UNKNOWN] 139 0 0 0 0 42

 
Here's what I've got so far in /etc/logwatch/conf/services:
$LogFormat = "%h - - %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{cookie}i\""
$HTTP_FIELDS = "client_ip timestamp request http_rc bytes_transfered referrer agent"
$HTTP_FORMAT = "     space dash space dash space brace    quote   space brace     space brace
space space space space space space "
 
Any ideas would be greatly appreciated!
Thanks, Jeff Pelkey



More information about the Logwatch-Devel mailing list