[Logwatch-Devel] Parsing RealServer Logs

Markus Lude lude at informatik.uni-tuebingen.de
Thu Dec 8 12:39:19 MST 2005


On Thu, Dec 08, 2005 at 01:46:33PM -0500, Pelkey, Jeff wrote:
> Howdy,

Hello,

> I am trying to configure the RealServer logs into Logwatch and having a time with the LogFormat var.  I used the http.conf files to start with and have tried several things with no success.  It is the last six fields I think I need help getting straightened out.  We are using the default logging style (#5), which looks like this:
> 
> Logging style 5, which is the default style, does not build on the preceding styles. Instead, it copies style 2 and adds a presentation ID that helps you keep track of presentations that contain multiple clips: 
> 
> IP_address - - [timestamp] "GET filename protocol/version" HTTP_status_code
> bytes_sent [client_info] [client_ID] [client_stats_results] file_size file_time
> sent_time resends failed_resends presentation_ID
> 
> The following is an example of a logging style 5 entry: 
> 
> 207.188.7.125 - - [26/Jun/2002:10:11:03 -0700] "GET real9video.rm RTSP/1.0"
> 200 858636 [WinNT_5.0_6.0.10.714_RealPlayer_RN92PD_en_686]
> [8e07b707-19b7-448b-96b6-96c90151f2a6] [UNKNOWN] 926322 217 205 1 0 124
> 
> Here's the output I receive:
>  --------------------- Real Media Begin ------------------------
>  0.00 MB transferred in 0 responses  (1xx 0, 2xx 0, 3xx 0, 4xx 0, 5xx 0)
>  This is a listing of log lines that were not parsed correctly.
>  Perhaps the variable $LogFormat in file conf/services/realmedia.conf
>  is not correct?
>  (Only the first ten are printed; there were a total of 53)
>     65.54.188.76 - - [07/Dec/2005:08:59:57 -0500]  "GET robots.txt HTTP/1.0" 404 213 [msnbot/1.0 (+http://search.msn.com/msnbot.htm)] [] [UNKNOWN] 0 0 0 0 0 41
>     65.54.188.76 - - [07/Dec/2005:08:59:57 -0500]  "GET asxgen/mar152002/wm/1882_020315-a-56.asf.asx HTTP/1.0" 200 396 [msnbot/1.0 (+http://search.msn.com/msnbot.htm)] [] [UNKNOWN] 139 0 0 0 0 42
> 
>  
> Here's what I've got so far in /etc/logwatch/conf/services:
> $LogFormat = "%h - - %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{cookie}i\""
> $HTTP_FIELDS = "client_ip timestamp request http_rc bytes_transfered referrer agent"
> $HTTP_FORMAT = "     space dash space dash space brace    quote   space brace     space brace
> space space space space space space "

Try to introduce two dummy variables in HTTP_FIELDS for the fields where
usually the two dashes are and remove the two "dash" from HTTP_FORMAT?

$HTTP_FIELDS = "client_ip ident userid timestamp foo     request http_rc bytes_transfered agent"
$HTTP_FORMAT = "space     space space  brace     space   quote   space
space            brace brace brace space space space space space"

Maybe you don't need the "foo" field. I don't know how the parsing
handles two consecutive spaces. Maybe you need to add the missing fields
at the end of HTTP_FIELDS. At least there seems to be some confusion between
the spaces and braces in your HTTP_FORMAT.

> Any ideas would be greatly appreciated!
> Thanks, Jeff Pelkey

I hope some parts may help you.

Regards,
Markus Lude
