As IT security professionals we scan our networks and use a variety of tools to do our job. In the end we are left with dozens of log files that we need to analyze. A couple of days ago I found a nice tool from Microsoft called LogParser.
It has some neat features for querying different data sources (text files, CSV, IIS and event logs, among others) with SQL-like statements. I played with it and came up with some useful command lines.
Put your logs in a directory and make sure they all have the same extension, e.g. .log or .txt. Open a Command Prompt and paste the following command line.
Example 1
LogParser.exe -i:textline "select text from C:\Scans\*.log where text like '%VUL%'" -o:CSV
This command line queries every log file in the directory and returns each line that contains VUL, which in these scan logs marks a vulnerable host. You can change the search text to any string you are looking for; note that LIKE matching is a plain substring search, so a short string can also hit lines you did not intend. Output:
10.202.1.8 :5900 vnc4:VULNERABLE
10.202.2.7 :5900 vnc4:VULNERABLE

Statistics:
-----------
Elements processed: 6565
Elements output: 2
Execution time: 0.36 seconds
Example 2
LogParser.exe -i:textline "select text from c:\scans\web.log where text like '%2.0.58%'" -o:CSV
This returns every banner line that contains the Apache 2.0.58 version string, which is a quick way to list all hosts still running that release. Output:
10.7.80.171:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6
10.7.80.172:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6

Statistics:
-----------
Elements processed: 638
Elements output: 2
Execution time: 0.07 seconds
Example 3
LogParser.exe -i:textline "select text from c:\scans\ban.log where text like '%Imail%'" -o:CSV
Output:
10.20.121.73:143 * OK IMAP4 Server (IMail 9.04)
10.20.121.74:143 * OK IMAP4 Server (IMail 9.04)

Statistics:
-----------
Elements processed: 7390
Elements output: 2
Execution time: 0.66 seconds
In all three examples I only used plain text files. The power of this tool is that you can use different SQL statements to analyze your scan log files, for example searching complete directories for specific host banners or ports that are known to be vulnerable, or grouping and counting banners per port. Hosts go up and down, but the log files can still be queried months after a scan has been completed.
Before I found this tool I did my analysis only with Excel spreadsheets and filters; I often used grep on Linux as well, but from now on I never want to be without this tool.
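The same SQL-over-text idea can be reproduced offline without LogParser. The following is an added example (not code from the original post or from LogParser): it loads scan-log lines into an in-memory SQLite table with an Index/Text layout like LogParser's TEXTLINE input, splits out host and port, and runs the post's LIKE queries plus two things the post only hints at: an anchored regex match that narrows a hit to one product version, and a GROUP BY summary of banners per port. The sample log lines are constructed for this example in the same host:port banner shape as the post's output; the function names and the REGEXP helper are this example's own.

```python
"""Added example: LogParser-style SQL queries over flat scan logs using SQLite."""
import re
import sqlite3

# Constructed sample data (not real scan output), in the post's "host:port banner" shape.
SAMPLE_LOG = """\
10.202.1.8 :5900 vnc4:VULNERABLE
10.202.1.9 :5900 vnc4:OK
10.7.80.171:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6
10.7.80.172:80 Server: Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.8a DAV/2 PHP/5.1.6
10.7.80.173:80 Server: Apache/2.2.9 (Unix)
10.20.121.73:143 * OK IMAP4 Server (IMail 9.04)
10.20.121.74:143 * OK IMAP4 Server (IMail 9.04)
10.20.121.75:143 * OK IMAP4 Server (IMail 11.0)
"""

# host, optional space, :port, whitespace, rest of line (the banner)
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*:(\d+)\s+(.*)$")


def load_scan_log(text: str) -> sqlite3.Connection:
    """Mimic LogParser's TEXTLINE input: one row per line (idx, text),
    plus host/port/banner columns split out so GROUP BY can use them."""
    conn = sqlite3.connect(":memory:")
    # SQLite has the REGEXP operator but no regexp() function by default;
    # "X REGEXP Y" calls regexp(Y, X), i.e. (pattern, string).
    conn.create_function(
        "REGEXP", 2, lambda pat, s: 1 if s is not None and re.search(pat, s) else 0
    )
    conn.execute(
        "CREATE TABLE scan (idx INTEGER, host TEXT, port INTEGER, banner TEXT, text TEXT)"
    )
    for i, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line)
        host, port, banner = (m.group(1), int(m.group(2)), m.group(3)) if m else (None, None, None)
        conn.execute("INSERT INTO scan VALUES (?, ?, ?, ?, ?)", (i, host, port, banner, line))
    conn.commit()
    return conn


def grep(conn: sqlite3.Connection, needle: str) -> list[str]:
    """The post's query: select text from ... where text like '%needle%'.
    SQLite LIKE is case-insensitive for ASCII, so 'Imail' also matches 'IMail'."""
    rows = conn.execute(
        "SELECT text FROM scan WHERE text LIKE ? ORDER BY idx", ("%" + needle + "%",)
    )
    return [r[0] for r in rows]


def hosts_matching(conn: sqlite3.Connection, pattern: str) -> list[tuple[str, int]]:
    """Anchored match on the banner with a regex instead of LIKE, so a version
    pattern such as r'IMail 9\\.\\d+' does not also hit IMail 11.0."""
    rows = conn.execute(
        "SELECT host, port FROM scan WHERE banner REGEXP ? ORDER BY host, port", (pattern,)
    )
    return [(h, p) for h, p in rows]


def banner_summary(conn: sqlite3.Connection) -> list[tuple[int, str, int]]:
    """How many hosts expose each distinct banner on each port (most common first)."""
    rows = conn.execute(
        "SELECT port, banner, COUNT(*) AS n FROM scan WHERE host IS NOT NULL "
        "GROUP BY port, banner ORDER BY port, n DESC, banner"
    )
    return [(port, banner, n) for port, banner, n in rows]


if __name__ == "__main__":
    db = load_scan_log(SAMPLE_LOG)
    for line in grep(db, "VUL"):
        print(line)
    print(hosts_matching(db, r"IMail 9\.\d+"))
    for port, banner, n in banner_summary(db):
        print(f"{port:>5}  {n:>3}  {banner}")
```

The LIKE query reproduces what the post does; hosts_matching is the check worth adding in practice, because a substring such as '%Imail%' returns every IMail host, while the regex returns only the version you are actually tracking.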
JoeD
Hi Ivan1980, nice post and very handy 😉