Using Log Parser 2.2

by Mitch Tulloch
07/12/2005

Log Parser is one cool tool. Created by Gabriele Giuseppini, a software engineer at Microsoft, the original Log Parser 1.0 was developed for Microsoft's internal testing purposes. It proved so popular that a public version, Log Parser 2.0, was released in 2001, and it has gone through two iterations, the current version being 2.2 and available from the Microsoft Download Center.

Log Parser operates as a kind of data pipeline. Into this pipe you can send information from IIS logs, Windows Event logs, Active Directory information, file system data, Registry data, Network Monitor traces, and so on. Once the data is in the pipe, you process it with SQL-like statements: a SELECT query picks out the fields and records you care about, and WHERE, GROUP BY, and ORDER BY clauses filter, aggregate, and sort them. Then, as the processed data comes out of the pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL database table, or simply to the console as raw output. Putting these into proper syntax, a typical Log Parser command looks something like this:

logparser -i:<Input_Format> -o:<Output_format> <SQL_statement>

Things can get a bit more complicated, but that's the basic idea.

Of course, the best way to learn about Log Parser is to actually use it, so let's see what we can do, using the Windows Event logs as a data source. After installing Log Parser, open a command prompt and change to the C:\Program Files\Log Parser directory, where the logparser.exe executable resides. Let's begin with a simple query to select all records from the System log:

logparser "SELECT * FROM System" -i:EVT

Since there's no output format specified, Log Parser writes the output to the console. The result is a series of messy-looking records like this:


System   2096   2005-06-17 05:01:14   2005-06-17 05:01:14   7035
   4   Information event   0   None   Service Control Manager
   Fax|stop   BOX15   S-1-5-18   The Fax service was successfully 
   sent a stop control.

This event, for example, is an event of type Information that has an event ID of 7035 and an event source of Service Control Manager. When writing to the console (its default output format), Log Parser displays these events ten at a time, prompting you for a keystroke to continue or Ctrl-C to abort.

Let's focus on events of type Error, since these are the ones most likely to matter to us:

logparser "SELECT * FROM System WHERE EventTypeName='Error event'" -i:EVT

We still get messy-looking results, but now they're all Error events:


System   975   2005-05-10 16:40:09   2005-05-10 16:40:09   
  10010   1   Error event   0   None   DCOM   
  {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}   BOX15   
  S-1-5-21-2696947089-119843295-2143939133-500   
  The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} 
  did not register with DCOM within the required 
  timeout.

What kinds of Error events are we getting in our machine's System log? Let's output only the event sources this time:

logparser "SELECT SourceName FROM System WHERE 
    EventTypeName='Error event'" -i:EVT

The screen output now looks like this:

SourceName
-----------------------
DCOM
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
Service Control Manager
W32Time
W32Time
Press a key...

What are the different kinds of Error events in our System log, and how many of each source type were recorded? Log Parser can easily tell us this:

logparser "SELECT SourceName, COUNT(*) FROM System WHERE 
    EventTypeName='Error event' GROUP BY SourceName" -i:EVT

And here's what we get:

SourceName              COUNT(ALL *)
----------------------- ------------
DCOM                    5
Service Control Manager 43
W32Time                 8
NETLOGON                3
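The queries below are an added example, not part of the original article, that take the same GROUP BY idea a few steps further: breaking the counts down by event ID, restricting them to a date range, bucketing errors per hour with QUANTIZE, writing the result to a CSV file with INTO, and pointing the same pipeline at the Security log. They use only documented Log Parser 2.2 syntax and switches (-rtp:-1 turns off the "Press a key..." paging of console output); the file names and the placeholder date are this example's own choices.

```batch
@echo off
REM Added example (not from the article): Log Parser 2.2 queries over the System and
REM Security event logs, run from the Log Parser install directory as in the text.
REM File names (errors_per_hour.csv) and the date below are this example's own choices.

REM 1. Same GROUP BY as the article, but broken down by EventID as well and sorted so
REM    the noisiest error sources come first. -rtp:-1 disables the ten-rows-at-a-time paging.
logparser -i:EVT -rtp:-1 "SELECT SourceName, EventID, COUNT(*) AS Total FROM System WHERE EventTypeName='Error event' GROUP BY SourceName, EventID ORDER BY Total DESC"

REM 2. Only recent errors: TimeGenerated is a TIMESTAMP field, so compare it against
REM    TO_TIMESTAMP(string, format). The date is a placeholder; change it to suit.
logparser -i:EVT -rtp:-1 "SELECT TimeGenerated, SourceName, EventID, Message FROM System WHERE EventTypeName='Error event' AND TimeGenerated >= TO_TIMESTAMP('2005-06-15', 'yyyy-MM-dd') ORDER BY TimeGenerated"

REM 3. Errors per hour: QUANTIZE rounds each timestamp down to a 3600-second bucket, which
REM    makes bursts stand out. INTO plus -o:CSV sends the result to a file instead of the console.
logparser -i:EVT -o:CSV "SELECT QUANTIZE(TimeGenerated, 3600) AS Hour, COUNT(*) AS Errors INTO errors_per_hour.csv FROM System WHERE EventTypeName='Error event' GROUP BY Hour ORDER BY Hour"

REM 4. The same pipeline against the Security log: count audit failures (failed logons and
REM    the like) per event ID. Reading the Security log requires an administrative account.
logparser -i:EVT -rtp:-1 "SELECT EventID, COUNT(*) AS Failures FROM Security WHERE EventTypeName='Failure Audit event' GROUP BY EventID ORDER BY Failures DESC"
```

Save this as a .cmd file in the Log Parser directory and run it from a command prompt. The EventTypeName values Log Parser uses for the EVT input format are 'Error event', 'Warning event', 'Information event', 'Success Audit event', and 'Failure Audit event', so the last query is the Security-log counterpart of the article's Error-event filter.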