Log Parser

Not just for IIS log files, you can parse Apache log files, too. Not just for web server log files, you can parse many log files. Not just for log files, either; you can parse a variety of files (including pcap files). Not just for files, you can parse Active Directory and the Windows File System as well.

Microsoft’s Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.

Log Parser writes SQL Server tables, and Microsoft offers a free SQL Server edition. If you don’t have Windows 7 (or Server 2008), add Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0) as well.

Extend the power of these free tools.

Overview

Unofficial Log Parser Support Site

Log Parser forum at IIS.net

Log Parser Plus expressions, functions and sample queries

T-SQL Quick Ref from DevGuru

Get Dave Kleiman’s books “Security Log Management: Identifying Patterns in the Chaos” and “Microsoft Log Parser Toolkit: A complete toolkit for Microsoft’s undocumented log analysis tool”.

Log Parser provides a unified SQL interface to specific sources. Unlike Splunk, Log Parser does unify not unify data sources natively. However, since Log Parser can write to SQL databases, you could use multiple instances of Log Parser to create a unified data store, like Splunk. For an example, see Consolidating events with free Log Parser 2.0 tool. The free MSDE may be sufficient for your SQL database needs.

• Search ISA Web Proxy log for fully-qualified domain names per user
  "SELECT DISTINCT TO_LOWERCASE(cs-username) As User, r-host FROM isaproxylog.w3c WHERE s-svcname = 'w3proxy' ORDER BY User"
• Search ISA Web Proxy log for IP addresses that sent requests for a URL ending with “gate.php” on an external network (suggesting that a client is connecting to a ZeuS botnet Command and Control server):
  SELECT COUNT(DISTINCT c-ip) FROM isaproxylog.w3c WHERE cs-uri Like '%/gate.php' AND cs-Network = 'External'
• 10 largest files on the C: drive
  logparser "SELECT TOP 10 Path, Name, Size FROM C:\*.* ORDER BY Size DESC" -i:FS -recurse:0
• or
  logparser "SELECT TOP 10 EXTRACT_PATH(Path) AS Folder,
EXTRACT_FILENAME(Path) AS Filename,
DIV(Size, 1048576) AS MB
FROM C:\*.*
ORDER BY DIV(Size, 1048576) DESC"
• 20 largest files over 1 year old on the C: drive
  logparser "SELECT TOP 20 EXTRACT_PATH(Path) AS Folder,
EXTRACT_FILENAME(Path) AS Filename,
DIV(Size, 1048576) AS MB,
LastWriteTime
FROM C:\*.*
WHERE LastWriteTime < SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0001', 'yyyy'))
ORDER BY DIV(Size, 1048576) DESC"
• 10 most recently installed programs, saving result as CSV file
  logparser "SELECT TOP 10 Value AS Product, LastWriteTime AS [Date Installed] INTO RecentSoftware.csv FROM HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData WHERE ValueName='DisplayName' ORDER BY LastWriteTime DESC"
• List of recent files from Documents and Settings:
  logparser "SELECT LastWriteTime, CreationTime, Path INTO Files_from_Docs.csv FROM 'c:\documents and settings\*.*' WHERE Path Like '%recent%' AND Path NOT LIKE '%.' ORDER BY LastWriteTime DESC" -i:fs -recurse -o:csv
• Search for logons of a specific user on a specific server among the events in the Windows Event Log:
  LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM Security WHERE EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON
• Parse the output of a ‘netstat’ command:
  netstat -a | LogParser "SELECT * FROM STDIN" -i:TSV -iSeparator:space -nSep:2 -fixedSep:off -nSkipLines:3
• Display the distribution of registry value types:
  LogParser "SELECT ValueType, COUNT(*) INTO DATAGRID FROM \HKLM GROUP BY ValueType"
• Finding MRU traces:
  logparser "SELECT Path, ValueName, Value, HEX_TO_ASC(Value) as Value2 INTO MRU-Lists.csv FROM \HKCU WHERE Path LIKE '%MRU%' OR Path LIKE '%recent%' OR Path LIKE '%Used%' OR Path LIKE '%Usage%' OR Path LIKE '%TIME%' OR Path LIKE '%Date%' OR Path LIKE '%Last%' OR Path LIKE '%Updated%' OR Path LIKE '%History%' OR valueName LIKE '%MRU%' OR ValueName LIKE '%recent%' OR ValueName LIKE '%Used%' OR ValueName LIKE '%Usage%' OR ValueName LIKE '%TIME%' OR ValueName LIKE '%Date%' OR ValueName LIKE '%Last%' OR ValueName LIKE '%Updated%' OR ValueName LIKE '%History%' ORDER BY Path, ValueName" -o:csv
• Create an XML report file containing logon account names and dates from the Security Event Log messages:
  LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO Report.xml FROM Security WHERE EventID NOT IN (541;542;543) AND EventType = 8 AND EventCategory = 2"
• Return a hash of all .exe files in the system folder:
  logparser "SELECT Path, HASHMD5_FILE(Path) FROM C:\Windows\System32\*.exe" -i:FS -recurse:0 -o:datagrid
• Find duplicate hash values in the system folder:
  logparser "SELECT HASHMD5_FILE(Path) AS Hash, COUNT(*) AS NumberOfCopies FROM C:\Windows\System32\*.exe GROUP BY Hash HAVING NumberOfCopies > 1" -i:FS -recurse:1 -o:datagrid
• Return a hash of all .ocx files in the system folder:
  logparser "SELECT Path, HASHMD5_FILE(Path) FROM C:\Windows\system32\*.ocx" -i:FS -recurse:0 -o:datagrid
• Load a portion of the registry into a SQL table.
  LogParser "SELECT * INTO MyTable FROM \HKLM" -e:100 -i:REG -o:SQL -server:MyServer\SQLEXPRESS -database:MyDatabase -driver:"SQL Server" -createTable:ON
  Windows Authentication allows us to avoid specifying the username and password on the command line.
  -username:TestSQLUser -password:TestSQLPassword

The command allowed for 100 parsing errors before aborting. These parsing errors should reflect “Error opening key “HKLM\???????????”: Access is denied.” conditions. Run the LogParser command with elevated privileges.
Parse errors:
Error opening key "HKLM\SAM\SAM": Access is denied.
Error opening key "HKLM\SAM\SAM": Access is denied.
Error opening key "HKLM\SECURITY": Access is denied.
Error opening key "HKLM\SAM\SAM": Access is denied.
Error opening key "HKLM\SECURITY": Access is denied.
Error opening key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media
Center\Service\Recording\Restricted": Access is denied.

• You might want to run logparser on all .sql files in a folder. This works best if all queries are of the same type so you can specify input format and parameters.
  FOR %%i IN (*.sql) DO @logparser file:%%i > %%~ni.txt
• Display users’ job title breakdown from Active Directory:
  LogParser "SELECT title, MUL(PROPCOUNT(*), 100.0) AS Percentage INTO DATAGRID FROM 'LDAP://myusername:mypassword@mydomain/CN=Users,DC=mydomain,DC =com' WHERE title IS NOT NULL GROUP BY title ORDER BY Percentage DESC" -objClass:user
• Display titles of current channels on MSDN BLogs:
  LogParser "SELECT title INTO MSDNBlogs.txt FROM http://blogs.msdn.com/MainFeed.aspx#/rss/channel/item" -i:XML -fMode:Tree
• Examples included with Log Parser 2.2:
  • Implement an XML parser
  • Implement a process enumerator
  • Implement a QFE (patch) enumerator
• IIS queries included with Log Parser 2.2:
  • Get the number of requests and total bytes sent during each hour
  • Create a pie chart with the total number of bytes generated by each extension
  • Get the Top 20 verbs with the maximum and average time taken, and with the average number of bytes sent
  • Get the Top 20 URIs with the maximum and average time taken, and with the average number of bytes sent
  • Get the full HTTP status codes by number of hits
  • For each ASP error, get the Url and the ASP script line number
  • Get requests and full status by number of hits
  • Get hit counts for each extension
  • Get authentication and authorization failures
• Event log queries included with Log Parser 2.2:
  • Get logon failures from the Security Event Log
  • Get logon failure statistics from the Security Event Log
  • Get logon successes from the Security Event Log
  • Get the distribution of EventID values for each Source
• UrlScan queries included with Log Parser 2.2:
  • Get the clients whose requests have been rejected by UrlScan
  • Get all the UrlScan comments
• ETW log queries included with Log Parser 2.2:
  • Get the number of hits for each IIS AppPool
• ADS queries included with Log Parser 2.2:
  • Get the IIS Virtual Directories that allow WRITE access
• NETMON queries included with Log Parser 2.2:
  • Get the total network bytes per second
• Generic queries included with Log Parser 2.2:
  • Get a list of all the words in these text files ordered by number of times they appear
  • Get a list of all the hidden files in the C: drive ordered by their size
  • Get the distribution of file name lengths in the C: drive
• Helper functions included with Log Parser 2.2:
  • Get the status code in the “status.substatus” form
  • Get the request in the “uri-stem?uri-query” form
• Queries at Server Fault(recommended log parser queries for IIS log monitoring). If IP is an important element in your report, then including User-Agent as well. When User-Agents match, it suggest one machine using more than one IP address and Google’s web crawler has its own User-Agent.
  • Top bandwidth usage by URL
  • Top hits by URL
  • Top bandwidth and hits by IP / User-Agent
  • Top bandwidth by hour by IP / User-Agent
  • Top hits by hour by IP / User-Agent
• Queries at Forensic Log Parsing with Microsoft’s LogParser
  • 20 newest files on the web site
  • 20 most recently modified files on the web site
  • Hits per URL
  • File extensions used by web application
  • Hits per URL per day
  • Errors per hour
  • Excessive hits by IP / User-Agent
  • Errors per hour (to be followed by IP / User-Agent involved in excessive errors per hour)
  • User Logins
  • User-Agents
• Queries at Analyze your IIS Log Files – Favorite Log Parser Queries
  • Number of Hits per Client IP, including a Reverse DNS lookup (slow)
  • Top 25 File Types
  • Top 25 URLs
  • Number of hits per hour for the month of March
  • Number of hits per Method (GET, POST, etc)
  • Number of requests made by user
  • Extract Values from Query String (d and t) and use them for Aggregation
  • Find the Slowest 25 URLs (in average) in the site
  • List the count of each Status and Substatus code
  • List all the requests by user agent
  • List all the Win32 Error codes that have been logged
• Queries at ISAscripts.org:
  • Search ISA Web Proxy logs for a count of unique IP addresses NOT accessing a particular file or filetype from the External network.
  • Search ISA Web Proxy logs for a count of unique client IP addresses from the External network.
  • Search ISA Web Proxy logs for a count of unique IP addresses accessing a particular file or filetype from the External network.
    SELECT COUNT(DISTINCT c-ip) FROM isaproxylog.w3c WHERE cs-uri Like '%.zip' AND cs-Network = 'External'
  • Search ISA Web Proxy logs for a count of unique IP addresses accessing the robots.txt file from the External network in Web Proxy logs.
  • Search ISA Web Proxy logs for a list of unique client IP addresses in ISA Web Proxy or IIS W3C Extended logs.
  • Search ISA Web Proxy logs for a count of HTTP Filter error messages.
  • Search ISA Web Proxy logs for the top 20 external IP addresses that have generated Denied entries.
  • Search ISA Web Proxy logs for the top 10 external FQDNs that have generated Denied entries (reverse DNS lookups).
  • Search ISA Web Proxy logs for the top 20 users based on total bytes sent or received.
  • Search ISA Web Proxy logs for IPs and FQDNs accessed by each user.
  • Search ISA Web Proxy logs for percentage of log lines specifically Denied, categorized by governing rule in both Firewall and Web Proxy logs.
  • Search ISA Web Proxy logs for percentage of log lines with Allowed or Establish actions, categorized by governing rule in both Firewall and Web Proxy log.
  • Search ISA Firewall logs for top 20 external IP addresses that have generated Denied entries.
  • Search ISA Firewall logs for percentage of each type of status code.
  • Search ISA Firewall logs for top 20 external IP addresses that have sent Ping of Death (or SYN attack or LAND attack) packets.
  • Search ISA Firewall logs for top 20 external IP addresses that have sent packets whose headers were logged as raw hex.
  • Search ISA Firewall logs for count of agent applications.
  • Search ISA Firewall logs for top 20 users based on total bytes sent or received.
  • Search ISA Firewall logs for percentage of log lines specifically Denied, categorized by governing rule in both Firewall and Web Proxy logs.
  • Search ISA Firewall logs for percentage of log lines with Allowed or Establish actions, categorized by governing rule in both Firewall and Web Proxy log.
  • Search IIS Logs for unique referrer URLs with some qualifiers to filter out noise.
  • Search IIS Logs for unique user-agents with some qualifiers to filter out noise.
  • Search for unique client IP addresses in ISA Web Proxy or IIS W3C Extended logs.
  • Search IIS logs for unique referrer FQDNs in IIS logs with some qualifiers to filter out noise.
• Queries at Log Parser Plus:
  • Return a listing of Web pages, and referring pages, that returned a 200 status (or 300 or 400 or 500) status code
  • Bandwidth usage by request: Return pages sorted by the total number of bytes transferred, as well as the total number of requests and average bytes
  • Browsers (User-Agents) and their frequency
  • Cookie lengths with IP / User-Agent and number of requests made with that cookie/IP / User-Agent
  • Data sent and received, by file type
  • Domains referring traffic for resources
  • Convert FileZilla Server logs to W3C extended log format
  • HTTP Status Codes (pie chart)
  • HTTP Status Codes (text)
  • HTTP status codes and percentage of total
  • POSTs per IP / User-Agent by total requests
  • Requests using suspicious query parameters
  • Query parameters and their frequency
  • Query parameters, their frequency and IP / User-Agent
  • Requests by file type (extension)
  • Requests per day
  • Requests by hour and requests by hour per day
  • Requests by seconds to process and requests by seconds to process, with percentages
  • Requests, bandwidth, and last visit, by IP / User-Agent
• Queries at Log Parser 2.2 and ASP.NET:
  • Find text (in large text file)
  • Find the 10 largest files from a specific folder, including its subfolders
  • Find the 20 slowest pages in your Web site
  • Find the 20 most commonly used .aspx pages in your Web site
• Queries at Rahul Soni’s blog:
  • Find the peak time for your IIS Server
  • Checking traffic/requests between a specific client and server
  • Searching specific column names from a CSV file
  • Searching files for culprits when you don’t have Visual Studio on the Server.
  • What could be a more reliable way to find out “A word or phrase in the file”?
  • Analyzing the IISlogs to see if there is any pattern for errors
  • Search for all the fieldnames available for a given input type
• Queries at Steve Bunting’s blog:
  • Find Remote Desktop connects and reconnects
• Queries at Marc Grote’s Using the Logparser Utility to Analyze Exchange/IIS Logs:
  • Find OWA users
  • Show OWA usage
• Queries at Jeff Atwood’s Coding Horror:
  • Top 10 items retrieved
  • Top 10 slowest items
  • All Unique Urls retrieved
  • HTTP errors per hour
  • HTTP errors ordered by Url and Status
  • Win32 error codes by total and page
  • HTTP methods (GET, POST, etc) used per Url
  • Bytes sent from the server
  • Bytes sent from the client
• Bernard Cheah”s Graphing PING results
  ping -n 15 example.com | logparser "SELECT TO_INT(REPLACE_STR(EXTRACT_VALUE(Text,'time',' '),'ms','')) AS Response INTO Ping.gif FROM stdin WHERE Text LIKE '%%Reply%%' GROUP BY Response" -i textline -legend off -chartTitle "Ping Times" -view

• Queries at Dominick Baier’s Auditing the Event Logs
  • Show all events from the system eventlog, ordered by number of occurrences and event type (error, warning, info).
    logparser "select distinct EventID, EventTypeName, Message, Count(*) as Entries from System group by EventID, Message, EventTypeName order by EventTypeName, Entries DESC" -i:EVT -o:DATAGRID

  • Show failed logon attempts
    logparser "select distinct SID from Security where EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539)"

  • Show failed logon attempts and resolve SIDs to account names
    logparser "select distinct SID, RESOLVE_SID(SID) as Username from Security where EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539)

  • Find IP addresses with the most rejected packets in URLSCAN
    logparser "SELECT TOP 10 ClientIP, COUNT(*) as Entries FROM URLSCAN WHERE Comment LIKE 'Url%' GROUP BY ClientIP ORDER BY Entries DESC" -o:DATAGRID
  • Find IP addresses with the most rejected packets in URLSCAN, but add DNS names (slow)
    logparser "SELECT TOP 10 REVERSEDNS(ClientIP), COUNT(*) as Entries FROM URLSCAN WHERE Comment LIKE 'Url%' GROUP BY ClientIP ORDER BY Entries DESC" -o:DATAGRID

  • parse IIS 6 HTTPERR log entries
    logparser "SELECT TOP 10 src-ip, s-reason, Count(*) as Hits FROM HTTPERR group by src-ip, s-reason order by Hits DESC"

  • see all User-Agents that sent requests
    logparser "select distinct cs(User-Agent) from ex*.log order by cs(User-Agent)"

  • see all IP addresses and User-Agents that sent requests
    logparser "select distinct c-ip, cs(User-Agent) from ex*.log order by cs(User-Agent)"

  • see how many hits the corresponding Agents and IP addresses have produced, use
    logparser "SELECT distinct c-ip AS Client, cs(User-Agent), COUNT(*) as Hits FROM ex*.log group by cs(User-Agent), Client order by cs(User-Agent), Hits DESC"

  • see how many different people are using NewsGator
    logparser "SELECT distinct c-ip AS Client, cs(User-Agent), COUNT(*) as Hits FROM ex*.log where cs(User-Agent) like 'news%' group by cs(User-Agent), Client order by cs(User-Agent), Hits DESC"
• Mark Burnett’s Forensic Log Parsing with Microsoft’s LogParser
  • Have any files been added? Check for newest files on the web site
    logparser "SELECT TOP 20 Path, CreationTime from c:\inetpub\wwwroot\*.* ORDER BY CreationTime DESC" -i:FS -rtp:-1
  • Have any files been modified?
    logparser "SELECT TOP 20 Path, LastWriteTime from c:\inetpub\wwwroot\*.* ORDER BY LastWriteTime DESC" -i:FS -rtp:-1
  • What files been accessed? Should the files exist?
    logparser "SELECT DISTINCT TO_LOWERCASE(cs-uri-stem) AS URL, Count(*) AS Hits FROM ex*.log WHERE sc-status=200 GROUP BY URL ORDER BY URL" -rtp:-1
  • Identify file extensions in use
    logparser "SELECT TO_LOWERCASE(SUBSTR(Name, LAST_INDEX_OF(Name,'.'), STRLEN(Name))) AS Extension, Count(*) as Files from c:\inetpub\wwwroot\*.*, c:\inetpub\scripts\*.* WHERE Attributes NOT LIKE 'D%' GROUP BY Extension ORDER BY Files DESC" -i:fs -rtp:-1
  • Overused scripts may be a sign of abuse. Are there abnormal use patterns?
    LogParser "SELECT TO_STRING(TO_TIMESTAMP(date, time), 'yyyy-MM-dd') AS Day, cs-uri-stem, COUNT(*) AS Total FROM ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY Day, cs-uri-stem ORDER BY cs-uri-stem, Day" -rtp:-1
  • Excessive errors may be a sign of hacking attempts
    logparser "SELECT date, QUANTIZE(time, 3600) AS hour, sc-status, Count(*) AS Errors FROM ex03*.log WHERE sc-status>=400 GROUP BY date, hour, sc-status HAVING Errors>25 ORDER BY Errors DESC" -rtp:-1
  • A high number of hits to a single URL from a single IP could indicate a SQL Injection vulnerability is being exploited.
    logparser "SELECT DISTINCT date, cs-uri-stem, c-ip, Count(*) AS Hits FROM ex*.log GROUP BY date, c-ip, cs-uri-stem HAVING Hits>50 ORDER BY Hits Desc" -rtp:-1
  • High numbers of 500 HTTP status codes or other errors could indicate a SQL Injection vulnerability is being exploited
    logparser "SELECT cs-uri-query, Count(*) AS Total FROM ex*.log WHERE sc-status>=500 GROUP BY cs-uri-query ORDER BY Total DESC" -rtp:-1
  • GET requests to ASP pages that normally only receive POST requests could indicate a SQL Injection vulnerability is being exploited. What ASP errors are seen?
    logparser "SELECT cs-uri-query, Count(*) AS Total FROM ex*.log WHERE sc-status>=500 GROUP BY cs-uri-query ORDER BY Total DESC" -rtp:-1
  • What status codes are returned by the server?
    logparser "SELECT cs-uri-stem, sc-status, Count(*) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem, sc-status ORDER BY cs-uri-stem, sc-status" -rtp:-1
  • Win32 status codes, too
    logparser "SELECT cs-uri-stem, WIN32_ERROR_DESCRIPTION(sc-win32-status) as Error, Count(*) AS Total FROM ex*.log WHERE sc-win32-status>0 and (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, Error ORDER BY cs-uri-stem, Error" -rtp:-1
  • What HTTP methods are used for each page?
    logparser "SELECT cs-uri-stem, cs-method, Count(*) AS Total FROM ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, cs-method ORDER BY cs-uri-stem, cs-method" -rtp:-1
  • Bytes sent to client
    logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(sc-bytes) AS Avg, Max(sc-bytes) AS Max, Min(sc-bytes) AS Min, Sum(sc-bytes) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1
  • Bytes sent from client
    logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(cs-bytes) AS Avg, Max(cs-bytes) AS Max, Min(cs-bytes) AS Min, Sum(cs-bytes) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1
  • Time spent processing request
    logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(time-taken) AS Avg, Max(time-taken) AS Max, Min(time-taken) AS Min, Sum(time-taken) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1
  • Authenticated users; if you normally have anonymous users, authenticated users should be explained
    logparser "SELECT cs-username, Count(*) AS Hits from ex*.log WHERE cs-username IS NOT NULL GROUP BY cs-username ORDER BY Hits Desc" -rtp:-1
  • Any non-standard user-agents?
    logparser "SELECT DISTINCT cs(User-Agent) FROM ex*.log WHERE TO_LOWERCASE(cs(User-Agent)) NOT LIKE '%mozilla%' AND TO_LOWERCASE(cs(User-Agent)) NOT LIKE '%opera%' ORDER BY cs(User-Agent)" -rtp:-1
• Using Log Parser from C#

See also:

• LogQL. Parse CSV or other delimited files. Requires Java.
• Parse-O-Matic. Scripting language that supports conventions such as arrays and regular expressions and offers many ways to find, compare, and alter data, including the capability to compare strings, numbers, lengths, and patterns.
• Evil Through the Lens of Web Logs [pdf] by Russ McRee (russ@holisticinfosec.org). Other Log Parser examples are offered, other log parsing tools are described and (more importantly) why you are reviewing logs is explained.