000037121 - How to use Log Parser Studio in Archer to easily review IIS Logs

Document created by RSA Customer Support Employee on Dec 8, 2020. Last modified by RSA Customer Support Employee on Dec 8, 2020.
Version 2

Article Content

Article Number: 000037121
Applies To: Product Set: Archer
Product/Service Type: Archer
Issue: Use this tool to review IIS logs when an Archer issue appears to originate from the Archer web server(s). IIS log files are difficult to read in their raw format.
Tasks: You will need to download and install Log Parser 2.2 from Microsoft's website.
It provides the query engine (library) that the application you will use runs on top of.
https://www.microsoft.com/en-us/download/details.aspx?id=24659

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files, and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.

Then download Log Parser Studio, the application that provides the user interface you will use to view the IIS logs.
https://gallery.technet.microsoft.com/office/Log-Parser-Studio-cd458765

(NOTE: This is a stand-alone application that does not require installation. Save the zip, extract it to a location on your computer, then place a shortcut to the executable on your desktop.)

Log Parser Studio is a utility that allows you to search through and create reports from your IIS, Event, EXADB, and other types of logs. It builds on top of Log Parser 2.2 and has a full user interface for easy creation and management of related SQL queries.
Resolution: Once you have downloaded and installed Log Parser 2.2, download and save the Log Parser Studio files to a location on your computer.
To review an IIS log file in Log Parser Studio, perform the following steps:
  1. Open Log Parser Studio.
     (screenshot: Open Log Parser Studio)

  2. Once it has opened, click the yellowish log folder button.
     (screenshot)

  3. Here you can select the folder or IIS log file you want to parse and review. Click the Add Files button and select your IIS log file.
     (screenshot: select IIS file)

  4. After you have selected the log file that you want to review, go back to the main Log Parser Studio window and click the button pictured in the screenshot. This creates a new Query to parse the IIS logs.

  5. On the bar near the center of the LPS (Log Parser Studio) window, select the log type we are going to use here by clicking the button pictured in the screenshot.

  6. From the list that appears, select IISW3CLOG.

  7. Next, we need to input the Query we are going to use. Log Parser uses Transact-SQL, so you can use the following Query as a baseline and go from there:
      --
    SELECT date,
           time,
           cs-username,
           sc-status,
           sc-substatus,
           sc-win32-status,
           cs-uri-query,
           s-ip,
           c-ip,
           s-port,
           cs-method,
           cs-uri-stem,
           cs(Referer),
           time-taken
    From '[LOGFILEPATH]'
    --
    NOTE: The From clause with [LOGFILEPATH] automatically refers to the file or folder you selected in step 3, so this query should work as-is.
  8. Next, click the button pictured in the screenshot to run the query. It may take some time depending on how large the IIS log file is.
     (screenshot)

  9. In the results, as shown above, pay attention to the sc-status field (this is the HTTP status code, such as a 404 or 500 error).

     If you want to get rid of all the successful entries, you can add a WHERE clause such as WHERE sc-status <> '200', which means "where sc-status is not equal to 200".
     This removes the HTTP 200 status code entries.
     (HTTP 200 means that the web request was processed successfully.)
     (screenshot)

  10. In the filtered results shown above, you can see a bad entry with a 500 error. From there, pay attention to the sc-substatus and sc-win32-status codes, as these can give more information about where to look in order to troubleshoot or resolve the issue on the web server.
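As an added example (not part of the original article and not Log Parser Studio code), the Python below parses a constructed IIS W3C log whose columns match the fields selected in the query above, applies the same "sc-status <> 200" filter, and tallies the sc-status/sc-substatus/sc-win32-status triples that steps 9 and 10 tell you to examine. The log lines, host name and paths are made up for the example.

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log (not a real Archer log); the columns mirror the
# fields selected in the article's query. IIS writes '-' for an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-12-08 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-12-08 14:00:01 10.0.0.5 GET /app/Default.aspx - 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2020-12-08 14:00:02 10.0.0.5 POST /app/api/core/content - 443 user1 10.0.0.20 Mozilla/5.0 https://archer.example.com/app/Default.aspx 500 0 0 3120
2020-12-08 14:00:03 10.0.0.5 GET /app/missing.aspx id=1 443 - 10.0.0.21 Mozilla/5.0 - 404 0 2 5
2020-12-08 14:00:04 10.0.0.5 GET /app/Default.aspx - 443 - 10.0.0.22 Mozilla/5.0 - 200 0 0 88
"""

# Columns compared as integers rather than strings.
INT_FIELDS = ("sc-status", "sc-substatus", "sc-win32-status", "s-port", "time-taken")


def parse_w3c(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields directive. Each
    '#Fields:' line resets the layout: IIS writes a fresh header block whenever the log is reopened."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and #Date carry no request data
        if fields is None:
            raise ValueError("data line found before any #Fields directive")
        values = line.split(" ")  # IIS encodes spaces inside a field as '+', so a plain split is safe
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        record = dict(zip(fields, values))
        for name in INT_FIELDS:
            if record.get(name, "-") != "-":
                record[name] = int(record[name])
        records.append(record)
    return records


def failed_requests(records):
    """Same filter as adding  WHERE sc-status <> 200  to the article's query."""
    return [r for r in records if r["sc-status"] != 200]


def status_summary(records):
    """Count (sc-status, sc-substatus, sc-win32-status) triples among the non-200 rows."""
    return Counter((r["sc-status"], r["sc-substatus"], r["sc-win32-status"])
                   for r in failed_requests(records))
```

Run it against a real log by reading the .log file into `parse_w3c`; the dict keys are exactly the field names you would put in the SELECT list, including cs(Referer) and cs-uri-query.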

 
Notes:
  • The date field will show an inaccurate time but an accurate date.
  • The time field will show an inaccurate date but an accurate time.
  • The cs-username field may sometimes be populated, depending on whether an HTTP header-based SSO solution is being used alongside Archer.
  • The cs-uri-query, cs-uri-stem, and cs(Referer) fields may give hints of the API call, or of where or what was being pressed or accessed, when the error occurred.
