As administrators, we spend a lot of time and energy trying to discover what visitors to our Web sites are looking at, but we often overlook logging. Fortunately, numerous log analyzers that can provide the information we need are available. I've used Web Trends quite extensively, and it does a great job of telling me who, what, when, and where. But I often want to know what else I'm NOT seeing in these slick reports. Who's rattling my doors and seeing whether I'm awake and up-to-date on my Web server's security?
I won't waste your time by telling you about the need for security. Rather, I encourage you to look beyond the logs for what's hidden in them. The easiest way to accomplish this task is to run a simple DOS shell command (FINDSTR) against your log files. You can use FINDSTR on any log file. Here are some of the commands I use regularly:
FINDSTR /i /c:"POST /msadc/msadcs.dll" ex000312.log
This command looks in the World Wide Web Consortium (W3C)-formatted file ex000312.log for the string "POST /msadc/msadcs.dll". On my Web sites, I'm fortunate not to have any content that requires the Remote Data Factory (RDF), so I can search for someone horsing around to see whether I need to update my security. However, let's say you have applications that require RDF. Simply pipe the input of one FINDSTR command into another, as this line shows:
FINDSTR /i /c:"POST" ex000312.log | FINDSTR /I /v _
/c:"goodapp.dll"
This command shows any postings that weren't to goodapp.dll. (Note that this example won't catch someone attempting to mess with goodapp.dll.)
You can develop a list of things to scan for regularly, but one word of caution before you try parsing your logs: Finding something isn't cause to call your local district attorney and get a search warrant for the offender. However, as a responsible administrator, you need to know that someone is assessing your security before something serious happens. Log parsing gives you the ability to take precautions. For example, I've recently asked the firewall administrator to block certain areas for a few weeks, just to keep things safe.
