awstats and IIS7 Advanced Logging Module

2012-09-28
2014-06-27
  • mike pacheco
    mike pacheco
    2012-09-28

    Hi All,

    Used awstats before, but have always been behind a Load Balancer and always on
    Apache. Just had the Load balancer insert a header with the true client IP and
    modified apache to log the extra header field, configured awstats to look for
    that extra field and no problems.

    I now have to work with MS IIS 7 and the only way to get that extra header
    field with the true cleint IP (instead of the load balancer VIP for every
    request) is to use IIS Advanced Logging Module.

    Setup is easy enough, but I have not been able to get awstats to display any
    data at all, it crunches through the logs with no issues or errors ..

    D:\wwwroot\awstats\cgi-bin>perl awstats.pl -update -config=ordersets
    -LogFile=d:/awstats/foo/realip_d20120927.log
    Create/Update database for config "./awstats.foo.conf" by AWStats version
    7.0 (build 1.971)
    From data in log file "d:/awstats/foo/realip_d20120927.log"...
    Phase 1 : First bypass old records, searching new record...
    Direct access to last remembered record has fallen on another record.
    So searching new records from beginning of log file...
    Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
    Jumped lines in file: 0
    Parsed lines in file: 17306
    Found 0 dropped records,
    Found 12 comments,
    Found 0 blank records,
    Found 0 corrupted records,
    Found 0 old records,
    Found 17294 new qualified records.

    But I get nothing but "unknown" robots from the Load Balancers VIP monitor
    zero byte checks.

    LogFormat="%time2 s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
    %host cs(User-Agent) cs(Host) sc-status sc-substatus sc-win32-status
    TimeTakenMS"

    IIS Log Fields are:

    Fields: date-local time-local s-ip cs-method cs-uri-stem cs-uri-query s-port

    cs-username RealIP cs(User-Agent) cs(Host) sc-status sc-substatus sc-
    win32-status TimeTakenMS

    And 2 sample log lines .. first one is a Load Balancer VIP check

    2012-09-26 20:00:01.750 111.111.111.222 HEAD /wkosaweb/OSALogin.aspx - 80 - -
    - "foo.test.com" 200 0 0 0

    Next is a real visitor

    2012-09-27 03:08:00.400 111.111.111.222 GET /wkosaweb/OSALogin.aspx
    OrderSetId=317 80 - "4.4.4.5" "Mozilla/5.0 (Windows NT 5.1; rv:14.0)
    Gecko/20100101 Firefox/14.0.1" "foo.test.com" 200 0 0 21839

    I've tried a number of different LogFormats, but I just can not seem to get
    any data out of awstats with these logs and the puzzling thing is everything
    looks right.

    Oh - I forgot - this is a new install of Awstats 7.0 build 1.971

    Any help or pointers would be appreciated.

    TIA .. Mike

     
  • shalvin
    shalvin
    2014-06-27

    Hi,

    This might be an issue your having.

    I have enabled Advanced logging on IIS. When collecting the logs ->

    all log entered are put into ---> Not viewed traffic *
    using the standard logging it works fine. Only when you capture the logs through advanced logging.

    I have narrowed it down to -
    in standard logging -> which works fine
    Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0)

    in IIS advanced logging -> which puts everything into "Not viewed traffic *"
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

    See the + symbols is the difference.... this is the issue.

    can you please advise how I can resolve this.
    I believe that everyone has this issue.
    Cheers,