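# needs to be run with elevated permissions to access IIS log directories
#
# Parses the W3C access logs of every IIS site on this host into $ParsedLogs,
# one object per request line that matches $methodPatterns and $lineRegex,
# for ad-hoc review (see the examples at the bottom). Lines whose field layout
# does not match $lineRegex are silently skipped, so if the result looks too
# small compare the "#Fields:" header of the log files against the regex.

# how far back in hours do we want to review logs?
$duration = 48

# which request lines to keep; the surrounding spaces stop "GET" from matching
# inside a URI, user agent or referer field
$methodPatterns = ' GET ', ' POST '

# NOTE(review): $creds is prompted for but never used below — TODO confirm
# whether it is meant for a remote log share; otherwise drop the prompt.
if (!$creds) { $creds = Get-Credential }

# Positional field layout this regex expects, one space-separated line each.
# Presumably the IIS "all fields" W3C layout (date time s-sitename
# s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status
# sc-substatus sc-win32-status sc-bytes cs-bytes time-taken) — verify against
# the "#Fields:" header of the files being parsed.
$lineRegex = "^(?<Timestamp>\S+ \S+) \S+ \S+ \S+ (?<Method>\S+) (?<URIQuery>\S+ \S+) \d+ (?<User>\S+) (?<IP>\S+) \S+ \S+ \S+ \S+ \S+ (?<Response>\S+) \S+ \S+ (?<ServerBytesSent>\d+) (?<ClientBytesSent>\d+) (?<MS>\d+)"

$sites = Get-IISSite
$ParsedLogs = [System.Collections.Generic.List[System.Object]]::new()
# same cutoff for every site and file, so compute it once
$cutoff = [DateTime]::Now.AddHours(-$duration)

foreach ($site in $sites) {
  Write-Host " Checking $($site.Name) Logs" -ForegroundColor Green
  # IIS stores the log directory with unexpanded variables (e.g. %SystemDrive%),
  # which Get-ChildItem cannot resolve on its own; expansion is a no-op when
  # the path is already literal
  $logRoot = [Environment]::ExpandEnvironmentVariables($site.LogFile.Directory)
  $logDir = Join-Path $logRoot ("w3svc" + $site.Id)
  Write-Host " $logDir" -ForegroundColor DarkGray
  # -File: a subdirectory handed to Select-String would error out the loop
  $logs = Get-ChildItem -LiteralPath $logDir -File |
    Where-Object { $_.LastWriteTime -ge $cutoff }
  foreach ($log in $logs) {
    Write-Host " Parsing $($log.FullName)" -ForegroundColor DarkGreen
    # -LiteralPath with FullName: on Windows PowerShell a FileInfo stringifies
    # to just the file name, which only resolves when the cwd happens to be
    # $logDir; -SimpleMatch states the (already literal) intent of the patterns
    $results = @(
      Select-String -LiteralPath $log.FullName -Pattern $methodPatterns -SimpleMatch |
        ForEach-Object {
          # Match $_.Line, not $_: a MatchInfo stringifies as path:lineno:text,
          # so matching the object itself leaks the file path into Timestamp.
          # Matching and projecting in one scriptblock also keeps $matches from
          # being clobbered between a filter stage and a projection stage.
          if ($_.Line -match $lineRegex) {
            [pscustomobject]@{
              Server          = $env:COMPUTERNAME           # was $server, which was never assigned
              Timestamp       = $matches['Timestamp']      # as logged (W3C logs are normally UTC)
              Method          = $matches['Method']
              URIQuery        = ($matches['URIQuery']).Replace(' ', '?')   # rejoin stem and query; "?-" means no query
              User            = $matches['User']
              IP              = $matches['IP']
              Response        = $matches['Response']
              # [long] rather than [int]: a single large download can exceed
              # 2 GB of sc-bytes, and a cast overflow would abort the script
              ServerBytesSent = [long]$matches['ServerBytesSent']
              ClientBytesSent = [long]$matches['ClientBytesSent']
              MS              = [long]$matches['MS']
            }
          }
        }
    )
    # AddRange flattens: one list element per request line rather than one
    # array per file, so $ParsedLogs.Count and $ParsedLogs.URIQuery mean rows
    $ParsedLogs.AddRange($results)
  }
}

# Examples of using the data
# (URIQuery, User and IP are taken verbatim from client requests — treat them
# as untrusted text if they are ever passed on to other commands)
# most frequently requested pages
$ParsedLogs.URIQuery | Where-Object { $_ -like "*.aspx*" } | Group-Object | Sort-Object -Property "Count" -Descending | Select-Object -First 20 | Format-Table -Property ("Count", "Name");
# most frequent User
#$ParsedLogs.User | Group-Object | Sort-Object -Property "Count" -Descending | Select-Object -First 10 | Format-Table -Property ("Count", "Name");
# most frequent IP
#$ParsedLogs.IP | Group-Object | Sort-Object -Property "Count" -Descending | Select-Object -First 10 | Format-Table -Property ("Count", "Name");
<# URI with the longest total amounts of time, this number can be affected by the client side as well as the server execution time and pages with more requests will obviously have high numbers here.
   (The earlier hand-rolled version looked rows up with $aggs.IndexOf($row.uriquery), which
   compares a string against PSObjects and so always returned -1, adding every increment to
   the last element; Group-Object/Measure-Object avoids that.)
$ParsedLogs |
  Group-Object -Property URIQuery |
  ForEach-Object {
    [pscustomobject]@{
      URIQuery = $_.Name
      TotalMS  = ($_.Group | Measure-Object -Property MS -Sum).Sum
    }
  } |
  Sort-Object -Property TotalMS -Descending | Select-Object -First 10 | Format-Table -Property ("TotalMS", "URIQuery");
#>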