Monitoring IIS Web Server with Logparser and the RRDtool
Thursday, March 12th, 2009 | Author:

Introduction

We read a lot of articles on how one can use MRTG as an intrusion detection tool, or to create a traffic graph for a particular network subnet or a single IP address, on the Linux platform with the Apache web server. But we find very few that allow us to have graphs on a Windows dedicated server with the IIS web server.

Here are some steps that can be used to create graphs on a Windows dedicated server with IIS as the web server. There is no need to go to the effort of configuring MRTG: we can simply produce graphs with logparser and the RRDtool from Tobias Oetiker, and the RRDtool can be used perfectly well without the rest of MRTG.

Logparser

Logparser is a great free tool from Microsoft. It was written by Gabriele Giuseppini, a Software Design Engineer from the test department. The first version of logparser was an internal testing tool inside Microsoft. Version 2 was made publicly available at the website, version 2.1 was a part of the IIS resource tools kit and version 2.2 was made available in January 2005.

Here is a brief introduction to how logparser works:

Logparser needs three things: an input format, an output format and a query. The query is written in a dialect of SQL.

There are a few very interesting articles on Microsoft's website, one written by the author himself:
How to use Logparser
Another one from Scripting Guys:

The article from the Scripting Guys shows you how to use logparser directly in a script through a COM object.

You can download Logparser from the link below:
DOWNLOAD LOGPARSER

The above download has a portable help file in the application directory. This help file gives you the parameters of all the properties of logparser.
There is also an unofficial website specially for logparser:
www.logparser.com

About RRDtool.

What is the RRDtool:

The RRDtool, or Round Robin Database tool, is a tool that can store data in a database and create graphs from it. The really great thing about the RRDtool is that the database does not grow. It stays almost the same size as when it was created.

The RRD website has some really good tutorials, and it is recommended to read them before you use the RRDtool:
RRDTool Website
You can also download the RRDtool from this website. The only problem is that you need to compile it, but if you download it with the MRTG bundle from the link below, the package contains a compiled version of the RRDtool. If you unpack the MRTG bundle, you can copy the RRDtool directory to your scripting directory or your application directory and start using it.
DOWNLOAD RRDtool Compiled Version

Create Database.

Before you can use the RRDtool you need to create the database.
The link below has all the information on how and why to create a database along with the parameters.
How to create a database
Parameters

You can also use a script to do that.


'#start script.
' Build the "rrdtool create" command line piece by piece, then run it.
Set WshShell = WScript.CreateObject("WScript.Shell")
strCMD = ".\bin\rrdtool.exe create Eservicing.rrd"
strCMD = strCMD & " --start N "
strCMD = strCMD & " -s 300"
' Three data sources: total hits, 4xx errors and 5xx errors
strCMD = strCMD & " DS:Hits:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error400:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error500:GAUGE:600:0:2000000"
' Four round robin archives
strCMD = strCMD & " RRA:AVERAGE:0.5:1:288"
strCMD = strCMD & " RRA:AVERAGE:0.5:2:2016"
strCMD = strCMD & " RRA:AVERAGE:0.5:4:2232"
strCMD = strCMD & " RRA:AVERAGE:0.5:12:8760"

WshShell.Run strCMD
'#end script.

Here is an explanation of every command in the script:

Set WshShell = WScript.CreateObject("WScript.Shell")
This line creates the shell object you need to run the RRDtool.
In the next 10 lines I create the command line that I run in the last line.

strCMD = ".\bin\rrdtool.exe create Eservicing.rrd"
This starts the RRDtool with the create function and gives the name of the database.

strCMD = strCMD & " --start N "
--start sets the start time of the database, and N is the current time. The RRDtool works with Unix time, which is the number of seconds since 1 January 1970.

strCMD = strCMD & " -s 300"
-s is the number of seconds between database updates.

strCMD = strCMD & " DS:Hits:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error400:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error500:GAUGE:600:0:2000000"

With these three lines I create three data sources. DS stands for data source, Hits is the name of the data source, GAUGE is one of the four types of data sources, and 600 is the number of seconds between the records: if there is no input after 600 seconds, the value is NULL. 0 is the minimum value of the record and 2000000 is the maximum value.

strCMD = strCMD & " RRA:AVERAGE:0.5:1:288"
strCMD = strCMD & " RRA:AVERAGE:0.5:2:2016"
strCMD = strCMD & " RRA:AVERAGE:0.5:4:2232"
strCMD = strCMD & " RRA:AVERAGE:0.5:12:8760"

These four lines create four Round Robin Archives. RRA stands for Round Robin Archive, AVERAGE is one of the four consolidation functions, 0.5 is the consolidation interval, and 1 is the number of data sources that are consolidated into one record in the Round Robin Archive. If a DS is created every 600 seconds and the value is 4 instead of 1, a record is added to the archive every 2400 seconds. The last value is the number of records the archive contains.
The first line creates a Round Robin Archive with a consolidation interval of 0.5. Every data source gets a record in the archive, and the archive is 288 records long.

WshShell.Run strCMD
And with this line the command is executed.
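
As an added example (Python, not part of the original article's scripts), the following works out what each archive in the create script covers: one row spans the -s step multiplied by the RRA's steps value, and the row count fixes both the retention period and the amount of row data in the file. The function name and the estimate of 8 bytes per stored value (file header excluded) are this example's assumptions.

```python
STEP = 300  # seconds, the value given with -s in the create script

# DS and RRA definitions copied from the article's create script.
CREATE_ARGS = [
    "DS:Hits:GAUGE:600:0:2000000",
    "DS:Error400:GAUGE:600:0:2000000",
    "DS:Error500:GAUGE:600:0:2000000",
    "RRA:AVERAGE:0.5:1:288",
    "RRA:AVERAGE:0.5:2:2016",
    "RRA:AVERAGE:0.5:4:2232",
    "RRA:AVERAGE:0.5:12:8760",
]

def describe(args, step):
    """Return (data_sources, archives, approx_data_bytes)."""
    sources, archives = [], []
    for arg in args:
        kind, *rest = arg.split(":")
        if kind == "DS":
            name, ds_type, heartbeat, low, high = rest
            sources.append({"name": name, "type": ds_type,
                            "heartbeat_s": int(heartbeat),
                            "min": float(low), "max": float(high)})
        elif kind == "RRA":
            cf, _third_field, steps, rows = rest
            resolution = step * int(steps)      # seconds covered by one row
            archives.append({"cf": cf, "resolution_s": resolution,
                             "rows": int(rows),
                             "retention_days": resolution * int(rows) / 86400})
        else:
            raise ValueError("unexpected argument: " + arg)
    # Assumption: one 8-byte value per data source per row, header excluded.
    data_bytes = 8 * len(sources) * sum(a["rows"] for a in archives)
    return sources, archives, data_bytes

if __name__ == "__main__":
    sources, archives, data_bytes = describe(CREATE_ARGS, STEP)
    for a in archives:
        print(f'{a["cf"]}: one row per {a["resolution_s"]} s, '
              f'{a["rows"]} rows = {a["retention_days"]:g} days')
    print(f"about {data_bytes} bytes of row data, fixed at creation")
```

The four archives therefore keep one day at 5-minute resolution, two weeks at 10 minutes, a month at 20 minutes and a year at one hour.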

Update database.

With the next script we use logparser to evaluate the log file from an IIS server. We can run this script every 5 minutes to write the results to the RRD database.

'#start script
Const ForReading = 1, ForWriting = 2, ForAppending = 8
'-------------------------------------------------------------------------
' Directory that holds the IIS log files of the site; adjust to your server
LogDir = "serverd$logsyswwwsiteW3SVC1"
Set WSHShell = CreateObject("Wscript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set objLogParser = CreateObject("MSUtil.LogQuery")
Set objDictIISlogslist = CreateObject("Scripting.Dictionary")

Dim strDate
Dim count
Error400 = 0
Error500 = 0
'-------------------------------------------------------------------------
Main
'-------------------------------------------------------------------------
Sub Main
    Call MakeStrDate
    Call GetUniqueHits
    Call GetStatus
    Call UpdateRRD
End Sub
'-------------------------------------------------------------------------
' Build the yymmdd string used in the name of today's log file
Sub MakeStrDate
    strMonth = Month(Now)
    If Len(strMonth) = 1 Then
        strMonth = "0" & CStr(strMonth)
    End If
    strDay = Day(Now)
    If Len(strDay) = 1 Then
        strDay = "0" & CStr(strDay)
    End If
    strYear = Right(Year(Now), 2)
    strDate = strYear & strMonth & strDay
End Sub
'-------------------------------------------------------------------------
' Count the log entries added since the previous run
Sub GetUniqueHits
    Set objInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")
    objInputFormat.recurse = -1
    ' The checkpoint file makes each run parse only the new log entries
    objInputFormat.iCheckPoint = strDate & ".lpc"
    strQuery = "SELECT count(*) as UniqueHits FROM '" & _
        LogDir & "ex" & strDate & ".log'"
    Set objRecordSet = objLogParser.Execute(strQuery, objInputFormat)
    Do While Not objRecordSet.AtEnd
        Set objRecord = objRecordSet.GetRecord
        count = objRecord.GetValue("UniqueHits")
        objRecordSet.MoveNext
    Loop
End Sub
'-------------------------------------------------------------------------
' Add up the 4xx and 5xx responses added since the previous run
Sub GetStatus
    Set objInputFormat = CreateObject("MSUtil.LogQuery.IISW3CInputFormat")
    objInputFormat.recurse = -1
    objInputFormat.iCheckPoint = strDate & "Error.lpc"
    strQuery = "SELECT sc-status , COUNT(*) as Hits FROM '" & LogDir & "ex" & strDate & ".log' WHERE sc-status > 399 GROUP BY sc-status ORDER BY Hits DESC"
    Set objRecordSet = objLogParser.Execute(strQuery, objInputFormat)
    Do While Not objRecordSet.AtEnd
        Set objRecord = objRecordSet.GetRecord
        If objRecord.GetValue("sc-status") > 399 And objRecord.GetValue("sc-status") < 500 Then
            Error400 = Error400 + objRecord.GetValue("Hits")
        End If
        If objRecord.GetValue("sc-status") > 499 And objRecord.GetValue("sc-status") < 600 Then
            Error500 = Error500 + objRecord.GetValue("Hits")
        End If
        objRecordSet.MoveNext
    Loop
End Sub
'-------------------------------------------------------------------------
' Write the three values to the database, N being the current time
Sub UpdateRRD
    strRun = ".\bin\rrdtool update Eservicing.rrd N:" & count & ":" & Error400 & ":" & Error500
    X = WshShell.Run(strRun, 0, True)
End Sub
'-------------------------------------------------------------------------
'#end script

We will not explain this script line by line as it is a pretty simple script.
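
The same counting, shown as an added example in Python rather than the article's VBScript and Logparser (it is not part of the original article): it reads W3C extended log lines, follows the #Fields directive so the column order may change inside one file, groups requests into 300-second intervals and formats one rrdtool update argument per interval with an explicit timestamp instead of N, which goes beyond the article by allowing old log files to be loaded. The log lines are constructed sample data, the function names are this example's own, and the log times are assumed to be UTC.

```python
from datetime import datetime, timezone

STEP = 300  # seconds; same step as the article's RRD

# Constructed sample of an IIS W3C extended log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-03-12 10:00:04 192.0.2.10 GET /default.aspx 200
2009-03-12 10:01:30 192.0.2.10 GET /images/logo.gif 304
2009-03-12 10:03:59 198.51.100.7 GET /admin.php 404
2009-03-12 10:05:00 198.51.100.7 GET /login.aspx 500
#Fields: date time sc-status cs-uri-stem
2009-03-12 10:06:10 403 /backup.zip
2009-03-12 10:07:00 not-a-number /x
"""

def bucket_counts(lines, step=STEP):
    """Map interval end (Unix time) -> [hits, error400, error500]."""
    fields, buckets = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order can change mid-file
            continue
        if not line or line.startswith("#"):
            continue                    # other directives and blank lines
        row = dict(zip(fields, line.split()))
        try:
            stamp = datetime.strptime(row["date"] + " " + row["time"],
                                      "%Y-%m-%d %H:%M:%S")
            status = int(row["sc-status"])
        except (KeyError, ValueError):
            continue                    # skip rows that cannot be interpreted
        epoch = int(stamp.replace(tzinfo=timezone.utc).timestamp())
        end = epoch // step * step + step   # close of the interval
        counts = buckets.setdefault(end, [0, 0, 0])
        counts[0] += 1
        if 400 <= status < 500:
            counts[1] += 1
        elif 500 <= status < 600:
            counts[2] += 1
    return buckets

def update_args(buckets):
    """Format one 'time:Hits:Error400:Error500' argument per interval."""
    return [f"{ts}:{h}:{e4}:{e5}" for ts, (h, e4, e5) in sorted(buckets.items())]

if __name__ == "__main__":
    for arg in update_args(bucket_counts(SAMPLE_LOG.splitlines())):
        print("rrdtool update Eservicing.rrd", arg)
```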

Creating a Graphic with the RRDtool.

With the next script I create a graphic with the RRDtool.

Set WshShell = WScript.CreateObject("WScript.Shell")

strCMD = ".\bin\rrdtool graph .\graph\intranetNLweek.gif"
strCMD = strCMD & " --start N-1w --end N"
strCMD = strCMD & " --vertical-label " & Chr(34) & "Hits " & Chr(34)
strCMD = strCMD & " --title INTRANET"
strCMD = strCMD & " DEF:Xhits=.\database\intranetNL.rrd:Hits:AVERAGE"
strCMD = strCMD & " DEF:Xerror400=.\database\intranetNL.rrd:Error400:AVERAGE"
strCMD = strCMD & " DEF:Xerror500=.\database\intranetNL.rrd:Error500:AVERAGE"
strCMD = strCMD & " LINE2:Xhits#FF0000:" & Chr(34) & "Hits" & Chr(34)
strCMD = strCMD & " LINE2:Xerror400#00FF00:" & Chr(34) & "400 Errors" & Chr(34)
strCMD = strCMD & " LINE2:Xerror500#0000FF:" & Chr(34) & "500 Errors" & Chr(34)

WshShell.Run strCMD

Note two important things in this script:
1. The DEF line: this line defines the data sources you use.
2. The LINE2 line: this defines the line in the graphic.