
Log Parser Studio is now available – Microsoft Tech Community.Log Parser Tutorial: Learn to Parse Many Input Formats | Scalyr




These steps will allow you to safely install Log Parser Lizard. The entire process should only take a minute. Choose the directory where you want to install Log Parser Lizard, agree to the licensing terms, and click ‘Install’ to begin the installation process.

At this point, you may be prompted by User Account Control informing you that you are making changes to your computer. You will need to agree to make these changes for the installation process to continue.

Finally, you will see a screen informing you that installation is complete. You are now ready to run Log Parser Lizard for the first time. Note that starting Log Parser Lizard from the Installation Complete page will run Log Parser Lizard under the same user account as the installer. This may be problematic if you have installed Log Parser Lizard under a special account. If you have any problems installing Log Parser Lizard, please have a look at our FAQ, or contact us for assistance.

.NET Framework 4 is required. If you are using Windows 7, make sure you have at least that version installed; Windows 10 and Windows Server should already have it installed. The MS Logparser engine is required for most of the queries and for the complete functionality of Log Parser Lizard. To download MS Logparser 2. Log Parser Lizard supports auto-update when a new release is available. If you are prompted by Log Parser Lizard, accept the newest update and it will be installed; you won’t need to do anything else to get the latest bits.

Note: You can disable auto-update if you prefer to update Log Parser Lizard on your own schedule. Once you have installed Log Parser Lizard, reading the excellent help documentation will help you learn more about using Log Parser Lizard and writing SQL queries; find the buttons on the toolbar. There are also a number of great resources on the Internet. Please check our Help Center and the following links for additional information.

There are two editions of LPL: free trial and Professional. The Professional edition caters for the extra needs of professional system administrators and developers – and quite a few power users as well. There are advanced features in the Professional version that most people will find useful. Also, the free trial is available for 20 days only, so if you need LPL for longer you should upgrade.

A single-user license for the full version of Log Parser Lizard is an identified-user license. The registered user is the only authorized user of that license. A single-user license allows Log Parser Lizard to be installed in up to two locations as long as the authorized user is the only one with access to the software.

The purchaser cannot sell, lease, sub-lease, transfer or distribute the software to any other person. More single-user licenses can be ordered if necessary, if the total number of LPL installations used by a single user is more than 2 or LPL is used by more than one person.

A company license is a permission to allow the total number of installations, usually for a large company. A company means an organization, including public and private companies, corporations, institutions and non-profit organizations.

If you order a company license, the full version of Log Parser Lizard can be installed on up to 60 computers or servers across a single company and can be used by any number of users. One license key is issued to register a company license on all computers. More company licenses can be ordered if necessary, if the total number of LPL installations is more than

In the corporate environment, the IT staff need to share information between computers.

For the very best in cutting edge capability you simply cannot go wrong with the one-two punch of the Log Parser Lizard Professional Edition combined with the multiple license package best suited to your situation. This will yield the maximum discount we give, while providing you with the widest range of features and capabilities.

Simply contact Lizard Labs Software within 15 days of your purchase and receive a no-hassle refund. Oh YES. It’s intellisense and tooltips, baby!

The Internet is rife with excellent examples of Log Parser queries. I’ll cover a few here and provide some links to more comprehensive lists [2] [3] [4].

To really learn Log Parser I recommend grabbing some sample data, doing a Google search, and just playing with whatever queries strike your fancy. Like any computer language, there are multiple ways to achieve the same results, and taking the time to understand different queries is a quick way to learn the various functions and syntax. Do not be overwhelmed — you can create very powerful queries with a very limited Log Parser vocabulary. As an example, consider the following query:

I often run this query because it gives me a quick view of the different file types that were requested from the web server. cs-uri-stem is an IIS log field that records the page requested from the web server [5]. The output in Figure 3 gives me a good starting point for my review.

Knowing the multitude of CGI vulnerabilities that exist, I would certainly want to look deeper there. Similarly, I would also plan to investigate what.

The next step is to run a follow-up query. I added two items to this query. The first, sc-status, provides the HTTP status code for the request, indicating whether the web requests were successful or unsuccessful [6].

In this case, I indicated I only wanted to see the count of status codes for files with a CGI extension. Looking at the results in Figure 4, I can see there were no successful requests for CGI files on this server. They were either not found or the server refused to respond to the request. A final action might be to take a look at some of the CGI queries to determine whether the errors were due to misconfigurations or nefarious activity.

A quick review of the results in Figure 5 shows requests for several suspicious CGI files as well as a browser user agent of “Nikto”. The key takeaway is that during a log review, you will be running multiple queries to cut across a massive amount of data. By slicing the data in different ways, you have a much better chance of finding anomalous or malicious activity than if you were to attempt to review the logs manually.
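The three-step triage described above (request counts per file extension, the status-code breakdown for CGI files, then the individual CGI requests and their user agents), as an added Python example that is not from the original article, for readers who want to reproduce it without Log Parser. It assumes an IIS W3C log with a `#Fields:` header; the log lines below are constructed sample data.

```python
from collections import Counter
from posixpath import splitext

# Constructed sample IIS W3C log (not real traffic); '+' replaces spaces in the UA.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2023-11-02 01:03:11 198.51.100.7 GET /index.html - 200 Mozilla/5.0
2023-11-02 01:03:12 198.51.100.7 GET /images/logo.png - 200 Mozilla/5.0
2023-11-02 01:14:40 203.0.113.9 GET /cgi-bin/test.cgi - 404 Mozilla/5.00+(Nikto/2.1.6)
2023-11-02 01:14:41 203.0.113.9 GET /cgi-bin/phf.cgi - 403 Mozilla/5.00+(Nikto/2.1.6)
2023-11-02 01:14:42 203.0.113.9 GET /scripts/foo.cgi - 404 Mozilla/5.00+(Nikto/2.1.6)
2023-11-02 08:20:05 192.0.2.33 GET /default.asp id=1 200 Mozilla/5.0
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the '#Fields:' header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat when the log rolls over
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def extension(record):
    """File extension of cs-uri-stem, lower-cased; '(none)' for directories and the like."""
    return splitext(record["cs-uri-stem"])[1].lower() or "(none)"


def count_by_extension(records):
    """First query in the text: how many requests per requested file type."""
    return Counter(extension(r) for r in records)


def status_for_extension(records, ext):
    """Second query: sc-status distribution restricted to one extension (e.g. '.cgi')."""
    return Counter(r["sc-status"] for r in records if extension(r) == ext)


def suspicious_requests(records, ext=".cgi", scanner_marker="nikto"):
    """Third query: the individual requests for that extension, flagging a known
    scanner name in the user agent so the analyst can separate misconfiguration
    from probing. Returns (cs-uri-stem, sc-status, flagged) tuples."""
    return [(r["cs-uri-stem"], r["sc-status"],
             scanner_marker in r["cs(User-Agent)"].lower())
            for r in records if extension(r) == ext]


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print("Requests per extension:", dict(count_by_extension(recs)))
    print("Status codes for .cgi:", dict(status_for_extension(recs, ".cgi")))
    for stem, status, flagged in suspicious_requests(recs):
        print(f"{stem} -> {status}{'  [scanner UA]' if flagged else ''}")
```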

Log Parser has a myriad of uses other than just parsing text files. The Windows Registry is a great example of a very large binary file that Log Parser can natively search. Figure 6 shows an example of sorting the Registry by LastWriteTime.

This system was suspected of being compromised at the beginning of November, and we were looking for any changes precipitated by the intruders.

Among other things, the results make it clear that WinSCP was installed on the system during that timeframe. This notation allows querying of remote machines over the network.

It is particularly useful if you are searching multiple systems for a specific indicator of compromise. This is a good example of when the command line version can be helpful, particularly when built into live response scripts. Unfortunately I am not aware of any easy way to use Log Parser to query offline Registry files that we might pull from a forensic image. The current version of Log Parser does not accept offline Registry files as input.

If you were truly motivated, you could extract data from the Registry hives in text form and pipe it to Log Parser, but it would need to be a special case to be worth the effort. By looking for the same attacks in different ways, you increase your chances of finding that needle in the haystack. Malicious activity on your system is by definition anomalous and will usually be among the least frequent events on a system.

Use Log Parser to trend activity such as hourly hits to critical. If you see thousands of errors in your logs and only a few errors, or a grouping of abnormal entries at 1AM on Saturday, those items might be worth investigating. Often times a more in-depth investigation can be avoided with just a little more information.

As an example, sometimes adding the web request query string (cs-uri-query) is much more helpful than just reviewing the page requested (cs-uri-stem) alone (Figure 7). I have only touched on a few of Log Parser’s capabilities. It can slice and dice Event Logs, both .EVT and .EVTX, with aplomb. Remote systems can be queried and large-scale searches of Active Directory objects can be performed.

If it is an issue with resource ACLs, the Filemon tool will be able to catch the error. Now, you ask the customer to send you the saved Filemon log file. Here comes the unfortunate part. You get the file, say Filemon. Notepad will appear to hang and will be painfully slow to find the “Access Denied” lines in the log file. Microsoft Office Excel will refuse to open the file completely. Now what? Answer: Open the Log Parser command window, and use the following command. If you turn the -q command-line switch on, the statistics shown and the field name Text in the output below will be absent.

Answer: Use the -rtp parameter in your queries! This will be a necessary parameter in case you want to redirect the output into a file.

Also, when you write to STDOUT, output records are displayed in batches made up of a number of rows equal to the value specified for this parameter. Once a batch of rows has been displayed, Log Parser will prompt the user to press a key to display the next batch of rows. Specifying “-1” for this parameter disables batching altogether! Another way to achieve the same results in a cleaner way is to create a query file. This way, you can easily tweak your query file and run it from the Log Parser tool’s command line.

Apart from that, you can easily create a GUI according to your taste. If you want to achieve the same effect as in Scenario 1 from SQL queries, you can provide the following command. If you notice, the query looks much cleaner now and makes more sense. This way, you can create more complex and larger queries as well, and everything will fit on your command line because you are using the .SQL file instead of the whole query.

It is not possible to fit more than characters on the command line anyway! Keeping the benefits of using query files, I will use this method in the following scenarios. You have a folder, and there are quite a few subfolders and files in it. You want to find out the top 10 largest files in that folder, including its subfolders. I know, for a specific folder, you can simply change the view on the View menu, click Details in Windows Explorer and sort the view by size.

But the problem here is that you need to account for the subfolders’ contents as well. Answer: Open the Log Parser tool command window, and use the following command. Here -i:FS signifies that we are querying the file system. You can view the complete list of FS input format fields in the documentation and frame your query accordingly. If you don’t want all the subfolders or want to limit recursion, use 0, 1, 2, etc. The number implies the depth the parser will go into.

Statistics: Elements processed: Elements output: 10 Execution time: 0.

.NET Web sites, and are not really happy with the performance. Log Parser supports several Output Formats. To continue with our example, this query will write the results to a CSV file. In our example, the file had a CSV extension. It contains many default queries that you can modify to fit your needs. This shows its age. The latest version dates back to April However, OWC is only supported up until Office Even the extended support has been dropped for some time now.

If you need dashboards and overviews, quick access to detailed information that you need often, or ease of use for less tech-savvy people, Log Parser is limited. In such a case, take a look at Scalyr. It supports custom queries and monitoring Kubernetes. Logs are a rich source of information, but in order to make the best of them you need powerful features. Scalyr comes with a bundle of them.

Scalyr has a lot of ability. In short, think of Scalyr as a Swiss Army knife for log management. If all of this grabs your interest, take Scalyr out for a spin.
Once you learn the basics, its power is really only limited by your creativity. Log Parser installs with excellent documentation, and there is even an entire book on the subject [8].

Log Parser : The Official Microsoft IIS Site
At least there should be a way to start. You can view the complete list of IISW3C input format fields in the documentation and frame your query accordingly. Click Properties, click the Advanced tab, and then click to select all the options. .NET Web sites, and want to know the most commonly used.

It is always better to spend time tweaking the most-used pages rather than the pages that are used sparingly, although there could be exceptions to this rule. Say the sparingly used page is a really bad page that causes high CPU utilization, for that matter! Now, if you find that a certain page takes a long time to be served (Scenario 3) and the page is one of the most commonly used pages, you should always confirm that the page behaves well under stress. The -groupSize parameter specifies the width and height of the target image, in pixels.

The set of available chart types depends on the version of the Microsoft Office Web Components installed on the local computer. Here is how the output looks. As you have already seen, there are multiple ways in which the Log Parser tool can prove really helpful in analyzing the data from various logs. Only creativity is the limit here! There are almost unlimited ways in which the data can give you a much better picture, and it could be something you can act upon.

What we have touched is just the tip of the iceberg! .NET, etc. Check out the “Resources” section below. I would like to discuss more scenarios for the Log Parser tool, and I have created a new section in my blog just for the Log Parser tool.

If you have any suggestions for scenarios or Log Parser tool queries that you want to share, please mail me at rahulso microsoft. As always, feel free to submit ideas on topics you want addressed in future columns or in the Knowledge Base using the Ask For It form. The third-party products that this article discusses are manufactured by companies that are independent of Microsoft.

Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

To customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns.

About: Log Parser is a very powerful, versatile tool that provides universal query access to text-based data, such as log files, XML files, and CSV files, as well as key data sources on the Microsoft Windows operating system, such as the event log, the registry, the file system, and the Active Directory directory service.

Scenario 1: Parsing large text files for a specific text. A small background of the problem: your customer experiences an “Access Denied” issue when they did something.

Basically, you point Log Parser to a source, tell it what format the logs are in, define a query, and write the output somewhere. An example will make this clear. This query will show us the number of errors per day in the Application event log. You can run this in the installation folder of Log Parser. We can put this query in a SQL file and format it nicely like below. EventType 1 indicates errors and EventType 2 indicates warnings. I can see that there were seven errors and warnings on the 15th of May.

I also see that the Elements Processed value i. This confirms that Log Parser is parsing all available logs for our filters. If you have access to a remote machine, you can even run Log Parser on your machine but query logs on the remote machine. Then you can create some advanced queries. For example, this query can show you the different user agents in all of the log files of a website hosted by IIS. I set up a local website and executed some requests using two browsers and a load testing tool.

This is the result:
