Get the usernames from IIS Cognos logs - Logparser sample 1

Logparser is the smartest tool I have ever used for parsing IIS log files, and there are many interesting things I want to share with everyone. This is one real-world scenario from my current project.

Let's get started with the scenario:
How do we get a username from IIS logs even when anonymous access is enabled? In other words, IIS is configured with anonymous authentication, but we need to find the username of the user who logged into our application.

So the challenge is: using the Logparser tool, get the usernames of the users who logged into the Cognos application(s) from the Cognos IIS logs. After repeatedly reviewing the IIS logs, one interesting thing that surfaced was the data in the cs(cookie) field.

Below is an example of what the cs(cookie) attribute looks like.


If you observe the attribute carefully, you will see that the username of the user who logged into Cognos is present in it. I have underlined the username "cognosadmin", which is the one I was interested in, to help you find it. But how can I extract only cognosadmin, or any other username, from cs(cookie) through Logparser? I fought with this for almost 3 to 4 hours, working with various functions to get the usernames without relying on any static indices into the attribute. Here is the trick I came up with:
logparser "select EXTRACT_PREFIX(EXTRACT_TOKEN(cs(cookie),2,'auid*3d'),0,'*') AS test from c:\ex*.log where cs(cookie) like '%auid%'"


Once you run the above command, it displays only "cognosadmin", or whatever username is present in cs(cookie), because the extraction is dynamic.
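The same extraction as the Log Parser query above, reproduced in Python as an added example (not the author's code) for auditing logs on a machine without Log Parser; it goes beyond the query by counting hits per username and client IP. The log lines and cookie layout are constructed, since the page's cookie sample is not shown, and the function names are this example's own.

```python
from collections import Counter

MARKER = "auid*3d"  # separator string from the article's EXTRACT_TOKEN call

# Constructed W3C-format sample; the real Cognos cookie layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2010-05-01 10:00:01 10.0.0.5 GET /app 200 a=auid*3d0*26b=auid*3dcognosadmin*26c=1
2010-05-01 10:00:07 10.0.0.5 GET /app 200 a=auid*3d0*26b=auid*3dcognosadmin*26c=2
2010-05-01 10:02:30 10.0.0.9 GET /app 200 a=auid*3d0*26b=auid*3djsmith*26c=1
2010-05-01 10:03:00 10.0.0.7 GET /app 200 -
2010-05-01 10:04:00 10.0.0.8 GET /app 200 a=auid*3dguest*26c=1
"""

def extract_token(value, index, sep):
    """Like EXTRACT_TOKEN: 0-based piece of value split on sep, None if absent."""
    parts = value.split(sep)
    return parts[index] if index < len(parts) else None

def usernames(log_text, token_index=2):
    """Count (username, client IP) pairs found in the cs(Cookie) column."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order can change mid-file, so re-read every #Fields line.
            fields = [f.lower() for f in line.split()[1:]]
            continue
        if not line or line.startswith("#") or "cs(cookie)" not in fields:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # truncated or malformed row
        cookie = cols[fields.index("cs(cookie)")]
        if "auid" not in cookie:  # WHERE cs(cookie) LIKE '%auid%'
            continue
        token = extract_token(cookie, token_index, MARKER)
        if token is None:
            continue  # fewer marker occurrences than the token index needs
        user = token.split("*", 1)[0]  # EXTRACT_PREFIX(token, 0, '*')
        ip = cols[fields.index("c-ip")] if "c-ip" in fields else "-"
        if user:
            hits[(user, ip)] += 1
    return hits

if __name__ == "__main__":
    for (user, ip), n in usernames(SAMPLE_LOG).most_common():
        print(f"{user}\t{ip}\t{n}")
```

Cookie values are supplied by the client, so a username recovered this way is best correlated with the application's own audit records before it is relied on.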

Download Log Parser 2.2
