Blog

Log Parser 2.2 is a free command line tool available from Microsoft.  It provides universal query access to text-based data such as log files, XML files, and CSV files.  It can also query Windows system data sources such as the Event Log, the Registry, the file system, Active Directory, and NetMon captures.  You can pick the information you want returned in the results, and those results can be sent to a text file, SQL Server, or SYSLOG.  This tool basically reads your log files and lets you query them as if they were in a SQL Server database.  It is also lightweight, at only a 1.4 MB download.

The possible uses for Log Parser are endless, but I use it specifically for querying IIS logs when troubleshooting problems.  For example, using this tool makes it easy to find all the requests made by a specific signed-in user.  Since this application is run at the command line, it can take a little time to get your query right, but after you get it working you can add the commands to a .bat file for future reference or scheduled tasks.  Here are some examples:

Search IIS Logs for User Requests
Here is an example batch file that, when run, searches a directory of IIS log files for all requests made by users signed in with a username ending in "@example.com" and saves the results to a text file (the doubled %% is required because the file is a .bat; at an interactive prompt use a single %):
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "SELECT logrow, date, time, c-ip, cs-username, cs-method, cs-uri-stem, cs-uri-query FROM '<your log directory path>\*.*' WHERE cs-username LIKE '%%@example.com%%' ORDER BY date, time, logrow" -i:IISW3C -rtp:-1 > c:\temp\example-requests.txt

Search IIS Logs for Most Downloaded Files
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "SELECT TOP 10 cs-uri-stem, COUNT(*) AS Downloads FROM '<your log directory path>\*.*' GROUP BY cs-uri-stem ORDER BY Downloads DESC" -i:IISW3C > c:\temp\most-downloaded.txt

Find 10 Largest Files in a Directory or Subdirectory
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "SELECT TOP 10 Path, Name, Size, Attributes FROM 'C:\Program Files\*.*' ORDER BY Size DESC" -i:FS -recurse:-1 > c:\temp\10-largest-program-files.txt

Get Number of Outbound Emails from Exchange
logparser.exe "SELECT connector-id, client-hostname, COUNT(*) AS Total INTO c:\temp\outbound-email-totals.csv FROM '<log file directory>\MSG*.log,<another log file directory>\MSG*.log' WHERE connector-id LIKE '%outbound' OR connector-id LIKE '%to Internet' GROUP BY client-hostname,connector-id WITH Rollup" -i:CSV -nSkipLines:4 -o:csv
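As an added illustration of what the first two IIS queries actually do (this is plain Python, not Log Parser and not the batch files above), here is a small reader for the IIS W3C log format that takes the column order from the #Fields directive and answers the same two questions over a constructed sample log:

```python
# Added example, not Log Parser and not the post's batch files: a small Python
# reimplementation of the two IIS-log queries above. It reads IIS W3C extended
# log lines, takes the column order from the #Fields directive as IIS writes it,
# and answers "requests by users whose name ends in @example.com" and
# "most requested URLs".
from collections import Counter

# Constructed sample IIS W3C log (not a real log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2010-12-01 08:00:01 10.0.0.5 alice@example.com GET /reports/q3.pdf - 200
2010-12-01 08:00:07 10.0.0.9 - GET /index.htm - 200
2010-12-01 08:01:12 10.0.0.5 alice@example.com GET /downloads/tool.zip id=7 200
2010-12-01 08:02:44 10.0.0.7 bob@example.com GET /downloads/tool.zip - 200
2010-12-01 08:03:10 10.0.0.9 - GET /downloads/tool.zip - 304
2010-12-01 08:04:55 10.0.0.8 carol@other.org GET /reports/q3.pdf - 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names from #Fields.
    IIS writes "-" for an empty field; it is kept as a literal hyphen."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()   # new column layout
            continue
        if not raw or raw.startswith("#"):
            continue                                # other directives / blanks
        values = raw.split(" ")
        if fields is None or len(values) != len(fields):
            continue                                # malformed line: skip it
        yield dict(zip(fields, values))

def user_requests(text, suffix="@example.com"):
    """Like the first query: rows whose cs-username ends with the suffix,
    ordered by date and time (the post's LIKE '%...%' also matches it mid-string)."""
    rows = [r for r in parse_w3c(text) if r["cs-username"].endswith(suffix)]
    return sorted(rows, key=lambda r: (r["date"], r["time"]))

def most_downloaded(text, top=10):
    """Like the second query: TOP n cs-uri-stem with COUNT(*), descending."""
    return Counter(r["cs-uri-stem"] for r in parse_w3c(text)).most_common(top)

if __name__ == "__main__":
    for r in user_requests(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-username"], r["cs-uri-stem"])
    for stem, n in most_downloaded(SAMPLE_LOG, 3):
        print(n, stem)
```

Point it at a real log by reading the file into the text argument; the #Fields line in the file drives the column names, so a different IIS field selection still works.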

This is a very flexible tool.  There are tons of parameters that control how the application functions, and the number of different queries you could write is limited only by your imagination.  I’ve found the best way to get started using it is to look at examples, and there is a “Samples” folder included in the install directory that is helpful.

Related Links
Home Page (http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1976)
Log Parser 2.2 Documentation (http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1976)
Download (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en)
TechNet Article (http://technet.microsoft.com/en-us/library/ee692937.aspx)
Other examples of IIS log queries (http://blogs.iis.net/carlosag/archive/2010/03/25/analyze-your-iis-log-files-favorite-log-parser-queries.aspx)
Log Parser Forums (http://forums.iis.net/default.aspx?GroupID=51)
Graphing Ping Results (http://www.adopenstatic.com/cs/blogs/ken/archive/2005/05/30/22.aspx)
Query Windows Event Log (http://oreilly.com/pub/a/windows/2005/07/12/logparser.html)



After listening to a security podcast about Flash security, I decided to change some of my settings. You can do this by going to the Adobe Flash Player Settings Manager web page and clicking on the tabs to disable features.  One of the settings I disabled was "Allow third-party Flash content to store data on your computer".

Adobe Flash Player Settings Manager

One thing I noticed after I disabled the "Allow third-party Flash content to store data on your computer" option was that videos at some sites like CNET stopped working. This was happening regardless of which browser I tried, so I suspected a problem with Flash.  But other Flash content, like YouTube, worked.  Eventually, I remembered changing the Flash settings and re-enabled the third-party Flash content to fix the problem.



One of our Lubbock IT support clients uses both the PS and PCL6 versions of the Xerox Global Print Driver (GPD) in a Windows 2008-x86 clustered print server environment.

To fix an issue that we were having with v5.173 of the GPD, Xerox suggested we upgrade to the current 5.185 version of the driver.

I successfully upgraded the PS language of the v5.185 driver on both print servers without any problems.

The problem appeared after I upgraded the PCL6 driver. I downloaded and installed the PCL6 driver on both print servers. Both servers showed that the update was installed successfully; however, the version of the driver within Print Management still showed as v5.173. When I pulled up the printer that was using the driver, the version showed as the updated version (5.185). When print jobs were sent to printers using the updated PCL6 version of this driver, the print spooler would crash and fail over. This occurred on both print servers.

I was unable to uninstall the driver at this time, because over 40 printers were pointed to this driver. I then modified each printer to use the PS version of the driver. After doing so, I then removed the driver package from the print server through print management. I successfully removed the driver and the package from one print server. On the second print server, I received the following error upon removal: “Failed to remove driver package x2univx.inf. Driver package in use.” The driver itself was no longer listed in the print management window.

I then reinstalled v5.185 of the global print driver on both servers. Printing was successful on the print server on which the driver was removed successfully. However, the print spooler continued to crash on the server which had the error on driver removal. I attempted to remove the driver again, but received the same error. Restarting the print spooler as well as the server after an install but before the removal did not alleviate the issue. At this point, I called Xerox. Unfamiliar with the issue, they suggested I remove some files manually from the print virtual quorum. I completed this process, but the error still occurred upon driver removal.

Finally, I reinstalled v5.173 of the global print driver. After a successful installation, I then attempted to remove the driver.  The driver package was removed successfully, and I installed the new version of the driver (v5.185). I modified some of the printers to use this new driver and printing was successful.



After the December 2010 Internet Explorer 8 updates I was seeing some strange behavior for a couple of sites, including gotomeeting.com.  Users could get to the first page, but if they clicked on any of the links they would get a "page cannot be displayed" error.  It appeared that the user could browse to the first page via the proxy, but all subsequent pages were being sent direct.

It turns out the IE8 updates changed the behavior of the WPAD script that we were using, and we had to edit the following line (the trailing "DIRECT" entry tells the browser to fall back to a direct connection if the proxy attempt fails):
proxy = "PROXY proxy.company.com:8080; DIRECT";

We had to change it to look like:
proxy = "PROXY proxy.company.com:8080";

After making this change the sites in question began to work.



We recently encountered a terminal server user who said they were in Outlook and accidentally hit some keyboard combination that caused it to close.  When they tried to get back into Outlook it kept giving an error message.

When I connected and tried to run Outlook, it kept displaying an error message that there was no Outlook Profile setup.  However, when I checked the profiles there were in fact several profiles listed.  I tried creating a brand new profile, but still received the error message.

I had the user log off and back on to the terminal server, checked Outlook from my account to make sure it wasn’t something server-wide, and then I checked the actual outlook.exe under the Program Files directory.  I did not see anything checked for compatibility with my account, but when I checked the outlook.exe from her account, it had Compatibility Mode for Windows 95 checked.

My assumption on what happened is that Outlook crashed, came back up, and asked if it should be run in compatibility mode.  I am assuming the user said yes at this point, and it turned the option on, which caused Outlook to not work anymore.



I looked at a problem with IE where the user worked frequently with data input into form fields.  The problem they had was that it would not start giving the AutoComplete suggestions as they started typing.

I checked Internet Options -> Content -> AutoComplete Settings and verified that the "Forms" option was checked.  Since it appeared that everything was enabled to do what the user wanted, I selected the "Delete AutoComplete history" option.  After clearing the history, the auto complete started working again. 

I am unsure whether or not the files containing the information for this feature were corrupt or possibly too large to continue working.



We had an ongoing issue with a customer’s HP server where the internal fans continually ran at full RPM. We had to move the server to a new location because the noise was too much for the employees. The HP monitoring software would occasionally shut down the server because it sensed it was overheating, but there was never any real sign or indication that there was an overheating issue. The problem typically occurred when backups were running, so we thought the tape drive was possibly causing a faulty temperature reading.

We went as far as to purchase a USB temperature logger, which I placed on the server to monitor the environment for a week.  All readings came back normal. I opened a case with HP Support, and their recommendation was to update the firmware and the drivers and everything else they could think of. But nothing they suggested made a difference.

I decided to take the server down and look at the internal parts for possible obstructions in air flow that would cause it to think it was overheating. While I was checking the second processor's heat sink, I noticed it was not seated exactly right but was clamped down. I removed the heat sink and found dust under it. That’s right... dust between the CPU and the silver paste. As you can tell from the picture below, the silver paste had never contacted the CPU, except on one corner. I grabbed some canned air, blew the dust off, and reseated the heat sink.  I closed up the server and started it up. Since that time the server has run super quiet with no thermal issues to this day. However, HP did have to replace an internal fan that failed from running so long at high RPM.



A coworker and I have been doing a lot of work on the CommVault email archiving and compliance products here lately. CommVault email compliance solutions provide two ways to access data collected via email compliance archiving agents. The end-user compliance portal allows a user to log in and search only their email whereas the compliance portal allows search of all email that has been collected via journaling. The issue we were able to reproduce was the following:

A user with a specific employment date (let's say 10.1.2010, for instance) could log in and see email that was sent prior to his/her employment date. They couldn’t see ALL email, just certain email.

Long story short, as part of a troubleshooting task with CommVault support, our customer had created a “special” configuration that enabled the compliance agents to basically harvest all mail in the Exchange environment from all mailboxes. Part of the work that the CommVault indexing engine does is to look at the email message and “mark” the message in such a way that it can be found by associated parties via the end-user search portal. It does this by looking up all parties on the email in Active Directory, then associating the message with all the user GUIDs that should have access to the message via end-user search. In our case specifically, when all the emails were “harvested” from all Exchange mailboxes, a specific set of emails that were sent to a distribution group were pulled in. The indexing engine expands those distribution groups and links the GUIDs accordingly. Emails to that distribution group go back farther in time than the employment of the user in question, but the user is CURRENTLY a member of the distribution group. So, when the indexing server expanded the group, that user was associated... and voilà, access to an email prior to employment via end-user search.



If you forward a meeting invitation, Exchange will notify the meeting Organizer that the meeting notice has been forwarded, and to whom it was forwarded.  So, if you don’t want the Organizer to know that their meeting was forwarded, you can forward the meeting as an attachment.

Notes:

  • When you forward a meeting request, it will not include the organizer's name in the “To” or “CC” fields; however, there is a small note above the “To” section that says “When you forward this meeting, a meeting forward notification will be sent to the organizer.”
  • If you look at the forwarded message (from your Sent Items), it does not show that it was sent to the organizer; however, the From: line does state "Your Name on behalf of Person You Forwarded To".


Steve Gibson, one of the hosts of the popular "SecurityNow!" podcast, has created a tool that checks DNS servers for spoofability. This tool works by asking the user's browser to retrieve an image located at a uniquely named subdomain of the form xxxxxxxxxxxxx.dns.grc.com, "where the “xxxxxxxxxxxxx” is replaced with a unique 13-character string of characters that has never been used before."*

Then, in order to learn the IP address for this special domain, the browser sends a DNS query to its DNS server, which forwards this query to a special nameserver located at grc.com. This nameserver tells the DNS server that the location of that image is actually an "'alias' of the real domain name, which is a good deal longer and more complex."* The nameserver instructs the DNS server to look up the name of the "real" location of the image, which looks like "...a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.xxxxxxxxxxxxx.dns.grc.com"* (with about 50 preceding 'a' labels).

The DNS server sends queries to the GRC nameserver, attempting to resolve the IP address of the given domain name one subdomain at a time, which causes the DNS server to send hundreds of requests that are collected by the GRC nameserver. As the nameserver collects these requests, it creates a scatter plot of both the Source Port and the Query Transaction ID of each request. Then, the data is analyzed to see how random the Source Port and the Query Transaction ID are, which reveals the spoofability of the DNS servers used.
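To make the last step concrete, here is an added offline illustration of the kind of randomness analysis described above. It is not GRC's code; the (source port, transaction ID) pairs are constructed samples, not captured traffic, and the thresholds are assumptions chosen for the illustration.

```python
# Added example (not GRC's code): the kind of analysis the test above performs,
# run offline on constructed (source port, transaction ID) samples standing in
# for the hundreds of queries the long CNAME chain draws out of a resolver.
import random
from collections import Counter

N = 200
# Constructed, not captured: a weak resolver that counts ports and IDs upward,
# and a good one that draws both unpredictably (seeded so the run is repeatable).
WEAK_RESOLVER = [(32768 + i, 4000 + i) for i in range(N)]
_rng = random.Random(20101201)
GOOD_RESOLVER = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(N)]

def predictable_fraction(values):
    """Share of values an observer could guess from the previous one by
    assuming the most common step: 1.0 for a plain counter, near 0 for random."""
    steps = [b - a for a, b in zip(values, values[1:])]
    _, count = Counter(steps).most_common(1)[0]
    return count / len(steps)

def assess(pairs):
    """Summarise the randomness of source ports and query IDs, the two values
    a spoofed reply has to match. Returns per-field metrics and a verdict.
    The 0.5 / half-unique thresholds are assumptions for this illustration."""
    report = {}
    for name, vals in (("port", [p for p, _ in pairs]), ("txid", [t for _, t in pairs])):
        report[name] = {
            "unique": len(set(vals)),
            "spread": max(vals) - min(vals) + 1,   # width seen on the scatter plot
            "predictable": round(predictable_fraction(vals), 3),
        }
    # A forged answer must hit both values; if either is guessable the
    # search space collapses to the other field's 16 bits or less.
    weak = any(report[f]["predictable"] > 0.5 or report[f]["unique"] < len(pairs) // 2
               for f in ("port", "txid"))
    report["verdict"] = "spoofable" if weak else "ok"
    return report

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESOLVER), ("good", GOOD_RESOLVER)):
        print(label, assess(sample))
```

Against a real resolver the pairs would come from a packet capture of its outbound queries; the same two fields are what the scatter plot in the test shows.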

This tool is quite interesting, and it shows that even as vulnerabilities arise on these critical systems, many operators do not fix them. That leaves users at risk of visiting a malicious web site while believing it is the site they were looking for, which potentially places their private data at risk.

*A more thorough and detailed analysis of how this tool works can be found by reading GRC's article on how the DNS Nameserver Spoofability Test works.