
List:       analog-help
Subject:    Re: [analog-help] Organisation Report Does not show full
From:       "Pam Drew  () Home" <pdrew () drewnet ! com>
Date:       2007-01-18 18:10:42
Message-ID: web-40213863 () mail3 ! easycgi ! com

For Windows, I use the QuickDNS program as my helper DNS 
resolver.

http://www.analogx.com/

I use a batch file that first runs QuickDNS to resolve the 
IPs in the IIS logs to names, then runs my Analog.

  qdns /G analog.cfg /Y IP-of-my-DNS-Server
  call analog.exe +gwhatever.cfg

Then, in my analog.cfg file, I tell Analog to read the 
dnscache.txt that was created by QuickDNS:

  DNSFILE dnscache.txt
  DNS read

The /G config.cfg switch for QuickDNS tells QuickDNS where 
to find the raw IIS log files that should be read to be 
resolved -- it reads the logfile line from the cfg file, 
so if you had multiple config files you could resolve them 
all separately.

There are other tools for Windows, but this one works for 
me, so I didn't investigate further.  Once you do this, 
your Organization report will start showing the domain 
names, whereas the Host report will show IP addresses.

Pam


On Thu, 18 Jan 2007 08:12:54 -0500 "Aengus" 
<analog07@eircom.net> wrote:

> On Wednesday, January 17, 2007 10:57 PM [EDT],
> Tyson Varosyan <tyson@up-times.com> wrote:
> 
>> However, my Organisation Report is a bit messed up. First of all it
>> is not resolving IPs to host names, however that may be cause there
>> is no rDNS set up for the few users that have hit my site so far.
> 
> Analog doesn't do DNS lookups by default, because DNS lookups are
> much, much slower than everything else that Analog does.
> (http://analog.cx/docs/dns.html)
> 
>> I will wait and see. The more important problem is that when it shows
>> the IPs, it does not show the entire IP, rather it shows what seems
>> to be a random part of it.
> 
> The Organization report doesn't show IP addresses, it shows
> Organizations. If you don't have DNS lookups enabled, then it has to
> use the basic IP address to decide when requests from different IP
> addresses are actually from the same Organization. In simple terms,
> all addresses from the same "Class" address are considered to be from
> a single Organization (eg 12.1.2.3 and 12.255.254.253 are in the same
> "Class A" address range, as all addresses between 12.0.0.0 and
> 12.255.255.255 are assigned to AT&T, whereas 145.1.2.3 and
> 145.255.254.253 are "Class B" addresses, and belong to different
> organizations).
> 
> ("Address classes" aren't really used anymore, but provide an easy
> way to explain the Organization report. Exceptions to the simple
> "Class model" are noted in
> http://analog.cx/docs/domfile.html#orgrules )
> 
>> For instance, an IP of 24.156.28.245 may be shown as 24.156 and
>> that's it! Or as 156.28 or 28.245... In either case, it is showing
>> only a small bit of the address.
> 
> Because requests from 24.156.28.245 and 24.156.28.246 are both from
> the same "Organization", they are both listed under 24.156
> Organization.
> 
>> I am currently using Win2k3 Server, with IIS6 and my IIS is
>> configured to use the "W3C EXTENDED LOG FILE FORMAT". I have a few
>> other options for log formats in IIS - I was going to try the
>> "Microsoft IIS...", but the first choice was the default, so I have
>> not changed it yet...
> 
> W3C Extended is the best format choice.
> 
>> Please advise on how I can get Analog to show full IPs in the report.
> 
> Full IPs belong to Hosts, not Organizations, so turn on the Host
> Report, with
> HOST ON
> 
> Aengus 
+------------------------------------------------------------------------
|  TO UNSUBSCRIBE from this list:
|    http://lists.meer.net/mailman/listinfo/analog-help
|
|  Analog Documentation: http://analog.cx/docs/Readme.html
|  List archives:  http://www.analog.cx/docs/mailing.html#listarchives
|  Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
+------------------------------------------------------------------------
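
Added example (not part of the original message, and not QuickDNS's or Analog's own code): the pre-resolution step described in the message, written in Python. It pulls the c-ip column out of a W3C Extended log using the #Fields header and builds cache lines for DNSFILE. The line format (lookup time in minutes since 1970, IP address, hostname or *) is an assumption to check against http://analog.cx/docs/dns.html; the function names and the sample log are constructed for illustration.

```python
import re
import socket
import time

HOSTNAME_OK = re.compile(r"[A-Za-z0-9_.-]{1,253}")

def client_ips(log_lines):
    """Yield each distinct c-ip value from W3C Extended log lines."""
    idx, seen = None, set()
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # IIS lets the admin pick the columns, so find c-ip per header.
            fields = line[len("#Fields:"):].split()
            idx = fields.index("c-ip") if "c-ip" in fields else None
        elif line and not line.startswith("#") and idx is not None:
            cols = line.split()
            if idx < len(cols) and cols[idx] not in seen:
                seen.add(cols[idx])
                yield cols[idx]

def reverse_lookup(ip):
    """PTR lookup; returns None when the address has no rDNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dnsfile_lines(log_lines, resolver=reverse_lookup, now=None):
    """Build DNSFILE lines: '<minutes since 1970> <ip> <name or *>' (assumed format)."""
    minutes = int((time.time() if now is None else now) // 60)
    out = []
    for ip in client_ips(log_lines):
        name = resolver(ip)
        # PTR data is set by the reverse-zone owner: accept only plain hostnames.
        if not name or not HOSTNAME_OK.fullmatch(name):
            name = "*"
        out.append(f"{minutes} {ip} {name.lower()}")
    return out

# Constructed sample input (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-01-17 22:57:01 192.0.2.10 GET /index.html 200
2007-01-17 22:57:05 198.51.100.7 GET /about.html 200
2007-01-17 22:58:10 192.0.2.10 GET /logo.gif 304
""".splitlines()

if __name__ == "__main__":
    print("\n".join(dnsfile_lines(SAMPLE_LOG, resolver=lambda ip: None)))
```

The hostname check matters because names in the Organization report come straight from reverse DNS, which the owner of the client's address block controls.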