Log Parsing Overview

Before You Begin

1.       Proactively enable logging (90 days in advance) – You must ensure that logging is enabled, and do so at least 90 days in advance of running the inventory scenario. You must also ensure that all the columns required for MAP Usage Tracking are enabled as described in the section called “Configure Log Files” of the Getting Started Guide.

You only need to enable logging for the software listed in the “Configure Log Files” section of the Getting Started Guide. If you are tracking usage on server software that does not require log files, you can skip this section. 

2.       Run Inventory – The Inventory and Assessment Wizard gathers current information about existing installations of Windows Server®, System Center Configuration Manager, Office SharePoint® Server, SQL Server® 2008, SQL Server 2012, Exchange Server, Lync Server 2010 and Forefront Endpoint Protection Server in your environment.

3.       Configure Log Parser – The Log Parser needs the location of the log files that you configured earlier to gather data from the servers in your environment. When you click “Go” on the Software Usage Tracking page, the Specify Log File Paths dialog box opens. Click Add to locate the path to the log files. MAP does not perform a recursive folder search, so you must list the full directory structure name for the location of each log file you want to parse.

4.       Parse Logs – When you click “Go” on the Software Usage Tracking page, the MAP Toolkit parses the logs files to find information about client and device access of the previously specified Microsoft® server products.

There are some restrictions on parsing security log files (*.evtx) generated by servers running Windows Server 2008 and Windows Server 2008 R2. The MAP Toolkit can parse *.evtx files only when it is installed on Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2.

When you expand Data Collection in the navigation tree, there are two sub-nodes: Log Files and Instance Summary.

Log Files

The results pane shows the parsing results for the log files you specified earlier. The top of the pane shows the parsing status:

·         Processed: The number of log files that have been parsed.

·         Unprocessed: The number of log files that have yet to be processed.

·         Errored: The number of log files that could not be completely parsed due to errors in the format of the log file. Some events in an Errored log file may be parsed if the row that has the event is in the correct format.

·         Total: The total number of log files that the Log Parser attempted to parse. This value should be equal to the total number of log files in the directories you configured for the Log Parser.

 

You can view a table of the log file parsing results and group the results by either:

·         Computer System Name: The name of the server that logged the event.

·         Log File Name: The name of the log file being parsed.

·         Status: States whether the log was processed or not processed for parsing.

 

The remaining columns of the table cannot be used for grouping.

·         Events: The number of events contained in the log file.

·         Start Date: The date of the first logged event.

·         End Date: The date of the last logged event.

 

The Actions pane provides links to three tasks:

·         Configure Log Parser: Click this link to provide the location of the log files that you plan to parse.

·         Start Parsing: Click this link to start parsing data.

·         Stop Parsing: Click this link to stop parsing data. This link is only available while logs are being parsed.

Instance Summary

The results pane for the Instance Summary node lists software instances, indicates start and end dates, and provides user and device counts. You can group the display by Computer System Name or Software Instance.

Date Format

The format for the start and end dates in the Log Files pane is as follows: yyyy-mm-dd hh:mm:ss.

For example, 2010-03-09 23:52:12 would be March 9 in the year 2010 at 11:23 pm and 12 seconds.

Related Topics

Software Usage Tracking

Send Feedback