What are the actual comment line headers in your file? They begin with # and all IIA logs use a tab as the separator between field's Joseph -----Original Message----- From: Quillman Shawn (RBNA/CIT5) [mailto:Shawn.Quillman@xxxxxxxxxxxx] Sent: Thursday, March 07, 2002 9:15 AM To: [ISAserver.org Discussion List] Subject: [isalist] Funkiness in W3C Extended Format Log File http://www.ISAserver.org Hi Experts Out There (ie- Tom and Jim :), I'm writing a w3c -> isa log format converter and have noticed something odd in a w3c format log file for the web proxy service (running only in cache mode so can't check the firewall log). Basically, there are two lines merged into one with fields lost in each (I log all fields). I think there are possibly 27 of these in a file of 488852 lines. Here is an example: 10.24.145.105 anonymous Mozilla/4.0 (compatible; MSIE 5.0; Windows NT) N 2001-11-26 13:49:28 w3proxy FHISA01 - m1.maps.yahoo.com - 80 - - 3201 http TCP GET T 5.0) N 2001-11-26 13:49:15 w3proxy FHISA01 - www1.netquote.com - 443 - - 754 SSL-tunnel TCP CONNECT - - - 407 - - - It looks like the first line gets cut right before the uri field of the first line and joined with the the next line starting part way into the useragent field. In this case the useragent in the "second" line seems to be IE5.01 on W2K (Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)) or something similar. Looking at the activity around that area in the log, there doesn't seem to be anything abnormal in the way of malformed requests or anything. I discovered it after my conversion script had run on the file and I tried to do an analysis on the resulting isa format file using WebTrends Firewall Suite 4.0. WebTrends successfully analysed the new file but reported 27 instances of date and time being out of order. Any ideas? Think it may be a bug in ISA? I don't see anything related in the sp1 bug fix list. Call Microsoft? -Shawn > ____________________ > > Shawn R. Quillman > Robert Bosch Corporation AN-Fh/CIT5 > 38000 Hills Tech Drive > Farmington Hills, MI 48331 > (248) 553-1164 (P) (248) 848-2855 (F) > shawn.quillman@xxxxxxxxxxxx > ____________________ > ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')