Parse logs in Windows Server 2003 to find user actions

Platform: Windows 2003 with Perl. I am learning how to strip a user ID from an IIS log file, then find out what this user has done: uploaded file, CWD, stuff like that. User ID [unique_ID]. How to get this identifier and find what it did? Please help.

2 answers

Log Parser 2.2:

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system and Active Directory®.


I found an example IIS log file for Windows 2003 Server here. However, post your own lines from the sample log.

192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SERVER, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -,

Since this is nothing more than a comma-delimited file, you have several different ways to go here. You can use Text::CSV if it is installed on your computer. If not, here is a simple example.

use strict;
use warnings;
use Data::Dumper;

my $user = {}; # we will store the actions in here

# This is what the log file looks like when split into an array
# 0: Client IP address
# 1: User name
# 2: Date
# 3: Time
# 4: Service and instance
# 5: Server name
# 6: Server IP
# 7: Time taken
# 8: Client bytes sent
# 9: Server bytes sent
# 10: Service status code
# 11: Windows status code
# 12: Request type
# 13: Target of operation
# 14: Parameters

open my $log, '<', 'path/to/logfile.log' or die "Cannot open log file: $!";
while (my $line = <$log>) {
  chomp $line;                    # drop the trailing newline
  my @fields = split /, /, $line; # split on comma and space
  # you'll get an array of actions for each user
  push @{ $user->{$fields[1]} }, "$fields[12] $fields[13]";
  # or more specific:
#   push @{ $user->{$fields[1]} }, { 
#     'time' => $fields[3],
#     'action' => $fields[12],
#     'target' => $fields[13],
#   };
}
close $log;

print Dumper $user; # let's have a look

# More stuff to do with the data here...

This is the output:

$VAR1 = {
          '-' => [
                   'GET /DeptLogo.gif'
                 ]
        };

To iterate over $user:

foreach my $u (sort keys %$user) {
  print "$u\r\n";
  foreach my $action (@{ $user->{$u} }) {
    print "$action\r\n";
  }
}
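As an added example, not part of the original answer, the following script extends the same 15-field parse to the asker's use case: it groups entries per user name, strips the [session] prefix that IIS FTP logs place in front of the request verb, and flags state-changing actions such as uploads for one chosen user. The sample lines are constructed, and the FTP verb names (USER, CWD, created, QUIT) are an assumption modelled on IIS FTP native-format logs.

```perl
#!/usr/bin/perl
# Added example (not from the original post): per-user timeline from IIS
# native-format log lines, with write-type actions flagged.
use strict;
use warnings;

# Constructed sample lines in the 15-field IIS native format used on this page.
# The "[session]verb" entries are an assumption modelled on IIS FTP logs,
# where an upload is logged as "created" and a download as "sent".
my @sample = (
  '192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SERVER, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -,',
  '10.0.0.7, jsmith, 03/20/01, 8:01:02, MSFTPSVC1, SERVER, 172.21.13.45, 0, 0, 0, 0, 0, [3]USER, jsmith, -,',
  '10.0.0.7, jsmith, 03/20/01, 8:01:10, MSFTPSVC1, SERVER, 172.21.13.45, 0, 0, 0, 0, 0, [3]CWD, /upload, -,',
  '10.0.0.7, jsmith, 03/20/01, 8:01:30, MSFTPSVC1, SERVER, 172.21.13.45, 15, 4096, 0, 0, 0, [3]created, tool.exe, -,',
  '10.0.0.7, jsmith, 03/20/01, 8:02:00, MSFTPSVC1, SERVER, 172.21.13.45, 0, 0, 0, 0, 0, [3]QUIT, -, -,',
  '10.0.0.9, jsmith, 03/20/01, 9:15:41, W3SVC2, SERVER, 172.21.13.45, 120, 512, 220, 201, 0, PUT, /files/notes.txt, -,',
);

# Verbs that change server-side state; "created" is the assumed FTP upload entry.
my %WRITE = map { $_ => 1 } qw(created PUT POST DELETE MKCOL MKD RMD RNTO);

# Parse one line into a hash; returns nothing for short or malformed lines.
sub parse_line {
  my ($line) = @_;
  chomp $line;
  my @f = split /, /, $line;
  return unless @f >= 14;
  (my $verb = $f[12]) =~ s/^\[\d+\]//;   # drop the FTP session prefix "[3]"
  return { client => $f[0], user => $f[1], date => $f[2], time => $f[3],
           status => $f[10], verb => $verb, target => $f[13] };
}

# Group parsed entries by user name, preserving log order.
sub actions_by_user {
  my %by_user;
  for my $line (@_) {
    my $e = parse_line($line) or next;
    push @{ $by_user{ $e->{user} } }, $e;
  }
  return \%by_user;
}

my $who     = @ARGV ? shift @ARGV : 'jsmith';   # user ID to report on
my $by_user = actions_by_user(@sample);
for my $e (@{ $by_user->{$who} || [] }) {
  my $flag = $WRITE{ $e->{verb} } ? 'WRITE' : '     ';
  printf "%s %s %s %-8s %s (from %s, status %s)\n",
    $e->{date}, $e->{time}, $flag, $e->{verb}, $e->{target}, $e->{client}, $e->{status};
}
```

Replace @sample with the lines read from your own log file and pass the user ID on the command line; the WRITE rows are the upload and directory-modifying actions the question asks about.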