=============================================================================
                               Log Exporter
                               June 13, 2002
                       (c) 2002 Symantec Corporation
=============================================================================

Topics include:
  - Usage
  - Command Line Parameters
  - Export Filters
  - Wildcards
  - Samples

=======================
Usage
=======================

LogExprt.exe [-v] [-l{LOG}] [-x{FILE}] [-d{DELIMITER}] [-f{[+/-],Col,Data}]

=======================
Command Line Parameters
=======================

All command line parameters can be placed in quotes, in part or in whole,
if spaces need to be specified.

Parameter          Usage
----------------------------------------------------------------------------
-v                 View Command. If a LogID is specified with the -l
                   command, this command lists the columns of the specified
                   log. If a LogID is not specified, this command lists all
                   available logs.

-l{LogID}          Specifies which log the other commands apply to. The
                   LogID value should be one of the four-digit values
                   representing each log, such as 0009 for the Alerts log.

-x{FILE}           Export Command. Exports the log specified with the -l
                   command. If FILE is not specified, the log name is used
                   with .txt appended to the end of it.

-d{DELIMITER}      Specifies which single character to use as the delimiter
                   when exporting the log. If the -d command is not used,
                   the default delimiter is the comma "," character (no
                   quotes, just the comma). The quote character " cannot
                   and should not be used, nor should any DBCS character be
                   used as the delimiter symbol. This document describes no
                   quoting of exported field values, so choose a delimiter
                   that cannot occur in the data you are exporting.

-f{[+/-],Col,Data} Optional Filter Command. This command allows the user to
                   filter the data that is exported. See the "Export
                   Filters" section for more details.

=======================
Export Filters
=======================

-f{[+/-],Col,Data}

+ and -   The + (plus) and - (minus) modifiers on the filters allow the
          user to specify what type of filter this is.

          + filters specify that NO event log entries will be exported
            unless they match ALL + filters.

          - filters specify that ALL event log entries will be exported
            unless they match ANY - filter.

Col       Specifies which column this filter applies to. To get a list of
          columns, use the -v command line parameter. Wildcards may be used
          for this field. This field is not case sensitive.

Data      Specifies the data to look for in the specified column. This
          data must be found in the column for the filter to take effect
          (put * on both sides to match text anywhere in the column, as in
          *IEXPLORE*). Wildcards may be used for this field. This field is
          not case sensitive.

When using multiple filters, if any filter excludes an event log entry, the
entry is excluded regardless of the + filters it matches. For this reason,
the order in which the user specifies filters is important. For example,
the following two filter sets will produce different output if they are
swapped:

  -f"+,remote,internal*" -f"-,Date,10/23*"
  -f"-,Date,10/23*" -f"+,remote,internal*"

=======================
Wildcards
=======================

The following wildcards can be used in the Col and Data fields of export
filters:

  *            Matches any sequence of characters (zero or more).
  ?            Matches any single character.
  \            Suppresses the syntactic significance of a special character.
  []           Matches any character in the specified set.
  [!] or [^]   Matches any character not in the specified set.

A set is composed of characters or ranges; a range looks like 'character
hyphen character', as in '0-9' or 'A-Z'. Any ASCII character can be used in
a set or a range. To suppress the special syntactic significance of any of
'][*?!^-\', and match the character exactly, precede it with a '\'.

Examples
--------
10/2?/01           Would match all days between the 20th and the 29th in
                   October of 2001.
                   Note: 10/2[0-9]/01 would accomplish the same thing.

10/*/01            Would match any day in October of 2001.

*.domain.com       Would match any DNS entry that ends with .domain.com.

192.168.*.*        Would match all IP addresses that begin with 192.168.
                   Note: 192.168* would accomplish the same thing.

*.*.1.100          Would match all IP addresses that end with 1.100.
                   Note: *.1.100 would accomplish the same thing.

192.168.23[012].*  Would match all IP addresses that begin with 192.168.230,
                   192.168.231, or 192.168.232.

192.168.10[0-6].*  Would match all IP addresses between 192.168.100.0 and
                   192.168.106.255.

=======================
Samples
=======================

LogExprt.exe -v
    This command would list the available logs. The following is an
    example of the text output from this command:

        Available Logs:
        0001 - Content Blocking
        0002 - Connections
        0003 - Firewall
        0004 - Intrusion Detection
        0005 - Privacy
        0006 - Restrictions
        0007 - System
        0008 - Web History
        0009 - Alerts
        0011 - Confidential Info
        0012 - Spam

LogExprt.exe -v -l0001
    This would list the columns in the "Content Blocking" log.

LogExprt.exe -x -l0002
    This would export the "Connections" log to a comma delimited file
    named "Connections.txt" in the current directory.

LogExprt.exe -x"c:\log.txt" -l0007
    This would export the "System" log to a comma delimited log file
    named "log.txt" in the root of the "C:" drive.

LogExprt.exe -x -l0009 -d"~"
    This would export the "Alerts" log to a tilde delimited file named
    "Alerts.txt" in the current directory.

LogExprt.exe -x -l0003 -f"+,Date,1/*/2002"
    This would export the "Firewall" log to a comma delimited file named
    "Firewall.txt" in the current directory. Only entries created during
    January 2002 will be exported to the file.

LogExprt.exe -x -l0003 -f"+,Date,1/*/2002" -f"+,Message,*IEXPLORE*"
    This would export the "Firewall" log to a comma delimited file named
    "Firewall.txt" in the current directory. Only entries created during
    January 2002 that contain the word "IEXPLORE" in the Message column
    will be exported to the file.
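The filter and wildcard rules from the "Export Filters" and "Wildcards" sections, and the -f samples above, as a worked example in Python. This is an added example and is not part of the original Symantec README or of the LogExprt.exe program: it translates the documented wildcard grammar (*, ?, \, [], [!], [^] and ranges) into a regular expression, parses the body of a -f"[+/-],Col,Data" argument, and applies the resulting filters to a constructed comma-delimited export. Assumptions, all marked in the code: the exported file carries a header row of column names; a wildcard must match the whole column value (which is why the README's sample uses *IEXPLORE*); a Col pattern may select several columns, and a filter matches an entry when any selected column matches Data; the column names and log lines are constructed for the example. Filters are applied order-independently, exactly as the +/- rules state (an entry is kept only if it matches every + filter and no - filter); the README also says filter order matters, so check against the real tool before relying on a particular ordering.

```python
"""LogExprt.exe wildcard and +/- filter semantics, re-implemented in Python.

Added example, not Symantec's code. Assumptions are marked in comments.
"""
import re
from typing import List, Optional, Tuple

Filter = Tuple[bool, str, str]      # (is_plus, Col pattern, Data pattern)


def _parse_set(pattern: str, j: int) -> Optional[Tuple[str, int]]:
    """Parse a [...] set whose body starts at index j (just after '[').

    Returns (regex character class, index just past ']'), or None when the
    set is never closed, in which case the caller treats '[' literally.
    """
    n = len(pattern)
    negate = False
    if j < n and pattern[j] in "!^":          # [!abc] or [^abc]
        negate = True
        j += 1
    items: List[str] = []
    while j < n and pattern[j] != "]":
        lo = pattern[j]
        if lo == "\\" and j + 1 < n:          # escaped member, e.g. [\]] or [\-]
            lo = pattern[j + 1]
            j += 1
        j += 1
        if j + 1 < n and pattern[j] == "-" and pattern[j + 1] != "]":
            hi = pattern[j + 1]               # range lo-hi, as in 0-9 or A-Z
            j += 2
            if hi == "\\" and j < n:
                hi = pattern[j]
                j += 1
            items.append(re.escape(lo) + "-" + re.escape(hi))
        else:
            items.append(re.escape(lo))
    if j >= n:
        return None
    if not items:                             # "[]" matches nothing, "[!]" anything
        return ("." if negate else "(?!)", j + 1)
    return ("[" + ("^" if negate else "") + "".join(items) + "]", j + 1)


def wildcard_to_regex(pattern: str) -> str:
    """Translate a LogExprt-style wildcard into an equivalent regex."""
    out: List[str] = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:           # '\' takes the next char literally
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            parsed = _parse_set(pattern, i + 1)
            if parsed is not None:
                cls, i = parsed
                out.append(cls)
                continue
            out.append(re.escape(c))          # unterminated set: literal '['
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def wildcard_match(pattern: str, text: str) -> bool:
    """Case-insensitive match of the WHOLE value (assumption; see *IEXPLORE* sample)."""
    return re.fullmatch(wildcard_to_regex(pattern), text, re.IGNORECASE) is not None


def parse_filter(spec: str) -> Filter:
    """Parse the body of a -f argument: "[+/-],Col,Data" (Data may contain commas)."""
    sign, col, data = spec.split(",", 2)
    if sign not in ("+", "-"):
        raise ValueError(f"filter must start with + or -: {spec!r}")
    return (sign == "+", col, data)


def parse_export(text: str, delimiter: str = ",") -> Tuple[List[str], List[List[str]]]:
    """Split an exported log into (column names, rows).

    Assumption: the first line names the columns. The README describes no
    quoting, so a delimiter occurring inside a field would shift columns;
    pick one that cannot appear in the data (the README's sample uses -d"~").
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = lines[0].split(delimiter)
    rows = [ln.split(delimiter) for ln in lines[1:]]
    return columns, rows


def filter_matches(columns: List[str], row: List[str], col_pat: str, data_pat: str) -> bool:
    """True when some column selected by col_pat holds a value matching data_pat (assumption)."""
    return any(wildcard_match(col_pat, name) and wildcard_match(data_pat, value)
               for name, value in zip(columns, row))


def apply_filters(columns: List[str], rows: List[List[str]], filters: List[Filter]) -> List[List[str]]:
    """Keep a row only if it matches every + filter and no - filter (order-independent)."""
    kept = []
    for row in rows:
        plus_ok = all(filter_matches(columns, row, c, d) for p, c, d in filters if p)
        minus_hit = any(filter_matches(columns, row, c, d) for p, c, d in filters if not p)
        if plus_ok and not minus_hit:
            kept.append(row)
    return kept


# Constructed sample of a comma-delimited "Firewall" export; not real Symantec output.
SAMPLE_EXPORT = """\
Date,Time,Message,Remote
1/5/2002,08:12:33,Rule Default Block blocked IEXPLORE.EXE,internal.example.net
1/17/2002,19:44:01,Rule Default Block blocked NOTEPAD.EXE,192.168.23.10
10/23/2001,23:59:58,Rule Default Block blocked IEXPLORE.EXE,internal.example.net
2/2/2002,03:03:03,Intrusion attempt blocked,203.0.113.7
"""


def export_with_filters(specs: List[str], text: str = SAMPLE_EXPORT, delimiter: str = ",") -> List[List[str]]:
    """Emulate LogExprt.exe -x -l0003 -f"<spec>" ... applied to an already exported log."""
    columns, rows = parse_export(text, delimiter)
    return apply_filters(columns, rows, [parse_filter(s) for s in specs])


if __name__ == "__main__":
    # Same filters as the last README sample: January 2002 entries mentioning IEXPLORE.
    for row in export_with_filters(["+,Date,1/*/2002", "+,Message,*IEXPLORE*"]):
        print(",".join(row))
```

The translation escapes every non-wildcard character before handing it to the regex engine, so a Data value such as 192.168.10[0-6].* matches only dotted addresses and not, say, 192x168. Because the README specifies no quoting for exported fields, run this kind of post-processing on a file exported with a delimiter that cannot occur in any column (the tilde from the -d"~" sample is a reasonable choice for message text that may itself contain commas).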