Perl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring

Log files, even on Windows systems, are often flat ASCII text files with one log entry per line. This makes them easy to view, but these files can easily run to hundreds of kilobytes (KB) or into the megabyte (MB) range, depending on the application generating the logs and the amount of traffic. For example, by default Microsoft's web server, Internet Information Server (IIS), writes its web and FTP logs to flat ASCII text files. Perl was originally designed to quickly and efficiently extract data from text files, and on Unix systems log files are, in many cases, exactly that. Parsing a nominally sized IIS web server log file of, say, 20 or 30 KB is almost nothing. The power of Perl really comes into play when you need to parse several hundred MB of log files looking for something specific, such as an IP address or a particular string. For example, when dealing with an incident in which a SQL injection attack is suspected, I will most often run a search of the files in the image to determine which log files contain the string xp_cmdshell, the name of a SQL Server extended stored procedure that an attacker may call to run operating system commands while conducting or attempting the attack. From there, I will most likely extract those log files from the image and pull specific information out of them.
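The search described above, as an added example that is not code from the book: a Perl script that reads IIS W3C extended format logs one line at a time (so a multi-hundred-MB file never has to fit in memory), picks up the column names from the `#Fields:` directive, and reports every entry whose request matches xp_cmdshell. The matching is case-insensitive and runs against a percent-decoded copy of the line, because attackers vary casing (XP_CMDSHELL) and encoding (xp%5Fcmdshell) and a plain grep for the lowercase string would miss both. The log lines embedded in the script are constructed for the example; the field names are the standard IIS W3C extended log fields. With no arguments the script scans the embedded sample; pass one or more extracted log files on the command line to scan those instead.

```perl
#!/usr/bin/perl
# iis_grep.pl - scan IIS W3C extended logs, line by line, for a pattern.
# Added example; constructed sample data, not from the book.
use strict;
use warnings;

# Constructed sample log in IIS W3C extended format. Headers begin with '#';
# IIS encodes spaces inside a field as '+', so fields are space-separated.
my $sample = <<'END_LOG';
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-10 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-10 00:00:01 192.168.1.10 GET /default.asp - 80 - 10.1.1.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-03-10 00:00:07 192.168.1.10 GET /products.asp id=1' 80 - 203.0.113.45 Mozilla/4.0+(compatible;+MSIE+6.0) 500 0 0
2008-03-10 00:00:09 192.168.1.10 GET /products.asp id=1;exec+master..xp_cmdshell+'dir+c:\' 80 - 203.0.113.45 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-03-10 00:00:12 192.168.1.10 GET /products.asp id=1;EXEC+master..XP_CMDSHELL+'net+user' 80 - 203.0.113.45 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-03-10 00:00:14 192.168.1.10 GET /products.asp id=1%3Bexec+master..xp%5Fcmdshell+%27whoami%27 80 - 203.0.113.45 Mozilla/4.0 200 0 0
2008-03-10 00:01:30 192.168.1.10 GET /images/logo.gif - 80 - 10.1.1.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
END_LOG

# Read a log from a filehandle and return one hash per matching entry,
# keyed by the names from the most recent '#Fields:' directive.
sub scan_log {
    my ($fh, $re) = @_;
    my @fields;
    my @hits;
    while (my $line = <$fh>) {
        chomp $line;
        if ($line =~ /^#Fields:\s*(.*)$/) {
            @fields = split ' ', $1;    # field list can change mid-file
            next;
        }
        next if $line eq '' || $line =~ /^#/;
        # Percent-decode a copy so encoded variants of the string still match
        (my $decoded = $line) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        next unless $decoded =~ $re;
        my %entry;
        my @values = split ' ', $line;
        @entry{@fields} = @values if @fields;
        $entry{raw}    = $line;
        $entry{lineno} = $.;            # line number within this file
        push @hits, \%entry;
    }
    return @hits;
}

# Real use: perl iis_grep.pl ex080310.log ex080311.log ...
# With no arguments the constructed sample above is scanned from memory.
my @sources = @ARGV ? @ARGV : (\$sample);
my $pattern = qr/xp_cmdshell/i;
my %by_ip;

for my $src (@sources) {
    open my $fh, '<', $src or die "open: $!";
    my @hits = scan_log($fh, $pattern);
    close $fh;
    my $name = ref $src ? 'sample' : $src;
    printf "%s: %d matching entries\n", $name, scalar @hits;
    for my $h (@hits) {
        printf "  line %d  %s %s  %s  %s %s  status=%s\n",
            $h->{lineno}, $h->{date}, $h->{time}, $h->{'c-ip'},
            $h->{'cs-uri-stem'}, $h->{'cs-uri-query'}, $h->{'sc-status'};
        $by_ip{ $h->{'c-ip'} }++;
    }
}

# Summarise which client addresses issued the matching requests; these are
# the addresses to pivot on across the remaining logs in the image.
print "\nSource addresses:\n";
printf "  %-15s %d\n", $_, $by_ip{$_} for sort keys %by_ip;
```

On the embedded sample this reports three matching entries, all from 203.0.113.45, including the upper-case and percent-encoded variants. Once the source address is known, the same script with the pattern switched to that address (for example `qr/\b203\.0\.113\.45\b/`) pulls every other request from that client out of the remaining logs, which is usually the next step after finding the injection attempts.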
| Note | While Perl is extremely powerful, it cannot parse and find what... |