Beginning with version 3.5, VShell for Windows has the ability to log using the W3C extended log file format. This new format allows the use of third-party log analysis tools to analyze VShell's log files. Log analysis tools like Sawmill combined with VShell's W3C logging support offer an easy way to answer many questions you may have concerning the activity on your VShell server. These tools parse the VShell log files and report information regarding the server traffic. This tip discusses how to set up the Sawmill log analysis tool with VShell's log files and how to apply its analysis and filtering capabilities.
There are many commercial and free log analysis tools available. Some tools provide basic server traffic statistics, such as total visits or total bandwidth during specific time periods. Other tools provide very detailed reports allowing you to determine exactly who has logged into the server, when they logged in, what files they uploaded or downloaded, and how many bytes were uploaded and downloaded.
The Sawmill log analysis tool provides an intuitive web-based interface. The reports generated by Sawmill make it easy to answer the following questions and many more about VShell server usage:
At this point we assume you have successfully installed Sawmill on the same machine that the VShell server is running on and have gone through the initial setup for Sawmill licensing and administrative user setup.
It is important to verify that the VShell server is indeed logging using the W3C log file format. To do this, open the VShell Control Panel, go to the Logging options category and verify that the Use W3C log file format option is enabled. This option is on by default. Any logs on the machine that were created with a version of VShell prior to 3.5 will not be in the analyzable W3C format.
After starting Sawmill, the first step is to create a profile. A profile is just the set of log files that will be analyzed. You can select a single log file, or use wildcards or regular expressions to select all or a specific set of log files. Selecting the Start here link will launch the New Profile wizard. From here, browse to the VShell log folder (typically C:\Program Files\VanDyke Software\VShell\Log) and select either a specific log file, or the folder itself so that all logs within the folder are part of the profile.
After specifying the log files, click the Next button.
Sawmill automatically determines the log format; it should detect your W3C log format. Once it does, choose the option Continue with the above detected log format and click on the Next button.
Now choose the log fields that you want included in the analysis. Checking all options will result in the most information available in the report, but will also increase the size of the Sawmill statistical database and the time to analyze. For this exercise, select all options other than Hits and Page views (Hits and Page views are geared to web servers and track specific web page hits and views). The Visitors option provides information on which users have connected to the server, while the Bytes, Server-to-Client bytes, and Client-to-Server bytes options track the total number of bytes transferred, number of bytes downloaded, and the number of bytes uploaded, respectively.
After the options have been selected, click the Next button. Finally, enter a descriptive name for the profile and select Finish, then close the wizard window.
After the profile has been created, Sawmill automatically reads in the logs, analyzes them, and creates the database of statistics. Once this is done, the default page displays a general overview of the logs analyzed, including total number of visitors and the number of bytes transferred. If logs from multiple days were used, then daily average figures will be shown as well.
Once the profile has been analyzed, the statistics can be filtered and viewed in any number of ways. On the left side of the interface are the major categories for filtering the data. These categories include the following:
A very powerful feature of Sawmill is its ability to "drill down". By repeatedly filtering on the categories described earlier, you are able to select only those parts of data that you are interested in seeing. For example, an administrator may be interested in finding out who has been accessing a particular file on the system. To find this information you first select the Pages category. This lists all the files that have been uploaded to or downloaded from the system.
Select the file you are interested in to bring up the file's overview page. Then click on the Zoom to report >> drop-down menu and select the next category you want to filter on. For example, select the Authenticated usernames category to view a list of all users who accessed the file.
Once you select a username, you can drill down even further, for instance, to select one of the date categories, which lets you see exactly when the file was last accessed by this user, or the Client IPs category, to see where the user was connecting from.
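The same drill-down (file, then usernames, then client IPs and last access time) can be reproduced directly against the log files when you want to cross-check a Sawmill report. The following is an added example, not code from VanDyke or Sawmill; the field names in the sample `#Fields` line are common W3C extended names assumed for illustration (VShell's actual field list may differ), and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample in W3C extended log file format. The #Fields names are
# assumed for illustration; read the real list from the #Fields line at the
# top of your own VShell log.
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2024-01-15 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-bytes cs-bytes
2024-01-15 08:02:11 192.0.2.10 alice get /reports/q4.xls 48211 0
2024-01-15 09:14:52 198.51.100.7 bob get /reports/q4.xls 48211 0
2024-01-15 09:20:03 198.51.100.7 bob put /upload/notes.txt 0 1024
2024-01-16 17:45:30 203.0.113.5 alice get /reports/q4.xls 48211 0
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line, e.g. "#Fields: date time ..."; only Fields matters here.
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = value.split()
            continue
        values = line.split()
        # Entries are whitespace-delimited; skip rows that do not match the header.
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))

def drill_down(entries, path):
    """Filter on one file, then group by username: client IPs and last access."""
    report = defaultdict(lambda: {"ips": set(), "last": ""})
    for e in entries:
        if e.get("cs-uri-stem") != path:
            continue
        user = report[e.get("cs-username", "-")]
        user["ips"].add(e.get("c-ip", "-"))
        # ISO-style date/time strings sort chronologically as text.
        user["last"] = max(user["last"], f"{e.get('date', '')} {e.get('time', '')}")
    return dict(report)

if __name__ == "__main__":
    result = drill_down(parse_w3c(SAMPLE_LOG), "/reports/q4.xls")
    for username, info in sorted(result.items()):
        print(username, sorted(info["ips"]), info["last"])
```
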
The Single-page Summary is another useful page that quickly provides information on all of the categories reported. This page displays bar graphs for all date and time categories, allowing you to easily see when the server traffic is at its highest and lowest.
All authenticated usernames are listed, as well as all files that have been transferred.