Analog is my tool of choice for doing log file analysis, by virtue of it being free, fast and reasonably functional. The "Failure Report" is a good way to find broken links (especially external ones), but it can quickly get cluttered up with the access attempts of various worms. Here are the lines that I include in my
.cfg file to make the access list a bit cleaner (along with links explaining what they refer to):
# Nimda FILEEXCLUDE */c+dir FILEEXCLUDE */scripts FILEEXCLUDE */c FILEEXCLUDE */d FILEEXCLUDE *_vti_bin* FILEEXCLUDE *_mem_bin* FILEEXCLUDE *MSADC* FILEEXCLUDE *msadc* FILEEXCLUDE *root.exe* FILEEXCLUDE *cmd.exe* # (perhaps others as well) FILEEXCLUDE *FormMail.pl # Spam relay checking FILEEXCLUDE *default.ida* # Code Red FILEEXCLUDE */scripts/nsiislog.dll* # Windows Media Services exploit FILEEXCLUDE */NULL.printer* # IIS 5.0 buffer overflow exploit FILEEXCLUDE */x01* # SOCKS5 remote exploit FILEEXCLUDE #:1337* # Proxy setup attempt
These are the the things that are attributed to worms, but there may be other entries that are not desirable either. The most common one is a 404 when requesting "favicon.ico" which is MSIE, Safari, and Mozilla looking for your site icon. A more rare one is "/msoffice/cltreq.asp", invoked by Internet Explorer when Microsoft Office is installed and the Discussion Bar is enabled, as described in this thread.