Cleaner Access Logs

Analog is my tool of choice for log file analysis, by virtue of it being free, fast and reasonably functional. Its "Failure Report" is a good way to find broken links (especially inbound ones from other sites), but it quickly gets cluttered with the access attempts of various worms. Here are the FILEEXCLUDE lines I include in my .cfg file to make the failure list a bit cleaner, each with a comment saying what it refers to:

# Nimda
FILEEXCLUDE */c+dir
FILEEXCLUDE */scripts
FILEEXCLUDE */c
FILEEXCLUDE */d
FILEEXCLUDE *_vti_bin*
FILEEXCLUDE *_mem_bin*
FILEEXCLUDE *MSADC*
FILEEXCLUDE *msadc*
FILEEXCLUDE *root.exe*
FILEEXCLUDE *cmd.exe*                   # (perhaps others as well)

FILEEXCLUDE *FormMail.pl                # Spam relay checking
FILEEXCLUDE *default.ida*               # Code Red
FILEEXCLUDE */scripts/nsiislog.dll*     # Windows Media Services exploit 
FILEEXCLUDE */NULL.printer*             # IIS 5.0 buffer overflow exploit
FILEEXCLUDE */x01*                      # SOCKS5 remote exploit
FILEEXCLUDE #:1337*                     # Proxy setup attempt 

Those are the entries that can be attributed to worms, but there are other entries you may not want either. The most common is a 404 for "favicon.ico", which is MSIE, Safari and Mozilla looking for your site icon. A rarer one is "/msoffice/cltreq.asp", requested by Internet Explorer when Microsoft Office is installed and the Discussion Bar is enabled, as described in this thread. One caveat: the broad patterns such as */c, */d and */scripts match any path that ends that way, so they will also hide a genuine broken link that happens to end in "/c" or "/scripts"; glance at the raw log before trusting the trimmed report.
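To show what the exclusion list above actually does to a failure report, here is a small Python script that applies the same patterns to a handful of constructed Common Log Format lines. It is an added example, not part of the original post and not Analog's own code: it treats each FILEEXCLUDE pattern as a case-sensitive glob over the request path including its query string (a simplification of Analog's matching), and it adds two hypothetical extra patterns for the favicon.ico and cltreq.asp noise mentioned in the paragraph above. The "#:1337*" proxy line is left out because it is not a plain path glob and its handling depends on Analog's own parser.

```python
import fnmatch
import re
from collections import Counter

# The FILEEXCLUDE patterns from the .cfg above, trailing comments stripped.
# The "#:1337*" proxy pattern is omitted (not a plain path glob; see lead-in).
WORM_PATTERNS = [
    "*/c+dir", "*/scripts", "*/c", "*/d", "*_vti_bin*", "*_mem_bin*",
    "*MSADC*", "*msadc*", "*root.exe*", "*cmd.exe*",
    "*FormMail.pl", "*default.ida*", "*/scripts/nsiislog.dll*",
    "*/NULL.printer*", "*/x01*",
]

# Hypothetical extra patterns for the browser noise the post mentions but does not exclude.
BROWSER_NOISE_PATTERNS = ["*/favicon.ico", "*/msoffice/cltreq.asp*"]

# Common Log Format: host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into host/path/status, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {"host": m.group("host"), "path": m.group("path"), "status": int(m.group("status"))}


def matched_pattern(path, patterns):
    """Return the first pattern matching path ('*' = any string, case-sensitive), else None."""
    for pat in patterns:
        if fnmatch.fnmatchcase(path, pat):
            return pat
    return None


def failure_report(lines, patterns):
    """Minimal stand-in for Analog's Failure Report restricted to 404s.

    Returns (kept, excluded): kept counts 404 paths that no pattern matched,
    excluded counts how many 404s each pattern suppressed.
    """
    kept, excluded = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        pat = matched_pattern(rec["path"], patterns)
        if pat is None:
            kept[rec["path"]] += 1
        else:
            excluded[pat] += 1
    return kept, excluded


# Constructed sample log: Nimda and Code Red probes, a NULL.printer probe,
# browser noise, and one genuine broken link hit twice.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Nov/2003:10:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [13/Nov/2003:10:01:03 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [13/Nov/2003:10:01:04 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.9 - - [13/Nov/2003:10:02:10 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
10.0.0.9 - - [13/Nov/2003:10:02:11 +0000] "GET /NULL.printer HTTP/1.0" 404 276
192.0.2.7 - - [13/Nov/2003:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5123
192.0.2.7 - - [13/Nov/2003:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 276
192.0.2.7 - - [13/Nov/2003:10:05:02 +0000] "GET /msoffice/cltreq.asp?UL=1&ACT=4&BUILD=2614 HTTP/1.1" 404 276
192.0.2.8 - - [13/Nov/2003:10:06:00 +0000] "GET /archive/old-post.html HTTP/1.1" 404 276
192.0.2.9 - - [13/Nov/2003:10:07:00 +0000] "GET /archive/old-post.html HTTP/1.1" 404 276
""".splitlines()


if __name__ == "__main__":
    for label, pats in (("worm patterns only", WORM_PATTERNS),
                        ("worm + browser noise", WORM_PATTERNS + BROWSER_NOISE_PATTERNS)):
        kept, excluded = failure_report(SAMPLE_LOG, pats)
        print(f"== {label} ==")
        for path, n in kept.most_common():
            print(f"  {n:3d}  {path}")
        print("  suppressed:", dict(excluded))
```

With the worm patterns alone, the trimmed report still shows favicon.ico, cltreq.asp and the real broken link; adding the two browser-noise patterns leaves only /archive/old-post.html, which is the entry worth fixing. Because the first matching pattern wins, the count under */c+dir also shows why the later *root.exe* and *cmd.exe* lines rarely get credit on their own.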
