Exploring the IIS Log File Analyzer ReadLogs (1)

Source: Internet
Author: User


This document explains how to use Log File Analyzer (readlogs.exe) to diagnose Microsoft Internet Information Server (IIS) problems. It also discusses some general debugging concepts and explains what to look for when reviewing ReadLogs output.

Log File Analyzer works together with Exception Monitor to help identify the causes of IIS conflicts or other problems. Exception Monitor will be covered in detail in future articles. You can get version 7.1 of Exception Monitor here.
Background
When you run Exception Monitor, it generates a log file for troubleshooting your IIS server. Log File Analyzer (readlogs.exe) goes a step further than Exception Monitor by simplifying the analysis. ReadLogs lets you browse the parts of the log quickly to identify factors that may be causing IIS problems. With ReadLogs, you can:

● Determine which thread in the process caused a fault.

● Display the "fault stack", which lists the modules that were running and what they were doing when the fault occurred.

● Collect all loaded modules (no matter which thread they were running on) and view the available version information for these modules.

● Search for and view all errors or warnings about symbols.

● Find all exceptions that may have occurred but were not captured by the analyzer because of their severity.

● Search for and display other types of exception information.

● Quickly display the results of commands that were run during the troubleshooting process.

● Generate a custom exception report with a wide range of configurable data options.

These and other functions are covered in depth in this article.

Note that while ReadLogs simplifies the analysis, you cannot use this tool alone to analyze a problem. The entire Exception Monitor tool kit, including ReadLogs, is designed to point you in the right direction. Further steps are required to fully analyze the situation.

Note: Although ReadLogs version 7 is designed to read log files from earlier versions of Exception Monitor, not all log files from earlier versions can be parsed correctly. When trying to open a log file generated by Exception Monitor version 6.1, you may notice that the ReadLogs dialog box does not appear and that CPU usage is high. If this happens, use Task Manager to end ReadLogs and use Notepad to read the log file.

Install and run ReadLogs
ReadLogs is installed automatically when you install Exception Monitor. You can run the tool directly from Exception Monitor, or as a stand-alone application from the Exception Monitor program group:

On the Start menu, point to Programs, then to the debugging tools, then to Exception Monitor, and then to ReadLogs.

Note: For a better understanding of how the logs are generated and how to interpret the output, see Understanding Windows NT and the Windows NT debugger.
Perform a log analysis
When you start ReadLogs for the first time, the system displays the main window of the log file analyzer (Figure 1), showing different aspects of the log file.


The system fills in the main information window and main output window with information related to the log file. Note the information displayed in the upper left corner of the window:

● Fault type (in this case, the debugger was stopped manually).

● Exception Monitor version used to generate the log.

● Whether the log uses custom or standard commands.

● Start time and stop time of the log file.

Use the main information window
When you first parse a log or select a program function, the analyzer inserts a message in the main information window. This message may display data (discussed later) or briefly describe the result of your action. ReadLogs generates this information dynamically, based on your actions and the log parsing results. Examples of dynamic information include:

● When you parse the log for the first time, ReadLogs checks whether the log ended with a manual stop or a fault, whether you are using an old debugger, and whether there are any unresolved dynamic-link library (DLL) calls. This information is displayed automatically in the main information window.

● When you click a row in the main output window (after it has been filled with stack or module information), the main information window displays the version information of the selected module.

● When you click the fault stack, the main information window displays the processor registers and detailed stack information for the fault stack.

Use the main output window
The format of the main output window varies according to the information you want to view. The help page for each function provides a sample of its output with descriptions. Some examples of dynamic output include:

● Stack list output.

● List of loaded DLLs.

● List of locks and the IDs of the threads that own them.

● Any errors found in logs.

View the stack list
When you click the stack list in the main window of the log file analyzer, ReadLogs displays the Thread Stacks window.


Figure 2: Thread Stacks window.

The information displayed in the Thread Stacks window may be the most important part of automatic debugging, or of any debugging. The thread stack shows the code that was executing when the fault occurred. It tells you which DLLs were executing and which functions inside them. Read the stack from the bottom up, because the DLL and function on the last row call the DLL and function on the row before it. Consider the following points when reading the stack:

● The Function column displays the DLL name and the name of the function called inside the DLL. An exclamation mark (!) separates the DLL name from the function name. Sometimes the function name is followed by a plus sign and a number. This is an offset, meaning that the code actually executing is x bytes past the start of the function.

● The DLL and function names come from the DLL's symbol file. If the symbol file cannot be read correctly, ReadLogs displays the function call as in Figure 2: Image@ followed by an address and an offset. The address is the memory location of the function call inside the called DLL. ReadLogs tries to resolve it in the Name Resolution column by searching the list of loaded DLLs to see whether the memory location falls between the start and end addresses of one of them. In the preceding example, ReadLogs finds the address in Taxcalc.dll.

● If a given DLL has no symbols, the Function column displays only a memory address (for example, 0x0230ffd0) and an offset. ReadLogs still tries to resolve the name and display it in the Name Resolution column. If you encounter a DLL like this, consider obtaining a symbol file for it for future debugging.

● Although the debugger stopped on a fault caused by the instruction at the top of the stack, this does not mean that the DLL at the top is responsible. In many cases, you will see a core Microsoft Windows NT file (such as Ntdll.dll) at the top of the stack. This usually indicates that some other function passed bad parameters and caused the error.

● Just as you can click the address in the leftmost column of the DLL output to get version information, you can also use the ChildEBP address of a DLL in the Thread Stacks window to get its version information (if any).

By default, when you parse a log file, the fault stack is displayed in the main output window. ReadLogs determines which thread's stack caused the fault by reading the debugger command prompt in the log. When Exception Monitor stops on an error, it usually sets itself to the thread that caused the error. It also sets the prompt to reflect the faulting thread, in the form x:yyy>, where x indicates which processor the thread is running on and yyy indicates the thread number.
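
The stack-reading rules above (DLL!function+offset entries, raw addresses resolved against the loaded-DLL address ranges, and the x:yyy> prompt) can be sketched in a few lines of Python. This is an added example, not ReadLogs code: the module address ranges, the function name ComputeTax and the sample prompt are constructed for illustration.

```python
import re

# Constructed loaded-module list: (start address, end address, DLL name).
MODULES = [
    (0x02300000, 0x02320000, "Taxcalc.dll"),
    (0x77F60000, 0x77FBE000, "Ntdll.dll"),
]

SYMBOLIC = re.compile(r"^(?P<dll>[^!\s]+)!(?P<func>[^\s+]+)(?:\+(?P<off>0x[0-9a-fA-F]+))?$")
RAW = re.compile(r"^(?P<addr>0x[0-9a-fA-F]+)(?:\+(?P<off>0x[0-9a-fA-F]+))?$")
PROMPT = re.compile(r"^(?P<cpu>\d+):(?P<thread>\d+)>")


def resolve(address, modules=MODULES):
    """Return the DLL whose start/end range contains address, else None."""
    for start, end, name in modules:
        if start <= address < end:
            return name
    return None


def parse_frame(text, modules=MODULES):
    """Split one Function-column entry into DLL, function and byte offset."""
    text = text.strip()
    m = SYMBOLIC.match(text)
    if m:  # symbols were available: DLL!function[+offset]
        return {"dll": m["dll"], "function": m["func"],
                "offset": int(m["off"] or "0", 16), "from_symbols": True}
    m = RAW.match(text)
    if not m:
        raise ValueError(f"unrecognised frame: {text!r}")
    # No symbols: only an address and offset, so fall back to range lookup.
    offset = int(m["off"] or "0", 16)
    address = int(m["addr"], 16) + offset
    return {"dll": resolve(address, modules), "function": None,
            "offset": offset, "from_symbols": False}


def parse_prompt(line):
    """Return (processor, thread number) from an 'x:yyy>' prompt, else None."""
    m = PROMPT.match(line.strip())
    return (int(m["cpu"]), int(m["thread"])) if m else None


if __name__ == "__main__":
    # Constructed frames: one with symbols, one raw address, one unresolvable.
    for frame in ("Taxcalc!ComputeTax+0x2a", "0x0230ffd0+0x1c", "0x10000000"):
        print(frame, "->", parse_frame(frame))
    print(parse_prompt("0:012> kb"))
```

A frame that resolves to no loaded module (dll is None) is worth noting during triage, since it means the address lies outside every DLL range listed in the log.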
