Browser version in Apache logs
Does anyone have an expanded query that can parse out browser versions from Apache logs (or IIS logs)?
I found the following query below somewhere at some point (I think from IIS app), but I'd like to get more details like determining IE versions, OS versions, etc., which would need to be able to interpret what is in the logs and convert it to 'English' versions (i.e., Windows NT 6.1 = Windows 7).
| where cs_uri_stem matches "/svc/services/Navigation"
| if (cs_user_agent matches "*compatible*", "Compatable","") as Compatable
| if (cs_user_agent matches "*Windows *" OR cs_user_agent matches "*Win32*" OR cs_user_agent matches "*Win64*","Windows","") as OS
| if (cs_user_agent matches "*Macintosh*" OR cs_user_agent matches "*Darwin/*" OR cs_user_agent matches "*Mac OS*","MacOS",OS) as OS
| if (cs_user_agent matches "* CrOS *","Chrome OS",OS) as OS
| if (cs_user_agent matches "*Linux*","Linux",OS) as OS
| if (cs_user_agent matches "*iPad*","iPad",OS) as OS
| if (cs_user_agent matches "*iPhone*","iPhone",OS) as OS
| if (cs_user_agent matches "*Android*","Android",OS) as OS
| if (cs_user_agent matches "*Windows Phone*","Windows Phone",OS) as OS
| if (OS == "","Other",OS) as OS
| if (cs_user_agent matches "Mozilla/*; rv:*)*","Mozilla","") as Browser
| if (cs_user_agent matches "*MSIE*","Internet Explorer",Browser) as Browser
| if (cs_user_agent matches "*Firefox*","Firefox",Browser) as Browser
| if (cs_user_agent matches "*Safari*","Safari",Browser) as Browser
| if (OS=="Android" AND cs_user_agent matches "*WebKit*","WebKit",Browser) as Browser
| if ((OS=="iPhone" OR OS=="iPad") AND (cs_user_agent matches "*Mobile/*" OR cs_user_agent matches "*AppleWebKit*(KHTML*Gecko)*"),"Mobile Safari",Browser) as Browser
| if (Browser == "" AND OS=="MacOS" AND cs_user_agent matches "Mozilla/* (Macintosh;*(KHTML, like Gecko)*","Safari",Browser) as Browser
| if (cs_user_agent matches "*MobileSafari/*","Mobile Safari",Browser) as Browser
| if (cs_user_agent matches "*Chrome*","Chrome",Browser) as Browser
| if (cs_user_agent matches "*Opera*","Opera",Browser) as Browser
| if (cs_user_agent matches "*Dolphin*","Dolphin",Browser) as Browser
| if (Browser == "","Other",Browser) as Browser
| count by OS, Browser, Compatable | sort by _count
-
The above post seems a little old. I put a query together for browser version; maybe someone else can provide input on it.
It is meant to capture browser versions. It is a work in progress, but it seems to run much faster than the one above.
_sourceCategory=*
| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<user_agent>.+?)\".*" nodrop
| parse regex "(?<OS>\([\w\s\d\.\;\:\/-]+\))" nodrop
| parse regex "(?<browser>Version\/[\d\.]+\sSafari)" nodrop
| parse regex "(?<browser>Version\/[\d\.]+\sMobile\/[\d\w]+\sSafari)" nodrop
| parse regex "(?<browser>Firefox\/[\d\.]+)" nodrop
| parse regex "(?<browser>Chrome\/[\d\.]+)" nodrop
| if (browser=="" AND OS=="(Macintosh; Intel Mac OS X 10_12_6)","KHTML, like Gecko",browser) as browser
| if (browser=="" AND OS=="(iPhone; CPU iPhone OS 9_3_4 like Mac OS X)","Mobile Safari",browser) as browser
| count by browser | sort by _count
Cheers
A
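Added example, not part of either post above and not a Sumo Logic query: a Python sketch of the mapping the question asks for, turning the user agent in an Apache combined-format line into a readable OS and a browser name with version. The function names, the version table and the sample lines are constructed for illustration; the user agent is client-supplied, so treat the result as a hint rather than as identity.

```python
import re

# Apache "combined" format: the user agent is the last quoted field.
LOG_RE = re.compile(r'"[A-Z]+ \S+ HTTP/[\d.]+" \d{3} [\d-]+ "[^"]*" "(?P<ua>[^"]*)"')

# Windows NT kernel versions to marketing names (Windows 11 also reports NT 10.0).
WINDOWS_NT = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
              "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}

# Order matters: Edge and Opera UAs also contain "Chrome", and Chrome's contains "Safari".
BROWSERS = [("Edge", r"Edge?/([\d.]+)"), ("Opera", r"OPR/([\d.]+)"),
            ("Internet Explorer", r"MSIE ([\d.]+)"),
            ("Internet Explorer", r"Trident/.*rv:([\d.]+)"),
            ("Firefox", r"Firefox/([\d.]+)"), ("Chrome", r"Chrome/([\d.]+)"),
            ("Safari", r"Version/([\d.]+).*Safari/")]

def parse_os(ua):
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:  # unknown NT versions are reported raw instead of guessed
        return WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
    m = re.search(r"(iPhone|iPad);.*? OS (\d+(?:_\d+)*)", ua)
    if m:  # checked before macOS: iOS UAs say "like Mac OS X"
        return f"{m.group(1)} iOS {m.group(2).replace('_', '.')}"
    m = re.search(r"Mac OS X (\d+(?:[_.]\d+)*)", ua)
    if m:
        return "macOS " + m.group(1).replace("_", ".")
    m = re.search(r"Android (\d+(?:\.\d+)*)", ua)
    if m:  # checked before Linux: Android UAs contain "Linux"
        return "Android " + m.group(1)
    return "Linux" if "Linux" in ua else "Other"

def parse_browser(ua):
    for name, pattern in BROWSERS:
        m = re.search(pattern, ua)
        if m:
            return f"{name} {m.group(1)}"
    return "Other"

def summarize(line):
    """Return (os, browser) for one access-log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return (parse_os(m["ua"]), parse_browser(m["ua"])) if m else None

# Constructed sample lines (documentation IP addresses), not taken from the thread.
SAMPLES = [
    '192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '192.0.2.11 - - [01/Jan/2018:10:00:01 +0000] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"',
    '192.0.2.12 - - [01/Jan/2018:10:00:02 +0000] "GET /b HTTP/1.1" 304 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1"',
]
```

The same precedence (most specific token first) applies if the checks are ported back into a chain of query-side conditions.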