Parsing CS 1.6 Server Logs (logs/L*.log)

September 24, 2025 Daemon666 8 min read 18 vistas

Every CS 1.6 server can write a detailed, machine-readable log of connects, chat, kills and admin actions to cstrike/logs/. Most admins never turn it on until they need to answer "who did that?" a week too late. This shows how to enable logging, read the standard Half-Life log format, and extract answers with nothing more than grep and awk.

1. Turn logging on

Put these in server.cfg:

log on              // enable logging to cstrike/logs/
mp_logmessages 1    // include chat in the log
mp_logdetail 3      // log attacks and kills (bit 1 + bit 2)
sv_log_onefile 0    // 0 = one file per map/session, 1 = single file

Files land in cstrike/logs/ named by date, like L0715001.log (month, day, sequence). New files roll over on map change and at midnight, so a busy server produces many small logs — which is exactly what you want when grepping a single incident.

2. Read the log line format

Every line follows the Half-Life standard: a timestamp, then a quoted actor, a verb, and details. A kill looks like:

L 07/15/2026 - 20:14:33: "Neo<3><STEAM_0:1:12345><CT>" killed "Smith<5><STEAM_0:0:98765><TERRORIST>" with "ak47"

The actor is Name<userid><authid><team>. Other common verbs:

  • connected, address "1.2.3.4:27005" — a client joined.
  • entered the game — finished connecting.
  • disconnected — left.
  • say "..." and say_team "..." — chat.
  • triggered "..." — bomb planted/defused, round events.

Because the format is stable, tools like HLstatsX parse it directly; you can too.

3. Grep for the common questions

Who connected, and from what IP:

grep 'connected, address' cstrike/logs/L0715*.log

Everything a specific player did, by SteamID (survives name changes):

grep 'STEAM_0:1:12345' cstrike/logs/L0715*.log

All chat, to review an argument or a slur report:

grep -E '" (say|say_team) "' cstrike/logs/*.log

Grepping by SteamID rather than name is the key habit — names are trivially changed, the authid is not, which is also why SteamID bans are the precise ones.

4. awk for counts and leaderboards

A quick kill leaderboard for one log — pull the killer name from each killed line and tally:

grep '" killed "' cstrike/logs/L0715001.log \
 | awk -F'"' '{print $2}' \
 | sed 's/<.*//' \
 | sort | uniq -c | sort -rn | head

The -F'"' splits on quotes so field 2 is the killer's Name<id><auth><team> block; stripping from the first < leaves the name. Count word frequency in chat, count disconnects per hour, or filter to a time window with a timestamp grep — the same shape of pipeline answers most questions.

5. Find admin actions and abuse

AMX Mod X writes admin commands to the same logs (and to its own under addons/amxmodx/logs/). To audit who is banning and kicking:

grep -iE 'amx_(ban|kick|slay|slap|map)' cstrike/logs/*.log

This is the backbone of preventing admin abuse — the log is the record you check when a player claims an admin acted unfairly.

6. Correlate an incident end to end

When you need the full story of one player, chain the pipelines: pull their SteamID from the connect line, then grep every log that mentions it to reconstruct the session — when they joined, from which IP, what they said, who they killed, and whether an admin acted on them. Because the timestamp prefix is fixed-width, you can also narrow to a window with a plain string match:

grep 'STEAM_0:1:12345' cstrike/logs/*.log | grep '20:1'   // 20:10-20:19

That two-step — identity first, then time window — answers almost every "what happened at round 12" question without any external tooling. Archive the logs off the server periodically so a busy box does not rotate the evidence away before you look.

Troubleshooting

  • No log files at alllog on was never set, or the cstrike/logs/ directory is not writable by the server's user. Check permissions and the console for a log-open error.
  • Chat missing from the logmp_logmessages 0. Set it to 1.
  • No kill/attack linesmp_logdetail 0. Use 3 for attacks and kills.
  • One giant file instead of manysv_log_onefile 1. That is fine, but grep by date range instead of by filename.
  • Wrong timezone in timestamps — the log uses the server host's local time; set the box's timezone if it matters for correlating reports.

Verification

Trigger something and confirm it lands. Join the server, type a test line in chat, then:

tail -f cstrike/logs/L0715001.log

You should see your say line appear live with your name, userid and SteamID. Kill a bot and confirm a killed ... with line shows up. Once you trust the logs are complete, keep them — disk is cheap and the one time you need to prove what happened, only the log can.

Colaboradores: Daemon666 ✦
Compartir: