Microsoft’s IIS web server uses a non-standard file format that is rarely seen. IIS Log Files use a space-delimited file format and also contain comments in them. The column headings are defined in the comments. In this article, we are going to take a look at how to interpret IIS log files.
By the way, if you need help finding your IIS log files, be sure to check out our guide dedicated to that topic: Where Are IIS Log Files Located? How to View IIS Logs on Windows & Azure
Here are a few of the key things you need to know about IIS log formats:
Below is an example of what the output looks like from an IIS log file. This is a very simple example from a single ASP.NET web page being accessed. You can see that the page also downloads some JavaScript and CSS files. This example shows the column headings and one line. It shows here with a line break in it because it’s so long. You can see the real file on the screen also shown here.
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken 2016-09-13 21:45:10 ::1 GET /webapp2 - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 - 500 0 0 5502
Field | Appears As | Description | Default Y/N |
Date |
date |
The date on which the activity occurred. |
Y |
Time |
time |
The time, in coordinated universal time (UTC), at which the activity occurred. |
Y |
Client IP Address |
c-ip |
The IP address of the client that made the request. |
Y |
User Name |
cs-username |
The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen. |
Y |
Service Name and Instance Number |
s-sitename |
The Internet service name and instance number that was running on the client. |
N |
Server Name |
s-computername |
The name of the server on which the log file entry was generated. |
N |
Server IP Address |
s-ip |
The IP address of the server on which the log file entry was generated. |
Y |
Server Port |
s-port |
The server port number that is configured for the service. |
Y |
Method |
cs-method |
The requested action, for example, a GET method. |
Y |
URI Stem |
cs-uri-stem |
The target of the action, for example, Default.htm. |
Y |
URI Query |
cs-uri-query |
The query, if any that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. |
Y |
HTTP Status |
sc-status |
The HTTP status code. |
Y |
Win32 Status |
sc-win32-status |
The Windows status code. |
N |
Bytes Sent |
sc-bytes |
The number of bytes that the server sent. |
N |
Bytes Received |
cs-bytes |
The number of bytes that the server received. |
N |
Time Taken |
time-taken |
The length of time that the action took, in milliseconds. |
N |
Protocol Version |
cs-version |
The protocol version —HTTP or FTP —that the client used. |
N |
Host |
cs-host |
The host header name, if any. |
N |
User Agent |
cs(User-Agent) |
The browser type that the client used. |
Y |
Cookie |
cs(Cookie) |
The content of the cookie sent or received if any. |
N |
Referrer |
cs(Referrer) |
The site that the user last visited. This site provided a link to the current site. |
N |
Protocol Substatus |
sc-substatus |
The sub status error code. |
Y |
IIS provides a few settings for customizing your IIS log files within the IIS Manager console. You can log them in the default W3C format or use IIS, NCSA or custom file formats.
You also have the ability to specify how the log files rollover. This determines if a new file is created hourly, daily, weekly, etc. You can also specify a max file size instead.
The fields that are being logged can also be customized. You may remove fields that you don’t need, select from some optional fields or even create your own. The custom fields should be values that are available in the HTTP headers or from the server variables.
MORE: Customizing IIS Logging Fields (TechNet)
If you want to open the IIS log files in the log file viewer, I would suggest using the free tool, Log Parser Studio from Microsoft. If you want to query your logs from the command line only, you can also use Log Parser 2.2, which has no UI.
When you open Log Parser Studio you can pick from a wide array of pre-built queries. I would suggest skipping that and follow these steps:
Once you have specified your log file location and the type of logs, you are ready to query your IIS log files.
Here is a basic query to get you started:
SELECT TOP 1000 * FROM '[LOGFILEPATH]' ORDER BY time-taken
LogParser supports a SQL-like syntax which can be used to do very powerful queries and reporting. Check out this website which lists 50 different queries as examples.
With Log Parser Studio you can also export the data to a CSV file which could be used via Excel or other tools.
If you want to get the most of your IIS log files, you will want to aggregate them within a log management service. These tools can help you view and query them in real time, across all of your servers. Log management is included as one of the features of Retrace.
Screenshot of Retrace log viewer
In this article about how to interpret IIS logs, we reviewed the format of the files, how to customize them, how to query them, and even how to aggregate them all with a log management solution.
If you would like to be a guest contributor to the Stackify blog please reach out to [email protected]