
Tips to Get the Most Out of Your IIS Logs

Wouldn’t it be great if web apps and websites just worked the way they did in testing and staging? Unfortunately, it seems as soon as you release them into the wild, things start going wrong. When you’re getting calls from users or seeing availability alerts, getting your hands on the right data from your IIS logs can make a big difference in how quickly you respond.

DevOps practitioners and IT pros know the first step is to plan for service issues and enable IIS logging. This helps ensure you have the data you need to troubleshoot IIS issues when they happen.

Let’s walk through enabling IIS logging, and I’ll share some tips on what to look for in your IIS logs when there’s an issue.

How to Enable Logging in IIS

If you’re running Windows Server 2012 or Windows 8, you can enable logging for IIS with the following steps.

Open the Internet Information Services (IIS) Manager and select the website you want to enable logging for in the Connections tree view.

Double-click Logging in the Features View.

Select a log format on the Logging page, accessible in the Log File section under Format.

Next, decide on a location to store the log file by specifying a path under Directory. By default, log files will be placed in %SystemDrive%\inetpub\logs\LogFiles, but you can customize it to store files wherever you want.

Last, click Apply in the Actions pane.

IIS can write log messages in a variety of formats. The default format is the W3C Extended log format, which allows you to customize the data written to your logs. W3C is also ASCII-based, so it’s easy to send logs and parse messages in SolarWinds® Papertrail.

If you select the W3C format when enabling logging, you can also pick the fields you want logged. For example, for each request to your web server you can record the date and time, client IP address, server IP address, and HTTP status code simply by checking the box next to the fields.

These are the default fields for the W3C format for IIS 10.0:

date — The date on which the activity occurred (YYYY-MM-DD).

s-ip — The IP address of the server on which the log file entry was generated.

cs-method — The action being taken by the client, e.g., GET or POST.

cs-uri-stem — The file being requested.

cs-uri-query — The query, if any, the client was trying to perform. A Uniform Resource Identifier (URI) query is only needed for dynamic pages.

s-port — The port number being accessed by the client.

cs-username — The name of the authenticated user who accessed the server. Anonymous users are indicated by a hyphen.

c-ip — IP address of the client accessing the web server.

cs(User-Agent) — The browser used by the client to access the web server.

cs(Referer) — The site the user last visited. This site provided a link to the current site.

sc-status — The HTTP status code.

sc-substatus — The substatus error code.

sc-win32-status — The Windows status code.

time-taken — The length of time the action took, in milliseconds.

It’s also a good idea to choose a log file rollover schedule when you enable logging. Log files can grow to be very large, especially for web servers that receive a lot of traffic, so limiting the size of each individual log file makes them more manageable.

You can schedule how often you want a new log file to be created under the Log File Rollover section, where you can pick between Hourly, Daily, Weekly, and Monthly. Alternatively, you can opt to have your log file rolled over once it reaches a certain size.

How to View IIS Log Files

Here’s an example of an IIS log entry that recorded a 404 HTTP status code when a user tried to access a non-existent URL: http://localhost/app03/.

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2020-01-27 11:55:17 ::1 GET /app03/ - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/62.0.3202.94+Safari/537.36 - 404 0 2 9

The first line displays the headers describing the log file format, and the second line contains the log entry. Each value in the entry corresponds by position to a field name in the #Fields line, and a hyphen marks a field with no value.
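The field-to-value mapping just described can be parsed directly. This is an added example, not code from the original article or from Papertrail: it reads W3C-format text, keys each entry by the current #Fields line, and counts 4xx/5xx responses per client IP along with requests slower than a threshold. The sample lines, the names `parse_w3c` and `summarize`, and the 1000 ms threshold are constructed for illustration, and the code assumes `sc-status`, `c-ip`, `cs-uri-stem` and `time-taken` are among the logged fields.

```python
from collections import Counter

# Constructed sample: the page's 404 entry (User-Agent shortened) plus invented lines.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-01-27 11:55:17 ::1 GET /app03/ - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 404 0 2 9
2020-01-27 11:55:20 ::1 GET /app01/ id=7 80 - 192.0.2.10 curl/7.68.0 - 200 0 0 1840
2020-01-27 11:55:21 ::1 POST /app02/login - 80 - 192.0.2.10 curl/7.68.0 - 401 2 5 12
2020-01-27 11:55:22 ::1 GET /app03/admin - 80 - 192.0.2.10 curl/7.68.0 - 404 0 2 3
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # header can recur mid-file
        elif not line or line.startswith("#"):
            continue                                   # other directives, blanks
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                continue                               # truncated or foreign line
            # A lone hyphen means "no value"; IIS writes spaces in values as '+'.
            entry = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
            if entry.get("cs(User-Agent)"):
                entry["cs(User-Agent)"] = entry["cs(User-Agent)"].replace("+", " ")
            yield entry

def summarize(entries, slow_ms=1000):
    """Count 4xx/5xx responses per client IP and list slow requests."""
    errors, slow = Counter(), []
    for e in entries:
        if int(e["sc-status"]) >= 400:
            errors[(e["c-ip"], e["sc-status"])] += 1
        if int(e["time-taken"]) > slow_ms:
            slow.append((e["cs-uri-stem"], int(e["time-taken"])))
    return errors, slow

if __name__ == "__main__":
    errors, slow = summarize(parse_w3c(SAMPLE_LOG))
    for (ip, status), n in errors.most_common():
        print(f"{ip} {status} x{n}")
    print("slow:", slow)
```

Reading the field order from #Fields rather than hard-coding it keeps the parser correct when the selected fields change between log files.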

Even though a number of tools are available for viewing log files locally on your Windows machine, such as Microsoft Log Parser, getting a holistic view of all the web events can be challenging. With Papertrail, the logs from the different web application components and services can be in a single view, and you can search events in context to troubleshoot faster. You can send IIS log files to Papertrail using third-party tools such as NXLog or Eventlog-to-Syslog by transmitting the plain-text files to the Papertrail syslog server.

How to Analyze IIS Log Files

Papertrail makes searching and analyzing IIS log files easy. The search syntax is similar to Google and supports boolean operators such as AND, OR, and NOT. You can combine individual expressions to form more complex queries. For example, this search query will return all HTTP GET requests to web apps located at URIs /app01/ and /app02/:

GET (/app01 OR /app02) 

Papertrail also supports a negation operator (-) to match log entries that do not contain a string. To find all IIS log messages without 404 HTTP status codes, you can use the following search query:

-404

Of course, some issues can only be diagnosed while watching the events unfold in real time. The live tail feature in Papertrail lets you do so, allowing you to pause, scroll, and search through log messages as they arrive. You can also filter incoming logs from the Papertrail event viewer to trim down the size of your logs and focus on the parts that really matter.

Because Papertrail allows you to search across your log data from one place, the log velocity analytics view is a good place to start your troubleshooting. This view shows you event volume over time for your logs. You can spot spikes in events and click on the graph to see messages, source, and other details.

If you plan ahead and set up IIS logging and consolidate your web application logs in Papertrail, you’ll have the tools you need to troubleshoot quickly.
