IIS Log Files

How to Read & Customize IIS Log Files

Matt Watson | Developer Tips, Tricks & Resources

Microsoft’s IIS web server uses a non-standard file format that is rarely seen. IIS log files use a space-delimited file format and also contain comment lines. The column headings are defined in those comments. In this article, we are going to take a look at how to interpret IIS log files.

By the way, if you need help finding your IIS log files, be sure to check out our guide dedicated to that topic: Where Are IIS Log Files Located? How to View IIS Logs on Windows & Azure

How to Interpret the IIS Log File Format

Below is an example of what the output looks like from an IIS log file. This is a very simple example from a single ASP.NET web page being accessed. You can see that the page also downloads some JavaScript and CSS files.

Here are a few of the key things you need to know:

  • IIS may write separate files by day, by hour, and by IIS site (there are settings for this)
  • Lines that start with a # are comments
  • Every time IIS restarts, it writes the current version, date, and fields to the log file, as shown below
  • The file is in a space-delimited file format
  • Fields that have no value will show a dash (-) since spaces are not allowed

Below is an example of the column headings and one log line. The line is wrapped here because it is so long; the screenshot shows the real file.

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-09-13 21:45:10 ::1 GET /webapp2 - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 - 500 0 0 5502

Screenshot of IIS Log File
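
The rules listed above (comment lines, a #Fields directive that is rewritten after a restart, space-delimited columns, a dash for an empty value) are enough to write a small parser. The Python below is an added example, not code from the original article or from Microsoft. The sample log is constructed, and the helper names load, slowest and errors_by_client are made up for illustration. It goes one step beyond the text by handling a field list that changes partway through a file and by setting aside truncated lines instead of misaligning them.

```python
from collections import Counter

# Constructed sample (not from the article's server): IIS re-wrote the header
# after a restart and the field list changed; the last line is truncated.
SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Date: 2016-09-13 21:45:00
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status sc-substatus time-taken
2016-09-13 21:45:10 GET /webapp2 - ::1 Mozilla/5.0+(Windows+NT+10.0) 500 0 5502
2016-09-13 21:45:11 GET /site.css - ::1 Mozilla/5.0+(Windows+NT+10.0) 200 0 12
#Fields: date time cs-method cs-uri-stem c-ip cs-host sc-status time-taken
2016-09-13 22:01:02 POST /login 203.0.113.7 example.test 401 31
2016-09-13 22:01:03 POST /login 203.0.113.7
"""

def load(text):
    """Return (rows, rejects): rows are dicts keyed by the active #Fields
    names; rejects are raw lines whose column count does not match."""
    fields, rows, rejects = None, [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                 # comment / directive line
            if line.startswith("#Fields:"):      # column names for rows below
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            rejects.append(line)                 # never guess at column alignment
            continue
        # A lone dash means "no value"; '+' stands in for a space in the UA.
        row = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        if row.get("cs(User-Agent)"):
            row["cs(User-Agent)"] = row["cs(User-Agent)"].replace("+", " ")
        rows.append(row)
    return rows, rejects

def slowest(rows, n=3):
    """Rows with the largest time-taken (milliseconds), slowest first."""
    timed = [r for r in rows if r.get("time-taken")]
    return sorted(timed, key=lambda r: int(r["time-taken"]), reverse=True)[:n]

def errors_by_client(rows):
    """Count responses with sc-status >= 400 per client IP (c-ip)."""
    return Counter(r["c-ip"] for r in rows
                   if r.get("c-ip") and int(r.get("sc-status") or 0) >= 400)

if __name__ == "__main__":
    rows, rejects = load(SAMPLE)
    print(len(rows), "rows,", len(rejects), "rejected")
    print([r["cs-uri-stem"] for r in slowest(rows)])
    print(errors_by_client(rows))
```

Rejected lines are worth reviewing rather than discarding: a line cut short by a crash or an edited log will not match the active field list.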

Common IIS Log File Fields

| Field | Appears As | Description | Default Y/N |
|---|---|---|---|
| Date | date | The date on which the activity occurred. | Y |
| Time | time | The time, in coordinated universal time (UTC), at which the activity occurred. | Y |
| Client IP Address | c-ip | The IP address of the client that made the request. | Y |
| User Name | cs-username | The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen. | Y |
| Service Name and Instance Number | s-sitename | The Internet service name and instance number that was running on the client. | N |
| Server Name | s-computername | The name of the server on which the log file entry was generated. | N |
| Server IP Address | s-ip | The IP address of the server on which the log file entry was generated. | Y |
| Server Port | s-port | The server port number that is configured for the service. | Y |
| Method | cs-method | The requested action, for example, a GET method. | Y |
| URI Stem | cs-uri-stem | The target of the action, for example, Default.htm. | Y |
| URI Query | cs-uri-query | The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. | Y |
| HTTP Status | sc-status | The HTTP status code. | Y |
| Win32 Status | sc-win32-status | The Windows status code. | N |
| Bytes Sent | sc-bytes | The number of bytes that the server sent. | N |
| Bytes Received | cs-bytes | The number of bytes that the server received. | N |
| Time Taken | time-taken | The length of time that the action took, in milliseconds. | N |
| Protocol Version | cs-version | The protocol version (HTTP or FTP) that the client used. | N |
| Host | cs-host | The host header name, if any. | N |
| User Agent | cs(User-Agent) | The browser type that the client used. | Y |
| Cookie | cs(Cookie) | The content of the cookie sent or received, if any. | N |
| Referrer | cs(Referer) | The site that the user last visited. This site provided a link to the current site. | N |
| Protocol Substatus | sc-substatus | The sub status error code. | Y |

How to Customize IIS Log Files

IIS provides a few settings for customizing your IIS log files within the IIS Manager console. You can log them in the default W3C format or use IIS, NCSA or custom file formats.

You can also specify how the log files roll over. This determines whether a new file is created hourly, daily, weekly, etc. You can also specify a maximum file size instead.

The fields that are being logged can also be customized. You may remove fields that you don’t need, select from some optional fields or even create your own. The custom fields should be values that are available in the HTTP headers or from the server variables.


IIS Manager

MORE: Customizing IIS Logging Fields (TechNet)

How to Read IIS Log Files With Log Parser Studio

If you want to open the IIS log files in a log file viewer, I would suggest using the free Log Parser Studio from Microsoft. If you want to query your logs from the command line only, you can also use Log Parser 2.2, which has no UI.

When you open Log Parser Studio you can pick from a wide array of pre-built queries. I would suggest skipping that and following these steps:

  1. File -> New Query
  2. Select where your log files are
  3. Set the log type of IISW3CLOG

Log Parser Studio

Once you have specified your log file location and the type of logs, you are ready to query your IIS log files.

Here is a basic query to get you started:

SELECT TOP 1000 *
FROM '[LOGFILEPATH]' 
ORDER BY time-taken

LogParser supports a SQL-like syntax which can be used to do very powerful queries and reporting. Check out this website which lists 50 different queries as examples.

With Log Parser Studio you can also export the data to a CSV file which could be used via Excel or other tools.

Log data exported from Log Parser Studio

How to Leverage Log Management to Interpret IIS Log Files

If you want to get the most out of your IIS log files, you will want to aggregate them within a log management service. These tools can help you view and query them in real time, across all of your servers. Log management is included as one of the features of Retrace.

Log management advantages:

  • Search across all servers
  • Archival of log data
  • Monitor logs for potential problems
  • Provide easy access to all of IT


Screenshot of Retrace log viewer

Summary

In this article about how to interpret IIS logs, we reviewed the format of the files, how to customize them, how to query them, and even how to aggregate them all with a log management solution.

 

About Matt Watson

Matt is the Founder & CEO of Stackify. He has been a developer/hacker for over 15 years and loves solving hard problems with code. While working in IT management he realized how much of his time was wasted trying to put out production fires without the right tools. He founded Stackify in 2012 to create an easy to use set of tools for developers.
