Microsoft’s IIS web server uses a non-standard file format that is rarely seen. IIS log files are space-delimited and contain comment lines, and the column headings are defined in those comments. In this article, we are going to take a look at how to interpret IIS log files.
By the way, if you need help finding your IIS log files, be sure to check out our guide dedicated to that topic: Where Are IIS Log Files Located? How to View IIS Logs on Windows & Azure
IIS Log Files Guide
How to Interpret IIS Log Formats
Here are a few of the key things you need to know about IIS log formats:
- IIS may write separate files by day, by hour, and by IIS site (there are settings for this)
- Lines that start with a # are comments
- Every time IIS restarts, it writes the current version, date, and fields to the log file, as shown below
- The file is in a space-delimited format
- Fields that have no value will show a dash (-) since spaces are not allowed
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-09-13 21:45:10 ::1 GET /webapp2 - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 - 500 0 0 5502
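The rules above, turned into a small parser. This is an added example, not code from the original article; the sample log is constructed (its first entry is the article's sample line with a shortened User-Agent), and the function names are hypothetical. It re-reads the column list at every #Fields comment, because IIS writes a new header after each restart and the logged fields can change.

```python
# Added example: parser for the space-delimited IIS W3C format described above.
# SAMPLE_LOG is constructed for illustration; function names are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Date: 2016-09-13 21:45:10
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-09-13 21:45:10 ::1 GET /webapp2 - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 500 0 0 5502
#Date: 2016-09-13 21:50:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2016-09-13 21:50:02 ::1 GET /webapp2/login 401 12
2016-09-13 21:50:03 ::1 GET
"""

INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_iis_log(lines):
    """Yield one dict per entry, keyed by the most recent #Fields comment."""
    fields = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Comment line; only #Fields changes how later entries are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            # Entry before any header, or a truncated write: report it
            # instead of silently shifting values into the wrong columns.
            yield {"_line": lineno, "_error": "column count mismatch"}
            continue
        entry = {}
        for name, value in zip(fields, values):
            if value == "-":                      # dash means "no value"
                entry[name] = None
            elif name in INT_FIELDS and value.isdigit():
                entry[name] = int(value)
            else:
                entry[name] = value
        yield entry


def server_errors(entries):
    """Return the entries whose HTTP status (sc-status) is 500 or higher."""
    return [e for e in entries if (e.get("sc-status") or 0) >= 500]


if __name__ == "__main__":
    for e in server_errors(parse_iis_log(SAMPLE_LOG.splitlines())):
        print(e["date"], e["time"], e["cs-uri-stem"], e["sc-status"], e["time-taken"])
```
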
Common IIS Log File Fields
|Field|Appears As|Description|Default Y/N|
|---|---|---|---|
| | |The date on which the activity occurred.| |
| | |The time, in coordinated universal time (UTC), at which the activity occurred.| |
|Client IP Address| |The IP address of the client that made the request.| |
| | |The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen.| |
|Service Name and Instance Number| |The Internet service name and instance number that was running on the client.| |
| | |The name of the server on which the log file entry was generated.| |
|Server IP Address| |The IP address of the server on which the log file entry was generated.| |
| | |The server port number that is configured for the service.| |
| | |The requested action, for example, a GET method.| |
| | |The target of the action, for example, Default.htm.| |
| | |The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages.| |
| | |The HTTP status code.| |
| | |The Windows status code.| |
| | |The number of bytes that the server sent.| |
| | |The number of bytes that the server received.| |
| | |The length of time that the action took, in milliseconds.| |
| | |The protocol version (HTTP or FTP) that the client used.| |
| | |The host header name, if any.| |
| | |The browser type that the client used.| |
| | |The content of the cookie sent or received, if any.| |
| | |The site that the user last visited. This site provided a link to the current site.| |
| | |The sub status error code.| |
How to Customize IIS Log Files
IIS provides a few settings for customizing your IIS log files within the IIS Manager console. You can log them in the default W3C format or use IIS, NCSA or custom file formats.
You can also specify how the log files roll over. This determines whether a new file is created hourly, daily, weekly, etc. You can also specify a maximum file size instead.
The fields that are being logged can also be customized. You may remove fields that you don’t need, select from some optional fields or even create your own. The custom fields should be values that are available in the HTTP headers or from the server variables.
How to Read IIS Log Files With Log Parser Studio
If you want to open the IIS log files in a log file viewer, I would suggest using the free tool, Log Parser Studio from Microsoft. If you want to query your logs from the command line only, you can also use Log Parser 2.2, which has no UI.
When you open Log Parser Studio you can pick from a wide array of pre-built queries. I would suggest skipping that and following these steps:
- File -> New Query
- Select where your log files are
- Set the log type of IISW3CLOG
Once you have specified your log file location and the type of logs, you are ready to query your IIS log files.
Here is a basic query to get you started:
SELECT TOP 1000 * FROM '[LOGFILEPATH]' ORDER BY time-taken
LogParser supports a SQL-like syntax which can be used to do very powerful queries and reporting. Check out this website which lists 50 different queries as examples.
With Log Parser Studio you can also export the data to a CSV file which could be used via Excel or other tools.
How to Interpret and Analyze IIS Log Files with Log Management
If you want to get the most out of your IIS log files, you will want to aggregate them within a log management service. These tools can help you view and query them in real time, across all of your servers. Log management is included as one of the features of Retrace.
Aggregate IIS Log Files with Retrace Log Management:
- Search across all servers
- Archival of log data
- Monitor logs for potential problems
- Provide easy access to all of IT
Screenshot of Retrace log viewer
In this article about how to interpret IIS logs, we reviewed the format of the files, how to customize them, how to query them, and even how to aggregate them all with a log management solution.