Microsoft’s IIS web server uses a non-standard file format that is rarely seen elsewhere. IIS log files are space-delimited and contain comment lines, and the column headings are defined in those comments. In this article, we are going to take a look at how to interpret IIS log files.
By the way, if you need help finding your IIS log files, be sure to check out our guide dedicated to that topic: Where Are IIS Log Files Located? How to View IIS Logs on Windows & Azure
Here are a few of the key things you need to know about IIS log formats:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-09-13 21:45:10 ::1 GET /webapp2 - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.116+Safari/537.36 - 500 0 0 5502
Date (date): The date on which the activity occurred.
Time (time): The time, in coordinated universal time (UTC), at which the activity occurred.
Client IP Address (c-ip): The IP address of the client that made the request.
User Name (cs-username): The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen.
Service Name and Instance Number (s-sitename): The Internet service name and instance number that was running on the client.
Server Name (s-computername): The name of the server on which the log file entry was generated.
Server IP Address (s-ip): The IP address of the server on which the log file entry was generated.
Server Port (s-port): The server port number that is configured for the service.
Method (cs-method): The requested action, for example, a GET method.
URI Stem (cs-uri-stem): The target of the action, for example, Default.htm.
URI Query (cs-uri-query): The query, if any, that the client was trying to perform. A Uniform Resource Identifier (URI) query is necessary only for dynamic pages.
HTTP Status (sc-status): The HTTP status code.
Win32 Status (sc-win32-status): The Windows status code.
Bytes Sent (sc-bytes): The number of bytes that the server sent.
Bytes Received (cs-bytes): The number of bytes that the server received.
Time Taken (time-taken): The length of time that the action took, in milliseconds.
Protocol Version (cs-version): The protocol version (HTTP or FTP) that the client used.
Host (cs-host): The host header name, if any.
User Agent (cs(User-Agent)): The browser type that the client used.
Cookie (cs(Cookie)): The content of the cookie sent or received, if any.
Referrer (cs(Referer)): The site that the user last visited. This site provided a link to the current site.
Protocol Substatus (sc-substatus): The sub status error code.
IIS provides a few settings for customizing your IIS log files within the IIS Manager console. You can log them in the default W3C format or use IIS, NCSA or custom file formats.
You also have the ability to specify how the log files roll over. This determines whether a new file is created hourly, daily, weekly, etc. You can also specify a maximum file size instead.
The fields that are being logged can also be customized. You may remove fields that you don’t need, select from some optional fields or even create your own. The custom fields should be values that are available in the HTTP headers or from the server variables.
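Because the logged fields can be customized, a parser should take its column names from the #Fields comment instead of assuming fixed positions. The following Python parser is an added example, not code from the original article; the function names, the 5000 ms threshold, and every sample line other than the article's own log entry (whose User-Agent is shortened here) are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the article's log line (User-Agent shortened), then a
# second #Fields directive with fewer columns, a matching row, a truncated row.
SAMPLE = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-09-13 21:45:10 ::1 GET /webapp2 - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 500 0 0 5502
#Fields: date time cs-method cs-uri-stem sc-status time-taken
2016-09-13 21:46:02 GET /index.htm 200 15
2016-09-13 21:46:03 GET
"""

INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "time-taken", "sc-bytes", "cs-bytes"}

def parse_iis_log(text):
    """Return (records, skipped) for W3C-format IIS log text."""
    fields, records, skipped = [], [], 0
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # column names for the rows that follow
            continue                        # other comment lines carry no rows
        values = line.split()
        if not values:
            continue
        if len(values) != len(fields):
            skipped += 1                    # truncated row, or row before any header
            continue
        try:
            rec = {}
            for name, value in zip(fields, values):
                if value == "-":
                    rec[name] = None        # hyphen marks an empty field
                elif name in INT_FIELDS:
                    rec[name] = int(value)
                elif name.startswith("cs("):
                    rec[name] = value.replace("+", " ")  # spaces are logged as '+'
                else:
                    rec[name] = value
            if rec.get("date") and rec.get("time"):      # both are logged in UTC
                rec["timestamp"] = datetime.strptime(
                    f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"
                ).replace(tzinfo=timezone.utc)
        except ValueError:
            skipped += 1                    # non-numeric counter or malformed date
            continue
        records.append(rec)
    return records, skipped

def needs_review(records, slow_ms=5000):
    """Rows with a 5xx status or a time-taken of at least slow_ms milliseconds."""
    return [r for r in records if (r.get("sc-status") or 0) >= 500
            or (r.get("time-taken") or 0) >= slow_ms]
```

A non-zero skipped count is worth surfacing during log review, since rows that do not match the active header are otherwise dropped silently.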
If you want to open the IIS log files in a log file viewer, I would suggest using the free tool, Log Parser Studio from Microsoft. If you want to query your logs from the command line only, you can also use Log Parser 2.2, which has no UI.
When you open Log Parser Studio you can pick from a wide array of pre-built queries. I would suggest skipping that and following these steps:
Once you have specified your log file location and the type of logs, you are ready to query your IIS log files.
Here is a basic query to get you started:
SELECT TOP 1000 * FROM '[LOGFILEPATH]' ORDER BY time-taken
LogParser supports a SQL-like syntax which can be used to do very powerful queries and reporting. Check out this website which lists 50 different queries as examples.
With Log Parser Studio you can also export the data to a CSV file which could be used via Excel or other tools.
If you want to get the most out of your IIS log files, you will want to aggregate them within a log management service. These tools can help you view and query them in real time, across all of your servers. Log management is included as one of the features of Retrace.
Screenshot of Retrace log viewer
In this article about how to interpret IIS logs, we reviewed the format of the files, how to customize them, how to query them, and even how to aggregate them all with a log management solution.