A Beginner's Guide to IIS Logging

IIS

Internet Information Server (IIS) is Microsoft's web server; it can host and run your web applications. IIS supports the following protocols: FTP, FTPS, SMTP, NNTP and HTTP/HTTPS. You can host your web sites on IIS, and you can also use it as an FTP site.

IIS Logs

You can configure your Web site or your FTP site to record log entries that are generated from user activity and from server activity. Log data can help you control access to content, determine content popularity, plan security requirements, and troubleshoot potential Web site issues or FTP site issues. For example, you can use the log files to help determine whether a security event has occurred. The data in the log files can provide information about the source of the attack.

IIS can save log files to different file formats. When you enable logging, you can specify the file format that you want to use. By default, IIS uses the W3C Extended log file format. Typically, the W3C Extended log file format is the preferred log type to use. This log format lets you configure lots of extended attributes that are useful to help analyze security.

Enable and configure logging in Internet Information Services (IIS)

Open the IIS management console, expand the server node and select Logging in the features panel.

[Screenshot: iis-logging-1]

[Screenshot: iis-logging-2]

Press the “Select Fields” button to configure the information you wish to log in your log files:

You can customize the data that is logged to log files that use the W3C Extended log file format. To customize the data, select the properties that you want and omit the properties that you do not want. You may want to select the following properties when you customize W3C Extended log file format logs:

[Screenshot: iis-logging-3]

Client IP address – This is the IP address of the client that accesses the server. Notice that if a Web proxy computer is in front of the server that is running IIS, the IP address of the proxy may appear in the Client IP Address box.

User name – This is the name of the user who accesses the server. If Anonymous authentication is configured, a hyphen (-) is logged instead of the user name.

Method – This is the action that the client tries to perform. For example, the action may be a GET command or a POST command.

URI stem – This is the resource on the server that is running IIS that the user tries to access. For example, the resource may be an HTML page, a graphic, a CGI program, or a script.

Protocol status – This is the status of the action in HTTP terms. This is represented by a code number.

Win32 status – This is the status of the action in Win32 code terms. Error numbers are reported. For example, error 5 means that access is denied.

User agent – This is the name of the Web browser that accesses the server.

Server IP address – This is the IP address of the virtual server where the log entry is generated. This option is helpful if you host multiple virtual servers on the same computer, and the multiple virtual servers use different IP addresses.

Server port – This is the port number of the virtual server that receives the client request. This option is helpful if you host multiple virtual servers on the same computer, and the multiple virtual servers use different IP addresses.

The default selection of fields will provide a decent amount of information for standard environments. If more detail is desired, select more fields. Next, choose a log file location and rollover frequency. Please note that on heavily accessed websites, log files will demand a fair amount of disk space.

Find IIS Logs

The default location for access logs is C:\inetpub\logs\LogFiles. Otherwise, open IIS Manager, select the computer in the left pane, and in the middle pane open “Logging” in the IIS area. There you will see the default location for all sites (each site can override it).

You can also look in C:\Windows\System32\LogFiles\HTTPERR, which contains similar log files that record only errors.

Reading the IIS Log

Web server log file entries typically look similar to this:

212.209.212.66 - [29/Jul/2001:00:35:33 -0500] "GET /data-mining.htm HTTP/1.1" 200 11631 "http://internetmarketingengine.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

Note that some of these entries may be in a different order in your log files.

212.209.212.66 = IP address (or XX if the IP address has been resolved)

29/Jul/2001:00:35:33 = Date and time of the entry

-0500 = Time difference to Greenwich Mean Time (Universal Time). This log file entry was created when the web server was on US Central Summer Time.

GET = Action

data-mining.htm HTTP/1.1 = Object – i.e. retrieve the page data-mining.htm

200 = Result (result 200 means the task has been completed)

11631 = Size of the object, in bytes

http://internetmarketingengine.com/ = Referring URL (i.e. this particular page was accessed from the home page of the Internet Marketing Engine)

Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) = Browser / version and platform – i.e. this person was using Microsoft Internet Explorer 5.5 and the Windows 2000 operating system.
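The sample entry above is in the NCSA Combined format; IIS's default W3C Extended format instead writes space-separated values under a "#Fields:" directive that names each column, using the field names that correspond to the properties listed in the Select Fields section (c-ip for Client IP address, cs-username for User name, sc-status for Protocol status, sc-win32-status for Win32 status). The following Python script is an added example, not part of the original post: it parses a constructed W3C Extended log and counts refused requests per client IP, the kind of check that helps determine whether a security event occurred and where it came from.

```python
from collections import Counter

# Constructed sample in IIS's default W3C Extended format (not from a real
# server). The "#Fields:" directive names each column; c-ip is the Client IP,
# cs-username the User name, sc-status the Protocol status and
# sc-win32-status the Win32 status described in the Select Fields section.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:01:02 10.0.0.5 GET /index.htm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2024-01-15 10:01:05 10.0.0.5 GET /admin/ - 80 - 203.0.113.7 Mozilla/5.0 401 2 5 3
2024-01-15 10:01:06 10.0.0.5 GET /admin/ - 80 - 203.0.113.7 Mozilla/5.0 401 2 5 2
2024-01-15 10:01:09 10.0.0.5 POST /login.aspx - 80 alice 198.51.100.9 Mozilla/5.0 302 0 0 40
2024-01-15 10:01:12 10.0.0.5 GET /secret.txt - 80 - 203.0.113.7 curl/8.0 403 0 5 1
"""


def parse_w3c(text):
    """Return one dict per entry, keyed by the names in the #Fields line.

    Lines starting with '#' are directives, not entries. IIS writes a new
    '#Fields:' line whenever the selected fields change, so the header is
    tracked as we go rather than assumed fixed for the whole file. Field
    values never contain spaces; IIS writes '+' in their place.
    """
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated or malformed entry
        rows.append(dict(zip(fields, values)))
    return rows


def denied_by_client(rows):
    """Count, per client IP, responses that mean access was refused:
    HTTP 401/403 (Protocol status) or Win32 status 5, ERROR_ACCESS_DENIED."""
    counts = Counter()
    for r in rows:
        refused = r.get("sc-status") in ("401", "403") or r.get("sc-win32-status") == "5"
        if refused:
            counts[r["c-ip"]] += 1
    return dict(counts)
```

Running denied_by_client(parse_w3c(SAMPLE_LOG)) on the constructed log attributes all three refused requests to 203.0.113.7, while the successful login from 198.51.100.9 is not counted.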

References

http://www.codeproject.com/Articles/42724/Beginner-s-Guide-Exploring-IIS-With-ASP-NET#heading0028
http://techslate.net/cas-server-and-using-and-troubleshooting-iis-log-files/
http://support.microsoft.com/kb/313437
https://world.mendix.com/pages/viewpage.action?pageId=21135462
http://stackoverflow.com/questions/6426375/where-can-i-find-the-iis-logs
http://internetmarketingengine.com/how-to-read-server-log-files.htm