In this article, we will look at IIS logs in detail: what they are, what they contain, which data fields from HTTP requests are logged, the IIS log formats, and the location of IIS logs. We will also look at strategies to manage the disk usage of IIS log files.
Internet Information Server (IIS) is a web server from Microsoft that ships with the Windows operating system. All requests made to the web server are recorded in IIS logs.
IIS provides an efficient, configurable, and flexible logging architecture. You can configure options such as the IIS log format, the IIS log fields (in W3C format), the IIS log location, the file encoding, and the rollover mechanism for the IIS log files.
Configure IIS Logs
You can configure IIS logs to capture the details of every HTTP request, along with its status, that is processed by the sites hosted on that IIS server. IIS logs can help you troubleshoot your site.
IIS logs can be configured at the Server or Site level. I personally prefer configuring logging at the Server level as this sets a default logging configuration for all the new sites.
IIS Manager can be used to configure logging. Note that the HTTP Logging feature must be installed for logging to be available.
Configure or change the settings using IIS Manager.
Based on your needs for logging you can configure the following fields:
- One log file per Site or Server. The default value is Site, and I personally prefer Site.
- Log File Format – IIS, NCSA, W3C, or Custom. W3C is a customizable option with different fields so you can log important properties and limit the log size if required.
- Select Fields to be Logged (Only available for file format W3C). The detailed list of Fields is covered in the next section.
- Directory where logs will be saved
- Log Event Destination
- Logfile rollover settings
IIS Log File Format
IIS writes its log entries to files, and the data is written to these files in a fixed format. As discussed in the previous section, you can configure the fields to be logged and select the format of the log file. The W3C Extended format, IIS log format, and NCSA format are all ASCII text formats (unless UTF-8 is enabled for your Web sites).
The W3C IIS log file format allows you to select the fields you want to log for each request. The W3C file is a space-delimited file format and empty fields i.e. fields with no value will be displayed using the hyphen (-). Shown below is the sample of the IIS log file format for one request that is logged using the IIS Logs W3C format.
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-10-18 00:00:18
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-02-22 23:59:50 W3SVC2 SERVERNAME1 192.168.0.2 POST /Application/Controller/Action - 80 - 202.124.212.56 Mozilla/5.0+(Linux;+Android+11;+SM-M515F+Build/RP1A.200720.012;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/4.0+Chrome/93.0.4577.62+Mobile+Safari/537.36 - 200 0 0 140
The IIS and NCSA log file formats cannot be customized; both are fixed ASCII formats. In the IIS log file format the items are comma-separated. In the NCSA format the fields are separated by spaces and empty fields are represented by a hyphen (-). The IIS log file format records more information than the NCSA log file format.
Microsoft provides a tool called Log Parser that can read the data from IIS log files. Using this tool you can run SQL-like queries against a log file and produce the desired report on screen or in a file.
List of IIS W3C Log Fields
Here is the complete list of fields that the IIS logging module can log when the log file format is W3C.
- Date (date): date of request.
- Time (time): time of the request in Coordinated Universal Time (UTC).
- Client IP Address (c-ip): the client IP address that made the request.
- User Name (cs-username): the name of the authenticated user who made the request. A hyphen indicates an anonymous user.
- Service Name (s-sitename): the site service name and instance number that handled the request.
- Server Name (s-computername): the name of the server on which the request was made.
- Server IP Address (s-ip): the IP address of the server on which the request was made.
- Server Port (s-port): the server port number that is configured for the service.
- Method (cs-method): the requested action, for example, a GET method.
- URI Stem (cs-uri-stem): the URI, or target, of the action.
- URI Query (cs-uri-query): the query, if any, that the client was trying to perform. A URI query is necessary only for dynamic pages.
- Protocol Status (sc-status): the HTTP request status code.
- Protocol Substatus (sc-substatus): the HTTP request substatus error code.
- Win32 Status (sc-win32-status): the Windows status code.
- Bytes Sent (sc-bytes): the number of bytes that the server sent to the client.
- Bytes Received (cs-bytes): the number of bytes that the server received from the client.
- Time Taken (time-taken): the time the request took to complete (in milliseconds).
- Protocol Version (cs-version): the HTTP protocol version that the client used.
- Host (cs-host): the hostname, if any.
- User Agent (cs(User-Agent)): the browser type that the client uses for requests.
- Cookie (cs(Cookie)): the content of the cookie sent or received.
- Referrer (cs(Referer)): the site that the user last visited. This site provided a link to the current site.
IIS Logs Location
The default location for IIS log files is %SystemDrive%\inetpub\logs\LogFiles. You can change this default location and log to a different directory.
To verify or change the IIS log file location, follow the steps below.
1. Start IIS Manager (Version 8.5) either from Start => Run “inetmgr” or from Control Panel => Administrative Tools => Internet Information Services (IIS) Manager.
2. In IIS Manager, from the Connections tree in the left panel, select the site for which the logs directory needs to be configured. In Features View in the middle, double-click the Logging icon.
On the Logging screen, under Log File => Directory, you can find the configured location for IIS log files. Alternatively, you can click the action “View Log Files” to navigate directly to the logs folder in Windows Explorer.
Manage IIS Log File Storage
IIS will generate logs, and if traffic to your application is high it will generate huge log files on a daily basis. I have even seen log files with sizes greater than 1 GB on a daily basis. These huge log files will occupy your disk space and fill it sooner than you realize. So you need to monitor the disk space used and also apply some strategy for cleaning up or moving the log files generated for your application.
There are multiple ways to manage the disk space available for writing logs. Below are some of the strategies you can adopt.
- You can delete older log files. Decide for how many days or months you need to keep log files; if you decide to keep IIS log files for 30 days, you can delete the log files that are older than 30 days. So at any given moment, you will have 30 log files on your storage disk.
- If you are required to keep all log files and cannot delete the older ones, you can move the older log files to another disk or to a remote system, either in the same domain or in a different domain. This way you avoid filling up the main log disk where logs are being written.
- You can also use the Windows folder compression option for the log disk. Normally IIS log files compress to about 2% of their original size. Right-click the log folder and click Properties. In the Properties window, select Advanced, tick the check box to compress contents to save disk space on the Advanced screen, and click Apply/OK.
For deleting old log files and moving log files to different disks you can automate the task by writing a script that can be scheduled to run on a daily basis.
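One way to write such a script, as an added example that is not part of the original article: it moves log files past the retention age to an archive location instead of deleting them. The function name `archive_old_logs`, the 30-day default, and the assumption of one sub-folder per site (such as W3SVC1) under the log directory are choices made for this example.

```python
import shutil
import time
from pathlib import Path

def archive_old_logs(log_root, archive_root, max_age_days=30, now=None):
    """Move *.log files older than max_age_days from log_root to archive_root.

    Assumes one sub-folder per site (e.g. W3SVC1) under log_root and keeps that
    layout in the archive. The newest file in each folder is never moved,
    because IIS may still be writing to it. Returns the destination paths.
    """
    log_root, archive_root = Path(log_root), Path(archive_root)
    cutoff = (now if now is not None else time.time()) - max_age_days * 86400
    moved = []
    for site_dir in sorted(p for p in log_root.iterdir() if p.is_dir()):
        # Oldest first, so the last element is the file currently in use.
        logs = sorted(site_dir.glob("*.log"), key=lambda p: p.stat().st_mtime)
        for log in logs[:-1]:
            if log.stat().st_mtime < cutoff:
                dest = archive_root / site_dir.name / log.name
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(log), str(dest))
                moved.append(dest)
    return moved
```

Call it from a daily scheduled task with the configured log directory and an archive path on another disk or share; both paths are site-specific.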
There is also an IIS Log Cleaner tool available to perform a cleanup action on the older log files. It is a simple tool to enforce a log retention policy for IIS. This tool deletes the log files older than the maximum age that you set and runs in the background once every hour. It is a third-party tool, so it doesn’t come with IIS. When you run this tool for the first time it generates a settings.txt file in the same folder from which the tool was executed. This settings.txt file contains configuration such as the log file folder to be cleaned and the maximum age at which a log file is deleted.
Analyze IIS Logs
IIS logs can provide the following types of insights
- Performance – How fast or slow are our requests?
- User Behaviour – What is a user doing in the application?
- Business Details – Which requests have a high or low volume?
- Operational – Total data sent or received by the server
IIS log data can be used to improve the performance of applications by checking the time taken by critical business requests, to improve navigation by analyzing user activities, and to minimize errors by checking the HTTP status codes and sub-status codes.
You can use one of the various available tools to analyze IIS logs. One of them is WebLog Expert, which provides a complete analysis report from IIS logs.
You can also manually analyze IIS logs using Log Parser, the free tool provided by Microsoft. Log Parser is a command-line tool used to query IIS logs. In fact, as per Microsoft, Log Parser provides universal query access to text-based data such as log files, XML, CSV and Windows Event Logs. Log Parser supports a variety of output formats.
The log parser can be downloaded from this link. Installation is pretty simple. Alternatively, the Log Parser Studio that is built on top of the log parser can also be used for the analysis of IIS Logs. Log Parser Studio is a graphical user interface-based tool that comes with many predefined queries that can be used for analysis.
Here are a couple of sample log parser queries to read IIS Log files data
//Total requests count by IP Address
logparser -i:w3c "select c-ip, count(c-ip) as requestcount from [LogFileName] where cs-uri-stem like '/popuplarpost.aspx%' group by c-ip order by count(c-ip) desc"
Sample value for [LogFileName] - 'C:\IISLogs\Web\*.log'
//Total of each request by date - output getting logged into csv
logparser -i:w3c "select date, cs-uri-stem, count(*) as TotalRequestCount INTO 'C:\IIS\Reports\TotalRequestsPerDay.csv' from 'C:\IIS\Logs\Web\*.log' group by date, cs-uri-stem ORDER BY count(*) desc"
Real-time monitoring of IIS logs to detect security issues or slow-moving requests is also possible and can help big time in keeping applications up & running.
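The W3C format described earlier and the checks mentioned above can be combined in a small parser. This is an added example, not code from the original article: it follows the #Fields directive (which IIS rewrites when the selected fields change), treats a hyphen as an empty value, and flags slow requests and clients with repeated 401 responses. The function names, the thresholds, and the sample log are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the W3C layout shown earlier (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-10-18 00:00:18
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status time-taken
2021-10-18 00:00:18 GET /default.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 140
2021-10-18 00:00:19 POST /login.aspx - 198.51.100.9 - 401 35
2021-10-18 00:00:20 POST /login.aspx - 198.51.100.9 - 401 31
2021-10-18 00:00:21 GET /report.aspx id=7 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 5210
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2021-10-18 00:05:02 198.51.100.9 POST /login.aspx 401 29
"""

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # field set can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) != len(fields):
                continue                               # truncated or malformed entry
            row = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
            if row.get("cs(User-Agent)"):              # IIS logs spaces as '+'
                row["cs(User-Agent)"] = row["cs(User-Agent)"].replace("+", " ")
            yield row

def slow_requests(rows, threshold_ms=1000):
    """Requests whose time-taken (milliseconds) exceeds the assumed threshold."""
    return [(r["cs-uri-stem"], int(r["time-taken"])) for r in rows
            if r.get("time-taken") and int(r["time-taken"]) > threshold_ms]

def failed_auth_by_client(rows, minimum=3):
    """Client IPs with at least `minimum` 401 responses (assumed threshold)."""
    hits = Counter(r["c-ip"] for r in rows if r.get("sc-status") == "401")
    return {ip: n for ip, n in hits.items() if n >= minimum}

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG.splitlines()))
    print(slow_requests(rows))
    print(failed_auth_by_client(rows))
```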
Reference: https://docs.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
You can also check my other Article explaining how to analyze ASP.NET application issues – https://procodeguide.com/programming/analyze-aspnet-application-issues/