IIS Logs

You can send your IIS logs to Loggly, allowing you to do analytics, dashboards, alerts, and more. For example, you can see the top requests to your site. You can use the free and open source Nxlog tool to retrieve these logs and send them to Loggly. It will extract each individual field in the IIS logs, and then convert it to JSON so Loggly can parse and index each field. You can also use Snare or Syslog-NG for Windows.

This guide was written for Windows Vista or later in 64-bit, the latest version of nxlog in the default installation directory, IIS in the default directory, and can send TCP events out on port 514. It assumes the default log format for IIS, which is the W3C Extended Log Format. It was tested on Amazon EC2 with Windows_Server-2008-R2_SP1-English-64Bit-SQL_2008_R2_SP2_Express-2013.11.13 (ami-1653c826). For alternatives, please see the Advanced Options section.

IIS Logging Setup

1. Install Nxlog

Install nxlog using this guide if you haven’t already.

2. IIS Log Configuration

Open your nxlog configuration file.

C:\\Program Files (x86)\\nxlog\\conf\\nxlog.conf

Paste this configuration at the bottom of the file. If you use a custom logging directory, change the path to your custom directory. If you have multiple sites, create one input module for each site and add all of them to the route path separated by commas.

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, string, string, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
# Convert the IIS logs to JSON and use the original event time
<Input IIS_Site1>
    Module    im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos  TRUE
     Exec if $raw_event =~ /^#/ drop();   
            $SourceName = "IIS";          
            $Message = to_json();         
<Route IIS>
    Path IIS_Site1 => out

For Version 7 and Lower:
Version 7 is missing a field which we need to enable so the parser works correctly. Open Run prompt and type the following command and press enter.


This will open IIS Manager. Click on the Logging and open Select Fields window. Tick the Referer field in the W3C format and press OK button.

IIS Log Set using IIS Manager

3. View a webpage

View a webpage on your IIS server to generate a new log entry. It’s configured to not send old events.


4. Verify

Search for your IIS logs in Loggly using the app name or tag.

Click on one of the logs to show a list of JSON fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed log formats.
Search for your IIS logs

5. Use Your Logs

Get value from your IIS logs by solving problems and proactively preventing them. These guides are written for Apache web server, but the examples and use cases are also relevant for IIS.

Advanced IIS Logging Options

IIS Log Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

    • Verify there are IIS logs that match this filename pattern: C:/inetpub/logs/LogFiles/W3SVC1/u_ex*
    • Check our guide on Troubleshooting Nxlog
    • Search or post your own IIS manager and logging questions, or other topics, such as your Windows server, file format, or how to configure logging with your setup in the community forum.
Thanks for the feedback! We'll use it to improve our support documentation.