IIS Logs

You can send your IIS logs to Loggly, allowing you to do analytics, dashboards, alerts, and more. For example, you can see the top requests to your site. You can use the free and open source Nxlog tool to retrieve these logs and send them to Loggly. It will extract each individual field in the IIS logs, and then convert it to JSON so Loggly can parse and index each field. You can also use Snare or Syslog-NG for Windows.

This guide was written for Windows Vista or later in 64-bit, the latest version of nxlog in the default installation directory, IIS in the default directory, and can send TCP events out on port 514. It assumes the default log format for IIS, which is the W3C Extended Log Format. It was tested on Amazon EC2 with Windows_Server-2008-R2_SP1-English-64Bit-SQL_2008_R2_SP2_Express-2013.11.13 (ami-1653c826). For alternatives, please see the Advanced Options section.

IIS Logging Setup

1. Install Nxlog

Download the latest version of nxlog. It’s probably easiest to choose the Windows msi file which includes an installer.

2. IIS Log Configuration

Open your nxlog configuration file.

C:\\Program Files (x86)\\nxlog\\conf\\nxlog.conf

Replace the entire configuration file by pasting the following, and replacing the variables below. If you use a custom logging directory, change the path to your custom directory. If you have multiple sites, create one input module for each site and add all of them to the route path separated by commas.

## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\\Program Files\\nxlog
#define ROOT_STRING C:\\Program Files\\nxlog
define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
 
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>
 
<Extension json>
 Module xm_json
</Extension>
 
<Extension syslog>
 Module xm_syslog
</Extension>
 
<Input internal>
 Module im_internal
 Exec  $Message = to_json(); 
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
 Module im_msvistalog
 
#Uncomment im_mseventlog for Windows XP/2000/2003
#Module im_mseventlog
 
 Exec  $Message = to_json();
</Input>
 
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
  Module xm_csv
  Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
  FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
  Delimiter ' '
  QuoteChar '"'
  EscapeControl FALSE
  UndefValue -
</Extension>
 
# Convert the IIS logs to JSON and use the original event time
<Input IIS>
    Module    im_file
    File      "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos   TRUE
    
 
    Exec if $raw_event =~ /^#/ drop();    \
       else                               \
       {                                  \
            w3c->parse_csv();             \
            $SourceName = "IIS";          \
            $Message = to_json();         \
       }
</Input>
 
<Output out1>
    Module om_tcp
    Host logs-01.loggly.com
    Port 514
 
    Exec to_syslog_ietf(); $raw_event = replace($raw_event, 'NXLOG@14506', 'CUSTOMER_TOKEN@41058 tag="IIS-Logs"] [', 1);

#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log",  $raw_event);
</Output>

<Route IIS>
    Path IIS => out1
</Route>

Replace the above variables:

  • CUSTOMER_TOKEN: Replace with your own customer token
  • ROOT and ROOT_STRING: If you are in 32-bit Windows, uncomment the top root path on lines 8 and 9 to use the 32-bit program files folder then comment the two below.

Note: If you want to include the default windows eventlog and internal logs with your IIS server logs then you can include these modules to the root path at the end separated by commas.

For Version 7 and Lower:
Version 7 is missing a field which we need to enable so the parser works correctly. Open Run prompt and type the following command and press enter.

inetmgr

This will open IIS Manager. Click on Logging and open Select Fields window. Check the Referer field checkbox in the W3C format and click OK.

IIS Log Set using IIS Manager

3. View a webpage

View a webpage on your IIS server to generate a new log entry. It’s configured to not send old events.

http://localhost

4. Verify

Search for your IIS logs in Loggly using the app name or tag.

Click on one of the logs to show a list of JSON fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed log formats.

Search for your IIS logs

5. Use Your Logs

Get value from your IIS logs by solving problems and proactively preventing them. These guides are written for Apache web server, but the examples and use cases are also relevant for IIS.

Advanced IIS Logging Options

IIS Log Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

    • Verify there are IIS logs that match this filename pattern: C:/inetpub/logs/LogFiles/W3SVC1/u_ex*
    • Check our guide on Troubleshooting Nxlog
    • Search or post your own IIS manager and logging questions, or other topics, such as your Windows server, file format, or how to configure logging with your setup in the community forum.
Thanks for the feedback! We'll use it to improve our support documentation.