IIS Logs

You can send your IIS logs to Loggly, allowing you to do analytics, dashboards, alerts, and more. For example, you can see the top requests to your site. You can use the free and open source Nxlog tool to retrieve these logs and send them to Loggly. It will extract each individual field in the IIS logs, and then convert it to JSON so Loggly can parse and index each field. You can also use Snare or Syslog-NG for Windows.

This guide was written for 64-bit Windows Vista or later, with the latest version of nxlog in the default installation directory and IIS in the default directory, on a host that can send TCP events out on port 514. It assumes the default log format for IIS, which is the W3C Extended Log Format. It was tested on Amazon EC2 with Windows_Server-2008-R2_SP1-English-64Bit-SQL_2008_R2_SP2_Express-2013.11.13 (ami-1653c826). For alternatives, please see the Advanced Options section.

IIS Logging Setup

  1. Install Nxlog

    Install nxlog using this guide if you haven’t already.

  2. IIS Log Configuration

    Open your nxlog configuration file.

    C:\Program Files (x86)\nxlog\conf\nxlog.conf

    Paste this configuration at the bottom of the file. If you use a custom logging directory, change the path to your custom directory. If you have multiple sites, create one input module for each site and add all of them to the route path, separated by commas.

    # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
    <Extension w3c>
        Module xm_csv
        Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
        FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
        Delimiter ' '
        QuoteChar '"'
        EscapeControl FALSE
        UndefValue -
    </Extension>

    # Convert the IIS logs to JSON and use the original event time
    <Input IIS_Site1>
        Module    im_file
        File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
        SavePos  TRUE

         Exec if $raw_event =~ /^#/ drop();   \
           else                               \
           {                                  \
                w3c->parse_csv();             \
                $SourceName = "IIS";          \
                $Message = to_json();         \
           }
    </Input>

    <Route IIS>
        Path IIS_Site1 => out
    </Route>

    For IIS version 7 and lower:
    Version 7 is missing a field which we need to enable so the parser works correctly. Open the Run prompt, type the following command, and press Enter.

    inetmgr

    This will open IIS Manager. Click Logging and open the Select Fields window. Tick the Referer field in the W3C format and press the OK button.

  3. View a webpage

    View a webpage on your IIS server to generate a new log entry. Nxlog is configured not to send old events.

    http://localhost

  4. Verify

    Search for your IIS logs in Loggly using the app name. You can also try trend analysis to see things like the most requested pages (see image below).

    syslog.appName:"IIS"

    Click on one of the logs to show a list of JSON fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed formats.

  5. Use Your Logs

    Get value from your logs by solving problems and proactively preventing them. These guides are written for the Apache web server, but the examples and use cases are also relevant for IIS.

Advanced IIS Logging Options

IIS Log Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

  • Verify there are IIS logs that match this filename pattern: C:/inetpub/logs/LogFiles/W3SVC1/u_ex*
  • Check our guide on Troubleshooting Nxlog
  • Search the community forum, or post your own questions there, about IIS Manager and logging or about other topics such as your Windows server, file format, or how to configure logging with your setup.
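
The xm_csv parse rule in the configuration step assigns values by column position, so its Fields list has to match the `#Fields:` header of the log file (the reason the Referer field must be enabled on IIS 7). The following Python check is an added example, not Loggly or nxlog code; its function names and sample log lines are constructed for illustration. It reports which configured fields a log header lacks and mirrors the parse rule on one line.

```python
import json

# Field order from the <Extension w3c> block above ("$" prefixes removed).
NXLOG_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
                "c-ip csUser-Agent cs-Referer sc-status sc-substatus sc-win32-status "
                "time-taken").split()
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}

# Constructed samples: a header without cs(Referer) (the IIS 7 case the page
# describes) and a short log whose header carries all 15 columns.
HEADER_NO_REFERER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                     "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                     "sc-win32-status time-taken")
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2013-11-13 10:15:02 192.0.2.10 GET /index.htm - 80 - 203.0.113.7 "
    "Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 15",
]

def _norm(name):
    # IIS writes cs(User-Agent) and cs(Referer); the config spells them
    # csUser-Agent and cs-Referer, so compare without "(", ")", "-" and case.
    return name.lower().translate(str.maketrans("", "", "()-"))

def missing_from_log(lines):
    """Config fields absent from the log's last '#Fields:' header, in config order."""
    header = []
    for line in lines:
        if line.startswith("#Fields:"):
            header = line[len("#Fields:"):].split()
    have = {_norm(f) for f in header}
    return [f for f in NXLOG_FIELDS if _norm(f) not in have]

def parse_event(line):
    """Mirror the Exec block: skip '#' lines, split on spaces, '-' means undefined."""
    if line.startswith("#"):
        return None
    values = line.rstrip("\r\n").split(" ")
    if len(values) != len(NXLOG_FIELDS):  # this example's choice: fail loudly
        raise ValueError(f"expected {len(NXLOG_FIELDS)} columns, got {len(values)}")
    event = {"SourceName": "IIS"}
    for name, value in zip(NXLOG_FIELDS, values):
        event[name] = None if value == "-" else int(value) if name in INT_FIELDS else value
    return event

if __name__ == "__main__":
    print("missing:", missing_from_log([HEADER_NO_REFERER]))
    print(json.dumps(parse_event(SAMPLE_LOG[2])))
```

To check a real file, pass its lines to `missing_from_log`; an empty list means every configured field appears in the header.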