Sumo Logic

Collect Logs for the IIS 7 App

This procedure explains how to enable logging from Microsoft Internet Information Services (IIS) on your Windows server and ingest the logs into Sumo Logic.

Log Types

IIS 7 logs (the app was built against IIS 7.5 logs) are generated as local files and written to this directory by default: C:\inetpub\Logs\LogFiles\W3SVC1

Sumo Logic expects the W3C format with the following fields; the Field Extraction Rule and the IIS 7 App depend on this field selection (see https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx for the format):

  • Date
  • Time
  • ServerIP
  • Method
  • UriStem
  • UriQuery
  • Server Port
  • UserName
  • ClientIP
  • UserAgent
  • Referer
  • Protocol Status
  • Protocol Substatus
  • Win32Status
  • TimeTaken

For more information about the IIS 7 (7.5) W3C log format, see https://www.iis.net/learn/manage/provisioning-and-managing-iis/configure-logging-in-iis.

Prerequisites

To prepare for logging IIS 7 events, perform the following two tasks.

To enable logging on your IIS Server, do the following:

  1. Open the Server Manager console
  2. Select Roles
  3. Select Web Server (IIS)
  4. Select the host from which to collect IIS logs
  5. In the right-hand pane, select Logging
  6. For One log file per, select Site
  7. For Log File Format, choose W3C so that you can select the fields to log
  8. Click Select Fields, and then select the checkboxes for these fields:
  • Date
  • Time
  • ServerIP
  • Method
  • UriStem
  • UriQuery
  • Server Port
  • UserName
  • ClientIP
  • UserAgent
  • Referer
  • Protocol Status
  • Protocol Substatus
  • Win32Status
  • TimeTaken
  9. Click OK to save your configuration

To confirm that the log files are being created, do the following:

  1. Open a command-line window and change directories to C:\inetpub\Logs\LogFiles. This is the base of the path you will enter when you configure the Source to collect these files.
  2. Under the \W3SVC1 directory (IIS names each site's log directory W3SVC followed by the site ID, so the first site logs to W3SVC1), you should see one or more files with a .log extension. If files are present, you can collect them. IIS creates the first log file only after the site has served a request, so if the directory is empty, browse to the site and check again.
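The two tasks above, scripted with PowerShell's WebAdministration module instead of the Server Manager UI. This is an added example and not part of the Sumo Logic page or app; it assumes an elevated PowerShell session on the IIS 7.x host itself, and it uses the names IIS accepts for the log fields (HttpStatus and HttpSubStatus for Protocol Status and Substatus, ServerPort for Server Port).

```powershell
# Added example, not from the Sumo Logic page: the "enable logging" and "confirm"
# steps above, scripted with the WebAdministration module instead of Server Manager.
# Assumes an elevated PowerShell session on the IIS 7.x host itself.

Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'

# The fields the IIS 7 app expects, using the names IIS accepts for
# logExtFileFlags. IIS writes W3C columns in its own fixed order, not this one.
$Flags = 'Date,Time,ServerIP,Method,UriStem,UriQuery,ServerPort,UserName,ClientIP,UserAgent,Referer,HttpStatus,HttpSubStatus,Win32Status,TimeTaken'

# "One log file per: Site" (rather than one central log file for the server).
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.applicationHost/log' -Name 'centralLogFileMode' -Value 'Site'

# W3C format with exactly the selected fields for the site defaults...
$Defaults = 'system.applicationHost/sites/siteDefaults/logFile'
Set-WebConfigurationProperty -PSPath $AppHost -Filter $Defaults -Name 'logFormat' -Value 'W3C'
Set-WebConfigurationProperty -PSPath $AppHost -Filter $Defaults -Name 'logExtFileFlags' -Value $Flags

# ...and for every existing site, since a site can override the defaults.
foreach ($site in Get-Website) {
    $path = "IIS:\Sites\$($site.Name)"
    Set-ItemProperty -Path $path -Name 'logFile.logFormat' -Value 'W3C'
    Set-ItemProperty -Path $path -Name 'logFile.logExtFileFlags' -Value $Flags
}

# Confirm: each site logs under <logFile.directory>\W3SVC<site id>. Show the
# effective settings, the newest .log file, and the last "#Fields:" directive
# in it (a W3C file can contain more than one header block, so take the last).
foreach ($site in Get-Website) {
    $base = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    $dir  = Join-Path $base "W3SVC$($site.id)"
    "{0}: format={1} fields={2}" -f $site.Name, $site.logFile.logFormat, $site.logFile.logExtFileFlags
    "  Source File Path to enter in Sumo Logic: $dir\*.log"
    $newest = Get-ChildItem -Path $dir -Filter '*.log' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest) {
        "  newest log: $($newest.Name) ($($newest.LastWriteTime))"
        Get-Content -Path $newest.FullName | Where-Object { $_ -like '#Fields:*' } | Select-Object -Last 1
    } else {
        "  no .log files yet: send a request to the site and check again"
    }
}
```

Per-site logFile settings override siteDefaults, which is why the loop sets both. The #Fields: line this prints is the column order your log files actually carry; it must agree with the field list under Log Types for the Field Extraction Rule later on this page to assign values to the right names.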

Step 1: Configure a Collector

Configure an Installed Collector (Windows). Sumo Logic recommends that you install the collector on the same system that hosts the logs.

Step 2: Configure a Source

To collect logs from IIS 7, use an Installed Collector and a Local File Source. You may also configure a Remote File Source, but the configuration is more complex. Sumo Logic recommends using a Local File Source if possible.

  1. Configure a Local File Source.
  2. Configure the Local File Source fields as follows:
    1. Name (Required). For example, "IIS".
    2. Description (Optional).
    3. File Path (Required). C:\inetpub\Logs\LogFiles\W3SVC1\*.log (this collects the first site only; to collect every site on the host, use C:\inetpub\Logs\LogFiles\W3SVC*\*.log).
    4. Collection start time. Choose how far back you would like to begin collecting historical logs. For example, choose 7 days ago to begin collecting logs with a last modified date within the last seven days.
    5. Source Host. Sumo Logic uses the hostname assigned by the operating system by default, but you can enter a different host name.
    6. Source Category (Required). For example, "IIS_prod". (The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.)
  3. Configure the Advanced section:
    1. Timestamp Parsing Settings. Make sure the settings match the timezone of the log files. IIS writes W3C log timestamps in UTC, so the settings below are correct for an unmodified W3C configuration.
    2. Enable Timestamp Parsing. Select Extract timestamp information from log file entries.
    3. Time Zone. Select Use time zone from log file. If none is present use: and set the timezone to UTC.
    4. Timestamp Format. Select Automatically detect the format.
    5. Encoding. UTF-8 is the default, but you can choose another encoding from the menu if your IIS logs are encoded differently.
    6. Enable Multiline Processing. Clear the Detect messages spanning multiple lines option. Because IIS logs are single-line log files, disabling this option improves collection performance and ensures that each line is submitted to Sumo Logic as its own message.
  4. Click Save.

After a few minutes, your new Source should be propagated down to the Collector and will begin submitting your IIS log files to the Sumo Logic service.

Field Extraction Rules

  • Name: Microsoft IIS Logs
  • Scope: Use the source category set above, such as "IIS_prod"
  • Parse Expression:
parse regex "^[^#].*?(?<s_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<cs_method>\S+?) (?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\d+?) (?<cs_username>\S+?) (?<c_ip>.+?) (?<cs_User_Agent>\S+?) (?<cs_Referer>\S+?) (?<sc_status>\d+?) (?<sc_substatus>\d+?) (?<sc_win32_status>\d+?) (?<time_taken>\d+?)$"

Sample Log Messages

2016-11-17 22:34:34 10.0.0.167 GET /favicon.ico - 80 - 12.177.21.34 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_7_5)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/27.0.1453.110+Safari/537.36 404 0 2 1405 547 78
2016-11-17 22:34:34 10.0.0.98 GET /Trade/Images/VS-ConfigWeb.png - 80 - 156.74.250.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 304 0 0 209 748 7

Note that each of these sample lines contains 16 space-separated values, one more than the 15 fields listed under Log Types, so they were written with a different field selection than the one above. The Field Extraction Rule assumes exactly the listed fields in IIS's order, so compare the #Fields: header of your own log files against that list before relying on the rule or the app dashboards.
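To see what the Field Extraction Rule actually captures, here is an added PowerShell example (not from the Sumo Logic page or app) that parses a W3C log using its own #Fields: directive, checks the logged field order against the list under Log Types, and runs the rule's regex over a data line. Both logs are constructed for the demo: the first uses the field selection from Log Types, and the second reproduces the layout of the sample messages above on the assumption that they were written without Referer and with sc-bytes and cs-bytes, which is one field selection that yields 16 values.

```powershell
# Added example, not code from the Sumo Logic page: read an IIS W3C log using its
# own "#Fields:" directive, compare the logged field order with the list the IIS 7
# app expects, and run the app's Field Extraction Rule regex over a data line.
# Both log files below are constructed for this demo; the second mirrors the
# layout of the page's sample messages (assumed: no Referer, with sc-bytes and cs-bytes).

$ExpectedFields = @(
    'date', 'time', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 's-port',
    'cs-username', 'c-ip', 'cs(User-Agent)', 'cs(Referer)', 'sc-status',
    'sc-substatus', 'sc-win32-status', 'time-taken'
)

# The Parse Expression from the Field Extraction Rule above, as one line.
$FerRegex = [regex]'^[^#].*?(?<s_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<cs_method>\S+?) (?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\d+?) (?<cs_username>\S+?) (?<c_ip>.+?) (?<cs_User_Agent>\S+?) (?<cs_Referer>\S+?) (?<sc_status>\d+?) (?<sc_substatus>\d+?) (?<sc_win32_status>\d+?) (?<time_taken>\d+?)$'

function Get-W3cFieldOrder {
    # Returns the field names from the first "#Fields:" directive, or $null.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { return ($Matches[1].Trim() -split '\s+') }
    }
    return $null
}

function Test-IisFieldOrder {
    # True only when the log header lists exactly the expected fields, in order.
    param([string[]]$Lines)
    $actual = Get-W3cFieldOrder $Lines
    if ($null -eq $actual) { return $false }
    return (($actual -join ' ') -eq ($ExpectedFields -join ' '))
}

function ConvertFrom-IisW3cLog {
    # Emits one object per data line, keyed by the names in the #Fields header.
    param([string[]]$Lines)
    $fields = Get-W3cFieldOrder $Lines
    if ($null -eq $fields) { throw 'No #Fields: directive found' }
    foreach ($line in $Lines) {
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) {
            Write-Warning "Skipping line: header has $($fields.Count) fields, line has $($values.Count)"
            continue
        }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Invoke-FerRegex {
    # Applies the Field Extraction Rule regex and returns its named captures.
    param([string]$Line)
    $m = $FerRegex.Match($Line)
    if (-not $m.Success) { return $null }
    $out = [ordered]@{}
    foreach ($name in $FerRegex.GetGroupNames()) {
        if ($name -notmatch '^\d+$') { $out[$name] = $m.Groups[$name].Value }
    }
    [pscustomobject]$out
}

# Constructed log 1: the field selection from the Log Types section (15 values).
$GoodLog = @(
    '#Software: Microsoft Internet Information Services 7.5'
    '#Version: 1.0'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken'
    '2016-11-17 22:34:34 10.0.0.167 GET /favicon.ico - 80 - 12.177.21.34 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_7_5)+AppleWebKit/537.36 - 404 0 2 78'
)
# Constructed log 2: same layout as the page's sample messages (16 values).
$SampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken'
    '2016-11-17 22:34:34 10.0.0.167 GET /favicon.ico - 80 - 12.177.21.34 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_7_5)+AppleWebKit/537.36 404 0 2 1405 547 78'
)

foreach ($log in @($GoodLog, $SampleLog)) {
    "Field order matches the app's list: $(Test-IisFieldOrder $log)"
    ConvertFrom-IisW3cLog $log | Format-List
    Invoke-FerRegex ($log | Where-Object { -not $_.StartsWith('#') } | Select-Object -First 1) | Format-List
}
```

On the first log the rule captures every field under its intended name. On the second it still matches, because c_ip is written as .+? and can absorb spaces: c_ip ends up holding the client IP plus the entire user agent string, cs_User_Agent becomes 404, cs_Referer becomes 0, and sc_status becomes 2. Nothing fails loudly; the dashboards simply fill with wrong values, which is why comparing the #Fields: header against the expected list is worth doing before trusting the app.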

Query Samples

The following query samples are taken from the IIS 7 App. 

Requests by App Over Time

The following query is taken from the Requests by App Over Time panel on the IIS 7 Traffic Insights - App Requests Dashboard.

_sourceCategory=IIS* 
| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<server_ip>\S+) (?<method>\S+) (?<cs_uri_stem>/\S+?) " 
| parse regex field=cs_uri_stem "/(?<app>[^\./]+)/" nodrop
| if (isNull(app) || app="","Others",app) as app
| timeslice 1m 
| count by app,_timeslice  
| transpose row _timeslice column app

Operating Systems (OSes) and Browsers

The following query is taken from the OSes and Browsers panel of the IIS 7 Traffic Insights - Content and Client Platform Dashboard.

_sourceCategory=IIS* 
| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<server_ip>\S+) (?<method>\S+) (?<cs_uri_stem>/\S+?) \S+ \d+ (?<user>\S+) (?<client_ip>[\.\d]+) (?<agent>\S+) " 
| if ((agent matches "*Windows NT*") or (agent matches "*Windows+NT*") or (agent matches "*Windows *") or (agent matches "*Win32*") or (agent matches "*Win64*"), "Windows", "Other") as OS |
if (agent matches "*Macintosh*","MacOS",OS) as OS |
if ((agent matches "*Windows Phone*") or (agent matches "*Windows+Phone*"),"Windows Phone",OS) as OS |
if (agent matches "*Linux*","Linux",OS) as OS |
if (agent matches "*iPad*","iPad",OS) as OS |
if (agent matches "*iPhone*","iPhone",OS) as OS |
if (agent matches "*Android*","Android",OS) as OS |
if (agent matches "*Darwin*","Darwin",OS) as OS |
if (agent matches "*CrOS*","Google Chrome",OS) as OS |
if (agent matches "*MSIE*","Internet Explorer","Other") as Browser |
if (agent matches "Internet Explorer","Internet Explorer", Browser) as Browser |
if (agent matches "*Trident*","Internet Explorer", Browser) as Browser |
if (agent matches "*Firefox*","Firefox",Browser) as Browser |
if (agent matches "*Safari*","Safari", Browser) as Browser | 
if (agent matches "*Chrome*","Chrome", Browser) as Browser |
if (agent matches "Opera*","Opera", Browser) as Browser | 
if (agent matches "Dolphin*","Dolphin", Browser) as Browser
| count(agent) by OS,Browser 
| transpose row os column browser as *