Sumo Logic

Collect Logs for the IIS 10 App

This page demonstrates how to enable logging from Microsoft Internet Information Services (IIS) and HTTP Error Logs on your Windows server and ingest those logs into Sumo Logic.

Log Types

This section covers the following default log formats for IIS 10 and IIS 8.5:

  • IIS Access Logs (W3C default format)
  • HTTP Error Logs
  • Performance Logs

The IIS 10 App uses these default log formats. IIS allows you to choose which fields to log in IIS access logs; to understand the various fields and their significance, see this link.

IIS Log files are generated as local files. For a standard Windows Server, the default log location is as follows: %SystemDrive%\inetpub\logs\LogFiles 

For example: 

c:\inetpub\logs\LogFiles\

Within the folder, you will find subfolders for each site configured with IIS. The logs are stored in folders that follow a naming pattern like W3SVC1, W3SVC2, W3SVC3, etc. The number at the end of the folder name corresponds to your site ID. For example, W3SVC2 is for site ID 2.

IIS Access Logs (W3C default format)

Sumo Logic expects logs in W3C format with the following fields for our Field Extraction Rules and the IIS 10 App:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

IIS allows you to choose which fields to log in IIS access logs. For explanations of the various fields and their significance, see this link.

HTTP Error Logs

#Fields: date time c-ip c-port s-ip s-port protocol_version verb cookedurl_query protocol_status siteId Reason_Phrase Queue_Name

For information on how to configure HTTP Error Logs, and for explanations of the various HTTP Error Log fields and their significance, see this link.

Performance Logs

The output of Perfmon queries, configured on an Installed Collector as a Windows Performance Source.

Prerequisite tasks

The following tasks are required to prepare for logging IIS events:

Enable logging on your IIS Server

Perform the following task, if logging on your IIS Server is not already enabled.

To enable logging on your IIS Server, do the following:
  1. Open IIS Manager.

  2. Select the site or server in the Connections pane, and then double-click Logging.

  3. In the Format field under Log File, select W3C and then click Select Fields. The IIS 10 App works with the default field selection.

  4. Select the following fields, if they are not already selected. Sumo Logic expects these fields in IIS logs for the IIS App and Field Extraction Rule by default:

date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

For more information about the IIS log format and log configuration, refer to this link.

Verify that log files are created

Perform the following task to ensure that log files are being created.

To confirm log files are being created, do the following:
  1. Open a command-line window and change directories to C:\inetpub\Logs\LogFiles. This is the same path you will enter when you configure the Source to collect these files.

  2. Under the \W3SVC1 directory, you should see one or more files with a .log extension. If the file is present, you can collect it.

Enable HTTP Error Logs on your Windows Server

Perform the following task to enable HTTP Error Logs on the Windows Server that is hosting the IIS Server.

To enable HTTP Error Logs on the Windows Server hosting the IIS Server, do the following:
  1. To configure HTTP Error Logging, refer to this document link.

  2. To understand HTTP Error Log format, refer to this document link.

HTTP Error Log files are generated as local files. The default HTTP Error log file location is: C:\Windows\System32\LogFiles\HTTPERR

Configure a Collector

To collect logs for the IIS 10 App, you will install a local Collector on the same server that hosts the logs.

Configure Sources

This section demonstrates how to configure sources for the following log types:

  • IIS Access Logs
  • HTTP Error Logs
  • IIS Performance (Perfmon) Logs

Configure Source for IIS Access Logs

This section demonstrates how to configure a Local File Source for IIS Access Logs, for use with an Installed Collector. You may configure a Remote File Source, but the configuration is more complex.

To configure a local file source for IIS Access Logs, do the following:
  1. Configure a Local File Source.

  2. Specify Local File Source Fields as follows:

    1. Name: Required (for example, "IIS")

    2. Description. (Optional)

    3. File Path (Required). C:\inetpub\Logs\LogFiles\W3SVC*\*.log

    4. Collection start time. Choose how far back you would like to begin collecting historical logs. For example, choose 7 days ago to begin collecting logs with a last modified date within the last seven days.

    5. Source Host. Sumo Logic uses the hostname assigned by the operating system by default, but you can enter a different host name.

    6. Source Category (Required). For example, "Webserver/IIS/Access". (The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.)

  3. Configure the Advanced section:

    1. Timestamp Parsing Settings: Make sure the setting matches the timezone on the log files.

    2. Enable Timestamp Parsing: Select Extract timestamp information from log file entries.

    3. Time Zone: Select the option to Use time zone from log file. If none is present use: and set the timezone to UTC.

    4. Timestamp Format: Select the option to Automatically detect the format.

    5. Encoding. UTF-8 is the default, but you can choose another encoding format from the menu if your IIS logs are encoded differently.

    6. Enable Multiline Processing. Disable the option to Detect messages spanning multiple lines. Because IIS logs are single line log files, disabling this option will improve performance of the collection and ensure that your messages are submitted correctly to Sumo Logic.

  4. Click Save.

After a few minutes, your new Source should be propagated down to the Collector and will begin submitting your IIS log files to the Sumo Logic service.

Configure Source for HTTP Error Logs

This section demonstrates how to configure a Local File Source for HTTP Error Logs, for use with an Installed Collector. You may configure a Remote File Source, but the configuration is more complex.

To configure a local file source for HTTP Error Logs, do the following:
  1. Configure a Local File Source.

  2. Specify the Local File Source Fields as follows:

    1. Name: Required (for example, "HTTP Error Logs")

    2. Description. (Optional)

    3. File Path (Required). C:\Windows\System32\LogFiles\HTTPERR\*.*

    4. Collection start time. Choose how far back you would like to begin collecting historical logs. For example, choose 7 days ago to begin collecting logs with a last modified date within the last seven days.

    5. Source Host. Sumo Logic uses the hostname assigned by the operating system by default, but you can enter a different host name.

    6. Source Category (Required). For example, "Webserver/IIS/Error". (The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.)

  3. Configure the Advanced section:

    1. Timestamp Parsing Settings: Make sure the setting matches the timezone on the log files.

    2. Enable Timestamp Parsing: Select Extract timestamp information from log file entries.

    3. Time Zone: Select the option to Use time zone from log file. If none is present use: and set the timezone to UTC.

    4. Timestamp Format: Select the option to Automatically detect the format.

    5. Encoding. UTF-8 is the default, but you can choose another encoding format from the menu if your IIS logs are encoded differently.

    6. Enable Multiline Processing. Disable the option to Detect messages spanning multiple lines. Because HTTP Error logs are single-line log files, disabling this option will improve collection performance and ensure that your messages are submitted correctly to Sumo Logic.

  4. Click Save.

After a few minutes, your new Source should be propagated down to the Collector and will begin submitting your IIS HTTP Error log files to the Sumo Logic service.

Configure Source for IIS Performance (Perfmon) Logs

This section demonstrates how to configure a Windows Performance Source, for use with an Installed Collector.

Use the appropriate source for your environment:

To configure a Source for IIS Performance Logs, do the following:
  1. Configure a Local Windows Performance Monitor Log Source.

  2. Configure the Local Windows Performance Source Fields as follows:
  • Name: Required (for example, "IIS Performance")
  • Source Category (Required). For example, Webserver/IIS/PerfCounter. (The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.)
  • Frequency: Every Minute (you may choose a custom frequency)
  • Description. (Optional)

  3. Under Perfmon Queries, click Add Query.

  4. Add the following two queries:

  • Query 1:
    1. For Name, enter WebServices
    2. For Query, enter select TotalMethodRequestsPerSec, GetRequestsPerSec, PostRequestsPerSec, CurrentConnections, CurrentAnonymousUsers, CurrentNonAnonymousUsers, CGIRequestsPerSec, ISAPIExtensionRequestsPerSec, BytesReceivedPerSec, BytesSentPerSec, FilesReceivedPerSec, FilesSentPerSec, ServiceUptime, BytesTotalPerSec from Win32_PerfFormattedData_W3SVC_WebService
  • Query 2:
    1. For Name, enter HTTPServiceRequestQueues
    2. For Query, enter Select ArrivalRate, CurrentQueueSize, CacheHitRate, RejectionRate, MaxQueueItemAge from Win32_PerfFormattedData_Counters_HTTPServiceRequestQueues

  5. Click Save.

Field Extraction Rules

This section provides examples of the following field extraction rule types:

  • IIS Access Logs
  • HTTP ERROR Logs
  • Performance Logs (perfmon Query for W3SVC_WebService)
  • Performance Logs (perfmon Query for Counters_HTTPServiceRequestQueues)

IIS Access Logs Field Extraction Rule

_sourceCategory=Webserver/IIS/Access
| parse regex "(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) (?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) (?<c_ip>\S+?) (?<cs_User_Agent>\S+?) (?<cs_referer>\S+?) (?<sc_status>\S+?) (?<sc_substatus>\S+?) (?<sc_win32_status>\S+?) (?<time_taken>\S+?)$"

HTTP ERROR Logs Field Extraction Rule

_sourceCategory=Webserver/IIS/Error
| parse regex "(?<c_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<c_port>\S+?) (?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<s_port>\S+?) (?<protocol_version>\S+?) (?<verb>\S+?) (?<cookedurl_query>\S+?) (?<Protocol_Status>\S+?) (?<SiteId>\S+?) (?<Reason_Phrase>\S+?) (?<Queue_Name>\S+?)$"

Performance Logs (perfmon Query for W3SVC_WebService) Field Extraction Rule

_sourceCategory=Webserver/IIS/PerfCounter Win32_PerfFormattedData_W3SVC_WebService
| parse "Name = \"*\";" as Name nodrop
| parse "BytesReceivedPersec = \"*\";" as BytesReceivedPersec nodrop
| parse "BytesSentPersec = \"*\";" as BytesSentPersec nodrop
| parse "BytesTotalPersec = \"*\";" as BytesTotalPersec nodrop
| parse "CGIRequestsPersec = *;" as CGIRequestsPersec nodrop
| parse "CurrentAnonymousUsers = *;" as CurrentAnonymousUsers nodrop
| parse "CurrentConnections = *;" as CurrentConnections nodrop
| parse "CurrentNonAnonymousUsers = *;" as CurrentNonAnonymousUsers nodrop
| parse "FilesReceivedPersec = *;" as FilesReceivedPersec nodrop
| parse "FilesSentPersec = *;" as FilesSentPersec nodrop
| parse "GetRequestsPersec = *;" as GetRequestsPersec nodrop
| parse "ISAPIExtensionRequestsPersec = *;" as ISAPIExtensionRequestsPersec nodrop
| parse "PostRequestsPersec = *;" as PostRequestsPersec nodrop
| parse "ServiceUptime = *;" as ServiceUptime nodrop
| parse "TotalMethodRequestsPersec = *;" as TotalMethodRequestsPersec nodrop

Performance Logs (perfmon Query for Counters_HTTPServiceRequestQueues) Field Extraction Rule

_sourceCategory=Webserver/IIS/PerfCounter Win32_PerfFormattedData_Counters_HTTPServiceRequestQueues
| parse "Name = \"*\";" as Name nodrop
| parse "ArrivalRate = \"*\";" as ArrivalRate nodrop
| parse "CacheHitRate = \"*\";" as CacheHitRate nodrop
| parse "CurrentQueueSize = *;" as CurrentQueueSize nodrop
| parse "MaxQueueItemAge = \"*\";" as MaxQueueItemAge nodrop
| parse "RejectionRate = \"*\";" as RejectionRate nodrop

Sample Log Messages 

This section provides samples of the following log message types:

  • IIS Access Logs
  • HTTP Error Logs
  • IIS Performance Logs

Sample IIS Access Log (W3C default format)

2019-03-14 07:58:10 10.0.0.104 PUT /Internal/RemoteShare/ ReturnUrl=%2fConfigWeb%2fAudit.aspx 443 - 160.44.59.168 Mozilla/5.0+(Windows+NT+6.1;+rv:50.0)+Gecko/20100101+Firefox/50.0 http://www.greylock.com 304 8 12030 58

2019-03-14 08:10:41 10.0.0.103 GET /welcome.png v=4.5.0 80 - 205.168.30.201 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) http://www.bing.com/search?q=sumo%20applications&src=IE-SearchBox&FORM=IE11SR 200 8 12030 6

Sample HTTP Error Log

2019-03-14 20:10:10 10.20.190.10 45082 10.24.170.60 80 HTTP/1.1 GET /GlobalVilla/MySwimmingPool/images/favicons/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 403 - Forbidden -

2019-03-14 23:10:10 10.20.190.10 41095 10.24.170.60 80 HTTP/1.1 POST /GlobalVilla/MySwimmingPool/sumodemo/upload.php 411 - LengthRequired -

2019-03-14 23:09:41 10.20.190.10 58152 10.24.170.60 80 - - - - - Timer_ConnectionIdle -

Sample IIS Performance Logs

This section provides examples of the IIS Performance Log formats produced by two different queries. For more information on other W3SVC WebService Perfmon counters, refer to this documentation link.

A. This Perfmon query:

select TotalMethodRequestsPerSec, GetRequestsPerSec, PostRequestsPerSec, CurrentConnections, CurrentAnonymousUsers, CurrentNonAnonymousUsers, CGIRequestsPerSec, ISAPIExtensionRequestsPerSec, BytesReceivedPerSec, BytesSentPerSec, FilesReceivedPerSec, FilesSentPerSec, ServiceUptime, BytesTotalPerSec from Win32_PerfFormattedData_W3SVC_WebService

Produces the following log format:

instance of Win32_PerfFormattedData_W3SVC_WebService
{
BytesReceivedPersec = "50";
BytesSentPersec = "125";
BytesTotalPersec = "75";
CGIRequestsPersec = 0;
CurrentAnonymousUsers = 10;
CurrentConnections = 9;
CurrentNonAnonymousUsers = 8;
FilesReceivedPersec = 0;
FilesSentPersec = 0;
GetRequestsPersec = 6;
ISAPIExtensionRequestsPersec = 0;
Name = "_Total";
PostRequestsPersec = 2;
ServiceUptime = 2398147;
TotalMethodRequestsPersec = 0;
};

B. This Perfmon query:

Select ArrivalRate, CurrentQueueSize, CacheHitRate, RejectionRate, MaxQueueItemAge from Win32_PerfFormattedData_Counters_HTTPServiceRequestQueues

Produces the following log format:

instance of Win32_PerfFormattedData_Counters_HTTPServiceRequestQueues
{
ArrivalRate = "100";
CacheHitRate = "27";
CurrentQueueSize = 0;
MaxQueueItemAge = "0";
Name = "GlobalVillage";
RejectionRate = "0";
};

Query Samples 

The following query sample is taken from the Top Server Errors by Server panel on the IIS 10 - Server Operations - Error dashboard.

_sourceCategory=Webserver/IIS/Access 5*
| parse regex "(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) (?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) (?<c_ip>\S+?) (?<cs_User_Agent>\S+?) (?<cs_referer>\S+?) (?<sc_status>\S+?) (?<sc_substatus>\S+?) (?<sc_win32_status>\S+?) (?<time_taken>\S+?)$"
| where sc_status matches "5*"
| count by server_ip, cs_uri_stem, sc_status, sc_substatus, sc_win32_status | sort - _count

The following query sample is taken from the Top Reason Phrase panel on the IIS 10 - HTTP Error dashboard.

_sourceCategory=Webserver/IIS/Error
| parse regex "(?<c_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<c_port>\S+?) (?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<s_port>\S+?) (?<protocol_version>\S+?) (?<verb>\S+?) (?<cookedurl_query>\S+?) (?<Protocol_Status>\S+?) (?<SiteId>\S+?) (?<Reason_Phrase>\S+?) (?<Queue_Name>\S+?)$"
| count by Reason_Phrase
| top 10 Reason_Phrase by _count, Reason_Phrase
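The two Field Extraction Rules and the two dashboard queries above all assume the W3C field order from the #Fields header. As an added example (written for this page, not Sumo Logic's own code), the Python below parses both the IIS access log and the HTTPERR log from their #Fields headers, rejects rows whose field count does not match (a lazy regex would silently shift columns instead), and reproduces the Top Server Errors and Top Reason Phrase groupings. The sample text is constructed from the page's sample lines; the 503 line is constructed so the 5xx filter has a match.

```python
from collections import Counter

# Constructed sample input: the #Fields header from this page, the two access-log lines
# from the Sample Log Messages section, and one constructed 503 line (not from the page).
ACCESS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-03-14 07:58:10 10.0.0.104 PUT /Internal/RemoteShare/ ReturnUrl=%2fConfigWeb%2fAudit.aspx 443 - 160.44.59.168 Mozilla/5.0+(Windows+NT+6.1;+rv:50.0)+Gecko/20100101+Firefox/50.0 http://www.greylock.com 304 8 12030 58
2019-03-14 08:10:41 10.0.0.103 GET /welcome.png v=4.5.0 80 - 205.168.30.201 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) http://www.bing.com/search?q=sumo%20applications&src=IE-SearchBox&FORM=IE11SR 200 8 12030 6
2019-03-14 08:12:03 10.0.0.103 POST /api/orders - 443 - 203.0.113.7 curl/7.64.1 - 503 0 0 4102
"""
# Constructed sample input: the HTTPERR #Fields header and two of the page's sample lines.
HTTPERR_LOG = """#Fields: date time c-ip c-port s-ip s-port protocol_version verb cookedurl_query protocol_status siteId Reason_Phrase Queue_Name
2019-03-14 23:10:10 10.20.190.10 41095 10.24.170.60 80 HTTP/1.1 POST /GlobalVilla/MySwimmingPool/sumodemo/upload.php 411 - LengthRequired -
2019-03-14 23:09:41 10.20.190.10 58152 10.24.170.60 80 - - - - - Timer_ConnectionIdle -
"""

def parse_w3c(text):
    """Parse W3C extended log text into one dict per record, driven by the #Fields: header.
    A row whose field count differs from the header raises instead of shifting columns.
    IIS writes '-' for an empty field; that becomes None so absence is explicit."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header is rewritten after each log roll
            continue
        if not line or line.startswith("#"):   # blank lines and #Software/#Date/#Version
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records

def top_server_errors(records):
    """Same grouping as the Top Server Errors by Server panel: 5xx responses counted by
    server IP, URI stem, status, substatus and win32 status, most frequent first."""
    counts = Counter(
        (r["s-ip"], r["cs-uri-stem"], r["sc-status"], r["sc-substatus"], r["sc-win32-status"])
        for r in records if r["sc-status"] and r["sc-status"].startswith("5")
    )
    return counts.most_common()

def top_reason_phrases(records):
    """Same grouping as the Top Reason Phrase panel over HTTPERR records."""
    return Counter(r["Reason_Phrase"] for r in records).most_common()
```

Feed `parse_w3c` the contents of a file under W3SVC* or HTTPERR and pass the result to either counting function; the field-count check is what catches a site whose Select Fields choice differs from the default the App expects.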

The following query sample is taken from the IIS Site Uptime panel on the IIS 10 - Overview dashboard.

_sourceCategory=Webserver/IIS/PerfCounter
Win32_PerfFormattedData_W3SVC_WebService ServiceUptime
| parse "Name = \"*\";" as Name
| parse "ServiceUptime = *;" as ServiceUptime
| withtime ServiceUptime
| most_recent(ServiceUptime_withtime) as ServiceUptime by Name
| ServiceUptime / (60*60*24) as ServiceUptimeDays
| sort by ServiceUptimeDays, Name asc
| fields -ServiceUptime
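The Performance Logs Field Extraction Rules need two parse patterns because the Windows Performance Source quotes some counter values ("50") and leaves others bare (9), and the IIS Site Uptime query above then converts the latest ServiceUptime per Name into days. As an added example (written for this page, not Sumo Logic's own code), the Python below splits that "instance of" output into one dict per instance, normalizes both value styles, and performs the same uptime arithmetic; the sample text is an excerpt of the two instances shown on this page.

```python
# Constructed sample: excerpts of the two instance blocks shown on this page (same values),
# as a Windows Performance Source emits them one after another.
PERF_OUTPUT = """instance of Win32_PerfFormattedData_W3SVC_WebService
{
BytesReceivedPersec = "50";
CurrentConnections = 9;
Name = "_Total";
ServiceUptime = 2398147;
};
instance of Win32_PerfFormattedData_Counters_HTTPServiceRequestQueues
{
ArrivalRate = "100";
CurrentQueueSize = 0;
Name = "GlobalVillage";
};
"""

def parse_perf_instances(text):
    """Split Perfmon Source output into one dict per 'instance of <class>' block.
    Quoted values ("50") and bare values (9) are why the FER needs two parse patterns;
    here both are unquoted and converted to int when numeric."""
    instances, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("instance of "):
            current = {"_class": line.split()[-1]}
            instances.append(current)
        elif current is not None and " = " in line and line.endswith(";"):
            key, value = line[:-1].split(" = ", 1)
            value = value.strip('"')
            current[key] = int(value) if value.lstrip("-").isdigit() else value
    return instances

def service_uptime_days(instances):
    """Same arithmetic as the IIS Site Uptime panel: ServiceUptime (seconds, as the
    query treats it) per site Name divided by 60*60*24. Later instances overwrite
    earlier ones, which stands in for most_recent() over a single file."""
    days = {}
    for inst in instances:
        if inst["_class"] == "Win32_PerfFormattedData_W3SVC_WebService" and "ServiceUptime" in inst:
            days[inst["Name"]] = inst["ServiceUptime"] / (60 * 60 * 24)
    return days
```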