
Collect Logs for IIS

This procedure explains how to enable logging from Microsoft Internet Information Services (IIS) on your Windows server and ingest the logs into Sumo Logic.

Log Types

IIS Logs are generated as local files and written to this directory by default: C:\inetpub\Logs\LogFiles\W3SVC1

Sumo Logic expects W3C format with these fields for our Field Extraction Rules and IIS Application: (https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx)

  • Date
  • Time
  • ServerIP
  • Method
  • UriStem
  • UriQuery
  • Server Port
  • UserName
  • ClientIP
  • UserAgent
  • Referer
  • Protocol Status
  • Protocol Substatus
  • Win32Status
  • TimeTaken

For more information about the IIS log format, see https://www.iis.net/learn/manage/provisioning-and-managing-iis/configure-logging-in-iis.

Prerequisites/Requirements

To prepare for logging IIS events, perform the following:

Enable logging on your IIS Server

  1. Open the Server Manager Console
  2. Select Roles
  3. Select Web Server (IIS)
  4. Select the host from which to collect IIS logs
  5. In the right-hand pane, select Logging
  6. For the option One log file per, select Site
  7. For the Log File Format, choose W3C so that you can select the fields to log
  8. Click Select Fields, and then select the checkboxes for these fields (Sumo Logic expects these fields in IIS logs for the IIS Application and Field Extraction Rule by default):
    • Date
    • Time
    • ServerIP
    • Method
    • UriStem
    • UriQuery
    • Server Port
    • UserName
    • ClientIP
    • UserAgent
    • Referer
    • Protocol Status
    • Protocol Substatus
    • Win32Status
    • TimeTaken
  9. Click OK to save your configuration

Confirm that the log files are being created

  1. Open a command-line window and change directories to C:\inetpub\Logs\LogFiles. This is the same path you will enter when you configure the Source to collect these files.
  2. Under the \W3SVC1 directory, you should see one or more files with a .log extension. If the file is present, you can collect it.

Configure a Collector

Configure an Installed Collector (Windows). Sumo Logic recommends that you install the collector on the same system that hosts the logs.

Configure a Source

To collect logs from IIS, use an Installed Collector and a Local File Source. You may also configure a Remote File Source, but the configuration is more complex. Sumo Logic recommends using a Local File Source if possible.

  1. Configure a Local File Source.
  2. Configure the Local File Source Fields as follows:
    1. Name (Required). For example, "IIS"
    2. Description (Optional).
    3. File Path (Required). C:\inetpub\Logs\LogFiles\W3SVC1\*.log
    4. Collection start time. Choose how far back you would like to begin collecting historical logs. For example, choose 7 days ago to begin collecting logs with a last modified date within the last seven days.
    5. Source Host. Sumo Logic uses the hostname assigned by the operating system by default, but you can enter a different host name.
    6. Source Category (Required). For example, "IIS_prod". (The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.)
  3. Configure the Advanced section:
    1. Timestamp Parsing Settings: Make sure the setting matches the timezone on the log files.
    2. Enable Timestamp Parsing: Select Extract timestamp information from log file entries.
    3. Time Zone: Select the option to Use time zone from log file. If none is present use: and set the timezone to UTC.
    4. Timestamp Format: Select the option to Automatically detect the format.
    5. Encoding. UTF-8 is the default, but you can choose another encoding format from the menu if your IIS logs are encoded differently.
    6. Enable Multiline Processing. Disable the option to Detect messages spanning multiple lines. Because IIS logs are single line log files, disabling this option will improve performance of the collection and ensure that your messages are submitted correctly to Sumo Logic.
  4. Click Save.

After a few minutes, your new Source should be propagated down to the Collector and will begin submitting your IIS log files to the Sumo Logic service.

Field Extraction Rules

  • Name: Microsoft IIS Logs
  • Scope: Use the source category set above, such as "IIS_prod"
  • Parse Expression:
parse regex "^[^#].*?(?<s_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<cs_method>\S+?)
(?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\d+?) (?<cs_username>\S+?)
(?<c_ip>.+?) (?<cs_User_Agent>\S+?) (?<cs_Referer>\S+?) (?<sc_status>\d+?)
(?<sc_substatus>\d+?) (?<sc_win32_status>\d+?) (?<time_taken>\d+?)$"

Sample Log Messages

2016-11-17 22:34:34 10.0.0.167 GET /favicon.ico - 80 - 12.177.21.34 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_7_5)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/27.0.1453.110+Safari/537.36 404 0 2 1405 547 78
2016-11-17 22:34:34 10.0.0.98 GET /Trade/Images/VS-ConfigWeb.png - 80 - 156.74.250.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 304 0 0 209 748 7

Query Samples (From IIS App)

IIS - All HTTP Response Codes with their Count
_sourceCategory=IIS*
| parse regex "(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) 
(?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) 
(?<c_ip>\S+?) (?<cs_User_Agent>\S+?) (?<sc_status>\S+?) (?<sc_substatus>\S+?) 
(?<sc_win32_status>\S+?) (?<time_taken>\S+?)$" nodrop
| parse regex "(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) 
(?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) 
(?<c_ip>\S+?) (?<cs_User_Agent>\S+?) (?<cs_referer>\S+?) (?<sc_status>\S+?) 
(?<sc_substatus>\S+?) (?<sc_win32_status>\S+?) (?<sc_bytes>\S+?) (?<cs_bytes>\S+?) 
(?<time_taken>\S+?)$" nodrop
| parse regex "(?<s_sitename>\S+?) (?<cs_computername>\S+?) 
(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) 
(?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) 
(?<c_ip>\S+?) (?<cs_version>\S+?) (?<cs_User_Agent>\S+?) (?<cs_cookie>\S+?) 
(?<cs_referer>\S+?) (?<cs_host>\S+?) (?<sc_status>\S+?) (?<sc_substatus>\S+?) 
(?<sc_win32_status>\S+?) (?<sc_bytes>\S+?) (?<cs_bytes>\S+?) (?<time_taken>\S+?)$" nodrop
| count by sc_status
| sort by _count

IIS - Top URLs by Count
_sourceCategory=IIS*
| parse regex "(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) 
(?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) 
(?<c_ip>\S+?) (?<cs_User_Agent>\S+?) (?<sc_status>\S+?) (?<sc_substatus>\S+?) 
(?<sc_win32_status>\S+?) (?<time_taken>\S+?)$" nodrop
| parse regex "(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) 
(?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) 
(?<c_ip>\S+?) (?<cs_User_Agent>\S+?) (?<cs_referer>\S+?) (?<sc_status>\S+?) 
(?<sc_substatus>\S+?) (?<sc_win32_status>\S+?) (?<sc_bytes>\S+?) (?<cs_bytes>\S+?) 
(?<time_taken>\S+?)$" nodrop
| parse regex "(?<s_sitename>\S+?) (?<cs_computername>\S+?) 
(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<method>\S+?) (?<cs_uri_stem>\S+?) 
(?<cs_uri_query>\S+?) (?<s_port>\S+?) (?<cs_username>\S+?) (?<c_ip>\S+?) 
(?<cs_version>\S+?) (?<cs_User_Agent>\S+?) (?<cs_cookie>\S+?) (?<cs_referer>\S+?) 
(?<cs_host>\S+?) (?<sc_status>\S+?) (?<sc_substatus>\S+?) (?<sc_win32_status>\S+?) 
(?<sc_bytes>\S+?) (?<cs_bytes>\S+?) (?<time_taken>\S+?)$" nodrop
| count_frequent cs_uri_stem
| limit 100
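As an added illustration (not Sumo Logic's code or part of this page), the Python parser below reads an IIS W3C log using its #Fields directive rather than a fixed column order, so a site that logs extra columns such as sc-bytes and cs-bytes (as the sample messages above do) is still mapped to the right names. The #Software/#Version/#Date/#Fields header is a constructed assumption; the two entries are the sample messages from this page, and the two summary helpers mirror the "count by sc_status" and "count_frequent cs_uri_stem" queries above.

```python
from collections import Counter

# Constructed sample: an IIS W3C log file as written under
# C:\inetpub\Logs\LogFiles\W3SVC1. The header is assumed; the two entries
# are the sample log messages from the page.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-11-17 22:34:34
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-11-17 22:34:34 10.0.0.167 GET /favicon.ico - 80 - 12.177.21.34 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_7_5)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/27.0.1453.110+Safari/537.36 404 0 2 1405 547 78
2016-11-17 22:34:34 10.0.0.98 GET /Trade/Images/VS-ConfigWeb.png - 80 - 156.74.250.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 304 0 0 209 748 7
"""

INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "sc-bytes", "cs-bytes", "time-taken"}

def parse_w3c(text):
    """Return (entries, skipped): one dict per entry keyed by the names in
    the most recent #Fields line, plus the count of lines whose column
    count did not match the declared fields."""
    fields, entries, skipped = None, [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # #Fields can be re-emitted after a logging change; keep the latest.
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            skipped += 1
            continue
        entry = {}
        for name, raw in zip(fields, values):
            if raw == "-":                          # IIS writes "-" for empty
                entry[name] = None
            elif name in INT_FIELDS:
                entry[name] = int(raw)
            elif name == "cs(User-Agent)":
                entry[name] = raw.replace("+", " ")  # IIS encodes spaces as '+'
            else:
                entry[name] = raw
        # W3C date/time are UTC, which is why the Source's fallback time zone
        # in the procedure above is UTC.
        if "date" in entry and "time" in entry:
            entry["timestamp_utc"] = f"{entry['date']}T{entry['time']}Z"
        entries.append(entry)
    return entries, skipped

def status_counts(entries):
    """Equivalent of '| count by sc_status'."""
    return Counter(e["sc-status"] for e in entries)

def top_uri_stems(entries, limit=100):
    """Equivalent of '| count_frequent cs_uri_stem | limit N'."""
    return Counter(e["cs-uri-stem"] for e in entries).most_common(limit)
```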

Sumo Logic App

Now that you have set up collection for IIS, install the Sumo Logic App for IIS to use the preconfigured searches and dashboards that monitor log events generated by IIS.