
72. Microsoft IIS

Microsoft Internet Information Services (IIS) supports several logging formats. This chapter describes how to configure IIS logging and how to collect the resulting logs with NXLog. The recommended W3C format is documented first, followed by the other supported IIS formats.

This chapter also includes sections about collecting logs from the SMTP Server and about Automatic Retrieval of IIS Site Log Locations.

72.1. Configuring Logging

IIS logging can be configured at the site level or server level as follows. For more detailed information, see Configure Logging in IIS on Microsoft Docs.

  1. Open IIS Manager, which can be accessed from the Tools menu in the Server Manager or from Administrative Tools.

  2. In the Connections pane on the left, select the server or site for which to configure logging. Select a server to configure logging server-wide, or a site to configure logging for that specific site.

  3. Double-click the Logging icon in the center pane.

    Logging icon selected
  4. Modify the logging configuration as required. The W3C format is recommended.

    Logging configuration options

The resulting logs can be collected by NXLog as shown in the following sections.

72.2. W3C Extended Log File Format

IIS can write logs in the W3C format, and the logged fields can be configured via the Select Fields… button (see the Configuring Logging section). W3C is the recommended format for use with NXLog.

Log Sample
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-10-02 17:11:27
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-02 17:11:27 fe80::b5d8:132c:cec9:daef%6 RPC_IN_DATA /rpc/rpcproxy.dll 1d4026cb-6730-43bf-91eb-df80f41c050f@test.com:6001&CorrelationID=<empty>;&RequestId=11d6a78a-7c34-4f43-9400-ad23b114aa62&cafeReqId=11d6a78a-7c34-4f43-9400-ad23b114aa62; 80 TEST\HealthMailbox418406e fe80::b5d8:132c:cec9:daef%6 MSRPC - 500 0 0 7990
2017-10-02 17:12:57 fe80::a425:345a:7143:3b15%2 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.1715 80 - fe80::a425:345a:7143:3b15%2 Microsoft+WinRM+Client - 500 0 0 11279

Note that field names with special characters must be referenced with curly braces (for example, ${s-ip} and ${cs(User-Agent)}).

Example 316. Collecting W3C Format Logs With xm_w3c

This configuration reads the log files with im_file and parses the records with xm_w3c.

nxlog.conf
<Extension w3c_parser>
    Module      xm_w3c
</Extension>

<Input iis_w3c>
    Module      im_file
    File        'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log'
    InputType   w3c_parser
</Input>

For NXLog Community Edition, the xm_csv module can be used instead for parsing the records.

Example 317. Collecting W3C Format Logs With xm_csv

This configuration parses the logs with the xm_csv module. The header lines are discarded and the $date and $time fields are parsed in order to set an $EventTime field.

Warning
The field list must be set according to the configured IIS fields. The fields shown here correspond with the default field selection in IIS versions 8.5 and 10.

nxlog.conf
<Extension w3c_parser>
    Module          xm_csv
    Fields          date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
                    s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
                    sc-status, sc-substatus, sc-win32-status, time-taken
    FieldTypes      string, string, string, string, string, string, integer, \
                    string, string, string, string, integer, integer, integer, \
                    integer
    Delimiter       ' '
    EscapeChar      '"'
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis_w3c>
    Module          im_file
    File            'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log'
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c_parser->parse_csv();
            $EventTime = parsedate($date + "T" + $time + ".000Z");
        }
    </Exec>
</Input>
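To make explicit what xm_w3c, and the xm_csv configuration above, do with a W3C log, here is a small stand-alone parser written for this chapter (added example in Python, not NXLog code or part of the page's configuration): it takes the field names from the #Fields directive, treats - as undefined, types the integer fields, builds a UTC EventTime from date and time, skips records whose token count disagrees with the field list (the mismatch the warning above refers to), and ignores the NUL padding that the IIS SMTP Server leaves in its logs (see the SMTP Server section). The sample log is constructed after the page's samples.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the page's W3C log: header block, two good records,
# one truncated record, then NUL padding as left behind by the IIS SMTP Server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-10-02 17:11:27
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-02 17:12:57 fe80::a425:345a:7143:3b15%2 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.1715 80 - fe80::a425:345a:7143:3b15%2 Microsoft+WinRM+Client - 500 0 0 11279
2017-10-02 17:13:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.9 Mozilla/5.0 - 200 0 0 15
2017-10-02 17:13:02 10.0.0.5 GET /ecp/ - 443
""" + "\0" * 16

# Fields given the "integer" type in the xm_csv example above.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_w3c(text):
    """Return (records, skipped): dicts keyed by W3C field name, plus a count of
    records whose token count did not match the current #Fields list."""
    fields, records, skipped = None, [], 0
    for line in text.split("\n"):
        line = line.rstrip("\0\r")          # drop CR and any NUL padding
        if not line:
            continue
        if line.startswith("#"):
            # IIS writes a new header block each time it reopens the log, so the
            # most recent #Fields directive is the one that applies.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        tokens = line.split(" ")
        if fields is None or len(tokens) != len(fields):
            skipped += 1                    # field list and record disagree: never guess
            continue
        rec = {}
        for name, value in zip(fields, tokens):
            if value == "-":
                rec[name] = None            # the W3C placeholder, like UndefValue -
            elif name in INTEGER_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        # W3C date/time columns are UTC, which is why the xm_csv example appends "Z".
        if rec.get("date") and rec.get("time"):
            rec["EventTime"] = datetime.strptime(
                rec["date"] + "T" + rec["time"], "%Y-%m-%dT%H:%M:%S"
            ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records, skipped
```

Calling parse_w3c(SAMPLE_LOG) yields two records and one skipped line; a site whose field selection differs from the #Fields list it was configured with shows up as a growing skipped count rather than as silently mislabelled fields.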

72.3. Configuring IIS HTTP API Error logs

IIS can be configured to write HTTP Server API error logs. Three registry values control HTTP API error logging; they are located under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

For detailed information about this registry key’s specific values, please see Error logging in HTTP APIs on Microsoft Support.

Log Sample
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2018-10-01 22:10:02
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2018-10-01 22:10:02 ::1%0 49211 ::1%0 47001 - - - - - Timer_ConnectionIdle -
2018-10-01 22:10:02 ::1%0 49212 ::1%0 47001 - - - - - Timer_ConnectionIdle -
2018-10-01 23:45:09 172.31.77.6 2094 172.31.77.6 80 HTTP/1.1 GET /qos/1kbfile.txt 503 - ConnLimit

Example 318. Collecting IIS HTTP API Logs With xm_w3c

This configuration parses the logs with the xm_w3c module, which reads the #Fields header to name the fields and sets the $EventTime field from the date and time fields.

nxlog.conf
<Extension w3c_parser>
    Module      xm_w3c
</Extension>

<Input iis_http>
    Module      im_file
    File        'C:\Windows\System32\LogFiles\HTTPERR\httperr1.log'
    InputType   w3c_parser
</Input>

Note
The xm_w3c module is not included in NXLog Community Edition, so the xm_csv module should be used.

72.4. IIS Log File Format

The IIS format is line-based, with comma-separated fields and no header. See IIS Log File Format (IIS 6.0) on TechNet for more information.

Log Sample
::1, HealthMailbox418406e8ac5b4b61a6b731ac4c660553@test.com, 9/28/2017, 14:49:00, W3SVC1, WINEXC, ::1, 7452, 592, 2538, 302, 0, POST, /OWA/auth.owa, &CorrelationID=<empty>;&cafeReqId=728beb5e-98de-4680-acb2-45968bef533c;&encoding=;,
127.0.0.1, -, 9/28/2017, 14:49:01, W3SVC1, WINEXC, 127.0.0.1, 6798, 2502, 682, 302, 0, GET, /ecp/, &CorrelationID=<empty>;&cafeReqId=0ed28871-4083-492f-99c2-2fbdb06a9466;&LogoffReason=NoCookiesGetOrE14AuthPost,

Example 319. Collecting Logs From the IIS Format

This configuration reads from file with im_file and parses the fields with xm_csv. The $Date and $Time fields are parsed in order to set an $EventTime field.

nxlog.conf
<Extension iis_parser>
    Module      xm_csv
    Fields      ClientIPAddress, UserName, Date, Time, ServiceAndInstance, \
                ServerName, ServerIPAddress, TimeTaken, ClientBytesSent, \
                ServerBytesSent, ServerStatusCode, WindowsStatusCode, RequestType, \
                TargetOfOperation, Parameters
    FieldTypes  string, string, string, string, string, string, string, integer, \
                integer, integer, integer, integer, string, string, string
    UndefValue  -
</Extension>

<Input iis>
    Module      im_file
    File        'C:\inetpub\logs\LogFiles\W3SVC*\u_in*.log'
    <Exec>
        iis_parser->parse_csv();
        $EventTime = strptime($Date + " " + $Time, "%m/%d/%Y %H:%M:%S");
    </Exec>
</Input>

72.5. NCSA Common Log File Format

The NCSA format is a line-based plain text format that separates fields with spaces and uses hyphens (-) as placeholders for empty fields. See the Common & Combined Log Formats section for more information about the format itself, and NCSA Common Log File Format (IIS 6.0) on Microsoft TechNet for how IIS uses it.

Log Sample
fe80::a425:345a:7143:3b15%2 - - [02/Oct/2017:13:16:18 -0700] "POST /mapi/emsmdb/?useMailboxOfAuthenticatedUser=true HTTP/1.1" 401 7226
fe80::a425:345a:7143:3b15%2 - TEST\HealthMailboxc0bafd1 [02/Oct/2017:13:16:20 -0700] "POST /mapi/emsmdb/?useMailboxOfAuthenticatedUser=true HTTP/1.1" 200 1482

Example 320. Collecting NCSA Format Logs

This configuration reads from file with the im_file module and uses a regular expression to parse each record.

nxlog.conf
<Input iis_ncsa>
    Module  im_file
    File    'C:\inetpub\logs\LogFiles\W3SVC*\u_nc*.log'
    <Exec>
        if $raw_event =~ /(?x)^(\S+)\ -\ (\S+)\ \[([^\]]+)\]\ \"(\S+)\ (.+)
                          \ HTTP\/\d\.\d\"\ (\S+)\ (\S+)/
        {
            $RemoteHostAddress = $1;
            if $2 != '-' $UserName = $2;
            $EventTime = parsedate($3);
            $HTTPMethod = $4;
            $HTTPURL = $5;
            $HTTPResponseStatus = $6;
            $BytesSent = $7;
        }
    </Exec>
</Input>

72.6. SMTP Server

IIS 6.0 in Windows Server 2008 R2 includes an SMTP server. This SMTP server has been deprecated beginning with Windows Server 2012, but it is still available in Windows Server 2016.

Warning
During operation, the IIS SMTP Server pads the W3C log to 64 KiB with NUL characters. When the SMTP Server stops, it truncates the file to remove the padding, causing im_file to re-read the log file and generate duplicate events.

IIS SMTP Server logging can be configured as follows.

  1. Open Internet Information Services (IIS) 6.0 Manager from Administrative Tools.

  2. Right click on the corresponding SMTP Virtual Server and click Properties.

    Opening SMTP Server Properties
  3. Check Enable logging and choose the logging format from the Active log format drop-down menu. The W3C format is recommended.

    Enabling SMTP Server logging
  4. Click the Properties… button to configure the log location and other options.

    Editing SMTP Logging Properties
  5. If using the W3C format, adjust the logged fields under the Advanced tab. Include the Date and Time fields and whatever extended properties are required.

    Modifying W3C fields

Example 321. Collecting W3C Logs From the IIS SMTP Server

The following configuration retrieves W3C logs and parses them using the xm_w3c module.

nxlog.conf
<Extension w3c_parser>
    Module      xm_w3c
</Extension>

<Input smtp>
    Module      im_file
    File        'C:\Windows\System32\LogFiles\SmtpSvc1\ex*.log'
    InputType   w3c_parser
</Input>

See the preceding sections for more information about processing the other log formats or using xm_csv for processing W3C logs with NXLog Community Edition.

72.7. Automatic Retrieval of IIS Site Log Locations

The IIS per-site log file locations can be automatically fetched with a batch/PowerShell polyglot script via the include_stdout directive. For more details, see the PowerShell Generating Configuration section.

Example 322. Retrieving Log Locations via Script

The following polyglot script should be installed in the NXLog installation (or ROOT) directory. It uses the WebAdministration PowerShell module to return the configured log path for each site. If IIS is configured to use one log file per server, the path should instead be configured manually.

Warning
If there are multiple log formats in the log directory due to configuration changes, the wildcard path should be adjusted to match only those files that are in the corresponding format. For example, for W3C logging use u_ex*.log in the last line of the script.
get_iis_log_paths.cmd
@( Set "_= (
Rem " ) <#
)
@Echo Off
SetLocal EnableExtensions DisableDelayedExpansion
if defined PROCESSOR_ARCHITEW6432 (
    set powershell=%SystemRoot%\SysNative\WindowsPowerShell\v1.0\powershell.exe
) else (
    set powershell=powershell.exe
)
%powershell% -ExecutionPolicy Bypass -NoProfile ^
    -Command "iex ((gc '%~f0') -join [char]10)"
EndLocal & Exit /B %ErrorLevel%
#>
Import-Module -Name WebAdministration
foreach ($Site in $(Get-Website)) {
    # Expand %SystemDrive% as used in the default IIS log directory setting
    $LogDir = $Site.logFile.directory.Replace("%SystemDrive%", $env:SystemDrive)

    # WARNING: adjust path to match format (for example, for W3C use `u_ex*.log`).
    Write-Output "File '$LogDir\W3SVC$($Site.id)\*.log'"
}

nxlog.conf
<Extension w3c_parser>
    Module          xm_w3c
</Extension>

<Input iis>
    Module          im_file
    include_stdout  %ROOT%\get_iis_log_paths.cmd
    InputType       w3c_parser
</Input>