IIS Logs

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

You can send your IIS logs to Loggly, allowing you to do analytics, dashboards, alerts, and more. For example, you can see the top requests to your site. You can use the free and open source Nxlog tool to retrieve these logs and send them to Loggly. It will extract each individual field in the IIS logs, and then convert it to JSON so Loggly can parse and index each field. You can also use Snare or Syslog-NG for Windows.

This guide was written for Windows Vista or later in 64-bit, the latest version of nxlog in the default installation directory, IIS in the default directory, and can send TCP events out on port 514. It assumes the default log format for IIS, which is the W3C Extended Log Format. It was tested on Amazon EC2 with Windows_Server-2008-R2_SP1-English-64Bit-SQL_2008_R2_SP2_Express-2013.11.13 (ami-1653c826). For alternatives, please see the Advanced Options section.

IIS Logging Setup

1. Install Nxlog

Download the latest version of nxlog. It’s probably easiest to choose the Windows msi file which includes an installer.

2. IIS Log Configuration

Open your nxlog configuration file.

C:\\Program Files (x86)\\nxlog\\conf\\nxlog.conf

Replace the entire configuration file by pasting the following, and replacing the variables below. If you use a custom logging directory, change the path to your custom directory. If you have multiple sites, create one input module for each site and add all of them to the route path separated by commas.

## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at https://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
			
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\\Program Files\\nxlog
#define ROOT_STRING C:\\Program Files\\nxlog
define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
			
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
			
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>
			
<Extension json>
  Module xm_json
</Extension>
			
<Extension syslog>
  Module xm_syslog
</Extension>
			
<Input internal>
  Module im_internal
  Exec $Message = to_json(); 
</Input>
			
# Windows Event Log
  <Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
  Module im_msvistalog
			
#Uncomment im_mseventlog for Windows XP/2000/2003
#Module im_mseventlog
  Exec $Message = to_json();
</Input>
			
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
  Module xm_csv
  Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
  FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
  Delimiter ' '
  QuoteChar '"'
  EscapeControl FALSE
  UndefValue -
</Extension>

# Convert the IIS logs to JSON and use the original event time
<Input IIS>
  Module  im_file
  File   "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
  SavePos  TRUE
			
  Exec if $raw_event =~ /^#/ drop();  \
    else                              \
    {                                 \
      w3c->parse_csv();               \
      $SourceName = "IIS";            \
      $Message = to_json();           \
    }
</Input>

<Output out1>
  Module om_tcp
  Host logs-01.loggly.com
  Port 514
			
  Exec to_syslog_ietf(); $raw_event = replace($raw_event, 'NXLOG@14506', 'CUSTOMER_TOKEN@41058 tag="IIS-Logs"] [', 1);

#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route IIS>
  Path IIS => out1
</Route>

Replace the above variables:

CUSTOMER_TOKEN: Replace with your own customer token
ROOT and ROOT_STRING: If you are in 32-bit Windows, uncomment the top root path on lines 8 and 9 to use the 32-bit program files folder then comment the two below.

Note: If you want to include the default windows eventlog and internal logs with your IIS server logs then you can include these modules to the root path at the end separated by commas.

For Version 7 and Lower:
Version 7 is missing a field which we need to enable so the parser works correctly. Open Run prompt and type the following command and press enter.

inetmgr

This will open IIS Manager. Click on Logging and open Select Fields window. Check the Referer field checkbox in the W3C format and click OK.

IIS Log Set using IIS Manager

3. View a webpage

View a webpage on your IIS server to generate a new log entry. It’s configured to not send old events.

https://localhost

4. Verify

Search for your IIS logs in Loggly using the app name or tag.

Click on one of the logs to show a list of JSON fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed log formats.

Search for your IIS logs

5. Use Your Logs

Get value from your IIS logs by solving problems and proactively preventing them. These guides are written for Apache web server, but the examples and use cases are also relevant for IIS.

Troubleshoot Web Server Problems – Find the root cause of web server errors or unusual traffic patterns
Web Server Alerts and Dashboards – Monitor for web server errors and slow response times

Advanced IIS Logging Options

Syslog-NG for Windows – with commercial support from Balabit
Search or post your own IIS logging or log file questions in the community forum or read more about what IIS is here.

IIS Log Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

Verify there are IIS logs that match this filename pattern: C:/inetpub/logs/LogFiles/W3SVC1/u_ex*
Check our guide on Troubleshooting Nxlog
Search or post your own IIS manager and logging questions, or other topics, such as your Windows server, file format, or how to configure logging with your setup in the community forum.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.

Search SolarWinds Support