...
The Microsoft IIS Server logs analysis App automatically collects, reads, parses, analyzes and reports on all of the web server's machine-generated log data, and presents a comprehensive set of graphs and reports for analyzing it. A predefined set of dashboards and gadget widgets visualizes the state of the system software, the application code and the infrastructure during development, testing and production. The App helps you measure, troubleshoot and optimize your servers' integrity, stability and quality with visualization and investigation dashboards.
...
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
...
{date:Date,yyyy-MM-dd HH:mm:ss} {ip:Server IP,ftype=localip} {choice:Method,ftype=reqmethod;,GET;POST;HEAD} {text:Request URL,ftype=requrl} {text:queryString,ftype=querystring} {textnumber:Server Port,ftype=serverport} {text:Remote User,ftype=remoteuser} {geoip:Client IP,ftype=remoteip} {text:User Agent,ftype=useragent} {text:RefererQuery,ftype=refererquery}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+|/[^?]+)} {number:ResponseStatus,ftype=respstatus} {textnumber:Protocol Substatus,ftype=ressubstatus} {text:Win32 Status,ftype=win32status} {number:Time Taken,ftype=processrequestmilli}{eoe}
Extended access log fields:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
...
{date:Date,yyyy-MM-dd HH:mm:ss} {text:Site Name,ftype=sitename} {text:Server Name,ftype=servername} {ip:Server IP,ftype=localip} {choice:Method,ftype=reqmethod;,GET;POST;HEAD} {text:Request URL,ftype=requrl} {text:queryString,ftype=querystring} {textnumber:Server Port,ftype=serverport} {text:Remote User,ftype=remoteuser} {geoip:Client IP,ftype=remoteip} {text:Protocol Version,ftype=protocolversion} {text:User Agent,ftype=useragent} {text:Cookie,ftype=cookie} {text:RefererQuery,ftype=refererquery}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+|/[^?]+)} {text:Host,ftype=hostname} {number:ResponseStatus,ftype=respstatus} {textnumber:Protocol Substatus,ftype=ressubstatus} {text:Win32 Status,ftype=win32status} {number:Bytes Sent,ftype=bytesent} {number:Bytes Received,ftype=bytesreceived} {number:Time Taken,ftype=processrequestmilli}{eoe}
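A parser for the two #Fields: layouts listed above, added here as an example; it is not XpoLog's or Microsoft's code. It reads the #Fields: directive instead of hard-coding a column order, treats the lone hyphen IIS writes for an empty field as a null value, splits cs(Referer) into the same Referer/RefererQuery pair the pattern's regexp produces, and ends with a count of 401/403 responses per client address, the first pivot an analyst usually makes on a fresh access log. The log lines, hostnames and addresses are constructed for the example.

```python
"""Parser for IIS W3C extended log files (added example, not XpoLog's code)."""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Fields IIS writes as integers. A lone "-" in any field is IIS's null value.
_INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
               "sc-bytes", "cs-bytes", "time-taken"}


def _coerce(name: str, value: str):
    """Convert one raw token: '-' becomes None, numeric fields become int."""
    if value == "-":
        return None
    return int(value) if name in _INT_FIELDS else value


def split_referer(referer: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Split a referer the way the regexp ^([\\w-]+://[^?]+|/[^?]+) does:
    (part before the first '?', query string or None)."""
    if referer is None:
        return None, None
    base, sep, query = referer.partition("?")
    return base, (query if sep else None)


def parse_iis_log(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one dict per request line, keyed by the W3C field names.

    Directive lines (#Software, #Version, #Date, #Fields) are consumed; each
    #Fields directive redefines the column layout for the lines after it,
    which is what IIS does when the logged fields are changed mid-file.
    IIS separates columns with one space and writes spaces inside a value
    as '+', so a plain split on ' ' is safe.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("request line before any #Fields directive")
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            # A column-count mismatch would silently shift every later value
            # into the wrong field, so reject the line instead.
            raise ValueError(f"expected {len(fields)} columns, got {len(tokens)}: {line!r}")
        rec: Dict[str, object] = {n: _coerce(n, t) for n, t in zip(fields, tokens)}
        # IIS logs in UTC; merge date and time into one timezone-aware datetime.
        rec["timestamp"] = datetime.strptime(
            f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if "cs(Referer)" in rec:
            rec["referer"], rec["referer_query"] = split_referer(rec["cs(Referer)"])
        yield rec


def failed_auth_by_client(records: Iterable[Dict[str, object]],
                          statuses=(401, 403)) -> Counter:
    """Count 401/403 responses per client IP: a quick way to surface
    credential guessing against a login endpoint in the access log."""
    counts: Counter = Counter()
    for rec in records:
        if rec.get("sc-status") in statuses:
            counts[rec["c-ip"]] += 1
    return counts


# Constructed sample log (hypothetical hosts and addresses): the default
# field list, then a second #Fields directive switching to the extended list.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 12:00:01 10.0.0.5 GET /Default.htm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) http://example.com/?from=nav 200 0 0 15
2024-05-01 12:00:02 10.0.0.5 POST /api/login - 443 - 198.51.100.7 curl/8.0 - 401 0 0 3
2024-05-01 12:00:03 10.0.0.5 POST /api/login - 443 - 198.51.100.7 curl/8.0 - 401 0 0 2
2024-05-01 12:00:04 10.0.0.5 GET /secure/report.aspx id=42 443 CONTOSO\\alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-05-01 12:00:05 W3SVC1 WEB01 10.0.0.5 POST /api/login - 443 - 198.51.100.7 HTTP/1.1 curl/8.0 - - www.example.com 401 0 0 1532 245 4
"""


def parse_sample() -> List[Dict[str, object]]:
    """Parse the constructed sample above."""
    return list(parse_iis_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    recs = parse_sample()
    for r in recs:
        print(r["timestamp"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    print(failed_auth_by_client(recs))
```

Values are left exactly as IIS wrote them (so '+' stands for a space and other characters stay percent-encoded); decode them only after the record is keyed by field name, otherwise a crafted request path containing an encoded space can shift columns.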
...
Format String | Appears as | Description | XpoLog Pattern | XpoLog ftype
---|---|---|---|---
Date + Time | date time | The date and time, in coordinated universal time (UTC), at which the activity occurred. | {date:Date,yyyy-MM-dd HH:mm:ss} |
Client IP Address | c-ip | The IP address of the client that made the request. | {geoip:Client IP,ftype=remoteip} | remoteip
User Name | cs-username | The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen. | {text:Remote User,ftype=remoteuser} | remoteuser
Service Name and Instance Number | s-sitename | The Internet service name and instance number (for example W3SVC1) of the site that served the request. | {text:Site Name,ftype=sitename} | sitename
Server Name | s-computername | The name of the server on which the log file entry was generated. | {text:Server Name,ftype=servername} | servername
Server IP Address | s-ip | The IP address of the server on which the log file entry was generated. | {ip:Server IP,ftype=localip} | localip
Server Port | s-port | The server port number that is configured for the service. | {textnumber:Server Port,ftype=serverport} | serverport
Method | cs-method | The requested action, for example a GET method. | {choice:Method,ftype=reqmethod;,GET;POST;HEAD} | reqmethod
URI Stem | cs-uri-stem | The target of the action, for example Default.htm. | {text:Request URL,ftype=requrl} | requrl
URI Query | cs-uri-query | The query string, if any, that the client sent. A Uniform Resource Identifier (URI) query is normally only present for dynamic pages. | {text:queryString,ftype=querystring} | querystring
HTTP Status | sc-status | The HTTP status code. | {number:ResponseStatus,ftype=respstatus} | respstatus
Win32 Status | sc-win32-status | The Windows status code. | {text:Win32 Status,ftype=win32status} | win32status
Bytes Sent | sc-bytes | The number of bytes that the server sent. | {number:Bytes Sent,ftype=bytesent} | bytesent
Bytes Received | cs-bytes | The number of bytes that the server received. | {number:Bytes Received,ftype=bytesreceived} | bytesreceived
Time Taken | time-taken | The length of time that the request took, in milliseconds. | {number:Time Taken,ftype=processrequestmilli} | processrequestmilli
Protocol Version | cs-version | The protocol version (HTTP or FTP) that the client used. | {text:Protocol Version,ftype=protocolversion} | protocolversion
Host | cs-host | The Host header value, if any. | {text:Host,ftype=hostname} | hostname
User Agent | cs(User-Agent) | The browser type that the client used. | {text:User Agent,ftype=useragent} | useragent
Cookie | cs(Cookie) | The content of the cookie sent or received, if any. | {text:Cookie,ftype=cookie} | cookie
Referrer | cs(Referer) | The site that the user last visited; this site provided the link to the current site. | {text:RefererQuery,ftype=refererquery}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+\|/[^?]+)} | referer
Protocol Substatus | sc-substatus | The substatus error code. | {textnumber:Protocol Substatus,ftype=ressubstatus} | ressubstatus
...
IIS Error Log Pattern:
{priority:Type,ftype=severity,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}*;*{text:Source,ftype=source}*;*{text:Category,ftype=category}*;*{number:Event,ftype=event}*;*{text:User,ftype=username}*;*{text:Computer,ftype=computer}*;*{string:Description}
...
logtype should be set to: iis, error
Format String | Description | XpoLog Pattern | ftype
---|---|---|---
Priority | The severity of the event: Error, Warning, Information, Success, Audit Failure or Audit Success. | {priority:Type,ftype=severity,Error;Warning;Information;Success;Audit Failure;Audit Success} | severity
Date | The date and time of the event. | {timestamp:Date,MM/dd/yyyy HH:mm:ss} |
Source | The component from which the event originated. | {text:Source,ftype=source} | source
Category | The category to which the record belongs. | {text:Category,ftype=category} | category
Event | The ID of the event. | {number:Event,ftype=event} | event
User | The user account under which the event occurred. | {text:User,ftype=username} | username
Computer | The machine on which the event occurred. | {text:Computer,ftype=computer} | computer
Description | Free-text description of the event. | {string:Description} |
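A parser for the semicolon-separated records that the IIS Error Log Pattern above matches, added here as an example and not XpoLog's code. The point it makes that the pattern table cannot is that only the first seven semicolons are separators: the trailing Description is free text and may itself contain semicolons, so the split must be capped. The records, source names, event IDs and hostnames are constructed placeholders.

```python
"""Parser for the ';'-separated event records of the IIS Error Log Pattern
(added example, not XpoLog's code)."""
from datetime import datetime
from typing import Dict, Iterable, List

# The same severities the {priority:...} token enumerates, in the same order.
SEVERITIES = ("Error", "Warning", "Information", "Success",
              "Audit Failure", "Audit Success")
FIELD_NAMES = ("Type", "Date", "Source", "Category", "Event", "User",
               "Computer", "Description")


def parse_event_line(line: str) -> Dict[str, object]:
    """Split one record into the eight fields of the pattern.

    The split is capped at 7 so that semicolons inside Description survive,
    and whitespace around each separator is stripped, which is what the
    '*;*' wildcards in the XpoLog pattern tolerate.
    """
    parts = [p.strip() for p in line.strip().split(";", 7)]
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected 8 fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELD_NAMES, parts))
    if rec["Type"] not in SEVERITIES:
        raise ValueError(f"unknown severity {rec['Type']!r}")
    # MM/dd/yyyy HH:mm:ss in the pattern is %m/%d/%Y %H:%M:%S in strptime.
    rec["Date"] = datetime.strptime(str(rec["Date"]), "%m/%d/%Y %H:%M:%S")
    rec["Event"] = int(str(rec["Event"]))
    return rec


def audit_failures(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the records whose severity is 'Audit Failure'."""
    return [r for r in map(parse_event_line, lines) if r["Type"] == "Audit Failure"]


# Constructed sample records (placeholder source names, IDs and hostnames).
SAMPLE_EVENTS = [
    "Error;05/01/2024 12:03:15;ExampleSource;None;1000;N/A;WEB01;"
    "Worker process failed to start; see details",
    "Audit Failure; 05/01/2024 12:03:20 ;ExampleAuth;Logon;2001;CONTOSO\\alice;WEB01;"
    "An account failed to log on",
    "Information;05/01/2024 12:04:00;ExampleSource;None;1001;N/A;WEB01;Worker process started",
]


if __name__ == "__main__":
    for rec in map(parse_event_line, SAMPLE_EVENTS):
        print(rec["Date"], rec["Type"], rec["Event"], rec["Description"])
    print(len(audit_failures(SAMPLE_EVENTS)), "audit failure(s)")
```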