Microsoft IIS (Ver 6)

Background

The Microsoft IIS Server logs analysis App automatically collects, reads, parses, analyzes and reports on all machine-generated web log data of the server, and presents a comprehensive set of graphs and reports for analyzing that data. Use the predefined set of dashboards and widgets to visualize and address the system software, the code written, and the infrastructure during development, testing, and production. This Microsoft IIS logs analysis App helps you measure, troubleshoot, and optimize your servers' integrity, stability and quality with visualization and investigation dashboards.

Steps

  1. Add Log Data in XpoLog. When adding a log to XpoLog you can now select the Log Type (logtype). For Microsoft IIS the logtype is:
    1. iis
      1. In addition to selecting iis, you will also need to select the log type: access or error.

  2. Once all required information is set, click Next and edit the log pattern. This step is crucial to the accuracy and deployment of the Analytic App. Use the following conversion table to build the XpoLog pattern out of the access log format.

Example

In the header of the IIS access log, or in the IIS configuration file, locate the format specification string that configures the logged fields. For example:

Default access log fields:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referrer) sc-status sc-substatus sc-win32-status time-taken

The following sequence is the log structure definition: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referrer) sc-status sc-substatus sc-win32-status time-taken

In XpoLog, this format is translated into the following pattern:

{date:Date,yyyy-MM-dd HH:mm:ss} {ip:Server IP,ftype=localip} {choice:Method,ftype=reqmethod;,GET;POST;HEAD} {text:Request URL,ftype=requrl} {text:queryString,ftype=querystring} {number:Server Port,ftype=serverport} {text:Remote User,ftype=remoteuser} {geoip:Client IP,ftype=remoteip} {text:User Agent,ftype=useragent} {text:RefererQuery,ftype=refererquery}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+|/[^?]+)} {number:ResponseStatus,ftype=respstatus} {number:Protocol Substatus,ftype=ressubstatus} {text:Win32 Status,ftype=win32status} {number:Time Taken,ftype=processrequestmilli}{eoe}

Extended access log fields:

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referrer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

The following sequence is the log structure definition: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referrer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

In XpoLog, this format is translated into the following pattern:

{date:Date,yyyy-MM-dd HH:mm:ss} {text:Site Name,ftype=sitename} {text:Server Name,ftype=servername} {ip:Server IP,ftype=localip} {choice:Method,ftype=reqmethod;,GET;POST;HEAD} {text:Request URL,ftype=requrl} {text:queryString,ftype=querystring} {number:Server Port,ftype=serverport} {text:Remote User,ftype=remoteuser} {geoip:Client IP,ftype=remoteip} {text:Protocol Version,ftype=protocolversion} {text:User Agent,ftype=useragent} {text:Cookie,ftype=cookie} {text:RefererQuery,ftype=refererquery}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+|/[^?]+)} {text:Host,ftype=hostname} {number:ResponseStatus,ftype=respstatus} {number:Protocol Substatus,ftype=ressubstatus} {text:Win32 Status,ftype=win32status} {number:Bytes Sent,ftype=bytesent} {number:Bytes Received,ftype=bytesreceived} {number:Time Taken,ftype=processrequestmilli}{eoe}

For more information, see the format conversion table below.

The logtype should be set to: iis, access

| Format String | Appears as | Description | XpoLog Pattern | XpoLog ftype |
|---|---|---|---|---|
| Date + Time | date time | The date on which the activity occurred, and the time, in coordinated universal time (UTC), at which the activity occurred. | {date:Date,yyyy-MM-dd HH:mm:ss} | |
| Client IP Address | c-ip | The IP address of the client that made the request. | {geoip:Client IP,ftype=remoteip} | remoteip |
| User Name | cs-username | The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen. | {text:Remote User,ftype=remoteuser} | remoteuser |
| Service Name and Instance Number | s-sitename | The Internet service name and instance number that was running on the client. | {text:Site Name,ftype=sitename} | sitename |
| Server Name | s-computername | The name of the server on which the log file entry was generated. | {text:Server Name,ftype=servername} | servername |
| Server IP Address | s-ip | The IP address of the server on which the log file entry was generated. | {ip:Server IP,ftype=localip} | localip |
| Server Port | s-port | The server port number that is configured for the service. | {number:Server Port,ftype=serverport} | serverport |
| Method | cs-method | The requested action, for example, a GET method. | {choice:Method,ftype=reqmethod;,GET;POST;HEAD} | reqmethod |
| URI Stem | cs-uri-stem | The target of the action, for example, Default.htm. | {text:Request URL,ftype=requrl} | requrl |
| URI Query | cs-uri-query | The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. | {text:queryString,ftype=querystring} | querystring |
| HTTP Status | sc-status | The HTTP status code. | {number:ResponseStatus,ftype=respstatus} | respstatus |
| Win32 Status | sc-win32-status | The Windows status code. | {text:Win32 Status,ftype=win32status} | win32status |
| Bytes Sent | sc-bytes | The number of bytes that the server sent. | {number:Bytes Sent,ftype=bytesent} | bytesent |
| Bytes Received | cs-bytes | The number of bytes that the server received. | {number:Bytes Received,ftype=bytesreceived} | bytesreceived |
| Time Taken | time-taken | The length of time that the action took, in milliseconds. | {number:Time Taken,ftype=processrequestmilli} | processrequestmilli |
| Protocol Version | cs-version | The protocol version, HTTP or FTP, that the client used. | {text:Protocol Version,ftype=protocolversion} | protocolversion |
| Host | cs-host | The host header name, if any. | {text:Host,ftype=hostname} | hostname |
| User Agent | cs(User-Agent) | The browser type that the client used. | {text:User Agent,ftype=useragent} | useragent |
| Cookie | cs(Cookie) | The content of the cookie sent or received, if any. | {text:Cookie,ftype=cookie} | cookie |
| Referrer | cs(Referrer) | The site that the user last visited. This site provided a link to the current site. | {text:RefererQuery,ftype=refererquery}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+\|/[^?]+)} | referer |
| Protocol Substatus | sc-substatus | The substatus error code. | {number:Protocol Substatus,ftype=ressubstatus} | ressubstatus |
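As an added example (not part of this page and not XpoLog's own code), the following Python script does by hand what steps 1 and 2 describe: it reads the #Fields: header of a W3C extended log, translates it through the conversion table above into the XpoLog pattern, and parses the data lines by that same header so the two can be checked against each other. The TOKENS dictionary is a hand-copied version of the table (the field is spelled cs(Referrer) as on this page), the Referer split uses the same regular expression as the page's Referer token, and the log lines are constructed samples, not output from a real server. The parser re-reads every #Fields: line it meets, so a header that changes part-way through a file does not shift the columns of the records after it.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Conversion table from this page, W3C field name -> XpoLog pattern token (hand-copied,
# not an XpoLog API). "date time" is one entry: both W3C fields feed a single date token.
TOKENS: Dict[str, str] = {
    "date time":       "{date:Date,yyyy-MM-dd HH:mm:ss}",
    "s-sitename":      "{text:Site Name,ftype=sitename}",
    "s-computername":  "{text:Server Name,ftype=servername}",
    "s-ip":            "{ip:Server IP,ftype=localip}",
    "cs-method":       "{choice:Method,ftype=reqmethod;,GET;POST;HEAD}",
    "cs-uri-stem":     "{text:Request URL,ftype=requrl}",
    "cs-uri-query":    "{text:queryString,ftype=querystring}",
    "s-port":          "{number:Server Port,ftype=serverport}",
    "cs-username":     "{text:Remote User,ftype=remoteuser}",
    "c-ip":            "{geoip:Client IP,ftype=remoteip}",
    "cs-version":      "{text:Protocol Version,ftype=protocolversion}",
    "cs(User-Agent)":  "{text:User Agent,ftype=useragent}",
    "cs(Cookie)":      "{text:Cookie,ftype=cookie}",
    "cs(Referrer)":    "{text:RefererQuery,ftype=refererquery}"
                       r"{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+|/[^?]+)}",
    "cs-host":         "{text:Host,ftype=hostname}",
    "sc-status":       "{number:ResponseStatus,ftype=respstatus}",
    "sc-substatus":    "{number:Protocol Substatus,ftype=ressubstatus}",
    "sc-win32-status": "{text:Win32 Status,ftype=win32status}",
    "sc-bytes":        "{number:Bytes Sent,ftype=bytesent}",
    "cs-bytes":        "{number:Bytes Received,ftype=bytesreceived}",
    "time-taken":      "{number:Time Taken,ftype=processrequestmilli}",
}
# The expression the Referer token uses: scheme://host/path or a local /path, cut at '?'.
REFERER_RE = re.compile(r"^([\w-]+://[^?]+|/[^?]+)")


def build_xpolog_pattern(fields_header: str) -> str:
    """Translate a '#Fields:' header into the XpoLog pattern, in header order.
    An unknown field raises instead of silently shifting every later column."""
    names = fields_header.split(":", 1)[1].split()
    tokens: List[str] = []
    i = 0
    while i < len(names):
        if names[i] == "date" and i + 1 < len(names) and names[i + 1] == "time":
            tokens.append(TOKENS["date time"])
            i += 2
            continue
        if names[i] not in TOKENS:
            raise ValueError(f"no XpoLog conversion for field {names[i]!r}")
        tokens.append(TOKENS[names[i]])
        i += 1
    return " ".join(tokens) + "{eoe}"


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, driven by the log's own '#Fields:' directive(s).
    IIS writes '-' for empty values and '+' for spaces, so one value per field is safe."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # re-read: the header can change mid-file
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no record
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line!r}")
        rec = dict(zip(fields, values))
        if "cs(Referrer)" in rec:  # mirror the Referer token: keep raw value plus query-less copy
            m = REFERER_RE.match(rec["cs(Referrer)"])
            rec["referer"] = m.group(1) if m else ""
        records.append(rec)
    return records


def status_counts(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Responses per HTTP status code, a quick sanity check on a parsed file."""
    return dict(Counter(r["sc-status"] for r in records))


# Constructed sample in the page's default field order (not taken from any real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referrer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 00:00:01 10.0.0.5 GET /Default.htm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+5.2) http://example.test/index.htm?ref=1 200 0 0 15
2024-05-01 00:00:03 10.0.0.5 POST /login.aspx - 80 - 192.0.2.11 Mozilla/5.0+(Windows+NT+5.2) - 401 2 5 31
2024-05-01 00:00:04 10.0.0.5 GET /admin/ - 80 alice 192.0.2.10 Mozilla/5.0+(Windows+NT+5.2) /Default.htm 404 0 2 3
"""

if __name__ == "__main__":
    header = next(l for l in SAMPLE_LOG.splitlines() if l.startswith("#Fields:"))
    print(build_xpolog_pattern(header))
    print(status_counts(parse_w3c_log(SAMPLE_LOG)))
```

Running the script on the sample header reproduces the default-fields pattern shown earlier on this page token for token, which is the check worth doing before the pattern is saved in XpoLog: a field added to or removed from the IIS logging configuration changes the header, and a pattern built for the old header would then assign every later column to the wrong field.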



IIS Error Log Pattern:

{priority:Type,ftype=severity,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}*;*{text:Source,ftype=source}*;*{text:Category,ftype=category}*;*{number:Event,ftype=event}*;*{text:User,ftype=username}*;*{text:Computer,ftype=computer}*;*{string:Description}

For more information, see the format conversion table below.

The logtype should be set to: iis, error


| Format String | Description | XpoLog Pattern | ftype |
|---|---|---|---|
| Priority | The status of the event. | {priority:Type,ftype=severity,Error;Warning;Information;Success;Audit Failure;Audit Success} | severity |
| Date | The date of the event. | {timestamp:Date,MM/dd/yyyy HH:mm:ss} | |
| Source | The source from which the event originated. | {text:Source,ftype=source} | source |
| Category | The category to which the record belongs. | {text:Category,ftype=category} | category |
| Event | The ID of the event. | {number:Event,ftype=event} | event |
| User | The user who performed the event. | {text:User,ftype=username} | username |
| Computer | The machine on which the event was performed. | {text:Computer,ftype=computer} | computer |
| Description | Description of the event. | {string:Description} | |
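As an added example, not from this page and not XpoLog's own code, here is a small Python parser for the semicolon-separated error records that the pattern above describes. It assumes, as the trailing {string:Description} token suggests, that Description is the last field and may itself contain semicolons, so the split is capped at seven separators; it also rejects a Type value outside the list the priority token allows, which is the same constraint XpoLog would apply. The two records are constructed samples.

```python
from datetime import datetime
from typing import Dict, List

# Field order and allowed Type values, copied from the page's error log pattern.
FIELDS = ("Type", "Date", "Source", "Category", "Event", "User", "Computer", "Description")
SEVERITIES = ("Error", "Warning", "Information", "Success", "Audit Failure", "Audit Success")


def parse_error_record(line: str) -> Dict[str, object]:
    """Split one record on ';' into the eight fields of the error pattern.
    Description is last and may contain ';' itself (assumption), so split at most 7 times."""
    parts = [p.strip() for p in line.split(";", 7)]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    if rec["Type"] not in SEVERITIES:
        raise ValueError(f"Type {rec['Type']!r} is not one of {SEVERITIES}")
    # Same layout as the page's {timestamp:Date,MM/dd/yyyy HH:mm:ss} token.
    rec["Date"] = datetime.strptime(str(rec["Date"]), "%m/%d/%Y %H:%M:%S")
    rec["Event"] = int(str(rec["Event"]))  # the pattern declares Event as a number
    return rec


def parse_error_log(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line; a malformed line raises rather than being skipped."""
    return [parse_error_record(l) for l in text.splitlines() if l.strip()]


def count_by_type(records: List[Dict[str, object]]) -> Dict[str, int]:
    """How many records of each Type, a quick check that severities were read correctly."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[str(r["Type"])] = counts.get(str(r["Type"]), 0) + 1
    return counts


# Constructed sample records (event IDs, names and text are made up for the example).
SAMPLE_ERROR_LOG = """Error;05/01/2024 10:15:32;W3SVC;None;1000;N/A;WEBSRV01;Sample description; it contains a semicolon
Audit Failure;05/01/2024 10:16:05;Security;Logon/Logoff;1001;alice;WEBSRV01;Constructed audit entry
"""

if __name__ == "__main__":
    for rec in parse_error_log(SAMPLE_ERROR_LOG):
        print(rec["Type"], rec["Date"].isoformat(), rec["Event"], rec["Description"])
    print(count_by_type(parse_error_log(SAMPLE_ERROR_LOG)))
```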