Microsoft IIS (Ver 7)
Background
The Microsoft IIS Server logs analysis App automatically Collect - Read - Parse - Analyzes - Reports all web machine generated log data of the server and presents a comprehensive set of graphs and reports to analyze machine generated data. Use a predefined set of dashboards and gadgets to  visualize and address the system software, code written, and infrastructure during development, testing, and production. This Microsoft IIS logs analysis App helps measure, troubleshoot, and optimize your servers integrity, stability and quality with visualization and investigation dashboards.
Steps
- Add Log Data In XpoLog, When adding a log to XpoLog you can now select the Log Type (logtype) for Microsoft IIS these are the following logtypes:
- iis
- w3c
- webserver
- in addition select not only iis but also you will need to select the log type - access or error
- in addition select not only iis but also you will need to select the log type - access or error
- Once all required information is set click next and edit the log pattern, this step is crucial to the accuracy and deployment of the Analytic App. Use the following conversion table in order to build XpoLog pattern out of the access log format.
Example
In the header of IIS access logs , or on the IIS configuration file locate the format specification strings that configure the logged fields for example:
Defaults access log fields:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
The following sequence is the log structure definition:Â date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
In XpoLog such pattern will be translated into:
{date:Date,yyyy-MM-dd HH:mm:ss} {geoip:ServerIP,ftype= localip} {text:RequestMethod,ftype=reqmethod} {text:RequestURL,ftype=requrl} {text:QueryString,ftype=querystring} {number:ServerPort,ftype=serverport} {text:username,ftype=remoteuser} {geoip:ClientIP,ftype=remoteip} {text:User-agent,ftype=useragent} {text:Referer,ftype=referer} {number:ResponseStatus,ftype=respstatus} {number:SubStatus,ftype=ressubstatus} {text:Win32Status,ftype=win32status} {number:ResponseTimeSecs,ftype=processrequestmilli}{eol}
Extended access log fields:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
The following sequence is the log structure definition:Â date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
In XpoLog such pattern will be translated into:
{date:Date,yyyy-MM-dd HH:mm:ss} {text:SiteName,ftype=sitename} {text:ServerName,ftype=servername} {geoip:ServerIP,ftype= localip} {text:RequestMethod,ftype=reqmethod} {text:RequestURL,ftype=requrl} {text:QueryString,ftype=querystring} {number:ServerPort,ftype=serverport} {text:username,ftype=remoteuser} {geoip:ClientIP,ftype=remoteip} {text:ProtocolVer,ftype=protocolversion} {text:User-agent,ftype=useragent} {text:Cookie,ftype=cookie} {text:Referer,ftype=referer} {text:HostName,ftype=hostname} {number:ResponseStatus,ftype=respstatus} {number:SubStatus,ftype=ressubstatus} {text:Win32Status,ftype=win32status} {number:BytesSent,ftype=bytesent} {number:BytesReceived,ftype=bytesreceived} {number:ResponseTimeSecs,ftype=processrequestmilli}{eoe}
for more information see below the format Conversion Table
logtype should be set to: iis, access
Format String | Apear as | Description | XpoLog Pattern | ftype |
---|---|---|---|---|
Date + Time | date time | The date on which the activity occurred. Â The time, in coordinated universal time (UTC), at which the activity occurred. | {date,yyyy-MM-dd HH:mm:ss} | Â |
Client IP Address | c-ip | The IP address of the client that made the request. | {ip:ClientIP,ftype=remoteip} | remoteip |
User Name | cs-username | The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen. | {text:username,ftype=remoteuser} | remoteuser |
Service Name and Instance Number | s-sitename | The Internet service name and instance number that was running on the client. | {text:SiteName,ftype=sitename} | sitename |
Server Name | s-computername | The name of the server on which the log file entry was generated. | {text:ServerName,ftype=servername} | servername |
Server IP Address | s-ip | The IP address of the server on which the log file entry was generated. | {ip:ServerIP,ftype=localip} | localip |
Server Port | s-port | The server port number that is configured for the service. | {number:ServerPort,ftype=serverport} | serverport |
Method | cs-method | The requested action, for example, a GET method. | {text:RequestMethod,ftype=reqmethod} | reqmethod |
URI Stem | cs-uri-stem | The target of the action, for example, Default.htm. | {text:RequestURL,ftype=requrl} Â | requrl |
URI Query | cs-uri-query | The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. | {text:QueryString,ftype=querystring} | querystring |
HTTP Status | sc-status | The HTTP status code. | {number:ResponseStatus,ftype=respstatus} | respstatus |
Win32 Status | sc-win32-status | The Windows status code. | {text:Win32Status,ftype=win32status} | win32status |
Bytes Sent | sc-bytes | The number of bytes that the server sent. | {number:BytesSent,ftype=bytesent} | bytesent |
Bytes Received | cs-bytes | The number of bytes that the server received. | {number:BytesSent,ftype=bytesreceived} | bytesreceived |
Time Taken | time-taken | The length of time that the action took, in milliseconds. | {number:ResponseTimeSecs,ftype=processrequestmilli} | processrequestmilli |
Protocol Version | cs-version | The protocol version —HTTP or FTP —that the client used. | {text:ProtocolVer,ftype=protocolversion} | protocolversion |
Host | cs-host | The host header name, if any. | {text:HostName,ftype=hostname} Â | hostname |
User Agent | cs(User-Agent) | The browser type that the client used. | {text:User-agent,ftype=useragent} | useragent |
Cookie | cs(Cookie) | The content of the cookie sent or received, if any. | {text:Cookie,ftype=cookie} | cookie |
Referrer | cs(Referrer) | The site that the user last visited. This site provided a link to the current site. | {text:Referer,ftype=referer} Â | referer |
Protocol Substatus | sc-substatus | The substatus error code. | {number:SubStatus,ftype=ressubstatus} Â | ressubstatus |
Â
IIS Error Log Pattern:
{priority:Type,ftype=severity,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}*;*{text:Source,ftype=source}*;*{text:Category,ftype=category}*;*{number:Event,ftype=event}*;*{text:User,ftype=username}*;*{text:Computer,ftype=computer}*;*{string:Description}
for more information see below the format Conversion Table
logtype should be set to: iis, error
Â
Format String | Description | XpoLog Pattern | ftype |
---|---|---|---|
Priority | The status of the event. | {priority:Type,ftype=severity,Error;Warning;Information;Success;Audit Failure;Audit Success} | severity |
Date | The date of the event. | {timestamp:Date,MM/dd/yyyy HH:mm:ss} | Â |
Source | The source which the event is intented from. | {text:Source,ftype=source} | source |
Category | The category which the records belongs to. | {text:Category,ftype=category} | category |
Event | The ID of the event | {number:Event,ftype=event} | event |
User | The user who performed the event. | {text:User,ftype=username} | username |
Computer | The machine which the event was performed from. | {text:Computer,ftype=computer} | computer |
Description | Description regarding the event | {string:Description} | Â |