How to Read IIS Server Logs

By Steve McDonnell

IIS logs all HTTP transactions to a log file.
i merznatalia/iStock/Getty Images

Web server log files identify server errors that need to be corrected, help identify suspicious activity and highlight security flaws. By default, Microsoft Internet Information Services logs all HTTP transactions to log files. You can choose the log file format with the IIS HTTP Logging element, and you can select the fields written to the log file when you select the W3C Extended log file format.

Log File Formats

IIS writes log files to space-separated ASCII or UTF-8 text files that you can open with any text editor. The W3C Extended log file format is the default format, and the only format that enables you to select up to 22 different fields you want written to the log file for each HTTP or FTP transaction. The National Center for Supercomputing Applications, or NCSA, Common format only supports HTTP and includes seven predefined fields. It's helpful to be familiar with the HTTP status codes as you review the data to easily identify transactions that resulted in an error, such as a 404 "Page Not Found" error, or transactions that attempted to access prohibited data, such as a 500 "Forbidden" error (link in Resources).

Logging to a Database

Instead of writing log files as text files, you can configure IIS to write a predefined set of fields to a file that can populate an ODBC-compliant database. IIS contains a template for loading the data into a Microsoft SQL Server database. This format, however, can degrade server performance because it disables the kernel-mode cache on the server. A better solution to make SQL-like queries against log data in any format is to download and run the Microsoft Log Parser tool (link in Resources).

Configuring Logs in IIS

To configure the log file format for a website and to find the location of the log files, run the IIS Manager, expand the server name in the Connections pane, expand the Sites, navigate to the website you want to configure or view, and then double-click "Logging" on the Home pane. If you select the W3C format, you can also choose the individual fields you want logged. Highlight and copy the location of the log file displayed at the bottom of the screen, and then open the file in a text editor such as WordPad.

W3C Format

The W3C format logs the following data for each HTTP or FTP request based on the fields you selected: date and time, in Coordinated Universal Time; source IP address; username, if known; destination site name and computer name; destination IP address and port number; type of request; target URI requested; URI query, if any; HTTP status and substatus codes; Windows status code; number of bytes the server sent and received; time it took to process, in milliseconds; and protocol version, host name, user agent, cookie and referrer.

NCSA Common Format

The NCSA Common format logs the following fields for each HTTP request: source IP address; remote user log name, if known; username, if known; date and time, in local server time; request URI, HTTP status code; and the number of bytes sent.