...

IIS access logs

In the access log there is one event for each request processed by the server. Follow these steps to select the type of logs you want to process:

IIS 7.0 and later

  1. Open IIS Manager (Start > Control Panel > System and security > Administrative tools > IIS Manager).

  2. Select the site you want to configure and double-click the Register icon in the Features view.

  3. Check that logging is enabled (Enable/Disable option on the Actions view).

  4. Select the log format in the Format field (Register File section from Features view).

W3C Extended format

The W3C Extended log file format is the default log file format for IIS and it corresponds to the web.iis.access-w3c tag.

W3C Extended log format:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

For a detailed description of the log fields, see the Microsoft documentation.

W3C Extended ALL format

This is the same as the W3C Extended format but logs all of the available fields and it corresponds to the web.iis.access-w3c-all tag. We recommend this format because it offers a greater level of detail.

W3C Extended ALL log format:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-21 11:46:52
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
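
The following Python is an added example, not code from Devo or Microsoft: it reads the #Fields directive of an IIS W3C log, reports which of the two tags above the field list corresponds to, and parses each entry. The names `parse_w3c`, `TAG_BY_FIELDS` and the sample entries are constructed for illustration, and it assumes a file suits a tag only when its field list matches the one shown on this page exactly.

```python
# Added example: field lists copied from the #Fields lines shown on this page.
W3C = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
       "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken")
W3C_ALL = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
           "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
           "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
           "sc-win32-status sc-bytes cs-bytes time-taken")
# Assumption: a file suits a tag only when its field list matches exactly.
TAG_BY_FIELDS = {tuple(W3C.split()): "web.iis.access-w3c",
                 tuple(W3C_ALL.split()): "web.iis.access-w3c-all"}


def parse_w3c(lines):
    """Yield (tag, record) per entry; tag is None for a non-matching field list."""
    fields, tag = None, None
    for number, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # A file can hold more than one header block (IIS writes one each
            # time logging starts), so the field list can change mid-file.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                tag = TAG_BY_FIELDS.get(tuple(fields))
            continue
        if fields is None:
            raise ValueError(f"line {number}: entry before any #Fields directive")
        values = line.split(" ")  # IIS writes spaces inside a value as '+'
        if len(values) != len(fields):
            raise ValueError(f"line {number}: {len(values)} values for {len(fields)} fields")
        # '-' marks a field with no value for this request.
        yield tag, {f: (None if v == "-" else v) for f, v in zip(fields, values)}


# Constructed sample: the default header, one entry, then a custom field list.
SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-03 08:45:20 192.0.2.10 GET /default.aspx id=7 80 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 31
#Fields: date time c-ip cs-uri-stem sc-status
2013-01-03 09:00:01 198.51.100.23 /login.aspx 401
"""

if __name__ == "__main__":
    for tag, record in parse_w3c(SAMPLE.splitlines()):
        print(tag or "no matching tag", record["c-ip"], record["sc-status"])
```

Entries yielded with a tag of `None` come from a field selection that matches neither format on this page, which is worth catching before the file is forwarded under one of the two tags.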

NCSA Common Format

The NCSA Common format is fixed and it corresponds to the web.iis.access-ncsa tag. The log format is the same as the one used in web.apache.accessclf (Common Log Format).

NCSA Common log format:

remotehost rfc931 authuser [date] "request" status bytes

...

These are the fields displayed in these tables:

web.iis.accessNcsa

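| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| serverdate | timestamp | | |
| srcIp | ip4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| protocol | str | | |
| statusCode | int4 | | |
| responseLength | int4 | | |
| srcIdentd | str | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |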

...

How is the data sent to Devo?

Devo recommends using the File Fetcher of the Endpoint Agent to forward IIS logs to Devo. In both cases:

  • Make sure the logs are written in text files.

  • Have the complete paths to the log files on hand when setting up the sending.