Introduction
The tags beginning with web.iis identify log events generated by the Internet Information Services (IIS) web server for Windows.
...
belonging to IBM.
Valid tags and data tables
The full tag must have at least six levels. The first two are fixed as web.iis. The third level identifies the log type/format and currently must be one of access-ncsa, access-w3c, or access-w3c-all.
The fourth, fifth and sixth levels are required and should identify the environment type, web application, and instance respectively.
environment - Describes the environment in which the event occurred. For example, development, testing, or production.
web application - The name of the web application.
clon - This is the instance that generated the event. Depending on your network, this can be a machine name, or the virtual name of an IIS process.
Choose the values of these levels according to the structure we propose, because they are stored with the events in Devo. When you open the resulting data table, they appear in the environment, site and clon columns.
Technology | Brand | Log type/format | Environment | Web application | Clon |
---|---|---|---|---|---|
web | iis | access-ncsa, access-w3c, access-w3c-all | free but required | free but required | free but required |
Therefore, the valid tags include:
of events sent and the rest of them indicate the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product/Service | Tag | Data table |
---|---|---|
Apache HTTP Server Project |
For more information, read the article about Devo tags.
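Added example (not Devo's own code): one way to check a tag against the level rules above before configuring a sender. The function names and sample tags are hypothetical, the pairing of each log format with a data table is inferred from the names used on this page, and rejecting whitespace in the free levels and ignoring levels beyond the sixth are assumptions.

```python
# Added example: validates a web.iis tag against the level rules on this page.
# Pairing of format -> table is inferred from the tag and table names on the page.
FORMAT_TO_TABLE = {
    "access-ncsa": "web.iis.accessNcsa",
    "access-w3c": "web.iis.accessW3c",
    "access-w3c-all": "web.iis.accessW3cAll",
}

def parse_iis_tag(tag):
    """Return routing info for a web.iis tag, or raise ValueError saying what is wrong."""
    levels = tag.split(".")
    if len(levels) < 6:
        raise ValueError(f"expected at least 6 levels, got {len(levels)}")
    if levels[:2] != ["web", "iis"]:
        raise ValueError("first two levels must be web.iis")
    # Assumption: levels beyond the sixth are ignored here.
    fmt, environment, site, clon = levels[2:6]
    if fmt not in FORMAT_TO_TABLE:
        raise ValueError(f"unknown log type/format: {fmt!r}")
    for name, value in (("environment", environment),
                        ("web application", site), ("clon", clon)):
        # "Free but required": must be present; whitespace check is an assumption.
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"{name} level is required and must not contain whitespace")
    return {"table": FORMAT_TO_TABLE[fmt], "environment": environment,
            "site": site, "clon": clon}

def audit_tags(tags):
    """Split tags into ({tag: routing info}, {tag: error}) for config review."""
    ok, bad = {}, {}
    for tag in tags:
        try:
            ok[tag] = parse_iis_tag(tag)
        except ValueError as exc:
            bad[tag] = str(exc)
    return ok, bad

# Constructed sample tags, not taken from a real deployment.
SAMPLE_TAGS = [
    "web.iis.access-w3c-all.production.shop.iis01",
    "web.iis.access-w3c.production.shop",       # clon level missing
    "web.iis.access_w3c.testing.shop.iis02",    # format misspelled
    "web.iis.access-ncsa.development..iis03",   # empty web application level
]

if __name__ == "__main__":
    valid, rejected = audit_tags(SAMPLE_TAGS)
    for tag, info in valid.items():
        print("OK ", tag, "->", info["table"])
    for tag, why in rejected.items():
        print("BAD", tag, "->", why)
```

A machine name that contains dots would be split into several levels by this check, so only its first label would land in the clon value.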
IIS access logs
In the access log there is one event for each request processed by the server. Follow these steps to select the type of logs you want to process:
W3C Extended format
The W3C Extended log file format is the default log file format for IIS and
...
it corresponds to the web.iis.access-w3c tag.
W3C Extended log format
For a detailed description of the log fields, see the Microsoft documentation.
W3C Extended ALL format
This is the same as the W3C Extended format but logs all of the available fields, and it corresponds to the web.iis.access-w3c-all tag. We recommend this format because it offers a greater level of detail.
W3C Extended ALL log format
NCSA Common format
The NCSA Common format is fixed and it corresponds to the web.iis.access-ncsa tag. The log format is the same as the one used in web.apache.accessclf (Common Log Format).
NCSA Common log format
...
Table structure
These are the fields displayed in these tables:
web.iis.accessNcsa
web.iis.accessW3c
web.iis.accessW3cAll
web.iis.accessNcsa
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
environment | | venv | |
site | | vsite | |
clon | | vclon | |
serverdate | | | |
srcIp | | | |
user | | | |
method | | | |
url | | | |
protocol | | | |
statusCode | | | |
responseLength | | | |
srcIdentd | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |
web.iis.accessW3c
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
environment | | venv | |
site | | vsite | |
clon | | vclon | |
rawMessage | | | ✓ |
serverdate | | | |
srcIp | | | |
dstIp | | | |
serverPort | | | |
user | | | |
method | | | |
url | | | |
urlQuery | | | |
userAgent | | | |
referrer | | | |
statusCode | | | |
subStatus | | | |
win32Status | | | |
responseTime | | | |
other | | | |
comment | | | |
hostchain | | | ✓ |
tag | | | ✓ |
web.iis.accessW3cAll
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
environment | | venv | |
site | | vsite | |
clon | | vclon | |
siteName | | | |
computerName | | | |
serverdate | | | |
srcIp | | | |
dstIp | | | |
serverName | | | |
serverPort | | | |
user | | | |
method | | | |
url | | | |
urlQuery | | | |
protocol | | | |
statusCode | | | |
referer | | | |
userAgent | | | |
cookies | | | |
subStatus | | | |
win32Status | | | |
responseLength | | | |
requestLength | | | |
responseTime | | | |
serverdate_str | | | |
rawMessage | | rawSource | |
hostchain | | | ✓ |
tag | | | ✓ |
How is the data sent to Devo?
Devo recommends using the File Fetcher of the Endpoint Agent to forward IIS logs to Devo. In both cases:
Make sure the logs are written in text files.
Have the complete paths to the log files on hand when setting up the sending.