Page Comparison

Table of Contents

maxLevel	2
minLevel	2
type	flat

Introduction

The tags beginning with web.iis iis identify log events generated by the Internet Information Services (IIS) web server for Windows.

...

belonging to IBM.

Valid tags and data tables

The full tag must have at least six 3 levels. The first two are fixed as as web.iisapache. The third level identifies the log type /format and currently must be one of access-ncsa, access-w3c, or access-w3c-all.

The fourth, fifth and sixth levels are required and should identify the environment type, web application, and instance respectively.

environment - Describes the environment in when the event occurred. For example, development, testing, or production.
web application - The name of the web application.
clon - This is the instance that generated the event. Depending on your network, this can be a machine name, or the virtual name of an IIS process.

The values of these levels should be guided by the structure we propose because they will be saved in the events when saved in Devo. When you open the resulting data table, these will appear in the environment, site and clon columns.

...

Technology

...

Brand

...

Log type/format

...

Environment

...

Web application

...

Clon

...

web

...

iis

...

access-ncsa
access-w3c
access-w3c-all

free but required

...

free but required

...

free but required

Therefore, the valid tags include:

of events sent and the rest of them indicate the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product/Service	Tag	Data table
Apache HTTP Server Project	`web.iis.accessNcsa`	`web.iis.accessNcsa`
	`web.iis.access-w3c.pro.gif.1`	`web.iis.accessW3c`
	`web.iis.access-`	`web.iis.accessW3c`

...

w3c.env.

...

aws.

...

pam

web.iis.access-w3c-all.

...

`b.app.clon`	`web.iis.accessW3cAll`
`web.iis.access-w3c-all.`

...

pro.

...

gif.

...

1

For more information, read the article about Devo tags.

Anchor

	access_logs
	access_logs

Expand

title	Event formats

IIS access logs

In the access log there is one event for each request processed by the server. Follow these steps to select type of logs you want to process:

IIS 7.0 and later

Open IIS Manager (Start → Control Panel → System and security → Administrative tools → IIS Manager).
Select the site want to configure and double click on the Register icon in the Features view.
Check that the Logging is enabled (Enable/Disable option on the Actions view).
Select the log format in the Format field (Register File section from Features view).

W3C Extended format

The W3C Extended log file format is the default log file format for IIS and

...

it corresponds to the web.iis.access-w3c tag.

W3C Extended log format

Code Block

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

For a detailed description of the log fields, see the Microsoft documentation.

W3C Extended ALL format

This is the same as the W3C Extended format but logs all of the available fields and it corresponds to the web.iis. access-w3c-all tag. We recommend this format because it offers a greater level of detail.

W3C Extended ALL log format

Code Block

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-21 11:46:52
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

NCSA Common Format

The NCSA Common format is fixed and it corresponds to the web.iis.access-ncsa tag.

The log format is the same used in web.apache.accessclf (Common Log Format).

NCSA Common log format

Code Block
remotehost rfc931 authuser [date] "request" status bytes

...

Table structure

These are the fields displayed in these tables:

web.iis.accessNcsa
web.iis.accessW3c
web.iis.accessW3cAll

web.iis.accessNcsa

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
environment	`str`	venv
site	`str`	vsite
clon	`str`	vclon
serverdate	`timestamp`
srcIp	`ip4`
user	`str`
method	`str`
url	`str`
protocol	`str`
statusCode	`int4`
responseLength	`int4`
srcIdentd	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓

web.iis.accessW3c

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
environment	`str`	venv
site	`str`	vsite
clon	`str`	vclon
rawMessage	`str`		✓
serverdate	`timestamp`
srcIp	`str`
dstIp	`str`
serverPort	`int4`
user	`str`
method	`str`
url	`str`
urlQuery	`str`
userAgent	`str`
referrer	`str`
statusCode	`int4`
subStatus	`int4`
win32Status	`int8`
responseTime	`int4`
other	`str`
comment	`str`
hostchain	`str`		✓
tag	`str`		✓

web.iis.accessW3cAll

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
environment	`str`	venv
site	`str`	vsite
clon	`str`	vclon
siteName	`str`
computerName	`str`
serverdate	`timestamp`
srcIp	`ip4`
dstIp	`ip4`
serverName	`str`
serverPort	`int4`
user	`str`
method	`str`
url	`str`
urlQuery	`str`
protocol	`str`
statusCode	`int4`
referer	`str`
userAgent	`str`
cookies	`str`
subStatus	`int4`
win32Status	`int4`
responseLength	`int4`
requestLength	`int4`
responseTime	`int4`
serverdate_str	`str`
rawMessage	`str`	rawSource
hostchain	`str`		✓
tag	`str`		✓

How is the data sent to Devo?

Devo recommends using the File Fetcher of the Endpoint Agent to forward IIS to Devo. In both cases:

Make sure the logs are written in text files.
Have the complete paths to the log files on hand when setting up the sending.

Versions Compared

Old Version 5

New Version 6

Key

Introduction

Valid tags and data tables

IIS access logs

W3C Extended format

W3C Extended log format

W3C Extended ALL format

W3C Extended ALL log format

NCSA Common Format

NCSA Common log format

Table structure

web.iis.accessNcsa

web.iis.accessW3c

web.iis.accessW3cAll

How is the data sent to Devo?