Introduction
The tags beginning with web.iis identify events generated by the IBM InfoSphere Information Server belonging to IBM.
The full tag must have at least 3 levels. The first two are fixed as web.apache. The third level identifies the type of events sent and the rest of them indicate the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
| Product/Service | Tag | Data table |
|---|---|---|
| Apache HTTP Server Project | web.iis.accessNcsa | web.iis.accessNcsa |
| | web.iis.access-w3c.pro.gif.1 | web.iis.accessW3c |
| | web.iis.access-w3c.env.aws.pam | web.iis.accessW3c |
| | web.iis.access-w3c-all.b.app.clon | web.iis.accessW3cAll |
| | web.iis.access-w3c-all.pro.gif.1 | web.iis.accessW3cAll |
For more information, read the article about Devo tags.
Event formats
IIS access logs: The access log contains one event for each request processed by the server. Follow these steps to select the type of logs you want to process:
| IIS 7.0 and later |
|---|
| Open IIS Manager (Start → Control Panel → System and security → Administrative tools → IIS Manager). Select the site you want to configure and double-click the Register icon in the Features view. Check that logging is enabled (Enable/Disable option in the Actions view). Select the log format in the Format field (Register File section of the Features view). |
NCSA Common Format:
The NCSA Common format is fixed and corresponds to the web.iis.access-ncsa tag. The log format is the same as the one used in web.apache.accessclf (Common Log Format).
remotehost rfc931 authuser [date] "request" status bytes
W3C Extended format:
The W3C Extended log file format is the default log file format for IIS and corresponds to the web.iis.access-w3c tag.
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
For a detailed description of the log fields, see the Microsoft documentation.
W3C Extended ALL format:
This is the same as the W3C Extended format but logs all of the available fields, and it corresponds to the web.iis.access-w3c-all tag. We recommend this format because it offers a greater level of detail.
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-21 11:46:52
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
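The following is an added example, not code from Devo or from the original page: a small Python parser that reads W3C Extended log text by following its own `#Fields` directive, so it handles both the default field set and the ALL field set shown above. The function names, the choice of integer fields and the sample request lines are assumptions constructed for illustration.

```python
# Added example: parse IIS W3C Extended log text using its #Fields directive.
# Names and sample request lines are constructed, not taken from a real server.
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "sc-bytes", "cs-bytes", "time-taken"}

SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-03 08:45:16 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2013-01-03 08:45:17 192.0.2.10 GET /admin/ id=1 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 401 2 5 3
2013-01-03 08:45:18 192.0.2.10 GET /broken
"""

def _convert(name, value):
    if value == "-":                 # "-" marks a field with no value
        return None
    return int(value) if name in INT_FIELDS else value

def parse_w3c(text):
    """Return (events, rejected); each event maps W3C field name -> value."""
    fields, events, rejected = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The header block can repeat inside one file (for example after
            # a restart or a logging change), so the latest #Fields line wins.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")     # IIS writes spaces inside values as "+"
        if not fields or len(values) != len(fields):
            rejected.append((lineno, line))   # truncated or mismatched line
            continue
        try:
            events.append({n: _convert(n, v) for n, v in zip(fields, values)})
        except ValueError:           # non-numeric text in a numeric field
            rejected.append((lineno, line))
    return events, rejected

if __name__ == "__main__":
    parsed, bad = parse_w3c(SAMPLE)
    for e in parsed:
        print(e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"])
    print("rejected:", bad)
```

Keeping rejected lines instead of dropping them makes truncated or tampered log entries visible before the data is forwarded.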
Table structure
These are the fields displayed in these tables:
web.iis.accessNcsa
| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| serverdate | timestamp | | |
| srcIp | ip4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| protocol | str | | |
| statusCode | int4 | | |
| responseLength | int4 | | |
| srcIdentd | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |
web.iis.accessW3c
| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| rawMessage | str | | ✓ |
| serverdate | timestamp | | |
| srcIp | str | | |
| dstIp | str | | |
| serverPort | int4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| urlQuery | str | | |
| userAgent | str | | |
| referrer | str | | |
| statusCode | int4 | | |
| subStatus | int4 | | |
| win32Status | int8 | | |
| responseTime | int4 | | |
| other | str | | |
| comment | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
web.iis.accessW3cAll
| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| siteName | str | | |
| computerName | str | | |
| serverdate | timestamp | | |
| srcIp | ip4 | | |
| dstIp | ip4 | | |
| serverName | str | | |
| serverPort | int4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| urlQuery | str | | |
| protocol | str | | |
| statusCode | int4 | | |
| referer | str | | |
| userAgent | str | | |
| cookies | str | | |
| subStatus | int4 | | |
| win32Status | int4 | | |
| responseLength | int4 | | |
| requestLength | int4 | | |
| responseTime | int4 | | |
| serverdate_str | str | | |
| rawMessage | str | rawSource | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
How is the data sent to Devo?
Devo recommends using the File Fetcher of the Endpoint Agent to forward IIS to Devo. In both cases: