Introduction
Tags beginning with web.iis identify events generated by Microsoft Internet Information Services (IIS). The full tag must have at least 3 levels. The first two are fixed as web.iis. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
| Product/Service | Tag | Data table |
|---|---|---|
| Apache HTTP Server Project | web.iis.accessNcsa | web.iis.accessNcsa |
| | web.iis.access-w3c.pro.gif.1 | web.iis.accessW3c |
| | web.iis.access-w3c.env.aws.pam | |
| | web.iis.access-w3c-all.b.app.clon | web.iis.accessW3cAll |
| | web.iis.access-w3c-all.pro.gif.1 | |
For more information, read the article about Devo tags.
Event formats
IIS access logs: the access log contains one event for each request processed by the server. Follow these steps to select the type of logs you want to process:

IIS 7.0 and later

1. Open IIS Manager (Start → Control Panel → System and security → Administrative tools → IIS Manager).
2. Select the site you want to configure and double-click the Register icon in the Features view.
3. Check that Logging is enabled (Enable/Disable option in the Actions view).
4. Select the log format in the Format field (Register File section of the Features view).
NCSA Common Format:
The NCSA Common format is fixed and corresponds to the web.iis.access-ncsa tag. The log format is the same one used in web.apache.accessclf (Common Log Format):

```
remotehost rfc931 authuser [date] "request" status bytes
```
W3C Extended format:
The W3C Extended log file format is the default log file format for IIS and corresponds to the web.iis.access-w3c tag. The file starts with directive lines; the #Fields directive declares the columns of the data lines that follow it:

```
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
```
For a detailed description of the log fields, see the Microsoft documentation.
W3C Extended ALL format:
This is the same as the W3C Extended format but logs all of the available fields, and corresponds to the web.iis.access-w3c-all tag. We recommend this format because it offers a greater level of detail.

```
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-21 11:46:52
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
```
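Because the W3C Extended and W3C Extended ALL layouts differ only in their #Fields directive, a parser has to read that directive rather than assume fixed columns. The following added example (not Devo's parser) does that for both formats and maps the W3C names onto the column names used by the web.iis.accessW3c/accessW3cAll tables; the W3C-to-column mapping, the integer typing and the sample log are assumptions made for the example.

```python
from datetime import datetime, timezone

# Assumed mapping from W3C field names to the table columns listed on this page.
W3C_TO_TABLE = {
    "s-sitename": "siteName", "s-computername": "computerName", "s-ip": "dstIp",
    "cs-method": "method", "cs-uri-stem": "url", "cs-uri-query": "urlQuery",
    "s-port": "serverPort", "cs-username": "user", "c-ip": "srcIp",
    "cs-version": "protocol", "cs(User-Agent)": "userAgent", "cs(Cookie)": "cookies",
    "cs(Referer)": "referer", "cs-host": "serverName", "sc-status": "statusCode",
    "sc-substatus": "subStatus", "sc-win32-status": "win32Status", "sc-bytes": "responseLength",
    "cs-bytes": "requestLength", "time-taken": "responseTime",
}
INT_FIELDS = {"serverPort", "statusCode", "subStatus", "win32Status",
              "responseLength", "requestLength", "responseTime"}

def parse_w3c(text):
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):           # the directive defines the layout
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):      # blank lines and other directives carry no event
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()                     # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        raw = dict(zip(fields, values))
        event = {"rawMessage": line}
        if "date" in raw and "time" in raw:       # IIS writes W3C timestamps in UTC
            event["serverdate"] = datetime.strptime(raw["date"] + " " + raw["time"],
                                                    "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        for name, value in raw.items():
            col = W3C_TO_TABLE.get(name)
            if col is None or value == "-":       # '-' means the field is empty
                continue
            event[col] = int(value) if col in INT_FIELDS else value
        events.append(event)
    return events

# Constructed sample with the W3C Extended header shown above (not a real capture).
SAMPLE = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-03 08:45:16 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 31
2013-01-03 08:45:17 10.0.0.5 GET /admin q=1 80 - 192.0.2.11 curl/7.29 404 0 2 15
"""
```

Feeding a W3C Extended ALL file through the same function yields the extra columns (siteName, cookies, requestLength, ...) with no code change, because only the #Fields line differs.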
Table structure
These are the fields displayed in these tables:
web.iis.accessNcsa

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| serverdate | timestamp | | |
| srcIp | ip4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| protocol | str | | |
| statusCode | int4 | | |
| responseLength | int4 | | |
| srcIdentd | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |
web.iis.accessW3c

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| rawMessage | str | | ✓ |
| serverdate | timestamp | | |
| srcIp | str | | |
| dstIp | str | | |
| serverPort | int4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| urlQuery | str | | |
| userAgent | str | | |
| referrer | str | | |
| statusCode | int4 | | |
| subStatus | int4 | | |
| win32Status | int8 | | |
| responseTime | int4 | | |
| other | str | | |
| comment | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
web.iis.accessW3cAll

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| siteName | str | | |
| computerName | str | | |
| serverdate | timestamp | | |
| srcIp | ip4 | | |
| dstIp | ip4 | | |
| serverName | str | | |
| serverPort | int4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| urlQuery | str | | |
| protocol | str | | |
| statusCode | int4 | | |
| referer | str | | |
| userAgent | str | | |
| cookies | str | | |
| subStatus | int4 | | |
| win32Status | int4 | | |
| responseLength | int4 | | |
| requestLength | int4 | | |
| responseTime | int4 | | |
| serverdate_str | str | | |
| rawMessage | str | rawSource | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
How is the data sent to Devo?
Devo recommends using the File Fetcher of the Endpoint Agent to forward IIS logs to Devo. In both cases: