
web.iis

Introduction

Tags beginning with web.iis identify events generated by Microsoft Internet Information Services (IIS).

Valid tags and data tables

The full tag must have at least 3 levels. The first two are fixed as web.iis. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product/Service | Tag | Data table |
|---|---|---|
| Apache HTTP Server Project | web.iis.accessNcsa | web.iis.accessNcsa |
| | web.iis.access-w3c.pro.gif.1 | web.iis.accessW3c |
| | web.iis.access-w3c.env.aws.pam | web.iis.accessW3c |
| | web.iis.access-w3c-all.b.app.clon | web.iis.accessW3cAll |
| | web.iis.access-w3c-all.pro.gif.1 | web.iis.accessW3cAll |

For more information, read the article about Devo tags.

IIS access logs: The access log contains one event for each request processed by the server. Follow these steps to select the type of logs you want to process:

IIS 7.0 and later


  1. Open IIS Manager (Start → Control Panel → System and security → Administrative tools → IIS Manager).

  2. Select the site you want to configure and double-click the Register icon in the Features view.

  3. Check that logging is enabled (Enable/Disable option in the Actions view).

  4. Select the log format in the Format field (Register File section from Features view).

  • NCSA Common Format:
    The NCSA Common format is fixed and it corresponds to the web.iis.access-ncsa tag. The log format is the same used in web.apache.accessclf (Common Log Format).

    remotehost rfc931 authuser [date] "request" status bytes
  • W3C Extended format:
    The W3C Extended log file format is the default log file format for IIS and it corresponds to the web.iis.access-w3c tag.

    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2013-01-03 08:45:16
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

    For a detailed description of the log fields, see the Microsoft documentation.

  • W3C Extended ALL format:
    This is the same as the W3C Extended format but logs all of the available fields and it corresponds to the web.iis.access-w3c-all tag. We recommend this format because it offers a greater level of detail.

    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2013-01-21 11:46:52
    #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
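
An added example (not Devo's parser and not code from this page): a Python check that reads the `#Fields:` directive of a W3C log file, reports which of the two W3C tags above matches that field list, and sets aside rows that do not align with the header. The function name `parse_w3c` and the sample log lines are constructed for illustration.

```python
# Field lists copied from the two "#Fields:" headers shown on this page.
W3C = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
       "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()
W3C_ALL = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
           "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
           "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
           "sc-win32-status sc-bytes cs-bytes time-taken").split()
TAG_FOR = {tuple(W3C): "web.iis.access-w3c", tuple(W3C_ALL): "web.iis.access-w3c-all"}


def parse_w3c(lines):
    """Return (tags, events, rejected); tags holds one entry per #Fields directive seen."""
    fields, tags, events, rejected = None, [], [], []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # IIS can write the directive block again mid-file (e.g. after a restart)
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                tags.append(TAG_FOR.get(tuple(fields)))  # None: matches neither list
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            rejected.append((n, line))  # row cannot be aligned to the header
            continue
        # "-" is the W3C placeholder for an empty field
        events.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return tags, events, rejected


# Constructed sample (not real traffic); addresses come from documentation ranges.
SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-03 08:45:16 192.0.2.10 GET /default.aspx id=7 80 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 31
2013-01-03 08:45:17 192.0.2.10 GET /admin/ - 80 - 198.51.100.23 curl/7.29.0 401 2 5 4
2013-01-03 08:45:18 192.0.2.10 GET /broken row
""".splitlines()

if __name__ == "__main__":
    print(parse_w3c(SAMPLE))
```

A `None` entry in the returned tag list means the site logs a custom field selection, so neither field list shown above describes the file as written.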

Table structure

These are the fields displayed in these tables:

web.iis.accessNcsa

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| serverdate | timestamp | | |
| srcIp | ip4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| protocol | str | | |
| statusCode | int4 | | |
| responseLength | int4 | | |
| srcIdentd | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |

web.iis.accessW3c

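| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| rawMessage | str | | ✓ |
| serverdate | timestamp | | |
| srcIp | str | | |
| dstIp | str | | |
| serverPort | int4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| urlQuery | str | | |
| userAgent | str | | |
| referrer | str | | |
| statusCode | int4 | | |
| subStatus | int4 | | |
| win32Status | int8 | | |
| responseTime | int4 | | |
| other | str | | |
| comment | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |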

web.iis.accessW3cAll

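| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| environment | str | venv | |
| site | str | vsite | |
| clon | str | vclon | |
| siteName | str | | |
| computerName | str | | |
| serverdate | timestamp | | |
| srcIp | ip4 | | |
| dstIp | ip4 | | |
| serverName | str | | |
| serverPort | int4 | | |
| user | str | | |
| method | str | | |
| url | str | | |
| urlQuery | str | | |
| protocol | str | | |
| statusCode | int4 | | |
| referer | str | | |
| userAgent | str | | |
| cookies | str | | |
| subStatus | int4 | | |
| win32Status | int4 | | |
| responseLength | int4 | | |
| requestLength | int4 | | |
| responseTime | int4 | | |
| serverdate_str | str | | |
| rawMessage | str | rawSource | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |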

How is the data sent to Devo?

Devo recommends using the File Fetcher of the Endpoint Agent to forward IIS logs to Devo. In both cases:

  • Make sure the logs are written in text files.

  • Have the complete paths to the log files on hand when setting up the sending.