IIS 7 and Above
How to get real website name in IIS logs.
Last post Mar 07, 2018 08:43 AM by Yuk Ding
Feb 07, 2018 10:53 AM|Luds|LINK
I am facing a issue with the IIS logs function on IIS 8.5.
My objective is to get the real sitename into the IIS logs files instead than the website intance ID gave by s-sitename field :W3SVC6 or W3SVC1.
I think the actual s-sitename field will not give me this value and I already tried couple server variables fields, do you know how I can get it?
My actuel logs fields:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-FORWARDED-FOR
Thank you in advance for your help.
Feb 08, 2018 03:17 AM|Yuk Ding|LINK
The s-sitename means "internet service name+ instance ID". That's why you get the s-sitename value like w3svc6. What about use the cs-host to get the binding host header for each website? If you still require to get the site name of each websites. Then
I suggest you to create a custom response header with your sitename and add a custom field to log the sitename response header.
IIS always log the request based on different instance ID. So if you see 6 or 1, you should know which website the client is trying to access.
Feb 08, 2018 10:34 AM|Luds|LINK
Thank you for your reply , I am working on it.
Let me give more details about what I want to do:
I want to centralize and analyse all our IIS logs on more than 100 windows 2012 R2 server, my main issue is than we are hosting different type of multi tenant web applications and the log structure are unfortunately not the same everywhere...
The cs-host is not enough because it customizable by users so the only way I found to identify the application type is by using the website name but yes the tenant can be obtain with the cs-host field, please see below a example:
Feb 13, 2018 08:45 AM|Yuk Ding|LINK
The site name should be contained in the request header or body. So I think the only way to achieve this is add response header for each website.
Feb 14, 2018 08:49 PM|Luds|LINK
After somes research on microsoft documentations related to IIS.
I found this :
Optional Boolean attribute.
Specifies that the s-sitename field will contain either the site name (false) or the site ID (true). If the One log file per property is set to Site (the out-of-box default], then you won't get s-sitename column in the
log file by default, because the log file name property will contain the site ID instead. If the One log file per property is set to Server, the-s-sitename column will be included in the log file by default.
The default value is True, meaning that the s-sitename field contains the site ID. To log the site name instead, set logSiteID to False.
Source => https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
While changing the logSiteId to false, I have the real sitename instead than the instance siteID:
#Date: 2018-02-14 20:37:28
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken Test
2018-02-14 20:37:25 DEFAULT+WEB+SITE FROVHWIN2K-02 ::1 GET /favicon.ico - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/64.0.3282.167+Safari/537.36 - http://localhost/ localhost 404 0 2 5015 365 1060 -
2018-02-14 20:44:31 DEFAULT+WEB+SITE FROVHWIN2K-02 ::1 GET /favicon.ico - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/64.0.3282.167+Safari/537.36 - http://localhost/ localhost 404 0 2 5015 365 2 -
I will see if this modification will come with new behaviors.
Thank you for your help.
Mar 07, 2018 08:43 AM|Yuk Ding|LINK
Thanks for sharing your experience.