IIS 5 & IIS 6
Scanning IIS 6 logs for application activity
Last post Sep 14, 2018 09:42 AM by Terry Peng
Sep 12, 2018 10:32 PM|ggiaquin|LINK
I am tasked with migrating our applications from Windows 2003 to Windows 2012. Part of the steps is that they want me to use the IIS logs and sift through them with a 3rd party application such as Splunk, Elasticsearch, etc. (using the Microsoft recommended tool Log Parser Studios). The goal of the IIS log analysis is to pick out which applications are still active and which can be left for dead. But I am running into some issues. When I run Log Parser, I am not able to pick out the individual Virtual Directories and their activities, only the website they are listed under. For example, I have a site in IIS called my.website.com and under it is something like MyWebSiteReports. When I run the search on the log files though, the cs-uri-stem comes back with something like /login /admin but not the application it relates to. I am not sure if I am doing my query right or if I am using the right files.
I have dug around a tad and I am starting to have a sneaking suspicion that the applications/virtual directories needed to have their own logging set up in order for me to pick them out individually, as I am not finding any other IIS log files besides the HTTPERR folder which, according to research, only logs when an error happens. But that provides the application name that I thought I would get with the other folders.
What can I do to find the proper logs and/or run the proper query for activity?
Sep 12, 2018 11:21 PM|lextm|LINK
The setting "centralLogFileMode" controls how IIS stores log entries, and you can only choose from per site, or per server.
If you want to analyze based on application/virtual directory, you have to build your own extra logic to associate "cs-uri-stem" with the actual applications/virtual directories under the site.
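One way to build that association outside Log Parser, as an added example that is not part of the original post: a Python sketch that reads a W3C-format log, maps each cs-uri-stem to the longest matching application path, and reports hits and last-seen date per application. The application paths in APP_PATHS and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed application/virtual directory paths under the site (hypothetical;
# take the real list from IIS Manager for the site being analysed).
APP_PATHS = ["/MyWebSiteReports", "/MyWebSiteReports/Archive"]

# Constructed sample in W3C extended log format, not real log data.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem sc-status
2018-09-01 10:00:01 GET /MyWebSiteReports/login 200
2018-09-03 11:15:42 GET /mywebsitereports/Archive/2017.aspx 200
2018-09-04 08:30:00 GET /login 200
2018-09-05 09:00:00 GET /MyWebSiteReportsOld/x.aspx 404
2018-09-06 14:20:10 POST /MyWebSiteReports/admin 302
"""

def match_app(stem, app_paths):
    """Return the longest app path that prefixes stem on a segment boundary."""
    s = stem.lower()                      # IIS URL paths are case-insensitive
    best, best_len = "/", 0               # "/" means the site root, no app matched
    for path in app_paths:
        p = path.lower().rstrip("/")
        # Require an exact match or a following "/", so that
        # /MyWebSiteReportsOld is not counted as /MyWebSiteReports.
        if (s == p or s.startswith(p + "/")) and len(p) > best_len:
            best, best_len = path, len(p)
    return best

def activity_by_app(lines, app_paths):
    """Count hits and track the latest date per application."""
    fields = []
    stats = defaultdict(lambda: {"hits": 0, "last_seen": ""})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # the field list can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        entry = stats[match_app(row.get("cs-uri-stem", ""), app_paths)]
        entry["hits"] += 1
        entry["last_seen"] = max(entry["last_seen"], row.get("date", ""))
    return dict(stats)

if __name__ == "__main__":
    for app, info in sorted(activity_by_app(SAMPLE_LOG.splitlines(), APP_PATHS).items()):
        print(app, info["hits"], info["last_seen"])
```

Requests that match no configured path are counted under "/", which makes stems such as a bare /login visible as site-root traffic instead of silently dropping them.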
Sep 13, 2018 09:52 AM|Terry Peng|LINK
You said "I am starting to have a sneaking suspicion that the applications/virtual directories needed to have their own logging", but as far as I know, IIS does not provide such a function; it only provides logs per site rather than per application.
The cs-uri-stem should return the URL actually used by the client. When you are calling an application, the application name will be in there and when you are calling a login or admin page, it will also be in there. Have you checked if any record's cs-uri-stem does not contain your application name?
In my test, the cs-uri-stem contains the name of the application I called and then I could use a query to filter the related records. I would suggest you try to use a query to filter it too. Here is some simple code.
SELECT * FROM '[LOGFILEPATH]' WHERE cs-uri-stem LIKE '%MyWebSiteReports%'
Sep 13, 2018 03:55 PM|ggiaquin|LINK
Thanks for your response! That is what I saw on another forum, that they had to create their own logs for the applications/virtual directories. I wanted to make sure I was not misunderstanding that, as I have never done a project like this before. How would I go about creating the appropriate logic? Is that needed in the search query?
Sep 13, 2018 03:59 PM|ggiaquin|LINK
Yes, I am trying to do research as I have never worked in this area of expertise before. You mention that it should reply the application name as part of the stem but this is not the case, at least for my reports. It will show only /login or /admin as an example and that would be it.
I will definitely give your query a shot. I have something similar:
SELECT date, cs-uri-stem, COUNT(*) AS hits FROM '[LOGFILEPATH]' WHERE sc-status = 200 GROUP BY date, cs-uri-stem
Sep 14, 2018 09:42 AM|Terry Peng|LINK
It is strange that the cs-uri-stem only returns /login or /admin. Is there any rewrite/redirect rule working to redirect your request to another page?
Please try to back up your log files and clean the original log files. Make sure no rewrite/redirect rule is working now and then send a request to your application.
What's the URL you requested and what's the log result?