Dombat


Software Engineering, Security, Management & Leadership

Dombat

IIS Logging Basics

19th August 2015

After I discovered Log Lizard and its awesome power to consume logs I soon found that I needed to configure more and more logs to make use of its full potential. Out of the box, many fields are not selected so your logs will be incomplete. This applies to IIS logging, FTP, SMTP as well as others.

IIS Advanced Logging
Make a start by downloading Advanced Logging for IIS or by the Web Platform Installer. You can use the standard IIS logging feature, but Advanced Logging adds extra features you can use later such as real time publishing, custom fields and client logging.

Click the Server Node in IIS and then double click the Advanced Logging icon.

In the Actions Pane on the right, click to enable logging.

If you can, move the log to a seperate drive to Windows. Logs can get big pretty quickly in some situations so you don't want to run out of disk on the Windows drive.

In the middle screen double click the log name (which defaults to %ComputerName%-Server) to open the log settings window.

Ensure that Enabled is checked. I like to start a new log when the config changes (this allows me to know when the config is changed when not done by me). Then click "Select Fields" to choose more fields to log.

By default fields UserAgent, Substatus, Method and Client-Ip are unchecked. These are useful so check them. Of course you can check all of them, but this of course will make your logs get larger faster.

I have configured all my logs to be compressed. This significantly reduces their size on disk, but if your server is always working hard it may not be appropriate for you due to the extra overheads.

Click Apply to save the changes. Note: Changing logging settings will restart your apps so be wary of this on production systems.

If you click the View Logs link in the Actions Pane then you should be able to see traffic being logged.

Software Engineer with interests in security and business processes.

View Comments