IIS can generate the following log types:
- Access logs with W3C Extended format
- Access logs with NCSA Common format
- Access logs with IIS format
- HTTP.sys error logs
- ODBC logging (writes the logs directly to a database)
- Binary logging (logs that are stored in files but in binary format)
The elements environment, application and clon are free-form but mandatory. They can take any value the user chooses to identify the event source, but they must always be present. Each element name reflects its intended use:
- environment: the environment where the event occurs (development, testing, production, etc.). The number and names of the environments are not fixed because they vary widely between installations.
- application: the web application name
- clon: the name of the instance where the event occurred. Depending on the company, it can be a machine name, a virtual name given to an IIS server, etc.
The element type is fixed and it identifies the type and format of the sent event. Devo understands the events from error and access logs in 4 different formats. This element can take one of the following values:
In the access log there is one event for each request processed by the server. Follow these steps to select the type of logs you want to process:
|IIS 6.0||IIS 7.0|
W3C Extended Format
The W3C Extended log file format is the default log file format for IIS. It is similar to Devo access-w3c type.
W3C Extended log format
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
Here you can find a detailed description of the log fields.
W3C Extended ALL Format
This is the log format recommended by Devo and it is similar to our access-w3c-all type.
- W3C Extended IIS format allows the user to select the fields to record for each request.
- W3C Extended format uses the fields that IIS enables by default.
- W3C Extended All format consists of selecting all the fields that IIS offers for W3C Extended.
Follow these steps to select all the fields:
- Select the W3C log format.
- Click on Properties or Selected fields (depending on the IIS version) located next to the Log Formats section.
- Select all the available fields.
W3C Extended ALL log format
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-21 11:46:52
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
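The following is an added example, not code from Devo or Microsoft: a small Python parser that reads W3C Extended logs by following the #Fields directive and reports which fields of the ALL set shown above are absent, a useful check before forwarding the file. The function name parse_w3c and the sample log lines are constructed for illustration.

```python
# Added example: field names come from the "W3C Extended ALL" header on this page.
ALL_FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
              "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
              "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
              "sc-win32-status sc-bytes cs-bytes time-taken").split()

def parse_w3c(lines):
    """Return (records, missing): one dict per request, keyed by the active #Fields
    directive, and the set of ALL-format fields that some #Fields directive omits."""
    fields, records, missing = None, [], set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS writes a new header block on restart or configuration change,
            # so the column layout can change in the middle of a file.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                missing |= set(ALL_FIELDS) - set(fields)
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            raise ValueError(f"record does not match #Fields: {line!r}")
        # "-" is the placeholder IIS writes for an empty field.
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records, missing

# Constructed sample (not taken from a real server): default fields first,
# then a second header block after the ALL field set was enabled.
SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-03 08:45:16 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-21 11:46:52
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-01-21 11:46:52 W3SVC1 WEB01 192.0.2.10 POST /login.aspx id=1 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - http://example.test/ example.test 302 0 0 512 734 31
"""

if __name__ == "__main__":
    recs, missing = parse_w3c(SAMPLE.splitlines())
    print(len(recs), "records; fields absent in some header:", sorted(missing))
```

A non-empty missing set means at least part of the file was written with fewer fields than the ALL format, so those events lack context such as referer, host or byte counts.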
NCSA Common Format
The NCSA Common format is fixed and does not allow selecting fields as W3C Extended does. It is similar to the Devo access-ncsa type.
The log format is the same used in web.apache.access-clf (Common Log Format).
NCSA Common log format
remotehost rfc931 authuser [date] "request" status bytes
The log format is fixed and does not allow selecting fields as W3C Extended does. It is similar to the Devo access-iis type.
IIS log format
c-ip, user, date, time, instance, server, s-ip, time-taken, cs-bytes, sc-bytes, sc-status, sc-win32-status, method, cs-url, cs-url-params,
HTTP.sys error log
This log is similar to the Devo error type and collects the lowest-level errors of the HTTP subsystem, such as:
- connection timeouts
- orphan requests that have not been associated with any site
- errors that are returned to the client for various reasons, etc.
The log format is fixed.
HTTP.sys error log format
date time c-ip c-port s-ip s-port protocol verb url status site-id reason-phrase queue-name
How to send to Devo via files
The standard method is to configure IIS to write the logs in a text file and rely on another tool (Snare Epilog or MagicLog) to send the events. This configuration requires 3 steps:
- Choose and configure the access logs format.
- Choose the destination file for the IIS logs you want to send to Devo. The IIS logs are stored by default at:
Microsoft IIS log file path
%SystemDrive%\inetpub\logs\LogFiles (IIS 7.0)
%windir%\system32\LogFiles (IIS 6.0)
- Configure the external tool to send the file (selected in the previous step) with the appropriate tags.