web.iis

The tag web.iis.type.environment.application.clon is used to label logs from the Microsoft IIS web server.

IIS can generate the following log types:

  • Access logs with W3C Extended format
  • Access logs with NCSA Common format
  • Access logs with IIS format
  • HTTP.sys error logs
  • ODBC logging (writes the logs directly to a database)
  • Binary logging (logs that are stored in files but in binary format)

Tag Structure

The elements environment, application and clon are free, but mandatory. They can take any value the user chooses to identify the event source, but they must always exist. Each element name reflects the intended use:

  • environment: the environment where the event occurs (development, testing, production, etc.). The number and names of the environments are not fixed because there may be a lot of variation between installations.
  • application: the web application name
  • clon: the name of the instance where the event has occurred. Depending on the company it can be a machine name, the virtual name they want to give an IIS server, etc.

The element type is fixed and it identifies the type and format of the sent event. Devo understands the events from error and access logs in 4 different formats. This element can take one of the following values:  

  • error
  • access-w3c
  • access-w3c-all
  • access-ncsa
  • access-iis

Access logs

In the access log there is one event for each request processed by the server. Follow these steps to select the type of logs you want to process:

IIS 6.0

  1. Run the Internet Services Manager application (Start > Programs > Administrative Tools > Internet Services Manager).
  2. Right-click the site you want to configure and select Properties.
  3. On the Web Site tab, check the Enable logging box.
  4. In Active log format, select the desired log format.

IIS 7.0

  1. Open IIS Manager (Start > Control Panel > System and Security > Administrative Tools > IIS Manager).
  2. Select the site you want to configure and double-click the Logging icon in the Features view.
  3. Check that logging is enabled (Enable/Disable option on the Actions view).
  4. Select the log format in the Format field (Log File section in the Features view).

W3C Extended Format

The W3C Extended log file format is the default log file format for IIS. It is similar to the Devo access-w3c type.

W3C Extended log format

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-03 08:45:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

Here you can find a detailed description of the log fields.

W3C Extended ALL Format

This is the log format recommended by Devo and it is similar to our access-w3c-all type.

  • The IIS W3C Extended format allows the user to select the fields to record for each request.
  • W3C Extended format uses the fields that IIS enables by default.
  • W3C Extended All format consists of selecting all the fields offered by IIS for W3C Extended.

Follow these steps to select all the fields:

  1. Select the W3C log format.
  2. Click on Properties or Selected fields (depending on the IIS version) located next to the Log Formats section.
  3. Select all the available fields.

    W3C Extended ALL log format

    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2013-01-21 11:46:52
    #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
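
An added example (not Devo's or Microsoft's code) of a check to run before shipping a W3C Extended file: it parses the file by its #Fields directive, picks the matching type element, and builds the tag. It assumes that each Devo type expects exactly the field list shown in its sample on this page and that a free tag element cannot be empty or contain a dot; the function names and the sample log line are constructed for illustration.

```python
# Field lists copied from the two "#Fields:" samples on this page.
W3C_DEFAULT = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
               "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
               "sc-win32-status time-taken").split()
W3C_ALL = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
           "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
           "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
           "sc-win32-status sc-bytes cs-bytes time-taken").split()
TYPES = {"error", "access-w3c", "access-w3c-all", "access-ncsa", "access-iis"}

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Version: 1.0",
    "#Date: 2013-01-03 08:45:16",
    "#Fields: " + " ".join(W3C_DEFAULT),
    "2013-01-03 08:45:20 192.0.2.10 GET /default.aspx - 80 - 198.51.100.7 "
    "Mozilla/5.0+(constructed) 200 0 0 15",
]

def parse_w3c(lines):
    """Return (fields, events); each event is a dict keyed by the #Fields names."""
    fields, events = [], []
    for number, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) != len(fields):
                raise ValueError(f"line {number}: {len(values)} values, {len(fields)} fields")
            events.append(dict(zip(fields, values)))
    return fields, events

def w3c_type(fields):
    """Assumption: each Devo type expects exactly the field list shown in its sample."""
    if fields == W3C_ALL:
        return "access-w3c-all"
    if fields == W3C_DEFAULT:
        return "access-w3c"
    raise ValueError("#Fields matches neither sample; adjust the fields selected in IIS")

def devo_tag(log_type, environment, application, clon):
    """Build web.iis.<type>.<environment>.<application>.<clon>."""
    if log_type not in TYPES:
        raise ValueError(f"unknown type element: {log_type!r}")
    for name, value in (("environment", environment), ("application", application), ("clon", clon)):
        # Assumption: elements are dot-separated, so none may be empty or hold "." or spaces.
        if not value or "." in value or any(ch.isspace() for ch in value):
            raise ValueError(f"invalid {name} element: {value!r}")
    return ".".join(("web", "iis", log_type, environment, application, clon))
```
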

NCSA Common Format

The NCSA Common format is fixed and, unlike W3C Extended, does not allow fields to be selected. It is similar to the Devo access-ncsa type.

The log format is the same used in web.apache.access-clf (Common Log Format). 

NCSA Common log format

remotehost rfc931 authuser [date] "request" status bytes

IIS Format

The log format is fixed and, unlike W3C Extended, does not allow fields to be selected. It is similar to the Devo access-iis type.

IIS log format

c-ip, user, date, time, instance, server, s-ip, time-taken, cs-bytes, sc-bytes, sc-status, sc-win32-status, method, cs-url, cs-url-params,

HTTP.sys error log

This log is similar to the Devo error type and collects the lowest-level errors of the HTTP subsystem, such as:

  • connection timeouts
  • orphan requests that have not been associated with any site
  • errors that are returned to the client for various reasons, etc.

The log format is fixed.

HTTP.sys error log format

date time c-ip c-port s-ip s-port protocol verb url status site-id reason-phrase queue-name


How to send to Devo via files

The standard method is to configure IIS to write the logs to a text file and rely on another tool (Snare Epilog or MagicLog) to send the events. This configuration requires 3 steps:

  1. Choose and configure the access logs format.
  2. Choose the destination file for the IIS logs you want to send to Devo. The IIS logs are stored by default at: 

    Microsoft IIS log file path

    %SystemDrive%\inetpub\logs\LogFiles (IIS 7.0)
    %windir%\system32\LogFiles (IIS 6.0)
  3. Configure the external tool to send the file (selected in the previous step) with the appropriate tags.
