Updated on 2025-03-28 GMT+08:00

IIS Logs

Internet Information Services (IIS) is a part of Windows Server and provides web applications and services such as HTML, ASP.NET, and PHP to clients on networks. IIS supports protocols such as HTTP, HTTPS, FTP, and SMTP. It is widely used for website deployment and management in Windows.

IIS logs record web activities on IIS servers. These logs usually contain detailed information about HTTP requests and responses, such as the request time, request source, requested resource, protocol version, user agent, and response status.

An IIS log contains the following fields:

  1. Date and time: date and time when the request was sent.
  2. Client IP address: IP address of the client that initiated the request.
  3. Username: displayed if the request was authenticated; a hyphen (-) is shown otherwise.
  4. Request method: GET, POST, etc.
  5. Requested resource: URL of the request.
  6. Protocol version: HTTP/1.1, HTTP/2, etc.
  7. User agent: a string used by the client to describe itself, such as the browser type and version.
  8. Response status: HTTP status codes, such as 200 (success) and 404 (not found).
  9. Response bytes: number of bytes sent by the server to the client.
  10. Request processing time: the duration between the initiation and completion of the request.

In addition to these basic fields, IIS logs can also contain custom fields, depending on the IIS configuration and installed extensions.

Collection Method

Install ICAgent and configure ECS text log ingestion by referring to Installing ICAgent (Intra-Region Hosts) and Ingesting ECS Text Logs to LTS. Then, ICAgent will collect ECS text logs and report them to LTS.

IIS Log Examples and Fields

#Software: Information Services 10.0
#Version: 1.0
#Date: 2023-09-21 02:59:24
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status time-taken
2023-09-21 02:59:24 192.168.1.1 GET /index.html - 301 0 0 123
2023-09-21 02:59:25 192.168.1.1 GET /index.html/ - 403 0 2 56

Table 1 IIS log fields

| Field | Description | Example |
|---|---|---|
| #Software | Information about the software that generated the log. | Information Services 10.0 |
| #Version | Version of the log file. | 1.0 |
| #Date | Date and time when the log was recorded. | 2023-09-21 02:59:24 |
| #Fields | Defines the fields of the log entry. | date time s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status time-taken |
| date | Date when the request occurred. | 2023-09-21 |
| time | Time when the request occurred. | 02:59:24 |
| s-ip | Source IP address, that is, the IP address of the client that initiated the request. | 192.168.1.1 |
| cs-method | HTTP method of the request. | GET |
| cs-uri-stem | Request URL. | /index.html |
| cs-uri-query | Request URI query string. | In this example, the query string of the first request is empty. |
| sc-status | HTTP status code, indicating the response status of the server. | 301 |
| sc-substatus | Sub-status code, which provides more details about the HTTP status code. | 0 |
| sc-win32-status | Win32 status code, indicating the Windows system error code related to the HTTP status code. | In this example, the Win32 status code is 0 or 2, indicating that there is no error or a specific system error. |
| time-taken | Duration from the start to the end of the request, in milliseconds. | 123 |
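
The #Fields directive decides how every following record is read, so a parser should follow it rather than assume fixed column positions. The Python sketch below is an added example, not part of the original documentation or of ICAgent/LTS: it maps each record to the active #Fields names, accepts a #Fields directive that appears again later in the file, and sets aside records whose token count does not match instead of guessing their alignment. The function names parse_iis_log and error_responses and all sample records are constructed for illustration.

```python
# Added example: parse IIS W3C extended logs by following the #Fields directive.
# SAMPLE_LOG is constructed for illustration; line 4 is deliberately one token short.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status time-taken
2023-09-21 02:59:24 192.168.1.1 GET /index.html - 301 0 0 123
2023-09-21 02:59:25 192.168.1.1 GET /default.aspx 403 0 2 56
2023-09-21 02:59:26 192.168.1.1 GET /admin/ id=1 403 14 5 12
#Fields: date time cs-method cs-uri-stem sc-status
2023-09-21 03:10:00 POST /login.aspx 500
"""


def parse_iis_log(text):
    """Return (records, rejects); rejects holds (line_number, raw_line) for any
    line whose token count does not match the active #Fields directive."""
    fields, records, rejects = [], [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only #Fields changes how the following records are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        tokens = line.split()
        if not fields or len(tokens) != len(fields):
            rejects.append((lineno, raw))  # never guess column alignment
            continue
        # A hyphen is the placeholder for an empty value.
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, tokens)})
    return records, rejects


def error_responses(records):
    """Return (uri, status, substatus, win32) for every 4xx/5xx response."""
    return [
        (r.get("cs-uri-stem"), r["sc-status"], r.get("sc-substatus"), r.get("sc-win32-status"))
        for r in records
        if (r.get("sc-status") or "").startswith(("4", "5"))
    ]


if __name__ == "__main__":
    recs, bad = parse_iis_log(SAMPLE_LOG)
    print("errors:", error_responses(recs))
    print("rejected:", bad)
```

Rejected lines are worth reviewing rather than discarding, because a record that does not fit the declared fields would otherwise be read with its status codes in the wrong columns.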

Log Location

The location of IIS log files depends on the configuration and version of IIS. However, IIS log files are usually located in one of the following server paths:

  1. Windows Server 2008 R2 and earlier:
    %SystemDrive%\inetpub\logs\LogFiles\W3SVC<Site ID>
  2. Windows Server 2012 R2 and later (including IIS on Windows 10):
    %SystemDrive%\inetpub\logs\LogFiles\<Site name>
  3. Configuration through IIS Manager:
    1. Open IIS Manager: Enter Internet Information Services (IIS) Manager in the Windows search bar and open it. Alternatively, choose Control Panel > Administrative Tools to locate IIS Manager.
    2. Navigate to the site:
      • In the left navigation pane of IIS Manager, expand your server name.
      • Then, items such as Website or Application pool are displayed. Click Website to check your website list.
      • Locate the website for which you want to configure logs and click it.
    3. Configure log settings:
      • Under the selected website, double-click Logging to access the logging setting page.
      • Check the storage location of the current log file and other related settings in the right pane.
    4. Modify the log file directory:
      • In the right pane, click the Browse button next to the Contents area.
      • A file browser window is displayed.
      • Select the folder where you want to store the log files and click OK.