Log service allows you to collect and analyze Internet Information Services (IIS) access logs. This topic describes how to monitor and analyze access to your website by using IIS access logs. You can obtain data such as page views (PVs), unique visitors (UVs), requester locations, error requests, and inbound and outbound traffic.
Prerequisites
IIS logs are collected. For more information, see Collect logs in IIS configuration mode.
During the collection process, Simple Log Service automatically generates indexes based on log content. You can modify indexes as needed. For more information, see Create indexes.
Background information
IIS is a secure web server that you can use to build and host websites. When you use IIS to build a website, you can collect and analyze IIS access logs.
We recommend that you use the following IIS W3C Extended Log Format:
logExtFileFlags="Date, Time, ClientIP, UserName, SiteName, ComputerName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, BytesSent, BytesRecv, TimeTaken, ServerPort, UserAgent, Cookie, Referer, ProtocolVersion, Host, HttpSubStatus"
The following example shows a sample IIS log:
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2020-09-08 09:30:26
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-11-26 06:14:21 W3SVC692644773 125.67.67.* GET /index.html - 80 - 10.10.10.10 Baiduspider+(+http://www.example.com) 200 0 64 185173 296 0
Field prefixes

| Prefix | Description |
| --- | --- |
| s- | Indicates a server action. |
| c- | Indicates a client action. |
| cs- | Indicates a client-to-server action. |
| sc- | Indicates a server-to-client action. |

Fields

| Field | Description |
| --- | --- |
| date | The date on which the client sends the request. |
| time | The point in time at which the client sends the request. |
| s-sitename | The Internet service name and instance ID of the site that is visited by the client. |
| s-computername | The name of the server on which the log is generated. |
| s-ip | The IP address of the server on which the log is generated. |
| cs-method | The request method that is used by the client, such as GET or POST. |
| cs-uri-stem | The URI in the request. |
| cs-uri-query | The query string that follows the question mark (?) in the HTTP request. |
| s-port | The port number of the server. |
| cs-username | The authenticated domain name or username that is used by the client to access the server. Authenticated users are indicated in the Domain\Username format. Anonymous users are indicated by a hyphen (-). |
| c-ip | The actual IP address of the client that sends the request. |
| cs-version | The protocol version that is used by the client, such as HTTP 1.0 or HTTP 1.1. |
| cs(User-Agent) | The browser used by the client. |
| Cookie | The content of the cookie that is sent or received. If no cookies are sent or received, a hyphen (-) is displayed. |
| referer | The site from which the client is directed. |
| cs-host | The host information. |
| sc-status | The HTTP status code returned by the server. |
| sc-substatus | The HTTP substatus code returned by the server. |
| sc-win32-status | The Windows status code returned by the server. |
| sc-bytes | The number of bytes sent by the server. |
| cs-bytes | The number of bytes received by the server. |
| time-taken | The time required to process the request. Unit: milliseconds. |

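The following Python example is added here for illustration and is not part of the original documentation. It parses W3C Extended log text by following the #Fields directive (which can change mid-file), treats a hyphen as a missing value, and then counts status codes, error responses per client IP address, and traffic. The sample log lines are constructed, and the names parse_w3c and summarize are hypothetical.

```python
from collections import Counter

# Constructed sample in the W3C Extended format (documentation IP ranges, not real traffic).
SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2020-09-08 09:30:27 W3SVC1 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 185173 296 15
2020-09-08 09:30:28 W3SVC1 192.0.2.10 GET /admin/ - 80 - 203.0.113.5 curl/8.0 401 2 5 1293 120 3
2020-09-08 09:30:29 W3SVC1 192.0.2.10 POST /login.aspx - 80 CORP\\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 302 0 0 420 611 48
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2020-09-08 09:31:00 203.0.113.5 GET /missing.aspx 404 2
"""

NUMERIC = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
           "sc-bytes", "cs-bytes", "time-taken"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # field order can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue                                # other directives and blank lines
        values = line.split()
        if len(values) != len(fields):              # truncated or malformed record
            continue
        rec = {}
        for name, value in zip(fields, values):
            if value == "-":                        # hyphen means "no value"
                rec[name] = None
            elif name in NUMERIC:
                rec[name] = int(value)
            else:
                rec[name] = value
        yield rec

def summarize(records):
    """Return (status counts, error counts per client IP, bytes out, bytes in)."""
    status, errors, net_out, net_in = Counter(), Counter(), 0, 0
    for r in records:
        status[r["sc-status"]] += 1
        if r["sc-status"] >= 400:                   # 4xx and 5xx count as error requests
            errors[r["c-ip"]] += 1
        net_out += r.get("sc-bytes") or 0           # field may be absent or "-"
        net_in += r.get("cs-bytes") or 0
    return status, errors, net_out, net_in
```
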
Procedure
- Log on to the Log Service console.
- In the Projects section, click the project that you want to manage.
- On the tab, click the Logstore that you want to manage.
- Enter a query statement in the search box, and then select a time range.
A query statement consists of a search statement and an analytic statement in the Search statement|Analytic statement format. For more information, see Search syntax and SQL syntax and functions.
To collect statistics on the distribution of client IP addresses, execute the following query statement:
*| select ip_to_geo("c-ip") as country, count(1) as c group by ip_to_geo("c-ip") limit 100
To calculate the number of PVs and UVs, execute the following query statement:
*| select approx_distinct("c-ip") as uv ,count(1) as pv , date_format(date_trunc('hour', __time__), '%m-%d %H:%i') as time group by date_format(date_trunc('hour', __time__), '%m-%d %H:%i') order by time limit 1000
To calculate the percentage of each HTTP status code returned, execute the following query statement:
*| select count(1) as pv ,"sc-status" group by "sc-status"
To collect statistics on the inbound and outbound traffic, execute the following query statement:
*| select sum("sc-bytes") as net_out, sum("cs-bytes") as net_in ,date_format(date_trunc('hour', __time__), '%m-%d %H:%i') as time group by date_format(date_trunc('hour', __time__), '%m-%d %H:%i') order by time limit 10000
To calculate the percentage of each request method, execute the following query statement:
*| select count(1) as pv ,"cs-method" group by "cs-method"
To calculate the percentage of each browser type, execute the following query statement:
*| select count(1) as pv, case when "user-agent" like '%Chrome%' then 'Chrome' when "user-agent" like '%Firefox%' then 'Firefox' when "user-agent" like '%Safari%' then 'Safari' else 'unKnown' end as "user-agent" group by case when "user-agent" like '%Chrome%' then 'Chrome' when "user-agent" like '%Firefox%' then 'Firefox' when "user-agent" like '%Safari%' then 'Safari' else 'unKnown' end order by pv desc limit 10
To calculate the top 10 pages that are most frequently visited, execute the following query statement:
*| select count(1) as pv, split_part("cs-uri-stem",'?',1) as path group by split_part("cs-uri-stem",'?',1) order by pv desc limit 10