You can use a Logtail plug-in to parse Internet Information Services (IIS) logs into structured data based on the log format that you specify. In this case, a log is parsed into multiple key-value pairs.
Introduction to IIS logs
Windows servers generate IIS logs based on the log format that you specify, such as IIS, NCSA, and W3C.
Log format
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
Field prefixes
Prefix | Description |
s- | Indicates a server action. |
c- | Indicates a client action. |
cs- | Indicates a client-to-server action. |
sc- | Indicates a server-to-client action. |
Fields
Field | Description |
date | The date on which the client sends the request. |
time | The point in time at which the client sends the request. |
s-sitename | The Internet service name and instance ID of the site that is visited by the client. |
s-computername | The name of the server on which the log is generated. |
s-ip | The IP address of the server on which the log is generated. |
cs-method | The request method that is used by the client, such as GET or POST. |
cs-uri-stem | The URI in the request. |
cs-uri-query | The query string that follows the question mark (?) in the HTTP request. |
s-port | The port number of the server. |
cs-username | The authenticated domain name or username that is used by the client to access the server. If the user is an authenticated user, the value of this field is displayed in the Domain\Username format. If the user is an anonymous user, a hyphen (-) is displayed. |
c-ip | The originating IP address of the client that sends the request. |
cs-version | The protocol version that is used by the client, such as HTTP 1.0 or HTTP 1.1. |
cs(User-Agent) | The browser that is used by the client. |
Cookie | The content of the cookie that is sent or received. If no cookies are sent or received, a hyphen (-) is displayed. |
referer | The site from which the client is directed. |
cs-host | The host information. |
sc-status | The HTTP status code that is returned by the server. |
sc-substatus | The HTTP substatus code that is returned by the server. |
sc-win32-status | The Windows status code that is returned by the server. |
sc-bytes | The number of bytes that are sent by the server. |
cs-bytes | The number of bytes that are received by the server. |
time-taken | The time that is required to process the request. Unit: milliseconds. |
Entry point
If you want to use a Logtail plug-in to process logs, you can add a Logtail plug-in configuration when you create or modify a Logtail configuration. For more information, see Overview.
Configuration description
Parameter | Description |
Log Format | The format of logs that are generated on the IIS server. Valid values: |
IIS Configuration Fields | The IIS configuration fields. |
Original Field | The original field that stores log content before parsing. Default value: content. |
Regular Expression | The regular expression that is used to extract IIS logs. Simple Log Service automatically generates a regular expression based on IIS Configuration Fields. |
Extracted Field | The key that is automatically extracted based on IIS Configuration Fields. |
Retain Original Field if Parsing Fails | After you select Retain Original Field if Parsing Fails, the original field is retained if parsing fails. |
Retain Original Field if Parsing Succeeds | After you select Retain Original Field if Parsing Succeeds, the original field is retained if parsing is successful. |
New Name of Original Field | If you select Retain Original Field if Parsing Fails or Retain Original Field if Parsing Succeeds, you can rename the original field that stores log content. |
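The following Python sketch is an added example, not the plug-in's own code or the regular expression that Simple Log Service generates. It derives one capture group per field from the #Fields directive shown above and applies the retain and rename options from the table. The function names, the `raw_log` field name, the `(\S+)` pattern, and the sample log lines are assumptions made for illustration.

```python
import re

# The #Fields directive shown on this page.
FIELDS_DIRECTIVE = (
    "#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
    "sc-win32-status sc-bytes cs-bytes time-taken"
)

# Constructed sample lines (not real traffic): anonymous request,
# authenticated request, and a truncated line that cannot be parsed.
SAMPLE_LINES = [
    r"2024-05-01 08:15:30 W3SVC1 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 5120 312 15",
    r"2024-05-01 08:15:31 W3SVC1 192.0.2.10 POST /admin/login.aspx id=7 443 CORP\alice 198.51.100.7 curl/8.0 401 2 5 1293 540 3",
    r"2024-05-01 08:15:32 W3SVC1 192.0.2.10 GET /partial",
]

def build_regex(directive):
    """Return (keys, compiled regex) with one capture group per configured field."""
    keys = directive.split(":", 1)[1].split()
    # Assumption: W3C values are space-separated and contain no literal spaces.
    pattern = r"^" + r"\s+".join([r"(\S+)"] * len(keys)) + r"$"
    return keys, re.compile(pattern)

def parse_event(event, keys, regex, source="content",
                keep_on_fail=True, keep_on_success=False, new_name=None):
    """Parse event[source] into key-value pairs, honouring the retain/rename options."""
    raw = event.get(source, "")
    out = {k: v for k, v in event.items() if k != source}
    # Assumption: directive lines (starting with '#') count as parse failures.
    match = None if raw.startswith("#") else regex.match(raw.strip())
    if match:
        out.update(zip(keys, match.groups()))
    if (match and keep_on_success) or (not match and keep_on_fail):
        out[new_name or source] = raw
    return out, match is not None

if __name__ == "__main__":
    keys, regex = build_regex(FIELDS_DIRECTIVE)
    for line in SAMPLE_LINES:
        fields, ok = parse_event({"content": line}, keys, regex, new_name="raw_log")
        print("parsed" if ok else "FAILED", fields)
```

Keeping the original field on failure preserves truncated or malformed lines for later review instead of dropping them silently.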