Skip to main content

Microsoft IIS Logs

Log Type: Microsoft IIS

Template Description: Parsing the common fields in your Microsoft IIS log.

Sample Log:

2017-07-13 19:05:07 10.0.0.103 POST /ConfigWeb/ManageUsers.aspx name=.NET+StockTrader+Web+Application&cfgSvc=Trade.StockTraderWebApplicationConfigurationImplementation.ConfigurationService&version=Version+5.0&hoster=Microsoft+Corporation&platform=Windows+Server+2008+R2+with+.NET+Framework+v4.0.30319&action=addUser&identify=0 80 localadmin 164.110.188.119 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 4786 194110 552

Parsing Rule:

parse regex "^[^#].*?(?<s_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<cs_method>\S+?) (?<cs_uri_stem>\S+?) (?<cs_uri_query>\S+?) (?<s_port>\d+?) (?<cs_username>\S+?) (?<c_ip>.+?) (?<cs_User_Agent>\S+?) (?<cs_Referer>\S+?) (?<sc_status>\d+?) (?<sc_substatus>\d+?) (?<sc_win32_status>\d+?) (?<time_taken>\d+?)$"

Resulting Fields:

FieldDescriptionExample
s_ipIP address of the server on which the log file entry was generated10.0.0.103
cs_methodRequested actionPOST
cs_uri_stemTarget of the action/ConfigWeb/ManageUsers.aspx
cs_uri_queryThe query, if any, that the client was trying to performname=.NET+StockTrader+Web+Application&cfgSvc=Trade.StockTraderWebApplicationConfigurationImplementation.ConfigurationService&version=Version+5.0&hoster=Microsoft+Corporation&platform=Windows+Server+2008+R2+with+.NET+Framework+v4.0.30319&action=addUser&identify=0
s_portServer port number that is configured for the service80
cs_usernameName of the authenticated user who accessed your serverlocaladmin
c_ipIP address of the client that made the request164.110.188.119
cs_User_AgentBrowser type that the client used500
cs_RefererSite that the user last visited0
sc_statusHTTP status code0
sc_substatusSubstatus error code4786
sc_win32_statusWindows status code194110
time_takenLength of time that the action took, in milliseconds552
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.