How to analyze IIS logs for better monitoring

Log analysis helps organizations determine the best way to optimize application functionality while giving development teams a leg up in root cause analysis. With that said, it’s not feasible to scroll through thousands of lines of log entries in a text editor. Instead, development teams need modern tools that enable them to centralize, filter, and analyze their logs in a way that allows them to glean valuable insights in a time-efficient manner.

In this article, we will discuss the challenges of managing and analyzing IIS server logs and also explain how these challenges can be overcome with modern log analysis tooling such as the IIS Log Analyzer from Sumo Logic. So keep reading for a deep-dive into IIS logs, including the benefits of effective IIS log management and a demonstration of Sumo Logic’s IIS Log Analyzer that will show you how it can help simplify these processes.

What Are IIS Logs?

IIS is a web server created by Microsoft for use on Windows machines. Like any web server, an IIS server produces logs. These logs provide information about each request made to the server, including the date and time of the request, the client IP address, the (authenticated) username of the user visiting the site, the HTTP status code returned by the web server as a result of the request, and more. When aggregated and analyzed, these logs can provide insights that allow development teams to get to the root cause of hard-to-find application problems and to better analyze web server activity as a whole.

IIS Log Format

Before digging into the IIS Log Analyzer tool, it’s helpful to know what a single IIS log entry will look like on the web server itself. An IIS web server records log entries in the W3C format by default. This results in entries formatted in the following manner:

2020-07-22 18:02:40 XXX.XXX.XXX.XX GET /details param1=abc¶m2=xyz 80 authenticateduser YYY.YYY.YYY.YY Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.89+Safari/537.36 www.refererpage.com 200 0 0 148

The fields displayed represent the following information:

Date - 2020-07-22 (date the request was made)

Time - 18:02:40 (time the request was made)

Server IP - XXX.XXX.XXX.XX (IP address of the server)

HTTP method - GET (HTTP method for the request)

URI Stem - /details (requested resource)

URI Query - param1=abc¶m2=xyz (query parameters for the request)

Server Port - 80

Username - authenticateduser

Client IP - YYY.YYY.YYY.YY (IP address for client machine)

User-Agent - Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.89+Safari/537.36

Referer - www.refererpage.com (the location from which the user was referred to the requested resource)

Protocol Status - 200 (HTTP response status for the request)

Substatus - 0

Win32 Status - 0

Time taken - 148 (time in milliseconds that it took to complete the request)

What Are the Challenges of IIS Log Analysis?

The challenges of IIS log management and analysis are similar to those associated with analyzing log files for any web server. A lack of centralization and intuitive log analysis functionality can result in significantly longer processes for root-cause analysis and log analysis in general. Consider the following:

It Is Not Easy to Manage Massive Log Volumes

It’s important to remember that every request made of an IIS web server results in a log event. For a web application with any degree of popularity, this makes for a seemingly endless amount of data. Simply managing this data and presenting it in a format that allows IT and development personnel to derive powerful insights that propel the business forward can be a full-time job in itself. In addition, the fact that this log data is decentralized (with IIS logs being created for various application instances across numerous servers) makes it impossible to effectively manage it without the assistance of log analysis tooling.

Log Searching and Analysis Can Be Painfully Slow

When dealing with the large amount of data coming from IIS log files, the mere thought of manually searching and analyzing them is overwhelming. For example, imagine that a developer is attempting to diagnose the cause of reported slowness for certain requests made to an application. Since IIS logs record the URI, request type, and the time each request takes to complete, it makes sense that they would be very valuable in this situation. However, it would be nearly impossible for the developer to locate and identify patterns of recurring, long-running requests by scrolling through server logs in a text editor. Instead, it is critical that teams leverage tooling that centralizes all IIS log files, performs automated analysis, and organizes and contextualizes this log data.

Configuring and Managing Multiple Tools Is a Hassle

Log analysis tools are a must for any organization looking to manage their IIS logs in an effective and efficient manner, and it’s crucial that these logs are managed with a single tool. The difficult part of root-cause analysis should be diagnosing the underlying cause of the issue at hand, not figuring out which tool to utilize when starting the analysis process.

There is also additional overhead associated with configuring, maintaining, and managing multiple log management tools. By adding yet another administrative task in the form of ensuring that all log analysis tools are properly configured, you reduce your team’s capacity to work with the log data itself and to create new features and technologies.

The IIS Log Analyzer from Sumo Logic

The IIS Log Analyzer from Sumo Logic is a robust platform for centralizing IIS web server logs that provides intuitive functionality which allows development teams to analyze large volumes of IIS log data with ease. Getting started with this tool requires a Sumo Logic account, which can be obtained as part of a free trial.

Simplify Log Management

With the IIS Log Analyzer, log files from all of an organization’s IIS web servers can be consumed, parsed, and analyzed in one centralized location. This provides full visibility into the IIS infrastructure as well as insight into the performance of all applications running on these servers. Centralizing log data within a log analysis tool means that automated analysis will be acting on a complete dataset. This allows an organization to comfortably rely on the resulting analysis as a true representation of what is occurring across their environments, and it lends credence to the actionable insights produced by the data analysis.

Intuitive Features for Faster Troubleshooting

The IIS Log Analyzer comes equipped with features that enable development teams to resolve application and infrastructure problems with greater ease and to refine their applications to provide a better user experience for their customers. Let’s take a look at some of the ways in which log data visualization and searchability can help drive better log management and analysis processes for any development organization.

Visualize Your IIS Logs

One of the ways in which the IIS Log Analyzer provides value to a development organization is in visualizations. These visualizations provide context that makes the IIS log entries easier to understand on a broader scale and enables DevOps personnel to identify patterns and trends that provide insight into how their applications are being utilized. This is something that would not be possible by simply scrolling through log entries in a text editor.

With the IIS Log Analyzer, the default dashboards display visualizations that show you:

• Which browsers are being used most often to access sites running on your IIS web servers
• Which resources are being requested most frequently
• Which media types are being requested
• Top query strings
• Top referers

and much more...

Search Your IIS Logs with Ease Using the Simple Query Language

Without question, organizations will need to go beyond what’s provided by default to fully understand their applications and infrastructure. Sumo Logic helps simplify this process by making all consumed logs searchable with the use of their simple query language. This feature makes the IIS Log Analyzer all the more valuable to a development team. Custom queries can be built and revisited as necessary to help DevOps personnel corner complex application problems and identify potential opportunities for providing additional value to end users.

Monitor Your Logs with Saved Searches

Sumo Logic allows for the development of custom searches. This can be useful in a variety of situations, and the fact that these searches can be saved and revisited makes them all the more valuable. For example, let’s say that it’s critical for you to monitor the query parameters for certain page classes in order to determine which content is most popular in an application hosted on your IIS web server. You can set up this process in minutes and monitor it as necessary so that your organization can gain insight into maintaining the attention of your audience.

Any log search can be saved by clicking the “Save As” link below the query. These saved searches can be scheduled to run with varying frequencies by selecting the “Schedule this search” button in the “Save Item” panel as illustrated below:

Reduce Troubleshooting with Additional Trace Context

Today, it’s more important than ever to leverage services that centralize your logs. By centralizing, you can consume and analyze log data from all relevant sources. The IIS Log Analyzer enables you to collect IIS log data from across your entire infrastructure, thus freeing development teams from worrying about blind spots. This allows them to concentrate on performing distributed traces to tie log events together so that they can better understand problems within their applications and apply proper fixes to the code base or supporting infrastructure.

View Your IIS Logs in Real-Time

Resolving application and infrastructure problems in as little time as possible is crucial for limiting the impact on the customer and preserving an organization’s reputation for providing valuable functionality with a high level of reliability. And, as we know, log data is critical for discovering problems, identifying their root cause, and fixing them. The IIS Log Analyzer app provides organizations with the ability to view contextualized log data in real-time, thereby reducing their mean time to acknowledgment (MTTA) and mean time to resolution (MTTR) for issues impacting product quality and reliability.