Microsoft IIS
Monitor Microsoft Internet Information Services (IIS) web server logs including access logs, error logs, and application logs using the File Stream plugin
Microsoft IIS Integration
Monitor and analyze Microsoft Internet Information Services (IIS) web server logs in real-time using LogFlux Agent’s File Stream plugin. This configuration-based approach provides comprehensive log parsing, .NET application monitoring, and Windows web server analytics.
Overview
The Microsoft IIS integration uses LogFlux Agent’s File Stream plugin to provide:
- Real-time monitoring of IIS access logs, error logs, and application logs
- .NET application analytics with ASP.NET request processing and error tracking
- Performance monitoring with response times and resource utilization
- Security monitoring with authentication and authorization tracking
- Multi-site support for hosted web applications and virtual directories
- Windows integration with Event Log and Performance Counter correlation
Installation
The File Stream plugin is included with LogFlux Agent. Enable it for IIS log monitoring:
# Enable File Stream plugin (PowerShell as Administrator)
Start-Service -Name "LogFlux-FileStream"
Set-Service -Name "LogFlux-FileStream" -StartupType Automatic
# Verify plugin status
Get-Service -Name "LogFlux-FileStream"
IIS Configuration
Configure IIS logging through IIS Manager or web.config:
Enable IIS Logging (IIS Manager)
- Open IIS Manager
- Select server, site, or application
- Double-click “Logging” feature
- Configure log file format and location
- Enable logging and apply changes
IIS Site Configuration
<!-- web.config -->
<configuration>
  <system.webServer>
    <!-- Custom logging format. A configuration section may be declared only once per file,
         so dontLog and customHeaders share a single httpLogging element. -->
    <httpLogging dontLog="false">
      <customHeaders>
        <add name="X-Forwarded-For" />
        <add name="X-Real-IP" />
      </customHeaders>
    </httpLogging>
    <!-- Error logging -->
    <httpErrors errorMode="DetailedLocalOnly" />
    <!-- Request filtering: cap request bodies at 52428800 bytes (50 MB) -->
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="52428800" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Application Pool Configuration
# Configure application pool logging
Import-Module WebAdministration
# Enable application pool process recycling logs
Set-ItemProperty -Path "IIS:\AppPools\DefaultAppPool" -Name recycling.logEventOnRecycle -Value "Time,Memory,PrivateMemory"
# Configure failure settings
Set-ItemProperty -Path "IIS:\AppPools\DefaultAppPool" -Name failure.rapidFailProtection -Value $true
Set-ItemProperty -Path "IIS:\AppPools\DefaultAppPool" -Name failure.rapidFailProtectionInterval -Value "00:05:00"
Basic Configuration
Configure the File Stream plugin to monitor IIS logs by creating C:\ProgramData\LogFlux-Agent\plugins\filestream-iis.toml:
[filestream.iis_access]
paths = ["C:/inetpub/logs/LogFiles/W3SVC1/*.log"]
format = "iis_w3c"
tags = ["iis", "access", "windows"]
# TOML inline tables must stay on one line
fields = { service = "iis", log_type = "access" }

[filestream.iis_error]
paths = ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]
format = "iis_httperr"
tags = ["iis", "error", "windows"]
fields = { service = "iis", log_type = "httperr" }

[filestream.iis_application]
paths = ["C:/inetpub/logs/LogFiles/W3SVC1/application*.log"]
format = "regex"
tags = ["iis", "application", "aspnet"]
fields = { service = "iis", log_type = "application" }
Standard IIS access log format:
[filestream.iis_w3c]
paths = ["C:/inetpub/logs/LogFiles/W3SVC*/*.log"]
format = "regex"
regex = '^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<s_sitename>\S+) (?P<s_computername>\S+) (?P<s_ip>\S+) (?P<cs_method>\S+) (?P<cs_uri_stem>\S+) (?P<cs_uri_query>\S+) (?P<s_port>\d+) (?P<cs_username>\S+) (?P<c_ip>\S+) (?P<cs_version>\S+) (?P<cs_user_agent>[^"]*) (?P<cs_cookie>[^"]*) (?P<cs_referer>[^"]*) (?P<cs_host>\S+) (?P<sc_status>\d+) (?P<sc_substatus>\d+) (?P<sc_win32_status>\d+) (?P<sc_bytes>\d+) (?P<cs_bytes>\d+) (?P<time_taken>\d+)$'
parse_timestamp = true
timestamp_field = "timestamp"
# IIS writes W3C date/time values in UTC
timestamp_format = "2006-01-02 15:04:05"

# Combine date and time fields
[filestream.iis_w3c.processors.add_fields]
fields = { timestamp = "{{ .date }} {{ .time }}" }
Windows HTTP.SYS error logs:
[filestream.iis_httperr]
paths = ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]
format = "regex"
regex = '^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<client_ip>\S+) (?P<client_port>\d+) (?P<server_ip>\S+) (?P<server_port>\d+) (?P<protocol_version>\S+) (?P<verb>\S+) (?P<url>\S+) (?P<query_string>\S+) (?P<status_code>\d+) (?P<site_id>\d+) (?P<reason>\S+) (?P<queue_name>\S+)$'
parse_timestamp = true
timestamp_field = "timestamp"
timestamp_format = "2006-01-02 15:04:05"
tags = ["iis", "httperr", "windows"]

# Combine date and time fields
[filestream.iis_httperr.processors.add_fields]
fields = { timestamp = "{{ .date }} {{ .time }}" }
ASP.NET Application Logs
Monitor ASP.NET application-specific logs:
[filestream.iis_aspnet]
paths = ["C:/inetpub/wwwroot/*/App_Data/Logs/*.log"]
format = "regex"
regex = '^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>\d+)\] (?P<level>\w+) (?P<logger>[^ ]+) - (?P<message>.*)$'
parse_timestamp = true
timestamp_field = "timestamp"
timestamp_format = "2006-01-02 15:04:05,000"
tags = ["iis", "aspnet", "application"]
Advanced Configuration
Multi-Site Monitoring
Monitor multiple IIS sites separately:
[filestream.iis_site1]
paths = ["C:/inetpub/logs/LogFiles/W3SVC1/*.log"]
format = "iis_w3c"
tags = ["iis", "site1", "access"]
# TOML inline tables must stay on one line
fields = { service = "iis", site = "default", site_id = "1", log_type = "access" }

[filestream.iis_site2]
paths = ["C:/inetpub/logs/LogFiles/W3SVC2/*.log"]
format = "iis_w3c"
tags = ["iis", "site2", "access"]
fields = { service = "iis", site = "ecommerce", site_id = "2", log_type = "access" }
Track performance metrics with calculated fields:
[filestream.iis_performance]
paths = ["C:/inetpub/logs/LogFiles/W3SVC*/*.log"]
format = "iis_w3c"
tags = ["iis", "performance"]
# TOML inline tables must stay on one line
fields = { service = "iis", log_type = "performance" }

# Add calculated performance metrics
[filestream.iis_performance.processors.add_fields]
fields = { response_time_seconds = "{{ div .time_taken 1000 }}", requests_per_minute = "{{ counter .c_ip 60 }}", bandwidth_bytes = "{{ add .sc_bytes .cs_bytes }}" }

# Filter slow requests
[filestream.iis_performance.processors.threshold]
field = "time_taken"
threshold = 5000 # 5 seconds
Security Monitoring
Track authentication and security events:
[filestream.iis_security]
paths = ["C:/inetpub/logs/LogFiles/W3SVC*/*.log"]
format = "iis_w3c"
tags = ["iis", "security"]
# TOML inline tables must stay on one line
fields = { service = "iis", log_type = "security" }

# Filter for security-related status codes
[filestream.iis_security.processors.grep]
patterns = [
  "sc_status:401",    # Unauthorized
  "sc_status:403",    # Forbidden
  "sc_status:404",    # Not Found
  "cs_method:POST",   # POST requests
  "cs_method:PUT",    # PUT requests
  "cs_method:DELETE"  # DELETE requests
]
Application Pool Monitoring
Monitor application pool recycling and failures:
[filestream.iis_apppool]
paths = ["C:/Windows/System32/LogFiles/WMSvc/*.log"]
format = "regex"
regex = '^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) (?P<component>[^ ]+) (?P<message>.*)$'
parse_timestamp = true
timestamp_field = "timestamp"
timestamp_format = "2006-01-02 15:04:05"
tags = ["iis", "apppool", "management"]
fields = { service = "iis", log_type = "apppool" }
Usage Examples
Monitor IIS Web Server
# Stream all IIS logs
logflux-cli stream --filter "service:iis"
# Monitor specific site
logflux-cli stream --filter "service:iis AND site_id:1"
# Track access logs only
logflux-cli stream --filter "service:iis AND log_type:access"
# Monitor slow requests (>5 seconds)
logflux-cli stream --filter "service:iis AND time_taken:>5000"
# Track 5xx errors
logflux-cli stream --filter "service:iis AND sc_status:>=500"
# Monitor high bandwidth usage
logflux-cli stream --filter "service:iis AND sc_bytes:>1048576"
Security Monitoring
# Track failed authentication
logflux-cli stream --filter "service:iis AND sc_status:401"
# Monitor forbidden requests
logflux-cli stream --filter "service:iis AND sc_status:403"
# Track potential attacks
logflux-cli stream --filter "service:iis AND (sc_status:404 OR cs_uri_stem:*.php)"
Windows Integration
Event Log Correlation
Correlate IIS logs with Windows Event Log:
[filestream.iis_events]
paths = ["C:/Windows/System32/LogFiles/W3SVC*/*.log"]
format = "iis_w3c"
tags = ["iis", "correlation"]
# Add Windows Event Log correlation
[filestream.iis_events.processors.enrich]
type = "windows_event"
source = "System"
filter = "EventID:1074 OR EventID:6008" # System shutdown/restart events
Monitor IIS performance counters:
# PowerShell script to log performance counters
$counters = @(
"\Web Service(_Total)\Bytes Total/Sec",
"\Web Service(_Total)\Current Connections",
"\ASP.NET Applications(__Total__)\Requests/Sec",
"\ASP.NET Applications(__Total__)\Errors Total/Sec"
)
Get-Counter -Counter $counters -SampleInterval 60 -MaxSamples 1440 | Export-Csv -Path "C:\inetpub\logs\perfcounters.csv" -NoTypeInformation
IIS Configuration Monitoring
Monitor IIS configuration changes:
[filestream.iis_config]
paths = ["C:/Windows/System32/LogFiles/W3SVC*/iis_config*.log"]
format = "json"
tags = ["iis", "configuration"]
# TOML inline tables must stay on one line
fields = { service = "iis", log_type = "configuration" }
Monitoring and Alerting
Key Metrics to Monitor
# High response time alert
[alerts.iis_slow_response]
query = "service:iis AND time_taken:>10000"
threshold = 10
window = "2m"
message = "IIS slow response times detected on site {{ .site }}"
# High error rate alert
[alerts.iis_error_rate]
query = "service:iis AND sc_status:>=500"
threshold = 20
window = "1m"
message = "High error rate in IIS: {{ .s_sitename }}"
# Application pool recycling alert
[alerts.iis_apppool_recycle]
query = "service:iis AND log_type:apppool AND message:recycle"
threshold = 1
window = "5m"
message = "IIS application pool recycled: {{ .component }}"
# Security threat alert
[alerts.iis_security_threat]
query = "service:iis AND (sc_status:401 OR sc_status:403)"
threshold = 50
window = "1m"
message = "Potential security threat detected in IIS"
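The `iis_security_threat` rule above counts 401/403 responses across all clients; the added example below (not LogFlux code) applies the same threshold-and-window logic per client IP over a constructed W3C sample. It takes the column order from the `#Fields:` directive instead of a fixed regex, so it uses IIS's raw hyphenated field names (`sc-status`, `c-ip`); the function names and sample lines are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended format. Real files carry the same
# "#Fields:" directive, which defines the column order of the lines below it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status time-taken
2024-05-01 10:00:01 POST /login - 203.0.113.7 401 12
2024-05-01 10:00:02 GET /index.html - 198.51.100.4 200 8
2024-05-01 10:00:20 POST /login - 203.0.113.7 401 11
2024-05-01 10:00:41 GET /admin - 203.0.113.7 403 9
2024-05-01 10:02:30 POST /login - 203.0.113.7 401 10
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive can change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or mismatched lines
                yield dict(zip(fields, values))


def auth_failure_bursts(records, threshold, window):
    """Map client IP -> first time it reached `threshold` 401/403s inside `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for rec in records:
        if rec.get("sc-status") not in ("401", "403"):
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        hits = recent[rec["c-ip"]]
        hits.append(ts)
        while ts - hits[0] >= window:  # drop events that have left the window
            hits.popleft()
        if len(hits) >= threshold and rec["c-ip"] not in alerts:
            alerts[rec["c-ip"]] = ts
    return alerts


if __name__ == "__main__":
    # Threshold lowered from the page's 50 so the small sample triggers.
    print(auth_failure_bursts(parse_w3c(SAMPLE_LOG), 3, timedelta(minutes=1)))
```

Grouping by client keeps a single noisy source from being averaged away in site-wide counts, and it gives the alert an address to investigate.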
Dashboard Metrics
Monitor these key IIS metrics:
- Request rate (requests per second by site)
- Response times (average, 95th percentile)
- Error rates (4xx, 5xx responses by site)
- Bandwidth utilization (bytes sent/received)
- Active connections (concurrent users)
- Application pool health (recycling events, failures)
- Authentication success/failure rates
- Resource utilization (CPU, memory, disk I/O)
Troubleshooting
Common Issues
IIS logs not appearing:
# Check IIS is running
Get-Service -Name W3SVC
# Verify log file permissions
Get-Acl "C:\inetpub\logs\LogFiles\W3SVC1"
# Check IIS logging configuration
Get-WebConfiguration -Filter "system.webServer/httpLogging"
Log format parsing errors:
# Test regex pattern
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -Pattern "your_regex_pattern"
# Check LogFlux Agent logs
Get-EventLog -LogName Application -Source "LogFlux-Agent" -Newest 10
# Validate IIS log format
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\ex*.log" | Select-Object -First 10
Missing application logs:
# Check ASP.NET configuration
Get-WebConfiguration -Filter "system.web/trace"
# Verify application pool identity permissions
Get-ItemProperty -Path "IIS:\AppPools\DefaultAppPool" -Name processModel
# Check application event log
Get-EventLog -LogName Application -Source "ASP.NET*" -Newest 10
Performance issues:
# Check IIS worker processes
Get-Process -Name w3wp
# Monitor performance counters
Get-Counter "\Process(w3wp*)\% Processor Time" -MaxSamples 5
# Check application pool recycling
Get-EventLog -LogName System -Source "WAS" -Newest 10
Best Practices
- Optimize log format to include only necessary fields
- Use log rotation to prevent disk space issues
- Monitor worker process resource usage
- Implement output caching for better performance
Security
- Enable request filtering to block malicious requests
- Use HTTPS for sensitive applications
- Monitor authentication failures and implement account lockout
- Regular security updates for IIS and .NET Framework
High Availability
- Configure multiple application pools for isolation
- Implement load balancing with ARR (Application Request Routing)
- Monitor health checks and automatic failover
- Use shared configuration for web farm scenarios
Log Management
# Optimize log rotation for IIS: delete logs older than 30 days.
# Single-quoted here-string so $_ is not expanded while the task is being defined.
$logRotateScript = @'
Get-ChildItem -Path 'C:\inetpub\logs\LogFiles' -Recurse -Filter '*.log' | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item -Force
'@
# Create scheduled task for log cleanup
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -Command `"$logRotateScript`""
$trigger = New-ScheduledTaskTrigger -Daily -At "02:00"
Register-ScheduledTask -TaskName "IIS Log Cleanup" -Action $action -Trigger $trigger
Integration Examples
.NET Core Applications
// appsettings.json
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    },
    "File": {
      "Path": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\application-{Date}.log",
      "MinLevel": "Information"
    }
  }
}
Docker on Windows
FROM mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
COPY app/ /inetpub/wwwroot/
VOLUME ["C:/inetpub/logs"]
EXPOSE 80
PowerShell Automation
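# Automated IIS log analysis: count 5xx responses by status code
$logs = Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log"
# Column names come from the W3C "#Fields:" directive (assumes every file uses the same field list)
$fieldsLine = $logs | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
$header = ($fieldsLine -replace '^#Fields:\s*', '').Trim() -split ' '
$logs | Where-Object { $_ -notlike '#*' } |
    ConvertFrom-Csv -Delimiter ' ' -Header $header |
    Where-Object { $_.'sc-status' -match '^5\d\d$' } |
    Group-Object 'sc-status' |
    Sort-Object Count -Descending |
    Format-Table Name, Count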
This comprehensive Microsoft IIS integration provides real-time web server monitoring, ASP.NET application analytics, and Windows-specific insights using LogFlux Agent’s File Stream plugin. The configuration-based approach offers detailed visibility into IIS operations, application performance, and security events in Windows environments.
Disclaimer
The Microsoft IIS logo and trademarks are the property of Microsoft Corporation. LogFlux is not affiliated with, endorsed by, or sponsored by Microsoft Corporation. The Microsoft IIS logo is used solely for identification purposes to indicate compatibility and integration capabilities.