Introduction to IIS Logging and Analysis on Windows Server 2019

Internet Information Services (IIS) on Windows Server 2019 generates detailed access logs for every HTTP and HTTPS request received by a web server. These logs are invaluable for performance analysis, troubleshooting 4xx and 5xx errors, detecting security threats (such as directory traversal or SQL injection attempts), and auditing access to protected resources. IIS logs are written in W3C Extended Log File Format by default, containing fields such as date, time, client IP, request URI, HTTP method, status code, bytes transferred, referrer, and user agent. This guide covers configuring IIS logging, customizing log fields, implementing centralized logging, analyzing logs with PowerShell, and integrating with Log Analytics.

Configuring IIS Logging via IIS Manager

Open IIS Manager (inetmgr) from the Start menu or Server Manager. In the Connections pane, select the server node (for server-level logging affecting all sites) or select a specific website for site-specific logging. Double-click the Logging icon in the middle pane.

On the Logging page, verify or configure the following. Format should be W3C (the most detailed and widely supported format). Directory should point to a volume with sufficient free space; the default is %SystemDrive%\inetpub\logs\LogFiles, but redirect it to a dedicated logging volume on high-traffic servers so that log growth cannot fill the system drive. Log File Rollover controls how often a new log file is started; Daily is recommended for most servers, and Hourly keeps individual files to a manageable size on very high-traffic servers.

Click Select Fields to choose which W3C fields are logged. The recommended minimum field set for security and operational analysis:

date, time, s-ip (server IP), cs-method (HTTP method), cs-uri-stem (request path), cs-uri-query (query string), s-port, cs-username (authenticated username), c-ip (client IP), cs(User-Agent), cs(Referer), sc-status (HTTP status code), sc-substatus, sc-win32-status, time-taken (response time in milliseconds).

Configuring IIS Logging via PowerShell

Use the IIS administration PowerShell module (WebAdministration) for scripted logging configuration. First, import the module:

Import-Module WebAdministration

Enable logging on a specific site and configure all recommended fields:

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" -Filter "system.webServer/httpLogging" -Name dontLog -Value $false

# The sites collection lives in applicationHost.config, so these writes target the
# server configuration path and select the site by name in the filter
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.applicationHost/sites/site[@name='Default Web Site']/logFile" -Name logFormat -Value "W3C"

Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.applicationHost/sites/site[@name='Default Web Site']/logFile" -Name directory -Value "D:\IISLogs"

Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.applicationHost/sites/site[@name='Default Web Site']/logFile" -Name period -Value "Daily"

Enable all recommended W3C fields at server level:

# siteDefaults/logFile supplies the field set for every site that does not override
# logExtFileFlags itself (centralW3CLogFile only applies when central logging is on)
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.applicationHost/sites/siteDefaults/logFile" -Name logExtFileFlags -Value "Date,Time,ClientIP,UserName,SiteName,ComputerName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,UserAgent,Referer,ProtocolVersion,Host"
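After pushing the settings, it is worth reading them back rather than trusting the write succeeded. The following audit script is an added example (not code from the original guide): it enumerates every site with Get-Website, reports its logging settings, and flags any field from the recommended set above that is not enabled. The $recommended list and the Get-IisLoggingAudit function name are this example's own choices.

```powershell
# Added example: audit per-site IIS logging settings against the recommended field set.
Import-Module WebAdministration

# Recommended minimum fields from this guide, written as logExtFileFlags names
$recommended = @('Date','Time','ServerIP','Method','UriStem','UriQuery','ServerPort',
                 'UserName','ClientIP','UserAgent','Referer','HttpStatus','HttpSubStatus',
                 'Win32Status','TimeTaken')

function Get-IisLoggingAudit {
    foreach ($site in Get-Website) {
        $log = $site.logFile
        # logExtFileFlags is stored as one comma-separated string
        $enabled = ($log.logExtFileFlags -split ',') | ForEach-Object { $_.Trim() }
        $missing = $recommended | Where-Object { $_ -notin $enabled }
        [PSCustomObject]@{
            Site          = $site.Name
            LoggingOn     = $log.enabled
            Format        = $log.logFormat
            Directory     = [Environment]::ExpandEnvironmentVariables($log.directory)
            Rollover      = $log.period
            MissingFields = ($missing -join ',')
        }
    }
}

# Any site with LoggingOn = False, a non-W3C format, or a non-empty MissingFields
# column needs attention before its logs are useful for investigations
Get-IisLoggingAudit | Format-Table -AutoSize
```

Run it once after configuration and again after adding sites, since a new site picks up siteDefaults only if nobody has set site-specific logFile attributes that override them.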

Enabling Failed Request Tracing (FREB)

IIS Failed Request Tracing (FREB) captures detailed diagnostic traces for requests that meet configurable failure conditions, such as requests with 4xx or 5xx status codes or requests taking longer than a threshold. FREB traces include the full request processing pipeline, showing exactly which IIS module generated the error.

Enable FREB for a site and capture all 5xx errors:

Enable-WebRequestTracing -Name "Default Web Site" -Directory "D:\FREBLogs" -MaxLogFiles 50 -MaxLogFileSizeKB 1024 -StatusCodes "500-599"

FREB log files are saved as XML files with an associated XSL stylesheet for viewing in Internet Explorer or Edge. Navigate to the FREB log directory and open an XML file in a browser for a color-coded request trace showing which module generated the failure and why.
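Opening traces one at a time in a browser does not scale when a site is throwing many errors. As an added example (not code from the original guide), the script below summarizes every FREB trace under a directory so the failing URLs and reasons can be grouped. It assumes the trace directory D:\FREBLogs used above and relies on the attributes IIS writes on the root failedRequest element (url, verb, statusCode, failureReason, timeTaken); the Get-FrebSummary function name is this example's own.

```powershell
# Added example: summarize IIS Failed Request Tracing (FREB) XML files.
function Get-FrebSummary {
    param([string]$TraceDirectory = "D:\FREBLogs")

    # Traces are written as fr000001.xml, fr000002.xml, ... under a W3SVC<siteId> subfolder
    Get-ChildItem -Path $TraceDirectory -Filter "fr*.xml" -Recurse | ForEach-Object {
        [xml]$trace = Get-Content -Path $_.FullName -Raw
        $req = $trace.failedRequest
        [PSCustomObject]@{
            File        = $_.Name
            SiteFolder  = $_.Directory.Name
            Verb        = $req.verb
            Url         = $req.url
            Status      = $req.statusCode
            Reason      = $req.failureReason     # e.g. STATUS_CODE or TIME_TAKEN
            TimeTakenMs = [int]$req.timeTaken
        }
    }
}

# Most frequent failing URL and status combinations first
Get-FrebSummary |
    Group-Object Url, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The grouped view tells you which handful of traces to open in the browser; the module-level detail inside each file is still best read through the XSL rendering.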

Analyzing IIS Logs with PowerShell

IIS log files in W3C format are plain text; lines beginning with # are header directives, and the #Fields: directive names the space-separated columns that follow. Use PowerShell to parse and analyze them. The following script parses a W3C log file and reports the top 10 most requested URIs:

$logPath = "D:\IISLogs\W3SVC1\u_ex260517.log"
$raw = Get-Content $logPath

# Take the first #Fields: directive only; IIS writes a fresh header block after a
# service restart, so a single file can contain several of them
$headers = ($raw | Where-Object { $_ -match "^#Fields:" } | Select-Object -First 1) -replace "^#Fields: ", "" -split " "

$entries = $raw | Where-Object { $_ -notmatch "^#" -and $_.Trim() -ne "" } | ForEach-Object {
    $values = $_ -split " "
    # Build an ordered hashtable and cast once; far cheaper than Add-Member per field
    $props = [ordered]@{}
    for ($i = 0; $i -lt $headers.Count; $i++) {
        $props[$headers[$i]] = $values[$i]
    }
    [PSCustomObject]$props
}

$entries | Group-Object "cs-uri-stem" | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

Find all 5xx errors and their associated client IPs:

$entries | Where-Object { [int]$_."sc-status" -ge 500 } | Group-Object "c-ip" | Sort-Object Count -Descending | Select-Object Name, Count

Find slow requests (over 3 seconds, i.e., time-taken > 3000 ms):

$entries | Where-Object { [int]$_."time-taken" -gt 3000 } | Select-Object date, time, "cs-uri-stem", "time-taken", "sc-status" | Sort-Object { [int]$_."time-taken" } -Descending
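The same parsed objects support simple security triage. The script below is an added example (not code from the original guide) that wraps the W3C parsing in a function and runs two defender-side rules over it: path traversal sequences in the URI or query string, and a single client collecting 404s on many distinct paths, which is how resource enumeration usually looks in access logs. The log lines are constructed for this example, and the function names ConvertFrom-W3CLog and Find-SuspiciousRequests are its own.

```powershell
# Added example: parse W3C log lines and flag two common abuse patterns.
# The sample below is constructed; replace it with Get-Content on a real log file.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-17 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2026-05-17 10:00:02 10.0.0.5 GET /admin/ - 443 - 198.51.100.7 curl/8.0 - 404 0 2 3
2026-05-17 10:00:02 10.0.0.5 GET /backup.zip - 443 - 198.51.100.7 curl/8.0 - 404 0 2 2
2026-05-17 10:00:03 10.0.0.5 GET /.env - 443 - 198.51.100.7 curl/8.0 - 404 0 2 2
2026-05-17 10:00:03 10.0.0.5 GET /wp-login.php - 443 - 198.51.100.7 curl/8.0 - 404 0 2 2
2026-05-17 10:00:04 10.0.0.5 GET /static/..%2f..%2fweb.config - 443 - 198.51.100.7 curl/8.0 - 400 0 0 1
2026-05-17 10:00:05 10.0.0.5 GET /download.aspx file=../../web.config 443 - 203.0.113.44 Mozilla/5.0 - 200 0 0 40
'@

function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $headers = @()
    foreach ($line in $Lines) {
        # A new #Fields: directive redefines the columns for the lines that follow
        if ($line -match '^#Fields: (.+)$') { $headers = $Matches[1] -split ' '; continue }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $props = [ordered]@{}
        for ($i = 0; $i -lt $headers.Count; $i++) { $props[$headers[$i]] = $values[$i] }
        [PSCustomObject]$props
    }
}

function Find-SuspiciousRequests {
    param([object[]]$Entries, [int]$NotFoundThreshold = 3)

    # Rule 1: traversal sequences in path or query, raw or percent-encoded
    $traversal = '(\.\./|\.\.\\|\.\.%2f|\.\.%5c)'
    foreach ($e in $Entries) {
        if ("$($e.'cs-uri-stem') $($e.'cs-uri-query')" -imatch $traversal) {
            [PSCustomObject]@{ Rule = 'Traversal'; ClientIP = $e.'c-ip'
                               Detail = "$($e.'cs-uri-stem') $($e.'cs-uri-query') -> $($e.'sc-status')" }
        }
    }

    # Rule 2: one client accumulating 404s on several distinct paths (enumeration)
    $Entries | Where-Object { $_.'sc-status' -eq '404' } | Group-Object 'c-ip' | ForEach-Object {
        $paths = @($_.Group.'cs-uri-stem' | Select-Object -Unique)
        if ($paths.Count -ge $NotFoundThreshold) {
            [PSCustomObject]@{ Rule = 'NotFoundBurst'; ClientIP = $_.Name
                               Detail = "$($paths.Count) distinct paths returned 404" }
        }
    }
}

$entries = ConvertFrom-W3CLog -Lines ($sample -split "`r?`n")
Find-SuspiciousRequests -Entries $entries | Format-Table -AutoSize
```

For a real file, pass `(Get-Content "D:\IISLogs\W3SVC1\u_ex260517.log")` to ConvertFrom-W3CLog. The 404 threshold is deliberately low for the constructed sample; tune it per site, since a broken link on a busy page will also generate repeated 404s from many clients, but usually on one path rather than many.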

Using Microsoft Log Parser for IIS Analysis

Microsoft Log Parser is a free tool that allows SQL-style queries against IIS log files. Download it from the Microsoft website. Once installed, run queries from the command line:

logparser "SELECT cs-uri-stem, COUNT(*) AS Hits FROM D:\IISLogs\W3SVC1\*.log GROUP BY cs-uri-stem ORDER BY Hits DESC" -i:IISW3C

Find the top 10 client IP addresses by request count:

logparser "SELECT TOP 10 c-ip, COUNT(*) AS Requests FROM D:\IISLogs\W3SVC1\*.log GROUP BY c-ip ORDER BY Requests DESC" -i:IISW3C -o:CSV

Generate an hourly traffic report:

logparser "SELECT QUANTIZE(TO_TIMESTAMP(date, time), 3600) AS Hour, COUNT(*) AS Requests FROM D:\IISLogs\W3SVC1\*.log GROUP BY Hour ORDER BY Hour ASC" -i:IISW3C

Forwarding IIS Logs to Azure Log Analytics

The Azure Monitor Agent can collect IIS log files and forward them to a Log Analytics workspace. In your Data Collection Rule, add an IIS Logs data source, specify the log directory path (e.g., D:\IISLogs\W3SVC*), and set the destination to your workspace. IIS logs appear in the W3CIISLog table in Log Analytics.

Query IIS logs in Log Analytics to find the most common HTTP errors across all web servers:

W3CIISLog
| where TimeGenerated > ago(24h)
// scStatus is stored as a string in W3CIISLog, so convert before comparing numerically
| where toint(scStatus) >= 400
| summarize count() by scStatus, csUriStem, Computer
| order by count_ desc
| take 20

Detect potential SQL injection attempts in query strings. Treat the result as a triage list rather than an alert: these keywords also appear in legitimate query strings (a search box receiving the word "select", for example), so review hits by client IP and path before acting:

W3CIISLog
| where TimeGenerated > ago(7d)
| where csUriQuery matches regex @"(?i)(union|select|insert|delete|drop|exec|xp_)"
| project TimeGenerated, Computer, cIP, csUriStem, csUriQuery, scStatus
| order by TimeGenerated desc
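Once the query is settled, running it on a schedule from PowerShell is more practical than pasting it into the portal. The following is an added example (not code from the original guide) that executes the same keyword search through the Az.OperationalInsights module and rolls the hits up per client address and server for triage. It assumes the Az modules are installed and you are already signed in with Connect-AzAccount; the workspace id is a placeholder, and the Get-SuspiciousQueryHits function name is this example's own.

```powershell
# Added example: run the suspicious-query-string search against Log Analytics
# and export one row per client IP and server for review.
Import-Module Az.OperationalInsights
# Connect-AzAccount   # sign in first if the session is not already authenticated

$workspaceId = "<workspace-guid>"   # placeholder: your Log Analytics workspace id

# Same keyword pattern as the guide's query, rolled up per client and server
$query = @'
W3CIISLog
| where csUriQuery matches regex @"(?i)(union|select|insert|delete|drop|exec|xp_)"
| summarize Hits = count(), Paths = make_set(csUriStem, 10), Statuses = make_set(scStatus, 5)
          by cIP, Computer
| order by Hits desc
'@

function Get-SuspiciousQueryHits {
    param(
        [string]$WorkspaceId,
        [string]$Kql,
        [timespan]$Lookback = (New-TimeSpan -Days 7)   # replaces the ago(7d) filter
    )
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Kql -Timespan $Lookback
    $response.Results | ForEach-Object {
        [PSCustomObject]@{
            ClientIP = $_.cIP
            Server   = $_.Computer
            Hits     = [int]$_.Hits
            Paths    = $_.Paths      # JSON array of up to 10 distinct paths
            Statuses = $_.Statuses   # JSON array of status codes those requests received
        }
    }
}

Get-SuspiciousQueryHits -WorkspaceId $workspaceId -Kql $query |
    Export-Csv -Path ".\suspicious-query-hits.csv" -NoTypeInformation
```

The Statuses column is the quickest false-positive filter: a client whose keyword-bearing requests all returned 200 from a search page looks very different from one whose requests produced 500s across several paths.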