How to Configure IIS Logging and Request Tracing on Windows Server 2025

Effective logging is the foundation of diagnosing performance problems, security incidents, and application errors on any web server. IIS on Windows Server 2025 ships with two complementary diagnostic systems: the standard W3C access log, which records every HTTP request, and Failed Request Tracing (also called FREB — Failed Request Event Buffering), which captures granular pipeline-level detail for requests that fail or run slowly. This guide covers configuring both systems, parsing logs with PowerShell, and understanding ETW-based tracing for deeper diagnostics.

Prerequisites

  • Windows Server 2025 with IIS installed (Web-Server role)
  • Administrator access for feature installation and IIS configuration changes
  • Sufficient disk space for log files (recommended: dedicate a non-system drive for logs in production)
  • PowerShell 5.1 or later
  • Optional: Log Parser Studio or Microsoft Log Parser 2.2 for advanced analysis

Step 1: Understanding IIS Log File Location and W3C Format

By default, IIS writes access logs in W3C Extended Log Format to:

%SystemDrive%\inetpub\logs\LogFiles\W3SVC1

Each IIS site gets its own subdirectory (W3SVC1, W3SVC2, etc., matching the site ID). Log files are named using the format u_exYYMMDD.log. The first few lines of a W3C log look like this:

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-05-17 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2026-05-17 14:32:05 192.168.1.10 GET /index.html - 443 domain\user 10.0.0.5 Mozilla/5.0 https://contoso.com/ 200 0 0 45

Key W3C fields to know:

  • sc-status — HTTP response status code (200, 404, 500, etc.)
  • sc-substatus — IIS sub-status code (e.g., 401.2 = NTLM auth failure)
  • sc-win32-status — Windows error code (useful for permission errors)
  • time-taken — Request duration in milliseconds
  • cs-uri-stem — The requested URL path

Step 2: Configure Log Location and Rollover Policy

Change the log directory to a dedicated drive and configure rollover behavior using PowerShell:

# Load the IIS provider so the IIS:\ drive is available
Import-Module WebAdministration

# Change log directory for a specific site (site ID 1 = Default Web Site)
Set-WebConfigurationProperty `
    -Filter "system.applicationHost/sites/site[@id='1']/logFile" `
    -PSPath "IIS:\" `
    -Name directory `
    -Value "D:\IISLogs"

# Set log file rollover period: Daily, Weekly, Monthly, Hourly, MaxSize
Set-WebConfigurationProperty `
    -Filter "system.applicationHost/sites/site[@id='1']/logFile" `
    -PSPath "IIS:\" `
    -Name period `
    -Value "Daily"

# Configure size-based rollover (used when period = MaxSize), value in bytes (10 MB here)
Set-WebConfigurationProperty `
    -Filter "system.applicationHost/sites/site[@id='1']/logFile" `
    -PSPath "IIS:\" `
    -Name truncateSize `
    -Value 10485760

# Select where W3C log events are written: File, ETW, or File,ETW
# (this setting controls the log target, not the file encoding)
Set-WebConfigurationProperty `
    -Filter "system.applicationHost/sites/site[@id='1']/logFile" `
    -PSPath "IIS:\" `
    -Name logTargetW3C `
    -Value "File"

Step 3: Customize W3C Log Fields

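By default, IIS does not log all available fields. Add useful fields like the Host header, cookie, and X-Forwarded-For (for reverse proxy setups). Logging the Cookie field writes cookie values, including session cookies, to the log file in clear text, so restrict access to the log directory when it is enabled: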

# Enable additional built-in log fields, including the Host header and Cookie.
# logExtFileFlags takes a comma-separated list of field names.
# X-Forwarded-For is a request header rather than a built-in flag, so it is
# not covered by this list; IIS logs request headers through custom fields.

Set-WebConfigurationProperty `
    -Filter "system.applicationHost/sites/site[@id='1']/logFile" `
    -PSPath "IIS:\" `
    -Name logExtFileFlags `
    -Value "Date,Time,ClientIP,UserName,SiteName,ComputerName,ServerIP,Method,UriStem,UriQuery,HttpStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,UserAgent,Cookie,Referer,ProtocolVersion,Host,HttpSubStatus"
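
X-Forwarded-For is not one of the logExtFileFlags values, so it has to be logged as a custom field. The following is an added example, not part of the original guide; it assumes site ID 1 and uses the header name as the log column name.

```powershell
# Added example: log the X-Forwarded-For request header as a W3C custom field.
Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config
$filter = "system.applicationHost/sites/site[@id='1']/logFile/customFields"
$header = 'X-Forwarded-For'

# Adding the same field twice raises an error, so check for it first
$existing = Get-WebConfiguration -PSPath $psPath `
    -Filter "$filter/add[@logFieldName='$header']"

if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{
            logFieldName = $header          # column name written to the log
            sourceName   = $header          # header to read the value from
            sourceType   = 'RequestHeader'
        }
}

# Read the configuration back to confirm what will be logged
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Select-Object logFieldName, sourceName, sourceType
```

Once a custom field is configured, IIS appends _x to the log file name (u_exYYMMDD_x.log), so scripts that build the path by hand need to account for it. The header is supplied by the client unless the reverse proxy overwrites it, so treat the logged value as untrusted input during analysis.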

Step 4: Analyze IIS Logs with PowerShell

PowerShell provides powerful tools for parsing W3C log files without additional software:

# Search for all 500 errors in today's log
$logPath = "D:\IISLogs\W3SVC1\u_ex$(Get-Date -Format 'yyMMdd').log"

Select-String -Path $logPath -Pattern " 500 " | Select-Object -First 20

# Parse log as CSV (skip comment lines starting with #) and find slow requests
# The -Header list must match the #Fields: line of the log being read
Get-Content $logPath |
    Where-Object { $_ -notmatch "^#" } |
    ConvertFrom-Csv -Delimiter " " -Header @(
        "date","time","s-ip","cs-method","cs-uri-stem","cs-uri-query",
        "s-port","cs-username","c-ip","cs-user-agent","cs-referer",
        "sc-status","sc-substatus","sc-win32-status","time-taken"
    ) |
    Where-Object { [int]$_."time-taken" -gt 5000 } |
    Select-Object "cs-uri-stem","sc-status","time-taken" |
    # CSV values are strings; cast so the sort is numeric, not alphabetical
    Sort-Object { [int]$_."time-taken" } -Descending |
    Format-Table -AutoSize

# Count requests per status code
Get-Content $logPath |
    Where-Object { $_ -notmatch "^#" } |
    ConvertFrom-Csv -Delimiter " " -Header @(
        "date","time","s-ip","cs-method","cs-uri-stem","cs-uri-query",
        "s-port","cs-username","c-ip","cs-user-agent","cs-referer",
        "sc-status","sc-substatus","sc-win32-status","time-taken"
    ) |
    Group-Object "sc-status" |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
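
A hard-coded header list only works while the site logs exactly those fields; once the field set is customized, the columns shift. As an added example (not from the original guide), this parser takes column names from each #Fields: directive and summarizes errors per client IP; the sample log lines and the function names ConvertFrom-W3CLog and Get-ClientErrorSummary are constructed for illustration.

```powershell
# Constructed sample log; the #Fields: directive changes part-way through
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2026-05-17 14:32:05 GET /index.html 10.0.0.5 200 45
2026-05-17 14:32:06 GET /admin/ 10.0.0.9 401 12
2026-05-17 14:32:06 GET /admin/ 10.0.0.9 401 10
2026-05-17 14:32:07 POST /login 10.0.0.9 401 15
2026-05-17 14:32:08 GET /report 10.0.0.5 500 7200
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus time-taken
2026-05-17 15:00:01 GET /admin/ 10.0.0.9 403 14 9
'@ -split "`r?`n"

function ConvertFrom-W3CLog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $fields = @() }
    process {
        if ($Line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'   # pick up the current column set
            return
        }
        if ($Line -match '^#' -or [string]::IsNullOrWhiteSpace($Line)) { return }
        $values = $Line -split ' '
        if ($values.Count -ne $fields.Count) { return }  # skip truncated or malformed lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-ClientErrorSummary {
    param([object[]]$Rows, [int]$MinErrors = 3)
    $Rows | Group-Object 'c-ip' | ForEach-Object {
        $errors = @($_.Group | Where-Object { [int]$_.'sc-status' -ge 400 })
        [pscustomobject]@{
            ClientIP  = $_.Name
            Requests  = $_.Count
            Errors    = $errors.Count
            ErrorRate = [math]::Round($errors.Count / $_.Count, 2)
            Flagged   = $errors.Count -ge $MinErrors   # threshold is an assumption
        }
    } | Sort-Object Errors -Descending
}

$rows = $sample | ConvertFrom-W3CLog
Get-ClientErrorSummary -Rows $rows | Format-Table -AutoSize
# Slow requests, sorted numerically
$rows | Where-Object { [int]$_.'time-taken' -gt 5000 } | Sort-Object { [int]$_.'time-taken' } -Descending
```

To run it against a real file, replace $sample with Get-Content $logPath.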

Step 5: Install Failed Request Tracing (FREB)

Failed Request Tracing is a powerful diagnostic tool that captures the full IIS pipeline execution trace for requests you define by status code, URL pattern, or time threshold. Install the feature first:

# Install HTTP Tracing feature
Install-WindowsFeature -Name Web-Http-Tracing -IncludeManagementTools

# Verify
Get-WindowsFeature -Name Web-Http-Tracing

Step 6: Enable and Configure FREB Rules

Once installed, enable FREB for a site and create tracing rules targeting specific failure conditions:

# Enable FREB for the Default Web Site and set the log directory
Set-WebConfiguration `
    -Filter "system.applicationHost/sites/site[@id='1']/traceFailedRequestsLogging" `
    -PSPath "IIS:\" `
    -Value @{
        enabled   = $true
        directory = "D:\FREBLogs"
        maxLogFiles = 50
    }

# Add a FREB rule that applies to all request paths
Add-WebConfigurationProperty `
    -Filter "system.webServer/tracing/traceFailedRequests" `
    -PSPath "IIS:\Sites\Default Web Site" `
    -Name "." `
    -Value @{ path = "*" }

# Configure the trace rule conditions (status codes 500-999)
# failureDefinitions is a single element, not a collection, so its attributes are set, not added
Set-WebConfigurationProperty `
    -Filter "system.webServer/tracing/traceFailedRequests/add[@path='*']/failureDefinitions" `
    -PSPath "IIS:\Sites\Default Web Site" `
    -Name statusCodes `
    -Value "500-999"

# Add a condition for slow requests (longer than 10 seconds = 10000 ms)
Set-WebConfigurationProperty `
    -Filter "system.webServer/tracing/traceFailedRequests/add[@path='*']/failureDefinitions" `
    -PSPath "IIS:\Sites\Default Web Site" `
    -Name timeTaken `
    -Value "00:00:10"

Step 7: Reading FREB XML Reports

FREB generates XML trace files with an associated XSL stylesheet that renders them as a detailed HTML report in Internet Explorer or Edge (legacy mode). Each file is named frNNNNNNNN.xml.

# List recent FREB trace files
Get-ChildItem -Path "D:\FREBLogs\W3SVC1" -Filter "fr*.xml" |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 Name, LastWriteTime, Length

# Open a specific FREB file in the default browser
Invoke-Item "D:\FREBLogs\W3SVC1\fr000000001.xml"

# Extract summary from FREB XML using PowerShell XML parsing
[xml]$freb = Get-Content "D:\FREBLogs\W3SVC1\fr000000001.xml"
$freb.failedRequest | Select-Object url, statusCode, timeTaken, triggerStatusCode

The FREB report organizes trace events by IIS pipeline module, showing exact timestamps, the module that processed each event (Authentication, Authorization, Handler Mapping, etc.), and the status at each stage. This makes it possible to pinpoint which module in the pipeline caused a failure.

Step 8: ETW Tracing for IIS

Event Tracing for Windows (ETW) provides real-time, low-overhead tracing for IIS internals. Use it to capture IIS events without file I/O overhead:

# Start an ETW trace session capturing IIS request events
# The Microsoft-Windows-IIS-Logging provider only emits events when the site's
# logTargetW3C value includes ETW (for example "File,ETW")
logman create trace IIS-RequestTrace `
    -p "Microsoft-Windows-IIS-Logging" `
    -o D:\ETWTraces\iis-trace.etl `
    -f bincirc `
    -max 100

logman start IIS-RequestTrace

# ... reproduce the issue ...

logman stop IIS-RequestTrace
logman delete IIS-RequestTrace

# Convert the ETL file to a CSV for analysis
tracerpt D:\ETWTraces\iis-trace.etl -o D:\ETWTraces\iis-trace.csv -of CSV

ETW is particularly useful for diagnosing issues that happen so quickly that FREB doesn’t capture them, such as request routing failures or authentication negotiation problems at the kernel level.

Combining IIS access logs, FREB traces, and ETW gives you a complete picture of request handling on Windows Server 2025. Start with access logs for trend analysis and high-level error reporting, escalate to FREB for specific failed request deep-dives, and use ETW when you need millisecond-level pipeline visibility. With the PowerShell techniques in this guide, you can build automated log monitoring scripts that alert on elevated error rates or slow response times without relying on third-party monitoring agents.