VMware Cloud Community
tslogick1
Contributor

IIS Logs in LogInsight

I installed the Microsoft - IIS content pack on my Log Insight cluster.  I noticed it requires certain fields to be enabled on the IIS server for the logs.  My question is, for it to work correctly, are these the only fields that "can" be enabled or do I just need to make sure that at least these ones are enabled?  Hope that makes sense.

Thanks,

Tim

IIS Prerequisites:

The IIS content pack uses logs in W3C format; the following fields need to be enabled in IIS logs using IIS Manager:

• date
• time
• s-sitename
• s-ip
• cs-method
• cs-uri-stem
• cs-uri-query
• s-port
• cs-username
• c-ip
• cs(User-Agent)
• sc-status
• sc-substatus
• sc-win32-status
• time-taken



0 Kudos
admin
Immortal

Yes, that is correct: for the content pack to work correctly, only the fields listed need to be enabled. Enabling any additional fields will change the log format, and the content pack might not be able to display results in the widgets. This restriction exists because the content pack uses the CSV parser to parse logs. For a CSV parser, the count of the listed field names must be equal to the count of comma-separated fields in the logs. This option is mandatory for the CSV parser. If it's missing, nothing will be parsed.

So if the field list changes in the logs the content pack will break. Hope this helps.

0 Kudos
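A pre-flight check for the constraint described in the reply above, as an added example that is not part of the original thread or of the content pack: it reads the `#Fields:` directive that IIS writes at the top of each W3C log and compares it with the field list from the question, then checks that every data line carries the declared number of values. The function name and the sample log lines are constructed for illustration.

```python
# Added example: audit an IIS W3C log against the content pack's field list.
# Field names and order are taken from the prerequisites quoted in the question.
REQUIRED = ["date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
            "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
            "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

def audit_w3c_log(lines, required=REQUIRED):
    """Return a list of findings; an empty list means the log matches."""
    findings, fields = [], None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # IIS re-emits this directive whenever logging settings change,
            # so every occurrence in the file is checked, not just the first.
            fields = line[len("#Fields:"):].split()
            missing = [f for f in required if f not in fields]
            extra = [f for f in fields if f not in required]
            if missing:
                findings.append(f"line {n}: missing fields {missing}")
            if extra:
                findings.append(f"line {n}: extra fields {extra}")
            if not missing and not extra and fields != list(required):
                findings.append(f"line {n}: fields present but in a different order")
        elif line and not line.startswith("#"):
            values = line.split()  # W3C extended log values are space-delimited
            if fields is None:
                findings.append(f"line {n}: data before any #Fields: directive")
            elif len(values) != len(fields):
                findings.append(
                    f"line {n}: {len(values)} values, header declares {len(fields)}")
    return findings

# Constructed sample logs (not taken from a real server).
GOOD = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: " + " ".join(REQUIRED),
    "2024-01-15 10:00:01 W3SVC1 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 31",
]
BAD = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: " + " ".join(REQUIRED[:11] + ["cs(Referer)"] + REQUIRED[11:]),
    "2024-01-15 10:00:01 W3SVC1 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31",
    "2024-01-15 10:00:02 W3SVC1 10.0.0.5 GET /a.css - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 12",
]

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_w3c_log(sample) or "matches the required field list")
```

Run it against a log file with `audit_w3c_log(open(path, encoding="utf-8", errors="replace"))` before pointing the agent at that directory.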
HawkieMan
Enthusiast

It is also important to set a single log for IIS. You must enable the server log instead of single-site logs.

0 Kudos