Collect logs from your Microsoft© Internet Information Services (IIS) webservers to troubleshoot operational and security issues easily. Search and quickly visualize web requests to see patterns in your web users’ activity. Customize reports to find URLs returning 404s or create rules and alerts to detect suspicious traffic for SQL injection, cross-site scripting (XSS), and other malicious requests.
Benefits of IIS Log Analysis
Your IIS logs contain a tremendous amount of information about how users are accessing your webserver. If you have enabled proper logging levels, you can collect the source or client IP address, the HTTP method used, the URI stem or target, and the specific query parameters requested. This information can be used with a log parser to detect requests that your application isn’t expecting and to find signs of an attack. For example, if the URI query includes a single quote and the HTTP method is a POST, you might be seeing a SQL injection attack. The IIS logs may be the only sign of such an attack if the application isn’t logging failed form submissions and your web application firewall doesn’t detect the attack. The advantage of parsing the logs is that you can see whether someone is attempting to attack you. If you are breached, you can also review these logs from your secure log storage to find out how the attacker breached your network and to learn more details about the attacker.
Implementing a Log Parser for IIS Log Analysis
Collecting the IIS logs from your webservers is easy with Log & Event Manager. Simply install the agent on your servers and add a connector in the Log & Event Manager web console for each of the servers you want to analyze IIS logs from. After you are collecting IIS logs, make sure your filters, reports, and alerts are configured to analyze the events that are critical for your environment. You should also update your dashboard to include specific events from these logs to quickly see any issues. For example, update your dashboard to track the number of 404s to detect if users are being sent to bad URLs, or if someone is trying to attack your webservers.
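The two checks mentioned above (a POST whose query contains a single quote, and a count of 404s per URL) can be sketched outside any product as follows. This is an added example, not Log & Event Manager code; it assumes IIS is writing the W3C extended format with the fields shown, and the function names and sample log lines are constructed for illustration.

```python
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in W3C extended format; client addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-15 10:00:01 203.0.113.7 GET /index.aspx - 200
2024-01-15 10:00:02 203.0.113.7 GET /old-page.aspx - 404
2024-01-15 10:00:03 198.51.100.23 POST /login.aspx user=test%27 500
2024-01-15 10:00:04 198.51.100.23 POST /login.aspx user=alice 200
2024-01-15 10:00:05 203.0.113.9 GET /old-page.aspx - 404
2024-01-15 10:00:06 203.0.113.9 GET /search.aspx q=o'brien 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the latest #Fields directive as column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def quoted_posts(records):
    """POST requests whose query string holds a single quote, raw or URL-encoded."""
    hits = []
    for r in records:
        query = r.get("cs-uri-query", "-")
        if r.get("cs-method") == "POST" and "'" in unquote_plus(query):
            hits.append((r["c-ip"], r["cs-uri-stem"], query))
    return hits

def not_found_counts(records):
    """Count 404 responses per URI stem."""
    return Counter(r["cs-uri-stem"] for r in records if r.get("sc-status") == "404")

if __name__ == "__main__":
    records = list(parse_w3c(SAMPLE_LOG))
    for ip, stem, query in quoted_posts(records):
        print(f"review: POST {stem} from {ip} query={query}")
    for stem, count in not_found_counts(records).most_common():
        print(f"404 x{count}: {stem}")
```

The query is URL-decoded before the check because an encoded quote (`%27`) would otherwise pass unnoticed; the GET with a literal quote is left alone because the rule as stated applies only to POSTs.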
How IIS Log Analysis Works
Like most other events and logs, IIS logs can be visualized with bar charts, in the real-time monitor window, or by running reports for general or very specific events. Below is an example of HTTP POSTs over time. A quick visual scan in the log parser will show an anomaly where the number of POSTs increases. This could be a sign of an attack or improper usage of your webservers. You can perform these types of searches manually, or you can save these queries to automatically analyze your IIS logs.
Try It Yourself
You can analyze IIS logs (and a lot more) for free when you download a free trial of Log & Event Manager. It’s fully functional for 30 full days!
With our DIY deployment wizard, you'll be up and analyzing your IIS logs in less than an hour.