Top five metrics to monitor in IIS Logs

Blog

Top five metrics to monitor in IIS Logs

David Girvin
,
Table of contents

Header blog ISS Logs Monitor 700x200

When managing and troubleshooting IIS (Internet Information Services) web server performance, logs are a critical resource. They capture detailed information about every request and response so your team can detect issues quickly. 

Let’s walk through the main IIS log formats, explore a sample log file, and break down five key types of IIS metrics you should monitor. 

IIS log file formats

IIS supports three types of log formats:

  • W3C – This format centralizes all URL logs for a session in a single log file. It logs each field with a space.
  • NCSA – This log format is an ASCII text-based format and can’t be customized. It logs less information than the W3C format, and its fields are also separated by spaces.
  • IIS — This log format comes from Microsoft and is also ASCII-based like NCSA. It has more information than NCSA, but not as much as W3C. Its fields are separated by commas.

Of these formats, W3C is the most commonly used, as it provides more information than the other two. However, if your logging needs are simple and storage efficiency is a priority, NCSA or IIS formats may suffice.

Sample IIS log file

Here’s what a typical IIS log file may look like:

blog iis logs code block

As you can tell, the log condenses a lot of information about each request into just a few lines. It includes the version of IIS, the date and time of the request, the IP addresses, the clients used, error codes, and more. Let’s break down the key types of IIS log metrics to monitor for better performance and troubleshooting.

Five key IIS log metrics to monitor

Rather than focusing on single metrics, it’s more effective to analyze related metrics in IIS logs to understand system behavior.  Here are five types of metrics to look for in your IIS logs:

1. Vital stats

The header is the first four lines beginning with a #. It contains vital information about the log file, such as:

  • The IIS version in use 
  • Date and time
  • The fields included in the log file 

Though it doesn’t contain metrics itself, these lines are key to reading the rest of the metrics in the log file.

2. IP addresses

The next important part of an IIS log file is the IP addresses from where the request was made and answered. Using this information, you can identify the client that made the request and the server IP that handled it. You can track the location of requests and identify any suspicious patterns. If there are numerous requests from unusual IPs, it’s likely fraudulent and needs to be looked into.

3. Client details

The log file includes details about the client, like the operating system, browser, and cookie info, which is vital information to have when troubleshooting and testing. Pages render differently on different browsers and devices, and using this information, you can assess the performance of a page on various devices and browsers.

By visualizing a large sample set of this data, like latency across different browsers, you can get a clear picture of performance in the real world. If you notice that a particular version of a browser or a particular OS is underperforming, you know where to look to fix the issue.

4. Performance

If configured, the time-taken field in W3C logs captures the time (in milliseconds) to complete a request. This shows the latency, which is an important metric to gauge performance. Again, if you look at the cumulative latency for all requests for a particular URL, you know how its performance measures up. Having an average latency for all pages and average latency over time will help you spot spikes in latency at any time, or for any particular page. Latency helps keep your SLAs, whether internal or external.

You may need to dig deeper to identify the root cause of the latency. It could be that there’s a seasonal spike during a promotional offer, which is normal, and you may need to scale resources to support this spike, or it may be a bottleneck in the network, which needs to be looked into further—or even worse, it may be something suspicious caused by an external source. Your response will depend on the details you find beyond the latency metric. Keep in mind that time-taken includes server processing time but not network latency between client and server.

5. Error codes

The IIS log file also reports on error statuses like 404s. This can be useful in catching pages that were moved accidentally, or URLs that need a redirect, or to see if users are typing in the wrong URL.

Conclusion

IIS is still a widely used web server, and its logs are key to maintaining high performance and strong security. By tracking vital metrics like latency, IP activity, client behavior, and errors, you can spot issues early and take the right action quickly.

To go further, consider using a log analysis tool like Sumo Logic that supports robust search, visualization, and correlation across data sources. Try it out for yourself with a 30-day free trial

David Girvin
Lead Technical Advocate
David Girvin is a Technical Advocate at Sumo Logic, facilitating technical accuracy in the cloud of marketing. Previously, he was an AppSec / offensive security architect for places like 1Password and Red Canary. When not working, David travels to surf destinations for surfing and foiling.

People who read this also enjoyed

postgreSQl on kubernetes

How to deploy PostgresSQL on Kubernetes

The patching paradox: The reality of AI in security

Secure your Slack environment with Sumo Logic Cloud SIEM