Microsoft's Internet Information Services (IIS) is a web server application that runs on the Windows operating system and can be used to serve HTML files or pages over the Hypertext Transfer Protocol (HTTP). For organizations that offer Software-as-a-Service (SaaS) products, either to internal or external customers, an IIS web server can act as a portal for web-based applications that deliver complex functions incorporating back-end and middleware systems.
IIS log files are a valuable source of insight into the operational status, usage and security posture of web-based applications that operate on IIS servers. Software developers and enterprise IT organizations can use IIS log files as a source of operational, security and performance feedback for their web servers, but only if the correct people, processes and technologies have been implemented to streamline this process. To help streamline the process of reviewing IIS logs, many IT organizations have implemented an IIS log viewer software solution.
An IIS log viewer is a software application whose function is to streamline the process of viewing log files from an IIS web server. IIS log viewer software tools may be categorized as log aggregators, log management tools or SIEM tools, depending on the additional features and functions that they support. In addition to providing a unified view of IIS web server logs, an IIS log viewer tool may support additional functions such as log analysis, data normalization, monitoring & alerts, and reporting.
An IIS log viewer software tool delivers value by streamlining the process of viewing and analyzing IIS log files, but it is the content of these logs that developers are most interested in - not the viewer itself. IIS logs contain valuable performance, security and business insights that can be extracted through log aggregation and analysis using the appropriate software solutions. Below, we highlight some of the most common IIS log file fields along with their relevance to each area of web server performance.
Time Taken - When an IIS web server completes a request, the log entry will include the length of time that the action took in milliseconds. High latency can indicate operational or network issues that should be addressed to optimize the customer experience.
Bytes Sent/Received - When the IIS web server sends or receives data, the resulting log entry will indicate the total volume of data that was sent or received by the server. This metric can be used as an indicator of both operations and security. If the server begins to send an abnormally large volume of data, someone may have discovered an exploit to extract data from back-end systems. From an operational standpoint, data transmission logs can help IT operators assess demand for additional bandwidth and server capacity.
Method - When an IIS web server receives a client request, the resulting log entry includes a description of the action or method that was requested. This allows IT organizations to see how information was sent to the web server and detect any abnormal requests.
HTTP Status - An HTTP status code reveals valuable information about the results of a specific request. For IIS web servers, HTTP status codes can be used to determine how the server responded to a given request, whether the request succeeded or failed and whether an abnormal response occurred. Some HTTP status codes are also used to transmit information about errors to the customer. The customer might see a 301 redirect page if the data they requested has been moved permanently, or a 404 page if the data was not found on the server.
Client IP Address - When a client machine makes a request to the server, the resulting log entry includes the IP address where the request originated. IP addresses can be used to trace requests to a geographic region or a specific ISP. IT security analysts can use this information to determine the origin of suspicious traffic or as a means of authenticating users. If an application is meant to be accessed locally by users in California, a high number of requests from international IP addresses might indicate an attempted DoS or another type of cyber attack.
User Name - If your web application requires username and password authentication, log entries should include the user name of the person who sent a request to the server. This ensures that requests can be traced back to individual users.
Referrer - An IIS web server can be configured to log the referrer - the last website that a user visited before the server was queried. This can help marketing teams determine what online pages or resources are linking to the web site or application and identify the most profitable and successful marketing channels.
Cookie - Cookies are used to track user behavior on a web site or application. They can be used to remember the user's authentication status, the contents of a shopping cart, or other user-specific data. Cookies help to provide a continuous experience for users that are returning to your web page or application.
User-Agent - The user agent field indicates which browser was used to query your IIS web server. IT operators can correlate user agent data with request latency and user behavior data to help optimize the customer experience across channels.
Many of these IIS log fields are dual-purpose - they can serve as valuable sources of information for more than one area of concern. For organizations that wish to extract the maximum value from their IIS log files, implementing an IIS log viewer application can help to collect, organize and analyze the data into actionable business, security and operational insights.
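As an added example (not from the original page or from any vendor's product), the following Python code reads the `#Fields:` directive of an IIS W3C-format log and flags entries using three of the fields above: Bytes Sent (`sc-bytes`), Method (`cs-method`) and Time Taken (`time-taken`). The sample log lines, the expected-method set and the thresholds are constructed assumptions, and the code assumes those fields are enabled in the site's logging configuration.

```python
import statistics

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2024-05-01 10:00:01 GET /app/home - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 5120 310 45
2024-05-01 10:00:02 GET /app/cart alice 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0) 200 4890 298 52
2024-05-01 10:00:03 POST /app/login - 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0) 302 512 640 80
2024-05-01 10:00:04 GET /app/report bob 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 48200300 305 9400
2024-05-01 10:00:05 TRACE /app/home - 198.51.100.7 curl/8.0 405 230 120 3
2024-05-01 10:00:06 GET /app/missing - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 404 1245 300 12
"""

EXPECTED_METHODS = {"GET", "POST", "HEAD"}  # assumption: what this application legitimately uses


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive reappears when logging settings change
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def review(records, size_factor=20, slow_ms=5000):
    """Return (client IP, URI, reasons) for entries that deserve a closer look."""
    records = list(records)
    median_sent = statistics.median(int(r["sc-bytes"]) for r in records)
    findings = []
    for r in records:
        reasons = []
        if int(r["sc-bytes"]) > size_factor * median_sent:
            reasons.append("large-response")      # abnormally large volume of data sent
        if r["cs-method"] not in EXPECTED_METHODS:
            reasons.append("unexpected-method")   # abnormal request method
        if int(r["time-taken"]) > slow_ms:
            reasons.append("slow")                # high latency, in milliseconds
        if reasons:
            findings.append((r["c-ip"], r["cs-uri-stem"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

Comparing each response against the median of the same log keeps the size check relative to the site's own traffic; a fixed byte limit would need tuning per application.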
Sumo Logic's cloud-native platform is an ideal tool for IT organizations that depend on IIS web servers and wish to optimize their performance. With Sumo Logic as an IIS log viewer, IIS users can:
- Collect, aggregate and centralize event logs from IIS servers, customer applications, web apps and other IT infrastructure in a single location
- Troubleshoot IIS servers, identify performance bottlenecks and more easily discover the root causes of issues like missing content, HTTP errors and database errors
- Monitor customer interactions with web-based applications, including business metrics that help optimize the customer experience