Simple Log Service: Analyze IIS access logs

Last Updated: Aug 02, 2023

Simple Log Service allows you to collect and analyze Internet Information Services (IIS) access logs. This topic describes how to monitor and analyze access to your website by using IIS access logs. You can obtain data such as page views (PVs), unique visitors (UVs), requester locations, error requests, and inbound and outbound traffic.

Prerequisites

IIS logs are collected. For more information, see Collect logs in IIS configuration mode.

Note

During the collection process, Simple Log Service automatically generates indexes based on log content. You can modify indexes as needed. For more information, see Create indexes.

Background information

IIS is a secure web server that you can use to build and host websites. When you use IIS to build a website, you can collect and analyze IIS access logs.

We recommend that you use the following IIS W3C Extended Log Format:

logExtFileFlags="Date, Time, ClientIP, UserName, SiteName, ComputerName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, BytesSent, BytesRecv, TimeTaken, ServerPort, UserAgent, Cookie, Referer, ProtocolVersion, Host, HttpSubStatus"

The following example shows a sample IIS log:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2020-09-08 09:30:26
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-11-26 06:14:21 W3SVC692644773 125.67.67.* GET /index.html - 80 - 10.10.10.10 Baiduspider+(+http://www.example.com) 200 0 64 185173 296 0
  • Field prefixes

    Prefix    Description
    s-        Indicates a server action.
    c-        Indicates a client action.
    cs-       Indicates a client-to-server action.
    sc-       Indicates a server-to-client action.

  • Fields

    Field              Description
    date               The date on which the client sends the request.
    time               The point in time at which the client sends the request.
    s-sitename         The Internet service name and instance ID of the site that is visited by the client.
    s-computername     The name of the server on which the log is generated.
    s-ip               The IP address of the server on which the log is generated.
    cs-method          The request method that is used by the client, such as GET or POST.
    cs-uri-stem        The URI in the request.
    cs-uri-query       The query string that follows the question mark (?) in the HTTP request.
    s-port             The port number of the server.
    cs-username        The authenticated domain name or username that is used by the client to access the server. Authenticated users are indicated in the Domain\Username format. Anonymous users are indicated by a hyphen (-).
    c-ip               The actual IP address of the client that sends the request.
    cs-version         The protocol version that is used by the client, such as HTTP 1.0 or HTTP 1.1.
    cs(User-Agent)     The browser used by the client.
    Cookie             The content of the cookie that is sent or received. If no cookies are sent or received, a hyphen (-) is displayed.
    referer            The site from which the client is directed.
    cs-host            The host information.
    sc-status          The HTTP status code returned by the server.
    sc-substatus       The HTTP substatus code returned by the server.
    sc-win32-status    The Windows status code returned by the server.
    sc-bytes           The number of bytes sent by the server.
    cs-bytes           The number of bytes received by the server.
    time-taken         The time required to process the request. Unit: milliseconds.
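
The following Python example is added here for illustration and is not part of the original documentation. It parses the W3C Extended format described above by reading the #Fields directive, then computes the status code distribution and a per-client count of error responses locally. The sample log lines, IP addresses, user agents, and function names are constructed for this example.

```python
from collections import Counter

# Constructed sample in the page's field order; addresses are documentation ranges.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2020-09-08 09:30:27 W3SVC1 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 18517 296 15
2020-09-08 09:30:28 W3SVC1 192.0.2.10 GET /login.aspx - 80 - 203.0.113.9 ExampleClient/1.0 401 2 5 1293 210 3
2020-09-08 09:30:29 W3SVC1 192.0.2.10 GET /missing.html - 80 - 203.0.113.9 ExampleClient/1.0 404 0 2 1245 180 1
2020-09-08 09:30:30 W3SVC1 192.0.2.10 GET /report.aspx id=7 80 CORP\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 5120 301 42
2020-09-08 09:30:31 W3SVC1 192.0.2.10 GET /index.ht
"""

INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "sc-bytes", "cs-bytes", "time-taken"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if line.startswith("#") or not line.strip():
            continue  # directives and blank lines carry no request data
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rec = {}
        for name, raw in zip(fields, values):
            if raw == "-":
                rec[name] = None  # IIS writes a hyphen for an empty field
            elif name in INT_FIELDS:
                rec[name] = int(raw) if raw.isdigit() else None  # non-numeric: treat as missing
            elif name == "cs(User-Agent)":
                rec[name] = raw.replace("+", " ")  # spaces are logged as '+'
            else:
                rec[name] = raw
        yield rec

def status_counts(records):
    """Local equivalent of grouping requests by "sc-status"."""
    return Counter(r.get("sc-status") for r in records)

def errors_by_client(records, threshold=400):
    """Per c-ip count of responses whose sc-status is >= threshold."""
    return Counter(r.get("c-ip") for r in records if (r.get("sc-status") or 0) >= threshold)

if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print(status_counts(recs), errors_by_client(recs).most_common(3))
```
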

Procedure

  1. Log on to the Log Service console.
  2. In the Projects section, click the project that you want to manage.
  3. On the Log Storage > Logstores tab, click the Logstore that you want to manage.
  4. Enter a query statement in the search box, and then select a time range.

    A query statement consists of a search statement and an analytic statement in the Search statement|Analytic statement format. For more information, see Search syntax and SQL syntax and functions.

    • To collect statistics on the distribution of client IP addresses, execute the following query statement:

      *| select ip_to_geo("c-ip") as country, count(1) as c group by ip_to_geo("c-ip") limit 100
    • To calculate the number of PVs and UVs, execute the following query statement:

      *| select approx_distinct("c-ip") as uv ,count(1) as pv , date_format(date_trunc('hour', __time__), '%m-%d %H:%i') as time group by date_format(date_trunc('hour', __time__), '%m-%d %H:%i') order by time limit 1000
      [Figure: PVs and UVs]
    • To calculate the percentage of each HTTP status code returned, execute the following query statement:

      *| select count(1) as pv ,"sc-status" group by "sc-status"
      [Figure: Percentage of each HTTP status code]
    • To collect statistics on the inbound and outbound traffic, execute the following query statement:

      *| select sum("sc-bytes") as net_out, sum("cs-bytes") as net_in, date_format(date_trunc('hour', __time__), '%m-%d %H:%i') as time group by date_format(date_trunc('hour', __time__), '%m-%d %H:%i') order by time limit 10000
      [Figure: Inbound and outbound traffic]
    • To calculate the percentage of each request method, execute the following query statement:

      *| select count(1) as pv ,"cs-method" group by "cs-method"
      [Figure: Percentage of each request method]
    • To calculate the percentage of each browser type, execute the following query statement:

      *| select count(1) as pv, case when "user-agent" like '%Chrome%' then 'Chrome' when "user-agent" like '%Firefox%' then 'Firefox' when "user-agent" like '%Safari%' then 'Safari' else 'unKnown' end as "user-agent" group by case when "user-agent" like '%Chrome%' then 'Chrome' when "user-agent" like '%Firefox%' then 'Firefox' when "user-agent" like '%Safari%' then 'Safari' else 'unKnown' end order by pv desc limit 10
      [Figure: Percentage of each user agent (UA)]
    • To calculate the top 10 pages that are most frequently visited, execute the following query statement:

      *| select count(1) as pv, split_part("cs-uri-stem",'?',1) as path group by split_part("cs-uri-stem",'?',1) order by pv desc limit 10
      [Figure: Top 10 URLs by Number of Requests]