Quick way to query IIS logs for 40x and 50x requests

12 Dezember 2012

For troubleshooting and general interest, I often have to look at the IIS log files for my web sites. There are always too many lines I'm not interesting in so I needed a way to filter for certain status codes.

Because nowadays rather than using RemoteDesktop, I'm using a remote PowerShell session, I needed the solution to work on the command line.

The established tool for looking at IIS log files is LogParser, so rather than reinventing the wheel I am using it. However to query for certain statuses you need to write a sql-like query or at least change a pre-existing file with such a query.

So I wrote a small PowerShell wrapper for LogParser, which allows me to do things like this:

.\Show-w3logs.ps1 -site hahndorf.eu -status 404.11 -hours 2 -show

this shows me all requests with a 404.11 status in the last two hours.

.\Show-w3logs.ps1 -status 5* -hours 10 -show

Shows all requests with 50x statuses in the last 10 hours for all sites on the server.

Requirements:

Works on all supported Windows Servers, including 2016

Setup:

Download LogParser from Microsoft, it's an msi file which you could install on your server. I never do this, I just install it on a dummy VM and then copy the two files 'LogParser.exe' and 'LogParser.dll' over to my server. (If you don't happen to have a dummy VM, use 7Zip to extract the files and then rename LogParser_exe.B1735C0B_1CB5_4257_8281_92109AE41CE6 to LogParser.exe and LogParser_dll.B1735C0B_1CB5_4257_8281_92109AE41CE6 to LogParser.dll)

Download the zip file for the scripts and extract the two files into a directory on your server.

Show-W3logslib.ps1 has the main content and you don't need to change it unless you want to change the functionality. Show-W3logs.ps1 is the file you are actually using and you need to configure it a little bit:

You need to change the last three lines.

outputDir is the directory where the results of the query are saved to. You can use a location under a web-root, so you can view the results via a browser or just any other location on your server.

logparser is the full path to the LogParser.exe executable which you downloaded before.

logslocation is the location of your IIS logfiles, if you are using the defaults it should be

"C:\inetpub\logs\LogFiles\W3SVC{siteid}\u_ex*.log"

The {siteid} is later replaced with the actual ID of the web site. I usually put the logs for each site under a folder for that site like

D:\sites\mysitename\logs\W3WVC51\u_ex*.log

In this case I need to set logslocation to

D:\sites\{site}\W3SVC{siteID}\u_ex*.log'

{site} is later replaced with the name of the site, it has to be the name of the web site as defined in IIS manager.

This also means the logs for all sites need to be under the same parent folder.

All other stuff in Show-W3logs.ps1 can be left as it is. Make sure you don't delete any of the back ticks and don't put any white-space or other characters after them. The back ticks are line continuation characters and with them the script just looks better.

Usage:

Open a PowerShell window as an elevated administrator, otherwise you don't have access to the log files.

Navigate to the directory with the scripts and start typing:

Show-W3Logs - [tab multiple times]

You can see the parameters for the script, some of the parameters are shortened compared to the ones for Show-W3LogsLib.

To get help type:

help Show-W3LogsLib -full

 

Please notice that even though we are calling Show-W3Logs, the help is in Show-W3LogsLib, the help describes each parameter. To see some examples type

help Show-W3LogsLib -examples

Examples:

Show-W3Logs -site foobar -hours 1 -status 404 -show

Shows all 404 requests for the site 'foobar' in the last hour.

Show-W3Logs -hours 1 -status 5x -show

Shows all 50x requests for all sites in the last hour.

Show-W3Logs -hours 1 -status 404.6 -show

Shows all 404.6 requests for all sites in the last hour.

Show-W3Logs -hours 1 -status 404!0 -show

Shows all 404.x requests except for 404.0 for all sites in the last hour.

Show-W3Logs -hours 1 -status ">401" -show -ua -ip

Shows all requests with status 401 or greater for all sites in the last hour. Includes the user-agent and client-ip address in the output

Show-W3Logs -hours 1000 -status ">501" -show -dt -site dummy

Shows all requests with status 501 or higher for the site 'dummy' in the last 1000 hours. Includes the date in the output

Things to keep in mind

IIS caches the request logs before writing it to the files. If you need the latest entries, stop and start the web site before looking at the logs.
You could also use:

netsh http flush logbuffer
to flush the buffers for the whole server.

All times in the logs are in UTC and not your local or the server's time, keep this in mind when looking at them.

Pages in this section

Categories

ASP.Net | Community | Development | IIS | IT Pro | Security | SQL (Server) | Tools | Web | Work on the road | Windows