IIS Log Analysis – Best Tools and Practices

on October 21, 2020

When you host applications on Microsoft web server technology Internet Information Services (IIS), your system administrators must carry out the ongoing task of IIS log analysis. This means they monitor the variables indicating whether IIS-hosted applications are running at optimal performance. You can also use IIS logs to check the security and integrity of said applications. When IIS was released back in 1995, it came with a log tracker that stored data in .txt format. It still does. However, reading through a thousand lines of text looking for diagnostic data is a tedious task. This brought about the need for third-party IIS log analysis tools.

In this post, we showcase some of these tools, along with best practices to help you keep an analytical eye on IIS logs. The tools listed here enable you to easily filter events. Some even go as far as notifying the system administrators when an anticipated event is triggered. We assume prior knowledge of IIS, but you can read some IIS content for a refresher.

Without further ado, let’s dive into the three tools you should consider when analyzing IIS logs.

Best IIS Log Analysis Tools

The tools listed here have all been tested and evaluated on how much easier they make IIS log analysis. We provide a breakdown of our experience with each tool, giving you a glimpse of what to expect when you sign up and start tracking logs with the service. Performance and security are the two areas IIS server administrators and other technical staff around a system care about most, so we look specifically at tools that address these two aspects of IIS server health.

1. SolarWinds Loggly

© 2020 SolarWinds Worldwide, LLC. All rights reserved.

SolarWinds® Loggly® is a log analysis tool delivered on a SaaS platform. Loggly displays important logs on a dashboard and goes on to index, parse, and sort your logs according to your preferences. Loggly allows you to analyze and troubleshoot performance issues. It’s perfect if you want to keep a closer eye on applications hosted in the cloud. Loggly is compatible with AWS, GCP, and a long list of other reputable public, private, and hybrid cloud services providers.

This is only half of the system/server administration equation, but when implemented correctly, it should help keep systems up—not constantly crashing. Companies like Lenovo, Lucidchart, and EA use Loggly when analyzing usage data with the intent of keeping systems working at peak performance. This demonstrates the service’s efficiency when it comes to delivering on its core functionalities and user support.

Additionally, Loggly presents logs in JSON format, making them easier to read than in the default .txt file IIS uses. Below, you can see the clean view the Loggly dashboard provides when you search for logs using the tag “IIS” as a filter:


2. SolarWinds Security Event Manager

For a security-focused look into IIS logs, SolarWinds Security Event Manager (SEM) is a handy tool. It gives an administrator functions to drill into access logs. You can isolate text logs based on the node an IIS service request came from, so you can run node-specific queries to troubleshoot performance concerns. Setting policies and rules in SEM enables the analyzer to notify administrators of suspicious activity. An easy-to-understand dashboard lists these events according to their relative threat levels, types, source machine, and user. This is more than you can extract from the default .txt log file Microsoft IIS provides.


3. SolarWinds Papertrail

Since we’re going to discuss best practice methods to keep IIS logs under control, we might as well suggest tools designed to make both performance and security logs available on one dashboard. SolarWinds Papertrail is one such tool. Setting up Papertrail to track IIS logs is pretty straightforward; the developers and support team prepared a comprehensive manual. Once done, you won’t have to stay hooked into the various interfaces within the application. The list of third-party applications that integrate with Papertrail keeps expanding.


Papertrail is perfect for cluster log management and analysis, and it’s a cloud-hosted application. An added advantage it has over other log filtering services is it can plug into the applications you host using IIS. This means you don’t look at only IIS, but the entire stack and the system you’re hosting when troubleshooting performance and security issues. Reputable companies that use Papertrail include GitHub, Travis CI, and Product Hunt.

Best Practices When Analyzing IIS Logs

Now that you have the tools, let’s focus on how best to use them. The first thing to do when trying out these tools on your system instances is to run a parallel trial alongside your existing process. To analyze logs and learn how to use the tools above, we assume logs are available in the default IIS logs folder. Even when you don’t have such data, dropping whatever method you’ve been using thus far and diving straight into a new way of doing things could be counterproductive. Loggly also lets new users try out each feature using dummy data: you specify a log source matching your enterprise’s, and it populates samples for you to test on.


The next step is to integrate one of the tools suggested above with your environment. This stage has comprehensive documentation. The THWACK® community for IT professionals should come to your rescue if you face any undocumented challenges.

With a log monitoring application ready and waiting to filter and arrange logs, three things stand out as best practices. These three will make sure you’re using the application at full capacity from the moment data starts streaming in.

Best Practices Checklist

Standard with each of these tools is the ability to set notifications for monitored events. As you saw in the Papertrail image of the system, third-party applications push notifications to mobile devices in real time. Below are some best practices you should follow when analyzing IIS logs:

  1. To effectively use log analysis applications, you’re going to need defined events to trigger such notifications. Applications like Slack make it easy for the right people to receive system status notifications, often resulting in shorter downtimes. Be sure to connect any other third-party applications you may use for collaboration across departments, such as Jira.
  2. At this point, we expect you’re done with setting up triggers. Also, your mobile devices have been configured to notify you in real time when a system-critical event occurs. Next on the best practices list is saving queries. Once you’ve grasped search query syntax, you might want to save each new query you perform. This way, other administrators won’t have trouble following up on the logs you mention to them in chat as you troubleshoot issues.
  3. Last but not least, when presenting information you pick up from the log haystack, use data visualization tools. This applies when you’re showing live metrics as much as when you’re preparing slides for presentations. These suggested platforms have the option to export reports and share them with stakeholders in formats they understand. Showing lines of gibberish to non-technical personnel only undermines your efforts to make the data understood.
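To make the first two checklist items concrete, here is an added example in Python that is not code from this post or from SolarWinds. It works directly against the raw .txt records IIS writes (the W3C extended format mentioned at the top of the post): it reads the `#Fields:` header to learn the column layout, then runs three "saved queries" as alert rules, one performance trigger (requests slower than a threshold), one availability trigger (share of 5xx responses), and one security trigger (a client producing a burst of 404s, the pattern left by path probing). The sample log, the field list, the thresholds, and the function names are all constructed for the example.

```python
"""Parse IIS W3C extended log records and evaluate saved alert rules over them.

Added example; not code from the post or from SolarWinds. The sample log,
thresholds and function names are constructed for illustration.
"""
from collections import Counter

# Constructed sample log in IIS W3C extended format (not from a real server).
# IIS writes one space-separated record per request, "-" marks an empty field,
# and time-taken is in milliseconds.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-10-21 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-10-21 09:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2020-10-21 09:00:02 10.0.0.5 GET /api/orders id=7 443 alice 203.0.113.10 Mozilla/5.0 200 0 0 3200
2020-10-21 09:00:03 10.0.0.5 GET /admin/config.php - 443 - 198.51.100.7 curl/7.64 404 0 2 4
2020-10-21 09:00:03 10.0.0.5 GET /wp-login.php - 443 - 198.51.100.7 curl/7.64 404 0 2 3
2020-10-21 09:00:04 10.0.0.5 GET /.env - 443 - 198.51.100.7 curl/7.64 404 0 2 3
2020-10-21 09:00:05 10.0.0.5 POST /api/orders - 443 bob 203.0.113.11 Mozilla/5.0 500 0 0 120
2020-10-21 09:00:06 10.0.0.5 POST /api/orders - 443 bob 203.0.113.11 Mozilla/5.0 500 0 0 118
2020-10-21 09:00:07 10.0.0.5 GET /index.html - 443 - 203.0.113.12 Mozilla/5.0 200 0 0 12
"""

NUMERIC_FIELDS = ("sc-status", "sc-substatus", "sc-win32-status", "time-taken", "s-port")


def parse_w3c(text):
    """Return one dict per request record, keyed by the names in the #Fields header.

    Lines starting with '#' are directives, not requests. The #Fields directive
    can appear again when IIS rolls the log or the field selection changes, so it
    is re-read every time it occurs.
    """
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # a record before any #Fields header cannot be interpreted
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip it rather than misalign columns
        row = dict(zip(fields, parts))
        for key in NUMERIC_FIELDS:
            if key in row and row[key].isdigit():
                row[key] = int(row[key])
        rows.append(row)
    return rows


def slow_requests(rows, threshold_ms=1000):
    """Performance rule: requests whose time-taken exceeds threshold_ms."""
    return [(r["cs-uri-stem"], r["time-taken"]) for r in rows
            if isinstance(r.get("time-taken"), int) and r["time-taken"] > threshold_ms]


def server_error_rate(rows):
    """Availability rule input: fraction of requests answered with a 5xx status."""
    if not rows:
        return 0.0
    errors = sum(1 for r in rows
                 if isinstance(r.get("sc-status"), int) and 500 <= r["sc-status"] < 600)
    return errors / len(rows)


def not_found_bursts(rows, threshold=3):
    """Security rule: clients that produced at least `threshold` 404 responses."""
    counts = Counter(r["c-ip"] for r in rows if r.get("sc-status") == 404)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def evaluate(text, slow_ms=1000, max_error_rate=0.05, burst=3):
    """Run the saved rules over a log and return alert strings ready for a notifier."""
    rows = parse_w3c(text)
    alerts = []
    for uri, ms in slow_requests(rows, slow_ms):
        alerts.append(f"SLOW {uri} took {ms} ms (> {slow_ms} ms)")
    rate = server_error_rate(rows)
    if rate > max_error_rate:
        alerts.append(f"ERRORS {rate:.0%} of requests returned 5xx (> {max_error_rate:.0%})")
    for ip, n in sorted(not_found_bursts(rows, burst).items()):
        alerts.append(f"PROBING {ip} produced {n} 404 responses (>= {burst})")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

On a real server, feed `parse_w3c` the contents of a file from the default IIS log directory (`%SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>\` on IIS 7 and later) instead of `SAMPLE_LOG`; the `evaluate` output is the kind of message you would hand to a Slack or mobile notification hook, and the three rule functions are the "saved queries" other administrators can rerun unchanged.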

These are just a few of the best ways you can view logs with these IIS log analysis tools. It may take time to get used to the user interfaces of each tool above; however, the learning phase is well worth the insights you stand to gain.

Choosing the Best IIS Log Analysis Tool

You may want to try out the tools we have suggested in this post. A tool that runs queries using a scripting language your developers are already accustomed to is a great fit. In the case of Loggly, this would be JSON. Another point to consider is how effectively the log analysis tool covers your most common incidents. Sure, you could make the first tool you try fit any incident, but after a few trials, you’ll discover that some tools are better at certain tasks than others. Working with logs from IIS in .txt form is likely to slow down troubleshooting efforts rather than help you. This is why applications such as SolarWinds Papertrail, Security Event Manager, and Loggly are crucial in simplifying IIS log analysis.

This post was written by Leo Gwangwadza. Leo is a BSc computer science graduate with over a decade of systems analysis, implementation, and support experience.

*As of September 2020
