locked
How to get real website name in IIS logs. RRS feed

  • Question

  • User-775850427 posted

    Hello everyone,

    I am facing a issue with the IIS logs function on IIS 8.5.

    My objective is to get the real sitename into the IIS logs  files instead than the website intance ID gave by s-sitename field :W3SVC6 or W3SVC1.

    I think the actual s-sitename field will not give me this value and I already tried couple server variables fields, do you know how I can get it?

    My actuel logs fields:

    #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-FORWARDED-FOR

    Thank you in advance for your help.

    Lud

    Wednesday, February 7, 2018 10:53 AM

All replies

  • User-460007017 posted

    Hi Luds,

    The s-sitename means "internet service name+ instance ID". That's why you get the s-sitename value like w3svc6. What about use the cs-host to get the binding host header for each website? If you still require to get the site name  of each websites. Then I suggest you to create a custom response header with your sitename and add a custom field to log the sitename response header.

    https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/logfile/customfields/add

    https://support.microsoft.com/en-us/help/954002/how-to-add-a-custom-http-response-header-to-a-web-site-that-is-hosted

    IIS always log the request based on different instance ID. So if you see 6 or 1, you should know which website the client is trying to access.

    Best Regards,

    Yuk Ding

    Thursday, February 8, 2018 3:17 AM
  • User-775850427 posted

    Hello Yuk,

    Thank you for your reply , I am working on it.

    Let me give more details about what I want to do:

    I want to centralize and analyse all our IIS logs on more than 100 windows 2012 R2 server, my main issue is than we are hosting different type of multi tenant web applications and the log structure are unfortunately not the same everywhere...

    The cs-host is not enough because it customizable by users so the only way I found to identify the application type is by using the website name but yes the tenant can be obtain with the cs-host field, please see below a example:

    IIS sites

    Thursday, February 8, 2018 10:34 AM
  • User-460007017 posted

    Hi Luds,

    The site name should be contained in the request header or body. So I think the only way to achieve this is add response header for each website.

    Best Regards,

    Yuk Ding

    Tuesday, February 13, 2018 8:45 AM
  • User-775850427 posted

    Hi Yuk,

    After somes research on microsoft documentations related to IIS.

    I found this :

    logSiteId

    Optional Boolean attribute.

    Specifies that the s-sitename field will contain either the site name (false) or the site ID (true). If the One log file per property is set to Site (the out-of-box default], then you won't get s-sitename column in the log file by default, because the log file name property will contain the site ID instead. If the One log file per property is set to Server, the-s-sitename column will be included in the log file by default.

    The default value is True, meaning that the s-sitename field contains the site ID. To log the site name instead, set logSiteID to False.

    Source => https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/

    While changing the logSiteId to false, I have the real sitename instead than the instance siteID:

    #Date: 2018-02-14 20:37:28
    #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken Test
    2018-02-14 20:37:25 DEFAULT+WEB+SITE FROVHWIN2K-02 ::1 GET /favicon.ico - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/64.0.3282.167+Safari/537.36 - http://localhost/ localhost 404 0 2 5015 365 1060 -
    2018-02-14 20:44:31 DEFAULT+WEB+SITE FROVHWIN2K-02 ::1 GET /favicon.ico - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/64.0.3282.167+Safari/537.36 - http://localhost/ localhost 404 0 2 5015 365 2 -

    I will see if this modification will come with new behaviors.

    Thank you for your help.

    Luds

    Wednesday, February 14, 2018 8:49 PM
  • User-460007017 posted

    Hi Luds,

    Thanks for sharing your experience.

    Best Regards,

    Yuk Ding

    Wednesday, March 7, 2018 8:43 AM