IIS
- Home
- Logging Guide
- How to locate IIS server log files: A definitive guide
How to locate IIS server log files: A definitive guide
In this page
- Step-by-step instruction on how to locate IIS log files
- How to enable logging in your IIS web server
- 5 best practices for IIS logging
Microsoft IIS is a widely used web server application for hosting websites. Monitoring IIS web server logs is an effective way to prevent a malicious entity launching attacks on your network. This article will explain the steps involved in locating your IIS log files.
To locate the IIS log files of a website, you need the following:
- The site ID
- The directory
You can find them in IIS Manager by following these simple steps:
Launch IIS Manager
Go to Windows Control Panel > System and Security > Administrative Tools > Internet Information Services (IIS).
OR
Open the Run dialog box > type inetmgr > click OK.
IIS Manager will be launched.
- The Connections pane
- The Features View
- The Actions pane
Make sure to locate them to follow along with the remaining steps.
Finding the site ID:
The site ID is used to uniquely identify the log folders of different websites.
- In the Connections pane, click the Sites drop-down menu and find the list of all websites hosted in the IIS server. The site ID of all websites will be displayed in a list view.
- In the Actions pane, click the Settings option. The site ID will be displayed in the Advanced Settings window.
If you cannot find the ID, follow the next step
Finding the location of the IIS log files:
Generally, IIS log files are stored in this default path:
%SystemDrive%\inetpub\logs\LogFiles
- Go to Windows File Explorer > C Drive > Inetpub folder > Logs folder > LogFiles.
- In IIS Manager, after selecting a website in the Connections pane, select Features View and double-click the Logging icon. The logging window will open. Scroll through to find the Directory field and use the path mentioned there to locate your log files.
Once you open the LogFiles folder, you will find multiple sub-folders of
different websites named in this pattern: W3SVC +Site ID.
If your site ID is 10, then open the folder named W3SVC10.
In case the folders can’t be found in this default path, follow the next step
Locating log files of earlier IIS versions:
Identify which version of IIS is used by your server.
For versions IIS 1.0-IIS 6.0, follow these steps to locate your log files:
- Launch IIS Manager.
- In the Connections pane, click the Sites menu. Find the site for which you want to view the logs, right-click it, and select Properties.
- From there, go to Active Log Format > Website tab > General Properties, then scroll down to find the directory field.
The full path along with the sub-folder name will be displayed like this:
%SystemDrive%\Windows\System32\LogFiles\W3SVC8
Security tip: Microsoft has stopped rolling out updates for earlier versions of IIS (1.0-6.0). Using outdated software becomes an easy vulnerability for cyber attackers to target. Unpatched Windows systems and poor awareness around updating software were found to be the major reasons for the large-scale 2017 Wannacry ransomware attacks.
Best practice: Audit your enterprise network systems regularly. Update and use the latest versions of software and OSs.
If you're still unable to find the IIS log files, it's possible logging might have been turned off.
How to enable logging in your IIS web server
Open IIS Manager. In the Connections pane, click the website you want to enable logging for > click Features View > double-click the Logging icon > click Enable in the Actions pane.
Simplifying IIS log access and analysis
Manually enabling IIS web server logging and analyzing the logs is quite tedious. To overcome this challenge, we have log management tools like ManageEngine EventLog Analyzer that automate the collection, monitoring, analysis, and retention of your IIS web server logs in a central server.
Apart from generating real-time alerts and reports for IIS server incidents, EventLog Analyzer also provides deeper insights into critical information such as HTTP status code summaries, password changes, top users, admin resource accesses, and server configuration changes.
Check out and download a 30-day, free trial of EventLog Analyzer here.