Parsing IIS Logs

IIS Logs can tell us how consistently they are slow, the page response sizes, for what class of users the pages are slow (admins/readers), and at what times of the day they are slow.

Useful  columns: time-taken, sc-status, cs-username, cs-uri-stem and sc-byte/cs-byte.

Using log parser or a tool I have written named Log2Sql I use TSQL queries to analyze the date looking for patterns such as:

· Are normally fast requests taking a long time, eg http status 401, 304, 404 – these should normally always be super-fast.

· Looking at extensions I would expect gif, png, jpg, etc to be very fast as well. I expect pdf, pptx, to be a bit slower.

· I look at the domain portion of cs-username and get an idea of what domains might be coming from and use that to query the customer about the user population and their experiences in remote domains.

· I look for very large cs-bytes with POST verbs, this is typically an indication of ViewState issues, also sc-bytes might indicate this too.

· I look for very large sc-bytes for aspx pages as this might indicate a very large page payload due to queries or some other expensive call to populate the data on the page.

SELECT TOP 50 EXTRACT_EXTENSION(cs-uri-stem) as extension, time-taken, sc-Status FROM {…} ORDER BY time-taken DESC


Parsing Logs

•Load LogParser

•Run the following against a ULS file, it may need modifying:
“Select * INTO C:\temp\test.log FROM C:\temp\ULS.log WHERE level = ‘Critical’” –i TSV –headerRow:on –o:TSV

•Load PowerShell

•Run the following commands, file dates, category names and severity names may need changing to suit your logs

$splogs = “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Logs”

Select-String “SharePoint Portal Server” $splogs\*20090728*.log

Select-String “SharePoint Portal Server” $splogs\*20090728*.log | Select-String “High“

Select-String “SharePoint Portal Server” $splogs\*20090728*.log | Select-String “High“ | %{$_.Line}

Select-String “SharePoint Portal Server” $splogs\*20090728*.log | Select-String “High“ | %{$_.Line} > selectedlog.txt

Notepad selectedlog.txt


2007 If you get “An unexpected error has occurred” with nothing written to the log files, what do you do? Turn on standard ASP.Net error page and full stack trace!

Change the web.config: -CallStack=“true”   and    <customErrors mode=“Off“/>

Simulate a unknown error page by changing <siteMap defaultProvider=”CurrentNavSiteMapProvider” enabled=”true”> in the web.config to <siteMap defaultProvider=”” enabled=”true”> and hitting the page.

Demo modifying the web.config for a Web app.


<customErrors mode=“Off“/>

Hit the page again and demo the new error.