LEM - IIS Advanced Logging

Set up the connector to receive the logs

1. Open the connectors on the node where IIS has been installed:
   MANAGE>Nodes>IIS Node>Gear Icon>Connectors
   
2. Type IIS in the search bar on the top left and then click the Gear Icon on the left hand side of the Microsoft IIS Advanced Logging Connector and select New:
   
3. Set up the IIS Advanced Logging Connector to point at the correct log file location: Make sure to review the folder path on the node.
   
4. Set the correct prefix and postfix for the log files in that location: Make sure to look at the log file on the node.
   
   
5. Save the Connector and Start it:
   

Check for the Logging

1. Create a Filter in the MONITOR>Filters area of the LEM WebConsole or Adobe Air Console to watch the incoming data using AnyAlert.ToolAlias=*Microsoft IIS W3C Advanced Logging* (make sure to modify the name if you changed the alias on the connector) and save the Filter:
   
2. Send the Filter Query to nDepth to review the data if needed or recreate the search in EXPLORE>nDepth:
   
3. If you are seeing data the IIS logging has started. If not, you will need to check the following items in IIS.

Set up IIS to send the logs to the log file in the correct format

1. Open IIS and select the Advanced Logging:
2. On the Advanced Logging page, Double click on the Group Name to open the Log Definition page:
3. On the Log Definition page click on the [Select Fields...] button to open the Select Logging Fields page:
4. Make sure the following items are checked on the Select Logging Fields page:
   
   date
   time
   s-ip
   cs-method
   cs-uri-stem
   cs-uri-query
   s-port
   cs-username
   c-ip
   cs(User-Agent)
   cs(Referer)
   sc-status
   sc-substatus
   sc-win32-status
   TimeTakenMS
   X-Forwarded-For
   
   
5. Apply the settings and restart IIS and the logging should start to come in after a few minutes.

Contact SolarWinds Technical Support if this does not cause the Advanced IIS logs to begin showing up on the LEM.