How to Monitor HTTP Request Headers in IIS Logs: A Developer’s Guide


2 views

Internet Information Services (IIS) does indeed log HTTP request headers, but not by default. The standard IIS logging (W3C format) primarily captures fundamental request data such as:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

To capture custom headers or additional request information, you need to configure IIS specifically for this purpose.

You can enable header logging in IIS through two main approaches:

  1. Custom W3C Logging Fields - Add specific headers to the standard logging
  2. Advanced Logging Module - Use the separate Advanced Logging feature

Edit your site's logging configuration in IIS Manager:

1. Select your site in IIS Manager
2. Open "Logging" feature
3. Click "Select Fields"
4. Add custom fields from the available options
5. For headers, choose "Request Header" from the "Source Type" dropdown

Example configuration in applicationHost.config:

<logFile customFields="RequestHeader=User-Agent" />

For more comprehensive logging:

1. Install "Advanced Logging" module if not present
2. Create a new logging definition
3. Add the specific headers you want to capture
4. Example PowerShell to enable logging for Authorization header:
   Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' 
   -filter "system.webServer/advancedLogging/server" 
   -name "customFields" 
   -value @{sourceType='RequestHeader';sourceName='Authorization'}

After configuration, your logs will include the specified headers. Example log entry:

2023-05-15 14:22:35 192.168.1.1 GET /test.html - 80 - 192.168.1.2 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 312
CustomField: Authorization=Bearer+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

You can parse these logs programmatically. Here's a C# example to extract header information:

using System;
using System.IO;
using System.Text.RegularExpressions;

public class IISLogParser
{
    public void ParseHeaders(string logPath)
    {
        var logEntries = File.ReadAllLines(logPath);
        var headerPattern = new Regex(@"CustomField:\s(?<headerName>\w+)=(?<headerValue>.+)");
        
        foreach (var entry in logEntries)
        {
            var match = headerPattern.Match(entry);
            if (match.Success)
            {
                Console.WriteLine($"{match.Groups["headerName"]}: {match.Groups["headerValue"]}");
            }
        }
    }
}

For scenarios where you need more flexibility than IIS logging provides:

  • Implement custom HTTP modules to intercept and log requests
  • Use Application Request Routing (ARR) as a reverse proxy with enhanced logging
  • Consider third-party solutions like LogParser or GoAccess for advanced analysis

Be aware that logging additional headers will:

  • Increase log file size significantly
  • Add minor processing overhead to each request
  • May require additional storage planning

For high-traffic sites, consider logging only specific headers or implementing sampling.

Yes, IIS (Internet Information Services) can log HTTP request headers, but this capability isn't enabled by default. The logging mechanism requires specific configuration to capture header information, which can be crucial for debugging, security analysis, or API monitoring.

To enable request header logging in IIS, you need to modify the server's configuration:

<system.webServer>
    <tracing>
        <traceFailedRequests>
            <add path="*">
                <traceAreas>
                    <add provider="WWW Server" areas="RequestHeaders" verbosity="Verbose" />
                </traceAreas>
                <failureDefinitions statusCodes="200-399" />
            </add>
        </traceFailedRequests>
    </tracing>
</system.webServer>

For more control, you can create a custom IIS module to log headers:

public class HeaderLoggerModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.BeginRequest += OnBeginRequest;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var headers = app.Request.Headers;
        
        // Log headers to file or database
        File.AppendAllText(@"C:\logs\iis_headers.txt", 
            $"{DateTime.UtcNow}: {app.Request.Url} - Headers: {string.Join(", ", headers.AllKeys)}\n");
    }

    public void Dispose() { }
}

Once enabled, header information appears in:

  • IIS Failed Request Tracing logs (stored in %SystemDrive%\inetpub\logs\FailedReqLogFiles)
  • Custom log files if using a module approach
  • IIS Advanced Logging (when configured)

Here's how to specifically log authorization headers:

private void OnBeginRequest(object sender, EventArgs e)
{
    var app = (HttpApplication)sender;
    var authHeader = app.Request.Headers["Authorization"];
    
    if (!string.IsNullOrEmpty(authHeader))
    {
        Logger.TrackApiKeyUsage(authHeader, app.Request.Url);
    }
}

Remember that extensive header logging can impact server performance. Consider:

  • Logging only specific headers of interest
  • Implementing sampling for high-traffic servers
  • Using asynchronous logging mechanisms