How to Locate and Analyze IIS7 Log Files for a Specific Website: Folder Structure and Tools


2 views

IIS7 stores log files in C:\inetpub\logs\LogFiles by default. The subfolders follow this naming pattern:

W3SVC{site-id}

Where {site-id} is the unique numeric identifier assigned to each website in IIS. To find your website's ID:

Run this PowerShell command to list all sites with their IDs:

Import-Module WebAdministration
Get-ChildItem IIS:\Sites | Select-Object Name, Id

Example output:

Name     Id
----     --
Default Web Site 1
MyBlog  2
API     3

Log files are in W3C Extended Log File Format. You can parse them with this PowerShell script:

$logPath = "C:\inetpub\logs\LogFiles\W3SVC2"
$latestLog = Get-ChildItem $logPath | Sort-Object LastWriteTime | Select-Object -Last 1
Import-Csv $latestLog.FullName -Delimiter ' ' -Header $headers

Microsoft provides these tools for log analysis:

  • Log Parser Studio (free GUI tool)
  • Log Parser 2.2 (command line tool)

Example Log Parser query:

SELECT TOP 100 cs-uri-stem, COUNT(*) AS Hits 
FROM ex*.log 
GROUP BY cs-uri-stem 
ORDER BY Hits DESC

Popular alternatives include:

  • BareTail (real-time log viewer)
  • ELK Stack (Elasticsearch, Logstash, Kibana)
  • GoAccess (web-based analyzer)

html

IIS7 organizes log files in a hierarchical structure under C:\inetpub\logs\LogFiles. Each website gets its own subfolder named using the following convention:

W3SVC{site-id}

The site-id corresponds to the internal IIS identification number for your website. Here's how to find it:

  1. Open IIS Manager
  2. Select your website in the left pane
  3. Check the "Basic Settings" where you'll see the ID in parentheses

Within each W3SVC folder, logs are created daily with this naming pattern:

u_ex{YYMMDD}.log

For example, u_ex220101.log would contain logs from January 1, 2022. The most recent file will have the current date.

Microsoft provides Log Parser 2.2 (free download) which can query IIS logs like a database. Example query for 404 errors:

logparser.exe "SELECT date, time, cs-uri-stem, sc-status 
FROM 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log' 
WHERE sc-status = 404"

For programmers who prefer PowerShell, here's a script to find recent 500 errors:

$logPath = "C:\inetpub\logs\LogFiles\W3SVC1\"
$latestLog = Get-ChildItem $logPath | Sort LastWriteTime | Select -Last 1
Select-String -Path $latestLog.FullName -Pattern " 500 "

While IIS doesn't include a built-in GUI viewer, these third-party tools are popular among Windows administrators:

  • Log Parser Studio (free)
  • Baretail (real-time log monitoring)
  • ELK Stack (advanced centralized logging)

You can modify IIS log fields via the "Logging" feature in IIS Manager. Common additional fields programmers often enable:

<logFile customFields="
  cs(User-Agent),
  cs(Referer),
  X-Forwarded-For
" />