Parsing IIS Logs

Windows' built-in web server is Internet Information Services (IIS). It ships as a role in Windows Server builds but isn't enabled by default.

If you manage an IIS server, the logs are written under c:\inetpub\logs\LogFiles by default (one W3SVC<site id> folder per site). Without a tool or capability, the raw W3C-format text isn't the easiest to read. With that in mind, we can use PowerShell to parse the logs and find outliers and anomalies in the data.

We will start by reading a log file that has been moved to c:\ and viewing it in its original form using Get-Content.

From the output, we see a bunch of data. Lines beginning with # are W3C directives rather than requests; the one that matters is the #Fields: directive, which lists the field names in order. Just below it we see the request data, with each field separated by a single space (IIS writes any space inside a value, for example in a User-Agent, as +, so the space delimiter is safe). Understanding that, we can retrieve the field names (dropping the #Fields: token itself) and create our own CSV. The field names will become the property names on the resulting objects.

From the output, we can now see we have CSV-style objects. From here, filtering and parsing the log is much easier and cleaner.

We can get a count of log entries (one per request, each carrying a source IP) by doing the following, where $filePath is the log and $headers is the field-name array from the previous step:

(Get-Content $filePath | Select-String -Pattern '^#' -NotMatch | ConvertFrom-Csv -Delimiter ' ' -Header $headers).length

With the log that is being used, 72 requests were logged against the website. From here, we can determine how many unique IPs made them by doing the following:

((Get-Content $filePath | Select-String -Pattern '^#' -NotMatch | ConvertFrom-Csv -Delimiter ' ' -Header $headers | Sort-Object c-ip -Unique)."c-ip").count

Using the above against the log, we can tell that 40 unique IPs accessed the website. From here, we can return a full list of those IPs by doing the following:
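The whole procedure from the previous steps (read the file, pull the field names from the #Fields: directive, convert the data rows, then count requests, count and list unique IPs) as one added example. This is not the post's own script: the log lines are constructed for illustration, and the function name ConvertFrom-IisLog and the per-IP summary at the end are my additions. The parser re-reads the field names every time it meets a #Fields: line, because IIS writes a fresh directive block when the log is reopened (for example after a service restart) and the column order can change between blocks.

```powershell
# Added example, not code from the original post. Constructed W3C-format IIS log:
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 00:00:01 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2024-05-01 00:00:02 10.0.0.5 GET /login.aspx - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 22
2024-05-01 00:00:03 10.0.0.5 POST /login.aspx - 80 - 203.0.113.9 curl/8.0 - 401 2 5 8
2024-05-01 00:00:04 10.0.0.5 POST /login.aspx - 80 - 203.0.113.9 curl/8.0 - 401 2 5 9
2024-05-01 00:00:05 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 curl/8.0 - 404 0 2 3
2024-05-01 00:00:06 10.0.0.5 GET /index.html - 80 - 192.0.2.44 Mozilla/5.0 - 200 0 0 12
'@
$filePath = Join-Path $env:TEMP 'u_ex240501.log'   # assumed scratch path for the sample
Set-Content -Path $filePath -Value $sampleLog -Encoding ascii

function ConvertFrom-IisLog {
    # Turn an IIS W3C log into objects whose properties are the #Fields: names.
    param([Parameter(Mandatory)][string]$Path)
    $headers = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line.StartsWith('#Fields:')) {
            # Drop the '#Fields:' token; what remains are the column names in order.
            $headers = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        # Other '#' lines (#Software, #Version, #Date) are directives, not requests.
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $headers) { throw "Data line seen before any #Fields directive in $Path" }
        $line | ConvertFrom-Csv -Delimiter ' ' -Header $headers
    }
}

$entries = @(ConvertFrom-IisLog -Path $filePath)

# Request count (the post's first number) and unique client IP count (its second).
"Requests:   $($entries.Count)"
"Unique IPs: $(@($entries.'c-ip' | Sort-Object -Unique).Count)"

# Full list of distinct client IPs.
$entries.'c-ip' | Sort-Object -Unique

# Outliers: requests per IP, and how many of them were 4xx/5xx responses.
$entries | Group-Object c-ip | Sort-Object Count -Descending |
    Select-Object @{n = 'c-ip'; e = { $_.Name }}, Count,
        @{n = 'NonSuccess'; e = { @($_.Group | Where-Object { [int]$_.'sc-status' -ge 400 }).Count }} |
    Format-Table -AutoSize
```

On the constructed sample this reports 6 requests from 3 unique IPs, and the per-IP table puts 203.0.113.9 at the top with three requests, all of them 401 or 404 (failed logins followed by a probe of /admin/), which is exactly the kind of outlier the counts alone would hide. Point $filePath at a real u_ex*.log to run it against your own server; work on a copy rather than the file IIS is still writing to.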

With these IPs, we can conduct further analysis based on their geographic location. We can do this by utilizing a free API from http://api.ipapi.com and the code below.

From the above, we are able to enrich the data about the IP addresses accessing the website. The analysis doesn't stop here: further work can be done based on each IP's activity on the website, or on the reputation of the IPs as reported by a number of platforms.
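An added example of the enrichment step, written by me rather than taken from the post. The lookup is a pluggable scriptblock so the example runs offline against a constructed table; passing -AccessKey switches it to the ipapi.com endpoint the post refers to. The request URL format and the response field names (country_name, region_name, city) for that service are assumptions to be checked against the provider's documentation, not something the post states. Two practical checks are built in: private, loopback and link-local addresses are never sent to the API (they won't resolve, and there is no reason to hand your internal address plan to a third party), and a failed lookup is recorded rather than aborting the run.

```powershell
# Added example, not code from the original post.

function Test-PrivateIp {
    # RFC 1918, loopback and link-local ranges: skip these before any external lookup.
    param([Parameter(Mandatory)][string]$Ip)
    $Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
}

function Get-IpGeo {
    param(
        [Parameter(Mandatory)][string[]]$Ip,
        [string]$AccessKey,      # ipapi.com key; used only when no -Resolver is given
        [scriptblock]$Resolver   # takes an IP, returns an object with Country/Region/City
    )
    if (-not $Resolver) {
        if (-not $AccessKey) { throw 'Supply -AccessKey for ipapi.com or a -Resolver scriptblock' }
        $Resolver = {
            param($addr)
            # Assumed request/response shape for api.ipapi.com. Note the post's URL is plain
            # http, so the IPs you query cross the network in cleartext.
            $r = Invoke-RestMethod -Uri "http://api.ipapi.com/api/$addr?access_key=$AccessKey" -Method Get
            [pscustomobject]@{ Country = $r.country_name; Region = $r.region_name; City = $r.city }
        }.GetNewClosure()
    }
    # Deduplicate first so each address costs at most one API call.
    foreach ($addr in ($Ip | Sort-Object -Unique)) {
        if (Test-PrivateIp $addr) {
            [pscustomobject]@{ 'c-ip' = $addr; Country = 'private'; Region = $null; City = $null }
            continue
        }
        try   { $geo = & $Resolver $addr }
        catch { $geo = [pscustomobject]@{ Country = "lookup failed: $($_.Exception.Message)"; Region = $null; City = $null } }
        [pscustomobject]@{ 'c-ip' = $addr; Country = $geo.Country; Region = $geo.Region; City = $geo.City }
    }
}

# Constructed offline table standing in for the API during a dry run.
$offline = @{
    '198.51.100.7' = @{ Country = 'Exampleland'; Region = 'North'; City = 'Docs' }
    '203.0.113.9'  = @{ Country = 'Testonia';    Region = 'East';  City = 'Sample' }
}
$offlineResolver = {
    param($addr)
    if ($offline.ContainsKey($addr)) { [pscustomobject]$offline[$addr] } else { throw 'no record' }
}.GetNewClosure()

# In practice $ips would be $entries.'c-ip' from the parsed log; constructed here.
$ips = '198.51.100.7', '203.0.113.9', '192.168.1.10', '198.51.100.7', '192.0.2.44'
Get-IpGeo -Ip $ips -Resolver $offlineResolver | Format-Table -AutoSize

# Live variant (network access and a key required):
# Get-IpGeo -Ip $ips -AccessKey 'YOUR_KEY' | Export-Csv .\ip-geo.csv -NoTypeInformation
```

The dry run yields four rows: the two known addresses with their country, region and city, 192.168.1.10 marked private without any lookup, and 192.0.2.44 marked as a failed lookup; the duplicate 198.51.100.7 is collapsed before resolution. Keep the output alongside the per-IP request counts, since a single IP with many failed logins from an unexpected country is a far stronger signal than either fact on its own.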

All the code used above can be found on my Github (https://github.com/WiredPulse/IIS_Log_Parser).