How to retrieve IIS HTTP logs remotely
In a previous blog post I explained how to configure IIS HTTP logging. The next step is to analyze these logs. If you just use a text editor you can analyze them directly on the server, but if you use a log analysis tool like the HttpLogBrowser, parsing and analyzing the log files can be CPU intensive, so it is recommended to download these logs and use such a tool on a workstation. In this article we will see how to share the logs on the web server so they can be downloaded remotely.
We will first treat the case when the web server is accessible through the LAN and then the case when the web server is only accessible through the internet.
Local web server
If the server is on your LAN you just need to share the IIS log folder using Microsoft file and printer sharing, with read-only access permissions.
- In the Windows Explorer, right click on the folder C:\inetpub\logs\LogFiles
- Click on Properties
- Click on the Sharing tab
- Click on Advanced sharing
- Check Share this folder
- Specify the name of the share (e.g. HttpLogs)
- Click on Permissions and specify which user or groups should be able to retrieve logs.
- Click OK until all dialog boxes are closed.
We suppose here that the accounts concerned are already allowed to access the log files through the file system permissions. If that’s not the case please read the previous article about the IIS log configuration.
Then you just need to access the share with the Windows explorer from your workstation to retrieve them from the following path: \\SERVERNAME\HttpLogs
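The same share can be created and checked from an elevated PowerShell prompt on the server. This is an added example, not part of the original article: the share name and folder are the ones used above, while the group CONTOSO\IISLogReaders is a placeholder for your own reader group.

```powershell
# Added example. Share name and path come from the article; the group is a placeholder.
$logPath   = 'C:\inetpub\logs\LogFiles'
$shareName = 'HttpLogs'
$readers   = 'CONTOSO\IISLogReaders'   # hypothetical security group

# Create the share and grant Read to the reader group only.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $logPath -ReadAccess $readers `
        -Description 'IIS HTTP logs (read only)' | Out-Null
}

# Share-level check: every Allow entry should be Read, and only for the reader group.
$unexpected = Get-SmbShareAccess -Name $shareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.AccessRight -ne 'Read' -or $_.AccountName -ne $readers)
}
if ($unexpected) {
    Write-Warning "Share '$shareName' grants more than read access to $readers alone:"
    $unexpected | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
}

# File-system check: effective access is the more restrictive of the share and
# NTFS permissions, so list what the reader group holds on the folder itself.
$ntfs = (Get-Acl -Path $logPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $readers }
if (-not $ntfs) {
    Write-Warning "$readers has no direct NTFS entry on $logPath; access then depends on other group memberships."
} else {
    $ntfs | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}
```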
Web server on the internet
If your web server is not on your local network you will need to use the FTP protocol to access these logs. So in the following section I will explain how to enable the FTP server even if there is a good chance that’s already the case in order to synchronize some web content. I will then explain how to configure more specifically the access to the log folder through the FTP server.
Install and configure a FTP site
We suppose here that there is no FTP site configured yet on the web server, so we will install a new FTP site to remotely access a folder that may not be the log folder itself but could be the root folder of your web site.
Install the FTP site component
The first thing to do is to make sure that the FTP site Windows feature is installed.
- Open the Server manager and click on Add roles and features.
- Click next until you reach the Server roles section
- And here select FTP service in the Web Server (IIS)/FTP Server category
- Then click Next until the end of the wizard and then click Install
Create a SSL certificate
Then before adding the FTP site in IIS you also need to check if a certificate is available to secure the communication. In the IIS administration console select the computer node and double click on Server Certificates.
Then verify if a valid certificate is listed here.
If no certificate is listed you can click on Create Self signed certificate to generate one, but this method generates a certificate that is not recognized by the latest versions of FileZilla and more generally by FTP clients based on the latest versions of GnuTLS.
The recommended way is to use the following PowerShell command:
New-SelfSignedCertificate -DnsName %ServerAddress% -CertStoreLocation "cert:\LocalMachine\My"
Replace %ServerAddress% with the address that you will use to access the FTP server.
Add the FTP site
Once the FTP site feature has been installed and the required certificate has been created you can re-open the IIS administration console and right click on the Sites node and click on Add FTP site.
Then specify a name for your FTP site and specify the path to the main folder you want to access remotely. This can be a different folder than the log folder. It could be the root folder of your web site in order to synchronize the web content. You will then be able to add later the log folder as a virtual directory (explained in the next section).
Then you need to specify the SSL certificate that you created previously. Don’t unselect Require SSL, because otherwise the password of the account accessing the FTP site will be transmitted in clear text over the internet.
In the next page select Basic as authentication. For the Authorization select either Specified roles or user group or Specified users. Then specify respectively a Windows security group or a user for which you want to allow access to the FTP site and select at least Read in Permissions. Select Write only if you share another folder than the log folder and you may need to upload some content.
Then you can click Finish to create the FTP site.
Add virtual directory
Now that the FTP server is up and running either after executing the previous steps or because it was already installed we will see how to share specifically the log folder as a virtual directory.
To do that, in the IIS administration console right click on the FTP site and click on Add Virtual Directory.
Then specify a name for the virtual directory and specify the folder where the log files are located and click OK.
Once the virtual folder has been created you may add a corresponding physical folder in the root folder of the FTP site in order to see the virtual folder when you list the content of the root folder (e.g. create the sub folder IISLogs in c:\inetpub\wwwroot if this is your root folder). This is not required, but if you don’t do it the virtual folder will be hidden and you will need to specify the path manually in the FTP client to enter the folder.
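The steps of the Add the FTP site and Add virtual directory sections can also be scripted with the WebAdministration module. This is an added example, not part of the original article; the site name, group name and server address are placeholders, and the certificate is assumed to already exist in the LocalMachine\My store.

```powershell
# Added example. Site name, group and address are placeholders (assumptions).
Import-Module WebAdministration

$siteName = 'LogFtp'                     # hypothetical FTP site name
$rootPath = 'C:\inetpub\wwwroot'         # main folder of the FTP site
$logPath  = 'C:\inetpub\logs\LogFiles'   # folder exposed as virtual directory
$group    = 'IISLogReaders'              # hypothetical Windows security group
$address  = 'ftp.example.com'            # address used to reach the server

# Pick a certificate issued for that address that has not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $address -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $address in LocalMachine\My" }

New-WebFtpSite -Name $siteName -Port 21 -PhysicalPath $rootPath | Out-Null
$site = "IIS:\Sites\$siteName"

# "Require SSL": bind the certificate and require TLS on both channels so the
# Basic authentication password never crosses the network in clear text.
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslRequire'
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# Authorization: the group gets Read only; Write is deliberately not granted.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' `
    -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; roles = $group; permissions = 'Read' }

# Expose the log folder as a virtual directory, plus an empty physical folder
# of the same name so it shows up when the root folder is listed.
New-WebVirtualDirectory -Site $siteName -Name 'IISLogs' -PhysicalPath $logPath | Out-Null
New-Item -ItemType Directory -Path (Join-Path $rootPath 'IISLogs') -Force | Out-Null

# Read the channel policies back to confirm that TLS is required.
Get-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy
Get-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy
```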
Retrieve logs with a FTP client
Now that the FTP server is configured to remotely access IIS log files we can do a test. On a workstation we can install for example the FileZilla FTP client and once installed:
- In FileZilla open the Site manager from the Files menu and configure a new site.
- Specify the internet address of your web server
- For the encryption select Require explicit FTP over TLS.
- Select Normal as Logon type
- Specify the credentials of the user you configured to access the FTP site in IIS.
Once done you can click on Connect and you are prompted with the following dialog.
FileZilla asks you to confirm that the certificate is correct. Verify that it’s the certificate previously configured on the server. If OK, select Always trust certificate in future sessions and click OK.
If instead you get the following error message it means that the certificate was generated by the IIS administration console and you need to generate it with PowerShell instead as explained in the Create a SSL certificate section. Alternatively you can also use another FTP client like WinSCP.
“GnuTLS error -48: Key usage violation in certificate has been detected.”
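To see which certificates on the server are likely to trigger this message, you can list their Key Usage values before selecting one for the FTP site. This is an added example, not part of the original article; it assumes that the violation reported by GnuTLS is a Key Usage extension that lacks Digital Signature, and the function name is hypothetical.

```powershell
# Added example: report the Key Usage of each certificate in a store.
# Assumption: a certificate whose Key Usage extension lacks DigitalSignature
# is the kind that GnuTLS-based clients reject with error -48.
function Get-CertKeyUsageReport {
    param([Parameter(Mandatory)][string]$StorePath)

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Key Usage is extension OID 2.5.29.15; decode it into its flag enum.
        $raw = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        if ($raw) {
            $ku = New-Object System.Security.Cryptography.X509Certificates.X509KeyUsageExtension `
                -ArgumentList $raw, $raw.Critical
            $usage   = $ku.KeyUsages
            $canSign = $usage.HasFlag(
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
            $verdict = if ($canSign) { 'OK' } else { 'No DigitalSignature: regenerate with PowerShell' }
        } else {
            # Without the extension the key is not restricted to specific usages.
            $usage   = 'None (extension absent)'
            $verdict = 'OK'
        }
        if ($cert.NotAfter -lt (Get-Date)) { $verdict = 'Expired' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyUsage   = $usage
            Verdict    = $verdict
        }
    }
}

Get-CertKeyUsageReport -StorePath 'Cert:\LocalMachine\My' | Format-List
```

Compare the Thumbprint column with the certificate shown in the FileZilla dialog when you verify it on first connection.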
Once the certificate has been successfully approved you can now access the log folder on the web server and retrieve the log files.
However, if you try to download the latest log file currently being written by IIS you may get an error saying that the file is opened by another process.
“550 The process cannot access the file because it is being used by another process.”
This can be a problem if you want to see what’s going on, for example, in the last hour, because you would have to wait until the next day with the default log file rotation (one log file per day).
If you are in this situation, the problem is explained in the following article of the Microsoft knowledge base and a patch can be downloaded for Windows 2008 R2, 2012 and 2012 R2. Windows Server 2016 is not affected by the problem.
"550 The process cannot access the file" error when you try to download a file in Windows
So this concludes this article. You are now able to retrieve remotely the HTTP logs of your IIS web server in order to analyze them locally on your workstation and in a next article we will see how to synchronize these log files automatically.