November 2010 (1)
August 2010 (1)
July 2010 (1)
June 2010 (3)
July 2009 (3)
June 2009 (1)
May 2009 (1)
February 2009 (1)
January 2009 (1)
November 2008 (3)
October 2008 (4)
September 2008 (9)
August 2008 (6)
July 2008 (3)
June 2008 (3)
January 2008 (1)
November 2007 (2)
October 2007 (6)
September 2007 (5)
August 2007 (22)
July 2007 (6)
June 2007 (1)
May 2007 (3)
April 2007 (27)
March 2007 (8)
February 2007 (6)
September 2006 (2)
August 2006 (4)
July 2006 (9)
June 2006 (17)
May 2006 (20)
April 2006 (12)
March 2006 (9)
February 2006 (4)
January 2006 (3)
December 2005 (2)
November 2005 (4)
October 2005 (5)
September 2005 (37)
August 2005 (83)
July 2005 (6)

Active Directory / LDAP (0)
ASP.Net (19)
Blackberry Development (4)
c# (34)
c++ (3)
Code Camp (1)
Excel (1)
Exchange (3)
Front Page 2003 (6)
FTP User Editor (4)
IIS (146)
IIS - Log Parser (7)
IIS / FTP (12)
IIS / Tools / Administration (42)
IIS / Tools / Authentication (6)
IIS / Tools / Compression (8)
IIS / Tools / Crash & Hang (12)
IIS / Tools / ISAPI Filters (17)
IIS / Tools / Log Files (17)
IIS / Tools / Scripts (28)
IIS / Tools / Security (9)
IIS / Tools / SSL (6)
IIS 7 (3)
Internet Information Server (1)
Me (Chris Crowe) (6)
MIME Types (1)
Misc (72)
Oulook Express (2)
Silverlight (1)
SQL Server (27)
SQL Server CTE (1)
Vista (15)
Vista Gadgets (8)
Visual Studio (11)
Voice over BroadBand (1)
Windows (33)
Windows Powershell (3)
Windows Sharepoint Services (0)
Windows Sharepoint Services (15)
Windows Vista (14)
Wine Cellar (1)
WMI (8)
IIS / Tools / Log Files (17)

IIS / Tools / Log Files

Google Analytics - Track page views and analyze the flow of visitors

Google Analytics provides powerful tracking for anyone with a web presence, whether it be a small hobby website or a giant online enterprise. It's one of the most powerful web analytics solutions on the market - and it's free for anyone to use!

Google Analytics provides in-depth reports for everyone involved in the running of a website, from the developers and designers to the marketing and management teams. Find out where people leave your site, and what content catches their attention. Compare marketing campaigns and see your return on investment for all of your AdWords spend. The ways that you can use Google Analytics are endless.

This free version is limited to 5 million pageviews a month - however, users with an active Google AdWords account are given unlimited pageview tracking. In addition, Google Analytics is completely integrated into the AdWords front-end and with your AdWords campaign, making it easy to track your AdWords ROI.

You can awatch a simple video here about how it works:

Microsoft releases a new download center for IIS (everything in one place)

DownloadCENTER for has been released! 

The DownloadCENTER at, is a community hotspot for discovering, sharing, reviewing and promoting IIS-related solutions in a single place.  Dozens of existing downloads, for all versions of IIS – both from Microsoft and the community – are already available in DownloadCENTER today. 

This new feature of is particularly relevant with the release of IIS7 in Windows Vista.  The latest release of Microsoft’s Web server has a completely modular architecture which features over forty pluggable components that can be easily added, removed or even replaced with custom implementations. 

This powerful extensibility support is available to both .NET and C/C++ developers.  In the future, DownloadCENTER is expected to house a large number of IIS7 extensions submitted by not only the IIS team but the developers and partner ISVs of the IIS community as well.

To learn more about the DownloadCenter, read IIS Product Unit Manager, Bill Staples’ blog post about it or check it out yourself today!


IIS 6 - Web Site Instance IDs - seemingly random but they are not!

On IIS 6.0 you will find that when you create web sites that their log files are created with seemingly random numbers. In previous versions of IIS the Instance IDs as they are called were sequentially numbered.

The first "Default Web Site" has a log file directory of W3SVC1 but any new sites you create may end up as follows (or something similar)

  • W3SVC1240841244
  • W3SVC1289352529
  • W3SVC147076792
  • W3SVC1527186048
  • W3SVC1566259604
  • W3SVC1710104836

I have written a script that you can use to display all the web sites and their associated Instance Ids - the output similar to the following.

Web Sites                    Description
W3SVC/1                   Default Web Site
W3SVC/1036328378 WebSite1
W3SVC/1816184000 WebSite2
W3SVC/1867813904 WebSite3
W3SVC/568530179   WebSite4
W3SVC/719499532   WebSite5
W3SVC/669732006   WebSite6

See for the script.

Something I only learned recently was that the Instance Ids can be made sequential again by editing the registry and they are not random at all.

Changing the behaviour to the same as previous IIS versions

Remember : Editing the registry is a risk you take on your own shoulders.

To do this:

  1. Click Start, click Run. In the Open box, type regedit, and then click OK.
  2. In Registry Editor, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters
  3. Click the Parameters key. On the Edit menu, click New Dword Value.
  4. Type IncrementalSiteIDCreation for the name.
  5. Double-click the name of the new value.
  6. Change Value Data to 1, and then click OK.
  7. To enable the change, restart the IIS services.

Note: When you remotely administer another IIS server, the value of the registry key of the local server is used to determine how the site identification number is generated on the remote server.

Why was it changed?

The reason that Instance ID were changed was that if you are running a Web Farm with multiple physical IIS servers and create a web site on each server with the same description all of the web sites will have the same Instance ID.

Basically if you create a new web site in IIS 6 and then delete the web site and create it again it will be created with the same Instance ID. So if you have multiple physical web servers for a particular web application you can read the log files from the same W3SVCx where x is the instance ID.

I created a web site with a description of XYZ and it produced the Instance ID of 906768 so my log file directory ended up as W3SVC906768

I then deleted this web site and the associated Log File Directory and repeated the exercise.

It indeed did create the same Instance ID of 90768

The following table shows some descriptions and Instance IDs

Description Instance ID Comment
A 66 ASCII character for B not A
B 67 ASCII character for C not B
AA 6631 No idea why 31 appears
AB 6632 No idea why 32 appears
AAA 669696 No idea why 96 appears


ClustrMaps - Show a map of where you get your web site visitors....

I came across an interesting site today

See at a glance where your site's visitors are located: instantaneously, even when the numbers are enormous! Visitors don't need to click on anything: just viewing your page is sufficient.

One thumbnail map on your site shows it all: We provide (free) the HTML that gives you a thumbnail map, like the one on the left. When it loads, it increments a counter and shows the locations of all the visitors to your page, cumulatively (even for huge numbers). Clicking on it zooms in to a big world map, and (optionally) lets you zoom in to the continents, as in the example below.

No hidden extras: For light users (under 2500 visitors daily - that is me) the service is free, forever, and stores cumulative totals up to many hundreds of thousands of visitors. Paying users get extra features.

C# application to show the WWW and FTP Sites and their log file directories....

I often look at the log files on my web server and with IIS 6 the folders are created with random numbers.

Correction from Tom regarding the “random numbers“:

In fact the log file names are generated from the site name so that in cases where a site is run on multiple servers the site id will be the same on each server. This helps with scripting and stuff. You can configure it in the registry to use the IIS5 type naming format if you want.

More details can be found below:

This simple application will display the WWW and FTP sites along with the log file directory. Just compile
it up or download the executable and drop the executable into your c:\windows\system32\logfiles folder and
just dblclick on it when you need to view the sites to folders relationships.

using System;
using System.DirectoryServices;
using System.IO;
using System.Collections;
using System.Windows.Forms;
namespace IISHelpDir
    /// Summary description for Class1.
    class Class1
        /// The main entry point for the application.
        static void Main(string[] args)
            SortedList www = new SortedList();
            SortedList ftp = new SortedList();
                const string FtpServerSchema = "IIsFtpServer"; // Case Sensitive
                const string WebServerSchema = "IIsWebServer"; // Case Sensitive
                string ServerName = "LocalHost";
                DirectoryEntry W3SVC = new DirectoryEntry("IIS://" + ServerName + "/w3svc");
                foreach (DirectoryEntry Site in W3SVC.Children) 
                    if (Site.SchemaClassName == WebServerSchema) 
                        string LogFilePath = System.IO.Path.Combine(
                        www.Add(Site.Properties["ServerComment"].Value.ToString(), LogFilePath);
                DirectoryEntry MSFTPSVC = new DirectoryEntry("IIS://" + ServerName + "/msftpsvc");
                foreach (DirectoryEntry Site in MSFTPSVC.Children) 
                    if (Site.SchemaClassName == FtpServerSchema) 
                        string LogFilePath = System.IO.Path.Combine(
                        ftp.Add(Site.Properties["ServerComment"].Value.ToString(), LogFilePath);
                int MaxWidth = 0;
                foreach(string Site in www.Keys)
                    if (Site.Length > MaxWidth)
                        MaxWidth = Site.Length;
                foreach(string Site in ftp.Keys)
                    if (Site.Length > MaxWidth)
                        MaxWidth = Site.Length;
                Console.WriteLine("Site Description".PadRight(MaxWidth)+"  Log File Directory");
                Console.WriteLine("WWW Sites");
                foreach(string Site in www.Keys)
                    Console.WriteLine(Site.PadRight(MaxWidth) + "  " + www[Site]);
                if (ftp.Keys.Count > 0)
                    Console.WriteLine("FTP Sites");
                    foreach(string Site in ftp.Keys)
                        Console.WriteLine(Site.PadRight(MaxWidth) + "  " + ftp[Site]);
                // Catch any errors
            catch (Exception e) 
                Console.WriteLine("Error: " + e.ToString());
                Console.WriteLine("Press enter to close/exit....");

To download a ZIP file containing the c# source and executable (.Net 1.1) please click here.

Basic Web Site Usage Statistics - SpotCheck

Spotcheck is a handy, freeware program that provides basic site usage statistics from IIS log files. You don't have to look at any advertising or give us an email address. Just download and use.

For more details see :

Preventing Log Evasion in IIS

One of the most important functions a Web site has is the ability to track who is visiting it, where they are coming from, and what they are doing. While logs themselves may not always be the most accurate measurement of what's going on, they do provide a high level overview useful for tracking common user functions and tasks. There are instances when certain types of data aren't logged such as referrers, cookies, user agents, and POST data. Logging can also be used to track abnormal behavior including malicious requests sent by a potential attacker trying to break into your site. These logs can be extremely valuable in identifying if an attack was successful or not, as well as some of the exact commands that an attacker may have executed.

For more details see the full article at

IIS - HTTP Status Codes

When you are checking your IIS log files you can find a field which defines the status of the request. This status can be very useful when you are trying to diagnose a problem such as a user being denied access to your site.

An example from a W3Extended log file format containing 2 log entries from Windows XP Professional

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2005-08-26 18:19:49
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host

2005-08-26 18:19:49 - W3SVC1 CHRIS 80 GET /images/ - 302 0 285 586 62 HTTP/1.1 localhost
2005-08-26 18:19:49 - W3SVC1 CHRIS 80 GET /images/ - 403 5 334 587 16 HTTP/1.1 localhost

From the above log entries we can see we have a status of 302 (Object moved) for the first request, and a status of 403 (Forbidden) for the second request. But we do not know why the user was denied access. In this case I tried to browse an image directory and it did not have directory browsing enabled which should have logged a 403.14 error but IIS 5.1 and earlier do not support storing the sub status code.

Doing something similar with IIS 6 on Windows 2003 Server we get these log file entries.

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-08-26 00:03:26
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2005-08-26 18:33:30 W3SVC68783193 SBS2003 GET /images - 80 - HTTP/1.1 301 0 0 399 432
2005-08-26 18:33:30 W3SVC68783193 SBS2003 GET /images/ - 80 - HTTP/1.1 403 14 5 412 433

In the IIS 6 log file example above you can see that I am logging two status fields sc-status and sc-substatus

This time the first request is returning a status of 301 (Object Moved Permanently) and a sub status of 0 which is not used.
The second request returns a status of 403 (Forbidden) and a sub status of 14 (Directory Listing Denied)

1xx - Informational

These status codes indicate a provisional response. The client should be prepared to receive one or more 1xx responses before receiving a regular response.

100 - Continue.
101 - Switching protocols.

2xx - Success

This class of status codes indicates that the server successfully accepted the client request.

200 - OK. The client request has succeeded.
201 - Created.
202 - Accepted.
203 - Non-authoritative information.
204 - No content.
205 - Reset content.
206 - Partial content.

3xx - Redirection

The client browser must take more action to complete the request. For example, the browser may have to request a different page on the server or repeat the request by using a proxy server.

301 - Moved Permanently
- Object moved Temporarily
303 - See Other
304 - Not modified.
307 - Temporary redirect.

4xx - Client Error

An error occurs, and the client appears to be at fault. For example, the client may request a page that does not exist, or the client may not provide valid authentication information.

400 - Bad request.
401 - Access denied. IIS defines a number of different 401 errors that indicate a more specific cause of the error. These specific error codes are displayed in the browser but are not displayed in the IIS log:

401.1 - Logon failed.
401.2 - Logon failed due to server configuration.
401.3 - Unauthorized due to ACL on resource.
401.4 - Authorization failed by filter.
401.5 - Authorization failed by ISAPI/CGI application.
401.7 – Access denied by URL authorization policy on the Web server. This error code is specific to IIS 6.0.

403 - Forbidden. IIS defines a number of different 403 errors that indicate a more specific cause of the error:

403.1 - Execute access forbidden.
403.2 - Read access forbidden.
403.3 - Write access forbidden.
403.4 - SSL required.
403.5 - SSL 128 required.
403.6 - IP address rejected.
403.7 - Client certificate required.
403.8 - Site access denied.
403.9 - Too many users.
403.10 - Invalid configuration.
403.11 - Password change.
403.12 - Mapper denied access.
403.13 - Client certificate revoked.
403.14 - Directory listing denied.
403.15 - Client Access Licenses exceeded.
403.16 - Client certificate is untrusted or invalid.
403.17 - Client certificate has expired or is not yet valid.
403.18 - Cannot execute requested URL in the current application pool. This error code is specific to IIS 6.0.
403.19 - Cannot execute CGIs for the client in this application pool. This error code is specific to IIS 6.0.
403.20 - Passport logon failed. This error code is specific to IIS 6.0.

404 - Not found. 404.0 - (None) – File or directory not found.

404.1 - Web site not accessible on the requested port.
404.2 - Web service extension lockdown policy prevents this request.
404.3 - MIME map policy prevents this request.
404.4 - No Handler (IIS 7)
404.5 - Request Filtering: URL Sequence Denied (IIS 7)
404.6 - Request Filtering: Verb denied (IIS 7)
404.7 - Request Filtering: File extension denied (IIS 7)
404.8 - Request Filtering: Denied by hidden namespace (IIS 7)
404.9 - Denied since hidden file attribute has been set (IIS 7)
404.10 - Request Filtering: Denied because request header is too long (IIS 7)
404.11- Request Filtering: Denied because URL doubled escaping (IIS 7)
404.12 - Request Filtering: Denied because of high bit characters (IIS 7)
404.13 - Request Filtering: Denied because content length too large (IIS 7)
404.14 - Request Filtering: Denied because URL too long (IIS 7)
404.15- Request Filtering: Denied because query string too long (IIS 7)

405 - HTTP verb used to access this page is not allowed (method not allowed.)
406 - Client browser does not accept the MIME type of the requested page.
407 - Proxy authentication required.
412 - Precondition failed.
413 – Request entity too large.
414 - Request-URI too long.
415 – Unsupported media type.
416 – Requested range not satisfiable.
417 – Execution failed.
423 – Locked error.

5xx - Server Error

The server cannot complete the request because it encounters an error.

500 - Internal server error.

500.12 - Application is busy restarting on the Web server.
500.13 - Web server is too busy.
500.15 - Direct requests for Global.asa are not allowed.
500.16 – UNC authorization credentials incorrect. This error code is specific to IIS 6.0.
500.18 – URL authorization store cannot be opened. This error code is specific to IIS 6.0.
500.100 - Internal ASP error.

501 - Header values specify a configuration that is not implemented.
502 - Web server received an invalid response while acting as a gateway or proxy.

502.1 - CGI application timeout.
502.2 - Error in CGI application.

503 - Service unavailable. This error code is specific to IIS 6.0.
504 - Gateway timeout.
505 - HTTP version not supported.

For more details see these resources :

Log Parser - Different Output Formats available

In this blog entry we will display the same output in a number of different formats that Log Parser is capable of providing.


Using the default output format the results are displayed inside of the command prompt.

SELECT top 25 distinct c-ip as ClientIP, Count(*) as Hits
FROM \\sbs2003\LogFiles\W3SVC68783193\ex0508*.log
group by c-ip
order by Hits, c-ip desc

Command Line

LogParser.exe file:distinctclientrequests.sql


Notice in the above listing you get a "Press a key..." displayed you can turn this off if you use the -rtp:-1 switch


Using an output format of a chart you can create nice graphs of log entries

SELECT top 25 distinct c-ip as ClientIP, Count(*) as Hits
into test.gif
FROM \\sbs2003\LogFiles\W3SVC68783193\ex0508*.log
group by c-ip
order by Hits, c-ip desc

Command Line

LogParser.exe file:distinctclientrequests.sql -view


The output in this case is a file on disk called test.gif. and the -view parameter displays it in a window.



Using an output format of a DataGrid you can view the results inside of a grid which is a lot easier for viewing the results in certain circumstances.

SELECT top 25 distinct c-ip as ClientIP, Count(*) as Hits
FROM \\sbs2003\LogFiles\W3SVC68783193\ex0508*.log
group by c-ip
order by Hits, c-ip desc

Command Line

LogParser.exe file:distinctclientrequests.sql


LogParser - How to retreive the log filename where a LogFileEntry is from.

When using Log Parser you may want to include the log file name that the client data was extracted from. If you are using the W3C format you can do this with the LogFilename input field which will return the full path to the log filename that contains the row of data.

Save the data below as distinctclientrequests.sql

SELECT top 25 distinct LogFilename, c-ip as ClientIP, Count(*) as Hits
FROM \\sbs2003\LogFiles\W3SVC68783193\ex0508*.log
group by c-ip, LogFilename
order by Hits, c-ip desc

Command Line

LogParser.exe file:distinctclientrequests.sql

Example Output:

LogFilename ClientIP Hits
\\sbs2003\LogFiles\W3SVC68783193\ex050819.log 2791
\\sbs2003\LogFiles\W3SVC68783193\ex050809.log 2296
\\sbs2003\LogFiles\W3SVC68783193\ex050807.log 2262
\\sbs2003\LogFiles\W3SVC68783193\ex050806.log 1967
\\sbs2003\LogFiles\W3SVC68783193\ex050811.log 1838
\\sbs2003\LogFiles\W3SVC68783193\ex050808.log 1744
\\sbs2003\LogFiles\W3SVC68783193\ex050810.log 1441
\\sbs2003\LogFiles\W3SVC68783193\ex050804.log 1372
\\sbs2003\LogFiles\W3SVC68783193\ex050811.log 1243
\\sbs2003\LogFiles\W3SVC68783193\ex050824.log 965

If you are wanting to only get the log filename and not the full path you could use the following query:

Save the data below as distinctclientrequests.sql

SELECT top 25 distinct EXTRACT_FILENAME(LogFilename) as LogFile, c-ip as ClientIP, Count(*) as Hits
FROM \\sbs2003\LogFiles\W3SVC68783193\ex0508*.log
group by c-ip, LogFile
order by Hits, c-ip desc

Command Line

LogParser.exe file:distinctclientrequests.sql

Example Output:

LogFile ClientIP Hits
ex050819.log 2791
ex050809.log 2296
ex050807.log 2262
ex050806.log 1967
ex050811.log 1838
ex050808.log 1744
ex050810.log 1441
ex050804.log 1372
ex050811.log 1243
ex050824.log 965

IIS - ISAPI Filters [Freeware/Shareware] Enhanced Log for Microsoft IIS

Replaces the standard IIS error message (HTTP/1.0 404 Not Found, HTTP/1.0 401 Access denied, etc.) by custom HTML or HTTP message

The custom message can be defined for whole web site, or for any file or directory of the web. The message can contains redirection to the another site too.

You are free to use and distribute EnhancedLog. EnhancedLog signs every custom error message by refrerence to the PSTRUH Software home page. You are not allowed to change the sign in free version of EnhacedLog. You must register to remove the sign.

For more details see -

IIS - ISAPI Filers [Commerical] HttpLog ISAPI Filter

The ISAPI filter enables http raw data logging. Lets you log http header and document data to separate files, monitor IIS service output and check other filters (asp/cgi pages, ISAPI applications) functionality.

This product has not been updated since 2000 but may still have use for administrators.

For more details see -

IIS - ISAPI Filters - [Freeware] IISStatus

IISStatus links into the web server as an ISAPI filter to record each request, including ASP pages, as it is received and processed by the server.

Use this tool to monitor exactly what your ASP pages are doing and reduce time spent debugging. IISStatus is a Freeware product at this time. In future, we will be releasing enchanced versions of IISStatus although these releases may not be freeware (still freeware after 3 years)

For more details see -

Freeware - IIS / Tools / Log Files / The Webalizer

The Webalizer is a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser.


  • Is written in C to be extremely fast and highly portable. On a 200Mhz pentium machine, over 10,000 records can be processed in one second, with a 40 Megabyte file taking roughly 15 seconds (over 150,000 records).

  • Supports standard Common Logfile Format server logs. In addition, several variations of the Combined Logfile Format are supported, allowing statistics to be generated for referring sites and browser types as well. Now also has native support for wu-ftpd xferlog FTP and squid log formats as well.

  • Generated reports can be configured from the command line, or by use of one or more configuration files. Detailed information on configuration options can be found in the README file, supplied with all distributions.

  • Supports multiple languages. Currently, Catalan, Chinese (traditional and simplified), Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, Galician, German, Greek, Hungarian, Icelandic, Indonesian, Italian, Japanese, Korean, Latvian, Lithuanian, Malay, Norwegian, Polish, Portuguese (Portugal and Brazil), Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, Turkish and Ukrainian are available.

  • Unlimited log file sizes and partial logs are supported, allowing logs to be rotated as often as needed, and eliminating the need to keep huge monthly files on the system.

  • Distributed under the GNU General Public License, complete source code is available, as well as binary distributions for some of the more popular platforms. Please read the Copyright notices for additional information.

For more details see -

To see a sample report see -

Freeware - IIS / Tools / Log Files / AWStats

AWStats is a free powerful and featureful tool that generates advanced web, streaming, ftp or mail server statistics, graphically.

This log analyzer works as a CGI or from command line and shows you all possible information your log contains, in few graphical web pages. It uses a partial information file to be able to process large log files, often and quickly. It can analyze log files from all major server tools like Apache log files (NCSA combined/XLF/ELF log format or common/CLF log format), WebStar, IIS (W3C log format) and a lot of other web, proxy, wap, streaming servers, mail servers and some ftp servers.

AWStats is a free software distributed under the GNU General Public License. You can have a look at this license chart to know what you can/can't do.

For more details see -

For a sample report see -

Freeware - IIS / Tools / Log Files / Analog
Analog shows you the usage patterns on your web server by analyzing your Log Files. It is a very simple package to get going and has a good following, you can simply customize which reports are generated and there are a number of people who provide additional files such as Search Engines, and Spiders so the product can keep up to date with web bots etc.
  • Ultra-fast
  • Scalable
  • Highly configurable
  • Reports in 32 languages
  • Works on any operating system
  • Free software ( Licence is now GPL)

For more details see -

For a sample report see -

To generate even nicer reports you can combine Analog with another product called Report Magic - for a sample report see -

Freeware - IIS / Tools / Log Files / Microsoft Log Parser 2.2

Microsoft Log Parser is a very cool little tool that you can use with a SQL query language to render details from a number of different log file formats including:

  • IIS log files in the NCSA Common, Combined, and Extended Log File Formats
  • IIS log files in the Microsoft Log File Format.
  • IIS log files in the W3C Extended Log File Format
  • IIS log files in the Centralized Binary Log File Format
  • IIS when configured to log in the ODBC Log Format

  • Active Directory Objects
  • Comma, Tab and Space Delimited Text Files
  • Enterprise Tracing for Windows trace log files (.etl files) and live ETW trace sessions
  • Windows Event Log and from Event Log backup files (.evt files).
  • Files and Directories
  • HTTP Error log files created by the Http.sys driver (IIS 6+ )
  • NETMON input format parses network capture files (.cap files) captured by the Network Monitor program (or exported from Ethereal)
  • Registry Values
  • Generic text files.
  • URLScan IIS filter log files
  • W3C Extended Log File Format
  • XML Files

  • Your Own Custom Plugins

You tell Log Parser what information you need and how you want it processed.

The results of your query can be custom-formatted in text based output, or they can be persisted to more specialty targets like SQL, SYSLOG, or a chart.  

An example query:

SELECT TOP 10 cs-uri-stem, COUNT(*)
FROM ex040305.log
GROUP BY cs-uri-stem

For more details on Log Parser see

The Unoffical Log Parser web site created and maintained by Mike Gunderloy see

For some additional scripts and code examples for using Log Parser from c# see

A book has been released called the Log Parser Toolkit - see

For a details explanation of how Log Parse works see

For examples of using the COM interface to Log Parser see