|
| 1 | +--- |
| 2 | +title: Collect IIS logs with Azure Monitor Agent |
| 3 | +description: Configure collection of Internet Information Services (IIS) logs on virtual machines with Azure Monitor Agent. |
| 4 | +ms.topic: how-to |
| 5 | +ms.date: 12/07/2022 |
| 6 | +author: guywi-ms |
| 7 | +ms.author: guywild |
| 8 | +ms.reviewer: shseth |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +# Collect IIS logs with Azure Monitor Agent |
| 13 | + |
| 14 | +The Internet Information Service (IIS) logs data to the local disk of Windows machines. This article describes how to create a data collection rule (DCR) that sets up [Azure Monitor Agent](azure-monitor-agent-overview.md) to collect IIS logs from monitored machines. |
| 15 | + |
| 16 | +## Prerequisites |
| 17 | +To complete this procedure, you need: |
| 18 | + |
| 19 | +- Log Analytics workspace where you have at least [contributor rights](../logs/manage-access.md#azure-rbac). |
| 20 | +- [Data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-data-collection-endpoint). |
| 21 | +- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-overview.md#permissions) in the workspace. |
| 22 | +- A VM, Virtual Machine Scale Set, or Arc-enabled on-premises server with IIS logs. |
| 23 | + |
| 24 | + - The log file must be stored on a local drive of the machine on which Azure Monitor Agent is running. |
| 25 | + - Each entry in the log file must be delineated with an end of line. |
| 26 | + - The log file must not allow circular logging, log rotation where the file is overwritten with new entries or renaming where a file is moved and a new file with the same name is opened. |
| 27 | + |
| 28 | +## Create data collection rule to collect IIS logs |
| 29 | +The [data collection rule](../essentials/data-collection-rule-overview.md) defines: |
| 30 | + |
| 31 | +- Which source log files Azure Monitor Agent scans for new events. |
| 32 | +- How Azure Monitor transforms events during ingestion. |
| 33 | +- The destination Log Analytics workspace and table to which Azure Monitor sends the data. |
| 34 | + |
| 35 | +To create the data collection rule in the Azure portal: |
| 36 | + |
| 37 | +1. On the **Monitor** menu, select **Data Collection Rules**. |
| 38 | +1. Select **Create** to create a new data collection rule and associations. |
| 39 | + |
| 40 | + [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rules-updated.png#lightbox) |
| 41 | + |
| 42 | +1. Enter a **Rule name** and specify a **Subscription**, **Resource Group**, **Region**, and **Platform Type**: |
| 43 | + |
| 44 | + - **Region** specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant. |
| 45 | + - **Platform Type** specifies the type of resources this rule can apply to. The **Custom** option allows for both Windows and Linux types. |
| 46 | + |
| 47 | + [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics-updated.png#lightbox) |
| 48 | + |
| 49 | +1. On the **Resources** tab, add the resources to which to associate the data collection rule. Resources can be virtual machines, virtual machine scale sets, and Azure Arc for servers. The Azure portal installs Azure Monitor Agent on resources that don't already have it installed. |
| 50 | + |
| 51 | + > [!IMPORTANT] |
| 52 | + > The portal enables system-assigned managed identity on the target resources, along with existing user-assigned identities, if there are any. For existing applications, unless you specify the user-assigned identity in the request, the machine defaults to using system-assigned identity instead. |
| 53 | +
|
| 54 | + If you need network isolation using private links, select existing endpoints from the same region for the respective resources or [create a new endpoint](../essentials/data-collection-endpoint-overview.md). |
| 55 | + |
| 56 | + [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox) |
| 57 | + |
| 58 | +1. On the **Collect and deliver** tab, select **Add data source** to add a data source and set a destination. |
| 59 | +1. Select **IIS Logs**. |
| 60 | + |
| 61 | + [  ](media/data-collection-iis/iis-data-collection-rule.png#lightbox) |
| 62 | + |
| 63 | +1. Optionally, specify a file pattern to identify the directory where the log files are located. |
| 64 | +1. On the **Destination** tab, add one or more destinations for the data source. You can select multiple destinations of the same or different types. For instance, you can select multiple Log Analytics workspaces, which is also known as multihoming. |
| 65 | + |
| 66 | + [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-destination.png#lightbox) |
| 67 | + |
| 68 | +1. Select **Review + create** to review the details of the data collection rule and association with the set of virtual machines. |
| 69 | +1. Select **Create** to create the data collection rule. |
| 70 | + |
| 71 | +> [!NOTE] |
| 72 | +> It can take up to 5 minutes for data to be sent to the destinations after you create the data collection rule. |
| 73 | +
|
| 74 | +## Troubleshoot |
| 75 | +Use the following steps to troubleshoot collection of IIS logs. |
| 76 | + |
| 77 | +### Check if any IIS logs have been received |
| 78 | +Start by checking if any records have been collected for your IIS logs by running the following query in Log Analytics. If no records are returned then check the other sections for possible causes. This query looks for entires in the last two days, but you can modify for another time range. |
| 79 | + |
| 80 | +``` kusto |
| 81 | +W3CIISLog |
| 82 | +| where TimeGenerated > ago(48h) |
| 83 | +| order by TimeGenerated desc |
| 84 | +``` |
| 85 | + |
| 86 | +### Verify that the agent is sending heartbeats successfully |
| 87 | +Verify that Azure Monitor agent is communicating properly by running the following query in Log Analytics to check if there are any records in the Heartbeat table. |
| 88 | + |
| 89 | +``` kusto |
| 90 | +Heartbeat |
| 91 | +| where TimeGenerated > ago(24h) |
| 92 | +| where Computer has "<computer name>" |
| 93 | +| project TimeGenerated, Category, Version |
| 94 | +| order by TimeGenerated desc |
| 95 | +``` |
| 96 | + |
| 97 | +### Verify that IIS logs are being created |
| 98 | +Look at the timestamps of the log files and open the latest to see that latest timestamps are present in the log files. The default location for IIS log files is C:\\inetpub\\LogFiles\\W3SVC1. |
| 99 | + |
| 100 | +:::image type="content" source="media/data-collection-text-log/iis-log-timestamp.png" lightbox="media/data-collection-text-log/iis-log-timestamp.png" alt-text="Screenshot of IIS log on agent machine showing the timestamp."::: |
| 101 | + |
| 102 | +### Verify that you specified the correct log location in the data collection rule |
| 103 | +The data collection rule will have a section similar to the following. The `logDirectories` element specifies the path to the log file to collect from the agent computer. Check the agent computer to verify that this is correct. |
| 104 | + |
| 105 | +``` json |
| 106 | + "dataSources": [ |
| 107 | + { |
| 108 | + "configuration": { |
| 109 | + "logDirectories": ["C:\\scratch\\demo\\W3SVC1"] |
| 110 | + }, |
| 111 | + "id": "myIisLogsDataSource", |
| 112 | + "kind": "iisLog", |
| 113 | + "streams": [{ |
| 114 | + "stream": "ONPREM_IIS_BLOB_V2" |
| 115 | + } |
| 116 | + ], |
| 117 | + "sendToChannels": ["gigl-dce-6a8e34db54bb4b6db22d99d86314eaee"] |
| 118 | + } |
| 119 | + ] |
| 120 | +``` |
| 121 | + |
| 122 | +This directory should correspond to the location of the IIS logs on the agent machine. |
| 123 | + |
| 124 | +:::image type="content" source="media/data-collection-text-log/iis-log-files.png" lightbox="media/data-collection-text-log/iis-log-files.png" alt-text="Screenshot of IIS log files on agent machine."::: |
| 125 | + |
| 126 | +### Verify that the IIS logs are W3C formatted |
| 127 | +Open IIS Manager and verify that the logs are being written in W3C format. |
| 128 | + |
| 129 | +:::image type="content" source="media/data-collection-text-log/iis-log-format-setting.png" lightbox="media/data-collection-text-log/iis-log-format-setting.png" alt-text="Screenshot of IIS logging configuration dialog box on agent machine."::: |
| 130 | + |
| 131 | +Open IIS log on the agent machine to verify logs are in W3C format. |
| 132 | + |
| 133 | +:::image type="content" source="media/data-collection-text-log/iis-log-format.png" lightbox="media/data-collection-text-log/iis-log-format.png" alt-text="Screenshot of IIS log on agent machine showing the header specifies W3C format."::: |
| 134 | + |
| 135 | +### Share logs with Microsoft |
| 136 | +If everything is configured properly, but you're still not collecting log data, use the following procedure to collect diagnostics logs for Azure Monitor agent to share with the Azure Monitor group. |
| 137 | + |
| 138 | +1. Open an elevated PowerShell window. |
| 139 | +1. Change to directory `C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\[version]\`. |
| 140 | +1. Execute the script: `.\CollectAMALogs.ps1`. |
| 141 | +1. Share the `AMAFiles.zip` file generated on the desktop. |
| 142 | + |
| 143 | +## Next steps |
| 144 | + |
| 145 | +- Learn more about [Azure Monitor Agent](azure-monitor-agent-overview.md). |
| 146 | +- Learn more about [data collection rules](../essentials/data-collection-rule-overview.md). |
| 147 | +- Learn more about [data collection endpoints](../essentials/data-collection-endpoint-overview.md). |
0 commit comments