Searching IIS logs with Search-IISWebsiteLog

Today I'd like to talk about the Search-IISSiteLog cmdlet that's part of the CPolydorou.IIS module. This cmdlet can be used to search text-based log files, IIS website logs in particular.

Let's dive right in and search the Exchange IIS logs for the requests of a specific user!

We'll start by getting the sites on an Exchange 2013 server:

PS C:\> Get-Website

Name             ID State   Physical Path
----             -- -----   -------------
Default Web Site 1  Started %SystemDrive%\inetpub\wwwroot
Exchange Back En 2  Started C:\inetpub\wwwroot

Since we want to search for a user's requests, we'll use the "Default Web Site" website: on Exchange 2013 this is the front-end site (port 443) that receives the client requests for OWA, ECP, EWS and so on, which are then proxied to the "Exchange Back End" site on port 444. Our Exchange servers are named "exchange2013a" and "exchange2013b".

The Search-IISSiteLog command would be:

Search-IISSiteLog -WebSite "Default Web Site" `
                  -Pattern "cpolydorou" `
                  -ComputerName "exchange2013a","exchange2013b"

This command will get the path to the log files for the "Default Web Site" website on each of the specified servers and then search those files for the pattern "cpolydorou", which matches our user.

The key here is that the search is executed in parallel on the servers themselves: each server searches its own log files and takes its share of the load, instead of the log files being copied to the workstation and searched there.

The output of the command will be objects like the following:

ComputerName          : EXCHANGE2013A
File                  : u_ex180120_x.log
Entry                 : 2018-01-20 19:11:13 ... POST /ecp/ 443 cpolydorou@lab.local ...
PSComputerName        : localhost
RunspaceId            : c88d0754-4a35-4cd9-a8f0-9b392bc82b41
PSSourceJobInstanceId : 0e1b09e8-b015-4618-baf4-b29f472182bd

Each object represents a line in a log file that matches the pattern. It contains the name of the server, the name of the file so that we can locate it, and the entry itself. The PSComputerName, RunspaceId and PSSourceJobInstanceId properties are added by PowerShell remoting and the job infrastructure, not by the cmdlet.

The above command will search all the files in the log folder, which is not necessarily what we want since it takes time and computing power that is not needed. In case we have a time frame for the requests we need to find, we can use the "-Start" and "-End" parameters.

When those parameters are used, the files in the log folders are filtered based on their LastWriteTime property and any files that have not been updated in that period are not searched.

The caveat here is that the timestamps inside the entries are in UTC (IIS writes W3C log timestamps in UTC by default, and unless local time rollover is enabled the date in the u_exYYMMDD.log file name follows UTC as well), whereas the LastWriteTime of the files is in the server's local time. I would suggest widening the period a little, so that a file is not skipped because of the timezone offset, and then filtering the returned entries using the timestamp inside each entry.
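The two-pass approach described above (a cheap file-level filter on LastWriteTime with a widened window, followed by an exact filter on the UTC timestamp inside each matching entry), as an added example that is not part of the CPolydorou.IIS module. It runs locally on a single server; this is the per-server work that a remoting fan-out would execute. The function name, parameters and the sample log file are assumptions made for the example, and the log lines are constructed, not real data.

```powershell
# Added example, not code from the CPolydorou.IIS module. Searches IIS W3C log files for
# a pattern, pre-filters files by LastWriteTime (local time, widened by $Slack) and then
# keeps only the entries whose own timestamp (UTC in IIS logs) falls inside the window.
function Search-IISLogEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,       # directory holding u_ex*.log files
        [Parameter(Mandatory)] [string]   $Pattern,    # regular expression, e.g. a user name
        [Parameter(Mandatory)] [datetime] $StartUtc,   # window expressed in UTC, like the entries
        [Parameter(Mandatory)] [datetime] $EndUtc,
        [timespan] $Slack = [timespan]::FromHours(26)  # covers any UTC offset plus the daily rollover
    )

    # Pass 1: file-level filter. LastWriteTime is local time, so convert the UTC window to
    # local time and widen it, so that a timezone offset cannot drop a file we need.
    $fileStart = $StartUtc.ToLocalTime() - $Slack
    $fileEnd   = $EndUtc.ToLocalTime()   + $Slack
    $files = Get-ChildItem -Path $Path -Filter 'u_ex*.log' -File |
             Where-Object { $_.LastWriteTime -ge $fileStart -and $_.LastWriteTime -le $fileEnd }

    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal

    foreach ($file in $files) {
        $dateIdx = $timeIdx = -1
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            # The "#Fields:" directive says which columns hold date and time. It can appear
            # again mid-file when the logged fields change, so keep re-reading it.
            if ($line.StartsWith('#Fields:')) {
                $fields  = $line.Substring(8).Trim() -split ' '
                $dateIdx = [array]::IndexOf($fields, 'date')
                $timeIdx = [array]::IndexOf($fields, 'time')
                continue
            }
            if ($line.StartsWith('#') -or $line -notmatch $Pattern) { continue }
            if ($dateIdx -lt 0 -or $timeIdx -lt 0) { continue }   # no header yet, cannot place in time

            # Pass 2: parse the entry's own timestamp as UTC (not local) and apply the exact window.
            $cols  = $line -split ' '
            $stamp = [datetime]::ParseExact("$($cols[$dateIdx]) $($cols[$timeIdx])",
                        'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture, $styles)
            if ($stamp -ge $StartUtc -and $stamp -le $EndUtc) {
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    File         = $file.Name
                    TimestampUtc = $stamp
                    Entry        = $line
                }
            }
        }
    }
}

# Constructed sample log (not real data) so the example runs offline.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'iis-log-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$logFile = Join-Path $dir 'u_ex180120.log'
@'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2018-01-20 19:11:13 10.0.0.5 POST /ecp/ - 443 cpolydorou@lab.local 10.0.0.20 Mozilla/5.0 200
2018-01-20 23:30:01 10.0.0.5 GET /owa/ - 443 cpolydorou@lab.local 10.0.0.20 Mozilla/5.0 200
2018-01-20 23:31:45 10.0.0.5 GET /owa/ - 443 someoneelse@lab.local 10.0.0.21 Mozilla/5.0 200
'@ | Set-Content -Path $logFile -Encoding ASCII
# A real log file keeps the time it was last written; the sample file was written just now,
# so backdate it to a plausible local time for a log that rolled over at midnight UTC.
(Get-Item $logFile).LastWriteTime = [datetime]'2018-01-21 02:00:00'

# The window is given in UTC to match the entries; only the 19:11:13 request falls inside it,
# even though the file's LastWriteTime (local time) lies outside the narrow window.
Search-IISLogEntry -Path $dir -Pattern 'cpolydorou' `
    -StartUtc ([datetime]::new(2018, 1, 20, 18, 0, 0, [DateTimeKind]::Utc)) `
    -EndUtc   ([datetime]::new(2018, 1, 20, 20, 0, 0, [DateTimeKind]::Utc)) |
    Format-Table File, TimestampUtc, Entry -AutoSize
```

The point of the 26-hour slack is that a file's LastWriteTime can sit a whole day away from the UTC timestamps of the entries it contains (timezone offset plus the fact that the file is still being written until the next UTC midnight), so the file filter must be generous while the entry filter stays exact.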

Although this workflow was created to search IIS website log files, it can be used to search any kind of text file in a directory. Use the "-Path" parameter to specify the directory containing the log files and you're all set.

The CPolydorou.IIS module is available on the PowerShell Gallery, I hope you'll find it helpful!
