Collect IIS logs in Azure Monitor

Internet Information Services (IIS) stores user activity in log files that can be collected by Azure Monitor and stored as log data.

[Figure: IIS logs]

Configuring IIS logs

Azure Monitor collects entries from log files created by IIS, so you must configure IIS for logging.

Azure Monitor only supports IIS log files stored in W3C format and does not support custom fields or IIS Advanced Logging. It does not collect logs in NCSA or IIS native format.

Configure IIS logs in Azure Monitor from the Advanced Settings menu. There is no configuration required other than selecting Collect W3C format IIS log files.

Data collection

Azure Monitor collects IIS log entries from each agent each time the log timestamp changes. The log is read every 5 minutes. If for any reason IIS doesn't update the timestamp before the rollover time when a new file is created, entries will be collected following creation of the new file. The frequency of new file creation is controlled by the Log File Rollover Schedule setting for the IIS site, which is once a day by default. If the setting is Hourly, Azure Monitor collects the log each hour. If the setting is Daily, Azure Monitor collects the log every 24 hours.

IIS log record properties

IIS log records have a type of W3CIISLog and have the properties in the following table:

| Property | Description |
|---|---|
| Computer | Name of the computer that the event was collected from. |
| cIP | IP address of the client. |
| csMethod | Method of the request such as GET or POST. |
| csReferer | Site that the user followed a link from to the current site. |
| csUserAgent | Browser type of the client. |
| csUserName | Name of the authenticated user that accessed the server. Anonymous users are indicated by a hyphen. |
| csUriStem | Target of the request such as a web page. |
| csUriQuery | Query, if any, that the client was trying to perform. |
| ManagementGroupName | Name of the management group for Operations Manager agents. For other agents, this is AOI-<workspace ID>. |
| RemoteIPCountry | Country/region of the IP address of the client. |
| RemoteIPLatitude | Latitude of the client IP address. |
| RemoteIPLongitude | Longitude of the client IP address. |
| scStatus | HTTP status code. |
| scSubStatus | Substatus error code. |
| scWin32Status | Windows status code. |
| sIP | IP address of the web server. |
| SourceSystem | OpsMgr |
| sPort | Port on the server the client connected to. |
| sSiteName | Name of the IIS site. |
| TimeGenerated | Date and time the entry was logged. |
| TimeTaken | Length of time to process the request in milliseconds. |

Log queries with IIS logs

The following table provides different examples of log queries that retrieve IIS log records.

| Query | Description |
|---|---|
| W3CIISLog | All IIS log records. |
| W3CIISLog \| where scStatus==500 | All IIS log records with a return status of 500. |
| W3CIISLog \| summarize count() by cIP | Count of IIS log entries by client IP address. |
| W3CIISLog \| where csHost=="www.contoso.com" \| summarize count() by csUriStem | Count of IIS log entries by URL for the host www.contoso.com. |
| W3CIISLog \| summarize sum(csBytes) by Computer \| take 500000 | Total bytes received by each IIS computer. |
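The following is an added example, not code from the page or from Azure Monitor. It shows what the agent-side data looks like before it reaches the W3CIISLog table: it reads a constructed W3C-format IIS log (the `#Fields:` directive names the columns), rejects an NCSA-format sample the way the collection rules above say such logs are not collected, maps each W3C column to the W3CIISLog property names from the property table, and then runs offline equivalents of the example queries (status 500 filter, count by cIP, count by csUriStem, sum of csBytes by Computer). The W3C-column-to-property mapping, the sample lines and the `WEB01` computer name are assumptions made for the example.

```python
"""Parse W3C-format IIS log lines into W3CIISLog-style records and run the
page's example queries offline. Added example; the field mapping and the
sample log contents below are constructed, not taken from Azure Monitor."""
from collections import Counter
from typing import Dict, List

# Constructed W3C-format sample. The last line is deliberately truncated to
# show that a malformed line is skipped rather than mis-parsed.
W3C_SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status cs-bytes time-taken
2024-01-15 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 300 12
2024-01-15 00:00:02 10.0.0.5 POST /api/login - 443 - 203.0.113.7 curl/8.0 - 500 0 0 450 240
2024-01-15 00:00:03 10.0.0.5 GET /admin - 443 alice 198.51.100.9 Mozilla/5.0 https://example.test/ 200 0 0 280 8
2024-01-15 00:00:04 10.0.0.5 GET /api/data id=1 443 - 203.0.113.7 curl/8.0 - 500 0 64 520 1500
2024-01-15 00:00:05 10.0.0.5 GET
"""

# Constructed NCSA common-log-format sample; Azure Monitor does not collect this format.
NCSA_SAMPLE = '203.0.113.7 - - [15/Jan/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 512\n'

# Assumed mapping from W3C column names to W3CIISLog property names.
FIELD_MAP = {
    "c-ip": "cIP", "cs-method": "csMethod", "cs(Referer)": "csReferer",
    "cs(User-Agent)": "csUserAgent", "cs-username": "csUserName",
    "cs-uri-stem": "csUriStem", "cs-uri-query": "csUriQuery",
    "sc-status": "scStatus", "sc-substatus": "scSubStatus",
    "sc-win32-status": "scWin32Status", "s-ip": "sIP", "s-port": "sPort",
    "cs-bytes": "csBytes", "time-taken": "TimeTaken",
}
INT_FIELDS = {"scStatus", "scSubStatus", "scWin32Status", "sPort", "csBytes", "TimeTaken"}


def is_w3c_format(text: str) -> bool:
    """W3C extended format is recognised by its #Fields directive."""
    return any(line.startswith("#Fields:") for line in text.splitlines())


def parse_w3c_log(text: str, computer: str = "WEB01") -> List[Dict[str, object]]:
    """Turn W3C log text into records keyed like W3CIISLog properties.

    Raises ValueError for NCSA/native input, mirroring the rule that only
    W3C-format files are collected. Values are space-separated; IIS writes
    empty values as a hyphen (e.g. csUserName '-' for anonymous users).
    """
    if not is_w3c_format(text):
        raise ValueError("not W3C extended format: no #Fields directive")
    fields: List[str] = []
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive can repeat after an IIS restart
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; do not guess column positions
        raw = dict(zip(fields, values))
        rec: Dict[str, object] = {
            "Computer": computer,
            "TimeGenerated": f"{raw['date']} {raw['time']}",
        }
        for w3c_name, prop in FIELD_MAP.items():
            if w3c_name in raw:
                rec[prop] = int(raw[w3c_name]) if prop in INT_FIELDS else raw[w3c_name]
        records.append(rec)
    return records


def records_with_status(records, status: int = 500):
    """Equivalent of: W3CIISLog | where scStatus==500"""
    return [r for r in records if r.get("scStatus") == status]


def count_by(records, prop: str) -> Dict[object, int]:
    """Equivalent of: W3CIISLog | summarize count() by <prop>"""
    return dict(Counter(r.get(prop) for r in records))


def sum_by(records, value_prop: str, key_prop: str) -> Dict[object, int]:
    """Equivalent of: W3CIISLog | summarize sum(<value_prop>) by <key_prop>"""
    totals: Counter = Counter()
    for r in records:
        totals[r[key_prop]] += int(r.get(value_prop, 0))
    return dict(totals)


if __name__ == "__main__":
    recs = parse_w3c_log(W3C_SAMPLE)
    print(len(records_with_status(recs)), "requests with status 500")
    print(count_by(recs, "cIP"))
    print(count_by(recs, "csUriStem"))
    print(sum_by(recs, "csBytes", "Computer"))
```

The `count_by(recs, "cIP")` result is the offline counterpart of the second example query and is the figure a responder would look at first when one client address dominates the error rows; the parser's refusal of NCSA input is where a collection gap would surface if a site had been left on the wrong log format.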

Next steps

  • Configure Azure Monitor to collect other data sources for analysis.
  • Learn about log queries to analyze the data collected from data sources and solutions.