IIS – Review IISLog to track traffic within time period

Issue

We have been receiving a bunch of alerts from our monitoring tool.

They came through email, but, being a loud mouth, I asked the monitoring group to please send us a tabulated summary.


Alert Report

[Image: tabulated alert report]

Explanation

  1. Again, I am wondering what happened for two hours on one specific web server.
    • On the second data row
      • How did we stay dark between 6:20 and 8:20 AM?

TroubleShooting

Setup

Collected the IIS logs and pointed Log Parser Studio at them. One check before comparing against the alert report: IIS writes the date and time fields of W3C logs in UTC, so confirm which time zone the monitoring tool reports in and shift the query window (or wrap the timestamp in TO_LOCALTIME()) only if the two differ.


Query


/*  New Query  */

SELECT TOP 10000 
            TO_TIMESTAMP(date, time) as ts
          , c-ip as ipAddress
          , cs-username as username
          , cs-uri-stem as URL
          , cs-uri-query as query
          , sc-status as status
          , time-taken as timeTaken
          , cs(User-Agent) as userAgent
          , cs(Referer) as referer

FROM '[LOGFILEPATH]'

where  TO_TIMESTAMP(date, time)
             between timestamp('2017/07/30 06:00:00', 'yyyy/MM/dd hh:mm:ss')  
             and timestamp('2017/07/30 12:00:00', 'yyyy/MM/dd hh:mm:ss')


Output

Explanation

  1. On 2017-June-30th between 6:00 AM and 6:13 AM, we recorded HTTP requests that came in pairs
    • The first request was to the home page
      • IIS returned 302
        • Redirection
    • The second request was to the /Account/LogOn page
      • Returned 200
        • 200 is OK
  2. We did not get another request until 8:18 AM
    • Again two HTTP requests
      • The first returned 302
        • Redirect
      • The redirection led us to /Account/LogOn
        • Returned 200
        • But it took a lot longer: 18156 ms, about 18 seconds
          • Need to come back and validate the actual measurement (time-taken is in milliseconds and, in IIS, includes the time spent sending the response to the client, so a slow client or network inflates it)
  3. Things returned to normal
    • 8:28 AM, 8:33 AM, 8:38 AM, 8:43 AM, 8:48 AM, 8:53 AM, 8:58 AM, 9:03 AM, 9:08 AM, and 9:13 AM
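The same check can be scripted so it does not depend on eyeballing 10,000 rows. The script below is an added example, not code from the original post or from Log Parser Studio: it parses IIS W3C log lines (honouring the #Fields directive), keeps only the monitor's heartbeat requests inside the same 06:00 to 12:00 window the query above uses, reports any stretch where probes stopped arriving, and flags probe requests whose time-taken is far above normal. The log excerpt, the monitor address 10.0.0.9, the user agent Monitor/1.0 and the 5-minute probe interval are all constructed for the example; substitute your own values.

```python
"""Find gaps in a monitoring probe's hits and slow responses in IIS W3C logs.

Added example, not part of the original post. The log excerpt, the monitor
IP 10.0.0.9, the user agent and the 5-minute interval are constructed.
"""
from datetime import datetime, timedelta

# Constructed IIS W3C excerpt. The monitor hits "/" (302) then "/Account/LogOn"
# (200) every 5 minutes, goes quiet after 06:10, and returns at 08:18 with a
# slow login-page response. The 07:12 line is an ordinary user, not the probe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-07-30 06:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-07-30 06:00:01 10.0.0.5 GET / - 443 - 10.0.0.9 Monitor/1.0 - 302 0 0 15
2017-07-30 06:00:01 10.0.0.5 GET /Account/LogOn ReturnUrl=%2F 443 - 10.0.0.9 Monitor/1.0 - 200 0 0 31
2017-07-30 06:05:01 10.0.0.5 GET / - 443 - 10.0.0.9 Monitor/1.0 - 302 0 0 12
2017-07-30 06:05:01 10.0.0.5 GET /Account/LogOn ReturnUrl=%2F 443 - 10.0.0.9 Monitor/1.0 - 200 0 0 28
2017-07-30 06:10:02 10.0.0.5 GET / - 443 - 10.0.0.9 Monitor/1.0 - 302 0 0 14
2017-07-30 06:10:02 10.0.0.5 GET /Account/LogOn ReturnUrl=%2F 443 - 10.0.0.9 Monitor/1.0 - 200 0 0 30
2017-07-30 07:12:40 10.0.0.5 GET /Account/LogOn ReturnUrl=%2F 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2017-07-30 08:18:03 10.0.0.5 GET / - 443 - 10.0.0.9 Monitor/1.0 - 302 0 0 16
2017-07-30 08:18:03 10.0.0.5 GET /Account/LogOn ReturnUrl=%2F 443 - 10.0.0.9 Monitor/1.0 - 200 0 0 18156
2017-07-30 08:23:01 10.0.0.5 GET / - 443 - 10.0.0.9 Monitor/1.0 - 302 0 0 13
2017-07-30 08:23:01 10.0.0.5 GET /Account/LogOn ReturnUrl=%2F 443 - 10.0.0.9 Monitor/1.0 - 200 0 0 29
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    IIS writes directive lines (#Software, #Fields, ...) at the top of each
    file and again after a restart; the #Fields line is re-read each time it
    appears because the field set can change when logging is reconfigured.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")          # W3C values never contain spaces
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = dict(zip(fields, values))
        # IIS logs date/time in UTC; keep it naive, as TO_TIMESTAMP(date, time) does.
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        rec["time-taken"] = int(rec["time-taken"])   # milliseconds
        records.append(rec)
    return records


def probe_beats(records, probe_ip, start, end, heartbeat_uri="/"):
    """Distinct timestamps of the monitor's first request per cycle inside [start, end]."""
    return sorted({r["ts"] for r in records
                   if r["c-ip"] == probe_ip
                   and r["cs-uri-stem"] == heartbeat_uri
                   and start <= r["ts"] <= end})


def find_gaps(beats, interval=timedelta(minutes=5), missed=2):
    """Consecutive beats more than `missed` intervals apart: at least one probe never arrived."""
    return [(prev, nxt, nxt - prev)
            for prev, nxt in zip(beats, beats[1:])
            if nxt - prev > missed * interval]


def slow_responses(records, probe_ip, threshold_ms=10_000):
    """Probe requests whose time-taken exceeds the threshold (e.g. the 18 s login page)."""
    return [(r["ts"], r["cs-uri-stem"], r["sc-status"], r["time-taken"])
            for r in records
            if r["c-ip"] == probe_ip and r["time-taken"] > threshold_ms]


def analyze(text, probe_ip="10.0.0.9",
            start=datetime(2017, 7, 30, 6, 0, 0),
            end=datetime(2017, 7, 30, 12, 0, 0)):
    """Run the three checks over one log file's text and return their results."""
    records = parse_w3c(text)
    beats = probe_beats(records, probe_ip, start, end)
    return {"beats": beats,
            "gaps": find_gaps(beats),
            "slow": slow_responses(records, probe_ip)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for prev, nxt, gap in result["gaps"]:
        print(f"no probe between {prev:%H:%M:%S} and {nxt:%H:%M:%S} ({gap})")
    for ts, uri, status, ms in result["slow"]:
        print(f"{ts:%H:%M:%S} {uri} {status} took {ms} ms")
```

To use it on real data, read each u_ex*.log file and pass its text to analyze(); filtering on the monitor's source address (and, if several monitors share it, on cs(User-Agent)) is what keeps ordinary users during the outage from masking the gap.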

Summary

Traced the error back to the monitoring account being locked out during our blind two-hour period.

3 thoughts on “IIS – Review IISLog to track traffic within time period”

    • Mrs. Santhapuri:

      Thanks, it was a group effort.

      One of the managers called me and left a voice message stating “The tool is very sophisticated and it does pick up this disconnect”.

      Later, I went to talk to the manager of the Monitoring group and he and I walked the logs. I had overcompensated, thinking I needed to convert the IIS time from GMT to local time.

      He called one of Monitoring Engineers and we concluded that “there was an Active Directory ( AD ) problem that prevented authentication to sites“.

      Stay beautifully well and thanks for leaving a comment.

      Daniel
