Very large log files (250mb) in IIS over a period of a few days - Why?

Posted on 2008-11-16
Last Modified: 2012-06-27

I was looking to clear out space in the C drive of the exchange server and noticed quite a large amount of space taken up by the IIS log files at:


On first glance all the files typically looked very small and typically under 1mb. Then I noticed around begining of July 2008 a series of log files that rose up to 290mb in size. This was over a period of about 7 days.

AFter that period thing went pretty much back to normal although overall always a bit bigger after that date (but still under 1mb).

What even could have triggered such an event? Should I be worried?

I've not actually managed to open the files yet because of their size, but even if I did open them I would probably not understand them.

Question by:afflik1923
    LVL 58

    Accepted Solution


    The general rule of thumb with the IIS log files is that if they are larger, there were more requests passing through your IIS web server during those days. This could be something purely innocent: for example, an Exchange Server could have larger IIS logs over weekends when users access OWA from home, or if you were running some web-based tool against the web server on those dates.

    Do you have WSUS installed on this particular server? That product is renowned for causing an increase in IIS log files, mainly because all the workstations on the network are talking to the server on regular intervals to 'check in', check for updates and relay various other housekeeping information to the WSUS server.

    There is the potential that someone was trying to hack your web server from outside, or that some bot got stuck in a loop or something, but the fact the log files have decreased back almost to their originally size would indicate to me that whatever happened over those 7 days has now stopped. And remember, the most innocent reason would just be a sudden increase in visits to your website over that period...


    Author Comment

    Good comments. WSUS is not installed. Like you say, it was a while ago so that gives some comfort Are they easy to read if I can find a suitable tool that will open a 300 mb logfile?
    LVL 58

    Assisted Solution


    If you can get a tool to read them then you can get lots of information out of them - obviously the most important pieces of information would be where the requests came from (internal or external IPs), and what paths were being accessed. If it is paths which don't exist, then someone was trying to hack the web server by finding an application with a flaw in it, but otherwise, I'd say it's just a very large increase in innocent requests to view your website. Now, that said, it could indicate someone was trying to DDos (Distributed Denial of Service) you by making such a large number of requests, but again, if it has stopped now and went unnoticed at the time, there's not really much you can do this far down the line.

    The bottom line even if you were trying to be hacked, that is going to happen the moment you put your website out on the Internet. I can see the odd request for random pages in my IIS logs from time to time, but without closing port 80, you can't stop those from coming in.

    For parsing the logs try this log analyzer: I have the Lite (read, free) edition and it works for me; if you need it to fetch more information, you can always upgrade.

    LVL 95

    Assisted Solution

    by:Lee W, MVP
    If you want to really know why, you'll need to open them.  They are text files and while it may not make sense to you, you can post SMALL portions here.

    If you need space on the C: drive, you might want to review my page on boot drive size.

    (Note: your Exchange Information Store and Exchange Logs DO NOT belong on the C: drive).
    LVL 13

    Expert Comment

    1. Open Inetmgr
    2. select IIS default website properties ( Right click properties )
    3. Web Site (Tab)
     Down in this tab see { Properties } --> Enable Login ( Active Log Format)
    Click the property window { General Properties --Tab }

    See which radio button is clicked..I guess in your case it must be " Hourly" If its the case change it to " daily "or

    Click next tab " Extended Properties "

    Select these which are by default necessary..

    Client IP
    URI Stem
    Protocol Status

    ** Discuss with other teams if they need any further logs and information selected from these options and act accordingly.

    There are few tools and files that can shrink log files automaticcally once in a month when theyreach certain disk space.

     IIS log file compression tool

    Author Closing Comment

    Great input. I willnot worry too much this time about analysing the large log files but if it occurs again I might revist the subject.
    Thanks for advice.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Join & Write a Comment

    If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
    Learn about cloud computing and its benefits for small business owners.
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now