Very large log files (250mb) in IIS over a period of a few days - Why?


I was looking to clear out space in the C drive of the exchange server and noticed quite a large amount of space taken up by the IIS log files at:


On first glance all the files typically looked very small and typically under 1mb. Then I noticed around the beginning of July 2008 a series of log files that rose up to 290mb in size. This was over a period of about 7 days.

After that period things went pretty much back to normal although overall always a bit bigger after that date (but still under 1mb).

What even could have triggered such an event? Should I be worried?

I've not actually managed to open the files yet because of their size, but even if I did open them I would probably not understand them.



The general rule of thumb with the IIS log files is that if they are larger, there were more requests passing through your IIS web server during those days. This could be something purely innocent: for example, an Exchange Server could have larger IIS logs over weekends when users access OWA from home, or if you were running some web-based tool against the web server on those dates.

Do you have WSUS installed on this particular server? That product is renowned for causing an increase in IIS log files, mainly because all the workstations on the network are talking to the server at regular intervals to 'check in', check for updates and relay various other housekeeping information to the WSUS server.

There is the potential that someone was trying to hack your web server from outside, or that some bot got stuck in a loop or something, but the fact the log files have decreased back almost to their original size would indicate to me that whatever happened over those 7 days has now stopped. And remember, the most innocent reason would just be a sudden increase in visits to your website over that period...


afflik1923 (Author) Commented:
Good comments. WSUS is not installed. Like you say, it was a while ago so that gives some comfort. Are they easy to read if I can find a suitable tool that will open a 300 mb logfile?

If you can get a tool to read them then you can get lots of information out of them - obviously the most important pieces of information would be where the requests came from (internal or external IPs), and what paths were being accessed. If it is paths which don't exist, then someone was trying to hack the web server by finding an application with a flaw in it, but otherwise, I'd say it's just a very large increase in innocent requests to view your website. Now, that said, it could indicate someone was trying to DDoS (Distributed Denial of Service) you by making such a large number of requests, but again, if it has stopped now and went unnoticed at the time, there's not really much you can do this far down the line.

The bottom line is, even if you were trying to be hacked, that is going to happen the moment you put your website out on the Internet. I can see the odd request for random pages in my IIS logs from time to time, but without closing port 80, you can't stop those from coming in.

For parsing the logs try this log analyzer: I have the Lite (read, free) edition and it works for me; if you need it to fetch more information, you can always upgrade.


Lee W, MVP (Technology and Business Process Advisor) Commented:
If you want to really know why, you'll need to open them.  They are text files and while it may not make sense to you, you can post SMALL portions here.

If you need space on the C: drive, you might want to review my page on boot drive size.

(Note: your Exchange Information Store and Exchange Logs DO NOT belong on the C: drive).
Praveen DM (Infra Team Lead) Commented:
1. Open Inetmgr
2. select IIS default website properties ( Right click properties )
3. Web Site (Tab)
 Down in this tab see { Properties } --> Enable Login ( Active Log Format)
Click the property window { General Properties --Tab }

See which radio button is clicked. I guess in your case it must be "Hourly". If it's the case, change it to "daily" or

Click next tab " Extended Properties " 

Select these which are by default necessary..

Client IP
URI Stem
Protocol Status

** Discuss with other teams if they need any further logs and information selected from these options and act accordingly.

There are a few tools and files that can shrink log files automatically once in a month when they reach certain disk space.

 IIS log file compression tool
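
Added example, not part of any post in this thread: a streaming summary of a W3C extended format IIS log that answers the questions raised above (which client IPs made the requests, whether they are internal or external, and which requested paths returned 404), using the Client IP, URI Stem and Protocol Status fields (`c-ip`, `cs-uri-stem`, `sc-status`). The sample log lines, the `INTERNAL_NETS` ranges and the function name `summarize` are assumptions made for the illustration.

```python
import ipaddress
import sys
from collections import Counter

# Assumption: these RFC 1918 ranges are the "internal" side; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in W3C extended log format (not taken from the thread).
# The external addresses come from the reserved documentation ranges.
SAMPLE = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-07-02 10:00:01 10.0.0.15 GET /exchange/ 200
2008-07-02 10:00:02 198.51.100.7 GET /old/setup.php 404
2008-07-02 10:00:02 198.51.100.7 GET /test/admin.asp 404
2008-07-02 10:00:03 198.51.100.7 GET /backup/index.php 404
#Fields: date time c-ip cs-uri-stem sc-status
2008-07-02 10:05:00 192.0.2.44 /exchange/ 200
2008-07-02 10:05:01 10.0.0.15 /exchange/logon.asp 200
"""

def summarize(lines, internal_nets=INTERNAL_NETS):
    """Stream W3C log lines; count requests and 404s per client IP."""
    fields, hits, misses, paths, external = [], Counter(), Counter(), Counter(), set()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        values = line.split()
        if not values or line.startswith("#") or len(values) != len(fields):
            continue                    # directive, blank or truncated line
        row = dict(zip(fields, values))
        try:
            addr = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                    # c-ip not logged or not parsable
        ip = str(addr)
        hits[ip] += 1
        if not any(addr in net for net in internal_nets):
            external.add(ip)
        if row.get("sc-status") == "404":
            misses[ip] += 1
            paths[row.get("cs-uri-stem", "-")] += 1
    return {"requests": hits, "external": sorted(external),
            "not_found_by_ip": misses, "not_found_paths": paths}

if __name__ == "__main__":
    # Iterating a file object reads one line at a time, so a 300 MB log is fine.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    report = summarize(source)
    for ip, n in report["requests"].most_common(10):
        print(ip, n, report["not_found_by_ip"][ip],
              "external" if ip in report["external"] else "internal")
```

Run it with the path of a log file as the only argument; with no argument it summarizes the constructed sample.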
afflik1923 (Author) Commented:
Great input. I will not worry too much this time about analysing the large log files but if it occurs again I might revisit the subject.
Thanks for advice.