Very large log files (250mb) in IIS over a period of a few days - Why?

Posted on 2008-11-16
Last Modified: 2012-06-27
Hi,

I was looking to clear out space in the C drive of the exchange server and noticed quite a large amount of space taken up by the IIS log files at:

C:\WINDOWS\system32\LogFiles\W3SVC1

On first glance all the files typically looked very small and typically under 1mb. Then I noticed around the beginning of July 2008 a series of log files that rose up to 290mb in size. This was over a period of about 7 days.

After that period things went pretty much back to normal, although overall always a bit bigger after that date (but still under 1mb).

What event could have triggered such an event? Should I be worried?

I've not actually managed to open the files yet because of their size, but even if I did open them I would probably not understand them.

Thanks
Question by:afflik1923
6 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 1700 total points
ID: 22970335

The general rule of thumb with the IIS log files is that if they are larger, there were more requests passing through your IIS web server during those days. This could be something purely innocent: for example, an Exchange Server could have larger IIS logs over weekends when users access OWA from home, or if you were running some web-based tool against the web server on those dates.

Do you have WSUS installed on this particular server? That product is renowned for causing an increase in IIS log files, mainly because all the workstations on the network are talking to the server on regular intervals to 'check in', check for updates and relay various other housekeeping information to the WSUS server.

There is the potential that someone was trying to hack your web server from outside, or that some bot got stuck in a loop or something, but the fact the log files have decreased back almost to their original size would indicate to me that whatever happened over those 7 days has now stopped. And remember, the most innocent reason would just be a sudden increase in visits to your website over that period...

-tigermatt

Author Comment

by:afflik1923
ID: 22970342
Good comments. WSUS is not installed. Like you say, it was a while ago so that gives some comfort. Are they easy to read if I can find a suitable tool that will open a 300 mb logfile?
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1700 total points
ID: 22970352

If you can get a tool to read them then you can get lots of information out of them - obviously the most important pieces of information would be where the requests came from (internal or external IPs), and what paths were being accessed. If it is paths which don't exist, then someone was trying to hack the web server by finding an application with a flaw in it, but otherwise, I'd say it's just a very large increase in innocent requests to view your website. Now, that said, it could indicate someone was trying to DDoS (Distributed Denial of Service) you by making such a large number of requests, but again, if it has stopped now and went unnoticed at the time, there's not really much you can do this far down the line.

The bottom line is that even if someone was trying to hack you, that is going to happen the moment you put your website out on the Internet. I can see the odd request for random pages in my IIS logs from time to time, but without closing port 80, you can't stop those from coming in.

For parsing the logs try this log analyzer: http://www.weblogexpert.com/lite.htm. I have the Lite (read, free) edition and it works for me; if you need it to fetch more information, you can always upgrade.

-tigermatt
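Reading the logs the way tigermatt describes (which IPs the requests came from, internal or external, and which paths came back 404): an added Python example, not part of the original thread or of any tool mentioned in it. It parses the W3C extended format IIS writes, one line at a time so a 300 MB file is streamed rather than loaded whole; the sample log and the "internal" address ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter

# RFC 1918 and loopback ranges are treated as "internal" (assumption; adjust to your LAN).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample, not from the question: TEST-NET addresses stand in for outside
# clients, and /does-not-exist/ paths for requests to pages the server does not have.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-07-02 00:00:01 192.168.1.20 GET /exchange/ 200
2008-07-02 00:00:03 192.168.1.20 GET /exchange/inbox 200
2008-07-02 00:00:04 203.0.113.9 GET /does-not-exist/a.asp 404
2008-07-02 00:00:04 203.0.113.9 GET /does-not-exist/b.asp 404
2008-07-02 00:00:05 203.0.113.9 GET /does-not-exist/a.asp 404
2008-07-02 00:00:09 198.51.100.7 GET /exchange/ 401
"""

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the most recent #Fields: line."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):       # IIS writes a new directive block per file/rollover
            fields = line.split()[1:]
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                          # skip a truncated line rather than abort the file
        yield dict(zip(fields, values))

def summarise(lines, top=5):
    """Who sent the requests, what status codes came back, and which paths were not found."""
    by_ip, by_status, by_origin, missing = Counter(), Counter(), Counter(), Counter()
    for rec in parse_w3c(lines):
        by_ip[rec["c-ip"]] += 1
        by_status[rec["sc-status"]] += 1
        by_origin["internal" if is_internal(rec["c-ip"]) else "external"] += 1
        if rec["sc-status"] == "404":         # requests for pages that do not exist
            missing[rec["cs-uri-stem"]] += 1
    return {"requests": sum(by_ip.values()), "origin": dict(by_origin),
            "top_ips": by_ip.most_common(top), "status": dict(by_status),
            "missing_paths": missing.most_common(top)}
```

Pass `open(path)` in place of `SAMPLE_LOG.splitlines()` to summarise a real file from the W3SVC1 folder; the file object is iterated line by line, so the large files never have to be opened in an editor.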
LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 300 total points
ID: 22971171
If you want to really know why, you'll need to open them.  They are text files and while it may not make sense to you, you can post SMALL portions here.

If you need space on the C: drive, you might want to review my page on boot drive size.  http://www.lwcomputing.com/tips/static/bootdrivesize.asp

(Note: your Exchange Information Store and Exchange Logs DO NOT belong on the C: drive).
LVL 13

Expert Comment

by:Praveen DM
ID: 22971764
1. Open Inetmgr.
2. Select the IIS Default Web Site and open its properties (right-click, Properties).
3. On the Web Site tab, under Enable logging (Active log format), click Properties.
4. On the General Properties tab, see which radio button is selected. I guess in your case it must be "Hourly"; if that is the case, change it to "Daily", or
5. Click the next tab, "Extended Properties", and select only the fields which are necessary by default:

Date
Time
Client IP
Method
URI Stem
Protocol Status

** Discuss with other teams if they need any further logs and information selected from these options and act accordingly.

There are a few tools and files that can shrink log files automatically once a month when they reach a certain disk space:

IIS log file compression tool

Author Closing Comment

by:afflik1923
ID: 31518536
Great input. I will not worry too much this time about analysing the large log files, but if it occurs again I might revisit the subject.
Thanks for the advice.