Very large log files (250mb) in IIS over a period of a few days - Why?

Hi,

I was looking to clear out space in the C drive of the exchange server and noticed quite a large amount of space taken up by the IIS log files at:

C:\WINDOWS\system32\LogFiles\W3SVC1

At first glance all the files looked very small, typically under 1mb. Then I noticed around the beginning of July 2008 a series of log files that rose up to 290mb in size. This was over a period of about 7 days.

After that period things went pretty much back to normal, although overall always a bit bigger after that date (but still under 1mb).

What even could have triggered such an event? Should I be worried?

I've not actually managed to open the files yet because of their size, but even if I did open them I would probably not understand them.

Thanks
afflik1923 Asked:
tigermatt Commented:

The general rule of thumb with the IIS log files is that if they are larger, there were more requests passing through your IIS web server during those days. This could be something purely innocent: for example, an Exchange Server could have larger IIS logs over weekends when users access OWA from home, or if you were running some web-based tool against the web server on those dates.

Do you have WSUS installed on this particular server? That product is renowned for causing an increase in IIS log files, mainly because all the workstations on the network are talking to the server at regular intervals to 'check in', check for updates and relay various other housekeeping information to the WSUS server.

There is the potential that someone was trying to hack your web server from outside, or that some bot got stuck in a loop or something, but the fact the log files have decreased back almost to their original size would indicate to me that whatever happened over those 7 days has now stopped. And remember, the most innocent reason would just be a sudden increase in visits to your website over that period...

-tigermatt
0
 
afflik1923 Author Commented:
Good comments. WSUS is not installed. Like you say, it was a while ago so that gives some comfort. Are they easy to read if I can find a suitable tool that will open a 300 mb logfile?
0
 
tigermatt Commented:

If you can get a tool to read them then you can get lots of information out of them - obviously the most important pieces of information would be where the requests came from (internal or external IPs), and what paths were being accessed. If it is paths which don't exist, then someone was trying to hack the web server by finding an application with a flaw in it, but otherwise, I'd say it's just a very large increase in innocent requests to view your website. Now, that said, it could indicate someone was trying to DDoS (Distributed Denial of Service) you by making such a large number of requests, but again, if it has stopped now and went unnoticed at the time, there's not really much you can do this far down the line.

The bottom line is, even if someone was trying to hack you, that is going to happen the moment you put your website out on the Internet. I can see the odd request for random pages in my IIS logs from time to time, but without closing port 80, you can't stop those from coming in.

For parsing the logs try this log analyzer: http://www.weblogexpert.com/lite.htm. I have the Lite (read, free) edition and it works for me; if you need it to fetch more information, you can always upgrade.

-tigermatt
0
Lee W, MVP, Technology and Business Process Advisor, Commented:
If you want to really know why, you'll need to open them.  They are text files and while it may not make sense to you, you can post SMALL portions here.

If you need space on the C: drive, you might want to review my page on boot drive size.  http://www.lwcomputing.com/tips/static/bootdrivesize.asp

(Note: your Exchange Information Store and Exchange Logs DO NOT belong on the C: drive).
0
 
Praveen DM, Infra Team Lead, Commented:
1. Open Inetmgr.
2. Select the IIS default website properties (right-click, Properties).
3. Web Site (tab).
   Down in this tab see { Properties } --> Enable Login (Active Log Format).
   Click the property window { General Properties tab }.

See which radio button is selected. I guess in your case it must be "Hourly". If that's the case, change it to "Daily" or

Click the next tab, "Extended Properties".

Select these, which are necessary by default:

Date
Time
Client IP
Method
URI Stem
Protocol Status

** Discuss with other teams if they need any further logs and information selected from these options and act accordingly.


There are a few tools and files that can shrink log files automatically once a month when they reach a certain disk space.

 IIS log file compression tool
0
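The triage tigermatt describes above (where requests came from, which paths were requested, and whether those paths exist) needs only the fields in the list directly above. The following is an added example, not code from any participant in this thread: it streams a W3C extended log line by line, so a 300 MB file never has to be opened in an editor. The sample log is constructed, the `INTERNAL` ranges are an assumption about the network, and the second `#Fields:` header shows what IIS writes when the service restarts or the field selection changes.

```python
import ipaddress
from collections import Counter

# Constructed sample (not from the thread); note the second #Fields header.
SAMPLE = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-07-02 00:00:01 192.168.1.20 GET /exchange/ 200
2008-07-02 00:00:02 203.0.113.7 GET /admin.php 404
2008-07-02 00:00:02 203.0.113.7 GET /old/setup.php 404
2008-07-02 00:00:04 192.168.1.21 GET /exchange/ 200
#Fields: date time c-ip cs-uri-stem sc-status
2008-07-02 00:05:00 203.0.113.7 /admin.php 404
2008-07-02 00:05:01 192.168.1.20 /exch
"""

# Assumption: "internal" means RFC 1918 or loopback; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                       # "-" or garbage in the c-ip column
    return any(addr in net for net in INTERNAL)

def triage(lines):
    """Stream log lines; return (hits per IP, 404s per IP, 404s per path)."""
    fields, hits, misses, paths = [], Counter(), Counter(), Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order for the rows below
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) != len(fields):
                continue                   # truncated or corrupt row
            row = dict(zip(fields, values))
            hits[row.get("c-ip", "-")] += 1
            if row.get("sc-status") == "404":
                misses[row.get("c-ip", "-")] += 1
                paths[row.get("cs-uri-stem", "-")] += 1
    return hits, misses, paths

if __name__ == "__main__":
    hits, misses, paths = triage(SAMPLE.splitlines())
    for ip, n in hits.most_common(10):
        print(ip, "internal" if is_internal(ip) else "external", n, misses[ip])
    print(paths.most_common(10))
```

For a real log, pass an open file object (opened with `errors="replace"`) to `triage` instead of the sample; the file is then read one line at a time. A single external address with a high share of 404s spread over many different paths is the scanning pattern described above, while high volume on paths that exist points to ordinary traffic.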
 
afflik1923 Author Commented:
Great input. I will not worry too much this time about analysing the large log files but if it occurs again I might revisit the subject.
Thanks for advice.
0
Question has a verified solution.
