IIS logs every request made to your web server — the URL, HTTP status code, client IP, response time, and more. Reading these logs helps you diagnose application errors, investigate security incidents, track down 404s, and identify performance problems. Here is where to find IIS logs and how to read them effectively.
Where IIS Logs Are Stored
By default, IIS saves logs to:
C:\inetpub\logs\LogFiles\Under this folder there is a subfolder for each website and application pool — named W3SVC1, W3SVC2, etc. (the number corresponds to the IIS site ID). Inside each folder are daily log files named by date, e.g. u_ex260401.log (year 2026, April 1st).
To confirm the exact log path for a specific site:
- Open IIS Manager
- Click the site in the left panel
- Double-click Logging
- The Directory field shows the log path for that site
Reading an IIS Log File
IIS logs are plain text files. The first few lines start with # and describe the fields. A typical log entry looks like:
2026-04-01 09:15:32 192.168.1.50 GET /about.html - 80 - 203.0.113.25 Mozilla/5.0+... 200 0 0 245The fields in order (with the default W3C format):
- date, time: when the request was received (UTC by default)
- s-ip: the server IP that handled the request
- cs-method: GET, POST, PUT, DELETE, etc.
- cs-uri-stem: the path requested (e.g. /about.html)
- cs-uri-query: query string parameters (or – if none)
- s-port: the port the request came in on (80 or 443)
- cs-username: authenticated username (- for anonymous)
- c-ip: the client’s IP address
- cs(User-Agent): the browser or client software
- sc-status: HTTP response code (200 = OK, 404 = not found, 500 = server error)
- sc-substatus: IIS sub-status code (useful for diagnosing 4xx and 5xx errors)
- sc-win32-status: Windows error code if applicable
- time-taken: how long the request took in milliseconds
Find All Errors in a Log File (PowerShell)
# Find all 500 errors in today's log
$logPath = "C:\inetpub\logs\LogFiles\W3SVC1\u_ex$(Get-Date -Format 'yyMMdd').log"
Get-Content $logPath | Where-Object {$_ -match " 500 "} | Select-Object -Last 20
# Find all 404 errors
Get-Content $logPath | Where-Object {$_ -match " 404 "}
# Count errors by status code
Get-Content $logPath | Where-Object {$_ -notmatch "^#"} | ForEach-Object {($_ -split " ")[11]} | Group-Object | Sort-Object Count -DescendingFind Slow Requests
The time-taken field (last column) is in milliseconds. Find requests that took over 5 seconds:
Get-Content $logPath | Where-Object {$_ -notmatch "^#"} | Where-Object {
$fields = $_ -split " "
[int]$fields[-1] -gt 5000
} | Select-Object -Last 20Find Requests from a Specific IP
Get-Content $logPath | Where-Object {$_ -match "203.0.113.25"}Useful during a security investigation to see exactly what a suspicious IP requested.
Using Log Parser or Log Parser Studio
Microsoft’s free Log Parser 2.2 tool lets you run SQL-style queries against IIS logs — extremely powerful for analysis:
# Most requested pages
logparser "SELECT cs-uri-stem, COUNT(*) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log GROUP BY cs-uri-stem ORDER BY Hits DESC" -i:W3C
# Top client IPs by request count
logparser "SELECT c-ip, COUNT(*) AS Hits FROM *.log GROUP BY c-ip ORDER BY Hits DESC" -i:W3CLog Parser Studio provides a GUI around Log Parser — both are free downloads from Microsoft.
Configuring Log Rotation and Retention
IIS logs grow indefinitely by default. Configure rotation in IIS Manager:
- Click the site → Logging
- Under Log File Rollover, set the schedule (Daily is standard)
- Tick Use local time for file naming and rollover if you want log times in local time rather than UTC
Old log files should be archived or deleted periodically. A script to delete logs older than 90 days:
Get-ChildItem "C:\inetpub\logs\LogFiles" -Recurse -File | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-90)} | Remove-Item