how to separate IIS event logs by application in event viewer

Question

Just to start with, I would like to advise I am VERY new to IIS so apologies for any obvious questions in advance.

I have done some research around this topic and my findings have been inconclusive.

Here is my scenario;

I am currently running IIS 6 on a server I am remoting onto which is hosting around 20 sites.

I have identified that I can browser through errors that occur on the different web applications using the Event Viewer.

My current issue with this is that there seems to be no way to filter out the event logs on a "per application" basis and they are instead appearing randomly depending on the time they occur. There is also a mix of ASP.NET web Event, IIS-W3SVC-WP warnings etc.

To identify which warning is assigned to which application, I have to right click on the error, go to "event properties" and to "Application Path" that will have, for example, the path of my "HotelBookingSystem". The Application path of this will be "D:inetpub\wwwroot\HotelBookingSystem."

My question is, is there way to sort the event logs per application? What I would ideally like to do is filter all the results by "Application Path".

I have installed Microsoft's Log Parser Studios so believe there may be a way to run a query using that but my knowledge of SQL is not at a level to attempt to create such a query.

Any assistance would be much appreciated.

Answer 1

I've managed to solve this issue but it is quite a long winded method.

On "Event Viewer" I right clicked on the "Application" windows logs and saved the entire logs to a .txt file.

I copied this .txt file from the remote server onto my local machine.

I installed Log Parser 2.2 onto my machine (can be downloaded here

I accessed Log Parser by opening Command Prompt on my local machine and navigating to the location I had installed it e.g. Program Files (x86) > Log Parser 2.2 >.

Continuing from this, I entered the following command that search for a string (in my case, the application name) and also the date so I could narrow the search down to a specific date. I also printed out the results in a data grid;

logParser.exe "select * from **C:\NAME_OF_FILE.txt** WHERE text LIKE '%10/02/2015%' AND text LIKE '**YOUR_STRING**%'" -o:datagrid

You can also choose to put the result into an output file which in my case was;

-o:CSV > C:\temp\Test.csv

This may not be the best way to do it but it worked for me.

Answer 2

1. Try playing with wevtutil (that's a Windows command-line utility to manage events) to see if you can come up with an appropriate query.

   See https://technet.microsoft.com/en-us/magazine/dd310329.aspx

   and the help screens of the Query command:

   wevtutil qe /?

2. If you prefer a dialog-based solution, try XPath queries on Event Viewer as explained here: http://blog.backslasher.net/filtering-windows-event-log-using-xpath.html But I'm afraid Windows Event Log supports only a subset of XPath 1.0. It contains only 3 functions: position, Band, timediff.

3. There are also interesting options with Get-WinEvent Powershell command.

In your (edited) question you state you want to filter using a substring of the Description field. I don't think this will be possible with the inbuilt filters, I would use a wevtutil command to dump all relevant events to XML and then filter with some fully functional parser (could be a simple string search, or an XML parser with full XPath capabilities).