The attached PowerShell script will quickly analyze the IIS logs from Archer web servers and generate 40+ reports detailing Archer usage, HTTP errors and other general IIS stats. Most of the reports display the top 20 rows and include stats such as the count, average time and max time for each web request. All of the reports are HTML tables with sortable columns and sections that can be collapsed by clicking the header. A text-only version is also created.
Please check out the Archer IIS Log Analyzer Demo and Discussion - FFTH - RSA Link - 591806 presented in March 2021.
At first glance, the amount of data in the reports can be overwhelming, but it is extremely helpful when investigating trends and usage or troubleshooting an issue. Since the IIS logs capture query strings, some reports and stats are based on the IDs for modules, workspaces, dashboards, iViews, reports, fields, etc. To look up the IDs via the UI, go to the manage page and hover the mouse over the names. The Archer API can be used too, so check out the Archer API Templates - an Archer application to quickly test the Archer Web Services API, REST API, and Content API using Custom Objects and much more. Starting with v1.1, the script can optionally connect to the Archer instance database to look up the IDs. Unfortunately, the script only applies to On-Premise and single-instance environments.
If IIS is capturing the Windows username or cookie, the script can be edited to filter the results by username or Archer session token. When filtered, a user's activity report details the date, time (UTC), local time, time taken, HTTP code and the URL. The IIS log results can be filtered by hours too.
How to Use
- Right-click the script file and select Run with PowerShell.
- By default, the open file dialog window will display.
- Select one or more IIS log files. All IIS log files must have the same headers.
- When the script completes, an HTML file and a text file are created with the reports.
- Optional: Edit the script with a text editor like Notepad to filter on username, Archer session token or the hours.
The script contains several examples that are commented out (lines starting with #).
List of IIS log file paths. Default value is blank which prompts user to select files.
Value can be a single file path, multiple paths, or use Get-ChildItem.
Single file: $files = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex200119.log'
Multiple files: $files = 'C:\temp\test iis 6.log','C:\temp\test iis 7.log'
Multiple files using a folder and filter: $files = Get-ChildItem "C:\inetpub\logs\LogFiles\W3SVC1" -Filter "u_ex201027*.log" | Select-Object -ExpandProperty FullName
|Archer related report||Description|
|Users by Hour||Number of unique usernames per hour. Depends on IIS configuration and may require Windows Authentication.|
|Tokens by Hour||Number of unique Archer session tokens per hour. Requires the cs(Cookie) field to be selected for logging.|
|Log Reference Ids by Hour||Query string matches "logRefId=" grouped by hour|
|Record.aspx by Hour||URL matches "/record.aspx" grouped by hour|
|Search.aspx by Hour||URL matches "/search.aspx" grouped by hour|
|Dashboard.aspx by Hour||URL matches "/WorkspaceDashboard.aspx" grouped by hour|
|Top Modules using Record.aspx||URL matches "/record.aspx" and query string matches "moduleid="|
|Top Modules using Search.aspx||URL matches "/search.aspx" and query string matches "moduleid="|
|Top Reports using Search.aspx||URL matches "/search.aspx" and query string matches "reportid="|
|Top Workspaces||URL matches "/WorkspaceDashboard.aspx" and query string matches "workspaceid="|
|Top Dashboards||URL matches "/WorkspaceDashboard.aspx" and query string matches "dashboardid="|
|Top iViews||URL matches "/Portal/IViewsRender.aspx" and query string matches "iviewid="|
|Top iView Reports||URL matches "/SearchContent/IViewSearchResults.aspx" and query string matches "reportid" and "view=Report"|
|Top Modules using Export||URL matches "/ExportReportCreation.aspx" or "ExportRecord.aspx" and query string matches "moduleName="|
|Top Levels using Print||URL matches "/Print.aspx" and query string matches "levelid="|
|Top Fields using File Upload||URL matches "/FileUploadPopup.aspx" and query string matches "fieldId="|
|Top Fields using History Log View||URL matches "/HistoryLogContentView.aspx" and query string matches "hlFieldId="|
|Top Archer Tokens||Grouped by Archer session tokens. Requires the cs(Cookie) field to be selected for logging.|
|Top Web Services API||URL matches "/ws/"|
|Top REST API||URL matches "/api/" or "/platformapi/" and not "/api/internal/|/api/v2/|/content/unlock/"|
|Top Content API||URL matches "/contentapi/"|
|Top Mobile API||URL matches "/mobileapi/"|
|Top Advanced Workflow||URL matches "/wpservices/"|
|Top Navigation Menu API||URL matches "/navmenu" or "/navmenudetail/"|
|Top Internal API||URL matches "/api/internal/" or "/api/v2/" and not "/navmenudetail/"|
|IIS Log Files||List of IIS Log files used by script and extra details|
|IIS related reports||Description|
|HTTP Hits by Hour||Number of hits per hour|
|HTTP 200 by Hour||Number of HTTP code 200 per hour|
|HTTP Errors by Hour||Number of HTTP error codes >= 400 per hour|
|Top .ASPX Pages||URL matches ".aspx"|
|||Grouped by unique URLs|
|||Grouped by slowest unique URLs|
|Top Urls with Errors||Grouped by URLs with HTTP error codes >= 400|
|||Grouped by users|
|Top Users with errors||Grouped by users with HTTP error codes >= 400|
|Top Error Paths||URL matches "/error.aspx" and query string matches "aspxerrorpath="|
|||Grouped by HTTP status code. A description of the status code is included.|
|Win32 Status Codes||Grouped by Win32 status code. A description of the status code is included.|
|||Grouped by IIS Verb|
|Top Client IP Addresses||Grouped by client IP addresses|
|Top Client IPs with errors||Grouped by client IP addresses with HTTP error codes >= 400|
|Top File Extensions||Grouped by URL file extension|
|Top Referer Hosts||Grouped by referer hostname|
|Top Referer URLs||Grouped by referer URL|
|Top Browsers by Name||Grouped by short friendly browser name. Browser name is based on user agent string.|
|Top User Agents||Grouped by user agent string|
How does the script work...what is going on under the covers?
- Read top lines to get headers used in IIS log. This will be different depending on IIS version and fields selected for logging.
- Create a dynamic C# class and properties based on headers. This helps read very large files in seconds and keeps memory usage as low as possible.
- Read IIS log file and convert lines into objects.
- Filter the data if needed by username, Archer session token, or hours of day.
- Use PowerShell commands to analyze, group, and count the data using different criteria. Reports are saved to a hash table.
- Create an HTML and text file with reports. Reports are not displayed if empty.
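
The steps above, and two of the reports from the tables ("HTTP Errors by Hour" and "Top Modules using Record.aspx"), as an added sketch that is not code from the attached script. It builds one PSCustomObject per row instead of the dynamic C# class the script generates, the function names ConvertFrom-IisLog and Get-Summary are hypothetical, and the log lines and URL paths are constructed sample data.

```powershell
# Constructed sample in W3C extended format; real IIS logs usually carry more fields.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2021-03-01 13:05:10 GET /app/Record.aspx id=101&moduleid=70 10.0.0.5 200 420
2021-03-01 13:17:42 GET /app/Record.aspx id=102&moduleid=70 10.0.0.6 200 1310
2021-03-01 13:40:03 GET /app/Record.aspx id=7&moduleid=421 10.0.0.5 500 95
2021-03-01 14:02:55 GET /app/Search.aspx moduleid=70 10.0.0.7 404 12
'@ -split "`r?`n"

function ConvertFrom-IisLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields: ')) {
            # The header names the columns; it varies with IIS version and logging settings.
            $fields = $line.Substring(9).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $fields.Count -eq 0) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated or malformed rows
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-Summary {   # count, average and max time-taken (ms) per key, top 20 rows
    param($Rows, [scriptblock]$Key)
    $Rows | Where-Object { $null -ne $_ } | Group-Object $Key | ForEach-Object {
        $t = $_.Group | ForEach-Object { [int]$_.'time-taken' } | Measure-Object -Average -Maximum
        [pscustomobject]@{ Key = $_.Name; Count = $_.Count; AvgMs = [math]::Round($t.Average); MaxMs = $t.Maximum }
    } | Sort-Object Count -Descending | Select-Object -First 20
}

$rows = ConvertFrom-IisLog $sample
# Optional filter by hour of day (UTC), as described in the article.
$hours = 13..14
$rows = $rows | Where-Object { $hours -contains [int]$_.time.Substring(0, 2) }

$reports = [ordered]@{}
$reports['HTTP Errors by Hour'] = Get-Summary ($rows | Where-Object { [int]$_.'sc-status' -ge 400 }) { $_.time.Substring(0, 2) }
$reports['Top Modules using Record.aspx'] = Get-Summary ($rows | Where-Object {
    $_.'cs-uri-stem' -match '/record\.aspx' -and $_.'cs-uri-query' -match 'moduleid=\d+' }) {
    [regex]::Match($_.'cs-uri-query', 'moduleid=(\d+)', 'IgnoreCase').Groups[1].Value }
# Empty reports are skipped.
$reports.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { "== $($_.Key) =="; $_.Value | Format-Table -AutoSize | Out-String }
```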
- 1.2 - March 2021
- Added and fixed reports
- 1.1 - Jan 2021
- Added ID lookup from Archer instance database
- Added and fixed reports
- 1.0 - Dec 2020