Filter through IIS logs for certain items. Updated April 07 2026
First, enable the log in Event Viewer --> Applications and Services --> Microsoft --> Windows --> Microsoft-IIS-Logging --> Logs
Next, go to Control Panel --> Administrative Tools --> Internet Information Services (IIS) Manager --> Logging and change the destination to "Both log file and ETW Event"

Your regular log files are available here:
C:\inetpub\logs\LogFiles\W3SVC1
C:\inetpub\logs\LogFiles\W3SVC2

```powershell
$ThresholdMs = 10000      # report requests that took longer than this (milliseconds)
$LookbackMs  = 3600000    # how far back to search: one hour, in milliseconds

# timediff(@SystemTime) in the XPath filter is measured in milliseconds
Get-WinEvent -LogName 'Microsoft-IIS-Logging/Logs' -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) <= $LookbackMs]]]" |
    Where-Object {
        # Keep only events whose time-taken field exceeds the threshold
        $xml = [xml]$_.ToXml()
        $timeTaken = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'time-taken' }).'#text'
        $timeTaken -and [int]$timeTaken -gt $ThresholdMs
    } |
    ForEach-Object {
        # Flatten the event's named Data elements into a hashtable
        $xml = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            TimeTakenMs = [int]$data['time-taken']
            Method      = $data['cs-method']
            UriStem     = $data['cs-uri-stem']
            Status      = $data['sc-status']
            ClientIP    = $data['c-ip']
            BytesSent   = $data['sc-bytes']
            BytesRecv   = $data['cs-bytes']
        }
    } |
    Sort-Object TimeCreated | Format-List *
# Alternative output, slowest first:
# Sort-Object TimeTakenMs -Descending | Format-Table -AutoSize
```
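The same slow-request filter can also be run over the regular text log files in the folders listed above. This is an added example, not part of the original guide: the function name `Get-IisSlowRequest`, its parameters and the sample log lines are constructed for illustration, and it assumes the `date`, `time` and `time-taken` fields are enabled and written in UTC.

```powershell
# Added example, not from the original guide: time-taken filter over W3C text logs.
function Get-IisSlowRequest {
    param(
        [Parameter(Mandatory)][string[]]$Path,   # one or more W3C log files
        [int]$ThresholdMs = 10000,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    # Assumption: date/time columns are in UTC, so the cutoff is compared in UTC.
    $sinceUtc = $Since.ToUniversalTime()
    $utc = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $inv = [cultureinfo]::InvariantCulture
    $fields = @()
    Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -like '#Fields:*') {
            # The header repeats when a new file starts or the logged fields change.
            $fields = ($_ -replace '^#Fields:\s*', '').Trim() -split ' '
            return
        }
        if ($_.StartsWith('#') -or -not $fields) { return }
        $values = $_ -split ' '
        if ($values.Count -ne $fields.Count) { return }   # truncated or malformed row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $ms = 0
        $ts = [datetime]::MinValue
        if (-not ([int]::TryParse($row['time-taken'], [ref]$ms)) -or $ms -le $ThresholdMs) { return }
        $stamp = "$($row['date']) $($row['time'])"
        if (-not [datetime]::TryParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', $inv, $utc, [ref]$ts)) { return }
        if ($ts -lt $sinceUtc) { return }
        [PSCustomObject]@{
            TimeUtc     = $ts
            TimeTakenMs = $ms
            Method      = $row['cs-method']
            UriStem     = $row['cs-uri-stem']
            Status      = $row['sc-status']
            ClientIP    = $row['c-ip']
        }
    }
}

# Constructed sample log (documentation IPs, made-up requests) so the example runs anywhere.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'u_ex_sample.log'
$now = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
@(
    '#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken'
    "$now GET /reports/export 192.0.2.10 200 15234"
    "$now GET /index.html 192.0.2.11 200 12"
) | Set-Content -LiteralPath $sample
Get-IisSlowRequest -Path $sample | Format-Table -AutoSize
```

Against the live logs, pass `(Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\*.log').FullName` as `-Path`.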