In our first two Windows Logging guides, we explored basic and advanced concepts for general Windows logging. In this article, we will hone in on logs for two of the most common Windows Server applications:

  • Microsoft SQL Server—Microsoft’s relational database management system (RDBMS).
  • Internet Information Services (IIS)—Microsoft’s popular Windows web server application.

Both of these apps are staples in Windows ecosystems. Understanding how their logs work can make you a more efficient administrator. Let’s start with Microsoft SQL Server.

Learn More

Microsoft SQL Server logs

Microsoft’s popular RDBMS creates multiple logs and provides administrators with several ways to access those logs. We’ll focus on using SQL Server Management Studio (SSMS) to access and interact with key SQL Server logs.

SQL Server Transaction Log

The transaction log sequentially records the modifications and transactions that occur on a SQL Server instance. This log is a crucial part of database transaction recovery, database restoration, high availability, and disaster recovery for SQL Server.

The transaction log consists of smaller virtual log files (VLFs) in a larger, logical log file. It uses a circular approach in which VLFs are eventually overwritten. To understand how this circular process works, it’s important to become familiar with the following concepts:

  • Log Sequence Number (LSN)—The LSN is a unique number that identifies a record in the transaction log. An individual LSN record contains granular information on transactions, such as the Log Record Length, Previous LSN, Page ID, and Operation.
  • MinLSN—The oldest LSN required for a complete database recovery.
  • Truncation—The transaction log truncation process removes unnecessary VLFs to free space in the logical file. Depending on the SQL Server’s recovery model, truncation may occur after a checkpoint or backup.
The SQL Server transaction log with truncated and untruncated VLFs and the MinLSN visualized. The SQL Server transaction log with truncated and untruncated VLFs and the MinLSN visualized. ( Source ).

Now, back to that circular process. As transactions occur, they are recorded in the VLFs with a unique LSN. After backups or checkpoints, unneeded log files are truncated. The transaction log continues to append to the VLFs until it reaches the end of the logical log, then it repeats with the first VLF. If truncation occurs normally and the MinLSN remains untruncated, the transaction log can successfully support full database recoveries without the file growing too large or impacting performance.

SQL Server Transaction Log Location

By default, transaction logs are located in the same directory as the data files for a database (such as C:Program FilesMicrosoft SQL ServerMSSQL16.SQLEXPRESSMSSQLDATA on modern Windows operating systems) and use the .ldf (log database file) format and file extension. You can check the location of the transaction log with this command:

USE database_name;

GO

SELECT name, physical_name

FROM sys.database_files

WHERE type = 1;

GO

Check the location of the transaction log with this command

How To Read SQL Server Transaction Log Files

To read .ldf files, you can use third-party tools (sometimes called “SQL transaction readers” or similar) or the unofficial (but popular) fn_dblog command. For example, to read all the transaction log entries for database_name, you can use this command:

USE database_name;

GO

SELECT * FROM sys.fn_dblog(NULL, NULL);

GO

To read all the transaction log entries for database_name, you can use this command

SQL Server Error Log

The SQL Server error log is simpler than the transaction log. As an administrator, you’ll more likely need to read and analyze the error log than the transaction log for troubleshooting. If the system isn’t working properly and you’re looking for clues, this log is a good place to start.

SQL Server Error Log Location

By default, the SQL Server error log is located at %ProgramFiles%Microsoft SQL ServerSQL_versionMSSQLLog.

SQL Server Error Log Location

A new plaintext ERRORLOG file is created when the SQL Server service starts. Older logs have a number appended to them, and a higher number implies an older log (for example, ERRORLOG.2 is older than ERRORLOG.1).

How To Read the SQL Server Error Log

Because the SQL Server error log is a plaintext file, you can read it with a text editor like Notepad or Notepad++.

Reading SQL Server error log with a text editor

You can also use SSMS to view the log to better visualize and filter the data. To use SSMS to view the error log, follow these steps:

1. Launch Object Explorer with the F8 key or click ViewObject Explorer.

Finding Object Explorer under View tab or clicking F8 key

2. Expand the Management folder.

3. Expand the SQL Server Logs folder.

4. Double-click the desired log. The current log includes the word “Current” at the beginning of the name by default.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

5. Now you can view, filter, and export the log data.

The fields in the error log are:

  • Date—A date and timestamp for the log record
  • Source—The source of a log message. This is often a specific SPID or the server itself.
  • Message—The log message content.
  • Type—The type of log. For basic configurations, this will usually be SQL Server.
  • Log Source—Which log file contains the record. This field is useful if you view multiple logs at once in SSMS.

Tips for Managing SQL Server Log Size

Both performance and logs are important aspects of maintaining a SQL Server. Unfortunately, logs can impede server performance at times. Usually, when logs become a problem, it's because they’ve grown too large. However, if the transaction log is too small to keep up with database queries, this can be a problem, too.

Striking a balance between log storage and performance can help you get the most out of your SQL Server deployment.

Here are some tips for managing SQL Server log size to help you get it right:

Expert Tip

Note that manipulating transaction log file size is a complex topic. For a deeper dive into managing transaction log growth, see Microsoft’s Manage the size of the transaction log file article.

  • Don’t set the transaction log FILEGROWTH parameter above 1,024 MB. Beginning with SQL Server 2016, the default FILEGROWTHparameter for the transaction log is 64 MB. Microsoft recommends against changing the parameter above 1,024 MB. Additionally, starting in SQL Server 2022 (16.x) instant file initialization (IFI) can benefit transaction log autogrowth events of up to 64 MB.
  • Use the DBCC SHRINKFILE Transact-SQL (T-SQL) command to reduce VLF space. The DBCC SHRINKFILE command's TRUNCATEONLY parameter can remove inactive VLFs to free up space on your system.
  • Set reasonable max error log sizes. A cap on the size and quantity of SQL Server error logs can help you save space on your system. To set a max file size and number of error logs in SCCM, follow these steps:

1. Launch Object Explorer with the F8 key or click ViewObject Explorer.

Finding Object Explorer under View tab or clicking F8 key

2. Expand the Management folder.

3. Right-click the SQL Server Logs folder and click Configure.

Configure option in SQL Server Logs Folder

4. Input values for the maximum number of error log files and the maximum size of an error log file (in KB), then click OK.

How to Configure SQL Server Error Log

5. The changes will take effect the next time your SQL Server instance restarts.

IIS Server Logs

In the *nix world, nginx and Apache are two of the most popular web server applications. In Windows environments, IIS is often the go-to web server application. IIS records logs that are comparable to nginx and Apache’s error and access logs. In this section, we’ll look at important IIS logs and how you can modify them.

We’ll use the IIS Manager in some of our examples below. We recommend installing it if you want to follow along.

Where To Find IIS Server Logs

Nginx and Apache logs are generally in subdirectories of /var/log/ by default. For IIS, the default location is %SystemDrive%inetpublogsLogFiles. For most systems, that means the files will be in subdirectories at C:inetpublogsLogFiles, and each of your sites will have a folder in that subdirectory.

IIS server logs location

How To Read IIS Server Logs

IIS log files are plaintext files that you can read with a text editor like Notepad or Notepad++.

Reading IIS server logs with plain text editors

The default fields in an IIS server log are described in the table below.

IIS Server Log Fields

FieldDescriptionExample Value
dateThe date the log record was created. 2023-11-11
timeThe time the log record was created in HH:MM:SS format.11:11:59
s-ipThe “server IP” where the log record was created. 198.51.100.11
cs-methodThe type of request (for example, the associated HTTP verb). GET
cs-uri-stemThe URI the client requested./recipes/breakfast/pepperandegg.html
cs-uri-queryThe query associated with the request (only relevant for dynamic pages).param1=egg&param2=giardiniera
s-portThe server port that the request was made on. 80
cs-usernameUsername associated with an authenticated request or a - character if the request is unauthenticated.webuser123
c-ipThe “client IP” of the client making the request. 192.0.2.11
cs(User-Agent)The client’s user agent. Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/108.0.0.0+Safari/537.36+Edg/108.0.1462.54
cs(Referer)The site that referred the user or a - if no relevant data available. http://www.example.com/bestbreakfast.html
sc-statusThe HTTP status code associated with the request.200
sc-substatusThe <a href="https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-administration-management/http-status-code#http-substatus-codes-added-in-iis-80">substatus code</a> associated with the request.0
sc-win32-statusThe <a href="https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes">Windows status code</a> associated with the request.0
time-takenHow long the request took in milliseconds. 210

How To Change IIS Log File Settings

The default fields in the IIS logs are not your only options. You can customize IIS logs to meet specific requirements. You can use the IIS manager to modify IIS log settings by following these steps:

1. Launch IIS Manager.

2. Select Sites → <Your Website>.

Selecting your site on iis manager

3. Double-click the Logging icon.

Logging icon on iis manager

4. Make and apply your changes.

Applying Logging changes on iis manager

We’ll review the different modifications you can make in the sections below.

IIS Log File Settings

IIS log file settings
  • FormatW3C logging is the default formatting. You can modify the fields in the W3C format using the Select Fields button. You can change the format to IIS or NCSA, both of which are fixed formats (which means you cannot modify fields). If W3C, IIS, or NCSA formats don’t meet your needs, consider Custom Logging for older IIS versions or Enhanced Logging for newer IIS versions.
  • Directory—The directory to store your IIS log files. In addition to specifying a local directory, you can send the logs to a remote server using UNC paths (for example, \RemoteServerLogDir).
  • Encoding—The encoding used for IIS log files.

IIS Log Event Destination

log event destination

In addition to the IIS log file, newer versions of IIS support Event Tracing for Windows (ETW). This section allows you to configure IIS to write to its log files only, ETW only, or both.

IIS Log File Rollover

log file rollover

The IIS Log File Rollover settings define how IIS handles log rollover. You can schedule the log files to roll over at a given time interval (Hourly, Daily, Weekly, and Monthly), based on file size, or not create new log files at all. If you want to optimize IIS log file storage, check out Microsoft’s Managing IIS Log File Storage article, which includes scripts for deleting old logs and covers enabling folder compression.

Log your data with CrowdStrike Falcon Next-Gen SIEM

Elevate your cybersecurity with the CrowdStrike Falcon® platform, the premier AI-native platform for SIEM and log management. Experience security logging at a petabyte scale, choosing between cloud-native or self-hosted deployment options. Log your data with a powerful, index-free architecture, without bottlenecks, allowing threat hunting with over 1 PB of data ingestion per day. Ensure real-time search capabilities to outpace adversaries, achieving sub-second latency for complex queries. Benefit from 360-degree visibility, consolidating data to break down silos and enabling security, IT, and DevOps teams to hunt threats, monitor performance, and ensure compliance seamlessly across 3 billion events in less than 1 second.

Schedule Falcon Next-Gen SIEM Demo

Arfan Sharif is a product marketing lead for the Observability portfolio at CrowdStrike. He has over 15 years experience driving Log Management, ITOps, Observability, Security and CX solutions for companies such as Splunk, Genesys and Quest Software. Arfan graduated in Computer Science at Bucks and Chilterns University and has a career spanning across Product Marketing and Sales Engineering.