Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland

IISParser – PowerShell Module

IISParser is a PowerShell module to read IIS logs. It's very fast and easy to use. This module is based on the IISLogParser library, which does all the heavy lifting. You can read a quick introduction to IISParser in the Reading IIS Logs with PowerShell blog post.

To install

Install-Module -Name IISParser -AllowClobber -Force

Force and AllowClobber aren't necessary, but they do skip errors in case some appear.

And to update

Update-Module -Name IISParser

That's it. Whenever there's a new version, you run the command, and you can enjoy it. Remember that you may need to close and reopen your PowerShell session if you have already used the module before updating it.

The essential thing is that if something works for you in production, keep using it until you have tested the new version on a test computer. I make changes that may not be big, but are big enough that an auto-update may break your code. For example, a small rename of a parameter, and your code stops working! Be responsible!

Using the IISParser module is very simple. Just import the module and read the file as required.

Import-Module IISParser

Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" | Select-Object -First 5 | Format-Table
Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" | Select-Object -Last 5 | Format-Table
Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" -First 5 -Last 5 -Skip 1 | Format-Table

Output of the above command will look like this:

DateTimeEvent       sSitename sComputername sIp csMethod     csUriStem                      csUriQuery                                                           sPort csUsername   cIp
-------------       --------- ------------- --- --------     ---------                      ----------                                                           ----- ----------   ---
07.05.2022 00:00:20                             GET          /api/v1.0/users/               $top=1&request_id=26cca5c9-37b6-4d0b-8ae1-31e5cb7ccc72                 444
07.05.2022 00:00:22                             RPC_IN_DATA  /rpc/rpcproxy.dll              Exch1.EVOTEC.XYZ:6001&RequestId=9e1ca7e6-278e-4b98-a9c0-be947b39a582    81
07.05.2022 00:00:22                             RPC_OUT_DATA /rpc/rpcproxy.dll              Exch1.EVOTEC.XYZ:6001&RequestId=3acb4929-df94-48c0-bbad-f5f2a39f0ac3    81
07.05.2022 00:00:26                             POST         /mapi/emsmdb/                                                                                         444 Anonymous
07.05.2022 00:00:27                             POST         /autodiscover/autodiscover.xml &reqId=e4639aef-215b-420f-8100-1e2f8eca8bcb                            444 EVOTEC\masul

Of course, there are more properties available:

Get-IISParsedLog -FilePath "C:\Support\GitHub\IISParser\Ignore\u_ex220507.log" -First 1 -Skip 1 | Format-List

Output of the above command will look like this:

DateTimeEvent : 07.05.2022 00:00:22
sSitename     :
sComputername :
sIp           :
csMethod      : RPC_IN_DATA
csUriStem     : /rpc/rpcproxy.dll
csUriQuery    : Exch1.EVOTEC.XYZ:6001&RequestId=9e1ca7e6-278e-4b98-a9c0-be947b39a582
sPort         : 81
csUsername    :
cIp           :
csVersion     :
csUserAgent   : MSRPC
csCookie      :
csReferer     :
csHost        :
scStatus      : 401
scSubstatus   : 1
scWin32Status : 2148074254
scBytes       :
csBytes       :
timeTaken     : 64
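
One way to triage the parsed records for repeated authentication failures (scStatus 401, as in the record above), added here as an example that is not part of the original page or of the IISParser module. The Get-IISAuthFailureSummary function, its Threshold parameter and the sample records are assumptions constructed for illustration; only the property names come from the output shown above.

```powershell
# Added example. Get-IISAuthFailureSummary and -Threshold are hypothetical names,
# not part of IISParser; only the record property names come from the output above.
function Get-IISAuthFailureSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Record,
        [int] $Threshold = 3   # assumed cut-off, tune for your environment
    )
    begin { $failures = [System.Collections.Generic.List[object]]::new() }
    process {
        # scStatus may be a number or a string; ignore blanks and compare as int
        if ("$($Record.scStatus)" -match '^\d+$' -and [int]$Record.scStatus -eq 401) {
            $failures.Add($Record)
        }
    }
    end {
        $failures | Group-Object cIp, csUriStem | Where-Object Count -ge $Threshold |
            ForEach-Object {
                $times = @($_.Group.DateTimeEvent | Sort-Object)
                [pscustomobject]@{
                    cIp         = $_.Group[0].cIp
                    csUriStem   = $_.Group[0].csUriStem
                    Failures    = $_.Count
                    FirstSeen   = $times[0]
                    LastSeen    = $times[-1]
                    # Win32 status in hex, the form used in Windows error references
                    Win32Status = @($_.Group.scWin32Status | Sort-Object -Unique |
                            ForEach-Object { '0x{0:X8}' -f [uint32]$_ }) -join ','
                }
            } | Sort-Object Failures -Descending
    }
}

# Constructed sample records (documentation IP ranges), so this runs without a log file.
# With the module loaded, pipe Get-IISParsedLog output into the function instead.
$start = [datetime]'2022-05-07T00:00:00'
$sample = 0..5 | ForEach-Object {
    [pscustomobject]@{
        DateTimeEvent = $start.AddSeconds(10 * $_)
        cIp           = if ($_ -lt 4) { '192.0.2.10' } else { '198.51.100.7' }
        csUriStem     = '/rpc/rpcproxy.dll'
        scStatus      = if ($_ -eq 5) { 200 } else { 401 }
        scWin32Status = if ($_ -eq 5) { 0 } else { 2148074254 }
    }
}
$sample | Get-IISAuthFailureSummary -Threshold 3 | Format-Table
```

A 401 is also the first leg of a normal NTLM or Negotiate handshake, so treat the counts as a starting point and compare them against successful requests from the same client.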