Write to Windows Event Log when an IIS site is started or stopped

iis iis-7.5 windows-event-log
13,034

Solution 1

A couple of things. When I enable the Microsoft-Windows-IIS-Configuration/Operational event log, I do get events when the site is started or stopped. I get "Verbose" event 29 with this content:

Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/@state' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.

This is on Server 2008 R2. Now this doesn't tell you whether the site is started or stopped, but merely indicates that it changed status. Could be helpful if you monitor that log.

A long while back I wrote this: http://www.eventsentry.com/blog/2010/02/how-to-really-monitor-smtp-pop.html. It was a VBScript which would enumerate the virtual directories in IIS and tell you when one of them was stopped. This works on 2003, but unfortunately not on 2008. May be a starting point, I'll revisit this at some point so we can update the script.

Not the answer, but may get you closer to what you are trying to achieve. You'll most definitely will need some script (which is maybe trigger by the above event) which will enumerate the sites and their status.

Solution 2

Take a look in the XML View of the event log ID 29. There you can see OldValue and NewValue change from one state to another

OldValue>Starting NewValue>Stopped

\?\C:\Windows\system32\inetsrv\config\applicationHost.config MACHINE/WEBROOT/APPHOST /system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/@state 1 Starting Stopped

Solution 3

What you're looking to do is not natively built in to Windows/IIS.

The only thing that I can think that would come close is to look for when the log headers get re-written. Log headers get re-written with starts and stops therefore you could get a pretty good idea of when, but no idea of who.

So, again, I'm sorry to say, no.

Share:
13,034

Related videos on Youtube

LWixson
Author by

LWixson

Updated on September 18, 2022

Comments

  • LWixson
    LWixson almost 2 years

    Can I configure IIS 7.5 to write to the Windows Event Log whenever one of the sites on the web server is started or stopped? For example when someone starts/stops a site via the IIS Manager user interface.

    I know I can configure the Application_On{Start,End} for each of the web sites to write a custom message to the Windows Event Log, but I'm just wondering whether there's something built-in already. I also know about activating the logging of App Pool recycling, but that's not the same thing as starting/stopping a site, especially if more than one site is sharing the same App Pool.

    In particular it would be very helpful if it listed the name of the user who started/stopped the site.

    One thing I already tried was enabling logging to the IIS-Configuration>{Administrative, Operational} event logs, but unfortunately nothing appears there when starts / stops take place.

  • LWixson
    LWixson about 10 years
    I am running Server 2008 R2 like you. You are right. I'm not sure why I didn't see the events in the Operational event log before, but I do see them now. As you say, it doesn't show me whether it's a start or a stop, but it at least tells me the status changed, which is a good start.
  • Lucky Luke
    Lucky Luke about 10 years
    I'll see if I can adapt the script to monitor sites on 2008 as well. Also, please don't forget to upvote useful answers.
  • felickz
    felickz over 8 years
    See @Fredrik's answer... can confirm on 2012 R2 this is the case.. Take a look in the XML View of the event log ID 29. There you can see OldValue and NewValue change from one state to another
  • Lucky Luke
    Lucky Luke over 8 years
    After Frederik's answer I looked into this a bit more, and you can actually get real-time notifications when the site is stopped (or started) with EventSentry (Light). All you have to do is evaluate insertion string #7 (which contains the new status of the site as shown in the XML view - the <Data> tags are in order and start with #1), and match for one of the known strings (e.g. "Started", "Stopped"). Simply add those to an event log filter which looks for event #29. So, even though those insertion strings aren't shown, they are actually available for rule evaluation.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Configuring IIS 7.5 to enable server side includes (SSI) for the '.html' extension
Precompilation related error from an ASP.NET website that is NOT precomplied
Tracking Website's Page Visitors and Statistic at IIS level
Is it possible for windows authentication to not prompt the user for credentials?
How to disable server-side caching on IIS 7.5 (asp net mvc3)
ISAPI Settings not visible in IIS7
How do I change where a web.config for a virtual directory in IIS is generated?
What IIS version does Windows Server 2008 Web Edition come with
Duplicate 'system.web.extensions/scripting/scriptResourceHandler'
Simple IIS URL Rewrite