Microsoft-Windows-IIS-Logging

2 events across 2 channels

Event ID 6200: date date time time s-sitename ssitename s-computername scomputername s-ip sip cs-method csmethod cs-uri-stem csuristem cs-uri-query csuriquery s-port sport cs-username csusername c-ip cip cs-versi...

Provider
Microsoft-Windows-IIS-Logging
Channel
Logs

Description

date date time time s-sitename ssitename s-computername scomputername s-ip sip cs-method csmethod cs-uri-stem csuristem cs-uri-query csuriquery s-port sport cs-username csusername c-ip cip cs-version csversion cs(User-Agent) csUserAgent cs(Cookie) csCookie cs(Referer) csReferer cs-host cshost sc-status scstatus sc-substatus scsubstatus sc-win32-status scwin32status sc-bytes scbytes cs-bytes csbytes time-taken timetaken CustomFields

Message

date %2 time %3 s-sitename %6 s-computername %7 s-ip %8 cs-method %9 cs-uri-stem %10 cs-uri-query %11 s-port %17 cs-username %5 c-ip %4 cs-version %21 cs(User-Agent) %18 cs(Cookie) %19 cs(Referer) %20 cs-host %22 sc-status %12 sc-substatus %23 sc-win32-status %13 sc-bytes %14 cs-bytes %15 time-taken %16 %24

Fields

Name Type
EnabledFieldsFlags UInt32
date UnicodeString
time UnicodeString
cip UnicodeString
csusername UnicodeString
ssitename UnicodeString
scomputername UnicodeString
sip UnicodeString
csmethod AnsiString
csuristem UnicodeString
csuriquery AnsiString
scstatus UInt16
scwin32status UInt32
scbytes UInt64
csbytes UInt64
timetaken UInt64
sport UInt16
csUserAgent AnsiString
csCookie AnsiString
csReferer AnsiString
csversion UnicodeString
cshost AnsiString
scsubstatus UInt16
CustomFields UnicodeString

Event ID 6200: date date time time s-sitename s-sitename s-computername s-computername s-ip s-ip cs-method cs-method cs-uri-stem cs-uri-stem cs-uri-query cs-uri-query s-port s-port cs-username cs-username c-ip c-...

Provider
Microsoft-Windows-IIS-Logging
Channel
Operational
Level
4

Fields

Name Type
EnabledFieldsFlags UInt32
date UnicodeString
time UnicodeString
c-ip
cs-username
s-sitename
s-computername
s-ip
cs-method
cs-uri-stem
cs-uri-query
sc-status
sc-win32-status
sc-bytes
cs-bytes
time-taken
s-port
csUser-Agent
csCookie AnsiString
csReferer AnsiString
cs-version
cs-host
sc-substatus
CustomFields UnicodeString
cip UnicodeString
csusername UnicodeString
ssitename UnicodeString
scomputername UnicodeString
sip UnicodeString
csmethod AnsiString
csuristem UnicodeString
csuriquery AnsiString
scstatus UInt16
scwin32status UInt32
scbytes UInt64
csbytes UInt64
timetaken UInt64
sport UInt16
csUserAgent AnsiString
csversion UnicodeString
cshost AnsiString
scsubstatus UInt16

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Logging",
    "guid": "{7E8AD27F-B271-4EA2-A783-A47BDE29143B}",
    "event_source_name": "",
    "event_id": 6200,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-30T01:44:48.8920827+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 12776,
      "thread_id": 10320
    },
    "channel": "Microsoft-IIS-Logging/Logs",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnabledFieldsFlags": "2490367",
    "date": "2026-05-30",
    "time": "01:44:45",
    "c-ip": "::1",
    "cs-username": "-",
    "s-sitename": "W3SVC2",
    "s-computername": "JD-DC01-2022",
    "s-ip": "::1",
    "cs-method": "GET",
    "cs-uri-stem": "/index.html",
    "cs-uri-query": "-",
    "sc-status": "200",
    "sc-win32-status": "0",
    "sc-bytes": "285",
    "cs-bytes": "145",
    "time-taken": "10",
    "s-port": "8090",
    "csUser-Agent": "Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.20348.4294",
    "csCookie": "-",
    "csReferer": "-",
    "cs-version": "-",
    "cs-host": "-",
    "sc-substatus": "0",
    "CustomFields": ""
  },
  "message": "date 2026-05-30 time 01:44:45 s-sitename W3SVC2 s-computername JD-DC01-2022 s-ip ::1 cs-method GET cs-uri-stem /index.html cs-uri-query - s-port 8090 cs-username - c-ip ::1 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.20348.4294 cs(Cookie) - cs(Referer) - cs-host - sc-status 200 sc-substatus 0 sc-win32-status 0 sc-bytes 285 cs-bytes 145 time-taken 10 "
}
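Working with these records, as an added example (not code from this page, from Microsoft or from IIS): the script below takes event_data objects shaped like the example above, types the values, and runs a small hunting rule over them. Two points it makes explicit. First, spaces inside cs(User-Agent) arrive as "+" (visible in the example's WindowsPowerShell user agent) and have to be mapped back. Second, a "-" can mean either "the client sent nothing" or "this field is switched off in the site's log configuration"; the script assumes EnabledFieldsFlags is IIS's logExtFileFlags bitmask with bit i selecting the i-th field of the manifest's field list (date = bit 0 ... sc-substatus = bit 21). That bit order is an assumption, not something the page states, but it matches the example: 2490367 has bits 17, 19 and 20 clear, and exactly csCookie, cs-version and cs-host are logged as "-". PAGE_EVENT is the page's own record; CONSTRUCTED_EVENTS, the 203.0.113.x addresses, /uploads/shell.aspx and the functions normalise, disabled_fields, looks_like_webshell_use and hunt are all constructed for this example.

```python
"""Normalise Microsoft-Windows-IIS-Logging event 6200 records and hunt over them.

Added example; not code from the page, from Microsoft or from IIS. Assumptions:
  * Records look like the page's example event_data: hyphenated W3C field names,
    string values, "-" for an absent value.
  * EnabledFieldsFlags is IIS's logExtFileFlags bitmask and bit i selects the
    i-th field of the manifest field list (date = bit 0, ..., sc-substatus = bit
    21). Assumed, not stated on the page; consistent with the example, where bits
    17/19/20 (csCookie, cs-version, cs-host) are clear and those are logged "-".
  * Spaces inside cs(User-Agent) arrive as "+", as in the example event.
"""

# Manifest field order (after EnabledFieldsFlags) == assumed bit order.
FIELD_ORDER = [
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "s-port",
    "csUser-Agent", "csCookie", "csReferer", "cs-version", "cs-host",
    "sc-substatus",
]
INT_FIELDS = {"sc-status", "sc-win32-status", "sc-bytes", "cs-bytes",
              "time-taken", "s-port", "sc-substatus"}

# The page's example event_data, copied as-is (one real record).
PAGE_EVENT = {
    "EnabledFieldsFlags": "2490367", "date": "2026-05-30", "time": "01:44:45",
    "c-ip": "::1", "cs-username": "-", "s-sitename": "W3SVC2",
    "s-computername": "JD-DC01-2022", "s-ip": "::1", "cs-method": "GET",
    "cs-uri-stem": "/index.html", "cs-uri-query": "-", "sc-status": "200",
    "sc-win32-status": "0", "sc-bytes": "285", "cs-bytes": "145",
    "time-taken": "10", "s-port": "8090",
    "csUser-Agent": "Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)"
                    "+WindowsPowerShell/5.1.20348.4294",
    "csCookie": "-", "csReferer": "-", "cs-version": "-", "cs-host": "-",
    "sc-substatus": "0", "CustomFields": "",
}

# Constructed records (not from the page), derived from PAGE_EVENT.
CONSTRUCTED_EVENTS = [
    PAGE_EVENT,
    {**PAGE_EVENT, "c-ip": "203.0.113.7", "cs-method": "POST",
     "cs-uri-stem": "/uploads/shell.aspx", "cs-uri-query": "cmd=whoami",
     "csUser-Agent": "python-requests/2.31.0", "sc-bytes": "912",
     "cs-bytes": "388", "time-taken": "142"},
    {**PAGE_EVENT, "c-ip": "203.0.113.9", "cs-uri-stem": "/.env",
     "sc-status": "404", "csUser-Agent": "curl/8.4.0"},
]


def disabled_fields(flags: int) -> list[str]:
    """Fields whose bit is clear, i.e. switched off in the site's log config."""
    return [n for i, n in enumerate(FIELD_ORDER) if not (flags >> i) & 1]


def normalise(event_data: dict) -> dict:
    """Type one record's values and separate 'not logged' from 'empty'.

    '-' (or '') becomes None, integer fields become int, '+' in the User-Agent
    becomes a space (lossy if the client's UA itself contained '+'). Fields that
    are disabled in the configuration are None and listed in disabled_fields, so
    a '-' in cs-host is not read as 'the client sent no Host header'.
    """
    flags = int(event_data.get("EnabledFieldsFlags", "0"))
    off = set(disabled_fields(flags))
    rec: dict = {"disabled_fields": sorted(off),
                 "CustomFields": event_data.get("CustomFields", "")}
    for name in FIELD_ORDER:
        raw = event_data.get(name, "-")
        if name in off or raw in ("-", ""):
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(raw)
        elif name == "csUser-Agent":
            rec[name] = raw.replace("+", " ")
        else:
            rec[name] = raw
    return rec


SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".cshtml")


def looks_like_webshell_use(rec: dict) -> bool:
    """Illustrative hunting rule: a write method that succeeded (HTTP 200) against
    a server-side script path with no Referer and no authenticated user. Tune
    the extension list and allow-list known upload endpoints before using it."""
    return (rec["cs-method"] in ("POST", "PUT")
            and rec["sc-status"] == 200
            and (rec["cs-uri-stem"] or "").lower().endswith(SCRIPT_EXT)
            and rec["csReferer"] is None
            and rec["cs-username"] is None)


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (c-ip, cs-uri-stem) for every record the rule fires on."""
    hits = []
    for ev in events:
        rec = normalise(ev)
        if looks_like_webshell_use(rec):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    first = normalise(PAGE_EVENT)
    print("disabled in log config:", first["disabled_fields"])
    print("user agent:", first["csUser-Agent"])
    print("hits:", hunt(CONSTRUCTED_EVENTS))
```

The reason disabled_fields is surfaced rather than folded into None: a rule that keys on csReferer or cs-host degrades silently on a host where that field is not logged (the condition is always satisfied or never satisfied), so a collector should record which fields a site actually emits before trusting rules built on them. On the page's example host, Cookie, cs-version and cs-host would be unavailable for any detection.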

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 7e8ad27f-b271-4ea2-a783-a47bde29143b

Defined in iisres.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
