Skip to main content

Analyzing IIS Logs with Hadoop and Hive: From Ingestion to Partitioned Traffic Analysis

By Anonymous
Struggling with delivery, architecture alignment, or platform stability?

I help teams fix systemic engineering issues: processes, architecture, and clarity.
→ See how I work with teams.


This guide explains how to collect IIS W3C logs from Windows servers, ingest them into HDFS, define Hive tables for structured analysis, and run partitioned queries that calculate traffic per IP. The workflow reflects an early big-data pattern: mount, copy, structure, partition and analyze. The refreshed version clarifies each step and highlights how automated partition creation made near-real-time traffic analytics possible.

Apache-driven webfarms have always been easy to integrate into Hadoop and Hive, but many teams struggled with the same question: How do we collect and analyze IIS logs at scale? This walkthrough shows how IIS W3C logs can be exported, ingested into HDFS, structured in Hive, and processed into partitioned traffic tables for efficient reporting.

Configuring IIS for W3C Logging

Inside IIS Manager, under a website’s configuration, choose:
Logging → Format: W3C

From there you can configure:

  • Log output path
  • Fields to capture (IP, URI, user agent, status, etc.)
  • Log rotation and splitting (hourly rotation recommended)

After applying the configuration and restarting IIS, new logs will begin to appear in the chosen directory.

Mounting IIS Logs on a Linux/Hive Node

For small to medium environments, one simple method is to export the IIS log directory as a Windows share and mount it on the Hive or ingestion node: 

mount -t cifs //Windows-Server/share \
  -o user=name,password=passwd \
  /mountpoint

Copy the logs into HDFS for downstream analysis: 

hadoop dfs -copyFromLocal /mountpoint/filename <hdfs-dir>

For this example, assume the logs land in the directory iislog.

Defining Hive Tables for IIS Log Parsing

To analyze IIS logs, start by defining the raw table structure. The schema must match the W3C field layout.

Raw IIS Log Table

hive> CREATE TABLE iislog (
  sdate STRING,
  stime STRING,
  ssitename STRING,
  scomputername STRING,
  sip STRING,
  csmethod STRING,
  csuristem STRING,
  csuriquery STRING,
  sport INT,
  csusername STRING,
  cip STRING,
  csversion STRING,
  csuseragent STRING,
  csCookie STRING,
  csReferer STRING,
  scstatus INT,
  scsubstatus INT,
  scwin32status INT,
  scbyte INT,
  csbytes INT,
  timetaken INT
)
PARTITIONED BY (time STRING)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY '32'
STORED AS TEXTFILE;

Aggregated Traffic Table

hive> CREATE TABLE iptraffic (
  sdate STRING,
  cip STRING,
  traffic INT,
  hits INT,
  appid STRING,
  scsuseragent STRING
)
PARTITIONED BY (time STRING)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY '124'
STORED AS TEXTFILE;

This table will store summarized traffic per IP, per minute, with user agent and application metadata.

Automating Partition Creation and ETL

To perform rolling analysis, the workflow creates a Hive partition for the previous two minutes of logs, then runs an INSERT OVERWRITE statement into iptraffic.

Below is an example automation script: 

#!/bin/bash

TABLE=IPTRAFFIC
DATEPAR=`date -d '-2 Min' +"%Y%m%d%H%M"`
DATEPATH=`date -d '-2 Min' +"%Y-%m-%d/%H00/%M"`
SDATE=`date -d '-2 Min' +"%Y-%m-%d"`
STIME=`date -d '-2 Min' +"%H:%M"`

# Create the partition
hive -e "ALTER TABLE iptraffic ADD IF NOT EXISTS PARTITION (time='$DATEPAR')"
if [ $? -ne 0 ]; then
  echo "Couldn't create partition"
  exit 1
else
  echo "==> PARTITION (time='$DATEPAR') created"
fi

# Insert summarized traffic
hive -e "INSERT OVERWRITE TABLE iptraffic PARTITION (time=$DATEPAR)
  SELECT concat('$SDATE ','$STIME:00'),
         cip,
         sum(csbytes)/1024 as counter,
         count(1) as hits,
         ssitename,
         csuseragent
  FROM iislog
  WHERE iislog.time=$DATEPAR
    AND NOT(iislog.cip LIKE '192\\.%')
  GROUP BY cip,
           concat('$SDATE ','$STIME:00'),
           csuseragent,
           ssitename"

if [ $? -ne 0 ]; then
  echo '==> An error occurred in analysis'
  exit 1
else
  echo '==> Insert analysis successful'
fi

The script performs three core tasks:

  • Calculate timestamps for the relevant partition
  • Create the Hive partition if missing
  • Aggregate traffic and write the result into the warehouse directory

Inspecting Raw and Processed Data

View a sample from the raw IIS log table:

hive> SELECT * FROM iislog LIMIT 10;

Example output snippet:

20110928130000 2011-09-28 10:59:06 W3SVC2 IISTEST xxx.xxx.xxx.xxx GET /images/bluebox.gif - 80 - \
xxx.xxx.xxx.xxx HTTP/1.1 Mozilla/5.0 ... 6313985 NULL 200 0 0 551 1689 201109281300

Now check the aggregated traffic partition:

hadoop dfs -cat /user/hive/warehouse/iptraffic/time=201110071059/* | less

Example output:

2011-10-07 10:59:00|xxx.xxx.xxx.xxx|18|2|W3SVC5|Mozilla/5.0 (MSIE 9.0 ...)
2011-10-07 10:59:00|xxx.xxx.xxx.xxx|1|2|W3SVC7|Mozilla/5.0 (Chrome/14 ...)

The dataset is now structured, partitioned and ready for dashboarding, reporting or downstream machine learning workloads.

Why This Pattern Still Matters

Although modern data pipelines often use tools like Fluent Bit, Kafka, Spark, Iceberg and cloud-native ingestion services, the principles illustrated here remain foundational:

  • Normalize logs into structured tables
  • Use time-based partitioning for fast filtering
  • Apply lightweight automation to maintain rolling windows of data

This workflow helped many teams operationalize IIS analytics long before contemporary lakehouse tooling existed.

Related guides:

If you need help with distributed systems, backend engineering, or data platforms, check my Services.

Labels:

Most read articles

Why Is Customer Obsession Disappearing?

By
Many companies trade real customer-obsession for automated, low-empathy support. Through examples from Coinbase, PayPal, GO Telecommunications and AT&T, this article shows how reliance on AI chatbots, outsourced call centers, and KPI-driven workflows erodes trust, NPS and customer retention. It argues that human-centric support—treating support as strategic investment instead of cost—is still a core growth engine in competitive markets. It's wild that even with all the cool tech we've got these days, like AI solving complex equations and doing business across time zones in a flash, so many companies are still struggling with the basics: taking care of their customers. The drama around Coinbase's customer support is a prime example of even tech giants messing up. And it's not just Coinbase — it's a big-picture issue for the whole industry. At some point, the idea of "customer obsession" got replaced with "customer automation," and no...
Read more

How to scale MySQL perfectly

By
When MySQL reaches its limits, scaling cannot rely on hardware alone. This article explains how strategic techniques such as caching, sharding and operational optimisation can drastically reduce load and improve application responsiveness. It outlines how in-memory systems like Redis or Memcached offload repeated reads, how horizontal sharding mechanisms distribute data for massive scale, and how tools such as Vitess, ProxySQL and HAProxy support routing, failover and cluster management. The summary also highlights essential practices including query tuning, indexing, replication and connection management. Together these approaches form a modern DevOps strategy that transforms MySQL from a single bottleneck into a resilient, scalable data layer able to grow with your application. When your MySQL database reaches its performance limits, vertical scaling through hardware upgrades provides a temporary solution. Long-term growth, though, requires a more comprehensive approach. This invo...
Read more

What the Heck is Superposition and Entanglement?

By
This post is about superposition and interference in simple, intuitive terms. It describes how quantum states combine, how probability amplitudes add, and why interference patterns appear in systems such as electrons, photons and waves. The goal is to give a clear, non mathematical understanding of how quantum behavior emerges from the rules of wave functions and measurement. If you’ve ever heard the words superposition or entanglement thrown around in conversations about quantum physics, you may have nodded politely while your brain quietly filed them away in the "too confusing to deal with" folder.  These aren't just theoretical quirks; they're the foundation of mind-bending tech like Google's latest quantum chip, the Willow with its 105 qubits. Superposition challenges our understanding of reality, suggesting that particles don't have definite states until observed. This principle is crucial in quantum technologies, enabling phenomena like quantum comp...
Read more