Currently there are agents (like Epilog) that can watch the IIS Access logs and send the entries to a syslog server for centralized storage and analysis.
However, the output generated by the Failed Requests Tracing feature (https://docs.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis) is totally different from a regular log file, and the log agents are not able to collect it and transform it into useful log entries.
The IISTracing-2-Syslog agent does exactly that: it monitors the Failed Requests Tracing directory and sends the failure information to a syslog server in RFC 5424 format.
What it does
The failed requests are logged by IIS as XML files, one file per request/failure, in a configured directory. While the IISTracing2Syslog service is running it keeps a Directory Watcher active on that directory.
When a new failed request log is generated the watcher is notified; the service reads that file, takes the most relevant information from it and sends the message to a remote syslog server.
Example of a resulting message (what the syslog server will receive):
{"traceFile":"fr000224.xml","url":"http://myserver.example.com/myapp/api/products/1000","siteId":"1","verb":"GET","userName":"","failureReason":"STATUS_CODE","statusCode":"500","triggerStatusCode":"500"}
Installing/Uninstalling
Currently binary builds are not available, so you will need to build the project using Visual Studio.
Just copy the resulting executable iisTracing2syslog.exe to a directory where it will live (this is not an extractor/installer). Then register the service with:
[path to the program]\iisTracing2syslog.exe --install
To remove, just run
[path to the program]\iisTracing2syslog.exe --install
then delete the .exe.
Configuration
The program does not have a configuration GUI. Parameters must be set directly in the Registry, using regedit for example.
These are the available options:
HKEY_LOCAL_MACHINE\SOFTWARE\Intelie\IISTracing2Syslog\Log\Path
- The directory to be monitored. Check your IIS configuration; by default it is C:\inetpub\logs\FailedReqLogFiles\W3SVC1
HKEY_LOCAL_MACHINE\SOFTWARE\Intelie\IISTracing2Syslog\Network\Destination
- Hostname or IP of the remote syslog server
HKEY_LOCAL_MACHINE\SOFTWARE\Intelie\IISTracing2Syslog\Network\DestPort
- Port of the remote syslog server, by default 514