Hi @Zeel Jain,
There is no such thing. If you are trying to monitor activities of your IIS server, then unfortunately you need to read the separate log files. This applies to many Microsoft or third-party products, as no one should flood the event log with application-specific log entries.
I'm sure you've seen a similar solution below, using LogParser to convert logs to evtx format, which only works theoretically; after investigation, LogParser 2.2 supports reading evtx files but not exporting them.
So you should ignore this method.
Log Parser works with queries; this is an example query to transform them to evtx.
SELECT *
FROM 'C:\Path\To\Your\FTP\Log\Files\u_ex*.log'
WHERE (Fields(1) LIKE 'FTP')
INTO 'C:\Path\To\Your\Output\Folder\output.evtx'
USING SELECT *
Correct Workaround
# IIS FTP log to read, and the event source the entries are written under
$logFilePath = "C:\inetpub\logs\LogFiles\FTPSVC7\u_ex250320.log"
$sourceName = "IIS-FTP"

# Register the event source once (requires an elevated session)
if (-not [System.Diagnostics.EventLog]::SourceExists($sourceName)) {
    [System.Diagnostics.EventLog]::CreateEventSource($sourceName, "Application")
}

$logLines = Get-Content -Path $logFilePath

# Column names, in the order given by the log's #Fields: directive
$fieldNames = @(
    'date', 'time', 'c_ip', 'cs_username', 's_ip', 's_port',
    'cs_method', 'cs_uri_stem', 'sc_status', 'sc_win32_status',
    'sc_substatus', 'x_session', 'x_fullpath'
)

foreach ($line in $logLines) {
    Write-Output "Processing line: $line"

    # Directive lines (#Software, #Version, #Date, #Fields) carry no log entry
    if ($line -match "^#") {
        Write-Output "Skipping comment line"
        continue
    }

    # Expect 13 whitespace-separated columns; the last one takes the rest of the line
    if ($line -notmatch '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$') {
        Write-Output "Skipping invalid line format"
        continue
    }

    # Map each capture group to its field name
    $logEntry = @{}
    for ($i = 0; $i -lt $fieldNames.Count; $i++) {
        $logEntry[$fieldNames[$i]] = $matches[$i + 1]
    }

    # Build a single "field : value | field : value" message
    $eventMessage = @()
    foreach ($field in $fieldNames) {
        $eventMessage += "$field : $($logEntry[$field])"
    }
    $eventMessage = $eventMessage -join " | "

    # Only FTP status 530 (login failed) is written to the Application log
    if ($logEntry['sc_status'] -eq "530") {
        $eventId = 13
        try {
            Write-EventLog -LogName "Application" -Source $sourceName -EntryType Information -EventId $eventId -Message $eventMessage
            Write-Output "Event logged with ID: $eventId"
        } catch {
            Write-Output "Failed to write event log: $_"
        }
    } else {
        Write-Output "Skipping line with status: $($logEntry['sc_status'])"
    }
}
Output
Processing line: #Software: Microsoft Internet Information Services 10.0
Skipping comment line
Processing line: #Version: 1.0
Skipping comment line
Processing line: #Date: 2025-03-20 07:40:21
Skipping comment line
Processing line: #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
Skipping comment line
Processing line: 2025-03-20 07:40:21 ::1 - ::1 21 ControlChannelOpened - - 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
Skipping line with status: -
Processing line: 2025-03-20 07:40:21 ::1 - ::1 21 OPTS UTF8+ON 200 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
Skipping line with status: 200
Processing line: 2025-03-20 07:40:27 ::1 - ::1 21 USER Jason 331 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
Skipping line with status: 331
Processing line: 2025-03-20 07:40:29 ::1 - ::1 21 PASS *** 530 1326 41 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
Event logged with ID: 13
Processing line: 2025-03-20 07:41:29 ::1 - ::1 21 QUIT - 221 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
Skipping line with status: 221
Processing line: 2025-03-20 07:41:29 ::1 - ::1 21 ControlChannelClosed - - 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
Skipping line with status: -
Processing line: 2025-03-20 07:41:41 ::1 - ::1 21 ControlChannelOpened - - 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
Skipping line with status: -
Processing line: 2025-03-20 07:41:41 ::1 - ::1 21 OPTS UTF8+ON 200 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
Skipping line with status: 200
Processing line: 2025-03-20 07:41:44 ::1 - ::1 21 USER Jason 331 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
Skipping line with status: 331
Processing line: 2025-03-20 07:41:57 ::1 - ::1 21 PASS *** 530 1326 41 2d379160-acc3-4f59-bc06-6bb262a77486 -
Event logged with ID: 13
Processing line: 2025-03-20 07:42:47 ::1 - ::1 21 QUIT - 221 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
Skipping line with status: 221
Processing line: 2025-03-20 07:42:47 ::1 - ::1 21 ControlChannelClosed - - 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
Skipping line with status: -
Processing line: 2025-03-20 07:42:50 ::1 - ::1 21 ControlChannelOpened - - 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
Skipping line with status: -
Processing line: 2025-03-20 07:42:50 ::1 - ::1 21 OPTS UTF8+ON 200 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
Skipping line with status: 200
Processing line: 2025-03-20 07:42:53 ::1 - ::1 21 USER - 501 87 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
Skipping line with status: 501
Processing line: 2025-03-20 07:43:01 ::1 - ::1 21 QUIT - 221 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
Skipping line with status: 221
Processing line: 2025-03-20 07:43:01 ::1 - ::1 21 ControlChannelClosed - - 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
Skipping line with status: -
Best regards,
Jason
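
Added example, not part of the answer above: in the sample output the `PASS` line that carries status 530 has `***` in `cs-uri-stem` and `-` in `cs-username`, so an event built from that line alone does not name the account that was tried. The sketch below reads the column order from the `#Fields:` directive and uses `x-session` to pair each failed `PASS` with the preceding `USER` command; the function name `Get-FtpFailedLogin` and the `$sample` variable are hypothetical, and the sample lines are copied from the output shown in the answer.

```powershell
# Added example; Get-FtpFailedLogin and $sample are hypothetical names.
function Get-FtpFailedLogin {
    param([string[]]$Line)

    $fields   = @()   # column order, taken from the #Fields: directive
    $lastUser = @{}   # x-session -> name sent in the most recent USER command

    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The header defines the layout, so the parser follows logging-field changes
            $fields = @(($l -replace '^#Fields:\s*', '') -split '\s+' | Where-Object { $_ })
            continue
        }
        if ($l -match '^#' -or [string]::IsNullOrWhiteSpace($l) -or $fields.Count -eq 0) { continue }

        # Split into at most N columns so a trailing path with spaces stays in the last one
        $values = $l -split '\s+', $fields.Count
        if ($values.Count -ne $fields.Count) { continue }

        $e = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $e[$fields[$i]] = $values[$i] }

        switch ($e['cs-method']) {
            'USER' { $lastUser[$e['x-session']] = $e['cs-uri-stem'] }
            'PASS' {
                if ($e['sc-status'] -eq '530') {
                    [pscustomobject]@{
                        Time        = "$($e['date']) $($e['time'])"
                        ClientIp    = $e['c-ip']
                        User        = $lastUser[$e['x-session']]
                        Win32Status = $e['sc-win32-status']   # 1326 = ERROR_LOGON_FAILURE
                        Session     = $e['x-session']
                    }
                }
            }
        }
    }
}

# Sample input: lines copied from the output shown in the answer above
$sample = @'
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2025-03-20 07:40:27 ::1 - ::1 21 USER Jason 331 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
2025-03-20 07:40:29 ::1 - ::1 21 PASS *** 530 1326 41 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
2025-03-20 07:42:53 ::1 - ::1 21 USER - 501 87 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
'@ -split '\r?\n'

Get-FtpFailedLogin -Line $sample | Format-Table -AutoSize
```

The objects it emits can be grouped by `ClientIp` or `User` for alerting, or passed to `Write-EventLog` in place of the raw line.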