Can't see IIS-FTP logs in event viewer

Zeel Jain 0 Reputation points
2025-03-20T05:25:56.79+00:00

Can't see IIS-FTP logs in event viewer:

Note: Tested on Windows Server 2012, 2019, and 2022.

I heard that we can find the log coming from the IIS-FTP source with event ID 13 in the Event Viewer. This event ID indicates a failed logon attempt to an FTP server (running with IIS 10, and logging is enabled). I also verified that IIS-FTP is installed (FTP Extensibility, FTP Server, FTP Service). I'm able to see the IIS-Configuration, IIS and IIS-logging folders under Application and service logs -> Microsoft -> Windows, but I'm not able to get the IIS-FTP one.

How can I get the logs for IIS-FTP in Event Viewer?

Windows development | Internet Information Services

2 answers

  1. Anonymous
    2025-03-20T07:15:31.0933333+00:00

    Hi @Zeel Jain,

    There is no such thing. If you are trying to monitor activities of your IIS server, then unfortunately you need to read the separate log files. This applies to many Microsoft or third-party products, as no one should flood the event log for application-specific log entries.

    I'm sure you've seen a similar solution below, using LogParser to convert logs to evtx format, which only works theoretically, but after investigation LogParser 2.2 supports reading evtx files and not exporting.

    So you should ignore this method.

    Log Parser works with queries; this is an example query to transform them to evtx.

    SELECT *
    FROM 'C:\Path\To\Your\FTP\Log\Files\u_ex*.log'
    WHERE (Fields(1) LIKE 'FTP')
    INTO 'C:\Path\To\Your\Output\Folder\output.evtx'
    USING SELECT *
    

    Correct Workaround

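    # Path to the FTP site's W3C log file; adjust the site folder and date
    $logFilePath = "C:\inetpub\logs\LogFiles\FTPSVC7\u_ex250320.log"
    $sourceName = "IIS-FTP"
    # Register the event source once (requires an elevated session)
    if (-not [System.Diagnostics.EventLog]::SourceExists($sourceName)) {
        [System.Diagnostics.EventLog]::CreateEventSource($sourceName, "Application")
    }
    $logLines = Get-Content -Path $logFilePath
    # Column names, in the order of the log's #Fields header
    $fieldNames = @(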
        'date', 'time', 'c_ip', 'cs_username', 's_ip', 's_port',
        'cs_method', 'cs_uri_stem', 'sc_status', 'sc_win32_status',
        'sc_substatus', 'x_session', 'x_fullpath'
    )
    foreach ($line in $logLines) {
        Write-Output "Processing line: $line"
        if ($line -match "^#") {
            Write-Output "Skipping comment line"
            continue
        }
        if ($line -notmatch '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$') {
            Write-Output "Skipping invalid line format"
            continue
        }
        $logEntry = @{}
        for ($i = 0; $i -lt $fieldNames.Count; $i++) {
            $logEntry[$fieldNames[$i]] = $matches[$i + 1] 
        }
        $eventMessage = @()
        foreach ($field in $fieldNames) {
            $eventMessage += "$field : $($logEntry[$field])"
        }
        $eventMessage = $eventMessage -join " | "
        if ($logEntry['sc_status'] -eq "530") {
            $eventId = 13  
            try {
                Write-EventLog -LogName "Application" -Source $sourceName -EntryType Information -EventId $eventId -Message $eventMessage
                Write-Output "Event logged with ID: $eventId"
            } catch {
                Write-Output "Failed to write event log: $_"
            }
        } else {
            Write-Output "Skipping line with status: $($logEntry['sc_status'])"
        }
    }
    

    output

    Processing line: #Software: Microsoft Internet Information Services 10.0
    Skipping comment line
    Processing line: #Version: 1.0
    Skipping comment line
    Processing line: #Date: 2025-03-20 07:40:21
    Skipping comment line
    Processing line: #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
    Skipping comment line
    Processing line: 2025-03-20 07:40:21 ::1 - ::1 21 ControlChannelOpened - - 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
    Skipping line with status: -
    Processing line: 2025-03-20 07:40:21 ::1 - ::1 21 OPTS UTF8+ON 200 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
    Skipping line with status: 200
    Processing line: 2025-03-20 07:40:27 ::1 - ::1 21 USER Jason 331 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
    Skipping line with status: 331
    Processing line: 2025-03-20 07:40:29 ::1 - ::1 21 PASS *** 530 1326 41 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
    Event logged with ID: 13
    Processing line: 2025-03-20 07:41:29 ::1 - ::1 21 QUIT - 221 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
    Skipping line with status: 221
    Processing line: 2025-03-20 07:41:29 ::1 - ::1 21 ControlChannelClosed - - 0 0 849d7cae-e557-4b67-80ea-1ebee9eb0e77 -
    Skipping line with status: -
    Processing line: 2025-03-20 07:41:41 ::1 - ::1 21 ControlChannelOpened - - 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
    Skipping line with status: -
    Processing line: 2025-03-20 07:41:41 ::1 - ::1 21 OPTS UTF8+ON 200 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
    Skipping line with status: 200
    Processing line: 2025-03-20 07:41:44 ::1 - ::1 21 USER Jason 331 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
    Skipping line with status: 331
    Processing line: 2025-03-20 07:41:57 ::1 - ::1 21 PASS *** 530 1326 41 2d379160-acc3-4f59-bc06-6bb262a77486 -
    Event logged with ID: 13
    Processing line: 2025-03-20 07:42:47 ::1 - ::1 21 QUIT - 221 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
    Skipping line with status: 221
    Processing line: 2025-03-20 07:42:47 ::1 - ::1 21 ControlChannelClosed - - 0 0 2d379160-acc3-4f59-bc06-6bb262a77486 -
    Skipping line with status: -
    Processing line: 2025-03-20 07:42:50 ::1 - ::1 21 ControlChannelOpened - - 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
    Skipping line with status: -
    Processing line: 2025-03-20 07:42:50 ::1 - ::1 21 OPTS UTF8+ON 200 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
    Skipping line with status: 200
    Processing line: 2025-03-20 07:42:53 ::1 - ::1 21 USER - 501 87 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
    Skipping line with status: 501
    Processing line: 2025-03-20 07:43:01 ::1 - ::1 21 QUIT - 221 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
    Skipping line with status: 221
    Processing line: 2025-03-20 07:43:01 ::1 - ::1 21 ControlChannelClosed - - 0 0 fe236ae1-4bca-4029-8a0c-3ee4fbfb50dc -
    Skipping line with status: -
    




    Best regards,

    Jason


  2. Tom Tran (WICLOUD CORPORATION) 10 Reputation points Microsoft External Staff
    2025-06-20T08:21:11.9633333+00:00

    Hi Zeel Jain,

    You're absolutely right that Event ID 13 is associated with FTP logon failures in IIS. However, it's important to clarify that IIS FTP does not log these events to Event Viewer by default, even though the event ID exists. Instead, FTP activity—including failed logins—is primarily recorded in FTP log files, not in the Windows Event Log.

    FTP logs are stored in W3C format at:

    C:\inetpub\logs\LogFiles\FTPSVC<siteID>\
    
    


    Event Viewer does not include a dedicated “IIS-FTP” log folder. Even though Event ID 13 exists, it is not automatically triggered by FTP failures unless you implement a custom logging solution. This design is intentional to avoid flooding the Event Log with application-specific entries.

    If you want to see Event ID 13 in Event Viewer, you can use a PowerShell script to scan your FTP log files and manually write failed login attempts to the Event Log.

    • Remember to change your "$logFilePath":
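    $logFilePath = "C:\inetpub\logs\LogFiles\FTPSVC1\u_ex250620.log"
    $sourceName = "IIS-FTP"
    # Register the event source once (requires an elevated session)
    if (-not [System.Diagnostics.EventLog]::SourceExists($sourceName)) {
        [System.Diagnostics.EventLog]::CreateEventSource($sourceName, "Application")
    }
    $logLines = Get-Content -Path $logFilePath
    foreach ($line in $logLines) {
        # Skip the W3C header lines (#Software, #Version, #Date, #Fields)
        if ($line -match '^#') { continue }
        # Test only the sc-status column (9th field, assuming the field order
        # date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status ...).
        # A bare -match "530" would also hit timestamps, session GUIDs and other columns.
        $fields = $line -split '\s+'
        if ($fields.Count -gt 8 -and $fields[8] -eq '530') {
            Write-EventLog -LogName "Application" -Source $sourceName -EntryType Error -EventId 13 -Message "FTP logon failure detected: $line"
        }
    }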
    

    This script checks for failed logins (530) and logs them as Event ID 13 in the Application log.

    For more information, you can check out:

    https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/ftpserver/logfile
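
In the log output shown in the first answer, the failing `PASS` line has `cs-username` set to `-`, so an event built from that line alone does not say which account was tried. The following is an added example, not part of either answer: it reads the column positions from the log's own `#Fields` header and pairs each failed `PASS` (status 530) with the preceding `USER` command in the same `x-session`. The function name `Get-FtpFailedLogon` and the sample lines are constructed for illustration.

```powershell
# Added example: correlate USER and PASS lines per x-session so that each
# failed logon record carries the attempted user name and the client IP.
function Get-FtpFailedLogon {
    param([string[]]$Line)

    $columns  = @()   # column names taken from the log's #Fields header
    $lastUser = @{}   # x-session -> user name from the most recent USER command

    foreach ($l in $Line) {
        if ($l -match '^#Fields:\s*(.+)$') {
            $columns = $Matches[1].Trim() -split '\s+'
            continue
        }
        # Skip the other header lines and blank lines
        if ($l -match '^#' -or -not $l.Trim()) { continue }

        $values = $l.Trim() -split '\s+'
        # Ignore rows seen before a #Fields header and truncated rows
        if ($columns.Count -eq 0 -or $values.Count -lt $columns.Count) { continue }

        $row = @{}
        for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $values[$i] }

        if ($row['cs-method'] -eq 'USER') {
            $lastUser[$row['x-session']] = $row['cs-uri-stem']
        }
        elseif ($row['cs-method'] -eq 'PASS' -and $row['sc-status'] -eq '530') {
            [pscustomobject]@{
                Time        = "$($row['date']) $($row['time'])"
                ClientIp    = $row['c-ip']
                User        = $lastUser[$row['x-session']]
                Win32Status = $row['sc-win32-status']   # 1326 = ERROR_LOGON_FAILURE
                Session     = $row['x-session']
            }
        }
    }
}

# Constructed sample input in the field layout shown in the output above.
# The session GUID ends in "530" on purpose: the QUIT line must not be reported.
$sample = @(
    '#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath'
    '2025-03-20 07:40:27 ::1 - ::1 21 USER Jason 331 0 0 11111111-0000-0000-0000-000000000530 -'
    '2025-03-20 07:40:29 ::1 - ::1 21 PASS *** 530 1326 41 11111111-0000-0000-0000-000000000530 -'
    '2025-03-20 07:41:29 ::1 - ::1 21 QUIT - 221 0 0 11111111-0000-0000-0000-000000000530 -'
)
Get-FtpFailedLogon -Line $sample
```

Each returned object can be formatted into the `-Message` of the `Write-EventLog` call used in the answers above, so the Application log entry names the account and source address.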

