IIRF.dll and IirfGlobal.ini go in the same folder. This folder is typically not a web document folder.
Then, in the web document folder root for each virtual directory, you can drop IIRF.ini. Each vdir gets its own set of rules.
Your description said they all went into the same folder, and that is generally not the right thing to do, with IIRF 2.0.
It's possible to configure the IIRF.ini for a particular virtual directory, and then submit URLs that are satisfied by a different vdir, and you will never get logging messages indicating the "miss". Do you understand what I mean?
In other words suppose you have vdir #1 , URL base of /products2, rooted at c:\wwwroot\products2. IIRF is configured in IIS, just as you said. Within the products2 vdir, you drop an IIRF.ini. Then you submit a URL request like
http://server/products/one/two/three . This request is handled by a different vdir, maybe the default one. It just so happens that this other vdir has no IIRF.ini. The request results
in a 404 response from IIS. At this point there is no logging in the IIRF ini, because when IIRF saw the request, it found no IIRF.ini and thus no rules, and no LogLevel directive to tell it to log.
Do you see how that could work?
The same IIRF behavior would result if you dropped the IIRF.ini file into a directory which was not the vdir doc root.
I don't know if that is the situation you have, but it seems likely. The config is not being read by IIRF.