StewartL, what logging profile have you assigned? If it's All Requests, then simply browsing the site will generate logs. To see illegal requests, does the site have search fields where you can input sample malicious scripts? Or can you construct HTTP requests which violate the RFC, e.g. IP address as Host header?
Just a few options.