About Logging Site Activity

You can configure your Web or FTP sites to record log entries about user and server activity. IIS log data can help you regulate access to content, determine content popularity, plan security requirements, and troubleshoot potential Web site or FTP site problems. Logging IIS site activity should not be confused with the event logging carried out by Windows 2000 and viewed by using the Event Viewer. The logging in IIS is more extensive. The following sections explain IIS logging:

The Logging Process

The logging for a Web or FTP site is carried out by modules that operate independently of other activities on the server. You can choose the format of your logs for each individual Web or FTP site. If logging is enabled for a site, you can disable or enable it for individual directories on that site. For the procedure to enable or disable logging for sites or directories, see Enabling Logging.

The logs created by IIS can be read in a text editor, but typically, the files are loaded in a report-generating software tool. ODBC logging is logged to a database and the database can be used to generate reports. Process accounting logs are written interspersed with normal W3C Extended logs for each Web site.

Different log formats use different time zones for the basis of times listed in the logs. W3C Extended format uses Universal Time Coordinate (UTC), formerly called Greenwich Mean Time. The other formats use local time. The times listed in log files reflect the time the server uses to process requests and responses. These times do not reflect network travel time to the client, or client processing time.

Log File Formats

You can choose the format that your Web server uses to record user activity. The following formats are available:

The W3C Extended log file format, Microsoft IIS log file format, and NCSA log file format are all ASCII text formats. The W3C Extended and NCSA formats record logging data in four-digit year format. The Microsoft IIS format uses a two-digit year format and is provided for backward compatibility with earlier IIS versions. You can also create customized logging formats with the exact fields you need.

W3C Extended Log File Format

W3C Extended format is a customizable ASCII format with a variety of different fields. You can include fields important to you, while limiting log size by omitting unwanted fields. Fields are separated by spaces. Time is recorded as UTC (Greenwich Mean Time). For information about customizing this format, see Customizing W3C Extended Logging. For more information on the W3C Extended format specification, see the W3C site http://www.w3.org.

The example below shows lines from a file using the following fields: Time, Client IP Address, Method, URI Stem, HTTP Status, and HTTP Version.

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 1998-05-02 17:42:15
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0

The preceding entry indicates that on May 2, 1998 at 5:42 P.M., UTC, a user with HTTP version 1.0 and the IP address of 172.16.255.255 issued an HTTP GET command for the file Default.htm. The request was returned without error. The #Date: field indicates when the first log entry was made, which is when the log was created. The #Version: field indicates the version of the W3C logging format used.

Any of the fields can be selected, but some fields may not have information available for some requests. For fields that are selected, but for which there is no information, a dash (-) appears in the field as a placeholder.
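The following parser is an added example, not code from the original page or from IIS. It reads a W3C Extended log by following the #Fields directive, maps the placeholder to a missing value, and builds a UTC timestamp. The second #Fields directive and the 401 entry in the sample are constructed, and using the #Date directive as the date when no date field is logged is an assumption of this example.

```python
from datetime import datetime, timezone

# Constructed sample: the page's example, followed by an invented entry
# written after a new #Fields directive, with an empty user name.
SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 1998-05-02 17:42:15
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0
#Fields: date time c-ip cs-username cs-uri-stem sc-status
1998-05-02 17:43:01 172.16.255.255 - /admin/ 401
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the active #Fields names."""
    fields, log_date = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name == "Fields":
                fields = value.split()        # the layout can change mid-file
            elif name == "Date":
                # Assumption: used as the date only when no date field is
                # logged; entries written after midnight UTC would be misdated.
                log_date = value.split()[0]
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {raw!r}")
        # "-" is the placeholder for a selected field with no information.
        entry = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        day = entry.get("date") or log_date
        if day and entry.get("time"):
            entry["utc"] = datetime.strptime(
                f"{day} {entry['time']}", "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)    # W3C Extended times are UTC
        yield entry

ENTRIES = list(parse_w3c(SAMPLE))
```
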

Microsoft IIS Log Format

Microsoft IIS format is a fixed (non-customizable) ASCII format. It records more items of information than the NCSA Common format. The Microsoft IIS format includes basic items such as the user's IP address, user name, request date and time, HTTP status code, and number of bytes received. In addition, it includes detailed items such as the elapsed time, the number of bytes sent, the action (for example, a download carried out by a GET command) and the target file. The items are separated by commas, making the format easier to read than the other ASCII formats, which use spaces for separators. The time is recorded as local time.

When you open a Microsoft IIS format file in a text editor, the entries are similar to the following examples:

192.168.114.201, -, 03/20/98, 7:55:20, W3SVC2, SALES1, 192.168.114.201, 4502, 163, 3223, 200, 0, GET, DeptLogo.gif

172.16.255.255, anonymous, 03/20/98, 23:58:11, MSFTPSVC, SALES1, 192.168.114.201, 60, 275, 0, 0, 0, PASS, intro.htm

The preceding sample entries are interpreted in the following tables. The top row in both tables is from the second Web site instance (which appears under "Service" as W3SVC2), the bottom row from the first FTP site instance (which appears under "Service" as MSFTPSVC1). The example is presented in two tables because of page-width limitations.

User’s IP address  User name  Date      Time      Service and instance  Computer name  IP address of server
192.168.114.201    -          03/20/98  7:55:20   W3SVC2                SALES1         172.21.13.45
172.16.255.255     anonymous  03/20/98  23:58:11  MSFTPSVC1             SALES1         172.21.13.45

Time taken  Bytes received  Bytes sent  Service status code  Windows 2000 status code  Request type  Target of the operation
4502        163             3223        200                  0                         GET           DeptLogo.gif
60          275             0           0                    0                         PASS          intro

In the example, the first entry indicates that an anonymous user with the IP address of 192.168.114.201 issued an HTTP GET command for the image file DeptLogo.gif at 7:55 A.M. on March 20, 1998, from a server named SALES1 at IP address 172.21.13.45. The 163-byte HTTP request had an elapsed processing time of 4502 milliseconds (4.5 seconds) to complete, and returned, without error, 3223 bytes of data to the anonymous user.

In the log file, all fields are terminated with a comma (,). A hyphen acts as a placeholder if there is no valid value for a certain field.
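The following parser is an added example, not code from the original page or from IIS. It reads Microsoft IIS format entries and converts their local times to UTC so they can be placed on one timeline with W3C Extended logs. The key names, the server offset of UTC-8, and the trailing comma on the first sample line are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Field order follows the page's interpretation tables; key names are this
# example's own.
IIS_FIELDS = ("client_ip", "username", "date", "time", "service", "computer",
              "server_ip", "time_taken_ms", "bytes_received", "bytes_sent",
              "service_status", "win32_status", "operation", "target")
INT_FIELDS = IIS_FIELDS[7:12]

# Constructed from the page's two sample entries.
SAMPLE = [
    "192.168.114.201, -, 03/20/98, 7:55:20, W3SVC2, SALES1, "
    "192.168.114.201, 4502, 163, 3223, 200, 0, GET, DeptLogo.gif,",
    "172.16.255.255, anonymous, 03/20/98, 23:58:11, MSFTPSVC, SALES1, "
    "192.168.114.201, 60, 275, 0, 0, 0, PASS, intro.htm",
]

def parse_iis_line(line, utc_offset_hours):
    """Parse one entry; utc_offset_hours is the server's offset from UTC.

    The format records local time without an offset, so the analyst has to
    supply it. A fixed offset ignores daylight saving changes.
    """
    parts = [p.strip() for p in line.strip().split(",")]
    if parts[-1] == "":               # fields are terminated by a comma
        parts.pop()
    if len(parts) < len(IIS_FIELDS):
        raise ValueError(f"expected {len(IIS_FIELDS)} fields: {line!r}")
    # A hyphen stands for "no valid value".
    rec = {k: (None if v == "-" else v) for k, v in zip(IIS_FIELDS, parts)}
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    # %y applies the POSIX pivot to the two-digit year: 69-99 -> 19xx.
    local = datetime.strptime(f"{rec['date']} {rec['time']}",
                              "%m/%d/%y %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    rec["utc"] = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return rec

RECORDS = [parse_iis_line(entry, -8) for entry in SAMPLE]
```

With the assumed offset, the 23:58:11 FTP entry falls on the next calendar day in UTC, which matters when matching it against UTC-based logs.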

NCSA Common Log File Format

NCSA Common format is a fixed (non-customizable) ASCII format, available for Web sites but not for FTP sites. It records basic information about user requests, such as remote host name, user name, date, time, request type, HTTP status code, and the number of bytes received by the server. Items are separated by spaces; time is recorded as local time.

When you open an NCSA Common format file in a text editor, the entries are similar to the following example:

172.21.13.45 - REDMOND\fred [08/Apr/1997:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401

Note   In the preceding entry, the second field (which would show the remote log name of the user) is empty and is represented by the hyphen following the IP address 172.21.13.45.

The preceding sample entry is interpreted in the following tables. The example is shown in two tables because of page-width limitations.

Remote host name  User name     Date         Time and GMT offset
172.21.13.45      REDMOND\fred  08/Apr/1998  17:39:10 -0800

Request type                                      Service status code  Bytes sent
GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0  200                  3401

The entry indicates that a user named Fred in the REDMOND domain, with the IP address of 172.21.13.45, issued an HTTP GET command (that is, downloaded a file) at 5:39 P.M. on April 8, 1998. The request returned, without error, 3401 bytes of data to the user named Fred.

ODBC Logging

ODBC logging format is a record of a fixed set of data fields in an ODBC-compliant database, such as Microsoft Access or Microsoft SQL Server. Some of the items logged are the user's IP address, user name, request date and time, HTTP status code, bytes received, bytes sent, action carried out (for example, a download carried out by a GET command) and the target (for example, the file that was downloaded). The time is recorded as local time. With this option, you must specify the database to be logged to, and set up the database to receive the data.

To use ODBC logging, you must complete the following steps:

  1. Create a database containing a table with the appropriate fields for the logging data. IIS includes a SQL template file which can be run in a SQL database to create a table that accepts log entries from IIS. The file is called Logtemp.sql and is available in the \IISRoot directory. If you accepted the defaults offered in Setup, the \IISRoot directory is a subdirectory of the \WindowsNT\System32 directory. The following fields are required:

    Field Name      Field Type
    ClientHost      varchar(255)
    Username        varchar(255)
    LogTime         datetime
    Service         varchar(255)
    Machine         varchar(255)
    ServerIP        varchar(50)
    ProcessingTime  int
    BytesRecvd      int
    BytesSent       int
    ServiceStatus   int
    Win32Status     int
    Operation       varchar(255)
    Target          varchar(255)
    Parameters      varchar(255)

  2. Give the database a system Data Source Name (DSN), which is a name that the ODBC software uses to find the database. For more information, see the Windows 2000 documentation.
  3. Supply IIS with the name of the database and table. If a user name and password are needed for accessing the database, you must also specify these in IIS.

Process Accounting

Process accounting is a new feature in IIS. It adds fields to the W3C Extended log file to record information about how Web sites use CPU resources on the server. This information is used to determine if sites are using disproportionally high CPU resources, or to detect malfunctioning scripts or CGI processes.

Process accounting can be enabled on a per-site basis. It does not provide details on CPU usage of individual applications and logs information only about out-of-process applications. It is available only for Web sites and is recorded only when W3C Extended log file format is selected. The process accounting information is interspersed with other logging information in the file. For the procedure to enable process accounting, see Tracking Processor Use.

The information gained from process accounting can be used to determine if process throttling should be enabled on a Web site. Process throttling limits the amount of processor time a Web site can use. For more information, see About Processor Utilization.

Log File Size and the Creation of New Log Files

When IIS logging is enabled, as it is by default, new log entries are generated whenever users are accessing the server. This causes a progressive increase in log file size or in the number of log files. You may need to balance the gathering of detailed data against the need to limit files to a manageable size and number. IIS offers two options for managing the generation of log data and the creation of new log files.

One way to manage log data is to use W3C Extended logging and customize it so that you gather only the data you need. For procedural help, see Customizing W3C Extended Logging. Another option for managing log files is to limit log size by changing the frequency of log file creation. For more information about interval options, see Saving Log Files. When selecting a logging option, keep in mind that you can access the current log file only after stopping the site.

Log files are simply ASCII (text) files. If you find you have created many small files when you prefer one large file, you can combine the files as you would with any ASCII files. For information about using the copy command for combining files, at the command prompt, type copy /?.

If your server runs out of disk space when IIS is attempting to add a log entry to a file, IIS logging shuts down. At the same time, in the Application log of Windows Event Viewer, an event is logged. When disk space is once again available, IIS logging resumes. This causes an additional event to be logged in the Application log of Windows Event Viewer.

Log File Names

Log file names use the first several letters to represent the logging format, and the remaining numbers to represent the time frame or sequence of the log. See the table below for details. The italicized letters represent digits: nn for sequential digits, yy for the year, mm for the month, ww for the week of the month, dd for the day, hh for the hour in 24-hour format (that is, 17 is 5:00 P.M.).

Format                        Criterion for New Logs  Filename pattern
Microsoft IIS Log Format      By file size            inetsvnn.log
                              Hourly                  inyymmddhh.log
                              Daily                   inyymmdd.log
                              Weekly                  inyymmww.log
                              Monthly                 inyymm.log
NCSA Common Log File Format   By file size            ncsann.log
                              Hourly                  ncyymmddhh.log
                              Daily                   ncyymmdd.log
                              Weekly                  ncyymmww.log
                              Monthly                 ncyymm.log
W3C Extended Log File Format  By file size            extendnn.log
                              Hourly                  exyymmddhh.log
                              Daily                   exyymmdd.log
                              Weekly                  exyymmww.log
                              Monthly                 exyymm.log
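The following classifier is an added example, not code from the original page or from IIS. Given a collected log file name, it reports the format, the time basis stated earlier on this page, and the rotation schemes the name is consistent with. The daily and weekly patterns have the same length, so both are returned when the last two digits fit either. The week range 01 to 06 and the function name are assumptions of this example.

```python
import re

# Prefixes taken from the page's file-name table.
BY_SIZE = {"inetsv": "Microsoft IIS", "ncsa": "NCSA Common",
           "extend": "W3C Extended"}
BY_TIME = {"in": "Microsoft IIS", "nc": "NCSA Common", "ex": "W3C Extended"}

def classify_log_name(name):
    """Return (format, time basis, candidate rotation schemes) or None."""
    base = name.lower()
    m = re.fullmatch(r"(inetsv|ncsa|extend)(\d+)\.log", base)
    if m:
        fmt, periods = BY_SIZE[m.group(1)], ["by file size"]
    else:
        m = re.fullmatch(r"(in|nc|ex)(\d+)\.log", base)
        if not m:
            return None
        fmt, digits = BY_TIME[m.group(1)], m.group(2)
        if len(digits) not in (4, 6, 8) or not 1 <= int(digits[2:4]) <= 12:
            return None
        if len(digits) == 8:
            periods = ["hourly"]
        elif len(digits) == 4:
            periods = ["monthly"]
        else:
            # yymmdd and yymmww are both six digits; only the value of the
            # last pair can separate them, and small values fit both.
            last = int(digits[4:])
            periods = []
            if 1 <= last <= 31:
                periods.append("daily")
            if 1 <= last <= 6:        # assumed range for week of the month
                periods.append("weekly")
            if not periods:
                return None
    # W3C Extended logs use UTC; the other formats use local time.
    basis = "UTC" if fmt == "W3C Extended" else "server local time"
    return fmt, basis, periods
```
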

© 1997-1999 Microsoft Corporation. All rights reserved.