You can configure your Web or FTP sites to record log entries about user and server activity. IIS log data can help you regulate access to content, determine content popularity, plan security requirements, and troubleshoot potential Web site or FTP site problems. Logging IIS site activity should not be confused with the event logging carried out by Windows 2000 and viewed by using the Event Viewer. The logging in IIS is more extensive. The following sections explain IIS logging:
The logging for a Web or FTP site is carried out by modules that operate independently of other activities on the server. You can choose the format of your logs for each individual Web or FTP site. If logging is enabled for a site, you can disable or enable it for individual directories on that site. For the procedure to enable or disable logging for sites or directories, see Enabling Logging.
The logs created by IIS can be read in a text editor, but typically, the files are loaded in a report-generating software tool. ODBC logging is logged to a database and the database can be used to generate reports. Process accounting logs are written interspersed with normal W3C Extended logs for each Web site.
Different log formats use different time zones for the basis of times listed in the logs. W3C Extended format uses Universal Time Coordinate (UTC), formerly called Greenwich Mean Time. The other formats use local time. The times listed in log files reflect the time the server uses to process requests and responses. These times do not reflect network travel time to the client, or client processing time.
You can choose the format that your Web server uses to record user activity. The following formats are available:
The W3C Extended log file format, Microsoft IIS log file format, and NCSA log file format are all ASCII text formats. The W3C Extended and NCSA formats record logging data in four-digit year format. The Microsoft IIS format uses a two-digit year format and is provided for backward compatibility with earlier IIS versions. You can also create customized logging formats with the exact fields you need.
W3C Extended format is a customizable ASCII format with a variety of different fields. You can include fields important to you, while limiting log size by omitting unwanted fields. Fields are separated by spaces. Time is recorded as UTC (Greenwich Mean Time). For information about customizing this format, see Customizing W3C Extended Logging. For more information on the W3C Extended format specification, see the W3C site http://www.w3.org.
The example below shows lines from a file using the following fields: Time, Client IP Address, Method, URI Stem, HTTP Status, and HTTP Version.
```
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 1998-05-02 17:42:15
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0
```
The preceding entry indicates that on May 2, 1998 at 5:42 P.M., UTC, a user with HTTP version 1.0 and the IP address of 172.16.255.255 issued an HTTP GET command for the file Default.htm. The request was returned without error. The #Date: field indicates when the first log entry was made, which is when the log was created. The #Version: field indicates the version of the W3C logging format used.
Any of the fields can be selected, but some fields may not have information available for some requests. For fields that are selected, but for which there is no information, a dash (-) appears in the field as a placeholder.
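An added example, not part of the original documentation: a Python parser that reads W3C Extended entries according to whichever #Fields directive precedes them, turns the dash placeholder into None, and attaches a UTC timestamp. The second header block and the 404 entry in the sample are constructed, and the `_utc`, `_error`, `_line` and `_raw` keys are this example's own names.

```python
from datetime import datetime, timezone

# Constructed sample: the page's example followed by a second header block
# with a different field list and an entry that uses the "-" placeholder.
SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 1998-05-02 17:42:15
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0
#Date: 1998-05-02 18:03:40
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
18:03:41 172.16.255.255 - GET /missing.htm 404
"""

def parse_w3c(text):
    """Parse W3C Extended log text into a list of dicts, one per entry."""
    fields, log_date, entries = [], None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            value = value.strip()
            if name == "Fields":
                fields = value.split()       # a later directive replaces the earlier one
            elif name == "Date":
                log_date = value.split()[0]  # fallback date when no date field is logged
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            # Truncated or malformed entry: keep it visible instead of guessing.
            entries.append({"_line": lineno, "_error": "field count mismatch", "_raw": line})
            continue
        # "-" marks a selected field for which no information was available.
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        day = rec.get("date") or log_date
        if day and rec.get("time"):
            # W3C Extended times are UTC. With a #Date fallback, entries written
            # after midnight keep the header's date, so log the date field too.
            stamp = datetime.strptime(f"{day} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            rec["_utc"] = stamp.replace(tzinfo=timezone.utc)
        entries.append(rec)
    return entries
```
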
Microsoft IIS format is a fixed (non-customizable) ASCII format. It records more items of information than the NCSA Common format. The Microsoft IIS format includes basic items such as the user's IP address, user name, request date and time, HTTP status code, and number of bytes received. In addition, it includes detailed items such as the elapsed time, the number of bytes sent, the action (for example, a download carried out by a GET command) and the target file. The items are separated by commas, making the format easier to read than the other ASCII formats, which use spaces for separators. The time is recorded as local time.
When you open a Microsoft IIS format file in a text editor, the entries are similar to the following examples:
```
192.168.114.201, -, 03/20/98, 7:55:20, W3SVC2, SALES1, 192.168.114.201, 4502, 163, 3223, 200, 0, GET, DeptLogo.gif
172.16.255.255, anonymous, 03/20/98, 23:58:11, MSFTPSVC, SALES1, 192.168.114.201, 60, 275, 0, 0, 0, PASS, intro.htm
```
The preceding sample entries are interpreted in the following tables. The top row in both tables is from the second Web site instance (which appears under "Service" as W3SVC2), the bottom row from the first FTP site instance (which appears under "Service" as MSFTPSVC1). The example is presented in two tables because of page-width limitations.
User's IP address | User name | Date | Time | Service and instance | Computer name | IP address of server |
---|---|---|---|---|---|---|
192.168.114.201 | - | 03/20/98 | 7:55:20 | W3SVC2 | SALES1 | 172.21.13.45 |
172.16.255.255 | anonymous | 03/20/98 | 23:58:11 | MSFTPSVC1 | SALES1 | 172.21.13.45 |

Time taken | Bytes received | Bytes sent | Service status code | Windows 2000 status code | Request type | Target of the operation |
---|---|---|---|---|---|---|
4502 | 163 | 3223 | 200 | 0 | GET | DeptLogo.gif |
60 | 275 | 0 | 0 | 0 | [376] PASS | intro |
In the example, the first entry indicates that an anonymous user with the IP address of 192.168.114.201 issued an HTTP GET command for the image file DeptLogo.gif at 7:55 A.M. on March 20, 1998, from a server named SALES1 at IP address 172.21.13.45. The 163-byte HTTP request had an elapsed processing time of 4502 milliseconds (4.5 seconds) to complete, and returned, without error, 3223 bytes of data to the anonymous user.
In the log file, all fields are terminated with a comma (,). A hyphen acts as a placeholder if there is no valid value for a certain field.
NCSA Common format is a fixed (non-customizable) ASCII format, available for Web sites but not for FTP sites. It records basic information about user requests, such as remote host name, user name, date, time, request type, HTTP status code, and the number of bytes received by the server. Items are separated by spaces; time is recorded as local time.
When you open an NCSA Common format file in a text editor, the entries are similar to the following example:
```
172.21.13.45 - REDMOND\fred [08/Apr/1997:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401
```
Note: In the preceding entry, the second field (which would show the remote log name of the user) is empty and is represented by the hyphen following the IP address 172.21.13.45.
The preceding sample entry is interpreted in the following tables. The example is shown in two tables because of page-width limitations.
Remote host name | User name | Date | Time and GMT offset |
---|---|---|---|
172.21.13.45 | REDMOND\fred | 08/Apr/1998 | 17:39:10 -0800 |

Request type | Service status code | Bytes sent |
---|---|---|
GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0 | 200 | 3401 |
The entry indicates that a user named Fred in the REDMOND domain, with the IP address of 172.21.13.45, issued an HTTP GET command (that is, downloaded a file) at 5:39 P.M. on April 8, 1998. The request returned, without error, 3401 bytes of data to the user named Fred.
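Because the Microsoft IIS and NCSA Common formats record local time while W3C Extended records UTC, entries must be normalized before they can share one timeline. The following added example (not from the original documentation) parses the sample entries shown on this page and converts both to UTC. The -8 hour offset used for the IIS entries is an assumption, since that format carries no offset, and the dictionary key names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Column order follows the two tables on this page; the key names are this example's own.
IIS_COLUMNS = ("client_ip", "user", "date", "time", "service", "computer", "server_ip",
               "time_taken_ms", "bytes_recvd", "bytes_sent", "service_status",
               "win_status", "operation", "target")
NCSA_RE = re.compile(r'(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}|-) (\d+|-)')

# Entries as shown on this page (empty fields written as "-").
IIS_SAMPLE = [
    "192.168.114.201, -, 03/20/98, 7:55:20, W3SVC2, SALES1, 192.168.114.201, 4502, 163, 3223, 200, 0, GET, DeptLogo.gif",
    "172.16.255.255, anonymous, 03/20/98, 23:58:11, MSFTPSVC, SALES1, 192.168.114.201, 60, 275, 0, 0, 0, PASS, intro.htm",
]
NCSA_SAMPLE = r'172.21.13.45 - REDMOND\fred [08/Apr/1997:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401'

def parse_iis(line, utc_offset_hours):
    """Microsoft IIS format: comma-separated, local time, two-digit year."""
    # maxsplit keeps any commas inside the final (target) field intact.
    values = [v.strip() for v in line.strip().rstrip(",").split(",", len(IIS_COLUMNS) - 1)]
    if len(values) != len(IIS_COLUMNS):
        return None
    rec = {k: (None if v in ("-", "") else v) for k, v in zip(IIS_COLUMNS, values)}
    # %y maps 69-99 to 19xx and 00-68 to 20xx; the format itself carries no century.
    local = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%y %H:%M:%S")
    # The entry has no offset, so the caller supplies the server's (assumed) one.
    # A fixed offset is wrong across a daylight-saving change; split such logs by date.
    rec["utc"] = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))).astimezone(timezone.utc)
    return rec

def parse_ncsa(line):
    """NCSA Common format: space-separated, local time with an explicit offset."""
    m = NCSA_RE.match(line.strip())
    if not m:
        return None
    host, logname, user, stamp, request, status, size = m.groups()
    rec = {"host": host, "logname": logname, "user": user, "request": request,
           "status": status, "bytes": size}
    rec = {k: (None if v == "-" else v) for k, v in rec.items()}
    rec["utc"] = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return rec
```

With the assumed offset, the second IIS entry (23:58:11 local on 03/20/98) falls on the next calendar day in UTC, which matters when matching it against W3C Extended log files.
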
ODBC logging format is a record of a fixed set of data fields in an ODBC-compliant database, such as Microsoft Access or Microsoft SQL Server. Some of the items logged are the user's IP address, user name, request date and time, HTTP status code, bytes received, bytes sent, action carried out (for example, a download carried out by a GET command) and the target (for example, the file that was downloaded). The time is recorded as local time. With this option, you must specify the database to be logged to, and set up the database to receive the data.
To use ODBC logging, you must complete the following steps:
Field Name | Field Type |
---|---|
ClientHost | varchar(255) |
Username | varchar(255) |
LogTime | datetime |
Service | varchar(255) |
Machine | varchar(255) |
ServerIP | varchar(50) |
ProcessingTime | int |
BytesRecvd | int |
BytesSent | int |
ServiceStatus | int |
Win32Status | int |
Operation | varchar(255) |
Target | varchar(255) |
Parameters | varchar(255) |
Process accounting is a new feature in IIS. It adds fields to the W3C Extended log file to record information about how Web sites use CPU resources on the server. This information is used to determine if sites are using disproportionally high CPU resources, or to detect malfunctioning scripts or CGI processes.
Process accounting can be enabled on a per-site basis. It does not provide details on CPU usage of individual applications and logs information only about out-of-process applications. It is available only for Web sites and is recorded only when W3C Extended log file format is selected. The process accounting information is interspersed with other logging information in the file. For the procedure to enable process accounting, see Tracking Processor Use.
The information gained from process accounting can be used to determine if process throttling should be enabled on a Web site. Process throttling limits the amount of processor time a Web site can use. For more information, see About Processor Utilization.
When IIS logging is enabled, as it is by default, new log entries are generated whenever users are accessing the server. This causes a progressive increase in log file size or in the number of log files. You may need to balance the gathering of detailed data against the need to limit files to a manageable size and number. IIS offers two options for managing the generation of log data and the creation of new log files.
One way to manage log data is to use W3C Extended logging and customize it so that you gather only the data you need. For procedural help, see Customizing W3C Extended Logging. Another option for managing log files is to limit log size by changing the frequency of log file creation. For more information about interval options, see Saving Log Files. When selecting a logging option, keep in mind that you can access the current log file only after stopping the site.
Log files are simply ASCII (text) files. If you find you have created many small files when you prefer one large file, you can combine the files as you would with any ASCII files. For information about using the copy command for combining files, at the command prompt, type copy /?.
If your server runs out of disk space when IIS is attempting to add a log entry to a file, IIS logging shuts down. At the same time, in the Application log of Windows Event Viewer, an event is logged. When disk space is once again available, IIS logging resumes. This causes an additional event to be logged in the Application log of Windows Event Viewer.
Log file names use the first several letters to represent the logging format, and the remaining numbers to represent the time frame or sequence of the log. See the table below for details. The italicized letters represent digits: nn for sequential digits, yy for the year, mm for the month, ww for the week of the month, dd for the day, hh for the hour in 24-hour format (that is, 17 is 5:00 P.M.).
Format | Criterion for New Logs | Filename pattern |
---|---|---|
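Microsoft IIS Log Format | By file size | inetsvnn.log |
Microsoft IIS Log Format | Hourly | inyymmddhh.log |
Microsoft IIS Log Format | Daily | inyymmdd.log |
Microsoft IIS Log Format | Weekly | inyymmww.log |
Microsoft IIS Log Format | Monthly | inyymm.log |
NCSA Common Log File Format | By file size | ncsann.log |
NCSA Common Log File Format | Hourly | ncyymmddhh.log |
NCSA Common Log File Format | Daily | ncyymmdd.log |
NCSA Common Log File Format | Weekly | ncyymmww.log |
NCSA Common Log File Format | Monthly | ncyymm.log |
W3C Extended Log File Format | By file size | extendnn.log |
W3C Extended Log File Format | Hourly | exyymmddhh.log |
W3C Extended Log File Format | Daily | exyymmdd.log |
W3C Extended Log File Format | Weekly | exyymmww.log |
W3C Extended Log File Format | Monthly | exyymm.log |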