Export (0) Print
Expand All
1 out of 3 rated this helpful - Rate this topic

Logging

Published: February 29, 2012

Updated: February 29, 2012

Applies To: Windows Server 2012, Windows Server 2012 R2



Use the Logging feature page to configure how IIS logs requests made to the web server and when new log files are created.

Related scenarios

In this document

The following tables describe the UI elements that are available on the feature page and in the Actions pane.

 

Element Name Description

One log file per

Specifies whether the web server maintains one log file for the whole server or one log file for each site on the server.

When you select Site, the settings that you specify on the Logging page at the server level are default values for all sites on your server. You can then open the Logging page at the site level to configure specific settings for a site.

Format

Specifies the format of the log file that is created when a request is logged.

When you configure the web server to have one log file, you can select one of the following log file formats:

  • Binary

    Configures IIS to use the binary centralized logging format. By using this format, IIS creates one log file for all sites on the web server. Every site writes request hit log information as binary unformatted data to this log file. Because this kind of logging conserves valuable memory and CPU resources, it is appropriate for use in an ISP environment, where web servers can host many sites, or in any high-traffic situation.

    noteNote
    To extract data from this log file format, you must use a tool, such as LogParser 2.2.

  • W3C

    Configures IIS to use the centralized W3C log file format to log information about all sites on the server. This format is handled by HTTP.sys, and is a customizable ASCII text-based format, which means that you specify the fields that are logged. Specify the fields that are logged on the W3C Logging Fields dialog box by clicking Select Fields on the Logging page. Fields are separated by spaces, and time is recorded in Coordinated Universal Time (UTC).

When you configure the web server to have one log file per site, you can select one of the following log file formats:

  • IIS

    Configures IIS to use the Microsoft IIS log file format to log information about a site. This format is handled by HTTP.sys, and is a fixed ASCII text-based format, which means that you cannot customize the fields that are logged. Fields are separated by commas, and time is recorded as local time.

    The following list is a list of fields that are logged when you use the IIS log file format:

    • Client IP address

    • User name

    • Date

    • Time

    • Service and instance

    • Server name

    • Server IP address

    • Time taken

    • Client bytes sent

    • Server bytes sent

    • Service status code (A value of 200 indicates that the request was fulfilled successfully.)

    • Windows status code (A value of 0 indicates that the request was fulfilled successfully.)

    • Request type

    • Target of operation

    • Parameters (the parameters that are passed to a script.)

    Not all fields will contain data. When a field does not contain data, a hyphen (-) appears as a placeholder. When a field contains a non-printable character, HTTP.sys replaces it with a plus sign (+) to preserve the log file format.

  • NCSA

    Configures IIS to use the National Center for Supercomputing Applications (NCSA) Common log file format to log information about a site. This format is handled by HTTP.sys, and is a fixed ASCII text-based format, which means that you cannot customize the fields that are logged. Fields are separated by spaces, and time is recorded as local time with the Coordinated Universal Time (UTC) offset.

    The following list is a list of fields that are logged when you use the NCSA Common log file format:

    • Remote host address

    • Remote log name (This value is always a hyphen.)

    • User name

    • Date, time, and UTC offset

    • Request and protocol version

    • Service status code (A value of 200 indicates that the request was fulfilled successfully.)

    • Bytes sent

      Not all fields will contain data. When a field does not contain data, a hyphen (-) appears as a placeholder. When a field contains a non-printable character, HTTP.sys replaces it with a plus sign (+) to preserve the log file format.

  • W3C

    Use the W3C Extended logging format to log information about a site. This format is handled by HTTP.sys, which writes a customizable format, which means that you specify the fields that are logged. Specify the fields that are logged on the W3C Logging Fields dialog box by clicking Select Fields on the Logging page. Fields are separated by spaces, and time is recorded in Coordinated Universal Time (UTC).

    In Windows Server 2012 and earlier, HTTP.sys writes to an ASCII text-based file at the location specified by the Directory option. In Windows Server 2012 R2 and later, you have the additional option of writing the log information as an Event Tracing for Windows (ETW) event. For more information on ETW, see Event Tracing.

  • Custom

    Configures IIS to use a custom format for a custom logging module. When you select this option, the Logging page becomes disabled, because custom logging cannot be configured in IIS Manager.

Select Fields

Opens the W3C Logging Fields dialog box in which you can select which fields to log. This button is available only when the W3C log file format is selected.

Directory

Specifies the physical path where the log file or files are stored. The default value is %SystemDrive%\inetpub\logs\LogFiles.

Encoding

Specifies how the log file or log files are encoded: UTF-8 or ANSI.

Select UTF-8 when you want to enable both single-byte and multibyte characters in one string. This encoding enables you to read text-based logs, for example, W3C Extended, IIS, and National Center for Supercomputing Applications (NCSA) Common formats, in a language other than English. Additionally, if your web server serves URLs in a language or dialect other than the one supported by the server's default code page, you should enable UTF-8 encoding for log content.

By default, IIS tries to serve URLs in code pages other than the server's default code page. For security reasons, you might want to enable the UTF-8 format to reduce the effect of an attack that could cause UTF-8 URLs not to translate correctly to the default code page.

Log Event Destination

In Windows Server 2012 R2 and later, you can specify where you want the log events written:

  • Log file only: The log events are written to a log file in the location specified by the Directory option.

  • ETW event only: The log events are written as ETW events.

  • Both log file and ETW event: The log events are written both to the log file and as ETW events.

Schedule

Configures IIS to create new log files based one of the following values:

  • Hourly: a new log file is created each hour.

  • Daily: a new log file is created each day.

  • Weekly: a new log file is created each week.

  • Monthly: a new log file is created each month.

Maximum file size (in bytes)

Configures IIS to create a new log file when the file reaches a certain size (in bytes).

The minimum file size is 1048576 bytes. If this attribute is set to a value less than 1048576 bytes, the default value is implicitly assumed as 1048576 bytes.

Do not create new log files

Configures IIS to not create new log files. This means that there is a single log file that will continue to grow as information is logged.

Use local time for file naming and rollover

Specifies that log file naming and time for log file rollover uses the local server time. When this is not selected, Coordinated Universal Time (UTC) is used.

noteNote
Regardless of this setting, timestamps in the actual log file will use the time format for the log format that you select from the Format list. For example, NCSA and W3C log file formats use UTC time format for timestamps.

 

Element Name Description

Apply

Saves the changes that you have made on the feature page.

Cancel

Cancels the changes that you have made on the feature page.

Disable

Disables the feature.

View Log Files

Opens the log file directory.

Use the W3C Logging Fields dialog box to select the information that you want to include in log files. This dialog box is available only when you select W3C from the Format drop-down list on the Logging feature page.

 

Element Name Description

Date (date)

Logs the date on which the request occurred. Selected by default.

Time (time)

Logs the time, in Coordinated Universal Time (UTC), at which the request occurred. Selected by default.

Client IP Address (c-ip)

Logs the IP address of the client that made the request. Selected by default.

User Name (cs-username)

Logs the name of the authenticated user who accessed the server. Anonymous users are indicated by a hyphen. Selected by default.

Service Name (s-sitename)

Logs the Internet service name and instance number that was running on the client at the time that the incident was logged.

Server Name (s-computername)

Logs the name of the server on which the log file entry was generated.

Server IP Address (s-ip)

Logs the IP address of the server on which the log file entry was generated. Selected by default.

Server Port (s-port)

Logs the server port number that is configured for the service. Selected by default.

Method (cs-method)

Logs the HTTP method, such as GET, that is used in the request. Selected by default.

URI Stem (cs-uri-stem)

Logs the Uniform Resource Identifier (URI) that is the target of the action, such as Default.htm. Selected by default.

URI Query (cs-uri-query)

Logs the query, if any, that the client was trying to perform. A URI query is necessary only for dynamic pages. Selected by default.

Protocol Status (sc-status)

Logs the HTTP status code. Selected by default.

Protocol Substatus (sc-substatus)

Logs the HTTP substatus code. Selected by default.

Win32 Status (sc-win32-status)

Logs the Windows status code. Selected by default.

Bytes Sent (sc-bytes)

Logs the number of bytes that the server sent.

Bytes Received (cs-bytes)

Logs the number of bytes that the server received.

Time Taken (time-taken)

Logs the length of time that the action took in milliseconds. Selected by default.

Protocol Version (cs-version)

Logs the protocol version, HTTP or FTP, that the client used.

Host (cs-host)

Logs the host header name, if any.

noteNote
The host name that you configure for your website might appear differently in the log files because HTTP.sys logs host names by using the Punycode-encoded format.

User Agent (cs(User-Agent))

Logs the browser from which the request came. Selected by default.

Cookie (cs(Cookie))

Logs the content of the cookie sent or received, if any.

Referer (cs(Referer) )

Logs the site that the user last visited. This site provided a link to the current site.

In Windows Server 2012 R2 and later, you can perform enhanced logging by adding custom fields to the event log in addition to the standard fields listed above. This dialog box is available only when you select W3C from the Format drop-down list on the Logging feature page. Using the Log Event Destination option, you can specify that you want the log events to be sent to a log file, to Event Tracing for Windows (ETW), or both.

To add a custom field, in the W3C Logging Fields dialog box, click Add Field..., specify a Field Name, then select the Source Type - you can select Request Header, Response Header, or Server Variable. Depending on the Source Type you select, the Source field is updated to list the standard fields available. You can select one of the fields given, or type a custom source string. For more information on request and response headers, see HTTP protocol reference information. For more information on server variables, see IIS Server Variables.

noteNote
Enhanced logging cannot log a server variable with a name that contains lower-case characters. To include a server variable in the event log, ensure that its name consists of all upper-case characters.

Note that if you add custom fields to the event log, the total size of the logged fields is limited to 64K bytes. If the total size of the custom fields that you define is greater, then the logged content is truncated to 64K bytes.

noteNote
When enhanced logging is enabled, Kernel caching for request handling is disabled by IIS.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.