Log File Formats in IIS

Applies To: Windows Server 2003, Windows Server 2003 with SP1

IIS provides six different log file formats that you can use to track and analyze information about your IIS-based sites and services. In addition to the six available formats, you can create your own custom log file format. For more information about custom logging, see Custom Logging Modules.

The following log file formats and logging options are available in IIS:

You can read text-based log files using a text editor such as Notepad, which is included with Windows, but administrators often import the files into a report-generating software tool for further analysis.

For step-by-step instructions on how to enable logging, see Enabling Logging.

UTF-8 Format for Non-English Languages and Security

UTF-8 is a method of character encoding that allows for both single and multibyte characters in one string. If you want to read text-based (W3C Extended, IIS, and NCSA Common) log files in a language other than English, you can enable the UTF-8 format. You also need the UTF-8 format if you serve URLs in a language other than the native server code page, for example, if you serve Chinese URLs on a Japanese system. In addition, because IIS 6.0 tries to serve URLs in code pages other than the server default code page by default, you might want to enable the UTF-8 format for security reasons. It is a good security practice to enable the UTF-8 format in case of an attack based on URLs in UTF-8 that might not translate correctly to the default code page.

Note

IIS does not support the UTF-8 format for FTP site log files.

For information about enabling UTF-8, see Enabling UTF-8 Format for Non-English Languages and Security.

Log File Locations and ACLs

If you create a log file directory of C:\LogFiles for HTTP.sys-generated logging (W3C Extended log file format, NCSA Common log file format, IIS log file format, centralized binary logging, or HTTP.sys error logging), then HTTP.sys generates the following subdirectories, and the log files are created under these subdirectories:

  • For the W3C Extended, NCSA Common, and IIS log file formats, HTTP.sys generates the subdirectory C:\LogFiles\W3SVC#, where # is the site ID.

  • For centralized binary logging, HTTP.sys generates the subdirectory C:\LogFiles\W3SVC.

  • For HTTP.sys error logging, HTTP.sys generates the subdirectory C:\WINDOWS\System32\LogFiles\HTTPErr.

By default, the log file directory has the following access control lists (ACLs):

  • NT Authority\System: Full access

  • Built-in\Administrators: Full access

  • Everyone: No access (Although the No access permission is the effective permission, this setting is not explicitly set by HTTP.sys.)

Individual log files in the log file directory have the following controls:

  • NT Authority\System: Full access

  • Built-in\Administrators: Read and delete access

  • Everyone: No access (Although the No access permission is the effective permission, this setting is not explicitly set by HTTP.sys.)

Important

The default log file directory ACLs (DACLs) are set for optimum security. If you choose to create log file directories with less restrictive ACLs, your system might be more vulnerable to attack.

If you are using the W3C Extended, NCSA Common, or IIS log file formats and it is necessary to do so, you can create a subdirectory called W3SVC# of the C:\LogFiles directory and set ACLs for that directory that are different from the defaults. For example, if you need to allow a site administrator to read the log files, create a W3SVC# subdirectory of the C:\LogFiles directory and set Read ACLs for the site's administrator.

Important

The owner of the W3SVC# subdirectory must be a member of the Local Administrators group. If not, HTTP.sys writes an error to the NT Event log and disables logging.
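
The following PowerShell script is an added example, not part of the original documentation. It compares a log file directory with the defaults listed above, reporting any Allow entry for a principal other than SYSTEM or Administrators and any directory whose owner is not the Administrators group itself. The default path C:\LogFiles is taken from the example on this page, and the script assumes an elevated session.

```powershell
# Added example: compare log directory ACLs with the documented defaults.
# $LogRoot is an assumed path; point it at your configured log file directory.
param([string]$LogRoot = 'C:\LogFiles')

$SidType   = [System.Security.Principal.SecurityIdentifier]
$SystemSid = 'S-1-5-18'        # NT AUTHORITY\SYSTEM (well-known SID)
$AdminsSid = 'S-1-5-32-544'    # BUILTIN\Administrators (well-known SID)

function Resolve-Name([string]$Sid) {
    # Translate a SID to an account name for the report; fall back to the raw SID.
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Check the root directory itself plus every subdirectory and log file below it.
$items = @(Get-Item -Path $LogRoot) + @(Get-ChildItem -Path $LogRoot -Recurse -Force)

foreach ($item in $items) {
    $acl   = Get-Acl -Path $item.FullName
    $owner = $acl.GetOwner($SidType).Value

    # The owner of a W3SVC# directory must be a member of local Administrators.
    # Only the group SID is accepted automatically; any other owner is listed
    # so that its group membership can be confirmed by hand.
    if ($item.PSIsContainer -and $owner -ne $AdminsSid) {
        'OWNER  {0} is owned by {1}; confirm membership in local Administrators' -f `
            $item.FullName, (Resolve-Name $owner)
    }

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($sid -ne $SystemSid -and $sid -ne $AdminsSid) {
            'EXTRA  {0} grants {1} to {2}' -f `
                $item.FullName, $rule.FileSystemRights, (Resolve-Name $sid)
        }
    }
}
```

An EXTRA line for a site administrator who was deliberately given Read access to a W3SVC# directory is expected; any other EXTRA line is a deviation from the defaults and should be reviewed.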

For more information about file and directory security and access control, see Managing a Secure IIS 6.0 Solution.