IIS Log File Format

  • Article

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The IIS log file format is a fixed ASCII text-based format, so you cannot customize it. Because HTTP.sys handles the IIS log file format, this format records HTTP.sys kernel-mode cache hits.

The IIS log file format records the following data:

  • Client IP address

  • User name

  • Date

  • Time

  • Service and instance

  • Server name

  • Server IP address

  • Time taken

  • Client bytes sent

  • Server bytes sent

  • Service status code (A value of 200 indicates that the request was fulfilled successfully.)

  • Windows status code (A value of 0 indicates that the request was fulfilled successfully.)

  • Request type

  • Target of operation

  • Parameters (the parameters that are passed to a script)

Not all fields will contain information. For fields for which there is no information, a hyphen (-) appears as a placeholder. If a field contains a nonprintable character, HTTP.sys replaces it with a plus sign (+) to preserve the log file format. This typically occurs with virus attacks, when, for example, a malicious user sends carriage returns and line feeds that, if not replaced with the plus sign (+), would break the log file format.

Fields are separated by commas, making the format easier to read than the other ASCII formats, which use spaces for separators. The time is recorded as local time. A Web site instance is displayed as W3SVC*#, and an FTP site instance is displayed as MSFTPSVC#*, where # is the instance of the site. Time taken is recorded in milliseconds. For more information about the time taken field, see W3C Extended Log File Format.