IIS Centralized Binary Logging

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Centralized binary logging is a process where multiple Web sites send binary, unformatted log data to a single log file. In contrast, the other IIS logging methods create one log file per Web site.

When a server running IIS hosts many Web sites, the process of creating hundreds or thousands of formatted log files and writing the log data to a disk can quickly consume valuable CPU and memory resources, thereby creating performance and scalability problems. Centralized binary logging minimizes the amount of system resources that are used for logging, while at the same time providing detailed log data for organizations that require it.

Centralized binary logging is a server property, not a site property, so when you enable centralized binary logging on a server, all of the Web sites on that server are configured to write log data to the central log file. When you enable centralized binary logging, you cannot record data from individual Web sites in a different format. The centralized binary logging log file has an Internet binary log (.ibl) file name extension. This file name extension ensures that text utilities do not try to open and read the central binary logging log file.

When to Use Centralized Binary Logging

Centralized binary logging is particularly useful when many Web sites are hosted on the same server or where server resources are at a premium. With centralized binary logging, an administrator can maximize the number of Web sites that a server can host and record activity for because centralized binary logging reduces the amount of system resources that are consumed during logging and decreases code paths in IIS, thus increasing performance and scalability.

Centralized binary logging can also reduce administration burdens for Internet service providers (ISPs) for whom collecting and storing logged data is imperative. For example, if an ISP has six servers with 10,000 Web sites per server, the ISP would have to manage 10,000 log files per day per server running IIS. With centralized binary logging, the ISP would have to manage and store only one file per server, per day.

Log files can be vital to troubleshooting applications. However, an organization might not want to take up system resources for log files that are used only in debugging situations. For example, a Web application team at an enterprise organization uses ASP and Microsoft® Visual Basic® development system to develop COM components that access a SQL database. The application team needs to maximize the response time of individual requests and maximize the amount of concurrent work that a group of servers can handle. Central binary logging can help the team achieve these goals.

For information about enabling centralized binary logging for all Web sites hosted on a server running IIS 6.0, see Centralized Binary Logging in IIS 6.0.

When you are ready to extract data from a raw log file, you can do one of the following:

• Create a tool that locates and extracts the data that you want from the raw file and converts the data into formatted text. You can view a header file and log file format descriptions in the IIS 6.0 Software Development Kit on MSDN.

• Use the Log Parser tool to extract data from the raw file. The Log Parser tool and its accompanying user documentation are included in the IIS 6.0 Resource Kit Tools.

Centralized Binary Logging File Format

The raw centralized binary logging log file is made up of fixed-length records or index records that contain string identifiers. The index records appear because, in an effort to record as much information as possible, variable-length string fields are replaced by numeric identifiers — indexes — that map the variable-length string to the logged identifier.

The raw log file is not human-readable, and it cannot be read using most available log analyzers. To extract data from a raw log file, you can create a tool that locates and extracts the data and then converts it into formatted text. For more information about the header file and log file format descriptions that you need to create such a tool, see Centralized Binary Log File Format.

Centralized binary logging records the following information, which is similar, but not identical, to the W3C Extended log file format:

• Date

• Time

• Client IP address

• User name

• Site ID

• Server name

• Server IP address

• Server port

• Method

• URI stem

• URI query

• Protocol status

• Windows status

• Bytes sent

• Bytes received

• Time taken

• Protocol version

• Protocol substatus

For information about the Time Taken field, see W3C Extended Log File Format.

• Host. The host header.

• User agent. The browser type of the client; this string is too large to be practical for the binary format.

• Cookie. The content of the cookie that was sent.

• Referrer. The site that the user last visited.