Configuring IIS Logs
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
In addition to the Windows Server 2003 system and security logs, you should configure IIS to log site visits. When users access your server running IIS 6.0, IIS logs the information. The logs provide valuable information that you can use to identify any unauthorized attempts to compromise your Web server.
Depending on the amount of traffic to your Web site, the size of your log file (or the number of log files) can consume valuable disk space, memory resources, and CPU cycles. You might need to balance the gathering of detailed data with the need to limit files to a manageable size and number. If you are planning to put thousands of Web sites on one Web server with high traffic volumes and disk writes, you might want to use centralized binary logging to preserve server resources. Also, consider limiting log size by changing the frequency of log file creation. For more information, see Saving Log Files.
The IIS logs allow you to record events for each application and Web site on the Web server. You can create separate logs for each of your applications and Web sites. Logging information in IIS 6.0 goes beyond the scope of the event logging or performance monitoring features provided by Windows. The IIS logs can include information, such as who has visited your site, what the visitor viewed, and when the information was last viewed. You can use the IIS logs to identify any attempts to gain unauthorized access to your Web server.
IIS 6.0 supports different log formats for the IIS logs that you enable. IIS 6.0 supports the following log formats.
W3C Extended log file format
World Wide Web Consortium (W3C) Extended format is a customizable ASCII format with a variety of different properties. You can log properties that are important to you, while limiting log size by omitting unwanted property fields. Properties are separated by spaces. Time is recorded as Universal Time Coordinate (UTC).
For information about customizing this format, see W3C Extended Log File Format. For more information about the W3C Extended format specification, see the W3C Extended Log File Format on the W3C World Wide Web Consortium Web site.
IIS log file format
IIS log file format is a fixed (meaning that it cannot be customized) ASCII format. This file format records more information than other log file formats, including basic items, such as the IP address of the user, user name, request date and time, service status code, and number of bytes received. In addition, IIS log file format includes detailed items, such as the elapsed time, number of bytes sent, action (for example, a download carried out by a GET command), and target file. The IIS log file is an easier format to read than the other ASCII formats because the information is separated by commas, while most other ASCII log file formats use spaces for separators. Time is recorded as local time.
For more information about the IIS log file format, see IIS Log File Format.
NCSA Common log file format
National Center for Supercomputing Applications (NCSA) Common log file format is a fixed ASCII format that is available for Web sites, but not for FTP sites. This log file format records basic information about user requests, such as remote host name, user name, date, time, request type, HTTP status code, and the number of bytes sent by the server. Items are separated by spaces. Time is recorded as local time.
For more information about the NCSA Common log file format, see NCSA Common Log File Format.
Open Database Connectivity (ODBC) logging format is a record of a fixed set of data properties in a database that complies with ODBC, such as Microsoft Access or Microsoft SQL Server. Some of the items logged include the IP address of the user, user name, request date and time (recorded as local time), HTTP status code, bytes received, bytes sent, action carried out (for example, a download carried out by a GET command), and the target file. With ODBC logging, you must both specify the database to be logged to, and set up the database to receive the data.
|When ODBC logging is enabled, IIS disables the kernel-mode cache. As a result, overall server performance can be degraded.|
For more information about ODBC logging, see ODBC Logging.
Centralized binary logging
Centralized binary logging is the process of multiple Web sites writing binary, unformatted log data to a single log file. Each Web server running IIS creates one log file for all of the Web sites on that server. Centralized binary logging preserves valuable memory resources. Depending on your configuration, you can see dramatic performance and scalability gains with centralized binary logging.
For more information about centralized binary logging, see Centralized Binary Logging.
For more information about how to configure IIS logs, see Enable Logging_IIS_SP1_Dep. For more information about logging Web site activity, see Logging Site Activity. For more information about managing IIS logs, see Analyzing Log Files.