↑ Return to IIS Concept

Print this Page

IIS Logs

Types of IIS Logs.

1. NCSA (National Center for Supercomputing Application) Common log file format
2. Microsoft IIS log format
4. W3C Extended log file format (World Wide Web Consortium (W3C)
5. Open database connectivity (ODBC) logging

All successful and unsuccessful attempt will be logged access log files when we enable logging for an IIS server.

Default Log File Path: %systemroot%System32LogFiles

Http.Sys handles the writing operations over log files.

Naming Convention:

WWW sites W3SVC#
SMTP sites SmtpSvc#
NNTP sites NntpSvc#

In each case, the # is a number that references the instance of that site. The default web site is always 1, so the default web site’s logging directory would be W3SVC1. If, for example, your second web site’s number is 34523453, the web logging directory for that site would be W3SVC34523453.

We can do following by Access log report:

A. Determine the busiest times of the day and week.
B. Determine which browsers and platforms are used by people who visit your site
C. Obtain information about the amount of time users spend at the site.
D. Knowing which pages users visit most frequently can also allow you to customize your site to suit visitors’ needs. The pages used most often can be expanded and supported, while the less accessed pages can be modified to better support users.
Note: when IIS is attempting to add a log entry, it finds that the hard disk is full, IIS logging shuts down. Then an event is logged in the server application log. IIS will monitor the disk space, and when space becomes available again, IIS logging starts back up.

Enabling Logging for Your Site: SiteàPropertyàWeb Site Tab, Place a check mark in Enable logging and select logging type. And in the Property you can set hourly, daily, weekly, monthly, unlimited file size, when fie size reaches MB, log file path

  • per-server logging, IIS tracks requests for all Web sites in a single log file
  • per-site logging, IIS tracks requests for each Web site in separate log files.

Per-server logging is more efficient than per-site logging. For small and medium installations, you’ll find that per-site logging is easier to work with because you’ll have separate log files for each site.

With per-site logging, the available formats are:

(1) National Center for Supercomputing Applications (NCSA) Common Log File Format When your reporting and tracking needs are basic. With this format, log entries are small, so not as much storage space is required for logging. The common log format is a fixed ASCII or UTF-8 format. NCSA Common format is a fixed (non-customizable) ASCII format. The NCSA log records basic information about a transaction. The fields are separated by spaces. In the log file, a blank field is represented by a dash (-). Time is represented in local time, in 24-hour format. It was designed as a web server log and is not available for FTP sites. It is, however, available for IIS SMTP and NNTP sites.

The common log format is a good choice when you need to track certain items, such as:

  • Hits (the number of unique file requests)
  • Page views (the number of unique page requests)
  • Visits (the number of user sessions in a specified period)

Other basic access information
Each entry in the common log format has only seven fields. These fields are:

(1) Host: The value in this field is either the IP address of the remote host, such as, or the fully qualified domain name of the remote host, such as net48.microsoft.com

(2) Identification: This field is meant to identify users by their user name

(3) User Authentication: If you have a password-protected Web site, users must authenticate themselves with a user name and password. After users validate themselves with their user name and password, their user name is entered in the User Authentication field

(4) Time Stamp: This field tells you exactly, when someone accessed a file on the server. The format for the Time Stamp field is like: 15/Jan/2009:18:44:57 -0800

(5) HTTP Request Type: This field determines the method that the remote client used to request the resource.

(6) Status Code: Status codes indicate whether files were transferred correctly, were not found, and so on. Generally, status codes are three-digit numbers

(7) Transfer Volume: This field indicates the number of bytes transferred to the client because of the request

(2)Microsoft Internet Information Services (IIS) Log File Format: Use the IIS format when you need a bit more information. With this format, log entries are compact, so not as much storage space is required for logging. The Microsoft IIS log format is an ASCII format that cannot be modified. It includes basic information about each transaction. This format is comma separated, so it imports into Microsoft Excel very well. In the log file, a blank field is represented by a dash (-). Time is represented in local time, in 24-hour format.

This file format records more information than other log file formats, including basic items, such as the IP address of the user, user name, request date and time, service status code, and number of bytes received.

(3)World Wide Web Consortium (W3C) Extended Log File Format: Use the extended format when you must customize the tracked information and obtain detailed information. With this format, log entries can become large, and this greatly increases the amount of storage space required. Recording lengthy entries can also affect the performance of a busy server. The W3C Extended log file format is a customizable ASCII format that allows you to choose which fields you want to be logged, thereby limiting the log file size by including only necessary entries under Advance Tab in the Logging property window.

Log File Entries The log file entries are the records of the actual user events or process events. Each entry has a prefix and a field. The prefix appears before any of the fields to let you know the client, server, or both with which the data is associated. The prefixes are listed here:

  • c Client
    s Server
    r Remote
    cs Client to server
    sc Server to client
    sr Server to remote server
    rs Remote server to server

ODBC Logging: Use the ODBC format when you want to write access information directly to an ODBC-compliant database. With ODBC logging, you’ll need tracking software capable of reading from a database. Entries are compact, however, and data can be read much more quickly than from a standard log file. You may use any ODBC-compliant database, such as MS Access, SQL Server, or even Oracle. With NCSA, IIS, and W3C logging, you can use ANSI or UTF-8 text encoding. ANSI supports Standard English characters; UTF-8 supports Standard English characters and non-English characters. ODBC logging has fixed data fields, so it cannot be modified. You are also limited to a maximum of 255 characters in any field. Unless you have some pretty long URLs, this shouldn’t be a problem.

1. Create a database using ODBC-compliant database software.

2. Within the database, create a table for logging access entries. You can use the Logtemp.sql script to create this table. You will get logtemp.sql from inetsrv

3. Next, create a Data Source Name (DSN) that IIS can use to connect to the database from admin tool ODBC.

4. You use Microsoft Windows NT authentication, IIS must have permission to write to the database. If you use SQL Server authentication, you can specify an SQL Server login ID and password to use.

The default values are InternetDb for the database name, InternetLog for the table name, and InternetAdmin for the user name. When configuring DSN, the database name is the same as the data source name.

Creating a Logging Database and Table in SQL Server 2005

Create DB in SQL2005 by name LoggingDB

Then locate the Logtemp.sql script. Edit the script so that it sets the table name you want to use for the site’s log entries. For example, if you wanted to name the table HTTPLog, you would update the script as shown in the following listing:

use LoggingDB

create table HTTPLog (

ClientHost varchar(255), username varchar(255), LogTime datetime,

service varchar(255), machine varchar(255), serverip varchar(50),

processingtime int, bytesrecvd int, bytessent int, servicestatus int,

win32status int, operation varchar(255), target varchar(255),

parameters varchar(255) )

Creating a DSN for SQL Server 2005:
1. On the Administrative Tools menu, start Data Sources (ODBC).
2. On the System DSN tab, click Add. The Create New Data Source dialog box appears.
3. On the Driver list, select SQL Server, and then click Finish.
4. In the Name field, type the name of the DSN, such as IISDB.
5. In the Server field, type the name of the SQL Server to which you want to connect, or select (Local) if SQL Server is running on the same hardware as IIS.

Setting Up Centralized Binary Logging: Easiest way to set up centralized binary logging is to use the adsutil.vbs script, which is located in InetpubAdminScripts.

 Open a command prompt.
Navigate to the C:InetpubAdminScripts
Type in cscript.exe adsutil.vbs set w3svc/centralbinarylogingenabled true, press Enter
Stop and start the World Wide Publishing Service from the Services control panel.
After you’ve restarted the WWW service, binary logging will be active. The log file has an .ibl extension. Because the log is in binary format, opening it with Notepad won’t help much. You can extract data from the file using the parsing tool for centralized binary logging. This tool is located in the IIS 6 Resource Kit. (It probably won’t be long before third-party web reporting tools have support for binary logging as well.)

Permanent link to this article: http://www.techxpress.in/iis-6-0-2/iis-concept/iis-logs/

Leave a Reply

Bookmark this page