A brief overview of IIS 6.0 and the W3C extended log format

In Microsoft Internet Information Services (IIS) 6.0, you can choose to use a number of different formats for your access logs.

Access logs contain information about which files are requested and whether each request was successful.

Of all the available formats, the World Wide Web Consortium (W3C) extended log file format is by far the most flexible, as you can select the information that you would like to log. Of course, that added flexibility has a cost: the more you decide to log, the larger your log files become. Since logging is handled by the server (specifically IIS), no matter what kind of files you serve, the hardest part is determining what you'd like to log, and then doing something with that data.

Overview of the fields

W3C extended log fields are server and/or client-related. For example, there is the IP address that I use, the IP address that the server uses, and the browser that I use to access the server/content.

Working through the ordering in IIS, these fields are as follows:

  • Date ( date )
  • Time ( time )
  • Client IP Address ( c-ip )
  • User Name ( cs-username )
  • Service Name ( s-sitename )
  • Server Name ( s-computername )
  • Server IP Address ( s-ip )
  • Server Port ( s-port )
  • Method ( cs-method )
  • URI Stem ( cs-uri-stem )
  • URI Query ( cs-uri-query )
  • Protocol Status ( sc-status )
  • Protocol Substatus ( sc-substatus )
  • Win32 Status ( sc-win32-status )
  • Bytes Sent ( sc-bytes )
  • Bytes Received ( cs-bytes )
  • Time Taken ( time-taken )
  • Protocol Version ( cs-version )
  • Host ( cs-host )
  • User Agent ( cs(User-Agent) )
  • Cookie ( cs(Cookie) )
  • Referer ( cs(Referer) )

As you'll notice, most fields begin with either c, cs, s, or sc. As you look at where they are used, you can see that:

  • c is used for client-related fields
  • s is used for server-related fields
  • cs signifies information sent by the client to the server
  • sc signifies information sent by the server to the client

What the logs are named

When the log files are created in the extended format, they are given a specific filename, based upon what you've configured for when new log files are created.

By default, logs store daily information. So, each log will be given a filename based upon the current date, and will store 24 hours of data. However, logs can also be formatted to hold more or less data. Each, along with the format of the filename, is listed below.

  • EXTENDNN.LOG
    • Logs are unlimited in size, or created/closed after a particular size
  • EXYYMMDDHH.LOG
    • Hourly logs
  • EXYYMMDD.LOG
    • Daily logs
  • EXYYMMWW.LOG
    • Weekly logs
  • EXYYMM.LOG
    • Monthly logs

For most sites, you can continue to use the default of daily logs. However, if you have a large amount of traffic, you may want to consider hourly logs, or even logs that are created based upon a file size.

Additional fields when using Log Parser

Briefly, there are two additional fields that are available when using Log Parser (2.2).

These additional fields are as follows.

  • LogFilename
  • LogRow 

LogFilename contains the full path to the log file, while LogRow contains the row in that log file that the data came from.
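To tie the field names, the c/s/cs/sc prefixes, and the LogFilename/LogRow idea together, here is an added Python example (not part of the original article and not Log Parser's own code). It reads the #Fields: directive that a W3C extended log writes whenever the selected fields change, and tags each record with its source file and row so that a failed request can be traced back to the raw line. The sample log, the path, and the function names are constructed for illustration, and counting LogRow as the physical line number (directive lines included) is an assumption.

```python
# Constructed sample: the logged fields change part-way through the file,
# and the last line is truncated (as if the server stopped mid-write).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-01 00:00:12
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-03-01 00:00:12 192.0.2.10 GET /default.htm - 200
2007-03-01 00:00:15 192.0.2.11 GET /admin/login.asp id=1 404
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2007-03-01 09:30:00 192.0.2.10 POST /form.asp 500 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-03-01 09:30:01 192.0.2.10 GET /trunc
"""

PREFIXES = {"c": "client", "s": "server",
            "cs": "client-to-server", "sc": "server-to-client"}

def direction(field):
    """Classify a field name by its c / s / cs / sc prefix."""
    prefix = field.split("-", 1)[0].split("(", 1)[0]
    return PREFIXES.get(prefix, "other")  # date, time, time-taken -> other

def parse_w3c(text, filename=r"C:\logs\EX070301.LOG"):  # hypothetical path
    """Return (records, rejected_rows), honouring every #Fields: directive."""
    fields, records, rejected = [], [], []
    for row, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            rejected.append(row)  # never guess at column alignment
            continue
        # IIS writes "-" for a field that has no value
        rec = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        rec["LogFilename"], rec["LogRow"] = filename, row
        records.append(rec)
    return records, rejected

def failed_requests(records):
    """List (LogRow, c-ip, cs-uri-stem, sc-status) for 4xx/5xx responses."""
    out = []
    for r in records:
        status = r.get("sc-status") or ""
        if status.isdigit() and int(status) >= 400:
            out.append((r["LogRow"], r["c-ip"], r["cs-uri-stem"], status))
    return out
```

Rows whose column count does not match the active #Fields: line are reported by row number rather than parsed, since a misaligned record would put values under the wrong field names.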

Next time ... 

Next time, we'll cover which of these fields you may want to log, for what benefit.