This topic contains conceptual information about logging Web server activity for Web and FTP sites.
You can configure your Web or FTP sites to log information about user activity. This logging should not be confused with the usual logging carried out through Windows NT Server; the logging in IIS is more extensive and is viewed as ASCII text files or ODBC-compliant databases (not by using the Event Viewer). You can find out which users accessed your sites and what information they accessed. Logged data can help you regulate access to content, plan user accessibility, assess content popularity, and plan security requirements. You can also use logs to detect and troubleshoot potential Web site or FTP site problems.
The logging for a Web or FTP site is carried out by modules that operate independently of other activities on the server. You can choose which format your logs will be in for each individual Web or FTP site. If logging is enabled for a site, you can disable or enable it for individual directories in that site.
IIS can log server activity in the following formats:
The logs created by IIS can be read in a text editor or, for ODBC logging, viewed in a database; they can also be examined by using Microsoft Usage Import and Report Writer . For information, see Usage Import and Report Writer in the Microsoft® Site Server Express online documentation (online documentation is available only if you have installed the product).
You can choose the format that your Web server uses to record user activity. For information about how to specify the format, see Enabling Logging. To view examples of the different formats, see Interpreting Log Files. The following paragraphs describe the formats available.
Microsoft IIS Log Format is a fixed (non-customizable) ASCII format. It records more items of information than the NCSA Common format. The Microsoft IIS format includes basic items such as the user's IP address, user name, request date and time, HTTP status code, and number of bytes received; in addition, it includes detailed items such as the elapsed time, the number of bytes sent, the action (for example, a download carried out by a GET command) and the target (for example, the file that was downloaded). The items are separated by commas, making the format easier to parse than the other ASCII formats, which use spaces for separators. The time is recorded as local time (not Greenwich Mean Time).
NCSA Common Log File Format is a fixed (non-customizable) ASCII format, available for Web sites but not FTP sites. It records basic information about user requests, such as remote hostname, user name, date, time, request type, HTTP status code, and the number of bytes received by the server. Items are separated by spaces; time is recorded as local time (not Greenwich Mean Time).
W3C Extended Log File Format is a customizable ASCII format, that is, you can choose from a variety of different fields (items) to record. You can gather detail about fields important to you, while limiting log size by omitting unneeded fields. Fields are separated by spaces; time is recorded as Greenwich Mean Time. For information about customizing this format, see the topics called Customizing W3C Extended Logging.
ODBC Logging format allows you to log a fixed set of data fields in an ODBC-compliant database. Some of the items logged are the user's IP address, user name, request date and time, HTTP status code, bytes received, bytes sent, action carried out (for example, a download carried out by a GET command) and the target (for example, the file that was downloaded). The time is recorded as local time (not Greenwich Mean Time). With this option, you must specify the database to be logged to, and must set up that database to receive the data. For information about necessary steps for ODBC logging, see Preparing for ODBC Logging.
Note You can also create customized logging formats. These allow you to format the log exactly the way you need it to be. For more information about this, see Creating A Custom Logging Module.
You can control a number of options for the creation of log files, including the directory in which the files are created and the criterion for the starting of a new log file (for example, daily, weekly, or by file size). This section provides background information about file size and creation. For instructions on how to set options related to log file creation, see Enabling Logging and Specifying How Log Files are Saved.
When IIS logging is enabled, as it is by default, new log entries are generated whenever users are accessing the server. This causes a progressive increase in log file size or in the number of log files. Therefore, you may need to balance the gathering of detailed data against the need to limit files to a manageable size and number. IIS offers a number of ways of managing the generation of log data and the creation of new log files.
The main option for limiting the generation of log data is to use W3C Extended logging and customize it so that you gather only the data you need. For information, see the preceding section and the topics called Enabling Logging and Customizing W3C Extended Logging.
Another option for managing log files (although it does not limit the total volume of data collected) is to choose the criterion that IIS uses for determining when to start a new log file. Each criterion is described in the list that follows.
Note For the Daily, Weekly, and Monthly criteria for new log files, "midnight" is defined in the time zone used by the chosen log format. This means that for NCSA Common Log File Format or ODBC Logging, "midnight" is on local time; for Microsoft IIS Log Format and W3C Extended Log File Format, "midnight" is on Greenwich Mean Time.
You can choose one criterion from the following list:
Because log files are simply ASCII (text) files, if you find you have created many small files when you prefer one large file, you can combine the files as you would with any ASCII files. For information about using the copy command for combining files, at the command prompt, type copy /?.
If your server runs out of disk space when IIS is attempting to add a log entry to a file, IIS logging will shut down. At the same time, in the Application log of Windows NT Event Viewer, an event will be logged. When disk space is once again available, IIS logging will resume and, in the Application log of Windows NT Event Viewer, an additional event will be logged.
Note You can access the current log file only after stopping the site (that is, by starting Internet Service Manager, selecting the site, and clicking the Stop button).