Interpreting Log Files

You can study the log files from your Web or FTP server by viewing them in a text editor. You can also use Microsoft® Usage Import and Report Writer to help you analyze the data. For information, see Usage Import and Report Writer in the Microsoft® Site Server Express online documentation (online documentation is available only if you have installed the product). This topic provides samples and descriptions of log file formats as viewed directly in a text editor.

Note   You can access the current log file only after stopping the site (that is, by starting Internet Service Manager, selecting the site, and clicking the Stop button).

Interpreting W3C Extended Log Files

Because you can customize W3C Extended Log File Format, the entries will vary, depending on the fields you have selected. For information about the fields available, see Customizing W3C Extended Logging.

The example below shows lines from a file using the following fields: Time, Client IP Address, Method, URI Stem, HTTP Status, and HTTP Version.

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1997-05-02 17:42:15
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version
17:42:15 157.56.115.201 GET /default.htm 200 HTTP/1.0

The preceding entry says that on May 2, 1997 at 5:42 P.M., a user with HTTP version 1.0 and the IP address of 157.56.115.201 issued a GET command for (that is, downloaded) the file Default.htm. The request returned without error.

Note   The example shows abbreviations used in W3C Extended logging: cs stands for client-to-server actions, sc for server-to-client actions, c for client actions, and s for server actions.

Note   Any of the fields can be selected, but not all fields will have information available for logging. For fields that are selected, but for which there is no information, a hyphen (-) will appear in the field as a placeholder.
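
Because the field selection can differ from file to file (and within one file, if a new #Fields line appears), a parser has to take its column layout from the #Fields directive rather than from fixed positions. The Python sketch below is an added example, not part of the original documentation: it reads the directives, maps each entry to the active field names, and treats the hyphen placeholder as "no value". The second header block, the cs-username column and the /missing.htm entry in the sample are constructed for illustration, and the names parse_w3c_extended and failed_requests are hypothetical.

```python
from datetime import datetime

# Constructed sample: the page's entry, then a second header block with a
# different field selection (assumed here to show a mid-file layout change).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1997-05-02 17:42:15
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version
17:42:15 157.56.115.201 GET /default.htm 200 HTTP/1.0
#Date: 1997-05-02 18:05:00
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
18:05:01 157.56.115.201 - GET /missing.htm 404
"""

def parse_w3c_extended(text):
    """Return one dict per entry, keyed by the active #Fields names."""
    fields, log_date, entries = [], None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name == "Fields":
                fields = value.split()        # later entries use this layout
            elif name == "Date":
                log_date = value.split()[0]   # keep the date, drop the time
            continue
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values, {len(fields)} fields")
        # "-" is the placeholder for a selected field that has no data
        entry = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        if entry.get("sc-status"):
            entry["sc-status"] = int(entry["sc-status"])
        day = entry.get("date") or log_date   # prefer a per-entry date field
        if day and entry.get("time"):
            entry["timestamp"] = datetime.strptime(
                f"{day} {entry['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries

def failed_requests(entries):
    """Entries whose HTTP status is 400 or higher."""
    return [e for e in entries if (e.get("sc-status") or 0) >= 400]

if __name__ == "__main__":
    print(failed_requests(parse_w3c_extended(SAMPLE_LOG)))
```

An entry whose value count does not match the active #Fields line raises an error instead of being silently misaligned, which matters when the parsed columns feed a review of client addresses or status codes.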

Interpreting Microsoft IIS Log Files

When you open a Microsoft IIS Log Format file in a text editor, the entries will be similar to the following examples:

10.75.176.21, -, 03/20/97, 7:55:20, W3SVC, SALES1, 10.107.1.121

10.16.7.165, anonymous, 03/20/97, 23:58:11, MSFTPSVC, SALES1, 10.107.1.121

The preceding sample entries are interpreted in the following tables. The top row in both tables is from a Web site (which appears under "Service" as W3SVC), the bottom row from an FTP site (which appears under "Service" as MSFTPSVC). The example is shown in two tables because of page-width limitations.

| User’s IP address | User’s user name | Date | Time | Service | Computer name | IP address of server |
|---|---|---|---|---|---|---|
| 10.75.176.21 | - | 03/20/97 | 7:55:20 | W3SVC | SALES1 | 10.107.1.121 |
| 10.16.7.165 | anonymous | 03/20/97 | 23:58:11 | MSFTPSVC | SALES1 | 10.107.1.121 |

| Elapsed time | Bytes received | Bytes sent | Service status code | Windows NT status code | Name of the operation | Target of the operation |
|---|---|---|---|---|---|---|
| 4502 | 163 | 3223 | 200 | 0 | GET | DeptLogo.gif |
| 60 | 275 | 0 | 0 | 0 | [376] PASS | intro |

In the preceding example, the first entry says that an anonymous user with the IP address of 10.75.176.21 issued a GET command for (that is, downloaded) the image file DeptLogo.gif at 7:55 A.M. on March 20, 1997, from a server named SALES1 at IP address 10.107.1.121. The 163-byte HTTP request took 4502 milliseconds (4.5 seconds) to process and returned, without error, 3223 bytes of data to the anonymous user.

In the log file, all fields are terminated with a comma (,). A hyphen acts as a placeholder if there is no valid value for a certain field.

Interpreting NCSA Common Log Files

When you open an NCSA Common Log Format file in a text editor, the entries will be similar to the following example:

157.55.85.138 - REDMOND\fred [08/Apr/1997:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv, HTTP/1.0" 200 3401

Note   In the preceding entry, the second field (which would show the remote log name of the user) is empty and is represented by the hyphen following the IP address 157.55.85.138.

The preceding sample entry is interpreted in the following tables. The example is shown in two tables because of page-width limitations.

| Remote host name | User’s username | Date | Time and GMT offset |
|---|---|---|---|
| 157.55.85.138 | REDMOND\fred | 08/Apr/1997 | 17:39:10 -0800 |

| Request | Service Status code | Bytes sent |
|---|---|---|
| GET /scripts/iisadmin/ism.dll?http/serv, HTTP/1.0 | 200 | 3401 |

The entry says that a user named Fred in the REDMOND domain, with the IP address of 157.55.85.138, issued a GET command (that is, downloaded a file) at 5:39 P.M. on April 8, 1997. The request returned, without error, 3401 bytes of data to the user named Fred.


© 1997 by Microsoft Corporation. All rights reserved.