IIS Logging Explained

For all the effort you put into your Web server and Web site content, the ultimate payoff is hidden in the growing files that document the visitors to your Web site. Log files, when you break them down and analyze them, tell many tales. Most of us can tell where our users come from and what they come to our sites to see: That's the relatively simple stuff. Depending on your logging method and depth, you can discover which browser your users are using.

This month, I describe how you can look at your logs for additional information. I introduce you to different logging methods and some commercial analysis packages. Finally, I show you a simple command that you can use to retrieve additional information.

Logging Explained
IIS 5.0 and IIS 4.0 each have four ways to log visits to your Web site. You can choose from among these formats:

  • World Wide Web Consortium (W3C) Extended Log File
  • IIS Log File
  • National Center for Supercomputing Applications (NCSA) Common Log File
  • ODBC Logging

Each format provides various sets of information; thus, some formats are more verbose than others.

Although you can determine where the logs will reside, IIS creates a new subdirectory (usually called W3SVCx, where x represents the sequentially created site) beneath your chosen location for each Web site you create. You can house the logs for each Web site you host on your IIS server in a different directory, which lets you maintain different sets of logs for each site. You can use the Internet Service Manager (ISM) to control the logging options for each site. Simply open the Microsoft Management Console (MMC) Internet Information Services snap-in, and expand your Web server in the left pane. Right-click the Web site for which you want to change the logging, and select Properties. On the Default Web Site Properties dialog box, which Figure 1, page 8, shows, note the Active log format list box at the bottom of the dialog box. This box tells you what logging format the Web site is using. You can change the type of logging here by clicking the drop-down list box and selecting a new logging type.

Click Properties. On the General Properties tab, which Figure 2, page 8, shows, you can set the frequency with which logs close and the system creates new logs to avoid creating huge log files that become tedious to process. You can also set the location of the log files. By default, the logs exist in the \system32 directory, which isn't the best choice. Windows 2000 and Windows NT don't behave well with full system disks, so I recommend moving these logs to a drive that doesn't contain the OS. To move the logs, click Browse and select a new location on the Local Computer. After you've selected the new location, click OK three times to close the three dialog boxes. You also need to stop and restart your Web server before the new changes will take effect. (Note that stopping and starting a Web site causes the logging function to insert additional headers into your log files, which creates problems for automated Web log analyzers.)

Now you know how to find the logs and choose which logging format you want. Let's examine the different formats and their respective advantages.

W3C Extended Log File Format
The W3C format is the most customizable of the four formats. Because this format lets you choose which fields go into your logs, you don't have to waste disk space on fields you'll never use. Assuming you've selected the W3C format in the Default Web Site Properties, click the Properties tab to open the Extended Logging Properties dialog box. The Extended Properties tab presents a long list of field choices, as Figure 3 shows. (This tab looks a little different if you're using IIS 4.0, but the field choices are the same.) The names in parentheses tell you the field name that appears in the log file's header. Selecting or clearing these check boxes changes which fields you will log. If you make changes, save them, then stop and restart the Web server to make those changes effective.

Figure 4 shows a few sample entries in the IIS log made using the W3C Extended Log File format. A number sign (#) precedes the log file header. Notice that the fields that Figure 3 shows appear at the beginning of the log. (The format always substitutes dashes into the log when there is no value to log, such as the cs-username field.) The system successfully retrieved two pages—iisstart.asp and pagerror.gif. The system also logged the browser's user agent string, a configurable value that identifies the type of browser the client is running.

The W3C format usually records time in Greenwich Mean Time (GMT) instead of local time, although in IIS 5.0 you can change this setting on the Properties dialog box. You might need to be sensitive to this change when you decide how frequently you'll change your logs. For example, in the Central time zone, the logs flip at 6:00 p.m. local time or 7:00 p.m., depending on whether it's daylight saving time.
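
An added example (not from the original article): a small Python parser for the W3C Extended format that picks up a new #Fields directive whenever a header block reappears mid-file, as happens after a site is stopped and restarted, maps dashes to missing values, and treats timestamps as GMT. The sample log is constructed; its addresses, times and the /default.htm request are placeholders.

```python
from datetime import datetime, timezone

# Constructed sample: two header blocks, as left behind when a site is
# stopped and restarted, with a changed field selection in the second block.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-02 17:42:15
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2001-05-02 17:42:15 192.0.2.10 - GET /iisstart.asp 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2001-05-02 17:42:16 192.0.2.10 - GET /pagerror.gif 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-02 23:10:02
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-02 23:10:02 192.0.2.77 GET /default.htm 404
"""


def parse_w3c(text):
    """Return one dict per request, keyed by the #Fields names in effect."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line. A new #Fields replaces the column layout
            # for every entry that follows it.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            raise ValueError(f"line {lineno}: entry does not match #Fields")
        # A lone dash means no value was logged for that field.
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        if rec.get("date") and rec.get("time"):
            # Assumes the default GMT timestamps described above.
            rec["timestamp"] = datetime.strptime(
                f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_w3c(SAMPLE_LOG):
        print(r["timestamp"].isoformat(), r["c-ip"], r["sc-status"], r["cs-uri-stem"])
```

Because each record is keyed by the field names in effect when it was written, entries logged before and after a field-selection change can be processed together without misaligned columns.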

Another advantage to using the W3C format is that if you suspect that an out-of-process application is a candidate for throttling (i.e., forcibly reducing the amount of time a process can occupy the processor), you can set up process accounting in Extended Properties, as Figure 5 shows. This additional logged information can help you determine whether you need to employ process throttling on the Web site.

Microsoft IIS Log Format
The Microsoft format is the default for newly installed IIS servers. This format is neither as customizable as the W3C format nor as verbose as W3C can be when you configure all fields. Figure 6 shows a typical IIS log entry. An IIS 5.0 log entry has no header, but Figure 7 shows how you decode the fields.

The Client IP address, User Name, Date, and Time are self-explanatory. Service# is the instance of the Web server serving the request. This entry is almost always W3SVC for a Web server and MSFTPSVC for an FTP server. The number that follows the instance denotes the specific instance of a Web site or FTP server. The numbers are sequential beginning with W3SVC1, which is the Default Web Site. New Web sites that you create receive the designations W3SVC2, W3SVC3, and so on. Server Computer Name is the computer name of the Web server; its IP address follows. Elapsed Time shows how long it took to satisfy the request, followed by the number of bytes sent or received. The HTTP Service Code shows the result code that the server sent to the client (e.g., 200, 302, 401). The Request Type and the Target path and filename close out the entry into the log file.
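
An added example (not from the original article): because the Microsoft IIS format has no header, a reader has to decode each entry by position. The Python sketch below does that and splits the Service# field into service type and site instance. The sample entries are constructed, and the Windows status code and parameters columns come from the documented format rather than from the description above.

```python
import csv
import re
from collections import Counter

# Column order of the fixed IIS log format. win32_status and parameters are
# not named in the text above; they are added from the documented layout.
IIS_FIELDS = [
    "client_ip", "username", "date", "time", "service", "server_name",
    "server_ip", "elapsed_ms", "bytes_received", "bytes_sent",
    "http_status", "win32_status", "request_type", "target", "parameters",
]
NUMERIC = ("elapsed_ms", "bytes_received", "bytes_sent", "http_status", "win32_status")
SERVICE_RE = re.compile(r"^(W3SVC|MSFTPSVC)(\d+)$")

# Constructed sample entries (documentation addresses, made-up host and user).
SAMPLE_LINES = [
    "192.0.2.10, -, 05/02/01, 12:42:15, W3SVC1, WEB01, 192.0.2.1, 110, 287, 1433, 200, 0, GET, /iisstart.asp, -,",
    "192.0.2.77, -, 05/02/01, 12:43:02, W3SVC2, WEB01, 192.0.2.1, 16, 340, 4023, 401, 5, GET, /private/report.htm, -,",
    "192.0.2.77, CORP\\alice, 05/02/01, 12:43:09, W3SVC2, WEB01, 192.0.2.1, 15, 412, 8120, 200, 0, GET, /private/report.htm, -,",
]


def parse_iis_line(line):
    """Decode one headerless IIS-format entry into a dict by position."""
    row = [v.strip() for v in next(csv.reader([line]))]
    if row and row[-1] == "":
        row.pop()  # tolerate the comma that terminates each entry
    if len(row) != len(IIS_FIELDS):
        raise ValueError(f"expected {len(IIS_FIELDS)} fields, got {len(row)}")
    rec = {k: (None if v == "-" else v) for k, v in zip(IIS_FIELDS, row)}
    m = SERVICE_RE.match(rec["service"] or "")
    if m is None:
        raise ValueError(f"unrecognized service field: {rec['service']!r}")
    # W3SVCn is Web site n, MSFTPSVCn is FTP site n.
    rec["service_type"] = "web" if m.group(1) == "W3SVC" else "ftp"
    rec["instance"] = int(m.group(2))
    for k in NUMERIC:
        rec[k] = None if rec[k] is None else int(rec[k])
    return rec


def status_by_site(lines):
    """Count (service_type, instance, http_status) across entries."""
    recs = (parse_iis_line(l) for l in lines if l.strip())
    return Counter((r["service_type"], r["instance"], r["http_status"]) for r in recs)
```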

NCSA Log File Format
The NCSA format is probably the oldest of the formats. The NCSA developed it during a time when HTML was young, so the format doesn't support the flashy logging features the other formats do. Because the NCSA format has been out the longest and many Web server platforms support it, a lot of free log analyzer software is available. You can't customize the NCSA format like you can the W3C standard, but you can do a lot with it. Figure 8 shows a sample NCSA log entry. As you can see, the log entry is small. Figure 9 shows you how to decode the fields.


Reader Comments

V. good, most helpful

Anonymous User

Article Rating 5 out of 5