A log file in the extended format contains a sequence of lines containing ASCII characters. Each line may contain either a directive or an entry. Entries consist of a sequence of fields relating to a single HTTP transaction. Fields are separated by white space. If a field is unused in a particular entry dash "-" marks the omitted field. Directives record information about the logging process itself.
Lines beginning with the # character contain directives. The following directives are defined:
The version of the extended log file format used. This draft defines version 1.0.
lists a sequence of field identifiers specifying the information recorded in each entry.
Identifies the software which generated the log.
The date and time at which the log was started.
The date and time at which the log was finished.
The date and time at which the entry was added.
Comment information. Data recorded in this field should be ignored by analysis tools.
The directives Version and Fields are required and should precede all entries in the log. The Fields directive specifies the data recorded in the fields of each entry.
W3C Extended Logging Field Definitions
The following is an example of a record in the extended log format that was produced by the Microsoft Internet Information Server (IIS):
The date that the activity occurred.
The time that the activity occurred.
Client IP Address
The IP address of the client that accessed your server.
The name of the authenticated user who accessed your server. This does not include anonymous users, who are represented by a hyphen (-).
The Internet service and instance number that was accessed by a client.
The name of the server on which the log entry was generated.
Server IP Address
The IP address of the server on which the log entry was generated.
The port number the client is connected to.
The action the client was trying to perform (for example, a GET method).
The resource accessed; for example, Default.htm.
The query, if any, the client was trying to perform.
The status of the action, in HTTP or FTP terms.
The status of the action, in terms used by Microsoft Windows®.
The number of bytes sent by the server.
The number of bytes received by the server.
The duration of time, in milliseconds, that the action consumed.
The protocol (HTTP, FTP) version used by the client. For HTTP this will be either HTTP 1.0 or HTTP 1.1.
Displays the content of the host header.
The browser used on the client.
The content of the cookie sent or received, if any.
The previous site visited by the user. This site provided a link to the current site.
#Software: Microsoft Internet Information Services 6.0
#Date: 2009-11-19 19:42:21
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /index.html - 80 - 220.127.116.11 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:18.104.22.168)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 200 0 0 366 399 265
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /favicon.ico - 80 - 22.214.171.124 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:126.96.36.199)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 404 0 2 1836 380 0