
Thursday, November 19, 2009

Microsoft IIS W3C Extended Log Format

This log file format is used by Microsoft Internet Information Server (IIS) 4.0, 5.0, 6.0 and 7.0.

A log file in the extended format contains a sequence of lines containing ASCII characters. Each line may contain either a directive or an entry. Entries consist of a sequence of fields relating to a single HTTP transaction. Fields are separated by white space. If a field is unused in a particular entry, a dash "-" marks the omitted field. Directives record information about the logging process itself.

Lines beginning with the # character contain directives. The following directives are defined:


Version: .
The version of the extended log file format used. This draft defines version 1.0.
Fields: [...]
Lists a sequence of field identifiers specifying the information recorded in each entry.
Software: string
Identifies the software which generated the log.
Start-Date:
The date and time at which the log was started.
End-Date:
The date and time at which the log was finished.
Date:
The date and time at which the entry was added.
Remark:
Comment information. Data recorded in this field should be ignored by analysis tools.

The directives Version and Fields are required and should precede all entries in the log. The Fields directive specifies the data recorded in the fields of each entry.

W3C Extended Logging Field Definitions

| Prefix | Meaning |
| --- | --- |
| s- | Server actions. |
| c- | Client actions. |
| cs- | Client-to-server actions. |
| sc- | Server-to-client actions. |


| Field | Appears As | Description |
| --- | --- | --- |
| Date | date | The date that the activity occurred. |
| Time | time | The time that the activity occurred. |
| Client IP Address | c-ip | The IP address of the client that accessed your server. |
| User Name | cs-username | The name of the authenticated user who accessed your server. This does not include anonymous users, who are represented by a hyphen (-). |
| Service Name | s-sitename | The Internet service and instance number that was accessed by a client. |
| Server Name | s-computername | The name of the server on which the log entry was generated. |
| Server IP Address | s-ip | The IP address of the server on which the log entry was generated. |
| Server Port | s-port | The port number the client is connected to. |
| Method | cs-method | The action the client was trying to perform (for example, a GET method). |
| URI Stem | cs-uri-stem | The resource accessed; for example, Default.htm. |
| URI Query | cs-uri-query | The query, if any, the client was trying to perform. |
| Protocol Status | sc-status | The status of the action, in HTTP or FTP terms. |
| Win32® Status | sc-win32-status | The status of the action, in terms used by Microsoft Windows®. |
| Bytes Sent | sc-bytes | The number of bytes sent by the server. |
| Bytes Received | cs-bytes | The number of bytes received by the server. |
| Time Taken | time-taken | The duration of time, in milliseconds, that the action consumed. |
| Protocol Version | cs-version | The protocol (HTTP, FTP) version used by the client. For HTTP this will be either HTTP 1.0 or HTTP 1.1. |
| Host | cs-host | Displays the content of the host header. |
| User Agent | cs(User-Agent) | The browser used on the client. |
| Cookie | cs(Cookie) | The content of the cookie sent or received, if any. |
| Referrer | cs(Referer) | The previous site visited by the user. This site provided a link to the current site. |

The following is an example of a record in the extended log format that was produced by the Microsoft Internet Information Server (IIS):
--------------------------------------------------------------------------------

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-19 19:42:21
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /index.html - 80 - 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 200 0 0 366 399 265
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /favicon.ico - 80 - 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) - - powercram.com 404 0 2 1836 380 0
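
The following parser is an added example, not part of the original post: it binds each entry to the most recent #Fields directive, maps "-" to an omitted value, and sets aside lines whose field count does not match so that truncated or malformed entries are reviewed rather than silently mis-parsed. The names parse_w3c and errors_by_client are hypothetical, and the sample lines are constructed from the record shown above with fewer columns.

```python
# Constructed sample: shortened from the record on this page, plus one
# truncated entry and a second #Fields directive with a different layout.
SAMPLE = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-win32-status
2009-11-19 19:42:21 GET /index.html - 67.212.138.161 200 0
2009-11-19 19:42:21 GET /favicon.ico - 67.212.138.161 404 2
#Remark: the next line is truncated on purpose
2009-11-19 19:42:22 GET /broken.html
#Fields: date time c-ip sc-status
2009-11-19 19:42:23 67.212.138.161 500
"""

NUMERIC = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
           "sc-bytes", "cs-bytes", "time-taken"}

def _conv(key, raw):
    if raw == "-":
        return None                      # dash marks an omitted field
    return int(raw) if key in NUMERIC and raw.isdigit() else raw

def parse_w3c(text):
    """Return (entries, directives, rejects) for W3C extended log text."""
    fields, entries, directives, rejects = None, [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):         # directive, not an entry
            name, _, value = line[1:].partition(":")
            name, value = name.strip(), value.strip()
            directives.append((name, value))
            if name == "Fields":         # layout for the entries that follow
                fields = value.split()
            continue                     # Remark etc. carry no entry data
        values = line.split()
        if fields is None or len(values) != len(fields):
            rejects.append((lineno, line))   # keep for manual review
            continue
        entries.append({k: _conv(k, v) for k, v in zip(fields, values)})
    return entries, directives, rejects

def errors_by_client(entries):
    """Count entries with sc-status >= 400 per c-ip."""
    counts = {}
    for e in entries:
        if isinstance(e.get("sc-status"), int) and e["sc-status"] >= 400:
            counts[e.get("c-ip")] = counts.get(e.get("c-ip"), 0) + 1
    return counts
```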
