How to enable logging in Internet Information Services (IIS) (313437)



The information in this article applies to:

  • Microsoft Internet Information Services version 6.0
  • Microsoft Internet Information Server 5.0
  • Microsoft Internet Information Server 4.0

This article was previously published under Q313437
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

INTRODUCTION

This step-by-step article describes how to enable logging for Web sites or for FTP sites in Microsoft Internet Information Services (IIS) 6.0, in IIS 5.0, and in IIS 4.0. You can configure your Web site or your FTP site to record log entries that are generated from user activity and from server activity. Log data can help you control access to content, determine content popularity, plan security requirements, and troubleshoot potential Web site issues or FTP site issues. For example, you can use the log files to help determine whether a security event has occurred. The data in the log files can provide information about the source of the attack.

IIS can save log files in different file formats. When you enable logging, you can specify the file format that you want to use. By default, IIS uses the W3C Extended log file format, and this is typically the preferred log type. This format lets you select many extended properties that are useful for security analysis.


Customize the data

You can customize the data that is logged to log files that use the W3C Extended log file format. To customize the data, select the properties that you want and omit the properties that you do not want. You may want to select the following properties when you customize W3C Extended log file format logs:
  • Client IP address

    This is the IP address of the client that accesses the server. Note that if a Web proxy computer is in front of the server that is running IIS, the IP address of the proxy may be logged as the client IP address.
  • User name

    This is the name of the user who accesses the server. If Anonymous authentication is configured, a hyphen (-) is logged instead of the user name.
  • Method

    This is the action that the client tries to perform. For example, the action may be a GET command or a POST command.
  • URI stem

    This is the resource on the server that is running IIS that the user tries to access. For example, the resource may be an HTML page, a graphic, a CGI program, or a script.
  • Protocol status

    This is the status of the action in HTTP terms. This is represented by a code number.
  • Win32 status

    This is the status of the action in Win32 code terms. Error numbers are reported. For example, error 5 means that access is denied. To look up an error number, type net helpmsg err at the command prompt, where err is the error number, and then press ENTER.
  • User agent

    This is the name of the Web browser that accesses the server.
  • Server IP address

    This is the IP address of the virtual server where the log entry is generated. This option is helpful if you host multiple virtual servers on the same computer, and the multiple virtual servers use different IP addresses.
  • Server port

    This is the port number of the virtual server that receives the client request. This option is helpful if you host multiple virtual servers on the same computer, and the multiple virtual servers use different IP addresses.
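
As an added illustration (not part of the original article), the following Python example reads a W3C Extended log, checks that the properties listed above are actually being recorded, and counts access-denied entries (Win32 status 5) per client IP address. The field identifiers are the standard W3C Extended names that IIS writes in the #Fields line; the function names and the sample log are constructed for this example.

```python
from collections import Counter

# W3C Extended field identifiers for the properties listed above.
RECOMMENDED = {
    "c-ip": "Client IP address", "cs-username": "User name",
    "cs-method": "Method", "cs-uri-stem": "URI stem",
    "sc-status": "Protocol status", "sc-win32-status": "Win32 status",
    "cs(User-Agent)": "User agent", "s-ip": "Server IP address",
    "s-port": "Server port",
}

# Constructed sample log using documentation addresses; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-03-03 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) sc-status sc-win32-status
2006-03-03 00:00:01 192.0.2.10 GET /default.htm 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0
2006-03-03 00:01:12 192.0.2.10 GET /admin/report.asp 80 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+6.0) 401 5
2006-03-03 00:01:15 192.0.2.10 GET /admin/report.asp 80 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+6.0) 401 5
2006-03-03 00:02:40 192.0.2.10 POST /admin/report.asp 80 alice 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0
"""

def parse_w3c(text):
    """Parse log text into dicts keyed by the active #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # The directive can reappear (e.g. after a restart) with new fields.
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records

def missing_properties(records):
    """Recommended properties absent from at least one parsed entry."""
    return sorted(name for field, name in RECOMMENDED.items()
                  if any(field not in r for r in records))

def access_denied_by_client(records):
    """Count entries with Win32 status 5 (access denied) per client IP."""
    return Counter(r["c-ip"] for r in records
                   if r.get("sc-win32-status") == "5" and "c-ip" in r)

if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    print("Missing:", missing_properties(entries))
    print("Access denied:", dict(access_denied_by_client(entries)))
```

A non-empty result from missing_properties means that at least one of the properties above was not selected on the Advanced (or Extended Properties) tab while those entries were written.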

Enable and configure logging in Internet Information Services (IIS)

To enable and to configure logging for a Web site or for an FTP site in IIS, follow these steps:
  1. Start Internet Information Services (IIS) Manager.
  2. Expand ServerName, and then expand Web Sites or FTP Sites. Right-click the Web site or the FTP site where you want to enable logging, and then click Properties.
  3. Click the Web Site tab, or click the FTP Site tab.
  4. Click to select the Enable logging check box.
  5. In the Active log format box, click the format that you want to use.
  6. Click Properties, and then specify the settings that you want. For example, if you use W3C Extended log file format, follow these steps:
    1. If you are running IIS 6.0, click the General tab. If you are running IIS 5.0 or IIS 4.0, click the General Properties tab. Specify the schedule that you want to use to create new log files. For example, to create a new log file every day, click Daily.
    2. If you want to use local time, click to select the Use local time for file naming and rollover check box.

      Note Midnight local time is used for all log file formats except W3C Extended log file format. By default, W3C Extended log file format uses midnight Coordinated Universal Time (Greenwich Mean Time). To use midnight local time, click to select the Use local time for file naming and rollover check box.
    3. If you are running IIS 6.0, click the Advanced tab. If you are running IIS 5.0 or IIS 4.0, click the Extended Properties tab.
    4. Specify the options that you want. For example, specify the properties that are listed in the "Customize the data" section. Click OK.
    5. Click OK.

REFERENCES

For additional information about how to configure logging in IIS 6.0, see the "Logging Site Activity" topic in the IIS 6.0 documentation. To view the IIS 6.0 documentation, visit the following Microsoft Web site:

For additional information about the W3C Extended log file format, see the W3C Working Draft WD-logfile-960323 specification. To do this, visit the following World Wide Web Consortium (W3C) Web site:

For additional information about logging in IIS 6.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:

814870 IIS 6.0 log management documentation

324279 How to configure Web site logging in Windows Server 2003

For additional information about how to configure logging in IIS 5.0, see the "Logging Site Activity" topic in the "Server Administration" section in the "Administration" chapter of the IIS 5.0 documentation. To view the IIS 5.0 documentation, visit the following Microsoft Web site:

For additional information about logging in IIS 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:

300390 How to enable IIS logging site activity in Windows 2000

324091 How to view and report from log files

245243 How to configure ODBC logging in IIS


Modification Type: Major
Last Reviewed: 3/3/2006
Keywords: kbhowto kbnetwork KB313437 kbAudITPro kbAudDeveloper