How to configure Web site logging in Windows Server 2003 (324279)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Internet Information Services version 6.0
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
This article was previously published under Q324279
For a Microsoft Windows 2000 version of this article, see 300390.

IN THIS TASK

SUMMARY

This article provides a step-by-step guide to turn on logging on a Microsoft Internet Information Services 6.0 (IIS) Web site.

back to the top

Turn On Logging on a Web Site

Internet Information Services (IIS) logging is designed to be more detailed than the event-logging or performance-monitoring features of Windows Server 2003. The IIS logs can include information such as who has visited your site, what they viewed, and when the information was viewed last. You can monitor attempts, either successful or unsuccessful, to access your Web sites, virtual folders, or files. This includes events such as reading the file or writing to the file. Events can be logged independently for any site, virtual folder, or file. By regularly reviewing these log files, you can detect areas of your server or your sites that may be subject to attacks or suffer from other security problems.

To turn on logging on a Web site, follow these steps:
  1. Start the Internet Information Services Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services.
  2. Double-click your server_name, where server_name is the name of the server.
  3. Expand the Web Site folder.
  4. Right-click the Web site for which you want to turn on logging, and then click Properties.
  5. On the Website tab, select Enable Logging.

    Note Both Enable Logging on the Website tab and Log visits on the Home Directory Tab must be checked for logging to be enabled.
  6. Select a format in the Active log format list.
  7. Click Properties.
  8. On the General tab, select the way that you want to schedule the logging or change the Log file folder. For more information, see the Configuration Options for Saving IIS Log Files section of this article.
  9. Click the Advanced tab, and then click the items that you want to monitor in the log.NOTE: If you select ODBC logging, click Properties, provide the ODBC Data Source Name (DSN), table, user name, and password, and then click OK.
  10. Click OK.
back to the top

Turn Logging On or Off for a Specific Folder

  1. Start the Internet Information Services Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services.
  2. Double-click your server_name, where server_name is the name of the server.
  3. Expand the Web Site folder.
  4. Right-click the Web site or locate the folder that you want to configure, and then click Properties.
  5. On the Directory tab, click Log visits.

    NOTE: To turn off logging, click Log visits.
  6. Click OK.
back to the top

Configuration Options for Saving IIS Log Files

To set options for saving log files, follow these steps:
  1. Open the Internet Information Services Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services.
  2. Expand your server node.
  3. Expand the Web Site folder.
  4. Right-click the Web site, and then click Properties.
  5. On the Web Site tab, click Properties.
  6. On the General Properties tab, select the option to use when starting a new log file. The options are as follow:
    • Hourly: Log files are created hourly, starting with the first entry that occurs for each hour. This feature is typically used for high-volume Web sites.
    • Daily: Log files are created daily, starting with the first entry that occurs after midnight.
    • Weekly: Log files are created weekly, starting with the first entry that occurs after midnight Saturday.
    • Monthly: Log files are created monthly, starting with the first entry that occurs after midnight of the last day of the month. NOTE: "Midnight" is midnight local time for all log file formats except World Wide Web Consortium (W3C) Extended Log File Format. For this file format, "midnight" is midnight Greenwich Mean Time (GMT) by default, but it can be changed to midnight local time. To open new W3C Extended Log File Format logs that use local time, select Use local time for file naming and rollover. The new log starts at midnight local time, but the time that is recorded in the log files is still GMT.
    • Unlimited file size: Data is always appended to the same log file. You can access this log file only after you stop the site.
    • When file size reaches: A new log file is created when the current log file reaches a particular size. You must specify the size that you want.
  7. Under Log file directory, type the folder where log files are to be saved. NOTE: You must list the local folder using the whole path. You cannot use mapped drives or UNC paths such as \\server1\share1\, or the period or backslash characters when you specify the log file folder.
  8. You must list the local folder using the whole path. You cannot use mapped drives or UNC paths such as \\server1\share1\, or the period or backslash characters when you specify the log file folder. Click Apply, and then click OK.
back to the top

Review IIS Log Files with Notepad

  1. To open Notepad, click Start, point to All Programs, point to Accessories, and then click Notepad.
  2. On the File menu, click Open and type the location where the log file is saved.
  3. Examine the logs for suspicious security events, including the following:
    • Multiple unsuccessful commands that try to run executable files or scripts. (In this cane, closely monitor the Scripts folder.)
    • Too many unsuccessful logon attempts from a single IP address, with the possible intention of increasing network traffic or denying access to other users.
    • Failed attempts to access and modify .bat files or .cmd files.
    • Unauthorized attempts to upload files to a folder that contains executable files.
back to the top

Security

Correct security safeguards on your Web server can reduce or prevent various security threats both malicious and accidental.

For a production server, move Active Server Pages (ASP) enrollment pages off the Web server that allows users to browse files that contain information about how to make certificates. If you do not want to move the ASP pages, restrict access to view the files. These pages are typically located at the root of your Web site.

back to the top


back to the top
Modification Type:MajorLast Reviewed:6/16/2006
Keywords:kbWebServices kbAppServices kbhowto kbHOWTOmaster KB324279 kbAudITPro
©2004 Microsoft Corporation. All rights reserved.