Categories
Linux

Microsoft IIS W3C Extended Log Format

This log file format is used by used by Microsoft Internet Information Server (IIS) 4.0, 5.0, 6.0 and 7.0.

A log file in the extended format contains a sequence of lines containing ASCII characters. Each line may contain either a directive or an entry. Entries consist of a sequence of fields relating to a single HTTP transaction. Fields are separated by white space. If a field is unused in a particular entry dash “-” marks the omitted field. Directives record information about the logging process itself.

Lines beginning with the # character contain directives. The following directives are defined:

Version: .
The version of the extended log file format used. This draft defines version 1.0.
Fields: […]
lists a sequence of field identifiers specifying the information recorded in each entry.
Software: string
Identifies the software which generated the log.
Start-Date:
The date and time at which the log was started.
End-Date:
The date and time at which the log was finished.
Date:
The date and time at which the entry was added.
Remark:
Comment information. Data recorded in this field should be ignored by analysis tools.
The directives Version and Fields are required and should precede all entries in the log. The Fields directive specifies the data recorded in the fields of each entry.

W3C Extended Logging Field Definitions

Prefix Meaning
s-
Server actions.
c-
Client actions.
cs-
Client-to-server actions.
sc-
Server-to-client actions.
Field Appears As Description
Date date The date that the activity occurred.
Time time The time that the activity occurred.
Client IP Address c-ip The IP address of the client that accessed your server.
User Name cs-username The name of the authenticated user who accessed your server. This does not include anonymous users, who are represented by a hyphen (-).
Service Name s-sitename The Internet service and instance number that was accessed by a client.
Server Name s-computername The name of the server on which the log entry was generated.
Server IP Address s-ip The IP address of the server on which the log entry was generated.
Server Port s-port The port number the client is connected to.
Method cs-method The action the client was trying to perform (for example, a GET method).
URI Stem cs-uri-stem The resource accessed; for example, Default.htm.
URI Query cs-uri-query The query, if any, the client was trying to perform.
Protocol Status sc-status The status of the action, in HTTP or FTP terms.
Win32® Status sc-win32-status The status of the action, in terms used by Microsoft Windows®.
Bytes Sent sc-bytes The number of bytes sent by the server.
Bytes Received cs-bytes The number of bytes received by the server.
Time Taken time-taken The duration of time, in milliseconds, that the action consumed.
Protocol Version cs-version The protocol (HTTP, FTP) version used by the client. For HTTP this will be either HTTP 1.0 or HTTP 1.1.
Host cs-host Displays the content of the host header.
User Agent cs(User-Agent) The browser used on the client.
Cookie cs(Cookie) The content of the cookie sent or received, if any.
Referrer cs(Referer) The previous site visited by the user. This site provided a link to the current site.

The following is an example of a record in the extended log format that was produced by the Microsoft Internet Information Server (IIS):
——————————————————————————–

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-19 19:42:21
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /index.html – 80 – 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) – – powercram.com 200 0 0 366 399 265
2009-11-19 19:42:21 W3SVC874815883 IP-0AF98AC2 10.249.138.194 GET /favicon.ico – 80 – 67.212.138.161 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+GTB5+(.NET+CLR+3.5.30729) – – powercram.com 404 0 2 1836 380 0

Leave a Reply

Your email address will not be published. Required fields are marked *