The Art of Reading an IIS Log Entry


The standard Web server log format is named the W3C Extended log format. By default, these text log files can be found in %winnt%\system32\LogFiles\W3SVCx, where x is the Web site instance. For example, the default Web site is W3SVC1. The format for this log file is defined at the World Wide Web Consortium (W3C) Web site at http://www.w3.org/TR/WD-logfile.

Let's analyze a sample log file entry. First notice that each log file starts with the following line:

 #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent) 

This indicates the fields used in the log file from this point on. You'll notice that some fields start with a prefix. Possible prefixes are

  • c Client
  • s Server
  • cs Client to server
  • sc Server to client
  • sr Server to remote server (used by proxy servers)
  • rs Remote server to server (used by proxy servers)

The set of fields can change partway through a log file; when it does, the change is reflected in a new field heading. Table 11-6 describes these fields.

Table 11-6. W3C extended log file components.

| Field | Example | Comments |
|---|---|---|
| date | 2000-04-25 | Date of the request in Universal Coordinated Time (UTC). |
| time | 14:20:03 | Time of the request (UTC). |
| c-ip | 172.100.100.13 | Client IP address. |
| cs-username | EXAIR/Squirt | Client's name—a "-" value means anonymous or unidentified. |
| s-ip | 157.42.12.122 | Server IP address. |
| s-port | 80 | Server port number on which the request was received—another common value is 443 for Secure Sockets Layer/Transport Layer Security (SSL/TLS). |
| cs-method | GET | HTTP method used to perform the request. |
| cs-uri-stem | /ExAirHR/Default.asp | Stem portion of a Uniform Resource Identifier (URI). |
| cs-uri-query | - | Query portion of a URI. Note that this is often filled in by IIS when an error occurs and thus can be a goldmine of information. |
| sc-status | 401 | HTTP status—for example, 200 (OK) and 401 (unauthorized). |
| sc-win32-status | 5 | Win32 status—for example, 0 (no error) and 5 (access denied). This is not enabled by default; you can enable it using the IIS administration tool. |
| cs(User-Agent) | Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) | The browser user-agent string. |
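
As an added example (not code from the book), the following Python sketch reads W3C Extended entries by the #Fields line currently in force, including a mid-file field change, and picks out the refused requests. The function names parse_w3c and denied_requests are hypothetical, and the sample log lines are constructed from the example values in Table 11-6.

```python
# Added example: W3C Extended log reader that honors every #Fields directive.
# SAMPLE_LOG is constructed for illustration from the example values in Table 11-6.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2000-04-25 14:20:03 172.100.100.13 EXAIR/Squirt 157.42.12.122 80 GET /ExAirHR/Default.asp - 401 5 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2000-04-25 14:20:09 172.100.100.13 - 157.42.12.122 80 GET /Default.htm - 200 0 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-04-25 15:02:41 172.100.100.13 GET /ExAirHR/Default.asp 401
"""


def parse_w3c(lines):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line; only #Fields changes how later entries are read.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: entry before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Entry does not match the heading in force: reject it rather than
            # silently shifting values into the wrong columns.
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        entry = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        if entry.get("cs(User-Agent)"):
            # Spaces inside a value are logged as "+", since space separates fields.
            entry["cs(User-Agent)"] = entry["cs(User-Agent)"].replace("+", " ")
        yield entry


def denied_requests(entries):
    """Entries with HTTP 401, or Win32 status 5 (access denied) when that field is logged."""
    return [e for e in entries
            if e.get("sc-status") == "401" or e.get("sc-win32-status") == "5"]


if __name__ == "__main__":
    for e in denied_requests(parse_w3c(SAMPLE_LOG.splitlines())):
        print(e["date"], e["time"], e["c-ip"], e.get("cs-username"), e["cs-uri-stem"])
```

Because sc-win32-status is not enabled by default, the filter falls back to sc-status alone when that field is absent from the heading.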



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
