Microsoft KB Archive/313437

= How to enable logging in Internet Information Services (IIS) =

Article ID: 313437

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q313437



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx





CONTENTS

 * INTRODUCTION
 * Customize the data
 * Enable and configure logging in Internet Information Services (IIS)
 * REFERENCES



INTRODUCTION
This step-by-step article describes how to enable logging for Web sites or for FTP sites in Microsoft Internet Information Services (IIS) 6.0, in IIS 5.0, and in IIS 4.0. You can configure your Web site or your FTP site to record log entries that are generated from user activity and from server activity. Log data can help you control access to content, determine content popularity, plan security requirements, and troubleshoot potential Web site issues or FTP site issues. For example, you can use the log files to help determine whether a security event has occurred. The data in the log files can provide information about the source of the attack.

IIS can save log files to different file formats. When you enable logging, you can specify the file format that you want to use. By default, IIS uses the W3C Extended log file format. Typically, the W3C Extended log file format is the preferred log type to use. This log format lets you configure lots of extended attributes that are useful to help analyze security.

back to the top

Customize the data
You can customize the data that is logged to log files that use the W3C Extended log file format. To customize the data, select the properties that you want and omit the properties that you do not want. You may want to select the following properties when you customize W3C Extended log file format logs:
 * Client IP address

This is the IP address of the client that accesses the server. Notice that if a Web proxy computer is in front of the server that is running IIS, the IP address of the proxy may appear in the Client IP Address box.
 * User name

This is the name of the user who accesses the server. If Anonymous authentication is configured, a hyphen (-) is logged instead of the user name.
 * Method

This is the action that the client tries to perform. For example, the action may be a GET command or a POST command.
 * URI stem

This is the resource on the server that is running IIS that the user tries to access. For example, the resource may be an HTML page, a graphic, a CGI program, or a script.
 * Protocol status

This is the status of the action in HTTP terms. This is represented by a code number.
 * Win32 status

This is the status of the action in Win32 code terms. Error numbers are reported. For example, error 5 means that access is denied. To evaluate error messages, type net helpmsg err at the command prompt, and then press ENTER.
 * User agent

This is the name of the Web browser that accesses the server.
 * Server IP address

This is the IP address of the virtual server where the log entry is generated. This option is helpful if you host multiple virtual servers on the same computer, and the multiple virtual servers use different IP addresses.
 * Server port

This is the port number of the virtual server that receives the client request. This option is helpful if you host multiple virtual servers on the same computer, and the multiple virtual servers use different IP addresses.

back to the top

Enable and configure logging in Internet Information Services (IIS)
To enable and to configure logging for a Web site or for an FTP site in IIS, follow these steps:  Start Internet Information Services (IIS) Manager. Expand  , and then expand Web Sites or FTP Sites. Right-click the Web site or the FTP site where you want to enable logging, and then click Properties. Click the Web Site tab, or click the FTP Site tab. Click to select the Enable logging check box. In the Active log format box, click the format that you want to use. Click Properties, and then specify the settings that you want. For example, if you use W3C Extended log file format, follow these steps: <ol style="list-style-type: lower-alpha;"> If you are running IIS 6.0, click the General tab. If you are running IIS 5.0 or IIS 4.0, click the General Properties tab. Specify the schedule that you want to use to create new log files. For example, to create a new log file every day, click Daily.</li> If you want to use local time, click to select the Use local time for file naming and rollover check box.

Note Midnight local time is used for all log file formats except W3C Extended log file format. By default, W3C Extended log file format uses midnight Coordinated Universal Time (Greenwich Mean Time). To use midnight local time, click to select the Use local time for file naming and rollover check box.</li> If you are running IIS 6.0, click the Advanced tab. If you are running IIS 5.0 or IIS 4.0, click the Extended Properties tab.</li> Specify the options that you want. For example, specify the properties that are listed in the &quot;Customize the data&quot; section. Click OK.</li> Click OK.</li></ol> </li></ol>

back to the top <div class="references_section">