Log File Formats in IIS
Applies To: Windows Server 2003, Windows Server 2003 with SP1
IIS provides six different log file formats that you can use to track and analyze information about your IIS-based sites and services. In addition to the six available formats, you can create your own custom log file format. For more information about custom logging, see Custom Logging Modules.
The following log file formats and logging options are available in IIS:
W3C Extended Log File Format Text-based, customizable format for a single site. This is the default format.
W3C Centralized Logging All data from all Web sites is recorded in a single log file in the W3C log file format.
NCSA Common Log File Format Text-based, fixed format for a single site.
IIS Log File Format Text-based, fixed format for a single site.
ODBC Logging Fixed format for a single site. Data is recorded in an ODBC-compliant database.
Centralized Binary Logging Binary-based, unformatted data that is not customizable. Data is recorded from multiple Web sites and sent to a single log file. To interpret the data, you need a special parser.
HTTP.sys Error Log Files Fixed format for HTTP.sys-generated errors.
You can read text-based log files using a text editor such as Notepad, which is included with Windows, but administrators often import the files into a report-generating software tool for further analysis.
For step-by-step instructions on how to enable logging, see Enabling Logging.
UTF-8 Format for Non-English Languages and Security
UTF-8 is a method of character encoding that allows for both single and multibyte characters in one string. If you want to read text-based (W3C Extended, IIS, and NCSA Common) log files in a language other than English, you can enable the UTF-8 format. You also need the UTF-8 format if you serve URLs in a language other than the native server code page, for example, if you serve Chinese URLs on a Japanese system. In addition, because IIS 6.0 tries to serve URLs in code pages other than the server default code page by default, you might want to enable the UTF-8 format for security reasons. It is a good security practice to enable the UTF-8 format in case of an attack based on URLs in UTF-8 that might not translate correctly to the default code page.
Note
IIS does not support the UTF-8 format for FTP site log files.
For information about enabling UTF-8, see Enabling UTF-8 Format for Non-English Languages and Security.
Log File Locations and ACLs
If you create a log file directory of C:\LogFilesfor HTTP.sys-generated logging (W3C Extended log file format, NCSA Common log file format, IIS log file format, centralized binary logging, or HTTP.sys error logging), then HTTP.sys generates the following subdirectories, and the log files are created under these subdirectories:
For the W3C Extended, NCSA Common, and IIS log file formats, HTTP.sys generates the subdirectory C:\LogFiles\W3SVC*#*, where # is the site ID.
For centralized binary logging, HTTP.sys generates the subdirectory C:\LogFiles\W3SVC.
For HTTP.sys error logging, HTTP.sys generates the subdirectory C:\WINDOWS\System32\LogFiles\HTTPErr.
By default, the log file directory has the following access control lists (ACLs):
NT Authority\System: Full access
Built-in\Administrators: Full access
Everyone: No access (Although the No access permission is the effective permission, this setting is not explicitly set by HTTP.sys.)
Individual log files in the log file directory have the following controls:
NT Authority\System: Full access
Built-in\Administrators: Read and delete access
Everyone: No access (Although the No access permission is the effective permission, this setting is not explicitly set by HTTP.sys.)
Important
The default log file directory ACLs (DACLs) are set for optimum security. If you choose to create log file directories with less restrictive ACLs, your system might be more vulnerable to attack.
If you are using the W3C Extended, NCSA Common, or IIS log file formats and it is necessary to do so, you can create a subdirectory called W3SVC# of the C:\LogFiles directory and set ACLs for that directory that are different from the defaults. For example, if you need to allow a site administrator to read the log files, create a W3SVC# subdirectory of the C:\LogFiles directory and set Read ACLs for the site's administrator.
Important
The owner of the W3SVC# subdirectory must be a member of the Local Administrators group. If not, HTTP.sys writes an error to the NT Event log and disables logging.
For more information about file and directory security and access control, see Managing a Secure IIS 6.0 Solution.