W3C Extended Log File Format
Applies To: Windows Server 2003, Windows Server 2003 with SP1
The W3C Extended log file format is the default log file format for IIS. It is a customizable ASCII text-based format. You can use IIS Manager to select which fields to include in the log file, which enables you to keep log files as small as possible. Because HTTP.sys handles the W3C Extended log file format, this format records HTTP.sys kernel-mode cache hits.
Table 10.1 lists and describes the available fields. Default fields are noted.
Table 10.1 W3C Extended Log File Fields
| Field | Appears As | Description | Default Y/N |
|---|---|---|---|
Date |
date |
The date on which the activity occurred. |
Y |
Time |
time |
The time, in coordinated universal time (UTC), at which the activity occurred. |
Y |
Client IP Address |
c-ip |
The IP address of the client that made the request. |
Y |
User Name |
cs-username |
The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen. |
Y |
Service Name and Instance Number |
s-sitename |
The Internet service name and instance number that was running on the client. |
N |
Server Name |
s-computername |
The name of the server on which the log file entry was generated. |
N |
Server IP Address |
s-ip |
The IP address of the server on which the log file entry was generated. |
Y |
Server Port |
s-port |
The server port number that is configured for the service. |
Y |
Method |
cs-method |
The requested action, for example, a GET method. |
Y |
URI Stem |
cs-uri-stem |
The target of the action, for example, Default.htm. |
Y |
URI Query |
cs-uri-query |
The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. |
Y |
HTTP Status |
sc-status |
The HTTP status code. |
Y |
Win32 Status |
sc-win32-status |
The Windows status code. |
N |
Bytes Sent |
sc-bytes |
The number of bytes that the server sent. |
N |
Bytes Received |
cs-bytes |
The number of bytes that the server received. |
N |
Time Taken |
time-taken |
The length of time that the action took, in milliseconds. |
N |
Protocol Version |
cs-version |
The protocol version see commentHTTP or FTP see commentthat the client used. |
N |
Host |
cs-host |
The host header name, if any. |
N |
User Agent |
cs(User-Agent) |
The browser type that the client used. |
Y |
Cookie |
cs(Cookie) |
The content of the cookie sent or received, if any. |
N |
Referrer |
cs(Referrer) |
The site that the user last visited. This site provided a link to the current site. |
N |
Protocol Substatus |
sc-substatus |
The substatus error code. |
Y |
You can select as many of the W3C Extended log file fields as you want. Some fields may not contain information. When a select field does not contain information, a hyphen (-) appears as a placeholder. If a field contains a nonprintable character, HTTP.sys replaces it with a plus sign (+) to preserve the log file format. Nonprintable characters can appear as a result of virus attacks such as when a malicious user sends carriage returns and line feeds that could break the log file format. You can avoid this problem if you replace nonprintable characters with the plus sign (+).
Fields are separated by spaces. Field prefixes have the following meanings:
s- Server actions
c- Client actions
cs- Client-to-server actions
sc- Server-to-client actions
Note
FTP log files do not record the following fields:
- cs-uri-query
- cs-host
- cs(User-Agent)
- cs(Cookie)
- cs(Referrer)
- sc-substatus
Note
For the Time Taken field, the client-request time stamp is initialized when HTTP.sys starts parsing the request. If the response size is less than or equal to 2 kilobytes and from memory, or the force buffer flag is set, the Time Taken value usually does not include network time. Otherwise, the TimeTaken value generally includes network time. For more information about the Time Taken field in IIS, see Description of the time-taken field in IIS 6.0 and IIS 7.0 HTTP logging.
For information about status codes, see IIS Status Codes.
For more information about the W3C Extended log file format, see Extended Log File Format.
For information about HTTP request buffering that uses the HTTP Server API Version 1, see HttpSendHttpResponse Function.