Redigera

Dela via


W3C Logging

W3C extended logging is type of server side logging that can be enabled on the server session or URL group. When W3C logging is enabled on a URL group, logging is performed only on requests that are routed to the URL Group. A separate log file is created for each URL group configured to enable W3C logging.

When W3C logging is enabled on the server session it functions as centralized form of logging for all the URL groups under the server session. A single log file is maintained for all of the URL groups in the server session.

The following table lists the fields that can be logged by the HTTP Server API. The table contains a subset of the HTTP_LOG_FIELD constants. Some of the fields listed below are auto generated by HTTP Server API internally and therefore not contained in the HTTP_LOG_FIELDS_DATA structure. The "Appears As" column contains the text that appears in the log file. The data in the table is in the order of occurrence in the log file record.

Fields that are not marked "HTTP Server API generated" have to be passed inside HTTP_LOG_FIELDS_DATA structure by application. Application could generate those fields from the HTTP_REQUEST structure passed to it.

Field Appears As Description HTTP_LOG_FIELDS_DATA Member HTTP_LOG_FIELDS constants
Date date The date on which the activity occurred. HTTP Server API generated. HTTP_LOG_FIELD_DATE
Time time The time, in coordinated universal time (UTC), at which the activity occurred. HTTP Server API generated. HTTP_LOG_FIELD_TIME
Service Name and Instance Number s-sitename The Internet service name and instance number that was running on the client. ServiceName HTTP_LOG_FIELD_SITE_NAME
Server Name s-computername The name of the server on which the log file entry was generated. ServerName HTTP_LOG_FIELD_COMPUTER_NAME
Server IP Address s-ip The IP address of the server on which the log file entry was generated. ServerIp HTTP_LOG_FIELD_SERVER_IP
Method cs-method The requested verb, for example, a GET method. Method HTTP_LOG_FIELD_METHOD
URI Stem cs-uri-stem The target of the verb, for example, Default.htm. UriStem HTTP_LOG_FIELD_URI_STEM
URI Query cs-uri-query The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. UriQuery HTTP_LOG_FIELD_URI_QUERY
Server Port s-port The server port number that is configured for the service. ServerPort HTTP_LOG_FIELD_SERVER_PORT
User Name cs-username The name of the authenticated user that accessed the server. Anonymous users are indicated by a hyphen. UserName HTTP_LOG_FIELD_USER_NAME
Client IP Address c-ip The IP address of the client that made the request. ClientIp HTTP_LOG_FIELD_CLIENT_IP
Protocol Version cs-version The HTTP protocol version that the client used. HTTP Server API generated. HTTP_LOG_FIELD_VERSION
User Agent cs(User-Agent) The browser type that the client used. UserAgent HTTP_LOG_FIELD_USER_AGENT
Cookie cs(Cookie) The content of the cookie sent or received, if any. Cookie HTTP_LOG_FIELD_COOKIE
Referrer cs(Referrer) The site that the user last visited. This site provided a link to the current site. Referrer HTTP_LOG_FIELD_REFERRER
Host cs-host The host header name, if any. Host HTTP_LOG_FIELD_HOST
HTTP Status sc-status The HTTP status code. ProtocolStatus HTTP_LOG_FIELD_STATUS
Protocol Substatus sc-substatus The substatus error code. SubStatus HTTP_LOG_FIELD_SUB_STATUS
Win32 Status sc-win32-status The Windows status code. Win32Status HTTP_LOG_FIELD_WIN32_STATUS
Bytes Sent sc-bytes The number of bytes sent by the server. HTTP Server API generated. HTTP_LOG_FIELD_BYTES_SENT
Bytes Received cs-bytes The number of bytes received and processed by the server. HTTP Server API generated. HTTP_LOG_FIELD_BYTES_RECV
Time Taken time-taken The length of time that the action took, in milliseconds. HTTP Server API generated. HTTP_LOG_FIELD_TIME_TAKEN
Stream ID streamid The Stream Id. HTTP Server API generated. HTTP_LOG_FIELD_STREAM_ID

 

The log file is a customizable ASCII text-based format. The field prefixes in the file are defined as follows:

Prefix Description
s Server actions.
c Client actions.
sc Server-to-Client actions.
cs Client-to-Server actions.

 

The application can select one or more of the W3C Extended log file fields, however, not all fields will contain information. For fields that are selected but for which there is no information, a hyphen (-) appears as a placeholder. If a field contains a nonprintable character, the HTTP Server API replaces it with a plus sign (+) to preserve the log file format. This typically occurs with virus attacks, when, for example, a malicious user sends carriage returns and line feeds that, if not replaced with the plus sign (+), would break the log file format. Fields are separated by spaces.

If a field is enabled by the URL group or server session, but not selected for the request, it appears in the log file with a hyphen (-) as a placeholder.

Log files are created when the first request arrives on the URL Group or server session, they are not created when logging is configured. The following example shows the first log file entry for a W3C log file with the Client IP, Username, Server IP, Server Port, Method, URI Stem, URI Query, Status, and User Agent fields enabled:

#Software: Microsoft HTTP Server API 2.0  
#Version: 1.0   // the log file version as it's described by "https://www.w3.org/TR/WD-logfile".
#Date: 2002-05-02 17:42:15  // when the first log file entry was recorded, which is when the entire log file was created.
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)

The time-taken field is initialized when the HTTP Server API receives the first byte, before the request is parsed. The time-taken timestamp is stopped when the last send completion occurs. Time-taken does not reflect time across the network. The first request to the site shows a slightly longer time taken than other similar requests because the HTTP Server API opens the log file with the first request.