Centralized W3C Logging

Just learned about this cool new feature included with W2k3 SP1. On top of centralized binary logging, you will now get centralized w3c logging! To enable it,
adsutil.vbs set w3svc/CentralW3CLoggingEnabled true
This will give you centralized text format logging for all website! Cool huh ?

Here's the sample log entries:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-05-25 21:52:36 127.0.0.1 GET /iisstart.htm - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-25 21:54:17 127.0.0.1 GET /aspnet_client - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 14 5
2005-05-25 21:55:55 127.0.0.1 GET /aspnet_client - 801 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 301 0 0

Take note that:
a) you can't customize the log filed ! as it's w3c format (without certain fields like cs-refer, cs-version, etc)
b) there's no site id or website identifier in the log! In the above log sample, the 2nd and 3rd requests is actually to two different websites (I used port 801 in another website). With no site id logged, it might be difficult to analyze each website activities in this centralized format.

And finally, here's the official detail from Microsoft about W3C centralized logging.

Updated 27/05/05 3pm.
Thanks to Matt, I was wrong :) you can configure what fields to be logged. Do this at Web Sites, right mouse - properties - at the 'Enable logging' section, click properties, then click on Advanced tab, select the desire fields.

Published Wed, May 25 2005 16:17 by bernard

Filed under: IIS News, IIS Links

Comments

# bernard said on 27 May, 2005 03:24 PM: Hi Bernard:

Actually, that's not quite correct. You can indeed determine which site corresponds to which entry. Even with enabling centralized logging, you can turn on the extended W3C properties, particularly s-sitename which will give you the W3SVC[INDEX] for each site. This makes it quite easy to figure out which entry corresponds to which site. Additionally, you can enable cs(Referer) and cs-version as well as any of the other extended attributes. You do it at the global level, note my log entries below from a log of mine I pulled from my dev environment:

#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2005-05-03 08:59:59 W3SVC123499 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123499.com 200 0 0 255 140 15
2005-05-03 08:59:59 W3SVC123466 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123466.com 200 0 0 255 140 15
2005-05-03 08:59:59 W3SVC123476 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123476.com 200 0 0 255 140 0
2005-05-03 08:59:59 W3SVC123560 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123560.com 200 0 0 255 140 15
2005-05-03 08:59:59 W3SVC123635 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123635.com 200 0 0 255 140 15
2005-05-03 08:59:59 W3SVC123600 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123600.com 200 0 0 255 140 0
2005-05-03 08:59:59 W3SVC123514 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123514.com 200 0 0 255 140 0
2005-05-03 08:59:59 W3SVC123481 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123481.com 200 0 0 255 140 0
2005-05-03 08:59:59 W3SVC123579 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123579.com 200 0 0 255 140 15
2005-05-03 08:59:59 W3SVC123613 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123613.com 200 0 0 255 140 0
2005-05-03 08:59:59 W3SVC123605 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123605.com 200 0 0 255 140 0
2005-05-03 08:59:59 W3SVC123624 172.29.16.83 GET /index.htm - 80 - 172.29.16.83 HTTP/1.1 Mozilla/4.61+[en]+(WinNT;+I) - domain123624.com 200 0 0 255 140 0

I agree it's quite cool and long overdue. I've rewritten my log processing engine to take advantage of this. Now, instead of n number of handles open to n number of log files I only have 1 handle open to 1 log file, improving the load on my servers. Hope this information helps.

Thanks.

-matt
# bernard said on 27 May, 2005 04:09 PM: Thanks Matt! I missed that global settings part. Thanks for pointing out.

Cheers.

Server: Microsoft-IIS/7.0\r\n

Centralized W3C Logging

Comments

News

Search

This Blog

Tags

Archives

IIS Sites

MVPs - MVPs

IIS Related

Syndication