W3C Extended Log File Examples
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Example of an Intranet Site
The following example shows a W3C Extended log file entry from an intranet site, as viewed in a text editor. The log file includes only the default fields.
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2002-05-02 17:42:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
You can interpret the preceding log file entry as follows:
#Software: Microsoft Internet Information Services 6.0
This indicates the version of IIS that is running.
#Version: 1.0
This indicates the log file format.
#Date: 2002-05-02 17:42:15
This indicates when the first log file entry was recorded, which is when the entire log file was created.
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem ...
This indicates the fields that are recorded in the log file entry and the order in which they are recorded
Table 10.2 lists and describes the fields that are recorded in this example.
Note
Use the order shown in the Fields log file entry to parse all entries until the next log file entry begins. The field order is subject to change and is different in IIS 6.0 than it was in IIS 5.0.
Table 10.2 Example of a W3C Extended Log File Entry from an Intranet Site
| Field | Appears As | Description |
|---|---|---|
date |
2002-05-02 |
This log file entry was recorded on May 2, 2002. |
time |
17:42:15 |
This log file entry was recorded at 5:42 P.M. UTC. Entries are recorded to the log file when the send completion for the last IIS send occurs. |
c-ip |
172.22.255.255 |
The IP address of the client. |
cs-username |
- |
The user was anonymous. |
s-ip |
172.30.255.255 |
The IP address of the server. |
s-port |
80 |
The server port. |
cs-method |
GET |
The user issued a GET, or download, command. |
cs-uri-stem |
/images/picture.jpg |
The user wanted to download the picture.jpg file from the Images folder. |
cs-uri-query |
- |
The URI query did not occur. (URI queries are necessary only for dynamic pages, such as ASP pages, so this field usually contains a hyphen for static pages.) |
sc-status |
200 |
The request was fulfilled with no errors. |
cs(User-Agent) |
Mozilla/4.0+ (compatible;MSIE+5.5;+Windows+2000+Server) |
The type of browser that the client used, as represented by the browser. |
Example of an Internet Site
The following example shows a W3C Extended log file entry from an Internet site, as viewed in a text editor. The log file contains several fields in addition to the default fields and is typical of the kind of log file you would run to monitor an Internet site.
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2002-05-24 20:18:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs(User-Agent) cs(Referrer)
2002-05-24 20:18:01 172.224.24.114 - 206.73.118.24 80 GET /Default.htm - 200 7930 248 31 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+2000+Server) https://64.224.24.114/
You can interpret the preceding log file entry as follows:
#Software: Microsoft Internet Information Services 6.0
This indicates the version of IIS that is running.
#Version: 1.0
This indicates the log file format.
#Date: 2002-05-24 20:18:01
This indicates when the first log file entry was recorded, which is when the entire log file was created.
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem ...
This indicates the fields that are recorded in the log file entry and the order in which they are recorded. Table 10.3 lists and describes the fields recorded in this example.
Table 10.3 Example of a W3C Extended Log File Entry from an Internet Site
| Field | Appears As | Description |
|---|---|---|
date |
2002-05-24 |
This log file entry was recorded on May 24, 2002. |
time |
20:18:01 |
This log file entry was recorded at 8:18 P.M. UTC. |
c-ip |
172.224.24.114 |
The IP address of the client. |
cs-username |
- |
The user was anonymous. |
s-ip |
206.73.118.24 |
The IP address of the server. |
s-port |
80 |
The server port. |
cs-method |
GET |
The user issued a GET, or download, command. |
cs-uri-stem |
/Default.htm |
The user wanted to download the contents of Default.htm. |
cs-uri-query |
- |
The URI query did not occur. |
sc-status |
200 |
The request was fulfilled without error. |
sc-bytes |
7930 |
The number of bytes that the server sent to the client. |
cs-bytes |
248 |
The number of bytes that the client sent to the server. |
time-taken |
31 |
The action was completed in 31 milliseconds. |
cs(User-Agent) |
Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+2000+Server) |
The type of browser that the client used, as represented by the browser. |
cs(Referrer) |
https://62.224.24.114/ |
The Web page that provided the link to the Web site. |
Example of an FTP Site
The following example shows a W3C Extended log file entry from an Internet FTP site, as viewed in a text editor. The example does not include all of the default fields and is typical of the kind of log file that you would run to monitor an FTP site.
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2002-06-04 16:40:23
#Fields: time c-ip cs-method cs-uri-stem sc-status
16:40:23 10.152.10.200 [6994]USER anonymous 331
16:40:25 10.152.10.200 [6994]PASS anonymous@example.net 530
You can interpret the preceding log file example as follows:
#Software: Microsoft Internet Information Services 6.0
This indicates the version of IIS that is running.
#Version: 1.0
This indicates the log file format.
#Date: 2002-06-04 16:40:23
This indicates when the first log file entry was recorded, which is when the log was created.
#Fields: time c-ip cs-method cs-uri-stem sc-status
This indicates the fields that are recorded in the log file entry and the order in which they are recorded. Table 10.4 lists and describes the fields recorded in this example.
Table 10.4 Example of a W3C Extended Log File Entry from an FTP Site
| Field | Appears As | Description |
|---|---|---|
time |
16:40:23 |
This log file entry was recorded at 4:40 P.M. UTC. |
c-ip |
10.152.10.200 |
The IP address of the client. |
cs-method |
[6994]USER |
The USER FTP command was used, which requests a user name and is always followed by a PASS FTP command. 6994 is the connection number corresponding to an anonymous user. |
cs-uri-stem |
anonymous |
The user (the target of the USER command) was anonymous. |
sc-status |
331 |
The user name was accepted. |
time |
16:40:25 |
The next recorded action occurred at 4:40 P.M. UTC. |
c-ip |
10.152.10.200 |
The IP address of the client. |
cs-method |
[6994]PASS |
The PASS FTP command was used, which supplies a password for the user name and is always preceded by a USER command. |
cs-uri-stem |
anonymous@example.net |
The password (the target of the PASS command) supplied. |
sc-status |
530 |
The user was not logged on. |