The W3C Extended log file format is the default log file format for IIS. It is a customizable ASCII text-based format. You can use IIS Manager to select which fields to include in the log file, which allows you to keep log files as small as possible. Because HTTP.sys handles the W3C Extended log file format, this format records HTTP.sys kernel-mode cache hits.
Table 10.1 lists and describes the available fields. Default fields are noted.
Table 10.1 W3C Extended Log File Fields

| Field | Appears As | Description | Default Y/N |
|---|---|---|---|
| Date | date | The date on which the activity occurred. | Y |
| Time | time | The time, in coordinated universal time (UTC), at which the activity occurred. | Y |
| Client IP Address | c-ip | The IP address of the client that made the request. | Y |
| User Name | cs-username | The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen. | Y |
| Service Name and Instance Number | s-sitename | The Internet service name and instance number that was running on the client. | N |
| Server Name | s-computername | The name of the server on which the log file entry was generated. | N |
| Server IP Address | s-ip | The IP address of the server on which the log file entry was generated. | Y |
| Server Port | s-port | The server port number that is configured for the service. | Y |
| Method | cs-method | The requested action, for example, a GET method. | Y |
| URI Stem | cs-uri-stem | The target of the action, for example, Default.htm. | Y |
| URI Query | cs-uri-query | The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. | Y |
| HTTP Status | sc-status | The HTTP status code. | Y |
| Win32 Status | sc-win32-status | The Windows status code. | N |
| Bytes Sent | sc-bytes | The number of bytes that the server sent. | N |
| Bytes Received | cs-bytes | The number of bytes that the server received. | N |
| Time Taken | time-taken | The length of time that the action took, in milliseconds. | N |
| Protocol Version | cs-version | The protocol version (HTTP or FTP) that the client used. | N |
| Host | cs-host | The host header name, if any. | N |
| User Agent | cs(User-Agent) | The browser type that the client used. | Y |
| Cookie | cs(Cookie) | The content of the cookie sent or received, if any. | N |
| Referrer | cs(Referrer) | The site that the user last visited. This site provided a link to the current site. | N |
| Protocol Substatus | sc-substatus | The substatus error code. | Y |

For information about status codes, see IIS Status Codes.
FTP log files do not record the following fields:
• cs-uri-query
• cs-host
• cs(User-Agent)
• cs(Cookie)
• cs(Referrer)
• sc-substatus
You can select as many of the W3C Extended log file fields as you want. However, not all fields will contain information. For fields that are selected but for which there is no information, a hyphen (-) appears as a placeholder. If a field contains a nonprintable character, HTTP.sys replaces it with a plus sign (+) to preserve the log file format. This typically occurs with virus attacks, when, for example, a malicious user sends carriage returns and line feeds that, if not replaced with the plus sign (+), would break the log file format.
Fields are separated by spaces. Field prefixes have the following meanings:
• s- Server actions
• c- Client actions
• cs- Client-to-server actions
• sc- Server-to-client actions
For the time-taken field, the client-request timestamp is initialized when HTTP.sys receives the first byte, but before HTTP.sys begins parsing the request. The client-request timestamp is stopped when the last IIS send completion occurs. Time taken does not reflect time across the network. The first request to the site shows a slightly longer time taken than other similar requests because HTTP.sys opens the log file with the first request.
For more information about the W3C Extended log file format, see W3C Extended Log File Format.
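As an added example (not code from the original page or from Microsoft), a minimal Python parser for the format described above: it keys each row by the most recent #Fields directive, maps the hyphen placeholder to None, and rejects rows whose column count does not match instead of guessing which column is missing. The function names, the sample lines and the documentation-range addresses are constructed for illustration, and the parser assumes a file can contain more than one header block.

```python
from collections import Counter, defaultdict

def parse_w3c(lines):
    """Return (entries, rejects); entries are dicts keyed by the active #Fields names."""
    fields, entries, rejects = None, [], []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # Assumption: a file may hold several header blocks; the latest #Fields wins.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        # Fields are separated by spaces; split on each one so an empty
        # column shows up as a count mismatch rather than vanishing.
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            rejects.append((n, line))  # keep the raw line for manual review
            continue
        # "-" is the placeholder for a selected field with no information.
        entries.append({k: None if v == "-" else v for k, v in zip(fields, values)})
    return entries, rejects

def status_by_client(entries):
    """Count sc-status values per c-ip, skipping rows that lack either field."""
    out = defaultdict(Counter)
    for e in entries:
        if e.get("c-ip") and e.get("sc-status"):
            out[e["c-ip"]][int(e["sc-status"])] += 1
    return out

# Constructed sample (not from the page); addresses are documentation ranges.
SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-01-03 16:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2005-01-03 16:00:01 192.0.2.10 - GET /Default.htm - 200
2005-01-03 16:00:02 198.51.100.7 - GET /admin.asp id=1 404
2005-01-03 16:00:03 198.51.100.7 - GET /login.asp 404
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2005-01-03 16:05:00 198.51.100.7 GET /backup.zip 404 15
""".splitlines()

if __name__ == "__main__":
    entries, rejects = parse_w3c(SAMPLE)
    print(len(entries), "parsed;", len(rejects), "rejected:", rejects)
    print({ip: dict(c) for ip, c in status_by_client(entries).items()})
```

The rejected row is the one whose column count is one short of its #Fields line; it is returned with its line number so it can be inspected instead of being mis-mapped.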
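Note: The following section is translated from the explanation on the Microsoft website, "W3C Extended Log File Format (IIS 6.0)".

The W3C Extended log file format is the default log format for IIS (Microsoft IIS); its content is encoded as ASCII text by default. You can use IIS Manager to select the various

| Field | Field identifier | Description | Default (Y/N) |
|---|---|---|---|
| Date | date | The date on which the action occurred. | Y |
| Time | time | The time at which the action occurred (UTC by default). | Y |
| Client IP address | c-ip | The IP address of the client that accessed the server. | Y |
| User name | cs-username | The name of the authenticated user who accessed the server. Anonymous users are not included (shown as '-'). | Y |
| Service name | s-sitename | The Internet service name and instance number that the client accessed. | N |
| Server name | s-computername | The name of the server that generated the log entry. | N |
| Server IP address | s-ip | The IP address of the server that generated the log entry. | Y |
| Server port | s-port | The transport-layer port on which the server provides the service. | Y |
| Method | cs-method | The action performed by the client (mainly GET and POST). | Y |
| URI Stem | cs-uri-stem | The resource that was accessed, for example Default.asp. | Y |
| URI Query | cs-uri-query | The parameters submitted by the client (including GET and POST actions). | Y |
| Protocol status | sc-status | The status returned after the action was performed, described in HTTP or FTP terms. | Y |
| Win32 status | sc-win32-status | The status of the action, described in Microsoft Windows terms. | N |
| Bytes sent | sc-bytes | The number of bytes the server sent to the client. | N |
| Bytes received | cs-bytes | The number of bytes the server received from the client. | N |
| Time taken | time-taken | The time taken to perform the action, in milliseconds. | N |
| Protocol version | cs-version | The version of the protocol (HTTP, FTP) used by the client. For HTTP this is HTTP 1.0 or HTTP 1.1. | N |
| Host | cs-host | The client's HTTP host header information. | N |
| User agent | cs(User-Agent) | The browser version information of the client. | Y |
| Cookie | cs(Cookie) | The content of the cookie sent or received. | N |
| Referrer | cs(Referer) | The previous URL the user visited; the current URL was reached through a link from it. | N |
| Protocol substatus | sc-substatus | Some error information about the underlying protocol status. | Y |

For more details about the status codes field, see: "".
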
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-01-03 16:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status sc-bytes cs-bytes time-taken
2005-01-01 16:02:22 GET /Enterprise/detail.asp id=1612186 200 17735 369 4656
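
Here is what we can learn from this: it is a web server running IIS version 6 (indicated by #Software), the version is 1.0 (indicated by #Version),
to Server method, the object read, the parameters, the client IP address, the object the client previously accessed, the status returned by the service, the Server to Client
normal requests, such as HTTP probing, HTTP DoS and CC;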