IIS Manager
IIS 7.0 introduces a completely new user interface, the IIS Manager. The IIS Manager makes it
easier to browse and make changes to IIS settings, including log file settings. For example,
if you wanted to implement the centralized logging in IIS 6.0, you had to use ADSUtil.vbs.
Now, the Centralized Logging option is exposed in the IIS Manager, as shown in Figure 15-1.
The XML-Based Logging Schema
IIS 7.0 uses a new configuration system that is XML-based and is very similar to the ASP.NET
configuration system. Each configuration section is defined in XML schema files located in
%SystemRoot%\system32\inetsrv\config\schema. Details on the configuration sections are
covered in Chapter 4, “Understanding the Configuration System.” Because information is
defined in XML files, it is easy to determine what attributes, elements, and enums are used.
The schema for IIS 7.0 contains a list of all the configurable options, so looking in the schema
file is a quick way to identify all the configurable settings for any feature, including logging.
The following listing is from the system.applicationHost/log section that is located in
%SystemRoot%\system32\inetsrv\config\schema\IIS_Schema.xml. (Some long lines have
been split to fit on the printed page.) As you can see, the XML clearly defines the names and
data types associated with each item.
<sectionSchema name="system.applicationHost/log">
<attribute name="logInUTF8" type="bool" defaultValue="true" />
<attribute name="centralLogFileMode" type="enum" defaultValue="Site" >
<enum name="Site" value="0"/>
<enum name="CentralBinary" value="1"/>
<enum name="CentralW3C" value="2"/>
</attribute>
<element name="centralBinaryLogFile">
<attribute name="enabled" type="bool" defaultValue="false" />
<attribute name="directory" type="string" expanded="true"
defaultValue="%SystemDrive%\inetpub\logs\LogFiles" />
<attribute name="period" type="enum" defaultValue="Daily">
<enum name="Hourly" value="4"/>
<enum name="Daily" value="1"/>
<enum name="Weekly" value="2"/>
<enum name="Monthly" value="3"/>
<enum name="MaxSize" value="0"/>
</attribute>
<attribute name="truncateSize" type="int64" defaultValue="20971520"
validationType="integerRange"
validationParameter="1048576,4294967295" />
<attribute name="localTimeRollover" type="bool"
defaultValue="false"/>
</element>
<element name="centralW3CLogFile">
<attribute name="enabled" type="bool" defaultValue="true" />
<attribute name="directory" type="string" expanded="true"
defaultValue="%SystemDrive%\inetpub\logs\LogFiles"
validationType="nonEmptyString" />
<attribute name="period" type="enum" defaultValue="Daily">
<enum name="Hourly" value="4"/>
<enum name="Daily" value="1"/>
<enum name="Weekly" value="2"/>
<enum name="Monthly" value="3"/>
<enum name="MaxSize" value="0"/>
</attribute>
<attribute name="truncateSize" type="int64" defaultValue="20971520"
validationType="integerRange"
validationParameter="1048576,4294967295" />
<attribute name="localTimeRollover" type="bool"
defaultValue="false"/>
<attribute name="logExtFileFlags" type="flags"
defaultValue="Date, Time, ClientIP, UserName, SiteName, ServerIP,
Method, UriStem, UriQuery, HttpStatus, Win32Status,
ServerPort, UserAgent, HttpSubStatus">
<flag name="Date" value="1"/>
<flag name="Time" value="2"/>
<flag name="ClientIP" value="4"/>
<flag name="UserName" value="8"/>
<flag name="SiteName" value="16"/>
<flag name="ComputerName" value="32"/>
<flag name="ServerIP" value="64"/>
<flag name="Method" value="128"/>
<flag name="UriStem" value="256"/>
<flag name="UriQuery" value="512"/>
<flag name="HttpStatus" value="1024"/>
<flag name="Win32Status" value="2048"/>
<flag name="BytesSent" value="4096"/>
<flag name="BytesRecv" value="8192"/>
<flag name="TimeTaken" value="16384"/>
<flag name="ServerPort" value="32768"/>
<flag name="UserAgent" value="65536"/>
<flag name="Cookie" value="131072"/>
<flag name="Referer" value="262144"/>
<flag name="ProtocolVersion" value="524288"/>
<flag name="Host" value="1048576"/>
<flag name="HttpSubStatus" value="2097152"/>
</attribute>
</element>
</sectionSchema>
Centralized Logging Configuration Options
Following is the logging section defined in the ApplicationHost.config file that controls
Centralized Logging options. You can change this so that your files are stored on another drive
or volume. You can enable options you want and disable whatever options you do not need.
<log>
<centralBinaryLogFile enabled="true"
directory="%SystemDrive%\inetpub\logs\LogFiles" />
<centralW3CLogFile enabled="true"
directory="%SystemDrive%\inetpub\logs\LogFiles" />
</log>
SiteDefaults Configuration Options
The SiteDefaults section in the ApplicationHost.config file, shown in the following code,
controls the logging settings that are used when creating new sites. You can configure two
options: the format of the log file and the location in which Failed Request tracing files are
stored.
<siteDefaults>
<logFile logFormat="W3C"
directory="%SystemDrive%\inetpub\logs\LogFiles" />
<traceFailedRequestsLogging
directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
</siteDefaults>
Disable HTTP Logging Configuration Options
In some cases, an IIS administrator does not require log files. If you would like to turn off
httpLogging at the server level, you can disable logging in the IIS Manager. You can also
disable logging at the site level. You might wonder why these options are available. It’s so that
you can disable logging on your test or development machines to reduce the disk space
that unnecessary files use.
You should evaluate your options before disabling httpLogging. Check with your business or
legal department to be certain what your company’s logging requirements and policies are.
The default value for this setting, as shown here, is false.
<httpLogging dontLog="false" />
Default Log File Location
One of the most significant changes in IIS 7.0 is that the folder where IIS stores WWW logs
has been changed to %SystemDrive%\inetpub\logs\LogFiles. For example, the Default Web
Site would log to C:\inetpub\logs\LogFiles\w3svc1. This means that by default in IIS 7.0, all
log files are stored in a single folder. Note, however, that log files for the legacy built-in File
Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP) services are still located in
%windir%\System32\Logfiles. You can manage these files by using the IIS Manager 6.0, an
MMC console that is installed when you install the legacy FTP service or the SMTP service.
Note The new FTP Publishing Service for IIS 7.0 stores its log files in %SystemDrive%\
inetpub\logs\LogFiles by default. You need to download and install this add-on, because it
does not ship with IIS 7.0. The x86 and x64 versions are available at http://www.iis.net. Click
Download and search for “Microsoft FTP Publishing Service for IIS 7.0.”
Default UTF-8 Encoding
By default, IIS 7.0 stores log files by using UTF-8 encoding. This changes the default file
naming convention so that the files start with u_ (for example, u_exYYMMDD.log). Here is
the portion of the IIS_Schema.xml file that sets the UTF-8 encoding option. The default
setting is true.
<sectionSchema name="system.applicationHost/log">
<attribute name="logInUTF8" type="bool" defaultValue="true" />
...
</sectionSchema>
UTF-8 encoding allows for single-byte and multi-byte characters in one string. This encoding
enables you to read text-based logs (for example, logs that use W3C Extended, IIS, and NCSA
Common formats) in a language other than English. IIS does not support the UTF-8 format
for the built-in FTP Publishing Service log files. UTF-8 encoding is available in IIS 6.0, but it is
not enabled by default. If you do not want to have your logs use UTF-8 encoding, you can use
ANSI as the format.
New Status Codes
In IIS 7.0, new status codes have been introduced for HTTP and FTP. These additional error
codes provide more details about events and better descriptions of how to fix errors, with
suggestions about what to look for or what procedures to run. Appendix A provides a
complete list of all status codes.
Management Service
IIS 7.0 introduces Management Service, which enables computer and domain administrators
to remotely manage a machine by using the IIS Manager. The Management Service also
enables nonadministrators to control sites and various applications by using the IIS Manager
from a workstation.
This service has its own logs that are used to track information related to the Management
Service. This service is not installed by default. If you install and enable this service, the logs
will be saved in %SystemDrive%\inetpub\logs\WMSvc.
From a logging perspective, you should make sure the Management Service logging is enabled.
The logs can help you audit and troubleshoot issues when clients are connecting to your
server. The Management Service is discussed in depth in Chapter 8, “Remote Administration.”
Log File Formats That Have Not Changed
IIS 7.0 supports all the common logging formats that are available in prior versions of IIS.
There have been no changes in IIS 7.0 to the following log file formats:
■ Microsoft IIS
■ NCSA
■ W3Svc extended
Note For descriptions, further discussion, and examples of these log formats, go to
http://msdn2.microsoft.com and search for “IIS logging formats.”
Centralized Logging
Centralized logging in IIS 7.0 operates the same way as it does in IIS 6.0. However, you can
now configure this option in the IIS 7.0 Manager. To access this feature, go to Administrative
Tools > Internet Information Services (IIS) Manager. Click the computer name and locate
the Logging option listed in the IIS section.
Using the Logging option can reduce administrative costs because only one IIS log file is
being maintained. If you use binary logging, the log can be stored in a much smaller file than
the equivalent text log file.
W3C Centralized Logging Format
W3C centralized logging was first introduced in Windows Server 2003 SP1. W3C centralized
logging is a server-level setting. When you enable this feature on a server, all Web sites on
that server are configured to write log data to a central log file. Data is stored in the log file
using the W3C Extended log file format. You can enable this setting through the IIS 7.0
Manager or by using Appcmd. If you use W3C centralized logging, you can view the log file
with a text editor such as Notepad.
Note W3C centralized logging uses the W3C Extended log format, which includes the following
four fields: HostHeader, Cookie, UserAgent, and Referrer. These fields are not available in
centralized binary logging.
Centralized Binary Logging Format
Centralized binary logging is essentially the same as W3C centralized logging, except that
the log file uses a proprietary, binary format. Because the resulting file is binary, it is smaller
than an equivalent text file so that you can conserve disk space. It cannot be read with a text
editor and requires parsing to produce useful information. However, this is easier than you
might think when you use the Log Parser tool, which reads the centralized binary file format
natively. The Log Parser tool is discussed later in this chapter.
Important The built-in FTP and SMTP services do not support W3C centralized logging.
Remote Logging
IIS 7.0 supports writing log files to a network share. This option enables you to have your log
files stored in real time to a remote computer. For example, suppose that you have a Web farm
configured for logging to a central location. The remote file server could be a server running
DFS (distributed file system). DFS can provide multiple benefits including a central location
to collect your log files and automatic replication of your logs to multiple locations. Having
such a primary collection point can make handling your reporting processes much easier.
Important When you set up your remote logging environment, make sure the host (A)
and pointer (PTR) DNS records are set up so that authentication and resolution happens
correctly. This can help avoid problems such as Kerberos authentication errors when HTTP.sys
is trying to write log files.
You can use either the IIS 7.0 Manager or Appcmd to set up Universal Naming Convention
(UNC) remote logging.
Setting Up Remote Logging by Using the IIS Manager
Following are the steps to enable remote logging by using the IIS Manager:
1. Create a directory called IISLogs on the remote server that will store the log files. This
machine is typically in the same domain as the Web servers. If the remote server is
not in the same domain or is a stand-alone machine, you can use the procedure outlined
in the following sidebar so your files are stored on a remote machine.
Using a NULL Session for Remote Logging
If your remote server will be in a different domain, you can set up a NULL Session to
support remote logging. The following procedure outlines how to set up this environment.
If your remote server is not in a different domain, you can skip over the details of
this outline and proceed with step 2 of the procedure for setting up remote logging by
using the IIS Manager.
Before setting up your environment, make sure both machines can resolve each other
using DNS, WINS, or custom entries in the local HOSTS file. This procedure assumes
both servers are Windows Server 2008.
1. Identify two machines, the Web server and the file server. These roles need to be
on separate physical machines.
2. Create a folder called IISLogs on your file server and then create a share and grant
appropriate folder security.
a. Open a command prompt on the file server and type mkdir c:\IISLogs
b. Then type net share IISLogs=c:\IISLogs /Grant:Everyone,FULL
c. Then type cacls c:\IISLogs /G Administrators:F SYSTEM:F Everyone:C
d. When you see the prompt “Are you sure (Y/N)?” type y
e. Processed dir: c:\IISLogs
3. Configure logging on your Web site by typing
appcmd set sites "WebsiteName" -logFile.directory:\\FileServerName\IISLogs
4. Configure Local Security Policy on the file server.
*Programs, Administrative Tools, Local Security Policy, Local Policies, Security Options*
a. Enable:Network access:Let Everyone permissions to apply to anonymous users.
b. Add IISLogs share to the Network access:Shares that can be accessed
anonymously.
5. Browse your Web site on the Web server.
a. Open http://localhost/
6. Open a command prompt on the Web server and type the following command:
netsh http flush logbuffer
7. Check your log files to see if your sample request is listed.
2. Share the IISLogs folder you created in the previous step. Change the share permissions
to—at minimum—enable both the remote machine accounts Administrators group and
the account that is writing the log files full control. Change the NTFS file system (NTFS)
permissions so that the remote machine accounts Administrators have full control and
the account writing the log files has modify permissions. This example assumes that
you are using the NETWORK SERVICE as your application pool account and that the
remote server and Web server are in the same domain.
Note When the NETWORK SERVICE account accesses a remote resource, it uses the
computer account stored in Active Directory Domain Service as the actual account
accessing the log folder.
3. In the IIS Manager, navigate to your Web site and type in the UNC path to the server.
To do so, go to Administrative Tools > Internet Information (IIS) Manager. Select the
computer name in the leftmost column and then double-click the Logging icon in
the IIS Section. Type the path to the share in the Directory text box by using the syntax
\\ServerName\ShareName, as shown in Figure 15-2.
Note You can also use the syntax \\FQDN\ShareName to specify the logging path,
but you might run into issues if you try to use the syntax \\IPAddress\ShareName to
specify the path. The \\IPAddress\ShareName syntax can cause an authentication issue
that prevents the log files from being created. The following is an example of an error
generated when trying to use an IP Address when remote logging is enabled:
Microsoft-Windows-HttpService , LogFileCreateFailed ,
49, 0, 16, 2, 59, 9,
0x0000000000000800, 0x00000004, 0x000005AC, 0,
, , {00000000-0000-0000-0000-
000000000000}, ,
128277049412643098, 220, 0, 0xC0000022,
"ResponseLogging ", "Site ", "W3C ",
"\dosdevices\UNC\192.168.0.125\UncLogFiles\W3SVC1\u_ex070630.log",
0 4. Click Apply.
5. Browse a Web page in your site.
6. Open a command prompt by using elevated credentials and type netsh http flush
logbuffer. If this is the first time entries have been logged, HTTP.sys will create the
folder and a log file. Open the log file in Notepad to confirm your example entries have
been logged.
Setting Up Remote Logging by Using Appcmd
You can also use Appcmd to update the logfile directory for a specific Web site. The syntax for
configuring UNC remote logging using Appcmd is shown here. (The line has been split to fit it
on the printed page.)
//Appcmd to set the log directory path for Default Web Site
Appcmd set sites "Default Web Site"
-logFile.directory:\\RemoteServerCMD.Contoso.com\LogFiles
Note To automate configuring remote logging, you could put this example into a script to
which you can pass variables.
Executing this command results in the following output:
SITE object "Default Web Site" changed
Note