CHAPTER 7
Logging Server Activity
Each of the services contained in Microsoft Peer Web Services can be configured to log information about who accessed the server and what information they accessed. This data can help you fine-tune your site, plan for the number of users that regularly gain access to your site, assess content, and audit security.
The logging feature in Peer Web Services has been designed for flexibility in the following areas:
- Various log-file formats:
Standard format, European Microsoft Windows NT Academic Centre (EMWAC) format, or National Center for Supercomputing (NCSA) Common Log File format.
- Location of log files within the system.
- Creation of new log files:
New log files can be created whenever the files achieve a particular size, or whenever the day, week, or month changes.
This chapter explains how to:
- Configure logging.
- Read file logs.
- Convert log files to other formats.
When you set up Peer Web Services, you can enable logging to see who has been using the server and how many times your online information was accessed.
To configure logging:
- Determine in which folder the logs will be stored.
- Specify how often logs are to be rotated (every day, every week, every month, and so on).
- Select the log tools you want to use to analyze the logs your server collects.
In Internet Service Manager, double-click the service to display its property sheets. The Logging property sheet sets logging for the selected information service.
To start logging, select the Enable Logging check box on the Logging property sheet. To stop logging, clear the Enable Logging check box. Choose Log to File to log activity information for the selected information service to a text file.
Use the Log Format box to select the logging format you want. Click the arrow and choose either Standard format or NCSA format, National Center for Supercomputing Applications (NCSA) Common Log File format.
This option generates new logs using the specified frequency. If not selected, the same log file will grow indefinitely.
This option sets the folder (directory) containing the log file.
This field shows the file name used for logging. If multiple services are configured to log to the same folder, they will use the same file.
To log to a file
1. In Internet Service Manager, double-click a service to display its property sheets, then click the Logging tab.
2. Select the Enable Logging check box.
3. Select Log to File.
4. In the Log Format box, select the logging format you want, either Standard or NCSA.
5. To create a new log file when certain conditions are met, select the Automatically open new log check box.
The service will close the log file and create a new one with a different name in the same folder when the appropriate interval or file size is reached. Log file names are as follows:
- Inetsv1.log if Automatically open new log is not selected.
- Inetsvnnn.log (where nnn is a sequentially increasing number) if When file size reaches is selected.
- Inmmddyy.log (where mmddyy is the month, day, and year when the log file is created) if one of the Daily, Weekly, or Monthly options is enabled.
For the Daily, Weekly, or Monthly options, the log file is closed the first time a log record is generated after midnight on the last day of the current log file. The new log file name will include the date of the first day in the log file.
For the When file size reaches option, every time the log file is closed and a new one is created, the sequential number in the file name is incremented.
When logging to a file, the maximum total log line is 1200 bytes. Each field is limited to 150 bytes.
Following are three entries from a log from a server running the WWW, gopher, and FTP services; the entries are in two tables only because of page-width limitations.
Clients IP address |
Clients username |
Date |
Time |
Service |
Computer name |
IP address of server |
10.75.176.21 |
|
12/11/95 |
7:55:20 |
W3SVC |
TREY1 |
10.107.1.121 |
10.16.7.165 |
anonymous |
12/11/95 |
23:58:11 |
MSFTPSVC |
TREY1 |
10.107.1.121 |
10.55.82.244 |
|
12/11/95 |
0:00:34 |
GopherSvc |
TREY1 |
10.107.1.121 |
Elapsed time |
Bytes received |
Bytes sent |
Service status code |
Windows NT status code |
Name of the operation |
Target of the operation |
4502 |
163 |
3223 |
200 |
0 |
GET |
small.gif |
60 |
275 |
0 |
0 |
0 |
[376] PASS |
intro |
6139 |
273 |
62184 |
0 |
0 |
file |
form1.bmp |
Parameters for the operation, if applicable, will be listed in the final fields.
Note All fields are terminated with a comma (,). A hyphen acts as a placeholder if there is no valid value for a certain field.
As a sample interpretation of logging data, the first entry in the table says that an anonymous client with the IP address of 10.75.176.21 downloaded (issued a GET command for) the file Small.gif at 7:55 AM on December 11, 1995, from a server named TREY1 at IP address 10.107.1.121. The 163-byte HTTP request had an elapsed processing time of 4502 milliseconds (almost half a second) to complete (without error) and returned 3223 bytes of data to the anonymous client.
The following example shows a log file in NCSA format:
157.55.85.138 - REDMOND\doug [07/Jun/1996:17:39:04 -0800] "POST /iisadmin/default.htm?-, HTTP/1.0" 200 3401
Remote host name |
Clients username |
Date |
Time |
157.55.85.138 |
REDMOND\doug |
07/Jun/1996 |
17:39:10 -0800 |
Request |
Service Status code |
Bytes received |
GET /scripts/iisadmin/ism.dll?http/serv, HTTP/1.0 |
200 |
5125 |
Internet Service Manager provides a choice between two log formats:
- Standard format (Microsoft Professional Internet Services format)
- NCSA Common Log File format
In the Log Format box on the Logging property sheet, click the arrow and select the format you want.
if you have created Microsoft Peer Web Services log files in Standard format and want to convert them to either the EMWAC log file format or NCSA Common Log File format, use the Microsoft Internet Log Converter (Convlog.exe). At the command prompt, type convlog without parameters to see syntax and examples.
To convert logs to other formats
1. Add Convlog.exe (in the \Inetsrv folder, by default) to your path.
2. In a command-prompt window, type the convlog command. See the syntax and examples below.
convlog -s[f|g|w] -t [emwac | ncsa[:GMTOffset] | none]
-o [output directory] -f [temp file directory] -h LogFilename
-d<m:[cachesize]>
Specifies the service for which to convert log entries.
f = Process FTP log entries
g = Process gopher log entries
w = Process WWW log entries
The default for the -s switch is to convert logs for all services.
-t [emwac | ncsa[:GMTOffset] | none]
Specifies the destination conversion format. The default is to create output files in EMWAC format.
Specifies the directory for the converted files. The default is the current directory.
Specifies a temporary directory to hold temporary files created by convlog. The default is C:\Temp or the directory specified by the tmp environment variable.
Specifies the name of the log to be converted. Convlog will display the file name for the converted file.
Converts IP addresses in NCSA log format to computer names or domain names. The default is to not convert IP addresses. The default cachesize is 5000 bytes.
convlog -sf -t ncsa -o c:\logs in*.log
convlog -t ncsa:-0300 in*.log
convlog -o \\stats\logs c:\logs\in*.log
convlog -sfg in*.log
convlog -nm *.log
convlog -t none -nm:20000 *.log
© 1996 by Microsoft Corporation. All rights reserved.