DOCUMENT:Q313437  22-FEB-2002  [iis]
TITLE   :HOW TO: Enable Logging in IIS 5.0
PRODUCT :Internet Information Server
PROD/VER::5.0
OPER/SYS:
KEYWORDS:kbnetwork kbtool kbAudITPro kbHOWTOmaster

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server version 5.0
-------------------------------------------------------------------------------

IN THIS TASK
------------

 - SUMMARY
 - Enable and Configure IIS Logging

SUMMARY
=======

This step-by-step article describes how to enable Internet Information Server
(IIS) version 5.0 logging.

You can use IIS 5.0 to carry out extensive logging of connections that are made
to the server. Logging is a vital part of your IIS 5.0 security plan. You can
use the log files to determine if a security event has taken place and the
files can provide information about the source of the attack.

IIS 5.0 can save log files in a variety of file types. The preferred log type
in a secure environment is the W3C Extended Log File Format. This log format
allows you to configure a large number of extended attributes that are useful
in security analysis. The following information should be collected in your W3C
Extended Log File Format logs:

 - Client IP Address
   This is the IP address of the client that accessed the server. Note that if
   a Web proxy computer is in "front" of the IIS 5.0 computer, the IP address
   of the proxy may show up in the Client IP Address box.

 - User Name
   The name of the user that accessed the server. If anonymous authentication
   is configured, a hyphen (-) is logged instead of the user name.

 - Method
   The action that the client tried to perform. For example, the GET or POST
   commands.

 - URI Stem
   The resource on the IIS 5.0 computer that the user attempted to access. This
   might be an HTML page, a graphic, a CGI program or script.

 - Protocol (HTTP) Status
   This is the status of the action in HTTP terms, as represented by a code
   number.

 - Win32 Status
   The status of the action in Win32 code terms. Error numbers are reported,
   such as error 5, which means that access was denied. You can evaluate error
   messages by typing "net helpmsg err" (without the quotation marks) at the
   command prompt, and then pressing ENTER.

 - User Agent
   The name of the browser that is accessing the server.

 - Server IP Address
   This is the IP address of the virtual server that is receiving the request.
   This is helpful if you host multiple virtual servers on the same computer
   that uses different IP addresses.

 - Server Port
   This is the port number of the virtual server that is receiving the request.
   This is helpful if you host multiple virtual servers on the same computer
   that uses different IP addresses.

Enable and Configure IIS Logging
--------------------------------

To configure IIS logging:

1. Click Start, point to Programs, point to Administrative Tools, and then
   click Internet Services Manager.

2. Right-click the virtual server on which you want to enable logging, and then
   click Properties.

3. Click the Web Site tab, and then click to select the Enable Logging check
   box.

4. In the "Active log format" box, click W3C Extended Log File Format.

5. Click Properties. On the General Properties tab, click Daily to cause the
   creation of a new log file each day.

6. Click "Use local time for file naming and rollover" if you want to use local
   time rather than GMT to determine when a new file is created and named.

7. Click the Extended Properties tab, and then select the options that are
   noted in the first part of this article. Click Apply, and then click OK.

8. Click Apply, and then click OK in the "Web site Properties" dialog box.

After you make the preceding changes, restart the virtual server.
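
Added example (not part of the original Microsoft article): once logging is enabled, the script below reads a W3C Extended log, checks that its #Fields: directive carries every field recommended in the SUMMARY section, and lists the requests logged with Win32 status 5 (access denied). The identifiers such as c-ip and sc-win32-status are the names IIS writes in the #Fields: line; the sample log lines and addresses are constructed.

```python
# Added example: audit a W3C Extended log against the article's field list.
# Keys are the identifiers IIS writes in the "#Fields:" directive.
REQUIRED = {
    "c-ip": "Client IP Address",
    "cs-username": "User Name",
    "cs-method": "Method",
    "cs-uri-stem": "URI Stem",
    "sc-status": "Protocol (HTTP) Status",
    "sc-win32-status": "Win32 Status",
    "cs(User-Agent)": "User Agent",
    "s-ip": "Server IP Address",
    "s-port": "Server Port",
}

# Constructed sample log (addresses from the 192.0.2.0/24 documentation range).
SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-02-22 10:15:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
2002-02-22 10:15:02 192.0.2.10 - 192.0.2.1 80 GET /default.htm 200 0 Mozilla/4.0+(compatible;+MSIE+6.0)
2002-02-22 10:15:09 192.0.2.44 - 192.0.2.1 80 GET /admin/report.asp 401 5 Mozilla/4.0+(compatible;+MSIE+6.0)
""".splitlines()

def missing_fields(lines):
    """Return the recommended fields absent from any #Fields: directive."""
    headers = [l.split(":", 1)[1].split() for l in lines if l.startswith("#Fields:")]
    if not headers:  # no directive at all: nothing can be verified
        return sorted(REQUIRED.values())
    return sorted({REQUIRED[f] for h in headers for f in REQUIRED if f not in h})

def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def access_denied(lines):
    """Requests whose Win32 status is 5 (access denied, per the article)."""
    return [r for r in parse_w3c(lines) if r.get("sc-win32-status") == "5"]
```
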

NOTE: For more information about the extended log file format, see the W3C
Working Draft WD-logfile-960323 specification at the following Web site:

   http://www.w3.org/TR/WD-logfile

The third-party contact information included in this article is provided to
help you find the technical support you need. This contact information is
subject to change without notice. Microsoft in no way guarantees the accuracy
of this third-party contact information.

======================================================================
Technology        : kbiisSearch kbiis500
Version           : :5.0
Issue type        : kbhowto

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.