IIS 7.0 : Configuring IIS Logging

IIS 7.0 provides multiple ways to configure and administer your Web server, and that includes configuring your log settings. This section covers how to use the built-in graphical user interface (GUI) as well as command line tools to configure log settings.

IIS Manager

The IIS Manager is a completely rewritten tool that administrators can use to manage their Web servers. The intuitive interface enables you to quickly review and adjust all settings, including those that apply to log files. To access the Logging section of the IIS Manager, follow this procedure:

1.
Go to Administrative Tools > Internet Information Services (IIS) and select the server name. Figure 1 shows the icon for the global Logging section when it is selected.

Figure 1. The icon for the global Logging section selected in the IIS Manager.


2.
Double-click the Logging icon to view the interface through which you can administer logging settings for the server.

The default settings are shown in Figure 2. Because the server node selected is in the tree in the left pane, these settings are inherited by all Web sites configured on the server.

Figure 2. Default global settings.


3.
To make changes, select the appropriate drop-down box and select the option you want. For example, to change the server from site-level logging (creating one log file per site) to server-level logging (creating one log file per server), select Server in the One Log File Per drop-down list, as shown in Figure 3.

Figure 3. Go to the IIS Manager to change logging from site-level logging to server-level logging.


In IIS 6.0, you need to write a script to change the CentralW3CLoggingEnabled metabase property. This is one example of how the IIS Manager is more powerful and easier to use than it was in the previous version of IIS.

Note

When you configure IIS 7.0 to use server-level logging, the Binary format is selected by default. To have your server-level log use W3C extended logging, simply select W3C in the Format drop-down list.

 

IIS 7.0 also enables you to make changes on individual Web sites. For example, you can click the Select Fields button to adjust which options are logged for a specific Web site, as shown in Figure 4. In this figure, the Bytes Sent ( sc-bytes ), Bytes Received ( cs-bytes ), Time Taken ( time-taken ), and Referer ( cs(Referer) ) options have been selected. You can also adjust the log Directory setting, the Log File Rollover setting, and the Use Local Time For File Naming And Rollover setting.

Figure 4. Clicking the Select Fields button lets you choose which options are logged for a given Web site.



Appcmd

The IIS Manager is a great tool for managing individual settings that use a GUI. Appcmd is a tool that is intended to perform all administrative functions from a command line. Appcmd replaces a variety of scripts and tools used in previous IIS versions.

All the logging settings you might need to adjust are located in three sections of applicationHost.config: system.applicationHost/log, system.applicationHost/sites, and system.webServer/httpLogging.

The previous example uses IIS Manager to configure server-level logging. To use Appcmd to perform this same operation, follow this procedure:

1.
Open a command prompt and navigate to the %SystemRoot%\System32\inetsrv folder where Appcmd is deployed.

Note

If you add this path to your global PATH environment variable, you can execute Appcmd from any folder location.

2.
Execute the following command from the command prompt to list the current settings:

Appcmd list config -section:log


Following are the default settings:

<system.applicationHost>
  <log>
    <centralBinaryLogFile enabled="true"
directory="%SystemDrive%\inetpub\logs\LogFiles" />
    <centralW3CLogFile enabled="true"
directory="%SystemDrive%\inetpub\logs\LogFiles" />
  </log>
</system.applicationHost>


This will display the ApplicationHost.config section where the centralLogFileMode settings are stored.

3.
Next execute the following command to configure server-level logging:

Appcmd set config -section:log -centralLogFileMode:CentralW3C


4.
After you have executed the command in step 3, execute the following command to list the current settings and verify the settings have been changed:

Appcmd list config -section:log


The result, showing that the centralLogFileMode has changed to CentralW3C, should look like the following. (Some lines have been split to fit on the printed page.)

C:\Windows\System32\inetsrv>Appcmd list config -section:log
<system.applicationHost>
  <log centralLogFileMode="CentralW3C">
    <centralBinaryLogFile enabled="true"
        directory="%SystemDrive%\inetpub\logs\LogFiles" />
    <centralW3CLogFile enabled="true"
        directory="%SystemDrive%\inetpub\logs\LogFiles" />
  </log>
</system.applicationHost>

C:\Windows\System32\inetsrv>


Notice the log centralLogFileMode=“CentralW3C” setting. Before executing the Appcmd set config command, there was no value listed, because the Site option is the default setting as defined in the schema.

As another example, assuming you have already set the global Server attribute, if you want to adjust the global localTimeRollover setting, use this command:

Appcmd set config -section:log -centralW3CLogFile.localTimeRollover:True


The result should look like this:

Applied configuration changes to section "system.applicationHost/log" for "MACHINE/WEBROOT/
APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

					  


Or, for example, you might want to change the siteDefaults log format to NCSA so that all new sites will inherit this setting unless otherwise configured on a specific site. You can adjust the global Format option to NCSA with this command:

Appcmd set config -section:sites -siteDefaults.logFile.logFormat:NCSA


Here’s the result:

Applied configuration changes to section "system.applicationHost/sites" for "MACHINE/
WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

					  


Appcmd enables you to quickly use the command line to make changes to your IIS log settings. You can create a set of scripts that use Appcmd to replace the repetitive changes typically required when using the IIS Manager GUI. Such scripts can help streamline and automate your server configuration and deployment.

Advanced Appcmd Details

Appcmd enables you to perform many advanced operations. Here are some tips for using Appcmd to configure advanced properties.

When you configure the centralLogFileMode attribute, the only way to view which properties (also known as enums) are available is to open the IIS_Schema.xml file. It’s not too much trouble to do this once in a while, but it’s more efficient to use Appcmd to list the available properties. For example, the following command lists all the properties that can be set in the system.applicationHost/log section:

//List all properties available the system.applicationHost/log section
Appcmd set config –section:log -?


The output looks like this:

ERROR ( message:-logInUTF8
-centralLogFileMode
-centralBinaryLogFile.enabled
-centralBinaryLogFile.directory
-centralBinaryLogFile.period
-centralBinaryLogFile.truncateSize
-centralBinaryLogFile.localTimeRollover
-centralW3CLogFile.enabled
-centralW3CLogFile.directory
-centralW3CLogFile.period
-centralW3CLogFile.truncateSize
-centralW3CLogFile.localTimeRollover
-centralW3CLogFile.logExtFileFlags
 )


To adjust a property value, use the following syntax. (You can adjust multiple attributes by putting a space between each property value.)

Appcmd set config –section:log –property1Name:Value –property2Name:Value


If you are not sure which values are available to set on a particular property, you can use the following command to find out the values. This example shows how to get all values that can be set for the centralLogFileMode property:

//Find out which values can be set.
Appcmd set config –section:log –centralLogFileMode -?


The resulting error message lists the valid values, in this case Site, CentralBinary, and CentralW3C:

ERROR ( message:Unknown attribute "centralLogFileMode"..
Reason: Enum must be one of Site, CentralBinary, CentralW3C. )


You can change the site’s log settings. To list all the properties that are available as well as their syntax, type this command:

//List all properties available on the Sites section
Appcmd set config -section:sites -?


The output shows all properties related to the Sites section. The options starting with -siteDefaults.logFile, shown in the next lines of code in bold, enable you to adjust the defaults inherited by new sites. (Some lines have been split to fit on the printed page.)

C:\Windows\System32\inetsrv>Appcmd set config -section:sites -?
ERROR ( message:-siteDefaults.name
-siteDefaults.id
-siteDefaults.serverAutoStart
-siteDefaults.bindings.
    [protocol='string',bindingInformation='string'].protocol
-siteDefaults.bindings.
    [protocol='string',bindingInformation='string'].bindingInformation
-siteDefaults.limits.maxBandwidth
-siteDefaults.limits.maxConnections
-siteDefaults.limits.connectionTimeout
-siteDefaults.logFile.logExtFileFlags
							-siteDefaults.logFile.customLogPluginClsid
							-siteDefaults.logFile.logFormat
							-siteDefaults.logFile.directory
							-siteDefaults.logFile.period
							-siteDefaults.logFile.truncateSize
							-siteDefaults.logFile.localTimeRollover
							-siteDefaults.logFile.enabled
-siteDefaults.traceFailedRequestsLogging.enabled
-siteDefaults.traceFailedRequestsLogging.directory
-siteDefaults.traceFailedRequestsLogging.maxLogFiles
-siteDefaults.traceFailedRequestsLogging.maxLogFileSizeKB
-siteDefaults.traceFailedRequestsLogging.customActionsEnabled
-applicationDefaults.path
-applicationDefaults.applicationPool
-applicationDefaults.enabledProtocols
-virtualDirectoryDefaults.path
-virtualDirectoryDefaults.physicalPath
-virtualDirectoryDefaults.userName
-virtualDirectoryDefaults.password
-virtualDirectoryDefaults.logonMethod
-virtualDirectoryDefaults.allowSubDirConfig
-[name='string',id='unknown'].name
-[name='string',id='unknown'].id
-[name='string',id='unknown'].serverAutoStart
-[name='string',id='unknown'].bindings.
    [protocol='string',bindingInformation='string'].protocol
-[name='string',id='unknown'].bindings.
    [protocol='string',bindingInformation='string'].bindingInformation
-[name='string',id='unknown'].limits.maxBandwidth
-[name='string',id='unknown'].limits.maxConnections
-[name='string',id='unknown'].limits.connectionTimeout
-[name='string',id='unknown'].logFile.logExtFileFlags
-[name='string',id='unknown'].logFile.customLogPluginClsid
-[name='string',id='unknown'].logFile.logFormat
-[name='string',id='unknown'].logFile.directory
-[name='string',id='unknown'].logFile.period
-[name='string',id='unknown'].logFile.truncateSize
-[name='string',id='unknown'].logFile.localTimeRollover
-[name='string',id='unknown'].logFile.enabled
-[name='string',id='unknown'].traceFailedRequestsLogging.enabled
-[name='string',id='unknown'].traceFailedRequestsLogging.directory
-[name='string',id='unknown'].traceFailedRequestsLogging.maxLogFiles
-[name='string',id='unknown'].traceFailedRequestsLogging.maxLogFileSizeKB
-[name='string',id='unknown'].
    traceFailedRequestsLogging.customActionsEnabled
-[name='string',id='unknown'].applicationDefaults.path
-[name='string',id='unknown'].applicationDefaults.applicationPool
-[name='string',id='unknown'].applicationDefaults.enabledProtocols
-[name='string',id='unknown'].virtualDirectoryDefaults.path
-[name='string',id='unknown'].virtualDirectoryDefaults.physicalPath
-[name='string',id='unknown'].virtualDirectoryDefaults.userName
-[name='string',id='unknown'].virtualDirectoryDefaults.password
-[name='string',id='unknown'].virtualDirectoryDefaults.logonMethod
-[name='string',id='unknown'].virtualDirectoryDefaults.allowSubDirConfig
-[name='string',id='unknown'].[path='string'].path
-[name='string',id='unknown'].[path='string'].applicationPool
-[name='string',id='unknown'].[path='string'].enabledProtocols
-[name='string',id='unknown'].[path='string'].virtualDirectoryDefaults.path
-[name='string',id='unknown'].[path='string'].
    virtualDirectoryDefaults.physicalPath
-[name='string',id='unknown'].[path='string'].
    virtualDirectoryDefaults.userName
-[name='string',id='unknown'].[path='string'].
    virtualDirectoryDefaults.password
-[name='string',id='unknown'].[path='string'].
    virtualDirectoryDefaults.logonMethod
-[name='string',id='unknown'].[path='string'].
    virtualDirectoryDefaults.allowSubDirConfig
-[name='string',id='unknown'].[path='string'].[path='string'].path
-[name='string',id='unknown'].[path='string'].[path='string'].physicalPath
-[name='string',id='unknown'].[path='string'].[path='string'].userName
-[name='string',id='unknown'].[path='string'].[path='string'].password
-[name='string',id='unknown'].[path='string'].[path='string'].logonMethod
-[name='string',id='unknown'].[path='string'].[path='string'].
    allowSubDirConfig
 )

					  


You can also adjust settings for specific Web sites by using the properties starting with -[name=‘string’,id=‘unknown’].logFile. You simply need to replace the ‘unknown’ value with the Web site name. Following is an example of how to adjust settings in a specific site. Notice that the example for the Default Web Site contains double quotation marks. This is necessary to handle spaces in the Web site name. Remember to change the name and ID when using the example.

//Example how to set the logFile.directory property with a
//Site with spaces in the name.

C:\Windows\System32\inetsrv>Appcmd set config -section:sites
/[name='"Default Web Site"',id='1'].logFile.directory:c:\wwwlogs

//Example how to setup logFile.directory property with no spaces
//in the Site name.

C:\Windows\System32\inetsrv>Appcmd set config -section:sites
/[name='Contoso.com',id='2'].logFile.directory:c:\wwwlogs


You can also use Windows PowerShell 1.0 to administer your IIS 7.0 server. This section shows a few examples of setting the Logfile directory value. In the following sample script, you first load Microsoft.Web.Administration.dll into your Windows PowerShell session. Next, you assign an instance of the ServerManager$sm variable, which allows you to query and set Logfile values. (In the following listing, some lines have been split so that they fit on the printed page.) object to the

//Load the dll into the Powershell session
[System.Reflection.Assembly]::LoadFrom
    ( "C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll" )

//Load an instance of the Server Manager object into the $sm variable
$sm = new-object Microsoft.Web.Administration.ServerManager

//List Default Web Site LogFile Directory value.
$sm.Sites["Default Web Site"].LogFile.Directory
//List SiteDefaults LogFile Directory value.
$sm.SiteDefaults.LogFile.Directory

//Set Default Website LogFile Directory
$sm.Sites["Default Web Site"].LogFile.Directory =
    "\\RemoteServer.Contoso.com\Logfiles"
$sm.CommitChanges()

//Set SiteDefaults LogFile Directory
$sm.SiteDefaults.Logfile.Directory = "\\RemoteServer.Contoso.com\Logfiles"
$sm.CommitChanges()


Immediately flushing log entries to disk is introduced in Windows Server 2008. The HTTP.sys service holds requests until they are periodically flushed to disk. When you are troubleshooting an immediate issue, you can use the following netsh command, which can be especially useful for troubleshooting HTTP.sys-related errors.

//Flush log entries to disk immediately
Netsh http flush logbuffer


HTTP.sys Logging

In IIS 6.0, the HTTP.sys process was introduced and took over logging duties that used to be handled by Inetinfo.exe. HTTP.sys introduced another log called HTTPERR log. The HTTPERR logs for Windows Server 2008 are located in the same location as for Windows Server 2003. The path is %SystemRoot%\System32\LogFiles\HTTPERR. This log records all errors that are not handed off to a valid worker process, typically responses to clients, connection time-outs, and orphaned requests. This additional information can help you troubleshoot HTTP-based errors, which are logged before the request reaches IIS.

Windows Vista and Windows Server 2008 introduce enhancements to the HTTP.sys logging process. You use ETW (Event Tracing for Windows) to obtain the enhanced information. Here are steps to start, capture, and display information from an ETW tracing session:

1.
Open a command prompt (click Start, select Run, and then type cmd.exe).

2.
Start the ETW trace session for HTTP.sys by using the following command:

logman.exe start httptrace -p Microsoft-Windows-HttpService 0xFFFF -o
    httptrace.etl –ets


3.
Reproduce or perform the steps or tests that need to be traced.

4.
To stop the ETW trace session for HTTP.sys, use the following command:

logman stop httptrace –ets


5.
To convert the ETL file to a comma-separated file (CSV) file, use this command:

tracerpt httptrace.etl -of csv -o httptrace.csv /y


The CSV files can then be viewed in a text editor or spreadsheet application. This complete procedure is covered in a white paper available at http://technet.microsoft.com; search for “HTTP.sys Manageability in Windows Vista and Longhorn Server.”

Note

The following site discusses the new networking features in Windows Vista and Windows Server 2008: http://technet.microsoft.com/en-us/library/bb726965.aspx.