Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
The standard Web server log format is named the W3C Extended log format. By default, these text log files can be found in %winnt%\system32\LogFiles\W3SVCx, where x is the Web site instance. For example, the default Web site is W3SVC1. The format for this log file is defined at the World Wide Web Consortium (W3C) Web site at http://www.w3.org/TR/WD-logfile.
Let's analyze a sample log file entry. First notice that each log file starts with the following line:
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent) |
This indicates the fields used in the log file from this point on. You'll notice that some fields start with a prefix. Possible prefixes are
- c Client
- s Server
- cs Client to server
- sc Server to client
- sr Server to remote server (used by proxy servers)
- rs Remote server to server (used by proxy servers)
A log file could change fields, and this is reflected in the field heading. Table 11-6 describes these fields.
Table 11-6. W3C extended log file components.
| Field | Example | Comments |
|---|---|---|
| date | 2000-04-25 | Date of the request in Universal Coordinated Time (UTC). |
| time | 14:20:03 | Time of the request (UTC). |
| c-ip | 172.100.100.13 | Client IP address. |
| cs-username | EXAIR/Squirt | Client's name—a "-" value means anonymous or unidentified. |
| s-ip | 157.42.12.122 | Server IP address. |
| s-port | 80 | Server port number on which the request was received—another common value is 443 for Secure Sockets Layer/Transport Layer Security (SSL/TLS). |
| cs-method | GET | HTTP method used to perform the request. |
| cs-uri-stem | /ExAirHR/Default.asp | Stem portion of a Uniform Resource Identifier (URI). |
| cs-uri-query | - | Query portion of a URI. Note that this is often filled in by IIS when an error occurs and thus can be a goldmine of information. |
| sc-status | 401 | HTTP status—for example, 200 (OK) and 401 (unauthorized). |
| sc-win32-status | 5 | Win32 status—for example, 0 (no error) and 5 (access denied). This is not enabled by default; you can enable it using the IIS administration tool. |
| cs(User-Agent) | Mozilla/4.0+ (compatible;+ MSIE+5.01;+ Windows+NT+5.0) | The browser user-agent string. |