Microsoft IIS 6.0Administrator's Consultant

IIS records errors in two locations: the IIS access logs and the Windows event logs. In the access logs, you’ll find information related to missing resources, failed authentication, and internal server errors. In the event logs, you’ll find IIS errors, failed authentication, IIS application errors, and errors related to other applications running on the server.

Examining the Access Logs

Access logs are created when you enable logging for Web, File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and NNTP sites. Every time someone requests a file from a site, an entry goes into the access log, making the access log a running history of resource requests. Because each entry has a status code, you can examine entries to determine the success or failure of a request. Failed requests have a status code beginning with a 4 or 5.

The most common error you’ll see is a 404 error, which indicates that a resource wasn’t found at the expected location. You can correct this problem by doing the following:

• Placing the file in the expected location

• Renaming the file if the current name is different than expected

• Modifying the linking file to reflect the file’s correct name and location

If you want to find the access log for a particular site, follow these steps:

1. Start the IIS snap-in and then, in the left pane (Console Root), click the plus sign (+) next to the computer you want to work with. If the computer isn’t shown, connect to it as discussed in the section entitled “Connecting to Other Servers” in Chapter 2, “Core IIS Administration.”

2. Right-click the Web, FTP, SMTP, or NNTP site you want to manage and then select Properties.

3. In the Enable Logging frame, click Properties to display a dialog box similar to the one shown in Figure 13-1.

4. The Log File Directory field shows the top-level directory for this site’s logs. The default top-level directory is \%WinDir%\System32\LogFiles.

5. The Log File Name field shows the subdirectory and log file naming format. For example, if the name shows \W3SVC1\EXYYMMDD.LOG, you’ll find the site’s logs in the W3SVC1 subdirectory. The current log is the file in this subdirectory with the most recent date and time stamp. All other logs are archive files that could be moved to a history directory.

   Figure 13-1: The Logging Properties dialog box tells you where logs are being written.

Now that you know where the log files are located for the site, you can search for errors in the log file. Because logs are stored as American Standard Code of Information Interchange (ASCII) text, one way to do this would be to open a log in Microsoft Notepad or another text editor and search for error codes, such as 404. Another way to search for errors would be to use the FIND command. At a command prompt, you could search for 404 errors in any log file within the current directory using the following command:

find "404" *

Once you identify missing files, you can use any of the previously recommended techniques to resolve the problem. You’ll learn more about access logs and status codes in Chapter 14, “Tracking User Access and IIS Logging.”

Examining the Windows Event Logs

Windows event logs provide historical information that can help you track down problems with services, processes, and applications. The event-logging service controls the events tracked. When this service is started, user actions and system resource usage events can be tracked through the following event logs:

• Application Records events logged by applications, such as IIS. This is a default Windows event log.

• Directory Service Records events logged by the Active Directory service and its related services. This event log is available only when Directory Services is installed.

• DNS Server Records Domain Name System (DNS) queries, responses, and other DNS activities. This event log is available only when DNS is installed.

• File Replication Service Records file replication activities on the system. This event log is available only when the File Replication Service (FRS) is installed.

• Security Records events you’ve set for auditing with local or global group policies. Note that administrators must be granted access to the security log through user rights assignment. This is a default Windows event log.

• System Records events logged by the operating system or its components, such as the failure of a service to start when the system boots up. This is a default Windows event log.

You access the Windows event logs by completing the following steps:

1. Open the Start menu, select All Programs, select Administrative Tools, and then select Event Viewer. This starts Event Viewer.

2. Event Viewer displays logs for the local computer by default. If you want to view logs on a remote computer, right-click the Event Viewer entry in the console tree (left pane), and then select Connect To Another Computer. In the Select Computer dialog box, type the name of the computer you want to access, and then click OK.

3. Select the log you want to view, as shown in Figure 13-2. Use the information in the Source column to determine which service or process logged a particular event.

   Figure 13-2: Event Viewer displays events for the selected log.

Entries in the right-hand pane of Event Viewer provide a quick overview of when, where, and how an event occurred. To obtain detailed information on an event, double-click its entry. The event type precedes the date and time of the event. Event types include:

• Information An informational event, which is generally related to a successful action.

• Success Audit An event related to the successful execution of an action.

• Failure Audit An event related to the failed execution of an action.

• Warning A warning. Details for warnings are often useful in preventing future system problems.

• Error An error, such as the failure of a service to start.

  Note

  Warnings and errors are the two key types of events that you’ll want to examine closely. Whenever these types of events occur and you’re unsure of the cause, double-click the entry to view the detailed event description.

In addition to type, date, and time, the summary and detailed event entries provide the following information:

• Source The application, service, or component that logged the event

• Category The category of the event, which is almost always set to None, but is sometimes used to further describe the related action, such as a process or a service

• Event Generally a numeric identifier for the specific event, which could be helpful when searching knowledge bases

• User The user account that was logged on when the event occurred, if applicable

• Computer The name of the computer on which the event occurred

• Description In the detailed entries, a text description of the event

• Data In the detailed entries, any data or error code output by the event

The sources you’ll want to look for include:

• Active Server Pages (ASP) Applications and ASP engines

• CERTSVC Certificate services

• Ci The Indexing Service

• MSDTC Microsoft Distributed Transaction Coordinator

• MSFTPSVC The FTP service

• NNTPSVC The Network News Transfer Protocol (NNTP) service

• SMTPSVC The SMTP service

• W3SVC The World Wide Web service

If you want to see only warnings and errors, you can filter the log by completing the following steps:

1. From the View menu, select the Filter option. This opens the dialog box shown in Figure 13-3.

   Figure 13-3: You can filter events so that only warnings and errors are displayed.

2. Clear the following check boxes: Information, Success Audit, and Failure Audit.

3. Select the Warning and Error check boxes.

4. Click OK. You should now see a list of only warning and error messages. Read these messages carefully and take steps to correct any problems that exist.