Make sure IIS runs at its peak by checking log events

Log events can tell you a lot about how IIS is working. Brien Posey shows you how to log events on your IIS server to check its performance and resource usage.


Any Web server, no matter how powerful, has a limited amount of resources from which to serve the world, so it’s important to keep track of how those resources are being used. If you determine that your server is being underutilized, you can boost the performance of some processes to give the users better response time. If your server is too busy and users are getting error 500s, you can reallocate some of the server’s resources to prevent this from happening.

Since most of you don’t have time to sit and watch Windows’ Performance Monitor to see when Internet Information Server (IIS) is reaching its limits, the easiest way to track its performance and resource utilization is through logging.

Information logging
If you’ve ever used logging to track resources in previous versions of IIS, you know that the log files can quickly grow to hundreds of megabytes in size. However, logging options have been greatly improved in IIS 5.0. Yes, it’s still possible to have your log files grow into huge monstrosities that consume vast quantities of hard disk space, but you don’t have to have such large files unless you want to.

Log files associated with IIS 5.0 are generally smaller than the log files associated with other versions, because you can control the level of detail recorded in the log files. Sometimes it’s necessary to have a lot of detail in a log file, but remember that huge, detailed log files are difficult to search through. I recommend logging a minimal amount of information so you can quickly look through the log files. If you ever spot a potential problem, you can always later request that IIS log more information so you can analyze the true extent of the problem.

To enable logging, select the Programs | Administrative Tools | Internet Services Manager commands from the Start menu. The IIS console will open. Then, maneuver through the console tree to Internet Information Services | server | site where server is the name of the Web server you want to log and site is the name of the site. Right-click the Web site you want to log and open the Web site’s properties sheet, as shown in Figure A.

Figure A
You can enable or disable logging for a particular Web site on the Web Site tab of its properties sheet.


As you can see in the figure, logging for the Web site can be turned on or off with the Enable Logging check box; logging is enabled by default. Beneath the Enable Logging check box is the Active Log Format drop-down list, which gives you three options for the log format: NCSA Common Log Format, ODBC Logging, and W3C Extended Log File Format. The NCSA Common Log Format is nothing more than a simple, plain text log. ODBC Logging, which is available only if you’re using Windows 2000, is similar to NCSA Common Log Format, except that log entries are added to a database rather than to a text file. The W3C Extended Log File Format option is selected by default. If you need to do process accounting, you must use this log format because it’s the only option that will log process accounting information.

Next, you must configure the W3C logging options. Verify that W3C Extended Log File Format is selected in the Active Log Format drop-down list and that the Enable Logging check box is selected, and then open the Extended Logging Properties sheet. The General Properties tab will be selected (see Figure B).

Figure B
You can control the maximum size or duration of a log file.


This tab helps you to keep the log’s physical size under control. You can tell IIS to build a new log on an hourly, daily, weekly, or monthly basis. Other options allow you to use an unlimited log file size, or to start a new log file when the existing log file grows to a predetermined size.

In Figure B, you'll see the Use Local Time For Naming And Rollover check box. This check box is important because unlike the other two types of logging, W3C logging uses Greenwich Mean Time (also known as GMT or Zulu time) rather than local time.

To customize the log files, select the Extended Properties tab, where you can select which events are recorded in the log file. Some of the events you can log are pretty self-explanatory, such as Date and Time. The Extended Properties tab contains two basic categories of events that you can log. The first type is the Extended Properties event, which includes things like the IP address that accessed your server and the type of action the client requested.

The other type is the Process Accounting event. Where the Extended Properties option records identifying information, the Process Accounting logging option allows you to see exactly what impact the Web site has on system resources. There are seven categories under the Process Accounting option. Each of these events is important to understanding what’s going on with your Web server. In the next sections, I'll explain some of the various events that you can log through the Process Accounting option.

Process Event [s-event]
The Process Event refers to the type of process that triggered the event. In the log, the Process Event will usually be CGI, but it could also be Application or All.

Process Type [s-process-type]
The process type is the basic type of event that was triggered. For example, if the log file were to display a site stop event, it would mean that the Web site had stopped. There are a variety of different messages you can get for process type, including the following:
  • Site Stop means that the Web site was stopped.
  • Site Start indicates that the Web site was restarted.
  • Site Pause shows that the Web site was temporarily paused.
  • Periodic Log refers to a condition set by an administrator saying that a certain condition’s status should be reported at specific times.
  • Reset Interval Start indicates that the reset interval has begun.
  • Reset Interval End means that the reset interval expired and was reset.
  • Update could mean that an interval was changed or that the Web site was stopped, started, or paused.
  • Event Log Limit indicates that a new log was started because the log reached the size or time threshold previously set.
  • Priority Limit tells you that one of the Web site’s CGI or out of process applications was set to low priority because it reached the low priority threshold. The administrator can set this threshold limit.
  • Process Stop Limit means that a CGI or out of process application was stopped because it reached the stop limit. Again, the stop limit is a threshold set by an administrator.
  • Site Pause Limit means that the Web site was paused because either a CGI or an out of process application reached the pause threshold that you set.
  • Event Log Limit Reset appears any time the event log’s limit is reached or if you manually change the event log limit.
  • Priority Limit Reset indicates that either the reset interval was reached or the administrator has manually changed the priority limit.
  • Process Stop Limit Reset tells you that either the reset interval has been reached or the administrator has manually changed the stop limit.
  • Site Pause Limit Reset shows that either the reset interval was reached or the administrator manually reset the site pause limit.

Total User Time [s-user-time]
The Total User Time is the total number of seconds the processor spent servicing all attached users during the current interval.

Total Kernel Time [s-kernel-time]
This counter is similar to the Total User Time, except that it counts the total amount of kernel time (in seconds) used by the site during the current interval.

Total Page Faults [s-page-faults]
The current number of page faults that this Web site has generated during the current interval is indicated by the Total Page Faults counter.

Total Processes [s-totalprocs]
The total number of CGI and out of process applications that were created during the current interval is supplied by the Total Processes counter.

Active Processes [s-active-procs]
The Active Processes counter is similar to the Total Processes counter, but instead of telling you the total number of CGI and out of process applications created during an interval, it tells you the number of CGI and out of process applications running at the time that the log entry was created.

Total Terminated Processes [s-stopped-procs]
The Total Terminated Processes counter tells you the number of CGI and out of process applications stopped during the current interval because of process throttling.

Viewing the logs
After you’ve selected the items you want to log, IIS will record the information for you. IIS logs won’t appear in Event Viewer like other logs for such things as your DNS server. Instead, you must manually view the logs using Notepad or a standard text editor.

You’ll find the logs in the C:\Winnt\System32\Logfiles\W3SVC1 folder. Depending on the options you chose on the General Properties screen in Internet Services Manager for the site, you’ll see either one large file or several smaller files. Select the file you want to view, open it, and then search through it for the events you selected on the Extended Properties screen.
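
The manual search described above can also be scripted. The following Python code is an added example, not part of the original article: it reads W3C Extended entries using whichever #Fields line precedes them, then returns the entries that show a throttling limit being hit and the requests that ended in a 5xx status. The log lines and the hyphenated spelling of the s-process-type values are constructed for illustration; the field names are the ones listed in this article.

```python
# Added example: parse IIS W3C Extended logs and surface throttling events.
# Field names come from the article; sample lines and value spellings are constructed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-03-01 00:00:05 192.0.2.10 GET /default.asp 200
2001-03-01 00:00:09 192.0.2.11 GET /cgi-bin/report.exe 500
#Fields: date time s-event s-process-type s-user-time s-kernel-time s-page-faults s-totalprocs s-active-procs s-stopped-procs
2001-03-01 00:05:00 CGI Periodic-Log 12 4 2051 9 3 0
2001-03-01 00:10:00 CGI Process-Stop-Limit 58 21 9120 14 1 2
"""

# Process types that mean a configured throttling threshold was reached
# (the matching "... Limit Reset" types are deliberately not included).
LIMIT_EVENTS = ("priority-limit", "process-stop-limit", "site-pause-limit")

def parse_w3c(lines):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The field list can change mid-file, so track every #Fields line.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield {k: v for k, v in zip(fields, values) if v != "-"}  # "-" means empty

def throttle_events(entries):
    """Return entries showing that a process-throttling limit was hit."""
    hits = []
    for e in entries:
        ptype = e.get("s-process-type", "").lower()
        stopped = e.get("s-stopped-procs", "0")
        if ptype in LIMIT_EVENTS or (stopped.isdigit() and int(stopped) > 0):
            hits.append(e)
    return hits

def server_errors(entries):
    """Return request entries whose HTTP status is in the 5xx range."""
    return [e for e in entries if e.get("sc-status", "").startswith("5")]
```

Timestamps in these entries are GMT, as noted earlier, so convert them before correlating with sources that record local time.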

Conclusion
IIS 5.0 log files allow you to check on the performance of your IIS server. By selecting the proper counters, you can have IIS log certain data that you can later view to verify whether your server resources are properly allocated, or if you need to make some adjustments to optimize IIS's performance.