Data Centers

Maximize IIS logging to track user activity

It's not enough to get an IIS Web server up and running. You must also be able to manage the log files to track site utilization and user activity.


Multiple options for logging user access activity are available when you manage Microsoft Internet Information Services (IIS) Web servers. I'm going to show you the various logging options and explain what you can do with this valuable data once you gather it.

IIS logging options
When you think about viewing logs in Windows, your first thought is to look in the Event Viewer, right? Not this time. IIS contains its own more extensive logging options that are separate from the Event Viewer.

To set up the logging options, you need to open the IIS management console from Start | Programs | Administrative Tools | Internet Services Manager. To see the logging properties, expand the computer name of the IIS server you want to look at and right-click on the Web site (such as Default Web Site) you want to set up. Figure A shows an example of the Properties sheet.

Figure A


IIS 5.0 offers four options to log your Web server activity. You select these from the Active Log Format drop-down list, highlighted in yellow in Figure A. The four options are:
  • ·        W3C Extended Log File Format—This is the default format used by IIS. It offers a selection of fields to display in the text log file. This option uses the UTC-Greenwich Mean Time for transactional timestamps.
  • ·        ODBC Logging—This transports the administrator-defined logging objects to an ODBC-compliant database.
  • ·        NCSA Common Log File Format—This is a noncustomizable logging mechanism available only for the Web sites of IIS (no FTP or other sites).
  • ·        Microsoft IIS Log File Format—This is a noncustomizable option, but it records more information than the NCSA method. This format allows you to record bytes transferred from the HTTP connection.

Each logging type offers a particular benefit, and you can switch types on the fly without affecting the status of any services for IIS. The only thing to keep in mind is that a new log file for the current log period (per day, by default) will be created with a different pair of leading characters denoting the type of logging.

The default logging method for IIS 5.0, the W3C Extended Log File Format, is a standard defined by the World Wide Web Consortium (W3C). This logging format can divulge a large amount of information on the activity of your IIS server, and IIS lets you drill down to select which options you want to log. You configure the options by clicking the Properties button (highlighted in green in Figure A) after selecting the desired log format.

Specifying which variables you want to log can make interpretation a lot easier and more useful.  Figure B  shows an example of some of the available W3C options. This isn't the complete list, but you can review full descriptions of all the options from Microsoft's Windows 2000 Server Documentation.

Figure B


Viewing log files
If you select any text file logging formats except ODBC, the logs are kept in a default location of \Winnt\System32\LogFiles\W3svc1. These files are transactional files, so you can't open the current log file. If you want to look at it, you need to make a copy of it and view the copy.

User activity
Tracking user activity in IIS is quite thorough. IIS tracks nonanonymous users better than it does anonymous users. IIS uses the term "nonanonymous" instead of "authenticated" for clarification in custom schemes. Both nonanonymous and anonymous connections are tracked by IP address in the IIS logs. Using the default configuration for the default Web site, the W3C Extended Log File Format will give you the authenticated username and the domain from which it authenticates, the client TCP/IP address, the location of the Web server viewed, and client information (OS and browser versions), among other things.

To demonstrate what an IIS log file would look like, I did some testing in which I used Internet Explorer 5 on Windows 2000 Professional, Internet Explorer 6 on Windows XP, and Netscape 4.76 on Linux as the test computers to show log activity. All three systems showed up correctly (OS and browser compatibility) in the logging on the Web server. I also used IIS for anonymous and nonanonymous connections. (I used Outlook Web Access and other nonanonymous areas of the Web site.) Click here to view the log sample.

PerfMon
The PerfMon utility can offer supplemental information to the logging of IIS. With PerfMon, you can view a running count of anonymous and nonanonymous users as well as other IIS objects. For example, connecting a session to the Web server and viewing the Web Service\ Current Nonanonymous Users counter will give a current count of nonanonymous connections.

PerfMon has notable limitations, as it does not show a clear number of users or provide the specific username like the logs. Further, busy Web sites (such as Outlook Web Access) represent a large number of nonanonymous connections and shoot the counter up quickly for one user. However, PerfMon is useful for providing some additional statistics. For more information on PerfMon monitoring, check out the Windows 2000 Resource Kit.

There are various ways to use the information PerfMon provides. If the IIS server hosts your commercial Web site, you can get a basic look at the analytics of your visitors. If the Web server hosts your company intranet, you now have a concrete look at who is visiting and how they are utilizing your site.

Outlook Web Access (OWA)
OWA activity will also appear in the IIS logs. This is an example of a nonanonymous connection, as authentication is required to gain access to a user’s mailbox. If you have OWA on the same Web server as an intranet, you will notice that OWA is connection-intensive in the logs.

Third-party software
You can purchase software packages that will perform fancy graphical Web analytics on your Web server logs, but all that information comes from the IIS log files themselves. Setting the log files to contain the information you want and getting them into a database or parsing through them for what you need could very well satisfy your needs. These third-party log analyzers can get pricey as the features increase too, so there's incentive to consider a custom solution based off the IIS logs, which you now know how to manipulate.

The logging advantage
Setting the IIS logs to give you the information you need and spending the time to get the results into a usable format can provide a wealth of information on who is visiting your Web site and how they are using it. Whether you do this to gather marketing data, look at the utilization of your Web server, or monitor and track potential hackers, you will find that knowing how to manage and manipulate this log data is definitely to your advantage.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

Editor's Picks