W3C Logging
W3C extended logging is type of server side logging that can be enabled on the server session or URL group. When W3C logging is enabled on a URL group, logging is performed only on requests that are routed to the URL Group. A separate log file is created for each URL group configured to enable W3C logging.
When W3C logging is enabled on the server session it functions as centralized form of logging for all the URL groups under the server session. A single log file is maintained for all of the URL groups in the server session.
The following table lists the fields that can be logged by the HTTP Server API. The table contains a subset of the HTTP_LOG_FIELD constants. Some of the fields listed below are auto generated by HTTP Server API internally and therefore not contained in the HTTP_LOG_FIELDS_DATA structure. The "Appears As" column contains the text that appears in the log file. The data in the table is in the order of occurrence in the log file record.
Fields that are not marked "HTTP Server API generated" have to be passed inside HTTP_LOG_FIELDS_DATA structure by application. Application could generate those fields from the HTTP_REQUEST structure passed to it.
| Field | Appears As | Description | HTTP_LOG_FIELDS_DATA Member | HTTP_LOG_FIELDS constants |
|---|---|---|---|---|
| Date | date | The date on which the activity occurred. | HTTP Server API generated. | HTTP_LOG_FIELD_DATE |
| Time | time | The time, in coordinated universal time (UTC), at which the activity occurred. | HTTP Server API generated. | HTTP_LOG_FIELD_TIME |
| Service Name and Instance Number | s-sitename | The Internet service name and instance number that was running on the client. | ServiceName | HTTP_LOG_FIELD_SITE_NAME |
| Server Name | s-computername | The name of the server on which the log file entry was generated. | ServerName | HTTP_LOG_FIELD_COMPUTER_NAME |
| Server IP Address | s-ip | The IP address of the server on which the log file entry was generated. | ServerIp | HTTP_LOG_FIELD_SERVER_IP |
| Method | cs-method | The requested verb, for example, a GET method. | Method | HTTP_LOG_FIELD_METHOD |
| URI Stem | cs-uri-stem | The target of the verb, for example, Default.htm. | UriStem | HTTP_LOG_FIELD_URI_STEM |
| URI Query | cs-uri-query | The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. | UriQuery | HTTP_LOG_FIELD_URI_QUERY |
| Server Port | s-port | The server port number that is configured for the service. | ServerPort | HTTP_LOG_FIELD_SERVER_PORT |
| User Name | cs-username | The name of the authenticated user that accessed the server. Anonymous users are indicated by a hyphen. | UserName | HTTP_LOG_FIELD_USER_NAME |
| Client IP Address | c-ip | The IP address of the client that made the request. | ClientIp | HTTP_LOG_FIELD_CLIENT_IP |
| Protocol Version | cs-version | The HTTP protocol version that the client used. | HTTP Server API generated. | HTTP_LOG_FIELD_VERSION |
| User Agent | cs(User-Agent) | The browser type that the client used. | UserAgent | HTTP_LOG_FIELD_USER_AGENT |
| Cookie | cs(Cookie) | The content of the cookie sent or received, if any. | Cookie | HTTP_LOG_FIELD_COOKIE |
| Referrer | cs(Referrer) | The site that the user last visited. This site provided a link to the current site. | Referrer | HTTP_LOG_FIELD_REFERRER |
| Host | cs-host | The host header name, if any. | Host | HTTP_LOG_FIELD_HOST |
| HTTP Status | sc-status | The HTTP status code. | ProtocolStatus | HTTP_LOG_FIELD_STATUS |
| Protocol Substatus | sc-substatus | The substatus error code. | SubStatus | HTTP_LOG_FIELD_SUB_STATUS |
| Win32 Status | sc-win32-status | The Windows status code. | Win32Status | HTTP_LOG_FIELD_WIN32_STATUS |
| Bytes Sent | sc-bytes | The number of bytes sent by the server. | HTTP Server API generated. | HTTP_LOG_FIELD_BYTES_SENT |
| Bytes Received | cs-bytes | The number of bytes received and processed by the server. | HTTP Server API generated. | HTTP_LOG_FIELD_BYTES_RECV |
| Time Taken | time-taken | The length of time that the action took, in milliseconds. | HTTP Server API generated. | HTTP_LOG_FIELD_TIME_TAKEN |
| Stream ID | streamid | The Stream Id. | HTTP Server API generated. | HTTP_LOG_FIELD_STREAM_ID |
The log file is a customizable ASCII text-based format. The field prefixes in the file are defined as follows:
| Prefix | Description |
|---|---|
| s | Server actions. |
| c | Client actions. |
| sc | Server-to-Client actions. |
| cs | Client-to-Server actions. |
The application can select one or more of the W3C Extended log file fields, however, not all fields will contain information. For fields that are selected but for which there is no information, a hyphen (-) appears as a placeholder. If a field contains a nonprintable character, the HTTP Server API replaces it with a plus sign (+) to preserve the log file format. This typically occurs with virus attacks, when, for example, a malicious user sends carriage returns and line feeds that, if not replaced with the plus sign (+), would break the log file format. Fields are separated by spaces.
If a field is enabled by the URL group or server session, but not selected for the request, it appears in the log file with a hyphen (-) as a placeholder.
Log files are created when the first request arrives on the URL Group or server session, they are not created when logging is configured. The following example shows the first log file entry for a W3C log file with the Client IP, Username, Server IP, Server Port, Method, URI Stem, URI Query, Status, and User Agent fields enabled:
#Software: Microsoft HTTP Server API 2.0
#Version: 1.0 // the log file version as it's described by "https://www.w3.org/TR/WD-logfile".
#Date: 2002-05-02 17:42:15 // when the first log file entry was recorded, which is when the entire log file was created.
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
The time-taken field is initialized when the HTTP Server API receives the first byte, before the request is parsed. The time-taken timestamp is stopped when the last send completion occurs. Time-taken does not reflect time across the network. The first request to the site shows a slightly longer time taken than other similar requests because the HTTP Server API opens the log file with the first request.