Friday, July 08, 2005 9:55 AM
by
mikekim
Tools to Manage IIS Log Files
Q: I have a fairly large shared IIS server at my company. We are trying to locate areas where we can simplify some management of the log files since handling over 1000 log files is somewhat tedious. We are running Windows Server 2003 with the latest updates.
A: Windows Server 2003 provides a new feature to use - the very powerful Centralized Binary Logging (CBL).
CBL is part of HTTP.sys (part of IIS 6.0). In Windows Server 2003, all logging except ODBC logging is done by the HTTP.sys kernel driver. This means that IIS 6.0 is no longer responsible for writing to disk the correct log data per request as it did in previous versions. CBL is a highly optimized log format where all request data is logged to one single file in binary. This unformatted binary data is nice for performance but hard on administrators like you. In fact, out of the box you have no effective mechanism to read the log files created when using CBL unless you write your own C++ program.
Log Parser 2.2 is an excellent command-line utility that you can use to both read and format the data. For more information about using Log Parser with CBL logs, watch the webcast (presented by Chris Adams): TechNet Webcast: The Ins and Outs of Centralized Binary Logging in IIS 6.0.
The great news is the even newer feature implemented in HTTP.sys for Windows Server 2003 Service Pack 1. This feature merges two log formats together to create a high performing but well manageable logging mechanism. It is called W3C Centralized Logging. The key to this feature is that it takes advantage of the “centralized” log file in such cases as yours where the sites, directories and files are otherwise unmanageable.
With W3C Centralized logging, an administrator gets exactly one log file created in the W3SVC directory. This file adheres to the W3C standard and allows the logging of standard properties and extended properties, such as cookies presented to IIS and the Win32 error codes. These “extended” properties are not available to users of CBL.
In your situation, switching to W3C Centralized Logging would let you manage a single log file per day, hour, etc., based on your rollover mechanism. This is much better than the one-directory, several-files approach for IIS 6.0. In addition, you wouldn’t need any special tools such as Log Parser 2.2 to view the data. The data would be viewable in your favorite text editor. Be warned, however, the file will usually be quite large, so the Notepad text editor may not suffice.
Unfortunately, enabling W3C Centralized logging is a bit more work to set up than a check box in a user interface. Just as with the CBL, W3C Centralized logging is not available in the IIS Manager and must be directly edited in the metabase. To do this, you just modify the CentralW3CLoggingEnabled metabase property, as follows:
cscript adsutil.vbs set w3svc/CentralW3CLoggingEnabled 1
After enabling this value, you can restart the IIS services and, upon restart, IIS will now be logging all requests for all sites using one formatted file that can be read using a text editor.
Source: July 2005 IIS Insider (scheduled to go live on or after July 13, 2005)
