How to configure Web site logging in Windows Server 2003

This article provides a step-by-step guide to turn on logging on a Microsoft Internet Information Services 6.0 (IIS) Web site.

Turn on logging on a Web site

Internet Information Services (IIS) logging is designed to be more detailed than the event-logging or performance-monitoring features of Windows Server 2003. The IIS logs can include information such as who has visited your site, what they viewed, and when the information was viewed last. You can monitor attempts, either successful or unsuccessful, to access your Web sites, virtual folders, or files. This includes events such as reading the file or writing to the file. Events can be logged independently for any site, virtual folder, or file. By regularly reviewing these log files, you can detect areas of your server or your sites that may be subject to attacks or suffer from other security problems.

To turn on logging on a Web site, follow these steps:

1. Start the Internet Information Services Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services.
2. Double-click your server_name, where server_name is the name of the server.
3. Expand the Web Site folder.
4. Right-click the Web site for which you want to turn on logging, and then click Properties.
5. On the Website tab, select Enable Logging.
   
   Note Both Enable Logging on the Website tab and Log visits on the Home Directory Tab must be checked for logging to be enabled.
6. Select a format in the Active log format list.
7. Click Properties, click the Advanced tab, and then select the items that you want to monitor in the log.
   
   NOTE: If you select ODBC logging, click Properties, provide the ODBC Data Source Name (DSN), table, user name, and password, and then click OK
8. On the General tab, select the way that you want to schedule the logging or change the Log file folder. For more information, see the "Configuration options for saving IIS log files" section of this article.
9. Click OK.

Turn logging on or off for a specific folder

1. Start the Internet Information Services Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services.
2. Double-click your server_name, where server_name is the name of the server.
3. Expand the Web Site folder.
4. Right-click the Web site or locate the folder that you want to configure, and then click Properties.
5. On the Directory tab, click Log visits.
   
   NOTE: To turn off logging, click Log visits.
6. Click OK.

Configuration options for saving IIS log files

To set options for saving log files, follow these steps:

1. Open the Internet Information Services Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services.
2. Expand your server node.
3. Expand the Web Site folder.
4. Right-click the Web site, and then click Properties.
5. On the Web Site tab, click Properties.
6. On the General Properties tab, select the option to use when starting a new log file. The options are as follow:
   • Hourly: Log files are created hourly, starting with the first entry that occurs for each hour. This feature is typically used for high-volume Web sites.
   • Daily: Log files are created daily, starting with the first entry that occurs after midnight.
   • Weekly: Log files are created weekly, starting with the first entry that occurs after midnight Saturday.
   • Monthly: Log files are created monthly, starting with the first entry that occurs after midnight of the last day of the month. NOTE: "Midnight" is midnight local time for all log file formats except World Wide Web Consortium (W3C) Extended Log File Format. For this file format, "midnight" is midnight Greenwich Mean Time (GMT) by default, but it can be changed to midnight local time. To open new W3C Extended Log File Format logs that use local time, select Use local time for file naming and rollover. The new log starts at midnight local time, but the time that is recorded in the log files is still GMT.
   • Unlimited file size: Data is always appended to the same log file. You can access this log file only after you stop the site.
   • When file size reaches: A new log file is created when the current log file reaches a particular size. You must specify the size that you want.
7. Click Apply, and then click OK.

Review IIS log files with Notepad

1. To open Notepad, click Start, point to All Programs, point to Accessories, and then click Notepad.
2. On the File menu, click Open and type the location where the log file is saved.
3. Examine the logs for suspicious security events, including the following:
   • Multiple unsuccessful commands that try to run executable files or scripts. (In this cane, closely monitor the Scripts folder.)
   • Too many unsuccessful logon attempts from a single IP address, with the possible intention of increasing network traffic or denying access to other users.
   • Failed attempts to access and modify .bat files or .cmd files.
   • Unauthorized attempts to upload files to a folder that contains executable files.

Security

Correct security safeguards on your Web server can reduce or prevent various security threats both malicious and accidental.

For a production server, move Active Server Pages (ASP) enrollment pages off the Web server that allows users to browse files that contain information about how to make certificates. If you do not want to move the ASP pages, restrict access to view the files. These pages are typically located at the root of your Web site.