How to enable IIS logging site activity in Windows 2000

This article provides a step-by-step guide for enabling IIS logging on a Web site.

Enable Logging on a Web Site

IIS goes beyond the scope of the event-logging or performance-monitoring features of Windows 2000. The logs can include information such as who has visited your site, what the visitor viewed, and when the information was viewed last. You can monitor attempts, either successful or unsuccessful, to access your Web sites, virtual folders, or files. This includes events such as reading the file or writing to the file. You can choose which events you want to audit for any site, virtual folder, or file. By regularly reviewing these files, you can detect areas of your server or your sites that may be subject to attacks or other security problems. You can enable logging for individual Web sites and choose the log format. When logging is enabled, it is enabled for all the site's folders, but you can disable it for specific directories.

Note To enable logging, you must click to select both the Enable Logging check box on the Web Site tab and the Log visits check box on the Home Directory tab.

To enable logging on a Web site, follow these steps:

1. Open IIS. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Services manager. (In Windows 2000 Professional, Adminstrative Tools is located in Control Panel.)
2. Click the plus sign (+) next to your server name.
3. Right-click the Web site or FTP site, and click Properties.
4. On the Website or FTP Site tab, select Enable Logging.
5. In the Active log format list, select a format. By default, Enable Logging is selected and the format is W3C Extended Log File Format, with the following fields enabled for logging: Time, Client IP Address, Method, URI Stem, and HTTP Status. Select the items that you want to monitor in the log, leaving the defaults unless you want to customize your monitoring.NOTE: If the format you select is ODBC logging, click Properties and then type the data source name and the name of the table that is within the database in the text boxes. If a user name and password are required to access the database, type these also and click OK.
   
   
6. Click Apply, then click OK.

Disable or Enable Logging for a Specific Folder on a site

1. Open IIS. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Services manager. (In Windows 2000 Professional, Adminstrative Tools is located in Control Panel.)
2. Click the plus sign (+) next to your server name.
3. Right-click the Web site or FTP site, and click Properties.
4. On the Home Directory or Directory tab, locate Log visits. (By default, Log visits is selected.)
5. To disable logging for the folder, clear Log visits; to enable logging, select Log visits.

Save IIS Log Files

You can specify the folder in which log files are saved and set the option that affects when new log files are started.

To set options for saving log files, follow these steps:

1. Open IIS. To do this, click Start, point to Programs, point to Administrative Tools, and then click Internet Services manager. (In Windows 2000 Professional, Adminstrative Tools is located in Control Panel.)
2. Click the plus sign (+) next to your server name.
3. Right-click the Web site or FTP site, and click Properties.
4. On the Web Site tab, click Properties (located under the Enable Logging section).
5. On the General Properties tab, select the option to use when starting a new log file. The options are as follows:
   • Hourly: Log files are created hourly, starting with the first entry that occurs for each hour. This feature is typically used for high-volume Web sites.
   • Daily: Log files are created daily, starting with the first entry that occurs after midnight.
   • Weekly: Log files are created weekly, starting with the first entry that occurs after midnight Saturday.
   • Monthly: Log files are created monthly, starting with the first entry that occurs after midnight of the last day of the month. NOTE: "Midnight" is midnight local time for all log file formats except World Wide Web Consortium (W3C) Extended Log File Format. For this file format, "midnight" is midnight Greenwich Mean Time (GMT) by default, but can be changed to midnight local time. To open new W3C Extended Log File Format logs that use local time, select Use local time for file naming and rollover. The new log starts at midnight local time, but the time that is recorded in the log files is still GMT.
     
     
   • Unlimited file size: Data is always appended to the same log file. You can access this log file only after you stop the site.
   • When file size reaches: A new log file is created when the current log file reaches a particular size. You must specify the size that you want.
6. Under Log file, type the folder where log files should be saved. The folder must be a local drive and must list the whole path (not relative). You cannot use mapped drives or UNC paths such as \\server1\share1\, or the period (.) or period and backslach (.\) characters when you specify the log file folder.
7. Click Apply.

Detect Possible Security Problems by Reviewing IIS Log Files

1. Use the steps that are listed in section 3 to save the log file.
2. After the file has been saved, open a text editor such as Notepad. To open Notepad, click Start, point to Accessories, and click Notepad.
3. Open the log file in Notepad. To do this, click Open on the File menu and type the location where the log file is saved.
4. Inspect the logs for suspicious security events, including the following:
   • Multiple failed commands attempting to run executable files or scripts. (You should closely monitor the Scripts folder.)
   • Excessive failed logon attempts from a single IP address, with the possible intention of increasing network traffic or denying access to other users.
   • Failed attempts to access and modify .bat or .cmd files.
   • Unauthorized attempts to upload files to a folder that contains executable files.

Security

Proper security safeguards on your Web server can reduce or eliminate various security threats from malicious individuals, as well as from well-intentioned users who might accidentally gain access to restricted information or inadvertently alter important files.

For more information on how to tighten security on your Web server, see the following Microsoft Web site: This site provides a list of suggestions for securing your Web server, including Windows settings, IIS Web permissions, and physical security.

For a production server, it is a good idea to move the Active Server Pages (ASP) enrollment pages off of the Web server that allows users to browse files that contain information on how to make certificates. If you do not wish to move the ASP pages, you should at least restrict access to them so that they are not visible to all users. These pages are normally found at the root of your Web site.

Troubleshooting

Auditing uses computer resources. For optimum server performance, auditing should be applied as specifically as possible. For example, if a particular directory has 100 files, and only a few of those files need to be audited, you should set auditing for those files rather than for the entire directory.

For a conceptual overview of your Web server's security features, with tips for getting started and learning about using high-security Secure Sockets Layer (SSL) features, see the following Microsoft Web site: For more information on how to configure authentication in IIS which will allow administrators to confirm the identity of users who are attempting to establish connections to restricted content, see the following Microsoft Web site: For more information on how to control how users access and manipulate your files and directories, see the following Microsoft Web site: For more information on how to protect the privacy of your information with SSL encryption features, see the following Microsoft Web site: For more information on how to establish secure connections by using certificates and SSL features, see the following Microsoft Web site: For more information on how to monitor security activities to prevent tampering and unauthorized access, see the following Microsoft Web site: