IIS Log File Entries Have the Incorrect Date and Time Stamp


We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:For more information about IIS 7.0, visit the following Microsoft Web site:

Symptoms


The date and the time stamp on entries in the IIS log files appear to be incorrect by several hours when you compare the date and the time stamp to the local time on the server.

Cause


The selected log file format is the W3C Extended Log File Format. The extended log file format is defined in the W3C Working Draft WD- logfile-960323 specification by Phillip M. Hallam-Baker and Brian Behlendorf. This document defines the Date and Time files to always be in GMT. This behavior is by design.

Resolution


To resolve this problem, use one of the following resolutions:

Resolution 1

Change the active logging format to the Microsoft IIS Log File Format. This format logs in the server's Local Time.

Resolution 2

Use the Convlog.exe utility, which is located in the Winnt\System32 folder, to convert the log to the NCSA Log File Format and server's local time. At a command prompt, type the following:
convlog -ie LogFileName -t ncsa:+/-GMTOffset
where LogFileName is the name of the file to convert and GMTOffset is the number of hours to correct.

For example, to convert a file named "Logfile.log," and correct for Eastern Standard Time, you would use the following command:
convlog -ie Logfile.log -t ncsa:-0500
You can find complete instructions on how to use the Convlog utility in the IIS online documentation.

NOTE: This solution does not actually change the time stamps for the log entries. It enters the GMT offset into each entry, so that anyone reading through the log can see that the time stamp is not in local time.

The following is an example of a log entry produced by this utility:
192.168.1.1 - - [30/Jun/2000:20:16:40 -0500] "GET /default.asp HTTP/1.0" 200 -

More Information


For more information on the extended log file format, see the W3C Working Draft WD-logfile-960323 specification at the following URL: For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
194699 Extended Log File Format Always in GMT
193612 Log Files Rolled Over According to GMT, Not Local Time Zone