What's New in Logging (IIS 6.0)
Logging in IIS 6.0 differs from logging in previous versions of IIS in several ways. The redesigned IIS architecture, which allows for multiple worker processes, affects how the IIS core components handle logging. In addition, IIS 6.0 provides new logging features and log file formats.
Events Are Logged by HTTP.sys
In IIS 5.0, all logging is done by the Inetinfo.exe component and is accomplished using Component Object Model (COM) modules that are written for logging. This system is effective in IIS 5.0 because there is only one server process model, Inetinfo.exe. However, in IIS 6.0, logging is done by the HTTP protocol stack (HTTP.sys). IIS 6.0 passes user-mode events to HTTP.sys through application programming interfaces (APIs), and then the user-mode events are logged by HTTP.sys.
HTTP.sys handles logging for two main reasons. When IIS 6.0 is running in worker process isolation mode, each worker process can perform its own logging and a sites applications can spread across multiple application pools. If Inetinfo.exe performed logging in this environment, multi-instance or synchronization problems could occur. Such problems can be avoided because HTTP.sys performs logging. In addition, in IIS 6.0, requests can be served completely from the HTTP.sys kernel-mode cache without ever passing through Inetinfo.exe, so logging from HTTP.sys ensures that cached responses are recorded.
The log file format for which HTTP.sys does not perform logging is only Open Database Connectivity (ODBC) logging. For more information about how ODBC logging is handled, see ODBC Logging. For more information about the IIS 6.0 architecture and core components, see IIS 6.0 Architecture.
W3C Centralized Logging
W3C centralized logging is a global configuration on the server where all Web sites write data to a single log file. This single log file uses the W3C Extended log file format and can be viewed in a text editor, unlike centralized binary logging, which writes data in a binary format and requires a parsing tool to view the data. W3C centralized logging is available in Windows Server 2003 Service Pack 1 or later. For more information about this logging option, see W3C Centralized Logging.
Substatus Error Code Logging
To reduce the possibility that a malicious user might use the information provided by substatus error codes to attack the Web server, substatus error codes are not returned to the client in IIS 6.0. Instead, administrators using the World Wide Web Consortium (W3C) Extended log file format can record substatus error codes when requests fail. Substatus error code logging is turned on by default for the W3C Extended log file format. For more information about substatus error code logging, see Substatus Error Codes.
IIS Centralized Binary Logging
Centralized binary logging is a process in which IIS creates a single log file that contains binary, unformatted log data for all of the Web sites hosted on a server. In contrast, the other available IIS logging methods create one formatted, human-readable log file per Web site. Centralized binary logging provides organizations with a way to record detailed information about all of their Web sites, using a minimum of system resources. For more information about centralized binary logging, see IIS Centralized Binary Logging.
HTTP.sys Error Logging
HTTP.sys sometimes generates its own errors that, because of the IIS 6.0 architecture, are not recorded with the worker-process-driven events. To account for these errors, IIS 6.0 supports HTTP.sys error log files. One example of an event that would trigger a log file entry in the HTTP.sys error log file is a connection time-out. For more information about HTTP.sys error log files, see HTTP.sys Error Log Files.
You can write log data to a remote share over a network using a full, Universal Naming Convention (UNC) path. For example, you can specify \\Servername\LogFiles as the storage directory for your log files, where Servernamerepresents the name of the remote server, and LogFiles represents the name of the directory where the log files are stored.
For more information about remote logging, see Remote Logging.