IIS log management in Windows

IIS log options

Table
Field	Name	Description
Date	Date	The date when the action occurred.
Time	Time	The time when the action occurred.
Customer IP Address	C-IP	The IP address of the client that accesses the server.
User Name	CS-Username	The username used to access the server through authentication. It does not include anonymous users. It is represented by a hyphen.
Service name	S-sitename	The Internet service and instance number that the customer accesses.
Server Name	S-computername	The name of the server that generates the log entry.
Server IP Address	S-IP	The IP address of the server that generates the log entry.
Server Port	S-Port	The Port Number of the client connection.
Method	CS-Method	Actions attempted by the client (such as the get method ).
Uri stem	CS-Uri-stem	The accessed resource, such as default. asp.
URI query	CS-Uri-Query	The query performed by the customer.
Protocol Status	SC-status	The action status described in HTTP or FTP terms.
Win32 status	Sc-win32-status	The action status described in Microsoft Windows terminology.
Sent bytes	SC-bytes	The number of bytes sent by the server.
Number of accepted bytes	CS-bytes	The number of bytes received by the server.
Time spent	Time-taken	The time consumed to execute an action, in milliseconds.
Protocol version	CS-version	The Protocol (HTTP and FTP) used by the client. For HTTP, It is HTTP 1.0 or HTTP 1.1.
Host	CS-host	The content displayed in the Host header.
User Agent	CS (User-Agent)	The browser used by the customer.
Cookie	CS (cookie)	The cookie content sent or received.
Referrer	CS (Referer)	The previous URL that the user browses. The current URL is linked from this URL.

 

Log value query:

It is important to set the time, IP address, method, path, protocol status, and Win32 status.

The Protocol status can be queried through the net helpmgs + [command number] command in cmd. (For websites, FTP may not work, for example, 226,230)

The command is as follows: Net helpmsg 0; net helpmsg 100; net helpmsg 200;

 

IIS Log Path

Default location: % SystemRoot % \ system32 \ logfiles.

The IIS log time is 8 hours different from the local time:

The real reason is that IIS uses W3C extended log file format by default, while W3C extended log file defines that logs use GMT time (that is, Greenwich Mean Time), while China uses GMT + 8 time zone, naturally, the difference is eight hours.

In addition, several common Windows commands are recorded as follows:

Enter the IIS management command: inetmgr

Restart IIS Command: iisreset

Use the system Keyboard Command: osk (operate system key)

Control Panel: Control

View port: netstat-ano

Port details: netstat-ano | find "80" find the process number of port 80, that is, the ID of the last column, as shown in figure

C: \> netstat-ano | find "80"
TCP 192.168.0.81: 2480 74.125.128.156: 80 close_wait 1044

Then query the process name by process ID:

C: \> tasklist | find "1044"
Iexplore. EXE 1044 console 0 162,428 K

You can also find it by process ID in Task Manager

Check whether other website ports are connected: Telnet 192.168.0.20.8080.

Storage path of Windows Wallpaper: C: \ WINDOWS \ WEB \ wallpaper

 

IIS log analysis: the SC-status semantics is used to set the general attributes and extended attributes of IIS logs for the site in website properties-website-log (attribute). The extended attributes are used to set the display of IIS log fields. Meaning of the HTTP protocol status (SC-status) code in IIS

100 the initial request for continue has been accepted, and the customer shall continue to send the rest of the request
101 The switching protocols server converts a client-compliant request to another protocol
200 OK everything is normal, and the response document to the get and post requests follows.
The 201 created server has created a document and the location header provides its URL.
202 accepted has accepted the request, but the processing has not been completed.
203 the non-authoritative information document has been normally returned, but some response headers may be incorrect because the document copy is used.
204 NO content does not have a new document. The browser should continue to display the original document. This status code is useful if the user regularly refreshes the page and the servlet can determine that the user document is new enough.
205 there is no new content in the reset content, but the browser should reset the content displayed by it. Used to force the browser to clear the input content of the form
206 partial content the client sent a GET request with the range header, and the server completed it.
300 the documents requested by the multiple choices client can be found in multiple locations, which are listed in the returned documents. If the server needs to give priority, it should be specified in the location response header.
301 moved permanently the document requested by the customer is elsewhere. The new URL is provided in the location header and the browser should automatically access the new URL.
302 found is similar to 301, but the new URL should be treated as a temporary alternative, rather than permanent.
303 see other is similar to 301/302. The difference is that if the original request is post, the redirection target document specified by the location header should be extracted through get
304 The not modified client has a buffered document and issued a conditional request (generally, the IF-modified-since header is provided to indicate that the customer only wants to update the document on a specified date ). The server tells the customer that the original buffer documentation is still available
To continue using the service.
305 the document requested by the use proxy client should be extracted from the proxy server specified by the location header
307 temporary redirect and 302 (found) are the same. Many browsers mistakenly respond to the 302 response for redirection. Even if the original request is post, it can only be redirected when the POST request actually responds to 303. For this reason, HTTP 1.1 adds 307 to clear the region code in several states: When a 303 response occurs, the browser can follow the redirected get and post requests; if a 307 response occurs, the browser can only follow the redirection to get requests.
400 syntax error in bad request.
401 unauthorized the customer attempted to access the password-protected page without authorization. The response contains a WWW-Authenticate header. the browser displays the username/password dialog box accordingly, and then sends a request again after entering the appropriate authorization header.
403 Forbidden resources are unavailable.
404 Not found cannot find the resource at the specified position
405 method not allowed request methods (get, post, Head, delete, put, Trace, etc.) are not applicable to specified resources.
406 the resource specified by not acceptable has been found, but its MIME type is incompatible with the one specified by the customer in the accpet header.
407 proxy authentication required is similar to 401, indicating that the customer must first be authorized by the proxy server.
408 request timeout the client has not sent any request within the waiting time permitted by the server. The customer can repeat the same request later.
409 conflict is usually related to put requests. The request cannot be successful because the request conflicts with the current status of the resource.
410 the document requested by gone is no longer available, and the server does not know which address to redirect. It differs from 404 in that if 407 is returned, the document permanently leaves the specified position, and 404 indicates that the document is unavailable for unknown reasons.
The 411 length required server cannot process the request unless the customer sends a Content-Length header.
412 precondition failed: Some of the prerequisites specified in the request header fail.
413 the size of the target Request Entity too large document exceeds the size that the server is willing to process. If the server thinks it can process the request later, it should provide a retry-after Header
414 request URI Too long URI is too long
416 the requested range not satisfiable server cannot meet the range header specified by the customer in the request.
500 the internal server error server encounters unexpected circumstances and cannot complete the customer's request
501 The not implemented server does not support the functions required to implement the request. For example, the customer sends a put request not supported by the server.
502 when the Bad Gateway server acts as a gateway or proxy, in order to complete the request to access the next server, but the server returns an INVALID RESPONSE
503 the service unavailable server fails to respond due to maintenance or overload. For example, Servlet may return 503 when the database connection pool is full. A retry-after header can be provided when the server returns 503
504 gateway timeout is used by a proxy or gateway server, indicating that the remote server cannot receive a response in a timely manner.
505 the HTTP Version Not Supported server does not support the HTTP Version specified in the request