What the IIS logs mean
IIS is an abbreviation for Internet Information Server, which means that the network Information service, the log is the running record
The default directory for the IIS logs is%systemroot%\system32\logfiles\ (which can be customized as well)
Log format: last two digits of the ex+ year + month + Date
File suffix:. log as of September 30, 2010 logs generated file is Ex300910.log
IIS logs are required to be viewed by every Server Manager, and the server's status and source of IP access are recorded in the IIS logs, so the IIS logs are very important to each server Manager, Seoer is no exception, which also makes it easy for site managers to see how the site operates.
IIS Field Description
IIS faithfully records all the related records that access the Web service.
Find the log open and find the first few lines of the log as follows
#Software: Microsoft Internet Information Services 5.1//iis version
#Version: 1.0//Version
#Date: 2010-09-30 00:53:58//creation time
#Fields: Date Time C-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc- Win32-status sc-bytes cs-bytes time-taken cs-version cs-host CS (user-agent) CS (Cookie) CS (Referer)//log format
IIS Log Example
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-09-30 05:00:51
#Fields: Date Time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username C-IP cs (user-agent) sc-status sc- Substatus Sc-win32-status
2010-09-30 07:16:59 w3svc739 60.28.240.139 get/robots.txt-80-74.6.75.14 mozilla/5.0+ (compatible;+yahoo!+slurp;+http ://HELP.YAHOO.COM/HELP/US/YSEARCH/SLURP) 200 0 0
2010-09-30 07:16:59 w3svc739 60.28.240.139 get/blog/category/index/asp-80-72.30.177.172 mozilla/5.0+ (compatible;+ YAHOO!+SLURP;+HTTP://HELP.YAHOO.COM/HELP/US/YSEARCH/SLURP) 301 0 0
Date: Indicates record access dates;
Time: Access times;
S-sitename: Represents the McCartney of your virtual host.
S-IP: Visitor IP;
Cs-method: Represents the access method, there are two common, one is get, is usually we open a URL to access the action, the second is the post, submit the form when the action;
Cs-uri-stem: Which file is accessed;
Cs-uri-query: Refers to the accompanying parameters of the access address, such as the ASP file? After the string id=12 and so on, if no parameters are used-the expression;
S-port: Access to the port
Cs-username: Visitor Name
C-IP: Source IP
CS (user-agent): Access source;
Sc-status: Status, 200 indicates success, 403 means no permissions, 404 means no access to the page, 500 indicates the program is wrong;
Sc-substatus: The byte size that the server transmits to the client;
Cs–win32-statu: The size of the bytes sent by the client to the server;
IIS Log returns the status code in detail
2xx success
200 normal; request completed.
201 Normal; Immediately after the POST command.
202 normal; accepted for processing, but processing is not yet complete.
203 normal; Part of the information-the returned information is only part of it.
204 normal; No response-the request has been received, but there is no information to echo back.
3xx redirect
301 Moved-The requested data has a new location and the change is permanent.
302 found-the requested data temporarily has a different URI.
303 See other-a response to a request can be found under another URI, and the response should be retrieved using the GET method.
304 unmodified-the document was not modified as expected.
305 using a proxy-the requested resource must be accessed through the proxy provided in the Location field.
306 unused-no longer in use; Keep this code for future use.
4xx client error
400 Error request-There is a syntax problem in the request, or the request cannot be satisfied.
401 Unauthorized-The client is not authorized to access data.
402 requires payment-indicates that the billing system is valid.
403 Forbidden-access is not required even if it is authorized.
404 Not Found-the server cannot find a given resource; The document does not exist.
407 Proxy authentication Request-The client must first use the proxy to authenticate itself.
410 The requested Web page does not exist (permanent);
415 Media type is not supported-the server denies the service request because the format of the requested entity is not supported.
Error in server 5xx;
500 Internal Error-The server cannot complete the request because of an unexpected situation.  
501 is not executed-the server does not support the requested tool.
502 Error Gateway-server received an invalid response from the upstream server.  
503 cannot get service-the server cannot process requests due to temporary overloading or maintenance.
The time in the log does not show the correct issue:
The format of the log has 3 format iis,ncsa,w3c,iis default is the format, the format of the log information is the most complete, but the time format is GMT time, log records also have a delay. The time to add 8 is the right time.
#Software: Microsoft Internet information Services 8.5#version:1.0#date:2017-01-13 08:23:19#fields:date time S-ip cs-me Thod cs-uri-stem cs-uri-query s-port cs-username C-IP CS (user-agent) CS (Referer) sc-status sc-substatus sc-win32-status t IME-TAKEN2017-01-13 08:23:19 127.0.0.1 post/api/pipe/dball-2222-127.0.0.1--0 0 32122017-01-13 08:29:28:: 1 GET /-2222-:: 1 mozilla/5.0+ (WINDOWS+NT+6.3;+WOW64) +applewebkit/537.36+ (Khtml,+like+gecko) +chrome/50.0.2661.102+ safari/537.36-200 0 0 562017-01-13 08:29:28:: 1 get/favicon.ico-2222-:: 1 mozilla/5.0+ (WINDOWS+NT+6.3;+WOW64) +AppleW ebkit/537.36+ (Khtml,+like+gecko) +chrome/50.0.2661.102+safari/537.36 http://localhost:2222/200 0 0 112017-01-13 08:29:31:: 1 GET/-2222-:: 1 mozilla/5.0+ (WINDOWS+NT+6.3;+WOW64) +applewebkit/537.36+ (Khtml,+like+gecko) +Chrome/ 50.0.2661.102+safari/537.36-200 0 0 22017-01-13 08:29:31:: 1 get/favicon.ico-2222-:: 1 mozilla/5.0+ (Windows+NT+6.3;+ WOW64) +applewebkit/537.36+ (Khtml,+like+gecko) +chrome/50.0.2661.102+safari/537.36 http://localhost:2222/200 0 0 1#software:microsoft Internet information Services 8.5# VERSION:1.0#DATE:2017-01-13 08:51:37#fields:date time S-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip C S (user-agent) CS (Referer) sc-status sc-substatus sc-win32-status time-taken2017-01-13 08:51:37 127.0.0.1 post/api/pipe /dball-2222-127.0.0.1--200 0 0 741
NCSA format information is relatively small, can not be customized fields, is a fixed field, but the time is correct.
:: 1--[13/jan/2017:16:23:19 +0800] "get/index.html http/1.1" 304 164::1--[13/jan/2017:16:23:19 +0800] "Get/favicon. ico http/1.1 "404 4921::1--[13/jan/2017:16:23:19 +0800]" get/http/1.1 "404 0::1--[13/jan/2017:16:24:17 +0800]" GET /hqapi/upload_allotments http/1.1 "405 336::1--[13/jan/2017:16:26:15 +0800]" get/hqapi/upload_allotments HTTP/1.1 "40 5 336::1--[13/jan/2017:16:26:35 +0800] "get/hqapi/upload_allotments http/1.1" 405 336::1--[13/jan/2017:16:26:35 +08 XX] "Get/favicon.ico http/1.1" 404 4921::1--[13/jan/2017:16:27:33 +0800] "get/index.html http/1.1" 200 416::1--[13 /jan/2017:16:27:33 +0800] "Get/favicon.ico http/1.1" 404 4921::1--[13/jan/2017:16:27:55 +0800] "get/index.html HTTP/1 .1 "416::1--[13/jan/2017:16:27:55 +0800]" Get/favicon.ico http/1.1 "404 4921::1--[13/jan/2017:16:28:39 +0800]" get/index.html http/1.1 "416::1--[13/jan/2017:16:28:39 +0800]" Get/favicon.ico http/1.1 "404 4921::1--[13/Jan/ 2017:16:28:56 +0800] "GEt/index.html http/1.1 "416::1--[13/jan/2017:16:28:56 +0800]" Get/favicon.ico http/1.1 "404 4921
There is less information in IIS format. Time is right.
:: 1,-, 1/13/2017, 16:51:38, W3SVC3, ZHAOYIHAO-PC,:: 1, 1537, 510, 336, 405, 0, GET,/api/upload,-,::1,-, 1/13/2017, 16: 52:17, W3SVC3, ZHAOYIHAO-PC,:: 1, ten, 553, 336, 405, 0, GET,/api/upload,-,::1,-, 1/13/2017, 16:52:17, W3SVC3, Zhaoyihao -PC,:: 1, 0, 497, 4921, 404, 2, GET,/favicon.ico,-,
Reference documents:
https://support.microsoft.com/en-us/kb/271196
https://support.microsoft.com/en-us/kb/193612
Iis-logfiles detailed and log date issues