W3C Logging

W3C extended logging is type of server side logging that can be enabled on the server session or URL group. When W3C logging is enabled on a URL group, logging is performed only on requests that are routed to the URL Group. A separate log file is created for each URL group configured to enable W3C logging.

When W3C logging is enabled on the server session it functions as centralized form of logging for all the URL groups under the server session. A single log file is maintained for all of the URL groups in the server session.

The following table lists the fields that can be logged by the HTTP Server API. The table contains a subset of the HTTP_LOG_FIELD constants. Some of the fields listed below are auto generated by HTTP Server API internally and therefore not contained in the HTTP_LOG_FIELDS_DATA structure. The "Appears As" column contains the text that appears in the log file. The data in the table is in the order of occurrence in the log file record.

Fields that are not marked "HTTP Server API generated" have to be passed inside HTTP_LOG_FIELDS_DATA structure by application. Application could generate those fields from the HTTP_REQUEST structure passed to it.

FieldAppears AsDescriptionHTTP_LOG_FIELDS_DATA MemberHTTP_LOG_FIELDS constants
DatedateThe date on which the activity occurred. HTTP Server API generated.HTTP_LOG_FIELD_DATE
TimetimeThe time, in coordinated universal time (UTC), at which the activity occurred.HTTP Server API generated.HTTP_LOG_FIELD_TIME
Service Name and Instance Numbers-sitenameThe Internet service name and instance number that was running on the client.ServiceNameHTTP_LOG_FIELD_SITE_NAME
Server Names-computernameThe name of the server on which the log file entry was generated. ServerNameHTTP_LOG_FIELD_COMPUTER_NAME
Server IP Address s-ipThe IP address of the server on which the log file entry was generated.ServerIpHTTP_LOG_FIELD_SERVER_IP
Methodcs-methodThe requested verb, for example, a GET method.MethodHTTP_LOG_FIELD_METHOD
URI Stem cs-uri-stemThe target of the verb, for example, Default.htm.UriStemHTTP_LOG_FIELD_URI_STEM
URI Query cs-uri-queryThe query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. UriQueryHTTP_LOG_FIELD_URI_QUERY
Server Ports-portThe server port number that is configured for the service.ServerPortHTTP_LOG_FIELD_SERVER_PORT
User Namecs-usernameThe name of the authenticated user that accessed the server. Anonymous users are indicated by a hyphen.UserNameHTTP_LOG_FIELD_USER_NAME
Client IP Addressc-ipThe IP address of the client that made the request.ClientIpHTTP_LOG_FIELD_CLIENT_IP
Protocol Versioncs-versionThe HTTP protocol version that the client used.HTTP Server API generated.HTTP_LOG_FIELD_VERSION
User Agentcs(User-Agent)The browser type that the client used.UserAgentHTTP_LOG_FIELD_USER_AGENT
Cookie cs(Cookie)The content of the cookie sent or received, if any.CookieHTTP_LOG_FIELD_COOKIE
Referrercs(Referrer)The site that the user last visited. This site provided a link to the current site.ReferrerHTTP_LOG_FIELD_REFERRER
Hostcs-hostThe host header name, if any.HostHTTP_LOG_FIELD_HOST
HTTP Statussc-statusThe HTTP status code.ProtocolStatusHTTP_LOG_FIELD_STATUS
Protocol Substatussc-substatusThe substatus error code.SubStatusHTTP_LOG_FIELD_SUB_STATUS
Win32 Statussc-win32-statusThe Windows status code.Win32StatusHTTP_LOG_FIELD_WIN32_STATUS
Bytes Sentsc-bytesThe number of bytes sent by the server.HTTP Server API generated.HTTP_LOG_FIELD_BYTES_SENT
Bytes Receivedcs-bytesThe number of bytes received and processed by the server.HTTP Server API generated. HTTP_LOG_FIELD_BYTES_RECV
Time Taken time-takenThe length of time that the action took, in milliseconds.HTTP Server API generated.HTTP_LOG_FIELD_TIME_TAKEN


The log file is a customizable ASCII text-based format. The field prefixes in the file are defined as follows:

sServer actions.
cClient actions.
scServer-to-Client actions.
csClient-to-Server actions.


The application can select one or more of the W3C Extended log file fields, however, not all fields will contain information. For fields that are selected but for which there is no information, a hyphen (-) appears as a placeholder. If a field contains a nonprintable character, the HTTP Server API replaces it with a plus sign (+) to preserve the log file format. This typically occurs with virus attacks, when, for example, a malicious user sends carriage returns and line feeds that, if not replaced with the plus sign (+), would break the log file format. Fields are separated by spaces.

If a field is enabled by the URL group or server session, but not selected for the request, it appears in the log file with a hyphen (-) as a placeholder.

Log files are created when the first request arrives on the URL Group or server session, they are not created when logging is configured. The following example shows the first log file entry for a W3C log file with the Client IP, Username, Server IP, Server Port, Method, URI Stem, URI Query, Status, and User Agent fields enabled:

#Software: Microsoft HTTP Server API 2.0  
#Version: 1.0   // the log file version as it's described by "http://www.w3.org/TR/WD-logfile".
#Date: 2002-05-02 17:42:15  // when the first log file entry was recorded, which is when the entire log file was created.
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-02 17:42:15 - 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)

The time-taken field is initialized when the HTTP Server API receives the first byte, before the request is parsed. The time-taken timestamp is stopped when the last send completion occurs. Time-taken does not reflect time across the network. The first request to the site shows a slightly longer time taken than other similar requests because the HTTP Server API opens the log file with the first request.