IIS 4.0 Event Logging in Detail

Wang Zhi

When users access an IIS web site, IIS (Internet Information Server) 4.0 can use log files to record and track event information, such as when users accessed the web site or an application, the number of visits, and the number of bytes sent or received. These logs provide valuable reference material for checking the health and trends of your data and network, and they also help guard against malicious access and attacks. IIS 4.0 has four log formats, and log data can be stored either as text files or in a database. Maintaining log files adds load to the system, so when capturing log data you cannot simply record everything; choose the most representative data as your logging parameters. Let's look at the key factors to consider and decide on when setting up IIS 4.0 event logging, and at how logging is set up.

First, log formats
Table 1: The four log file formats of IIS 4.0

Log Format              Description                                           Time Zone Used             Log File Prefixes
W3C Extended Log File   Logged event properties and format can be customized  GMT (Greenwich Mean Time)  Extend, Ex
NCSA Common Log File    Fixed standard NCSA format                            IIS 4.0 server local time  NCSA, NC
Microsoft IIS Log File  Fixed format specified by IIS                         IIS 4.0 server local time  inetsv, in
ODBC Logging            Fixed format                                          IIS 4.0 server local time  None

The table above lists the four log file formats that can be used in IIS 4.0: the World Wide Web Consortium (W3C) Extended Log File format, the National Center for Supercomputing Applications (NCSA) Common Log File format, the Microsoft IIS Log File format, and the ODBC Logging format. The W3C extended log file format is the most commonly used because it is more flexible than the other three: the user can choose what the log contains as needed. For a web site, we want to select logged properties according to different purposes, and W3C offers many optional items. Note that the more items you choose to log, the heavier the load on the IIS 4.0 server, and the more disk or database space is consumed. Figure 1 shows the W3C extended logging options in their default state.

Figure 1: The W3C extended logging options in their default state

When you need to collect logs from multiple web sites, some of which may not run on IIS servers, you can use the W3C log format and the NCSA common log format. Even if your company uses web servers on different platforms, as long as these servers support these two common log formats, you can use any analysis tool that supports the format to read the log files. For example, Sane Solutions' NetTracker can read log files and import them into a database you can use. Of course, if you want to record information in a database, you can select the ODBC logging format directly.

The NCSA common log file format, the Microsoft IIS log file format and the ODBC logging format all use the local time of the IIS 4.0 server, but W3C logs use Greenwich Mean Time (GMT). Clearly, you need to know your time zone to avoid confusion about when logging starts.

IIS event logs can be set to start a new file every day, every week or every month. We can also decide when to start a new log based on the size of the log file, for example starting again when the file reaches 19 MB. To do this: start Internet Service Manager (ISM) 4.0, right-click the name of the site you want to log, select "Properties", and on the Web Site tab click the Properties button to the right of Active Log Format; in the window that pops up, select Daily, Weekly, and so on.

IIS 4.0 names log files as follows: it uses a prefix from Table 1 to indicate the log file format, followed by the date of the log. For log files rotated by file size, IIS 4.0 uses the long prefix (such as Extend); for log files rotated by time, it uses the short prefix (such as EX).
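The time-zone difference described above matters as soon as logs in different formats are combined. The following added example (not part of the original article) parses a W3C extended log, whose times are GMT, and an NCSA common log, whose times are server local with an explicit offset, and merges them into one UTC-ordered timeline; the sample log lines, addresses and function names are constructed for illustration.

```python
from datetime import datetime, timezone
import re

# Constructed sample: W3C extended log with the default IIS 4.0 fields.
# Only a time of day is logged, so the date comes from the #Date directive.
W3C_SAMPLE = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-01-25 08:00:01
#Fields: time c-ip cs-method cs-uri-stem sc-status
08:00:01 192.168.1.20 GET /default.htm 200
08:00:07 192.168.1.20 GET /admin/ 401
"""

# Constructed sample: NCSA common log written in server local time (UTC+8 here).
NCSA_SAMPLE = """\
192.168.1.20 - - [25/Jan/2001:16:00:04 +0800] "GET /logo.gif HTTP/1.0" 200 3401
"""

NCSA_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_w3c(text):
    """Yield (utc_time, ip, method, uri, status); W3C timestamps are GMT."""
    fields, day = [], None
    for line in text.splitlines():
        if line.startswith("#Date:"):
            day = line.split()[1]
        elif line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            date = rec.get("date", day)  # an explicit date field wins if logged
            ts = datetime.strptime(f"{date} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield (ts.replace(tzinfo=timezone.utc), rec["c-ip"], rec["cs-method"],
                   rec["cs-uri-stem"], int(rec["sc-status"]))

def parse_ncsa(text):
    """Yield the same tuple; the NCSA timestamp carries the local UTC offset."""
    for m in NCSA_RE.finditer(text):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield (ts.astimezone(timezone.utc), m.group(1), m.group(3),
               m.group(4), int(m.group(5)))

def merged_timeline(w3c_text, ncsa_text):
    """Merge both logs into one list ordered by UTC time."""
    return sorted(list(parse_w3c(w3c_text)) + list(parse_ncsa(ncsa_text)))
```

Read naively, the NCSA entry stamped 16:00:04 looks eight hours later than the W3C entries; after normalization it falls between them.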
As a specific example of this naming scheme: when you see the log file name NC010125, you know that the file is in NCSA format, that it is rotated daily, and that it was created on January 25, 2001.

Second, logging to a file versus a database

According to Microsoft's official documentation, when IIS 4.0 logs to a file it automatically sets up a buffer for the log file and writes to disk in 64 KB blocks. Once logging is stopped, IIS automatically flushes this buffer. We can enlarge the buffer to reduce the number of file updates and the time spent writing to disk. To change the buffer size, create an entry named LogFileBatchSize under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters and set it to the value you need.

When the ODBC logging format is used, IIS 4.0 records each event in the SQL database or other specified database as it occurs. This real-time process means IIS 4.0 is constantly adding rows to the log database, which obviously increases the load on the database server and so becomes one of the bottlenecks of IIS 4.0.
Accordingly, Microsoft's Internet Information Server Resource Kit says: "For a busy server, ODBC is not a good choice because it will reduce the speed of the server, and it does not record events well under a higher load." Microsoft's reference material therefore appears to recommend logging to a file rather than to an ODBC database.

Is this view correct? We should not jump to conclusions. I ran a test and found that IIS 4.0 writes to the log file immediately after an event occurs. This agrees with some reference material: IIS 4.0 does not cache log data but writes directly to the file, at least with the default settings. The test is very easy to run: in the IIS 4.0 ISM, enable logging for one of the web sites, then access the site and open the log file; you will see the access you just made recorded there.

By this result, if IIS 4.0 writes to the log file directly for each visit, that is no different from logging to a database, and reading and writing a database may even be faster than reading and writing a log file. The author therefore recommends that you test before choosing a log format, and then decide between file logging and database logging according to your actual situation. In any case, I have doubts about the claim that file logging is better than database logging.

In addition, because event logging consumes system resources, network administrators should consider the following suggestions to reduce the load it brings:

1. Import log files into the database in batches instead of writing to it in real time.
2. Choose logged items carefully and do not log unnecessary events, because the more items are logged, the heavier the load on the system.

Third, working with log files

By default, IIS 4.0 uses the W3C log format to record the time, the client's IP address, the access method, the URI stem, and the HTTP status.
To change these default settings, do the following:

1. Open ISM.
2. Click the server on which you want to log.
3. Right-click the site and select Properties.
4. Select the Web Site tab.
5. On the tab shown in Figure 2, check the box in front of Enable Logging.
6. Select a log file format in the Active Log Format list box.
7. Click the Properties button to the right of the Active Log Format list.
8. Change the logging properties, then return to the Web Site tab.
Figure 2: The Web Site tab

When you click the OK button to confirm the change, IIS 4.0 closes the current log file and creates a new log file in the new format.

By default, IIS 4.0 sends log information to disk files. The web server stores the Default Web Site's log files in the C:\WinNT\System32\LogFiles\W3SVC1 directory, the Admin Web Site's log files in the C:\WinNT\System32\LogFiles\W3SVC2 directory, and so on. You can also use ISM to store log files in other directories. Storing log files on a disk that does not hold the web site content improves system performance, because it reduces the amount written to the disk where the web site resides. To change where log files are stored:

1. Select the web site.
2. In the window shown in Figure 2, click Properties.
3. Change the path under Log File Directory. Note that a physical path must be used here; a UNC path is invalid.
4. Click OK to confirm.

Once these steps are completed, IIS 4.0 creates log files in the directory you specified.

Fourth, logging to a database

In addition to the file formats, you can also record events in the ODBC database format. For example, logs can be sent directly to a SQL Server or Oracle database and then analyzed with SQL or other analysis tools. To set up the log database:

1. Open Enterprise Manager and create a new database.
2. Start Query Analyzer and log in to the SQL Server system.
3. In the database field, select the log database (Log Database).

This database must include a table that matches the log data format. IIS 4.0 includes a SQL script file for creating the table.
The sample script file is as follows:

    create table inetlog (
        ClientHost     varchar(255),
        username       varchar(255),
        LogTime        datetime,
        service        varchar(255),
        machine        varchar(255),
        serverip       varchar(50),
        processingtime int,
        bytesrecvd     int,
        bytessent      int,
        ServiceStatus  int,
        Win32Status    int,
        operation      varchar(255),
        target         varchar(255),
        parameters     varchar(255)
    )

If you installed IIS 4.0 with the default options, this file is stored in the C:\Winnt\System32\inetsrv directory. Running this script creates the table, which the script names inetlog.

Figure 3: ODBC logging configuration

Next, create the ODBC system data source on the IIS 4.0 system as follows:

1. Open Control Panel.
2. Click the ODBC icon.
3. Click the System DSN tab.
4. Click Add.
5. Select the SQL Server ODBC driver.
6. Enter the Data Source Name (DSN) and description.
7. Enter the server name.
8. Follow the prompts to select the database and test the data source.

To store the IIS web site's event logs in ODBC format:

1. Select ODBC Logging on the Web Site tab.
2. Click Properties to open the ODBC logging configuration window, as shown in Figure 3.
3. Change the DSN to the database file name created in the SQL setup above.
4. Change the table name to inetlog.
5. Enter the user name and password required to access the table, and click OK to confirm.

Figure 4: Event logging error

If the above settings are correct, IIS 4.0 can send logs to the database. If logs are not being sent to the database, check the event log for errors. Figure 4 shows the logging error caused by an incorrect table name in the database. Other errors, such as a wrong user name or password, will also prevent logging from working normally.

You may well have more experience with IIS 4.0 event logging than I do; this article is only meant to start the discussion. In general, pay attention to the choice of logged items and log formats. As for analyzing the data, in addition to SQL, Microsoft's NT 4.0 Option Pack also provides a tool called Site Server Express (SSE) that reads and analyzes log files. Of course, you can also choose third-party analysis software, such as Seagate Crystal Reports from Seagate Software, which can query and analyze SQL databases.
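The batch-import suggestion from the second section and the SQL analysis mentioned above can be combined. The following added example (not part of the original article) loads a closed log file in the Microsoft IIS log file format, whose fixed fields map one-to-one onto the inetlog columns, in a single transaction and then queries it for clients with repeated 4xx responses. SQLite stands in for the SQL Server log database, and the sample lines, host names and function names are constructed.

```python
import csv, io, sqlite3
from datetime import datetime

# Constructed sample in the fixed Microsoft IIS log file format (in*.log):
# client, user, date, time, service, machine, server IP, ms taken,
# bytes received, bytes sent, HTTP status, Win32 status, method, target, params
IIS_SAMPLE = """\
192.168.1.20, -, 1/25/01, 16:00:01, W3SVC1, WEB01, 192.168.1.5, 47, 210, 3401, 200, 0, GET, /default.htm, -,
192.168.1.77, -, 1/25/01, 16:00:03, W3SVC1, WEB01, 192.168.1.5, 15, 198, 412, 401, 5, GET, /admin/, -,
192.168.1.77, -, 1/25/01, 16:00:04, W3SVC1, WEB01, 192.168.1.5, 16, 203, 412, 401, 5, GET, /admin/users.asp, -,
192.168.1.77, -, 1/25/01, 16:00:06, W3SVC1, WEB01, 192.168.1.5, 31, 201, 604, 404, 2, GET, /backup.zip, -,
"""

SCHEMA = """create table inetlog (ClientHost varchar(255), username varchar(255),
  LogTime datetime, service varchar(255), machine varchar(255), serverip varchar(50),
  processingtime int, bytesrecvd int, bytessent int, ServiceStatus int,
  Win32Status int, operation varchar(255), target varchar(255), parameters varchar(255))"""

def new_log_db():
    """In-memory SQLite database standing in for the SQL Server log database."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def load_batch(db, text):
    """Insert every row of one closed log file in a single transaction."""
    rows = []
    for f in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(f) < 15:
            continue  # skip blank or truncated lines
        when = datetime.strptime(f"{f[2]} {f[3]}", "%m/%d/%y %H:%M:%S")
        rows.append((f[0], f[1], when.isoformat(sep=" "), *f[4:7],
                     *map(int, f[7:12]), *f[12:15]))
    with db:  # commit once per file, not once per request
        db.executemany("insert into inetlog values (" + ",".join("?" * 14) + ")", rows)
    return len(rows)

def failed_requests_by_client(db, minimum=2):
    """Clients with at least `minimum` 4xx responses, most active first."""
    return db.execute(
        "select ClientHost, count(*) from inetlog where ServiceStatus between 400 and 499 "
        "group by ClientHost having count(*) >= ? order by 2 desc", (minimum,)).fetchall()
```

The values are bound as query parameters rather than concatenated into the SQL text, since fields such as the target and parameters come straight from client requests.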