Description of Windows Log Entries
Web servers (WebSite, Netscape, MS IIS) now support a new activity logging format called the Windows Log Format, Version 1.0. This logging
format has been designed to make it easy to import log data into most Windows office productivity packages such as Microsoft Excel and Microsoft
Access. It is also much easier (and faster) to parse the log entries using Visual Basic or Perl. The disadvantage of the Windows Log Format is that log
files are larger, requiring more disk space, than the NCSA Common and Combined formats.
Each HTTP request received by the server is logged as a single line. Fields in the log entry are tab-delimited text. There is no "encoding" or other
alteration of the values in log entries. They are logged verbatim. The table below describes each field, starting with the leftmost (first) field in an entry.
Tabs are included for empty fields.
Windows Log Entry Fields
Field Description
- The date and time at which the request was received. Format is per the local system's international "locale" setting, permitting importation into
Windows programs without parsing or reformatting.
- The IP address of the remote client/browser. This will be the remote client's DNS hostname if DNS reverse lookup is enabled (it usually is not).
- The server's hostname on which the request was received. Most useful on multi-homed servers.
- The authentication realm, if present in the request. NOTE: Presence of this field does not imply that the requested object was access-controlled.
- The authentication username, if present in the request. NOTE: Presence of this field does not imply that the requested object was
access-controlled.
- The HTTP method of the request (e.g., GET or POST)
- The path portion of the given URL. This does not contain any query string or URL parameter information.
- The complete referring URL, if present in the request. Most of the time, if this is present, it is the complete URL of the document that contained
the link that generated this request.
- The email address of the client/browser user. This field is not currently generated by any known browser, due to privacy concerns.
- A string describing the client/browser software and version.
- The numeric status code of the request, for example 200 for OK. For a complete list of HTTP status codes, see the Hypertext Transfer Protocol
1.0 (HTTP/1.0) or the entries under the Common Log Format.
- The number of actual content bytes transferred in the response. This does not include HTTP response header information.
- The time, in milliseconds, between the arrival of this request and the time it was logged. This includes not only the processing time, but also the
time it took to receive any content data provided with the request (e.g., form data), transmit the response to the client, close the TCP connection,
and clean up thereafter. Due to buffering within the TCP/IP kernel, this figure may be optimistic. Several kilobytes of data can be buffered beyond the
time the server closes the connection.
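
Because values are logged verbatim and fields are separated only by tabs, a tab inside a client-supplied value (referring URL, browser string) shifts every later field. The parser below is an added example, not code from the original page; it checks the field count before trusting an entry. The field labels, the sample lines, and the rule that the three numeric fields are digits or empty are assumptions made here.

```python
# Field labels are assumptions chosen for this example; the page gives only
# the descriptions, in this left-to-right order.
FIELDS = ["datetime", "client", "server_host", "auth_realm", "auth_user",
          "method", "path", "referrer", "from_email", "user_agent",
          "status", "bytes", "elapsed_ms"]
NUMERIC = ("status", "bytes", "elapsed_ms")

def parse_entry(line):
    """Parse one tab-delimited entry; raise ValueError if it is malformed."""
    parts = line.rstrip("\r\n").split("\t")
    # Empty fields still carry their tab, so a valid entry always has 13 parts.
    # Any other count means a value contained a tab or the line was truncated.
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        if rec[key] == "":
            rec[key] = None          # assumption: a numeric field may be empty
        elif rec[key].isdigit():
            rec[key] = int(rec[key])
        else:
            raise ValueError("%s is not numeric: %r" % (key, rec[key]))
    return rec

def parse_log(text):
    """Return (records, rejected); rejected holds (line_number, reason, raw)."""
    records, rejected = [], []
    # Split on "\n" only: str.splitlines() would also break on control
    # characters that can appear inside verbatim client-supplied values.
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip("\r"):
            continue
        try:
            records.append(parse_entry(line))
        except ValueError as exc:
            rejected.append((lineno, str(exc), line))
    return records, rejected

# Constructed sample entries (not taken from a real server log).
SAMPLE = (
    "03/14/97 10:15:02\t192.0.2.10\twww.example.com\t\t\tGET\t/index.html\t\t\tMozilla/3.0\t200\t1024\t45\n"
    # Browser string contains an embedded tab, producing 14 fields:
    "03/14/97 10:15:05\t192.0.2.66\twww.example.com\t\t\tGET\t/index.html\t\t\tMozilla/3.0\tX\t200\t1024\t45\n"
    "03/14/97 10:15:09\t192.0.2.11\twww.example.com\tStaff\talice\tPOST\t/cgi/form\thttp://www.example.com/form.html\t\tMozilla/2.0\t401\t0\t12\n"
)

if __name__ == "__main__":
    good, bad = parse_log(SAMPLE)
    print(len(good), "parsed;", [(n, why) for n, why, _ in bad])
```

Rejected lines are kept with their line number and raw text so they can be reviewed rather than silently dropped or imported with misaligned columns.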