摘录：W3C Extended Log File Format (IIS 6.0)

The W3C Extended log file format is the default log file format for IIS. It is a customizable ASCII text-based format. You can use IIS Manager to select which fields to include in the log file, which allows you to keep log files as small as possible. Because HTTP.sys handles the W3C Extended log file format, this format records HTTP.sys kernel-mode cache hits.
Table 10.1 lists and describes the available fields. Default fields are noted.

Table 10.1 W3C Extended Log File Fields
Field	Appears As	Description	Default Y/N
Date	date	The date on which the activity occurred.	Y
Time	time	The time, in coordinated universal time (UTC), at which the activity occurred.	Y
Client IP Address	c-ip	The IP address of the client that made the request.	Y
User Name	cs-username	The name of the authenticated user who accessed your server. Anonymous users are indicated by a hyphen.	Y
Service Name and Instance Number	s-sitename	The Internet service name and instance number that was running on the client.	N
Server Name	s-computername	The name of the server on which the log file entry was generated.	N
Server IP Address	s-ip	The IP address of the server on which the log file entry was generated.	Y
Server Port	s-port	The server port number that is configured for the service.	Y
Method	cs-method	The requested action, for example, a GET method.	Y
URI Stem	cs-uri-stem	The target of the action, for example, Default.htm.	Y
URI Query	cs-uri-query	The query, if any, that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages.	Y
HTTP Status	sc-status	The HTTP status code.	Y
Win32 Status	sc-win32-status	The Windows status code.	N
Bytes Sent	sc-bytes	The number of bytes that the server sent.	N
Bytes Received	cs-bytes	The number of bytes that the server received.	N
Time Taken	time-taken	The length of time that the action took, in milliseconds.	N
Protocol Version	cs-version	The protocol version —HTTP or FTP —that the client used.	N
Host	cs-host	The host header name, if any.	N
User Agent	cs(User-Agent)	The browser type that the client used.	Y
Cookie	cs(Cookie)	The content of the cookie sent or received, if any.	N
Referrer	cs(Referrer)	The site that the user last visited. This site provided a link to the current site.	N
Protocol Substatus	sc-substatus	The substatus error code.	Y

For information about status codes, see IIS Status Codes.
Note
FTP log files do not record the following fields:

•	cs-uri-query
•	cs-host
•	cs(User-Agent)
•	cs(Cookie)
•	cs(Referrer)
•	sc-substatus

You can select as many of the W3C Extended log file fields as you want. However, not all fields will contain information. For fields that are selected but for which there is no information, a hyphen (-) appears as a placeholder. If a field contains a nonprintable character, HTTP.sys replaces it with a plus sign (+) to preserve the log file format. This typically occurs with virus attacks, when, for example, a malicious user sends carriage returns and line feeds that, if not replaced with the plus sign (+), would break the log file format.
Fields are separated by spaces. Field prefixes have the following meanings:

•	s- Server actions
•	c- Client actions
•	cs- Client-to-server actions
•	sc- Server-to-client actions

Note
For the time-taken field, the client-request timestamp is initialized when HTTP.sys receives the first byte, but before HTTP.sys begins parsing the request. The client-request timestamp is stopped when the last IIS send completion occurs. Time taken does not reflect time across the network. The first request to the site shows a slightly longer time taken than other similar requests because HTTP.sys opens the log file with the first request.
For more information about the W3C Extended log file format, see W3C Extended Log File Format.

原文地址：http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true