IIS Log FAQ - Logging Headers

From time to time, I see some fairly common questions come across our internal discussion alias that we really don't do a good job of documenting externally, so I figured that as I see these frequently asked questions come up, I’d go ahead and post the answers here. I’ll start with one of the more common ones.

A handful of times a year, I see something similar to the following asked:

"Under what circumstances does IIS decide to re-write the logging headers in the IIS logs?"

This is always in reference to the appearance of these headers in the logs at seemingly random times:

#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2013-04-12 22:03:00
#Fields: date time s-ip <snip, you get the point>

The answer?

To start with, I want to clarify something. IIS isn't writing these headers; HTTP.SYS is. The kernel mode driver handles all logging formats except ODBC and custom logging (which the Advanced Logging module falls under), so if you're using the standard W3C logging (for example), HTTP.SYS is writing the data in the logs.

On to the actual answer: In addition to the more commonly known reasons (IISReset, server reboot), HTTP.SYS will re-write these headers in an existing log under one of the following conditions:

  1. If you've added or removed one or more logging fields, at which point HTTP.SYS rewrites the headers to show the fields now being logged. As an example, you decide to start logging the 'Protocol Version' field and enable it in the logging configuration for one or more sites. In that case, HTTP.SYS rewrites the headers to reflect the presence of the cs-version field.
  2. If a site doesn't receive requests for a set period of time (15 minutes), HTTP.SYS closes the handle to the associated log file to conserve resources. The next time a request comes in, HTTP.SYS re-opens the log file and writes the log headers.
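
For anyone parsing these logs, the consequence of the two conditions above is that #Fields can reappear mid-file, sometimes with a different column list, so a parser has to re-read it every time. The Python below is an added example, not code from the original post or from IIS; the sample log is constructed, and the reason labels are heuristics (a restart after a quiet period looks the same as an idle reopen).

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # idle period stated in the post

# Constructed sample log (not real traffic); the field list changes mid-file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2013-04-12 22:03:00
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2013-04-12 22:03:00 10.0.0.5 GET /default.htm 200
2013-04-12 22:04:10 10.0.0.5 GET /app.js 200
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2013-04-12 22:40:31
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2013-04-12 22:40:31 10.0.0.5 GET /default.htm 304
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2013-04-12 22:41:02
#Fields: date time s-ip cs-method cs-uri-stem cs-version sc-status
2013-04-12 22:41:02 10.0.0.5 GET /login.aspx HTTP/1.1 200
"""

def parse_w3c(text):
    """Return (records, header_events) for a W3C log with repeated headers."""
    records, events = [], []
    fields, prev_fields, last_seen, header_date = None, None, None, None
    for line in text.splitlines():
        if line.startswith("#Date:"):
            header_date = datetime.strptime(line[6:].strip(), "%Y-%m-%d %H:%M:%S")
        elif line.startswith("#Fields:"):
            fields = line[8:].split()  # column list applies until the next #Fields
            if prev_fields is None:
                reason = "start of file"
            elif fields != prev_fields:
                reason = "field list changed"
            elif header_date and last_seen and header_date - last_seen >= IDLE_TIMEOUT:
                reason = "consistent with idle reopen"
            else:
                reason = "restart or other"
            events.append((header_date, reason))
            prev_fields = fields
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            records.append(rec)
            if "date" in rec and "time" in rec:
                last_seen = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return records, events
```

A parser that reads #Fields only once at the top of the file would map the last sample line's `HTTP/1.1` into the `sc-status` column.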

Pretty simple answer, and I hope that clears it up for anyone who may have been curious.

Note that this applies to IIS 6/7/8.
