Capturing IP Addresses for Web Server Logon Events
Learn how to retrieve the IP address for users logging on to a Win2K Web server.
September 22, 2003
Before visitors to my Windows 2000 Web server can access pages, I require them to log on to a server account. The Security log captures these logon events, including the username and workstation name, but not the IP address. If the logon succeeds, I can get the IP address from the Microsoft IIS log. But if the logon fails, I don't get the IP address.
Having the IP address could help me determine whether someone was trying to attack the site. Why doesn't the IP address appear in the Security log, and how can I make Windows log the address?
You're partly right—the Win2K Security log doesn't record the client's IP address—but IIS does record failed authentication attempts and supplies the username and IP address. If you use native IIS authentication techniques to authenticate users to an IIS server, event ID 528 identifies the username and workstation name whenever a user authenticates to the server. (The log won't capture data if you use cookie authentication or third-party forms authentication to authenticate users.) If an authentication attempt fails, Win2K logs event ID 529. As you observed, event IDs 529 and 528 don't supply the remote user's IP address. Because Win2K supports Windows logons through IPX and NetBEUI in addition to IP, the client IP address isn't always applicable, so Microsoft chose to omit the IP address from these logon events. I agree that Microsoft should modify Win2K so that the Security log records the IP address for IP logons. (Windows Server 2003 includes this capability.)
You're also right that IIS logs the IP address and username for successful Web requests. But IIS also records failed Web requests, including the username and IP address. Whenever Win2K logs event ID 528 or 529 in the Security log, the IIS log (under %winroot%\system32\logfiles) records the corresponding request as well. For a successful logon, the IIS entry shows that the request was received and processed successfully, usually with a result code of 200. If a user fails to authenticate to the Web server, IIS still logs the request. In both cases, IIS logs the time, client IP address, username, HTTP method (usually GET), pathname of the file requested, and result code. If the user fails to authenticate to the Web server, IIS logs a record with result code 401. Figure 1 shows sample IIS log data and includes an example of both a success and a failure result code.
—Randy Franklin Smith
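Correlating the two logs as the answer describes, as an added example that is not part of the original column: it parses IIS W3C extended log lines by their #Fields header, counts 401 responses per username and client IP, and joins Security log event ID 529 entries to the 401 request logged for the same user within a few seconds. The log lines, timestamps, usernames, addresses and the 5-second window are constructed assumptions, not data from the page.

```python
"""Recover client IPs for failed Web logons (Security event ID 529) from IIS 401 entries."""
from datetime import datetime, timedelta

# Constructed sample IIS log in W3C extended format (not from the original page).
# The first 401 with username '-' is the normal authentication challenge; the
# browser has not yet sent credentials, so it is not a failed logon.
IIS_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-09-22 14:05:01 192.0.2.10 - GET /secure/default.htm 401
2003-09-22 14:05:07 192.0.2.10 bob GET /secure/default.htm 401
2003-09-22 14:05:15 192.0.2.10 bob GET /secure/default.htm 200
2003-09-22 14:06:30 198.51.100.7 alice GET /secure/report.htm 401
"""

# Constructed Security log failures (event ID 529) as (timestamp, username).
SECURITY_529 = [(datetime(2003, 9, 22, 14, 5, 7), "bob"),
                (datetime(2003, 9, 22, 14, 6, 31), "alice"),
                (datetime(2003, 9, 22, 14, 9, 0), "carol")]


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the log declares its own column order
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def failed_auth_by_ip(text):
    """Count 401 responses per (username, client IP), skipping the anonymous challenge."""
    counts = {}
    for row in parse_w3c(text):
        if row["sc-status"] == "401" and row["cs-username"] != "-":
            key = (row["cs-username"], row["c-ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def correlate(events, text, window=timedelta(seconds=5)):
    """Map each 529 event to the client IP of a same-user 401 within `window`, else None."""
    result = {}
    for when, user in events:
        result[(when, user)] = None
        for row in parse_w3c(text):
            stamp = datetime.fromisoformat(row["date"] + " " + row["time"])
            if row["sc-status"] == "401" and row["cs-username"] == user and abs(stamp - when) <= window:
                result[(when, user)] = row["c-ip"]
    return result
```

IIS writes W3C log timestamps in UTC by default, so convert Security log event times to UTC before matching on a real server.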