IIS 7.0: II7.0 Troubleshooting and Logging

IIS Manager

IIS 7.0 introduces a completely new user interface, the IIS Manager. The IIS Manager makes it

easier to browse and make changes to IIS settings, including log file settings. For example,

if you wanted to implement the centralized logging in IIS 6.0, you had to use ADSUtil.vbs.

Now, the Centralized Logging option is exposed in the IIS Manager, as shown in Figure 15-1.

The XML-Based Logging Schema

IIS 7.0 uses a new configuration system that is XML-based and is very similar to the ASP.NET

configuration system. Each configuration section is defined in XML schema files located in

%SystemRoot%\system32\inetsrv\config\schema. Details on the configuration sections are

covered in Chapter 4, “Understanding the Configuration System.” Because information is

defined in XML files, it is easy to determine what attributes, elements, and enums are used.

The schema for IIS 7.0 contains a list of all the configurable options, so looking in the schema

file is a quick way to identify all the configurable settings for any feature, including logging.

The following listing is from the system.applicationHost/log section that is located in

%SystemRoot%\system32\inetsrv\config\schema\IIS_Schema.xml. (Some long lines have

been split to fit on the printed page.) As you can see, the XML clearly defines the names and

data types associated with each item.

</attribute>

<attribute name="directory" type="string" expanded="true"

defaultValue="%SystemDrive%\inetpub\logs\LogFiles" />

</attribute>

<attribute name="truncateSize" type="int64" defaultValue="20971520"

validationType="integerRange"

validationParameter="1048576,4294967295" />

<attribute name="localTimeRollover" type="bool"

defaultValue="false"/>

</element>

<attribute name="directory" type="string" expanded="true"

defaultValue="%SystemDrive%\inetpub\logs\LogFiles"

validationType="nonEmptyString" />

</attribute>

<attribute name="truncateSize" type="int64" defaultValue="20971520"

validationType="integerRange"

validationParameter="1048576,4294967295" />

<attribute name="localTimeRollover" type="bool"

defaultValue="false"/>

<attribute name="logExtFileFlags" type="flags"

defaultValue="Date, Time, ClientIP, UserName, SiteName, ServerIP,

Method, UriStem, UriQuery, HttpStatus, Win32Status,

ServerPort, UserAgent, HttpSubStatus">

</attribute>

</element>

</sectionSchema>

Centralized Logging Configuration Options

Following is the logging section defined in the ApplicationHost.config file that controls

Centralized Logging options. You can change this so that your files are stored on another drive

or volume. You can enable options you want and disable whatever options you do not need.

<log>

<centralBinaryLogFile enabled="true"

directory="%SystemDrive%\inetpub\logs\LogFiles" />

<centralW3CLogFile enabled="true"

directory="%SystemDrive%\inetpub\logs\LogFiles" />

</log>

SiteDefaults Configuration Options

The SiteDefaults section in the ApplicationHost.config file, shown in the following code,

controls the logging settings that are used when creating new sites. You can configure two

options: the format of the log file and the location in which Failed Request tracing files are

stored.

<logFile logFormat="W3C"

directory="%SystemDrive%\inetpub\logs\LogFiles" />

<traceFailedRequestsLogging

directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />

</siteDefaults>

Disable HTTP Logging Configuration Options

In some cases, an IIS administrator does not require log files. If you would like to turn off

httpLogging at the server level, you can disable logging in the IIS Manager. You can also

disable logging at the site level. You might wonder why these options are available. It’s so that

you can disable logging on your test or development machines to reduce the disk space

that unnecessary files use.

You should evaluate your options before disabling httpLogging. Check with your business or

legal department to be certain what your company’s logging requirements and policies are.

The default value for this setting, as shown here, is false.

Default Log File Location

One of the most significant changes in IIS 7.0 is that the folder where IIS stores WWW logs

has been changed to %SystemDrive%\inetpub\logs\LogFiles. For example, the Default Web

Site would log to C:\inetpub\logs\LogFiles\w3svc1. This means that by default in IIS 7.0, all

log files are stored in a single folder. Note, however, that log files for the legacy built-in File

Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP) services are still located in

%windir%\System32\Logfiles. You can manage these files by using the IIS Manager 6.0, an

MMC console that is installed when you install the legacy FTP service or the SMTP service.

Note The new FTP Publishing Service for IIS 7.0 stores its log files in %SystemDrive%\

inetpub\logs\LogFiles by default. You need to download and install this add-on, because it

does not ship with IIS 7.0. The x86 and x64 versions are available at http://www.iis.net. Click

Download and search for “Microsoft FTP Publishing Service for IIS 7.0.”

Default UTF-8 Encoding

By default, IIS 7.0 stores log files by using UTF-8 encoding. This changes the default file

naming convention so that the files start with u_ (for example, u_exYYMMDD.log). Here is

the portion of the IIS_Schema.xml file that sets the UTF-8 encoding option. The default

setting is true.

...

</sectionSchema>

UTF-8 encoding allows for single-byte and multi-byte characters in one string. This encoding

enables you to read text-based logs (for example, logs that use W3C Extended, IIS, and NCSA

Common formats) in a language other than English. IIS does not support the UTF-8 format

for the built-in FTP Publishing Service log files. UTF-8 encoding is available in IIS 6.0, but it is

not enabled by default. If you do not want to have your logs use UTF-8 encoding, you can use

ANSI as the format.

New Status Codes

In IIS 7.0, new status codes have been introduced for HTTP and FTP. These additional error

codes provide more details about events and better descriptions of how to fix errors, with

suggestions about what to look for or what procedures to run. Appendix A provides a

complete list of all status codes.

Management Service

IIS 7.0 introduces Management Service, which enables computer and domain administrators

to remotely manage a machine by using the IIS Manager. The Management Service also

enables nonadministrators to control sites and various applications by using the IIS Manager

from a workstation.

This service has its own logs that are used to track information related to the Management

Service. This service is not installed by default. If you install and enable this service, the logs

will be saved in %SystemDrive%\inetpub\logs\WMSvc.

From a logging perspective, you should make sure the Management Service logging is enabled.

The logs can help you audit and troubleshoot issues when clients are connecting to your

server. The Management Service is discussed in depth in Chapter 8, “Remote Administration.”

Log File Formats That Have Not Changed

IIS 7.0 supports all the common logging formats that are available in prior versions of IIS.

There have been no changes in IIS 7.0 to the following log file formats:

■ Microsoft IIS

■ NCSA

■ W3Svc extended

Note For descriptions, further discussion, and examples of these log formats, go to

http://msdn2.microsoft.com and search for “IIS logging formats.”

Centralized Logging

Centralized logging in IIS 7.0 operates the same way as it does in IIS 6.0. However, you can

now configure this option in the IIS 7.0 Manager. To access this feature, go to Administrative

Tools > Internet Information Services (IIS) Manager. Click the computer name and locate

the Logging option listed in the IIS section.

Using the Logging option can reduce administrative costs because only one IIS log file is

being maintained. If you use binary logging, the log can be stored in a much smaller file than

the equivalent text log file.

W3C Centralized Logging Format

W3C centralized logging was first introduced in Windows Server 2003 SP1. W3C centralized

logging is a server-level setting. When you enable this feature on a server, all Web sites on

that server are configured to write log data to a central log file. Data is stored in the log file

using the W3C Extended log file format. You can enable this setting through the IIS 7.0

Manager or by using Appcmd. If you use W3C centralized logging, you can view the log file

with a text editor such as Notepad.

Note W3C centralized logging uses the W3C Extended log format, which includes the following

four fields: HostHeader, Cookie, UserAgent, and Referrer. These fields are not available in

centralized binary logging.

Centralized Binary Logging Format

Centralized binary logging is essentially the same as W3C centralized logging, except that

the log file uses a proprietary, binary format. Because the resulting file is binary, it is smaller

than an equivalent text file so that you can conserve disk space. It cannot be read with a text

editor and requires parsing to produce useful information. However, this is easier than you

might think when you use the Log Parser tool, which reads the centralized binary file format

natively. The Log Parser tool is discussed later in this chapter.

Important The built-in FTP and SMTP services do not support W3C centralized logging.

Remote Logging

IIS 7.0 supports writing log files to a network share. This option enables you to have your log

files stored in real time to a remote computer. For example, suppose that you have a Web farm

configured for logging to a central location. The remote file server could be a server running

DFS (distributed file system). DFS can provide multiple benefits including a central location

to collect your log files and automatic replication of your logs to multiple locations. Having

such a primary collection point can make handling your reporting processes much easier.

Important When you set up your remote logging environment, make sure the host (A)

and pointer (PTR) DNS records are set up so that authentication and resolution happens

correctly. This can help avoid problems such as Kerberos authentication errors when HTTP.sys

is trying to write log files.

You can use either the IIS 7.0 Manager or Appcmd to set up Universal Naming Convention

(UNC) remote logging.

Setting Up Remote Logging by Using the IIS Manager

Following are the steps to enable remote logging by using the IIS Manager:

1. Create a directory called IISLogs on the remote server that will store the log files. This

machine is typically in the same domain as the Web servers. If the remote server is

not in the same domain or is a stand-alone machine, you can use the procedure outlined

in the following sidebar so your files are stored on a remote machine.

Using a NULL Session for Remote Logging

If your remote server will be in a different domain, you can set up a NULL Session to

support remote logging. The following procedure outlines how to set up this environment.

If your remote server is not in a different domain, you can skip over the details of

this outline and proceed with step 2 of the procedure for setting up remote logging by

using the IIS Manager.

Before setting up your environment, make sure both machines can resolve each other

using DNS, WINS, or custom entries in the local HOSTS file. This procedure assumes

both servers are Windows Server 2008.

1. Identify two machines, the Web server and the file server. These roles need to be

on separate physical machines.

2. Create a folder called IISLogs on your file server and then create a share and grant

appropriate folder security.

a. Open a command prompt on the file server and type mkdir c:\IISLogs

b. Then type net share IISLogs=c:\IISLogs /Grant:Everyone,FULL

c. Then type cacls c:\IISLogs /G Administrators:F SYSTEM:F Everyone:C

d. When you see the prompt “Are you sure (Y/N)?” type y

e. Processed dir: c:\IISLogs

3. Configure logging on your Web site by typing

appcmd set sites "WebsiteName" -logFile.directory:\\FileServerName\IISLogs

4. Configure Local Security Policy on the file server.

*Programs, Administrative Tools, Local Security Policy, Local Policies, Security Options*

a. Enable:Network access:Let Everyone permissions to apply to anonymous users.

b. Add IISLogs share to the Network access:Shares that can be accessed

anonymously.

5. Browse your Web site on the Web server.

a. Open http://localhost/

6. Open a command prompt on the Web server and type the following command:

netsh http flush logbuffer

7. Check your log files to see if your sample request is listed.

2. Share the IISLogs folder you created in the previous step. Change the share permissions

to—at minimum—enable both the remote machine accounts Administrators group and

the account that is writing the log files full control. Change the NTFS file system (NTFS)

permissions so that the remote machine accounts Administrators have full control and

the account writing the log files has modify permissions. This example assumes that

you are using the NETWORK SERVICE as your application pool account and that the

remote server and Web server are in the same domain.

Note When the NETWORK SERVICE account accesses a remote resource, it uses the

computer account stored in Active Directory Domain Service as the actual account

accessing the log folder.

3. In the IIS Manager, navigate to your Web site and type in the UNC path to the server.

To do so, go to Administrative Tools > Internet Information (IIS) Manager. Select the

computer name in the leftmost column and then double-click the Logging icon in

the IIS Section. Type the path to the share in the Directory text box by using the syntax

\\ServerName\ShareName, as shown in Figure 15-2.

Note You can also use the syntax \\FQDN\ShareName to specify the logging path,

but you might run into issues if you try to use the syntax \\IPAddress\ShareName to

specify the path. The \\IPAddress\ShareName syntax can cause an authentication issue

that prevents the log files from being created. The following is an example of an error

generated when trying to use an IP Address when remote logging is enabled:

Microsoft-Windows-HttpService , LogFileCreateFailed ,

49, 0, 16, 2, 59, 9,

0x0000000000000800, 0x00000004, 0x000005AC, 0,

, , {00000000-0000-0000-0000-

000000000000}, ,

128277049412643098, 220, 0, 0xC0000022,

"ResponseLogging ", "Site ", "W3C ",

"\dosdevices\UNC\192.168.0.125\UncLogFiles\W3SVC1\u_ex070630.log",

0 4. Click Apply.

5. Browse a Web page in your site.

6. Open a command prompt by using elevated credentials and type netsh http flush

logbuffer. If this is the first time entries have been logged, HTTP.sys will create the

folder and a log file. Open the log file in Notepad to confirm your example entries have

been logged.

Setting Up Remote Logging by Using Appcmd

You can also use Appcmd to update the logfile directory for a specific Web site. The syntax for

configuring UNC remote logging using Appcmd is shown here. (The line has been split to fit it

on the printed page.)

//Appcmd to set the log directory path for Default Web Site

Appcmd set sites "Default Web Site"

-logFile.directory:\\RemoteServerCMD.Contoso.com\LogFiles

Note To automate configuring remote logging, you could put this example into a script to

which you can pass variables.

Executing this command results in the following output:

SITE object "Default Web Site" changed

IIS 7.0

Thursday, February 26, 2009

II7.0 Troubleshooting and Logging

No comments:

Post a Comment

Followers

Blog Archive