IIS 8.5 not logging all requests

iis-8.5loggingwindows-server-2012-r2

I'm having an issue where IIS 8.5 on Server 2012 R2 is not logging requests properly. It was working fine up until about a week ago – producing log files >10mb. This information was useful for our analytics processing. Currently, the log files contain very little information, with the occasional request that is logged – producing log files <100kb. I'm unsure what changed to cause it to stop.

I copy these files periodically and analyze them at a separate location. The log files for last month were all between 1mb and 14mb each. The same log files were later shown as <100kb files. The Date Modified for each does not appear to have changed. I have copies of both sets of files.

Reading through other similar-sounding issues with IIS6 and IIS7 led me to check comparable settings:

Permissions on logging directories match between my test server and production server. This does not appear to have changed.
Settings have not changed – dontLog = False, selectiveLogging = logAll
Use local time for file naming and rollover is unchecked.
W3C logging settings are default
Changing Log Event Destination to Both log file and ETW event produces same results. Limited requests logged.
Restarting services & IIS yielded no changes
Restarting server resulted in no changes.

W3C Logging Service set to Automatic startup

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-10-08 15:22:58
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-10-08 15:22:58 x.x.x.x GET / - 80 - x.x.x.x MSIE+6.0 - 200 0 0 187
2015-10-08 15:27:58 x.x.x.x GET / - 80 - x.x.x.x MSIE+6.0 - 200 0 0 78
2015-10-08 15:32:58 x.x.x.x GET / - 80 - x.x.x.x MSIE+6.0 - 200 0 0 93

Best Answer

The problem has been solved, however my understanding of active directory and domain controllers is lacking.

Here are the conditions that restored the log files:

Log files were being kept, just not visible to my account. (not stored on the server/file system?)
There was a trust relationship failure between the server and domain.
Once the trust relationship between domain and server, including accounts, was restored, the log files were once again available. This includes all of the log files generated for the duration of the issue.

Hopefully this information is useful to someone in the future.

Related Solutions

HAProxy not logging all requests

With all HAProxy versions prior to 1.5-dev22, when used in mode http, it worked in the tunnel "sub-mode" if no other "sub-mode" was specified. I realize there's not actually such a thing as a "sub-mode" in HAProxy, but I'm not sure what else to call it. The docs just use the word 'mode', but I find that even more confusing...

In any event, in tunnel "sub-mode" only the first request and response are processed, and everything else is forwarded with no analysis at all. This mode should not be used as it creates lots of trouble with logging and HTTP processing.

As of 1.5-dev22, the default "sub-mode" was changed from tunnel to keep alive, meaning that all requests and responses are processed, and connections remain open but idle between responses and new requests.

This can be changed by using the option http-keep-alive, option http-tunnel, option httpclose, option http-server-close and option forceclose keywords in frontends and backends, with the effective mode (or "sub-mode" if you will) being outlined in the docs. Under section 4, there's a table that shows the effective "sub-mode" based on which options are set in the frontend and backed used for a particular connection.

For completeness, here's the relevant section of the docs, including the table and it's various "sub-modes", as it exists at the time of this writing (1.5.14):

In HTTP mode, the processing applied to requests and responses flowing over
a connection depends in the combination of the frontend's HTTP options and
the backend's. HAProxy supports 5 connection modes :

  - KAL : keep alive ("option http-keep-alive") which is the default mode : all
    requests and responses are processed, and connections remain open but idle
    between responses and new requests.

  - TUN: tunnel ("option http-tunnel") : this was the default mode for versions
    1.0 to 1.5-dev21 : only the first request and response are processed, and
    everything else is forwarded with no analysis at all. This mode should not
    be used as it creates lots of trouble with logging and HTTP processing.

  - PCL: passive close ("option httpclose") : exactly the same as tunnel mode,
    but with "Connection: close" appended in both directions to try to make
    both ends close after the first request/response exchange.

  - SCL: server close ("option http-server-close") : the server-facing
    connection is closed after the end of the response is received, but the
    client-facing connection remains open.

  - FCL: forced close ("option forceclose") : the connection is actively closed
    after the end of the response.

The effective mode that will be applied to a connection passing through a
frontend and a backend can be determined by both proxy modes according to the
following matrix, but in short, the modes are symmetric, keep-alive is the
weakest option and force close is the strongest.

                          Backend mode

                | KAL | TUN | PCL | SCL | FCL
            ----+-----+-----+-----+-----+----
            KAL | KAL | TUN | PCL | SCL | FCL
            ----+-----+-----+-----+-----+----
            TUN | TUN | TUN | PCL | SCL | FCL
 Frontend   ----+-----+-----+-----+-----+----
   mode     PCL | PCL | PCL | PCL | FCL | FCL
            ----+-----+-----+-----+-----+----
            SCL | SCL | SCL | FCL | SCL | FCL
            ----+-----+-----+-----+-----+----
            FCL | FCL | FCL | FCL | FCL | FCL

IIS 8.5 not accepting authentication settings at app level

Turns out that our IIS install script included the following:

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST'  -Filter "system.applicationHost/applicationPools/applicationPoolDefaults" -Name "enableConfigurationOverride" -Value "False"

Which essentially changes the default setting for all application pools that disabled any configuration override. Essentially, this turned off the ability to use web.config files within our sites.

That would definitely do it. I couldn't see anything in the UI for the enableConfigurationOverride option.

So I just ran the following in Powershell to fix the issue:

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST'  -Filter "system.applicationHost/applicationPools/applicationPoolDefaults" -Name "enableConfigurationOverride" -Value "True"

Best Answer

Related Solutions

HAProxy not logging all requests

IIS 8.5 not accepting authentication settings at app level

Related Topic