Troubleshooting Logging Problems (IIS 6.0)
Historically, IIS administrators have rarely had to troubleshoot logging problems. In earlier versions of IIS, log configuration was simple and straightforward, and in most cases, the default settings were adequate.
In IIS 6.0, new logging functionality, such as centralized binary logging and UTF-8 logging, and the fact that logging is now performed by HTTP.sys instead of the WWW Service (W3SVC) present new configuration options and architectural elements as well as new troubleshooting challenges. This section explores some of the problems that can occur with HTTP.sys logging.
Table 11.14 HTTP.sys Logging-Related Event Log Errors lists and describes HTTP.sys logging-related Event Log errors, and provides troubleshooting recommendations for each.
| Table 11.14 HTTP.sys Logging-Related Event Log Errors | ||
| Event ID | Description | Recommendation |
15000 | Unable to create log file %2. | Ensure that the logging directory is correct and this computer account has write access to that directory. |
15001 | Unable to create the log file for site W3SVC%2. | Ensure that the logging directory for the site is correct and this computer has write access to that directory. |
15002 | Unable to write to the log file %2 for site W3SVC%3. The disk might be full. | If this is a network path, ensure that network connectivity is not broken. Otherwise, the disk is full. |
15003 | Unable to create the centralized binary log file. | Ensure that the logging directory is correct and this computer has write access to that directory. |
15004 | Unable to write to the centralized binary log file %2. The disk might be full. . | If this is a network path, make sure that network connectivity is not broken. Otherwise, the disk is full. |
15006 | Owner of the log file or directory %2 is invalid. Another user might have already created the log file or the directory. | Check for the existence of the logging directory and ensure that the owner is the local Administrators group. |
Logging Security Configuration
One of the fundamental aspects of IIS logging design involves the expected security configuration of the log file directory or UNC share when logging to UNC.
Configuration process
Upon first receiving an HTTP request, HTTP.sys begins logging. On this initial request, if the appropriate logging subdirectory and file does not exist, HTTP.sys creates them, giving System and local Administrators full control. For each, the owner is the Local Administrators account. If the directory and file already exist, HTTP.sys performs an access check for security purposes and verifies that the owner of the file and directory is the local Administrators group. If not, HTTP.sys logs event ID 15006 to the event log and disables logging for that site. If the ownership check passes, HTTP.sys then ensures that System and local Administrators have full control.
When configuring logging to a UNC share, HTTP.sys does not perform an ownership check. Instead, the administrator is responsible for ensuring that security on the log file share and directory is configured appropriately. HTTP.sys sets the ACLs on the remote share to allow the Web servers system account the appropriate access.
Event ID 15000, 15001, and 15003
These errors occur when the log file and directory do not have proper security settings. When the IIS logging configuration settings are changed, if the file and directory security settings are not correct (if the System and Administrators do not have full control), HTTP.sys writes event ID 15001 or event ID 15003 (if binary logging is enabled) to the Event Log. HTTP.sys writes an event ID 15000 to the event log if security settings change during operation, for example, if the file ACLs are altered manually.
Event ID 15002 and Event ID 15004
Event ID 15002 and Event ID 15004 errors are similar. Both occur when HTTP.sys is unable to write to the log file because the disk is full. When binary logging is enabled, HTTP.sys writes an event ID 15004 error to the Event Log. An event ID 15004 also is written to the Event Log if a network problem prevents HTTP.sys from writing to the log file.
Logging Headers
In the past, the logging headers that were written to a log file typically indicated the restarting of the Web service. In IIS 6.0 this is not the case. After waiting for 15 minutes for a given site, HTTP.sys stops logging. When the next request for that site arrives, HTTP.sys restarts logging and writes a new set of headers to the log file.
Present in Log Files
In rare cases, you might see in an IIS log file entry. When a query string or a header value is longer than 4 KB, HTTP.sys writes the string as instead of writing the entire string.
UTF-8 Logging Problems
When using the UTF-8 logging feature, note the following:
| • | A log file logged in UTF-8 does not contain a Byte Order Mark (BOM). File editors use this mark to identify text as UTF-8 text. Therefore, if you attempt to open a log file that is logged in UTF-8 in Notepad by double-clicking the file or by using the Open With option, the file might not display correctly. To open the file in a way that displays it correctly, use the Open command on the File menu and then select UTF-8 in the Encoding box. |
| • | Because IIS 6.0 now supports UTF-8 URLs, you can now log those URL requests to an ASCII log file. UTF-8 is a double-byte character set standard. Because ASCII is a single-byte character set standard, logging UTF-8 information to an ASCII file presents a problem. In such a case, ? is logged for the characters that cannot be converted to the codepage of the server. |