Log a rhythm

Even back in the days when a log was just a piece of wood used to measure the speed of a ship, captains have looked for ways to know what's going on below deck, and with the new version of IIS in Windows Server 2012 R2 we have kicked IIS's logging ability up several notches.

IIS's logging abilities have always been above average and highly customizable, but now they are even better. Administrators can now configure IIS to log fields that were previously available only through packet-level inspection. When configuring logging, the administrator can add custom fields that store:

1. Request headers

2. Response headers

3. Server Variables

For example, until now you could log the port the client was connecting to…but not the port it was connecting from. Now you can do this easily, along with many other fields. To do so, click on Logging (at either the server level or the site level) and then click on Select Fields:


As you can see, this lists the fields you are probably familiar with from previous releases…but also the custom fields at the bottom. To add a field, click on Add Field, give your custom field a name, and select from the drop-downs:


The other groups of items provide the following selection:

Request Headers:
Accept, Accept-Charset, Accept-Encoding, Authorization, Cache-Control, Connection, Content-length, Content-MD5, Content-Type, Date, Expect, From, Host, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Max-Forwards, Pragma, Proxy-Authorization, Range, Referer, TE, Upgrade, User-Agent, Via, Warning

Response Headers:
Accept-Ranges, Content-Type, ETag, Last-Modified, Server

Server Variables:
ALL_HTTP, ALL_RAW, APPL_MD_PATH, APPL_PHYSICAL_PATH, AUTH_PASSWORD, AUTH_TYPE, AUTH_USER, CERT_COOKIE, CERT_FLAGS, CERT_ISSUER, CERT_KEYSIZE, CERT_SECRETKEYSIZE, CERT_SERIALNUMBER, CERT_SERVER_ISSUER, CERT_SERVER_SUBJECT, CERT_SUBJECT, CONTENT_LENGTH, CONTENT_TYPE, GATEWAY_INTERFACE, HTTP_ACCEPT, HTTP_ACCEPT_ENCODING, HTTP_ACCEPT_LANGUAGE, HTTP_CONNECTION, HTTP_COOKIE, HTTP_HOST, HTTP_METHOD, HTTP_REFERER, HTTP_URL, HTTP_USER_AGENT, HTTP_VERSION, HTTPS, HTTPS_KEYSIZE, HTTPS_SECRETKEYSIZE, HTTPS_SERVER_ISSUER, HTTPS_SERVER_SUBJECT, INSTANCE_ID, INSTANCE_META_PATH, LOCAL_ADDR, LOGON_USER, PATH_INFO, PATH_TRANSLATED, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQUEST_METHOD, SCRIPT_NAME, SERVER_NAME, SERVER_PORT, SERVER_PORT_SECURE, SERVER_PROTOCOL, SERVER_SOFTWARE, UNMAPPED_REMOTE_USER

In addition to the pre-populated items, you can also type in your own custom field name. For example, a common challenge for security staff and network administrators is the need to record the IP address of connecting clients. On servers that sit directly on the network this is not a problem, but if the web server is front-ended by a load balancer, the logged IP will be the IP of the load balancer itself. Load balancers can usually be configured to forward the IP of the originating client in a custom HTTP header named “X-FORWARDED-FOR” (https://en.wikipedia.org/wiki/X-Forwarded-For). Before forwarding the request, the load balancer attaches a request header by that name containing the IP of the client the request was forwarded for. By adding a custom request-header field like this, we can record that value in the IIS logs and use the data for whatever purpose we need:
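To show what can be done with such a log once the custom field is in it, here is an added example (my own code, not part of the original post or of IIS): a small parser for the W3C log format that reads the field names from the #Fields directive, then attributes each request to its originating client. The sample log text, the custom field name X-Forwarded-For and the load balancer address 10.0.0.2 are all constructed for the example; because a client can send its own X-Forwarded-For header, the value is trusted only when the direct peer (c-ip) is the load balancer, and then only the last address the balancer appended.

```python
import ipaddress

# Constructed sample of an IIS "_x" log file; not real server output. The
# custom field name (X-Forwarded-For) is whatever was typed in Add Field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem c-ip c-port sc-status X-Forwarded-For
2016-01-02 00:00:01 10.0.0.5 GET /index.html 10.0.0.2 51234 200 203.0.113.10
2016-01-02 00:00:02 10.0.0.5 GET /login 10.0.0.2 51235 200 198.51.100.7,+203.0.113.10
2016-01-02 00:00:03 10.0.0.5 GET /admin 192.0.2.44 40000 403 203.0.113.99
2016-01-02 00:00:04 10.0.0.5 GET /about 10.0.0.2 51236 200 -
"""

# Load balancers trusted to set X-Forwarded-For (assumed address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        elif fields is None:
            raise ValueError("log entry before any #Fields directive")
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
            yield dict(zip(fields, values))


def client_ip(entry, xff_field="X-Forwarded-For"):
    """Originating client address: trust the header only when the direct peer
    (c-ip) is a known load balancer, and then only its last (balancer-appended)
    address; IIS writes spaces as '+' and an absent field as '-'."""
    peer = ipaddress.ip_address(entry["c-ip"])
    raw = entry.get(xff_field, "-")
    if peer not in TRUSTED_PROXIES or raw == "-":
        return str(peer)
    hops = [h.strip() for h in raw.replace("+", " ").split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return str(peer)  # malformed header: fall back to the peer address


def originating_clients(text=SAMPLE_LOG):
    """(cs-uri-stem, client address) for every entry in the log text."""
    return [(e["cs-uri-stem"], client_ip(e)) for e in parse_w3c(text)]
```

The /admin entry shows why the peer check matters: its X-Forwarded-For value is ignored because the request did not arrive via the load balancer, so the address written to the log is the real peer, not a header the sender chose.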


Once you add any custom fields, IIS will create log files with _x appended to the file name, which indicates that these log files contain the extra fields:


The enhanced logging is managed by a new service in Windows Server 2012 R2 called “W3C Logging Service”. In previous generations of IIS, the HTTP protocol stack did the logging itself; the new service sits in between, which allows it to collect the headers and write them to the log. This service is stopped by default and set to “Manual” startup. When you add a field to enhanced logging and the site receives a request, the service is started (although its startup type remains Manual) and logging of the enhanced fields commences.


Like it? Download the preview of Windows Server 2012 R2 here, and enjoy!

Comments

  • Anonymous
    January 02, 2016
    Thanks! Is it safe to say, then, that if the logs do not have the _x on the end, that they were created by IIS and not W3C? I ask because my IIS logs are standard (no added or custom fields, no _x on the end), seem to be working fine, and yet I never see my manual start W3C actually 'running' ... just curious. Thanks again for taking the time to post this...