locked
ISAPI and IIS 10 Logging Issues RRS feed

  • Question

  • User-1021758691 posted

    When using the ISAPI Handler Mapping in IIS 10 on Windows 2016, the IIS logs are not identifying the URI Stem (cs-uri-stem) and URI Query (cs-uri-query) as expected.  For EVERY request that the handler processes (e.g. default.cfm), the cs-uri-stem records an entry as "/jakarta/isapi_redirect.dll" and the cs-uri-query is always empty.

    On Window 2012 R2, IIS is not behaving this way. 

    Any help would be greatly appreciated!

    Tuesday, September 5, 2017 8:28 PM

Answers

  • User-1834227407 posted

    I finally managed to figure out what the issue is/was.  The c:\windows\system32\inetsrv\config\applicationHost.config file has a definition for IsapiFilter in the <location path="" overrideMode="Allow"><system.webServer><modules> section.  The IsapiFilterModule needs to be before the HttpLoggingModule in the list.  I've made this change on all of my Windows 2016 servers where logging wasn't working and they're all happy now, logging correctly.

    Hope this helps someone

    Justin 

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, November 17, 2017 3:46 PM

All replies

  • User-460007017 posted

    Hi Miket03,

    The IIS logging service responsible for the logging and it should record the string after question mark in cs-uri-query.

    Best Regards,

    Yuk Ding

    Wednesday, September 6, 2017 8:06 AM
  • User-1021758691 posted

    Yuk,

    Here is a log Excerpt:

    #Software: Microsoft Internet Information Services 10.0
    #Version: 1.0
    #Date: 2017-07-02 00:00:00
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
    2017-07-02 00:00:00 XX.X.X.XX GET /jakarta/isapi_redirect.dll - 443 - XX.X.X.XX HTTP/1.1

    As you can see in the log, the columns are correct but the actual cs-uri-stem and cs-uri-query are not logged properly.  It is only listing the ISAPI module that is called and not the page that was requested.

    I read about this happening with "IIS Advanced Logging" feature here: https://forums.iis.net/p/1168716/2134036.aspx?Re+IIS+Advanced+Logging+issues+with+Tomcat+and+web+application

    Do you know if IIS 10 incorporated specific changes in the logging of requests?  Perhaps any updates as to how it handles ISAPI filters in general?  It "feels" like IIS 10 incorporated the Advanced Logging features directly into the platform along with this bug.

    -Mike

    Wednesday, September 6, 2017 8:03 PM
  • User-1021758691 posted

    Yuk,

    Did you see my previous post?  Any movement with this topic?  Still an outstanding issue on my end.

    Please advise!

    Thanks.

    Tuesday, September 19, 2017 12:35 PM
  • User-2064283741 posted
    Well it all looks like it is an issue with that isapi (I imagine it is old has not been updated for 2016) and really I would look at contacting the authors of that.

    Not used tomcat for many years but I imagine a suitable urlrewrite rule could do the job.

    I suppose you open a case with Microsoft support about this but I don't useful it would be considering it is a third party component.
    Tuesday, September 19, 2017 2:29 PM
  • User-1021758691 posted

    Rovastar,  Thanks for the reply.  I have been in contact with the author of the ISAPI Connector (Tomcat).  See the following thread: http://tomcat.10.x6.nabble.com/ISAPI-and-IIS-10-Logging-Issue-td5066963.html

    The author has tested and debugged the ISAPI module on Windows 2016 and has confirmed the same issue that I am referencing.  He has noted that there is most likely a bug with the SF_NOTIFY_LOG Handler in IIS 10.

    Any advice on getting Microsoft to investigate this as a bug?  I am experiencing data loss with regard to Web logs and this would consider this to be critical from a security perspective.

    Tuesday, October 10, 2017 1:35 PM
  • User-1834227407 posted

    I've been dealing with this very same issue but oddly enough I have six Windows 2016 servers; two of them work correctly and four of them don't.  As far as I can tell, the only difference between those that work and those that don't is that the two boxes that work have two additional Windows Updates installed, KB4013418 and KB3211320.  When I try to install those updates on the boxes that don't work, I get "Update not applicable", likely because those updates are superseded by KB4035631 which is also installed on all six boxes.

    I've gone as far as doing a directory compare of the full C:\Windows directory on a box that works to a box that doesn't and there are very few differences.  I suspect this is a permissions issue but still trying to track that down.  I will likely add this same information to the Adobe and Tomcat threads .

    Tuesday, October 10, 2017 2:59 PM
  • User-1834227407 posted

    I just built a new box from scratch it's working fine.  The new box is also missing the two updates I mentioned in the previous post so that's definitely not the issue.  The search continues...

    Wednesday, October 11, 2017 2:07 AM
  • User-1834227407 posted

    I finally managed to figure out what the issue is/was.  The c:\windows\system32\inetsrv\config\applicationHost.config file has a definition for IsapiFilter in the <location path="" overrideMode="Allow"><system.webServer><modules> section.  The IsapiFilterModule needs to be before the HttpLoggingModule in the list.  I've made this change on all of my Windows 2016 servers where logging wasn't working and they're all happy now, logging correctly.

    Hope this helps someone

    Justin 

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, November 17, 2017 3:46 PM
  • User690216013 posted

    I finally managed to figure out what the issue is/was.  The c:\windows\system32\inetsrv\config\applicationHost.config file has a definition for IsapiFilter in the <location path="" overrideMode="Allow"><system.webServer><modules> section.  The IsapiFilterModule needs to be before the HttpLoggingModule in the list.  I've made this change on all of my Windows 2016 servers where logging wasn't working and they're all happy now, logging correctly.

    You should mark that as an answer. Great that you locate the culprit.

    In the meantime, Microsoft itself created HttpPlatformHandler to integrate with web technologies such as Java and Go, you should be free of any third party ISAPI right now.

    Friday, November 17, 2017 6:57 PM