IIS logs are not writing without Administrator permissions

Question

User391527191 posted

Hi Team,

We are trying to create logs in D:\logs, we have granted required permissions for AppPool identity still it is not working.

but failedrequests logs are getting logged in given path. we have removed Administrators permissions on D:\logs folder.

- Are IIS logs created by Administrator or AppPool Identity ? we have given full control on folder to AppPool Identity

- do we need configure AppPool Identity for iis logs

thanks

Answer 1

User690216013 posted

Here you get a misunderstanding of how IIS generates log files. Though application pool identity is used to create worker process (w3wp.exe), log files are not generated by that process.

Log files are written by IIS Admin Service (or Windows Process Activation Service I could not remember clearly). So you have to grant Local Service (or Local System) permissions on the log directory. So generally speaking you should give local administrators group permission on that.

Microsoft has a KB article to cover that permissions required,

http://support.microsoft.com/kb/981949

For log directories, they must meet thr requirements of \inetpub\logs. For FRT directories, they must match \inetpub\logs\FailedReqLogFiles.

Answer 2

User391527191 posted

Thanks lextm for reply, actually i am trying to set NAS path for logs in IIS. for that i am trying to find what access/what user actually creating logs.

Thanks

Appaji

Answer 3

User690216013 posted

Configure IIS to log to a remote location (via UNC typically) is not a good idea, which might decrease performance. You will have to do performance testing.

If you do have to log remotely, make sure the UNC path is accessible by the computer account. Windows services running under both Local Service and Local System identities will use the computer account to access remote resources.