Log a rhythm

Even before the day logs were just a piece of wood used to measure the speed of a ship, captains have looked for ways to know what’s going on under the deck, and with the new version of IIS in Windows Server 2012 R2 we have kicked the logging ability of IIS multiple notches up.

IIS’ logging abilities have always been above average and highly customizable, but now, it’s even better. We have introduced an ability for the administrator to configure IIS to log multiple fields that were previously available only with packet-level inspection. When configuring logging, the administrator can now add custom fields that store:

1. Request headers

2. Response headers

3. Server Variables

For example, until now, you could log the port the client was connecting to…but not the port it was connecting from. Now you can do this easily, as well as many other fields. To do so, you click on Logging (either at the server level, or site level) and click on Select Fields:

clip_image002

clip_image004

As you can see, this lists the fields that you are probably familiar from previous releases…but also the custom fields at the bottom. To add a field, click on Add Field, give your custom field a name, and select from the drop downs:

clip_image006

The other groups of items provide the following selection:

Request Headers

Response Headers

Server Variables

Accept
Accept-Charset
Accept-Encoding
Authorization
Cache-Control
Connection
Content-length
Content-MD5
Content-Type
Date
Expect
From
Host
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Max-Forwards
Pramga
Proxy-Authorization
Range
Referer
TE
Upgrade
User-Agent
Via
Warning

Accept-Ranges
Content-Type
ETag
Last-Modified
Server

ALL_HTTP
ALL_RAW
APPL_MD_PATH
APPL_PHYSICAL_PATH
AUTH_PASSWORD
AUTH_TYPE
AUTH_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH
CONTENT_TYPE
GATEWAY_INTERFACE
HTTP_ACCEPT
HTTP_ACCEPT_ENCODING
HTTP_ACCEPT_LANGUAGE
HTTP_CONNECTION
HTTP_COOKIE
HTTP_HOST
HTTP_METHOD
HTTP_REFERER
HTTP_URL
HTTP_USER_AGENT
HTTP_VERSION
HTTPS
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID
INSTANCE_META_PATH
LOCAL_ADDR
LOGON_USER
PATH_INFO
PATH_TRANSLATED
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
REQUEST_METHOD
SCRIPT_NAME
SERVER_NAME
SERVER_PORT
SERVER_PORT_SECURE
SERVER_PROTOCOL
SERVER_SOFTWARE
UNMAPPED_REMOTE_USER

In addition to the pre-populated items, you can also type in your own custom field data. For example, a common challenge for security people and network administrator is the need to record the IP of connecting clients. On servers that are directly on the network, this is not a problem, but if the web server is front-ended by a load balancer, the logged IP will be the IP of the load balancer itself. Load balancers can usually be configured to forward the IP of the originating client in a custom HTTP Header named “X-FORWARDED-FOR” (http://en.wikipedia.org/wiki/X-Forwarded-For). The Load Balancer, before forwarding the request, would attach a custom request header by that name which contains the IP of the client this request was forwarded for. By adding a custom request-header field like this, we can record this in the IIS logs and use the data for whatever purpose we need:

clip_image014

Once you add in any additional fields, IIS will create log files with _x appended to the file name, which indicates that these are log files containing the extra fields:

image

The enhanced logging is managed by a new service in Windows 2012 R2 called “W3C Logging Service”. As opposed to previous generations of IIS, where the HTTP protocol stack would be doing the logging, the new service sits in-between, which allows it to collect the headers and put them in the log. This service is stopped by default and set to “manual” startup. When you add a field to enhanced logging and the site receives a request, the service will be started (although the startup mode remains on Manual) and logging the enhanced fields will commence.

image

Like it? Download the preview of Windows Server 2012 R2 here, and enjoy!

No Comments