« Previous Next »

• 11-09-2008, 10:21 PM

  Vissuluth Joined on 08-27-2008, 6:26 AM Posts 6

  urlscan and logging to a unc path Reply Contact I have IIS on my web servers log to a central server.  To do this I followed the following links: Configuring IIS to Log Data on a Remote Share: http://technet.microsoft.com/en-us/library/cc757377.aspx Setting Up a Null Session for Cross-Domain Logging: http://technet.microsoft.com/en-us/library/cc728059.aspx   I have added the directory iislogs$ to the NullSessionShares registory key and IIS has been loggin there for a number of months now. In my urlscan.ini I have LoggingDirectory=\\RemoteServer\iislogs$\WebServer\urlscan but itdoesnt log and I cant find any error logs to point me to what Im missing.  Does anyone have any advice on how to log to a unc share?   Using windows 2k3 sp2 for both web server and log server.  URLScan version 3.0

  Tags: iisiis6permissionsIIS 6.0mapped drivesiis 6IIS User RightsUrlScanIIS6 SecurityURLScan 3.1

• 11-10-2008, 9:54 PM

  In reply to

  steve schofield Joined on 06-10-2002, 4:54 PM MI Posts 3,951

  Re: urlscan and logging to a unc path Reply Contact Here are a few suggestions.  I was able to get urlscan to log to a remote share, it's supported.  Enable auditing to have failues logged on your local and remote server. Break out the network sniffer Run filemon on the local and remote server Make sure the everyone or appropriate user accounts have full control both on share and modify permissions on NTFS Make sure both machines can resolve each other.   Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget

• 11-11-2008, 12:46 AM

  In reply to

  Vissuluth Joined on 08-27-2008, 6:26 AM Posts 6	Re: urlscan and logging to a unc path Reply Contact Thanks for the reply.  I'll give all that a go in the next few days but one question.   steve schofield: Enable auditing to have failues logged on your local and remote server. How do I do that?

• 11-11-2008, 3:21 AM

  In reply to

  steve schofield Joined on 06-10-2002, 4:54 PM MI Posts 3,951	Re: urlscan and logging to a unc path Reply Contact http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget

• 11-21-2008, 12:50 AM

  In reply to

  Vissuluth Joined on 08-27-2008, 6:26 AM Posts 6

  Re: urlscan and logging to a unc path Reply Contact Thanks for the reply Steve, been busy so I havnt had a lot of time to look at this but I was finally able to get back to it. I ran process mon and it looks like the IIS logs and url scan logs are written by different processes? Below is an extract from the process mon logs: IIS logs: 1:24:22.6143231 PM System 4 IRP_MJ_CREATE \\iislogs.server.com.au\iislogs$\webserver02\W3SVC792429\ex081120.log SUCCESS Desired Access: Generic Write, Disposition: OpenIf, Options: Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Opened URL Scan logs: 1:24:21.4265332 PM w3wp.exe 2540 IRP_MJ_CREATE \\iislogs.server.com.au\iislogs$\webserver02\URLScan\urlscan.112008.log LOGON FAILURE Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0 The iis logs are written by the system process and where as the url scan logs are written by the worker process (w3wp.exe).  The worker process is running as Network Service. The destination (\\iislogs.server.com.au\iislogs$) has everyone full permissions and anonymous users full permissions so I don’t understand why the worker process cant access the destination. In the situation you have been able to get url scan to log over a unc was your worker process running as network service or a specified user?

• 11-21-2008, 11:31 PM

  In reply to

  steve schofield Joined on 06-10-2002, 4:54 PM MI Posts 3,951

  Re: urlscan and logging to a unc path Reply Contact IIS logging is handled by http.sys, a kernel level listener.  urlscan runs in the context of the app pool as you discovered.   For security best practices, I don't run application pools as network service, including when I'm doing remote processing.  I used a domain account and it worked.  It should work with network service, which really is the 'machine account' held in the domain.  Try granting WebServerName$ permissions on the remote share, verify the SHARE permissions are also allowing the appropriate permissions.  I normally grant authenticated users 'modify' SHARE permissions and handle all other security with NTFS. Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget

• 11-23-2008, 6:02 PM

  In reply to

  Vissuluth Joined on 08-27-2008, 6:26 AM Posts 6

  Re: urlscan and logging to a unc path Reply Contact steve schofield: Try granting WebServerName$ permissions on the remote share  These servers arent in a domain so this wont work.  (Tried it anyway)   Setting up the app pool as a user that exists on both web server and log server worked so it looks like I will need to do that with all my servers.  (You wouldnt have a doco that can tell me the minimum permissions required to run would you?)   Thankyou for the help Steve.

• 11-23-2008, 6:17 PM

  In reply to

  steve schofield Joined on 06-10-2002, 4:54 PM MI Posts 3,951

  Re: urlscan and logging to a unc path Reply Contact At a minimum, the user account needs to have LIST, READ, WRITE.   I'd probably grant 'modify' and call it good, but through some creative NTFS permissions, you could find the exact minimum permissions.  Also, probably Administrators Full control wouldn't be a bad idea either.  http://learn.iis.net/page.aspx/477/urlscan-faq/ Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget