IIS 7 and Above
ISAPI and IIS 10 Logging Issues
Last post Oct 11, 2017 02:07 AM by jumiller
Sep 05, 2017 08:28 PM|Miket03|LINK
When using the ISAPI Handler Mapping in IIS 10 on Windows 2016, the IIS logs are not identifying the URI Stem (cs-uri-stem) and URI Query (cs-uri-query) as expected. For EVERY request that the handler processes (e.g. default.cfm), the cs-uri-stem records
an entry as "/jakarta/isapi_redirect.dll" and the cs-uri-query is always empty.
On Window 2012 R2, IIS is not behaving this way.
Any help would be greatly appreciated!
Sep 06, 2017 08:06 AM|Yuk Ding|LINK
The IIS logging service responsible for the logging and it should record the string after question mark in cs-uri-query.
Sep 06, 2017 08:03 PM|Miket03|LINK
Here is a log Excerpt:
#Software: Microsoft Internet Information Services 10.0
#Date: 2017-07-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-07-02 00:00:00 XX.X.X.XX GET /jakarta/isapi_redirect.dll - 443 - XX.X.X.XX HTTP/1.1
As you can see in the log, the columns are correct but the actual cs-uri-stem and cs-uri-query are not logged properly. It is only listing the ISAPI module that is called and not the page that was requested.
I read about this happening with "IIS Advanced Logging" feature here: https://forums.iis.net/p/1168716/2134036.aspx?Re+IIS+Advanced+Logging+issues+with+Tomcat+and+web+application
Do you know if IIS 10 incorporated specific changes in the logging of requests? Perhaps any updates as to how it handles ISAPI filters in general? It "feels" like IIS 10 incorporated the Advanced Logging features directly into the platform along with this
Sep 19, 2017 12:35 PM|Miket03|LINK
Did you see my previous post? Any movement with this topic? Still an outstanding issue on my end.
Sep 19, 2017 02:29 PM|Rovastar|LINK
Oct 10, 2017 01:35 PM|Miket03|LINK
Rovastar, Thanks for the reply. I have been in contact with the author of the ISAPI Connector (Tomcat). See the following thread:
The author has tested and debugged the ISAPI module on Windows 2016 and has confirmed the same issue that I am referencing. He has noted that there is most likely a bug with the SF_NOTIFY_LOG Handler in IIS 10.
Any advice on getting Microsoft to investigate this as a bug? I am experiencing data loss with regard to Web logs and this would consider this to be critical from a security perspective.
Oct 10, 2017 02:59 PM|jumiller|LINK
I've been dealing with this very same issue but oddly enough I have six Windows 2016 servers; two of them work correctly and four of them don't. As far as I can tell, the only difference between those that work and those that don't is that the two boxes
that work have two additional Windows Updates installed, KB4013418 and KB3211320. When I try to install those updates on the boxes that don't work, I get "Update not applicable", likely because those updates are superseded by KB4035631 which is also installed
on all six boxes.
I've gone as far as doing a directory compare of the full C:\Windows directory on a box that works to a box that doesn't and there are very few differences. I suspect this is a permissions issue but still trying to track that down. I will likely add this
same information to the Adobe and Tomcat threads .
Oct 11, 2017 02:07 AM|jumiller|LINK
I just built a new box from scratch it's working fine. The new box is also missing the two updates I mentioned in the previous post so that's definitely not the issue. The search continues...