IIS 7 and Above
IIS 7 Advanced Logging Error: Failed to create log file...
Last post Jul 22, 2010 07:04 PM by richma
Jul 20, 2010 08:15 AM|dgeeraerts
I am having an issue with several of our production servers running IIS 7 advanced logging. Here's some basic info:
Windows Version = 6.0.6002
Windows Server 2008 Standard x64
The exact error:
Failed to create the log file C:\inetpub\logs\AdvancedLogs\[<ServerName>]_D20100720-120207061.log. The log definition has been disabled. HRESULT: 0x0X80070005.
Note: where the log file name reads [<ServerName>], it's actually the server name not "[<ServerName>]".
What's odd is that I have some servers running advanced logging without error, and then I have a few that are having the same issue, same error.
For the servers that are having this issue, I have installed the advanced logging exactly the same way as the servers that are working. As far as installed components [IIS, Windows], all servers match: i.e. the .NET Framework is the same.
I've checked the IIS ApplicationHost.config file on both sets of servers, and they match, respective of Advanced Logging entities/elements.
David Geeraerts, Systems Engineer
Jul 20, 2010 12:30 PM|dgeeraerts
BTW, if I were reading this, the first question I would have, considering the error message, would be about NTFS; so let me mention that the DACLs are exactly the same between the working servers and the non-working servers.
Jul 21, 2010 10:39 PM|richma
Try using Process Monitor to see if anything is getting access denied on the logs folder.
Jul 22, 2010 09:59 AM|dgeeraerts
I somewhat have to eat my own words! It turned out to be an NTFS (DACL) security issue after all. Imagine that, an NTFS security issue.
Now the 'weird' part, as I mentioned, is that the DACLs for the "AdvancedLogs" folder were exactly the same as on the working servers --so that threw me off. Even though I have things working, I don't have a good explanation as to why the production servers are different than the servers that are working --remember they're all the same Windows version. It might have something to do with Group Policy; I'll have to audit that, but to the best of my recollection, the same GP is being applied to the same group of servers I worked with for Advanced Logging.
FIRST, a thank you to richma for recommending the use of Process Monitor; it led me back on the right track --I have used this tool before, not sure why I didn't think to quickly run it this time (so many things to remember).
As you may know, on a production server, Process Monitor was kicking out ~1,000 events per second! It would be crazy or next to impossible to quickly get an answer with so many events per second.
Had to filter out events and start narrowing down.
Here's the first assumption I made: Most likely the ProcessName trying to create the log would be w3wp.exe --I was correct.
Assumption two: After getting a general idea of operations, it made the most sense that "operation=CreateFile" is what needed to be filtered --I was correct.
Process Monitor confirmed that an "Access Denied" was occurring when w3wp.exe was trying to create the log file; the mystery is in what credentials were being passed for NTFS security. The assumption would be SYSTEM because as a service (World Wide Publishing Service), it's running as LOCAL SYSTEM --but that would be wrong; it's passing different credentials when trying to create the advanced logging file(s).
On a tangent, one does not have to use Process Monitor to troubleshoot NTFS security; I find using SACL (auditing) quicker; just turn on auditing on the folder (or whatever object); I use EVERYONE for gross auditing purposes. I got the same results/answer that Process Monitor provided.
KEYWORDS= AUDIT FAILURE
EVENT ID = 4656
TASK CATEGORY=File System
Inside the event is SECURITY ID: <the mystery credentials being passed by w3wp.exe>
Most if not all of the App Pools are running as NETWORK SERVICE as Identity. So I am making an assumption that there is a correlation between what credentials w3wp.exe is going to pass based on Application Pool Identity. NETWORK SERVICE is the identity for most of the App Pools, and that is what is passed as the credentials to write the log files for advanced logging (in my environment).
Is this hard coded for the Advanced Logging Module?
It would be great to get an EXPERT answer as to how this works specifically –perhaps an IIS developer?
NETWORK SERVICE must be included as a DACL w/ READ/WRITE/MODIFY
Once I did that, advanced logging worked!
Jul 22, 2010 07:04 PM|richma
Advanced Logging runs in the worker process as a module, and this runs under the context of the worker process identity. Therefore this identity needs the correct rights to create the logs, as you found.
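
The check described in this thread, written out as an added PowerShell example (it is not code from either poster or from the IIS team): it resolves the account each application pool's w3wp.exe runs as and reports whether that account has a Modify ACE on the Advanced Logging folder. Assumptions: the WebAdministration module is available on the server, and the parameter names `-LogDir` and `-Grant` are hypothetical names chosen for this script.

```powershell
# Added example, not from the thread. -LogDir and -Grant are hypothetical parameter names.
param(
    [string]$LogDir = 'C:\inetpub\logs\AdvancedLogs',  # folder named in the error message above
    [switch]$Grant                                      # add the missing ACE instead of only reporting
)
Import-Module WebAdministration   # assumption: IIS PowerShell provider is installed

# Resolve the account each pool's worker process runs as.
$identities = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pool = $_   # keep a reference: inside switch, $_ is the switch value
    switch ($pool.processModel.identityType) {
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'ApplicationPoolIdentity' { "IIS AppPool\$($pool.Name)" }
        'SpecificUser'            { $pool.processModel.userName }
    }
} | Sort-Object -Unique

$acl     = Get-Acl -Path $LogDir
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$changed = $false

foreach ($id in $identities) {
    # Only ACEs that name the account itself are matched; access granted
    # through a group the account belongs to is not resolved here.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    if ($ace) {
        "OK       $id has Modify on $LogDir"
        continue
    }
    "MISSING  $id has no Modify ACE on $LogDir"
    if ($Grant) {
        # Inherit to subfolders and files so newly created log files are covered.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        $changed = $true
    }
}

# Write the DACL back once, and only if something was added.
if ($changed) { Set-Acl -Path $LogDir -AclObject $acl }
```

Run it without `-Grant` first and compare its output with the SECURITY ID in the 4656 audit failure events: a MISSING line for that same account matches the cause identified in the thread.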