IIS 7 and Above
custom fields are not claimed by W3C Logging Service
Last post Oct 11, 2018 10:04 AM by Terry Peng
Oct 05, 2018 11:01 AM|MartinZwarthoed|LINK
This week I've spent over 2 days trying to debug this issue, but I cannot find any information on what the cause of the issue is and how to solve it. I want to log custom fields in the IIS logs (W3C format) to log encryption protocols and ciphers.
We have a webcluster running with Network Load Balancing and I've tried to activate it there.
I've configured the fields using the user interface (go to logging on server level, choose select fields and add custom fields).
After I've done this, the add custom fields do not end up in the logfiles of the sites and this error is constantly logged in the eventviewer:
The loghttp module in the worker process removed custom log data for 'x' request(s) which was not claimed by the W3C Logging Service.
This happens on both nodes of the web cluster.
The web servers are Windows Server 2012 R2 with IIS 8.5.
I've tried to do the same on 2 other servers (which were not clustered) and on both servers it worked immediately.
Both of them had the same OS and IIS versions.
My theory is that it has nothing to do with NLB, since the load balancing happens on a network level before IIS ever receives the requests and it should not interfere in anyway with the configuration of the logfiles.
Can anyone tell me what the problem could be?
That would be greatly appreciated.
Oct 08, 2018 09:40 AM|Terry Peng|LINK
I tried to add a server to a server cluster and add custom field for the log, but I failed to get the error.
I would suggest you do some test to narrow down the range of possible reasons.
Will it be related to the fields? I tried to add a field which type is RequestHeadr and source is Warning. What's your custom fields?
For checking if it is related to NLB, keep the server in the server cluster and then send request to the server directly rather than via the NLB, will the error still occur?
If it does, I think it should not be related to the NLB, please try to remove the server from the cluster. Will the issue still occur on the server?
If it still occur on the server, the issue should be related to the server itself. Please try to create another site on the server for testing if the issue still exist.
Oct 08, 2018 09:50 AM|MartinZwarthoed|LINK
Thank you for your response.
The custom fields I'm trying to add are listed below (I've added these through the user interface, not through the application host config file). However, after this did not work I've tried several other variables. Both server variables and request headers
chosen from the list of IIS. This all resulted in the same problem.
<add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
<add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
The web cluster is production and currently only has 2 nodes, so I cannot fiddle around too much or take one node out of the cluster for an extended period of time.
I have not tried adding an extra web site and configuring the custome fields directly on the website.
I will try that.
I will discuss internally if I can restore a backup of one of the nodes as virtual machine on a separate network; that way I don't have to worry about production issues and I can try a lot more stuff.
Oct 11, 2018 10:04 AM|Terry Peng|LINK
I have tried to test using your fields and failed to reproduce your issue too. I think the issue maybe more related to your server or site.
Since you have two other servers not in the farm, you could try to deploy your sites on the services. Check if the issue occurs when the servers are not in a farm and put them in same farm.
If the issue could be reproduced, please do the test as my previous reply.
If no, the issue should be related to your current servers. You'd better take one node for testing temporarily.