
IIS fails to log cs-host


Dave Atkins

Apr 29, 2002, 8:33:41 PM
Two of our 7 identically configured servers have
mysteriously stopped logging the cs-host extended
property, despite showing it checked on the properties
panel.

Here is some log file output:

bad server:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-04-29 11:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method
cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-
taken cs-version cs-host cs(User-Agent) cs(Cookie) cs
(Referer)
2002-04-29 11:00:00 63.65.14.195 - 192.168.1.71 80
GET /promo/art/Sony_MindiscPlayer.jpg - 200 1841 351 94
HTTP/1.0 - - - -
2002-04-29 11:00:00 24.60.188.250 - 192.168.1.71 80
GET /promo/art/audio_logos.gif - 304 141 396 0 HTTP/1.1 - -
- -

good server:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-04-29 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method
cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-
taken cs-version cs-host cs(User-Agent) cs(Cookie) cs
(Referer)
2002-04-29 08:00:00 12.234.105.152 - 192.168.1.75 80
GET /A-V+Receivers/Yamaha,HTR-
5250/PRD_124613_2718crx.aspx - 200 50086 461 1656 HTTP/1.1
www.audioreview.com Mozilla/4.0+
(compatible;+MSIE+5.5;+Windows+98;+H010818) -
http://www.audioreview.com/A-
V+Receivers/PLS_2718_89crx.aspx
2002-04-29 08:00:00 203.162.18.123 - 192.168.1.75 80
GET /pscSpeakers/Main,Speaker/PLS_1594_913crx.aspx - 200
120362 486 70250 HTTP/1.0 www.audioreview.com Mozilla/4.0+
(compatible;+MSIE+5.0;+Windows+98;+DigExt) -
http://www.audioreview.com/pscSpeakers/Main,Speaker/PLS_159
4_77crx.aspx

I have meticulously compared the configuration screens of
the servers and found no differences.

These sites are recent installs of Win2K server and
ASP.NET. We have set up dozens of servers like this,
following a checklist procedure, so it is disturbing to
see this random behavior. This has already cost us several
weeks of data (logs on virtual servers are useless without
the cs-host field to identify the domain name!)

I don't know what else to check. The logs are rotating
every hour and we do an iisreset every day, so whatever is
causing this problem, it has been consistent since we
installed everything about 3 weeks ago.

Lisa Cozzens

Apr 29, 2002, 9:21:41 PM
Well, the server *is* logging the property, but it's not logging anything
useful. Note how there are four fields listed after cs-version: cs-host,
cs(User-Agent), cs(Cookie), and cs(Referer). Sure enough, there are four
entries after the version information (HTTP/1.1) in the logfile: -, -, -,
and -. This is what you'll see in the logfile if the browser doesn't send
that information. Are you hitting the two servers using the same browser?

Lisa

-----
Have you installed the new cumulative security patch for IIS?
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.

© 2001 Microsoft Corporation. All rights reserved.

Dave Atkins

Apr 30, 2002, 2:27:34 AM
Yes, indeed, there is a blank field. That is the problem!
Why would this happen? The servers are load-balanced
through an alteon switch. Over the course of the past 2
weeks, they have probably been hit by about half a million
distinct hosts, randomly allocated among the 7 servers in
the web farm.

This is a disaster in terms of our ability to track what
is going on with our websites and I need to understand how
such a misconfiguration/bug could happen. More
importantly, I need to fix it immediately.

Lisa Cozzens

Apr 30, 2002, 3:28:22 PM
I'm still trying to determine whether this is a client-side or a
server-side issue. Does this occur for *all* requests to the two "bad"
servers, or only for certain requests? If you hit a "good" server and a
"bad" server from the same client, do you get logging only on the "good"
server, not on the "bad" server?

Lisa

ab

May 1, 2002, 10:54:42 AM
"Lisa Cozzens" <lcozzen...@microsoft.com> wrote in message
news:<y56tvzH8BHA.1700@cpmsftngxa07>...

> I'm still trying to determine whether this is a client-side or a
> server-side issue. Does this occur for *all* requests to the two "bad"
> servers, or only for certain requests? If you hit a "good" server and a
> "bad" server from the same client, do you get logging only on the "good"
> server, not on the "bad" server?
>
> Lisa

Hi,

I have noticed your conversation, and I think I have the same problem.
I have 2 IIS servers on W2K Server, 1 for testing purposes and 1 for the
production environment.
On the production server I am missing the same four fields, namely

cs-host cs(User-Agent) cs(Cookie) cs(Referer)

The only thing I see are dashes '-'.
I already compared the logfile settings between the test and production
server, and both settings are the same.
The weird thing is that the production server was working flawlessly until
now (the four fields were always logged, until now).
I already tried restarting IIS, but that did not work.
(A few days before, the IIS server was rebooted, but the problem already
existed at that time, and still does.)
The production server still does not log the four fields.

Any pointers would be appreciated.

Arend van der Boom

Dave Atkins

May 1, 2002, 1:31:26 PM
This problem happens for ALL requests on the affected
servers. We are talking millions of requests from hundreds
of thousands of clients.

Today, we tried creating a new web site from the ISM and
deleting the old one, in the hopes that a fresh instance
would make a difference. It did not. Now, we are seeing
not only the last four fields blank, but sometimes garbage
characters:

2002-05-01 16:51:40 151.197.216.168 - 192.168.1.115 80
GET /Channels/PCPhotoReview/data/images/asset~upload~file45
3~11682.jpg - 200 8518 386 203 HTTP/1.0 - - - -
2002-05-01 16:51:41 205.181.240.133 - 192.168.1.138 80
GET /Channels/RoadBikeReview/images/45star.gif - 200 370
497 94 HTTP/1.0 - - - xÈú/ ~÷/ ~÷/ ø" v`

It appears that these fields are corrupted somehow. The
next step for us would be to flatten the servers and start
over (fdisk/format/install/etc). This will kill a day and
we do not understand the problem. Is there anything we can
do to diagnose this further?

I assume this has nothing to do with clients because the
servers are load balanced and the affected servers *NEVER*
log this information anymore.

Also, can you cc me on any followups--this is a big issue
for us and I want to know ASAP what steps I can take to
follow up.

dat...@consumerreview.com

ab

May 2, 2002, 6:18:49 AM
Hi Dave,

What service packs are installed on the W2K servers, and/or hotfixes?

In my situation the production system uses SP1 and hotfix Q313450, and my
test server uses SP2 and Q313450.
(That's the difference between the test and production environment, and that
the production system uses https and the test server does not.)
When I went through the docs of the hotfix, I found that the hotfix must be
installed on an SP2 system.(??)

When I went through the logfiles of W2K, I found when the hotfix was
installed; from that day on, I am missing the four fields in the IIS
logfiles.
I am going to install SP2 on the production server, to see if this
resolves the IIS logfile problem.
(Not right away, because the production server uses encryption, for https,
and SP2 changes this to 128bit, and I want to be sure that the production
server keeps on working.)


Please keep me informed if you find anything.

Arend van der Boom

Andrew Davis [MS]

May 2, 2002, 9:46:21 AM
Dave,

You wrote:
>What is our next step? Reformat the hard drive?

What happens if you do format/reinstall and you still see these "corrupt"
log entries?
Do you have any ISAPI filters installed?

Download IISTools.ZIP from ftp://ftppss.microsoft.com/outgoing/IIS/
and run the batch file. This will generate a TXT file. After you ZIP up
the TXT file, upload it to ftp://ftppss.microsoft.com/incoming/IIS/
Be sure you save the ZIP file with my First AND Last name!

You could try to isolate the issue by gathering Network Monitor traces
during the time these logs are generated and examine the traffic; however,
this will only isolate the issue, not identify the smoking gun.

Network Monitor:
Q243270 HOW TO: Install Network Monitor in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243270

According to W3C, http://www.w3.org/TR/WD-logfile
"Each logfile entry consists of a sequence of fields separated by
whitespace and terminated by a CR or CRLF sequence. The meanings of the
fields are defined by a preceding #Fields directive. If a field is omitted
for a particular entry a single dash "-" is substituted."

Andrew Davis - IIS Newsgroup Support


This posting is provided “AS IS” with no warranties, and confers no rights.

“Please do not send email directly to this alias. This is our online
account name for newsgroup participation only.”

Who should read this bulletin: Customers hosting web servers using
Microsoft® Windows NT® 4.0, Windows® 2000, or Windows XP.
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
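
Added example (not part of the original thread, and not Microsoft's tooling): a small Python audit of a W3C extended log that maps each entry onto the preceding #Fields directive, as the W3C text quoted above describes, and separates the two symptoms reported in this thread. It assumes that HTTP/1.1 clients always send a Host header (the protocol requires one), so a server whose HTTP/1.1 entries all show "-" in cs-host points at the server rather than the browser; the sample lines, client IPs and host name are constructed.

```python
from collections import defaultdict

# Constructed sample modelled on the thread's logs; client IPs and the
# host name are placeholders, and the field list is shortened.
SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip s-ip cs-method cs-uri-stem sc-status cs-version cs-host cs(User-Agent)
2002-04-29 11:00:00 192.0.2.10 192.168.1.71 GET /a.gif 304 HTTP/1.1 - -
2002-04-29 11:00:01 192.0.2.11 192.168.1.71 GET /b.jpg 200 HTTP/1.0 - -
2002-04-29 11:00:02 192.0.2.10 192.168.1.75 GET /c.aspx 200 HTTP/1.1 www.example.com Mozilla/4.0+(compatible;+MSIE+5.5)
2002-04-29 11:00:03 192.0.2.12 192.168.1.75 GET /d.gif 200 HTTP/1.0 - -
2002-04-29 11:00:04 192.0.2.13 192.168.1.71 GET /e.gif 200 HTTP/1.0 - x/ ~/ v`
"""

def parse(text):
    """Yield (entry, None) for well-formed entries and (None, raw_line) otherwise."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive may reappear mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values)), None
            else:
                yield None, line               # e.g. garbage bytes adding extra tokens

def audit(text):
    """Return (suspect server IPs, malformed raw lines)."""
    stats = defaultdict(lambda: {"http11": 0, "http11_no_host": 0})
    malformed = []
    for entry, raw in parse(text):
        if entry is None:
            malformed.append(raw)
            continue
        if entry.get("cs-version") == "HTTP/1.1":
            s = stats[entry["s-ip"]]
            s["http11"] += 1
            s["http11_no_host"] += entry.get("cs-host", "-") == "-"
    # Suspect: the server saw HTTP/1.1 traffic, yet never logged a host name.
    suspects = sorted(ip for ip, s in stats.items()
                      if s["http11"] and s["http11"] == s["http11_no_host"])
    return suspects, malformed

if __name__ == "__main__":
    print(audit(SAMPLE))
```

HTTP/1.0 entries are ignored for the cs-host check because a "-" there can legitimately mean the client sent no Host header.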

Kees Pijnenburg

Jun 18, 2002, 5:42:52 AM
Any news on this subject? I have the same problem (more or
less). One server is running Windows 2000 with SP2 and
hotfix Q301625. This server is running fine, the last 4
fields (cs-host, cs(user-agent), cs(cookie) and cs
(referer)) are all present. However, this is our
development system.

On the production system we have a number of additional
hotfixes installed (Q292435 / Q293826 / Q298012 /
Q299553 / Q299687 / Q300972 / Q302755 / Q313450). For this
server, the last 4 log fields always show a '-'. On yet
another server, I tried to reproduce the problem by adding
each of the additional hotfixes but no such luck: after
each hotfix, the log file still reported the 4 log fields.

Any news on this subject?

Note: I tried to run the IIStools procedure but the
DLLLoad step seems to take a very long time and a lot of
CPU without producing much output.

Kind regards,

Kees Pijnenburg

Andrew Davis [MS]

Jun 18, 2002, 1:38:56 PM
Kees,

You wrote:
>On the production system we have a number of additional
>hotfixes installed (Q292435 / Q293826 / Q298012 /
>Q299553 / Q299687 / Q300972 / Q302755 / Q313450). For this
>server, the last 4 log fields always show a '-'. On yet
>another server, I tried to reproduce the problem by adding
>each of the additional hotfixes but no such luck: after
>each hotfix, the log file still reported the 4 log fields.
>Any news on this subject?

Was the production server installed with Win2k with all the defaults, or
was it customized?
(Were any components added/removed during install?)

What other products have been installed on the production server?
(Office, Exchange, Site Server/Commerce Server, Dell/hardware utilities,
anti-virus, backup, application development tools)

The fact that you're not able to repro the problem indicates some type of
configuration issue with that box.

Andrew Davis

Kees Pijnenburg

Jun 19, 2002, 8:07:43 AM
As a follow-up, my own solutions:

- comparing the DLLs on both systems (using the
IISTools.zip mentioned by Andrew Davis), I found 2 problem
DLLs:

Filename      Server-Ok       Server-Bad
httpext.dll   5.0.2195.4051   0.9.3940.21
w3svc.dll     5.0.2195.4051   5.0.2195.3554

By putting the incorrect DLLs on the Server which was Ok
(note: this was the development server), the problem also
appeared on this server: cs-host/referer/agent no longer
were appended to the log lines. Putting them back solved
the problem again.

I am now going to re-apply the hotfix again on the
production server. One more funny thing: both DLLs appear
twice on the server. One version is in the inetsrv
directory whereas the second is in the dllcache directory.
For 'Server-Bad' the dllcache contained the proper
version, the one in inetsrv was wrong.

Hope this helps some of you too.

Kind regards,

Kees Pijnenburg