IIS 7.0 : Setting Up Remote Logging by Using the IIS Manager

IIS 7.0 supports writing log files to a network share. This option enables you to have your log files stored in real time to a remote computer. For example, suppose that you have a Web farm configured for logging to a central location. The remote file server could be a server running DFS (distributed file system). DFS can provide multiple benefits including a central location to collect your log files and automatic replication of your logs to multiple locations. Having such a primary collection point can make handling your reporting processes much easier.

Important

When you set up your remote logging environment, make sure the host (A) and pointer (PTR) DNS records are set up so that authentication and resolution happens correctly. This can help avoid problems such as Kerberos authentication errors when HTTP.sys is trying to write log files.

You can use either the IIS 7.0 Manager or Appcmd to set up Universal Naming Convention (UNC) remote logging.

Setting Up Remote Logging by Using the IIS Manager

Following are the steps to enable remote logging by using the IIS Manager:

1.	Create a directory called IISLogs on the remote server that will store the log files. This machine is typically in the same domain as the Web servers. If the remote server is not in the same domain or is a stand-alone machine, you can use the procedure outlined in the following sidebar so your files are stored on a remote machine. Using a NULL Session for Remote Logging If your remote server will be in a different domain, you can set up a NULL Session to support remote logging. The following procedure outlines how to set up this environment. If your remote server is not in a different domain, you can skip over the details of this outline and proceed with step 2 of the procedure for setting up remote logging by using the IIS Manager. Before setting up your environment, make sure both machines can resolve each other using DNS, WINS, or custom entries in the local HOSTS file. This procedure assumes both servers are Windows Server 2008. 1. Identify two machines, the Web server and the file server. These roles need to be on separate physical machines. 2. Create a folder called IISLogs on your file server and then create a share and grant appropriate folder security. a. Open a command prompt on the file server and type mkdir c:\IISLogs b. Then type net share IISLogs=c:\IISLogs /Grant:Everyone,FULL c. Then type cacls c:\IISLogs /G Administrators:F SYSTEM:F Everyone:C d. When you see the prompt “Are you sure (Y/N)?” type y e. Processed dir: c:\IISLogs 3. Configure logging on your Web site by typing appcmd set sites “WebsiteName” -logFile.directory:\\FileServerName\IISLogs 4. Configure Local Security Policy on the file server. *Programs, Administrative Tools, Local Security Policy, Local Policies, Security Options* a. Enable:Network access:Let Everyone permissions to apply to anonymous users. b. Add IISLogs share to the Network access:Shares that can be accessed anonymously. 5. Browse your Web site on the Web server. a. Open http://localhost/ 6. Open a command prompt on the Web server and type the following command: netsh http flush logbuffer 7. Check your log files to see if your sample request is listed.
2.	Share the IISLogs folder you created in the previous step. Change the share permissions to—at minimum—enable both the remote machine accounts Administrators group and the account that is writing the log files full control. Change the NTFS file system (NTFS) permissions so that the remote machine accounts Administrators have full control and the account writing the log files has modify permissions. This example assumes that you are using the NETWORK SERVICE as your application pool account and that the remote server and Web server are in the same domain. Note When the NETWORK SERVICE account accesses a remote resource, it uses the computer account stored in Active Directory Domain Service as the actual account accessing the log folder.
3.	In the IIS Manager, navigate to your Web site and type in the UNC path to the server. To do so, go to Administrative Tools > Internet Information (IIS) Manager. Select the computer name in the leftmost column and then double-click the Logging icon in the IIS Section. Type the path to the share in the Directory text box by using the syntax \\ServerName\ShareName, as shown in Figure 1. Figure 1. Configuring the Default Web Site to enable remote logging. Note You can also use the syntax \\FQDN\ShareName to specify the logging path, but you might run into issues if you try to use the syntax \\IPAddress\ShareName to specify the path. The \\IPAddress\ShareName syntax can cause an authentication issue that prevents the log files from being created. The following is an example of an error generated when trying to use an IP Address when remote logging is enabled: Microsoft-Windows-HttpService , LogFileCreateFailed , 49, 0, 16, 2, 59, 9, 0x0000000000000800, 0x00000004, 0x000005AC, 0, , , {00000000-0000-0000-0000- 000000000000}, , 128277049412643098, 220, 0, 0xC0000022, "ResponseLogging ", "Site ", "W3C ", "\dosdevices\UNC\192.168.0.125\UncLogFiles\W3SVC1\u_ex070630.log", 0
4.	Click Apply.
5.	Browse a Web page in your site.
6.	Open a command prompt by using elevated credentials and type netsh http flush logbuffer. If this is the first time entries have been logged, HTTP.sys will create the folder and a log file. Open the log file in Notepad to confirm your example entries have been logged.