Logging and Auditing Questions

By Walter Oliver

December 22, 2007

Can you delegate "logging" to remote administrators?

No. It is in the site section and only machine administrators can modify this section. You can only delegate whether to log or not.

What kind of load does a custom logging module put on the server? (Disabling the kernel mode cache).

It depends entirely on the application and the logging module implementation. If you are maxing CPU while serving static files, logging to SQL will be very heavy. If you're doing 50 requests/second, logging to SQL will most likely be able to keep up. You are losing the benefits of kernel-mode caching however.

Is there logging of delegated administration? Can we do an audit of delegated administrators?

The only logging currently available is located in %systemdrive%\inetpub\logs\wmsvc. However, it does not give any useful information about what was actually done or even which object they connected to, since those are part of the headers. We are looking into changing some of the remoting behavior to use QueryString for certain things so that they can query the log.

For example, moving the Module Service and the Method we are invoking as part of the query string would automatically place it in the log. That way you can figure out what is being done in their site. Also, the SiteName and the Application Path that you connected to should be there (connected to default web site), and potentially the current configuration path you are connecting to (now editing MyApp under my Default Web Site connection). One thing we should never include in the query string are arguments, since we do not want potentially sensitive information ending up in your log. This will also prevent the "email link" phishing attack.

Is there is an option to do auditing of the applicationhost.config file?

Applicationhost.config is a file, the file system supports auditing. There is also a configuration history feature (not for auditing, but to help remember your last few configurations).

Can the central W3CLogFile point to UNC share?

Yes, it can point to a UNC share.

Can multiple front ends write to the same log file on a share?

No, because there is no serialization service that would serialize file access between different writers. The utility Log Parser supports merging log files and potentially supports inserting them into SQL.

Note: Writing to separate logfiles can also help you determine what requests are going to a particular server in the farm. This can be helpful if you are seeing sporadic errors and need to track down what server they occurred on.

Does the SQL Logging Provider support W3C standards? Can we get logging all centralized into SQL using the W3C extended format?

ODBC logging is still in the product. It is trivial to write your own SQL logging on top of newer, faster database APIs, however. We would recommend writing an SQL logging module instead of going through the ancient ODBC interfaces.

What type of error reporting is implemented for Application Pools?

Event logs, FREB, ETW tracing, Detailed Errors

We have been monitoring the Resources and Support feature that uses on average 10% disk load and used around 38 GB of Data from install. Diskeeper 11 Reported over seven hours to defrag the volume before the data was purged. Now it only takes 5 minutes. Is there any issue with disabling this service?

Turning the service off will disable Windows error reporting and you will not be able to get solutions for problems happening on the machine. There should be no other issues with disabling the service.

Does IIS 7.0 record compressed or uncompressed (or both) bytes in site log files?

The *response* size is recorded, so if a 100 KB ASPX response gets compressed to 50 KB, you see 50 KB in the log file. There must be some way of measuring bandwidth savings, because ms.com measured this once.