RE: ISAPI and IIS 10 Logging Issue

["Thomas, Michael" <th...@asrcfederal.com>]

----------------------------------------------------------------------
On 06.09.2017 22:07, Thomas, Michael wrote:
>
> ----------------------------------------------------------------------
>> On 01.09.2017 22:21, Thomas, Michael wrote:
>>> All,
>>>
>>> When using the ISAPI Handler Mapping in IIS 10 on Windows 2016, the IIS logs are not identifying the URI Stem (cs-uri-stem) and URI Query (cs-uri-query) as expected.  For EVERY request that the handler processes (e.g. .cfm), the cs-uri-stem records an entry as "/jakarta/isapi_redirect.dll" and the cs-uri-query is always empty.
>>>
>>> Environment Details:
>>>
>>> *         IIS 10 (Windows 2016)
>>>
>>> *         Tomcat 8.5.11.0
>>>
>>> *         Java 1.8.0_131
>>>
>>> *         ISAPI Connector 1.2.41
>>>
>>> *         ColdFusion 2016
>>>
>>> For comparison, we have a similar setup on another box (IIS 8.5 Windows Server 2012 R2) and the logs are recording as expected.
>>>
>>> Any assistance would be great!
>>>
>>
>
>
>
> ----------------------------------------------------------------------
>> On 01.09.2017 22:37, Warnier, Andre wrote
>>> Hi.
>>>
>>> If I understand this correctly, the difference between your two setups above is at the Windows/IIS level, not at the tomcat/ISAPI-redirector level.
>>>
>>> This may be naive, but isn't this a question then for the Windows/IIS people ?
>>
>
> ----------------------------------------------------------------------
>> On 05.09.2017 22:42, Thomas, Michael wrote:
>> Andre, you're right.  Perhaps this is a good question for the Windows folks.  I guess I was hoping that someone in this community has seen this issue before and had a recommended solution.
>>
>> It is really challenging to not know what traffic your IIS Web Server is actually seeing.  There are of course other avenues (e.g. firewall logs, siem logs, etc) but the IIS logs are native to the boxes themselves and much easier to analyze.  I was curious if the ISAPI Connector returned a specific URL back to IIS and it could be tweaked.  Not sure if IIS is expecting a response in a certain format, etc.
>>
>> Is there documentation that I can look at for what the ISAPI module should return to IIS?  Anyone have any insight into that pipeline?
>
>
>
> ----------------------------------------------------------------------
>> On 06.09.2017 00:41, Warnier, Andre wrote
>>
>> First, about your last question above : I don't know, and I guess that the right people for that on this list would be Rainer or Mladen.
>>
>> But second, I believe that the terminology you are using above is a bit confusing, from the point of view of the logic of the thing, particularly when you mention "what the ISAPI module should return to IIS".
>>
>> IIS is the front-end, and it gets the client HTTP request first (URL, headers and all).
>> So it /has/ all the information needed to log whatever, should it choose to do so (*).
>>
>> In a second step, IIS examines the request URL and, maybe with the help of the isapi_redirector, it determines that to properly answer this request, it should not use its own internal machinery, but it should delegate this to the isapi_redirector module.
>> What the isapi_redirector module does with the request, is none of IIS's business, so to speak. The only thing which IIS expects back from the isapi_redirector module, is either a HTTP succesful response, or some error code.
>> So this is the only additional information for which IIS might be waiting, for logging the request (e.g. the size of the response, and/or the time needed to generate it).
>>
>> That the isapi_redirector module, to generate this HTTP response, uses a back-channel with a back-end tomcat, is unknown to IIS, and it does not care. From the IIS point of view, isapi_redirector might as well be using black magic to generate that response internally, without ever talking to anyone else.
>>
>> (*) but in your case, it doesn't do it, or does it differently than IIS 8.5 or whatever earlier version did, although all the rest of the machinery did not change. So /that's/ the mystery to solve. Maybe MS changed the rules of the game (the ISAPI interface) somehow for IIS 10, and an ISAPI module is now >supposed to do something additional, to get things properly logged, that the ISAPI-redirector module does not do (yet).
>> But I think that you are still more likely to get that kind of information on an IIS-oriented forum, that on this tomcat forum.
>>
>>
>> I would ask first for example, for any IIS-10 specific changes in the logging of requests, maybe in conjunction with the usage of ISAPI filters in general.
>> (Maybe it is just your log formatting that does not invoke the right
>> items of information ?)
>
> ----------------------------------------------------------------------
> Andre, thank you for the detailed explanation.  That helps me out a bunch.
>
> I have started a thread in the IIS forums here:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__forums.iis.net_p_
> 1236914_2135699.aspx-3FISAPI-2Band-2BIIS-2B10-2BLogging-2BIssues&d=DwI
> C-g&c=Ff2GokX4A_6S-cy_JRNEiQ&r=qnRbnLRaPTyCnNugXfUwBahUZvJn-qGmC8Rh9wH
> r8D0&m=BC-4WUV5kPpIZKzORUHJG6wlQCTIc5l--M9qU6PYzvE&s=huSulrdJiafH5haTQ
> dxZyl9kRX4pDefHhLW8WAltrnc&e=
>
> Hopefully someone can help me out with this one and in turn help others who may not even know about this issue yet!
>
>
>I followed the above link, and somewere in the chain I found this link :
>https://urldefense.proofpoint.com/v2/url?u=http-3A__www.iisadmin.co.uk_-3Fp-3D326&d=DwIC-g&c=Ff2GokX4A_6S-cy_JRNEiQ&r=qnRbnLRaPTyCnNugXfUwBahUZvJn-qGmC8Rh9wHr8D0&m=BC-4WUV5kPpIZKzORUHJG6wlQCTIc5l-->M9qU6PYzvE&s=FrOvJyRTI50GytQszLvmiaNuIi8lvr1rMe5UA1awvLI&e=
>
>This solution is what I would have recommended next, if you cannot solve the isapi_redirect logging issue. (*)
>
>That solution consists of using another way, to proxy some requests from IIS to Tomcat.
>Specifically, in that case, IIS (with the "ARR" module - of which I know nothing), is proxying the requests to the *HTTP* port of Tomcat (while isapi_redirect is proxying to the *AJP* port of Tomcat).
>And the protocol used on that connection is standard HTTP, and not AJP.
>
>Both HTTP and AJP carry essentially the same information (HTTP requests and responses), so for most standard applications, they are interchangeable.
>(There are some side-advantages to using AJP instead of HTTP, but they may not matter in your case).
>
>(*) But if you have the time, or even in parallel, it would be nice of course to pursue this ISAPI logging issue, and find out the real issue behind it.
>
>Note that also in the course of my investigations, somewhere I found a phrase to the effect that Mirosoft would be discouraging the future use of ISAPI modules in IIS, and recommends some other architecture instead now.
>That may explain some dificulty in finding the relevant information.
----------------------------------------------------------------------
On 10.05.2017 8:54, Thomas, Michael wrote:

Unfortunately I am not getting much traction with Microsoft.  From the IIS forum, it looks like they are pointing the finger in the direction of the "third-party" that is writing the module.

This may be an obvious question but has the team who created the ISAPI module tested it on Windows Server 2016?  If so, what do your IIS logs look like?  I can submit anonymized IIS logs if that helps.  I also analyzed IIS trace logs for a request using the ISAPI redirect on both Windows 2016 and Windows 2012 R2.  There are no discernable differences.

Can anyone confirm the functionality in Windows Server 2016?


________________________________

The preceding message (including attachments) is covered by the Electronic Communication Privacy Act, 18 U.S.C. sections 2510-2512, is intended only for the person or entity to which it is addressed, and may contain information that is confidential, protected by attorney-client or other privilege, or otherwise protected from disclosure by law. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error and destroy the original message and all copies.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: ISAPI and IIS 10 Logging Issue

["Thomas, Michael" <th...@asrcfederal.com>]

----------------------------------------------------------------------
On 17/11/17 15:47, jumiller wrote:
> I finally managed to figure out what the issue is/was.  The
> c:\windows\system32\inetsrv\config\applicationHost.config file has a
> definition for IsapiFilter in the <location path=""
> overrideMode="Allow"><system.webServer><modules> section.  The
> IsapiFilterModule needs to be before the HttpLoggingModule in the list.
> I've made this change on all of my Windows 2016 servers where logging
> wasn't working and they're all happy now, logging correctly.

Thanks for letting us know how you solved this.

Mark


This fixes my issue.  Thank you so much!!

-Mike


________________________________

The preceding message (including attachments) is covered by the Electronic Communication Privacy Act, 18 U.S.C. sections 2510-2512, is intended only for the person or entity to which it is addressed, and may contain information that is confidential, protected by attorney-client or other privilege, or otherwise protected from disclosure by law. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error and destroy the original message and all copies.

Re: ISAPI and IIS 10 Logging Issue

[Mark Thomas <ma...@apache.org>]

On 17/11/17 15:47, jumiller wrote:
> I finally managed to figure out what the issue is/was.  The
> c:\windows\system32\inetsrv\config\applicationHost.config file has a
> definition for IsapiFilter in the <location path=""
> overrideMode="Allow"><system.webServer><modules> section.  The
> IsapiFilterModule needs to be before the HttpLoggingModule in the list. 
> I've made this change on all of my Windows 2016 servers where logging wasn't
> working and they're all happy now, logging correctly.

Thanks for letting us know how you solved this.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: ISAPI and IIS 10 Logging Issue

[jumiller <ju...@utah.gov>]

I finally managed to figure out what the issue is/was.  The
c:\windows\system32\inetsrv\config\applicationHost.config file has a
definition for IsapiFilter in the <location path=""
overrideMode="Allow"><system.webServer><modules> section.  The
IsapiFilterModule needs to be before the HttpLoggingModule in the list. 
I've made this change on all of my Windows 2016 servers where logging wasn't
working and they're all happy now, logging correctly.




--
Sent from: http://tomcat.10.x6.nabble.com/Tomcat-User-f1968778.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: ISAPI and IIS 10 Logging Issue

[jumiller <ju...@utah.gov>]

I'm having this very same issue with one slight difference.  I have six
Windows 2016 servers and logging works correctly on two of them.  I've gone
through nearly everything I can think of to determine what is different
about the two boxes that work and have hit a wall.  I have even done a full
compare of the Windows directory to no avail. The two boxes that do work
have two additional Windows Updates which I can't get to apply to the four
boxes that don't work: KB4013418 and KB3211320.  When I try to install those
updates on the boxes that don't work, I get "Update not applicable", likely
because those updates are superseded by KB4035631, which is also installed
on all six boxes.



--
Sent from: http://tomcat.10.x6.nabble.com/Tomcat-User-f1968778.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: ISAPI and IIS 10 Logging Issue

["Thomas, Michael" <th...@asrcfederal.com>]

---------------------------------------------------------------------
On 06/10/17 22:42, Mark Thomas wrote:
> On 06/10/17 16:27, Mark Thomas wrote:
>>> On 10.05.2017 8:54, Thomas, Michael wrote:
>>>
>>> Unfortunately I am not getting much traction with Microsoft.  From the IIS forum, it looks like they are pointing the finger in the direction of the "third-party" that is writing the module.
>>
>> That is consistent with my experience with MS support.

Looks like you'll need to go back to MS support.

> I'll look at the IIS API docs next week and see if there is something
> different we should be doing in IIS 10 compared to 8.5 and earlier.

I can't find anything in the IIS API docs that indicates that this has changed in IIS 10 / Windows Server 2016.

I've added some debug logging and I see the following:

HttpFilterProc gets called with SF_NOTIFY_LOG

The JK code sees the original path [/jakarta/isapi_redirect.dll] and replaces it with the correct one - [/examples/] in my case.

The JK code sees the original [] query string and replaces it with the correct one - [foo=bar] in my case.

Given that this works as expected in Windows Server 2012 with exactly the same code AND that no API changes (that I can find) are documented for IIS 10 AND that debug logging shows that the expected calls are taking place AND the IIS log is not updated, all the evidence we have at the moment points squarely to an IIS 10 bug (or possibly an undocumented IIS 10 API).

Sorry it wasn't better news.

Mark
---------------------------------------------------------------------
Thanks for looking into this!  I am SO glad that I am not the only one with this issue!

I am not really sure how to open up a support case with Microsoft.  I will give it a shot though and see how it goes.

-Mike

________________________________

The preceding message (including attachments) is covered by the Electronic Communication Privacy Act, 18 U.S.C. sections 2510-2512, is intended only for the person or entity to which it is addressed, and may contain information that is confidential, protected by attorney-client or other privilege, or otherwise protected from disclosure by law. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error and destroy the original message and all copies.

Re: ISAPI and IIS 10 Logging Issue

[Mark Thomas <ma...@apache.org>]

On 06/10/17 22:42, Mark Thomas wrote:
> On 06/10/17 16:27, Mark Thomas wrote:
>>> On 10.05.2017 8:54, Thomas, Michael wrote:
>>>
>>> Unfortunately I am not getting much traction with Microsoft.  From the IIS forum, it looks like they are pointing the finger in the direction of the "third-party" that is writing the module.
>>
>> That is consistent with my experience with MS support.

Looks like you'll need to go back to MS support.

> I'll look at the IIS API docs next week and see if there is something
> different we should be doing in IIS 10 compared to 8.5 and earlier.

I can't find anything in the IIS API docs that indicates that this has
changed in IIS 10 / Windows Server 2016.

I've added some debug logging and I see the following:

HttpFilterProc gets called with SF_NOTIFY_LOG

The JK code sees the original path [/jakarta/isapi_redirect.dll] and
replaces it with the correct one - [/examples/] in my case.

The JK code sees the original [] query string and replaces it with the
correct one - [foo=bar] in my case.

Given that this works as expected in Windows Server 2012 with exactly
the same code AND that no API changes (that I can find) are documented
for IIS 10 AND that debug logging shows that the expected calls are
taking place AND the IIS log is not updated, all the evidence we have at
the moment points squarely to an IIS 10 bug (or possibly an undocumented
IIS 10 API).

Sorry it wasn't better news.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: ISAPI and IIS 10 Logging Issue

[Mark Thomas <ma...@apache.org>]

On 06/10/17 16:27, Mark Thomas wrote:
>> On 10.05.2017 8:54, Thomas, Michael wrote:
>>
>> Unfortunately I am not getting much traction with Microsoft.  From the IIS forum, it looks like they are pointing the finger in the direction of the "third-party" that is writing the module.
> 
> That is consistent with my experience with MS support.
> 
>> This may be an obvious question but has the team who created the ISAPI module tested it on Windows Server 2016?
> 
> Probably not. I took on the release manager role for 1.2.42 and from
> memory I was testing with 2008.
> 
>>  If so, what do your IIS logs look like?  I can submit anonymized IIS logs if that helps.  I also analyzed IIS trace logs for a request using the ISAPI redirect on both Windows 2016 and Windows 2012 R2.  There are no discernable differences.
>>
>> Can anyone confirm the functionality in Windows Server 2016?
> 
> I'm setting up a 2016 VM now. I'll report back when I get some results.

I see the same as you.

> I did find this:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=45769
> 
> which sounds suspiciously similar to your report.
> 
> I've tried and failed to find the referenced KB article.
> 
> The docs for setting up IIS are rather out of date. Providing some
> updated instructions looks like an opportunity to contribute if you (or
> anyone else) is interested.

I'll look at the IIS API docs next week and see if there is something
different we should be doing in IIS 10 compared to 8.5 and earlier.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: ISAPI and IIS 10 Logging Issue

["Igal @ Lucee.org" <ig...@lucee.org>]

On 10/6/2017 8:27 AM, Mark Thomas wrote:
>> On 10.05.2017 8:54, Thomas, Michael wrote:
>>
>> Unfortunately I am not getting much traction with Microsoft.  From the IIS forum, it looks like they are pointing the finger in the direction of the "third-party" that is writing the module.
> That is consistent with my experience with MS support.

I had the displeasure of working with IIS for many years until one day I 
switched to nginx and never looked back.  Works very well with the http 
connector and the RemoteIpFilter.

TBH, I am currently looking at HAProxy as an alternative to nginx, but 
that's for other reasons.

My 2c,

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>

Re: ISAPI and IIS 10 Logging Issue

[Mark Thomas <ma...@apache.org>]

> On 10.05.2017 8:54, Thomas, Michael wrote:
> 
> Unfortunately I am not getting much traction with Microsoft.  From the IIS forum, it looks like they are pointing the finger in the direction of the "third-party" that is writing the module.

That is consistent with my experience with MS support.

> This may be an obvious question but has the team who created the ISAPI module tested it on Windows Server 2016?

Probably not. I took on the release manager role for 1.2.42 and from
memory I was testing with 2008.

>  If so, what do your IIS logs look like?  I can submit anonymized IIS logs if that helps.  I also analyzed IIS trace logs for a request using the ISAPI redirect on both Windows 2016 and Windows 2012 R2.  There are no discernable differences.
> 
> Can anyone confirm the functionality in Windows Server 2016?

I'm setting up a 2016 VM now. I'll report back when I get some results.

I did find this:
https://bz.apache.org/bugzilla/show_bug.cgi?id=45769

which sounds suspiciously similar to your report.

I've tried and failed to find the referenced KB article.

The docs for setting up IIS are rather out of date. Providing some
updated instructions looks like an opportunity to contribute if you (or
anyone else) is interested.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org