Udostępnij za pośrednictwem


Hook me up!

Who doesn’t LOVE reading log files? Probably those who have really busy servers that generate hundreds of mega-bytes of logs every minute. Even though the log format of IIS is standardized and many tools can parse them easily, this still presents three challenges:

  1. Even the best tools cannot process the logs in real time, because the server keeps updating the text files as long as requests are coming in.
  2. Even if you only read the content of the log files, it still takes IIS some time to flush log lines to disk, so you’re at least a few seconds behind.
  3. On a very busy server, processing the text-based logs can be too difficult to mine the information you need even with advanced text-processing tools.

With the new version of IIS in Windows Server 2012 R2, we have enabled the logs to use ETW (Event Tracing for Windows). ETW is a special hook that allows the logging to be tracked in real time with special tools. In IIS, here’s how you enable ETW logging:

image

Once a request is received by IIS, the event viewer will show it immediately (as opposed to text-file based logging, in which flushing to the log takes approximately 30 seconds). In addition to this, you can hook into the ETW provider directly using tools such as Message Analyzer. Message Analyzer, currently in Beta 3, can hook directly into ETW, capture events in real time and filter the output. By configuring your filters cleverly, you can easily find the information you need even on a server that handles thousands of requests per second.

To configure Message Analyzer to hook into ETW, follow these steps:

1. open Message Analyzer

2. Go to Capture/Trace

3. In the top-right corner, in the Search and add providers input box, type in Microsoft-windows-IIS-logging (you don’t have to type in the whole thing…just type “iis-l” to get to it fast

image

4. Optionally, add a capture filter. For example, if you are trying to track the access by a specific iPad to your Exchange server ActiveSync, you can create a filter for that specific device ID, which will appear in the URL. To do so find the device ID, and create a filter for it. A typical iPad request to ActiveSync will look like this:

https://www.contoso.com/Microsoft-Server-ActiveSync?User=sbbgpowl\&DeviceId=ApplDLFHXGSG12DY\&DeviceType=iPad\&Cmd=Ping

Setting your filter to:

Contains==”ApplDLFHXGSG12DY”

Will show only requests from this device. Setting the filter to “iPad” will show requests from all iPad devices. Similarly, you can filter for any of the text in the custom fields you may have configured in IIS enhanced logging.

5. Click start-with to start the capture

Now, the analyzer will show any incoming requests to IIS that match your filter expression. Clicking on a request will show the details. For example:

image

As you can see, the details pane on the bottom-left shows the fields that were captured. The filtering abilities of Message Analyzer are very useful for servers that are handling a large amount of traffic. You can set your filters to run during capture, which is ideal, if you know what you’re looking for. You can also set the filters later, once you know you got what you need. For example, the Quick Filter button on the top-right allows you to filter for a specific time using a neat slider:

image

And beyond this…the things you can do are endless.

Like it? Download the Preview release of Windows Server 2012 R2 and enjoy!

Comments

  • Anonymous
    December 20, 2014
    Yes! Great article, I've been looking for something like this for Exchange 2013 now that ExMon is gone to see what clients are connecting to a mailbox in real time.