Skip to main content
B
BG650
Inspiring
December 4, 2016
Question

Poor logging in IIS 10 with ColdFusion 11

  • December 4, 2016
  • 4 replies
  • 4859 views

I think there is a logging bug that occurs when using ColdFusion 11 on IIS 10.

The IIS log shows cs-uri-stem as /jakarta/isapi_redirect.dll and so the actual .cfm file path is not logged.

I am testing 32-bit ColdFusion 11 (hotfix 10), on both Windows 10 and Windows Server 2016. I think I also got the same result with 64-bit ColdFusion.

Any ideas? Thanks.

Note, I haven't tested generic Tomcat, but I see that similar behavior has occurred in the past when using Tomcat with IIS 7, with or without "Advanced Logging" (which I have not installed).

    This topic has been closed for replies.

    4 replies

    Charlie Arehart
    Charlie Arehart
    Community Expert
    October 12, 2017

    As an update on this thread, folks will want to watch the discussion in the bug report opened by "None1". Others have been responding there, adding more to the discussion, including a post just today from Nikhil of Adobe. And see also the discussion he (and others, not using CF) are having with MS folks about this at https://forums.iis.net/p/1168716/2136576.aspx?Re+IIS+Advanced+Logging+issues+with+Tomcat+and+web+application).

    Not only is this not a CF problem (but a Tomcat one, affecting folks using the original Tomcat connector) but it's also not limited to Windows 2016 but also Windows 10. It's an IIS 10 issue, as the original post here did clarify. (Some of the later discussions since this was first opened in Dec 2016 could be read to indicate it was a Win2016 problem only.)

    Also, in following the trail of discussions (here and in that post there are links to still other threads where this is being discussed, outside of CF), I find one (https://forums.iis.net/p/1236914/2135699.aspx?ISAPI+and+IIS+10+Logging+Issues) where the most recent comments indicates folks having instances of IIS 10 where things DO work as expected, so there seems to be SOME matter of configurability that could be affecting this.

    Will be great to hear if anyone figures that out, and/or something about IIS or the connector changes to enable the important IIS request logging.

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Charlie Arehart
    Community Expert
    October 12, 2017

    Following up my last note, and in the meantime while we await proper resolution of this problem, here's something that may help some here.

    Note that CF (well, Tomcat) does offer request logging of its own. It was on by default in CF10, then turned off in CF11 (because I assume it created very large files for some unsuspecting customers). Look into the Tomcat AccessLogValve, which can be enabled in CF's server.xml file. More at http://blogs.coldfusion.com/how-to-enable-disable-tomcat-logs/​ . And note that the logs are configurable to hold still more than they do as configured by default in that server.xml file. See the Tomcat docs on the valve for more details. Apache Tomcat 7 Configuration Reference (7.0.82) - The Valve Component

    That said, I realize that the OP and others here have their very important reasons for the logging to work in the standard IIS logs. I just point out this option as "better than nothing" in their flying blind with no insight at all into logging of CF page requests, querystrings, and more, all of which would be loggable via the Tomcat AccessLogValve, as a last resort.

    Finally, those using FusionReactor (fusion-reactor.com) will also find that it logs all CF page requests (and querystrings, and more) in its request.log.

    Still, no question, the problem should be fixed so that the IIS logs work as expected in IIS 10 with CF.

    /Charlie (troubleshooter, carehart. org)
    T
    terribleted
    Participating Frequently
    May 31, 2018

    Check out this helpful link to re order the logging module in IIS:

    https://forums.iis.net/p/1236914/2135699.aspx?ISAPI+and+IIS+10+Logging+Issues


    Beeker and 97671093,

    I found that I had not reordered both sections to move the iumiller fix in proper order The IsapiFilterModule needs to be before the HttpLoggingModule in the list.

    M
    mike42780
    Known Participant
    July 25, 2017

    I have this issue as well. I'm using CF 2016 on Windows 2016 (IIS 10).  The cs-uri-stem for a fair amount of logs just shows "/jakarta/isapi_redirect.dll".  These are valid 200 statuses over ssl and non ssl connections.  If I go look at the refererPath I can usually get an idea of where it came from, but it's not ideal.  I'm just using the regular logging.

    C
    carl type3
    Brainiac
    August 9, 2017

    Ditto what Mike said - CF2016 Windows 2016 IIS logs record "/jakarta/isapi_redirect.dll". Where CF2016 is installed using the refreshed installer that has update 3 applied then taken to update 4 using CFadmin > Server Update > Updates.

    B
    beekermd03
    Participating Frequently
    June 15, 2017

    I'd like to put a bump on this topic.

    I am experiencing the same issue.  My config:  ColdFusion 2016 and Windows Server 2016 (IIS 10),

    The IIS log shows cs-uri-stem as /jakarta/isapi_redirect.dll and so the actual .cfm file path is not logged.

    Interestingly enough, we also have ColdFusion 2016 installed in a different environment running IIS 8.5 (Windows 2012R2) and the IIS logs are recording as intended.

    If anyone has a solution, please note!

    Charlie Arehart
    Charlie Arehart
    Community Expert
    July 11, 2017

    Beeker (and BG), let's clarify first that CF11 (as BG was using) has never been certified for Windows Server 2016. Support was indeed added for IIS 10, on Windows 10, in update 7 (ColdFusion 11 Update 7 and ColdFusion 10 Update 18 are now available | Adobe ColdFusion Blog), but that was JUST IIS 10 as it runs on Windows 10, not Server 2016.

    And then Beeker, though you say you ARE on CF2016, you say things fail on on and work on another. Well, let's clarify also that CF2016 support for Windows Server 2016 was only added in April of this year, and note that it's ONLY provided for via a *new installer*, available only in 64-bit mode. More at ColdFusion 2016 : Support for Windows Server 2016 | Adobe ColdFusion Blog .

    So you could have two different servers, each with the same CF 2016 update level, and one would "support" Server 2016 and other would not, depending on the installer from which they were implemented.

    We should not expect things to "work completely as expected" with CF and Windows Server 2016 a) with CF 2016, and b) only with a CF2016 installed via the installer made available after April 2017.(I'm not saying you can't possibly GET it to work otherwise, just that it's not supported and may prove challenging for whatever reason).


    Hope that's helpful to you guys.

    /Charlie (troubleshooter, carehart. org)
    B
    beekermd03
    Participating Frequently
    August 23, 2017

    Charlie, thanks for the response.

    My organization is using CF 2016 on Windows Server 2016.  The "New Installer" was used in 64-bit mode.

    I tried reaching out to Adobe for help.  I was able to get with a team member (Case ID 189033405) and we we went back and forth a number of times trying to refine the problem.  Adobe was able to reproduce the issue but was unable to produce a resolution.  At the conclusion of the conversation, Adobe told me its a Microsoft problem and I need to contact them for the fix.  Not gonna sugar coat it, that response left me fuming.

    Due to the the IIS Logging issue, my security team is unable to fully analyze web traffic as it reaches the IIS web server.  The web team is unable to view malicious page requests and/or query strings.  This is a significant issue and Adobe should be working with Microsoft to figure out a way to make this work.  This is a security issue and should be one of the highest priorities for resolution.  IIS logs are not a convenience.

    In my opinion, if ColdFusion cannot accurately log web requests using IIS, it should be pulled.  It should be noted that the Windows 2016 installer is not fully compatible with IIS 10.  At the minimum, it should be noted that there is a deficiency with the logging of web requests.  This is a web server platform.  How can it not accurately log web requests!?!?!

    Do you or anyone know if Adobe has considered investigating the HttpPlatformhandler as opposed to ISAPI?

    As I told the tech who was "helping" me.  Windows 2012 is still mainstream but fading.  As Windows 2016 becomes more prominent, the chorus of voices surrounding this issue will grow.  I can't speak for anyone else, but in my organization security issues are #1 issues.  Anything less is unacceptable.

    I want Adobe to fix this.  I don't want to fume on the forums about it.  I have been using CF since 7 and am truly passionate about it.  It just seems like Adobe is not giving CF the attention it truly deserves.  Please help!

      Charlie Arehart
      Charlie Arehart
      Community Expert
      December 5, 2016

      Are you saying you are seeing these references to jakarta being logged in the IIS logs for *successful* CF page requests? I suppose we may see them if something about the IIS/CF configuration had such a page failing to be properly processed (such as filter or handler mapping issues).

      FWIW, I don't see any references to the /jakarta DLL in my IIS logs, and I've checked multiple servers and sites (and on multiple CF versions). Now, I will admit I rarely run CF in 32-bit on a 64-bit system, but you say your recollection is that his happened even then. So my first question stands.

      Another is: are you also saying this is so in all your sites (do you have more than one), for working or failing sites? It may be that it happens only on some, which may be useful for you diagnostically.

      To be clear, yes, this is really about the Tomcat connector (which CF uses), so if you saw something happen regarding IIS logging with Tomcat, you should expect to see it in CF also, although the CF team did tweak the Tomcat connector they use so it's not identical.

      And FWIW, IIS does indeed make a request to that /jakarta path with each CF request. One can see that happening in the IIS "Worker Processes" monitor (at the server level) which shows any requests currently running against any IIS app pool instance. With that tool, one would see a call to /jakarta (and that dll) for every CF page referenced. But I have not seen IIS LOG those requests, at least when the requests are indeed running.

      Let us know what you find.

      /Charlie (troubleshooter, carehart. org)
      B
      BG650Author
      Inspiring
      December 5, 2016

      Yes, I'm specifically talking about logging successful CF page requests, in IIS 10 only. I don't have any "live" sites on IIS 10, just testing.

      On the other hand, when the page loads failed (due to wrong configuration), the logging appeared to be correct!

      Do you have multiple live sites on IIS 10? I've been a little nervous about going live on Windows Server 2016 because isn't officially supported, and then I saw this logging issue...

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices