Poor logging in IIS 10 with ColdFusion 11

Explorer ,
Dec 04, 2016 Dec 04, 2016

Copy link to clipboard

Copied

I think there is a logging bug that occurs when using ColdFusion 11 on IIS 10.

The IIS log shows cs-uri-stem as /jakarta/isapi_redirect.dll and so the actual .cfm file path is not logged.

I am testing 32-bit ColdFusion 11 (hotfix 10), on both Windows 10 and Windows Server 2016. I think I also got the same result with 64-bit ColdFusion.

Any ideas? Thanks.

Note, I haven't tested generic Tomcat, but I see that similar behavior has occurred in the past when using Tomcat with IIS 7, with or without "Advanced Logging" (which I have not installed).

Views

2.9K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Dec 05, 2016 Dec 05, 2016

Copy link to clipboard

Copied

Are you saying you are seeing these references to jakarta being logged in the IIS logs for *successful* CF page requests? I suppose we may see them if something about the IIS/CF configuration had such a page failing to be properly processed (such as filter or handler mapping issues).

FWIW, I don't see any references to the /jakarta DLL in my IIS logs, and I've checked multiple servers and sites (and on multiple CF versions). Now, I will admit I rarely run CF in 32-bit on a 64-bit system, but you say your recollection is that his happened even then. So my first question stands.

Another is: are you also saying this is so in all your sites (do you have more than one), for working or failing sites? It may be that it happens only on some, which may be useful for you diagnostically.

To be clear, yes, this is really about the Tomcat connector (which CF uses), so if you saw something happen regarding IIS logging with Tomcat, you should expect to see it in CF also, although the CF team did tweak the Tomcat connector they use so it's not identical.

And FWIW, IIS does indeed make a request to that /jakarta path with each CF request. One can see that happening in the IIS "Worker Processes" monitor (at the server level) which shows any requests currently running against any IIS app pool instance. With that tool, one would see a call to /jakarta (and that dll) for every CF page referenced. But I have not seen IIS LOG those requests, at least when the requests are indeed running.

Let us know what you find.


/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 05, 2016 Dec 05, 2016

Copy link to clipboard

Copied

Yes, I'm specifically talking about logging successful CF page requests, in IIS 10 only. I don't have any "live" sites on IIS 10, just testing.

On the other hand, when the page loads failed (due to wrong configuration), the logging appeared to be correct!

Do you have multiple live sites on IIS 10? I've been a little nervous about going live on Windows Server 2016 because isn't officially supported, and then I saw this logging issue...

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 15, 2017 Jun 15, 2017

Copy link to clipboard

Copied

I'd like to put a bump on this topic.

I am experiencing the same issue.  My config:  ColdFusion 2016 and Windows Server 2016 (IIS 10),

The IIS log shows cs-uri-stem as /jakarta/isapi_redirect.dll and so the actual .cfm file path is not logged.

Interestingly enough, we also have ColdFusion 2016 installed in a different environment running IIS 8.5 (Windows 2012R2) and the IIS logs are recording as intended.

If anyone has a solution, please note!

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Jul 10, 2017 Jul 10, 2017

Copy link to clipboard

Copied

Beeker (and BG), let's clarify first that CF11 (as BG was using) has never been certified for Windows Server 2016. Support was indeed added for IIS 10, on Windows 10, in update 7 (ColdFusion 11 Update 7 and ColdFusion 10 Update 18 are now available | Adobe ColdFusion Blog), but that was JUST IIS 10 as it runs on Windows 10, not Server 2016.

And then Beeker, though you say you ARE on CF2016, you say things fail on on and work on another. Well, let's clarify also that CF2016 support for Windows Server 2016 was only added in April of this year, and note that it's ONLY provided for via a *new installer*, available only in 64-bit mode. More at ColdFusion 2016 : Support for Windows Server 2016 | Adobe ColdFusion Blog .

So you could have two different servers, each with the same CF 2016 update level, and one would "support" Server 2016 and other would not, depending on the installer from which they were implemented.

We should not expect things to "work completely as expected" with CF and Windows Server 2016 a) with CF 2016, and b) only with a CF2016 installed via the installer made available after April 2017.(I'm not saying you can't possibly GET it to work otherwise, just that it's not supported and may prove challenging for whatever reason).


Hope that's helpful to you guys.


/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Aug 23, 2017 Aug 23, 2017

Copy link to clipboard

Copied

Charlie, thanks for the response.

My organization is using CF 2016 on Windows Server 2016.  The "New Installer" was used in 64-bit mode.

I tried reaching out to Adobe for help.  I was able to get with a team member (Case ID 189033405) and we we went back and forth a number of times trying to refine the problem.  Adobe was able to reproduce the issue but was unable to produce a resolution.  At the conclusion of the conversation, Adobe told me its a Microsoft problem and I need to contact them for the fix.  Not gonna sugar coat it, that response left me fuming.

Due to the the IIS Logging issue, my security team is unable to fully analyze web traffic as it reaches the IIS web server.  The web team is unable to view malicious page requests and/or query strings.  This is a significant issue and Adobe should be working with Microsoft to figure out a way to make this work.  This is a security issue and should be one of the highest priorities for resolution.  IIS logs are not a convenience.

In my opinion, if ColdFusion cannot accurately log web requests using IIS, it should be pulled.  It should be noted that the Windows 2016 installer is not fully compatible with IIS 10.  At the minimum, it should be noted that there is a deficiency with the logging of web requests.  This is a web server platform.  How can it not accurately log web requests!?!?!

Do you or anyone know if Adobe has considered investigating the HttpPlatformhandler as opposed to ISAPI?

As I told the tech who was "helping" me.  Windows 2012 is still mainstream but fading.  As Windows 2016 becomes more prominent, the chorus of voices surrounding this issue will grow.  I can't speak for anyone else, but in my organization security issues are #1 issues.  Anything less is unacceptable.

I want Adobe to fix this.  I don't want to fume on the forums about it.  I have been using CF since 7 and am truly passionate about it.  It just seems like Adobe is not giving CF the attention it truly deserves.  Please help!

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Sep 08, 2017 Sep 08, 2017

Copy link to clipboard

Copied

Whatever bullsh** adobe may told you, this is their issue. THEY need to contact MS if they think this is a MS issue and THEY need to escalate and work together with MS to resolve this bug. MS does not directly support 3rd party software. They can only support their own software. Adobe need to contact MS and open a developer support case with MS if there is really a bug on MS side. Other vendors do this also. Then they can get a hotfix or it will be integrated into next windows rollup.

For reference of this suxxx bug I have opened a case with Adobe https://tracker.adobe.com/#/view/CF-4199631

Please join.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 25, 2017 Jul 25, 2017

Copy link to clipboard

Copied

I have this issue as well. I'm using CF 2016 on Windows 2016 (IIS 10).  The cs-uri-stem for a fair amount of logs just shows "/jakarta/isapi_redirect.dll".  These are valid 200 statuses over ssl and non ssl connections.  If I go look at the refererPath I can usually get an idea of where it came from, but it's not ideal.  I'm just using the regular logging.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guide ,
Aug 08, 2017 Aug 08, 2017

Copy link to clipboard

Copied

Ditto what Mike said - CF2016 Windows 2016 IIS logs record "/jakarta/isapi_redirect.dll". Where CF2016 is installed using the refreshed installer that has update 3 applied then taken to update 4 using CFadmin > Server Update > Updates.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Oct 11, 2017 Oct 11, 2017

Copy link to clipboard

Copied

As an update on this thread, folks will want to watch the discussion in the bug report opened by "None1". Others have been responding there, adding more to the discussion, including a post just today from Nikhil of Adobe. And see also the discussion he (and others, not using CF) are having with MS folks about this at https://forums.iis.net/p/1168716/2136576.aspx?Re+IIS+Advanced+Logging+issues+with+Tomcat+and+web+app...).

Not only is this not a CF problem (but a Tomcat one, affecting folks using the original Tomcat connector) but it's also not limited to Windows 2016 but also Windows 10. It's an IIS 10 issue, as the original post here did clarify. (Some of the later discussions since this was first opened in Dec 2016 could be read to indicate it was a Win2016 problem only.)

Also, in following the trail of discussions (here and in that post there are links to still other threads where this is being discussed, outside of CF), I find one (https://forums.iis.net/p/1236914/2135699.aspx?ISAPI+and+IIS+10+Logging+Issues) where the most recent comments indicates folks having instances of IIS 10 where things DO work as expected, so there seems to be SOME matter of configurability that could be affecting this.

Will be great to hear if anyone figures that out, and/or something about IIS or the connector changes to enable the important IIS request logging.


/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Oct 11, 2017 Oct 11, 2017

Copy link to clipboard

Copied

Following up my last note, and in the meantime while we await proper resolution of this problem, here's something that may help some here.

Note that CF (well, Tomcat) does offer request logging of its own. It was on by default in CF10, then turned off in CF11 (because I assume it created very large files for some unsuspecting customers). Look into the Tomcat AccessLogValve, which can be enabled in CF's server.xml file. More at http://blogs.coldfusion.com/how-to-enable-disable-tomcat-logs/​ . And note that the logs are configurable to hold still more than they do as configured by default in that server.xml file. See the Tomcat docs on the valve for more details. Apache Tomcat 7 Configuration Reference (7.0.82) - The Valve Component

That said, I realize that the OP and others here have their very important reasons for the logging to work in the standard IIS logs. I just point out this option as "better than nothing" in their flying blind with no insight at all into logging of CF page requests, querystrings, and more, all of which would be loggable via the Tomcat AccessLogValve, as a last resort.

Finally, those using FusionReactor (fusion-reactor.com) will also find that it logs all CF page requests (and querystrings, and more) in its request.log.

Still, no question, the problem should be fixed so that the IIS logs work as expected in IIS 10 with CF.


/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 12, 2018 May 12, 2018

Copy link to clipboard

Copied

Have you seen anything from Adobe or MS to indicate a remedy for the logging issue?  I did enable the Tomcat log as suggest in the Oct 2017 posting

I tried the Jumiller fix and it did not work on my CF Sever 2016 | MS Server 2016 (IIS 10).  I have not tried to install Tomcat 8x or 9x as others have done.

One quirk that I am noticing and is probably best suited for a separate posting is that the IIS log shows http/2 working but the bulk of requests (spiders) appearing as http/1.  The /jakarta/isapi_redirect.dll  redirects show all requests as http/1.  And, the Tomcat log shows, virtually, all request as http/1.  Makes me wonder if the redirect is forcing all queries to http/1?

By the way, many thanks to everyone for the posts on this thread.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 12, 2018 May 12, 2018

Copy link to clipboard

Copied

Logging can be fixed by reordering logging module In iis.

http2 requires windows 2016 rollup update 17th April 2018 or later.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 14, 2018 May 14, 2018

Copy link to clipboard

Copied

97671093  wrote

Logging can be fixed by reordering logging module In iis.

http2 requires windows 2016 rollup update 17th April 2018 or later.

Thanks, but how does one go about "reordering logging module"?  The issue is in IIS 10 as everyone has described and I have not seen any affirmative posting on the lingering issue being fixed, thus the question.

Even after the rollup updates for April and May, no change in observations of the Tomcat log showing all uri's as http/1.  The use of the Tomcat log in CF is from a suggestion Charlie made last October. 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 28, 2018 May 28, 2018

Copy link to clipboard

Copied

Reordering one iis module is a workaround, but that works flawless. Adobe is still working with ms on solving the logging issue.

Fixing the http2 chunking bug already took 9 months and this was only a backport from windows 2019. I do not know what the tomcat log tells you, but the connection to iis is http2 in all browsers if you configured ssl properly. This is crucial. See https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12 for the script to configure SSL.

Not everything from Charlie is the optimal solution and it also does not mean there is no better solution.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 30, 2018 May 30, 2018

Copy link to clipboard

Copied

LATEST

I just fixed my own error and the logging works as it used to do.

I am rechecking my settings for ssl settings and TLS 1.2 Will let you know what I find

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 30, 2018 May 30, 2018

Copy link to clipboard

Copied

Check out this helpful link to re order the logging module in IIS:

https://forums.iis.net/p/1236914/2135699.aspx?ISAPI+and+IIS+10+Logging+Issues

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 30, 2018 May 30, 2018

Copy link to clipboard

Copied

Beeker and 97671093,

I found that I had not reordered both sections to move the iumiller fix in proper order The IsapiFilterModule needs to be before the HttpLoggingModule in the list.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines