ASP.NET/IIS7.5 写入日志文件不起作用(权限、UAC、配置,???)
我们在将 ASP.NET 应用程序迁移到 Windows Server 2008 R2 x64 和 IIS7.5 时遇到问题。问题是我们的 ASP.NET 应用程序写入日志文件,但这些日志文件并未被写入。应用程序写入日志文件的唯一方法是我以本地管理员用户身份登录服务器,或者右键单击并以管理员身份运行 IE,这对我们来说都不是可接受的解决方案。
我们的平台是: Windows Server 2008 R2 x64(UAC 设置为默认设置) IIS7.5 ASP.NET 4.0(使用 Windows 身份验证和模拟,均在 web.config 中)
我们的应用程序安装到: D:[应用程序名称] [appnameWebSite](所有.aspx、.dll等文件都在这里) \Log(应用程序尝试将日志文件写入此文件夹)
在服务器上: 创建了新的应用程序池(名称:[appname],.NET 4.0,托管管道模式:经典,身份:ApplicationPoolIdentity,加载用户配置文件:False,所有其他属性均为默认值) 创建了指向 D:[appname][appnameWebSite] 的 IIS 应用程序并将其添加到新的应用程序池(完全信任级别) 在本地管理员组中拥有域用户
使用上面列出的所有配置和默认设置,ASP.NET 应用程序将不会写入日志文件。该应用程序在浏览器中似乎运行良好,但没有 log.txt 文件。
为了尝试“解决”这个问题,我们尝试了很多方法: 尝试的应用程序池设置:托管管道模式:集成 尝试的应用程序池设置:身份:NetworkService 尝试的应用程序池设置:身份:LocalSystem 尝试的应用程序池设置:加载用户配置文件:True 为用户组提供对应用程序文件夹结构的文件系统的完全控制权(尝试了 appname 文件夹、仅尝试了 Log 文件夹、仅尝试了 appnameWebSite 和 Log 文件夹) 为 IIS AppPool[appname] (匹配新的应用程序池)用户提供对应用程序文件夹结构的文件系统的完全控制权(尝试过 appname 文件夹、仅尝试过 Log 文件夹、仅尝试过 appnameWebSite 和 Log 文件夹)
这些都没有帮助。同样,应用程序可以正常运行,只是没有创建日志文件。
如上所述,应用程序运行时创建日志文件的唯一方法是使用本地管理员帐户(这是有道理的,因为他是超级用户)登录服务器,或者以管理员身份运行 IE 并提升权限。
我们该如何解决这个问题?
We're having trouble migrating our ASP.NET applications to Windows Server 2008 R2 x64 and IIS7.5. The problem is that our ASP.NET apps write log files, and these log files are not being written. The only way the apps write their log files is if I'm logged into the server as the local Administrator user or if I right click and run IE as Run as Administrator, neither of which is an acceptable solution for us.
Our platform is:
Windows Server 2008 R2 x64 (UAC setting is the default setting)
IIS7.5
ASP.NET 4.0 (using Windows authentication and impersonation, both on in web.config)
Our app gets installed to:
D:[appname]
[appnameWebSite] (all the .aspx, .dll, etc. files are in here)
\Log (the app tries to write the log file to this folder)
On the server:
Created new App Pool (name: [appname], .NET 4.0, Managed Pipeline Mode: Classic, Identity: ApplicationPoolIdentity, Load User Profile: False, all other properties are the defaults)
Created IIS application pointing to D:[appname][appnameWebSite] and added it the the new App Pool (Full trust level)
Have a domain user in local Administrators group
With all the configuration and default settings listed above, the ASP.NET app will not write the log file. The app appears to work fine in the browser, but no log.txt file.
To try to "fix" this issues, we've tried many things:
Tried Application Pool setting: Managed Pipeline Mode: Integrated
Tried Application Pool setting: Identity: NetworkService
Tried Application Pool setting: Identity: LocalSystem
Tried Application Pool setting: Load User Profile: True
Gave Users group full control to file system for our application folder structure (tried appname folder, tried Log folder only, tried appnameWebSite and Log folders only)
Gave IIS AppPool[appname] (matching the new App Pool) user full control to file system for our application folder structure (tried appname folder, tried Log folder only, tried appnameWebSite and Log folders only)
None of these things helped. Again, the app would run fine, just no log file created.
As mentioned above, the only way that the log file is created when the app runs is if we log into the server using the local Administrator account (which makes sense since he's a super user) or if we run IE as administrator and elevate privileges.
How can we resolve this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我尝试授予所有可能的权限,但仍然没有获得任何日志文件。最后我遇到了this,它建议更改我的日志文件目录的所有权。我检查了一下,目录所有权设置为 SYSTEM。我将其更改为管理员并递归应用更改。我退回了 IIS,在浏览器中访问了该站点的网页,现在我有了日志文件。万岁!
注意:让我注意到的是检查系统事件日志。我收到 15006 错误,提示“日志文件或目录 C:\inetpub\logfiles\W3SVC1\some.log 的所有者无效。这可能是因为另一个用户已经创建了日志文件或目录。”
I tried granting every permission possible and still wasn't getting any log files. Finally I came across this which suggested changing the ownership of my logfiles directory. I checked, and the directory ownership was set to SYSTEM. I changed it to Administrators and applied the change recursively. I bounced IIS, hit a webpage from the site in the browser, and now I have log files. Hooray!
Note: the thing that tipped me off was checking the System event log. I was getting 15006 errors saying "Owner of the log file or directory C:\inetpub\logfiles\W3SVC1\some.log is invalid. This could be because another user has already created the log file or the directory."
好吧,经过几天尝试每个 IIS 选项、用户和组帐户、文件系统权限、Process Explorer 等之后,我认为我们已经成功了:
成功!无论哪个用户使用 ASP.NET 应用程序,也无论他们是在服务器本身上还是从工作站上运行该应用程序,日志文件都会按预期写入。
我不知道在服务器上关闭 Internet Explorer 增强安全配置是否是“正确”的做法,或者是否违反了任何最佳实践,但它似乎对我们有用。
有人有什么要补充的吗?
Well, after days of trying every IIS option, user and group accounts, file system permissions, Process Explorer, etc., I think we got it working:
And success! The log file is written as expected no matter what user is using the ASP.NET application, and no matter if they're running it on the server itself or from a workstation.
I don't know if turning off Internet Explorer Enhanced Security Configuration on the server is the "correct" thing to do or if it violates any best practices, but it seems to work for us.
Does anyone have anything to add?
我在这个问题上挣扎了一段时间。 ApplicationPoolIdentity 是 Users 组的成员,并且 Users 组的访问权限有限。
在资源管理器中,右键单击您要写入的文件夹,然后转到“安全”。单击高级按钮。您将看到用户具有读取和执行权限,并且用户组可能具有也可能不具有特殊权限。如果没有,请单击“更改权限”并授予用户创建文件/写入数据和创建文件夹/附加数据的能力。这仅限于此文件夹。我通常使用子文件夹,这样我就不会提供对整个网站的写访问权限。
尝试再次创建日志文件。这是我需要设置使其工作的唯一权限。
I struggled with this one for a while. The ApplicationPoolIdentity is a member of the Users group and the Users group has limited access.
From Explorer, right-click on the folder where you are trying to write and go to Security. Click the Advanced button. you will see that Users have Read and Execute permission and the Users group may or may not have Special permissions. If not, Click on Change Permissions and give Users the ability to Create files / write data and Create folders / append data. This is restricted to this folder. I usially use a subfolder so that I not provide write access to my whole website.
Try creating log files again. This is the only permission that I needed to set to make it work.
对我来说,诀窍是为
SYSTEM和Administrators提供写入权限,不仅是日志文件夹本身,而且路径中的每个文件夹。这不是 Windows 中权限通常的工作方式,但 IIS 似乎对此非常挑剔。并不是说一开始就有充分的理由从 ACL 中删除这两个内容。如果您怀疑这是问题所在,请检查 Windows 日志/系统下的事件日志。此问题表现为来自源 HttpEvent 的错误条目,并显示“无法创建日志文件 C:\path\to\logs\W3SVC1\u_extend1.log。请确保日志记录目录正确并且此计算机具有对那个目录。”
PS 这对于 IIS 10 来说是正确的,但也可能适用于其他版本。
For me the trick was giving write access for
SYSTEMandAdministratorsnot only to the log folder itself, but also every folder in the path. This is not how permissions usually work in Windows, but IIS appears to be really rather particular about it. Not that there is a good reason to remove these two from the ACLs to begin with.If you suspect this to be the problem, check the Event Log under Windows Logs / System. This issue manifests itself as an Error entry from source HttpEvent, and reads "Unable to create log file C:\path\to\logs\W3SVC1\u_extend1.log. Make sure that the logging directory is correct and this computer has write access to that directory."
P.S. This is true for IIS 10 but may apply to other versions too.