Re: IIS Log exactly 65.536 bytes ???
From: Mike Coppins (mike@legolas.com)
Date: 11/27/02
- In reply to: Dominick Baier: "IIS Log exactly 65.536 bytes ???"
Date: Wed, 27 Nov 2002 01:06:34 +0000
To: focus-ms@securityfocus.com
From: Mike Coppins <mike@legolas.com>

To throw in a quick tidbit of information, when IIS starts a new logfile,
the size is 64KB, even though the rest of the file is 'empty'. The reason
for this is for performance purposes. The filesystem doesn't keep getting
requests to increase the size of a file every time an HTTP request occurs
and the log file doesn't get half as fragmented as it might.

The freezing situation you describe when viewing logfiles over TS is
obviously bad, but as to what the cause is I can't say.

As for new file creation/modify times being the same frequently, it depends
on how busy the website in question is. The file modify date of the file
changes when the first hit of the next day occurs. IIS cuts the slack from
the old log file and starts a new one. Personally I'm finding it odd that
your 'not suspicious' logfiles are created at exactly 1am and your
'suspicious' files have different timestamps :)

The timestamps on a website I run (legolas.com) which doesn't get much
traffic, but enough to keep the weblogs ticking over, the modify dates are
anything from 00:00 to 00:49, and the creation date of the previous
logfile. The last entry of the previous logfile is anything up to 23:59.

I'd advise some general checking for a potential compromise on your machine
(the sort of checking that should be done on a regular, but not
particularly often, basis). Things like checking AT job listings, key
binary comparisons, user listings, netstat output checks, etc.

Could some of this behaviour be the result of using URLScan? I don't know,
never used it, as it seems like one of those 'closing the door after the
horse has bolted' security safeguards :)

--
Mike Coppins
mike@legolas.com
http://www.legolas.com/
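
Added example, not part of the original message: a Python triage helper that separates a log file's written entries from trailing filler, so a 65,536-byte file can be checked against the preallocation explanation given above. It assumes the 'empty' region is NUL bytes and that preallocation happens in 64 KB steps (neither detail is stated in the post); the sample entries and the names `triage_log` and `write_sample` are constructed for illustration.

```python
import os
import tempfile

PREALLOC = 64 * 1024  # 65,536 bytes: size of a freshly started IIS log per the post

# Constructed sample entries in W3C extended format (not from a real server).
SAMPLE = (b"#Fields: time c-ip cs-method cs-uri-stem sc-status\r\n"
          b"00:03:12 192.0.2.10 GET /index.html 200\r\n"
          b"00:41:55 192.0.2.11 GET /about.html 200\r\n")


def write_sample(path, total_size=None):
    """Write SAMPLE, optionally NUL-padded out to total_size bytes."""
    pad = b"\x00" * max(0, (total_size or 0) - len(SAMPLE))
    with open(path, "wb") as fh:
        fh.write(SAMPLE + pad)


def triage_log(path):
    """Split a log into written content and trailing filler (assumed to be NULs)."""
    with open(path, "rb") as fh:
        data = fh.read()
    content = data.rstrip(b"\x00")
    # NULs in the middle of the entries are not explained by preallocation.
    embedded_nuls = content.count(b"\x00")
    entries = [l for l in content.splitlines() if l and not l.startswith(b"#")]
    padding = len(data) - len(content)
    if padding and len(data) % PREALLOC == 0 and not embedded_nuls:
        verdict = "preallocated"  # open log whose slack has not been cut yet
    elif not padding and not embedded_nuls:
        verdict = "closed"        # slack already trimmed, size equals content
    else:
        verdict = "review"        # filler pattern that preallocation does not explain
    return {"size": len(data), "content": len(content), "padding": padding,
            "entries": len(entries), "verdict": verdict,
            "last_entry": entries[-1].decode("ascii", "replace") if entries else None}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, size in (("open.log", PREALLOC), ("closed.log", None),
                           ("odd.log", 5000)):
            p = os.path.join(d, name)
            write_sample(p, size)
            print(name, triage_log(p))
```

A "review" verdict only means the file layout is not what preallocation alone would produce; the last entry time and the file's modify time still need comparing by hand, as the message describes.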