In many cases, when troubleshooting web applications hosted in IIS, we start by collecting the basics for investigation:
The script at http://linqto.me/Grabber or the app at http://aka.ms/LogCatcher should help automate the steps below. And the article at http://linqto.me/IisTS describes why we collect these files.
Many of the files are only accessible to the Administrators on the investigated machine.
So open an administrative command-line console if you're going to use the commands below. Then…
First, create a folder where all collected files will be placed:
MKDIR C:\MsLogs
C:
CD \MsLogs
netsh http show cacheparam > C:\MsLogs\netsh_http_show_cacheparam.txt
netsh http show cachestate > C:\MsLogs\netsh_http_show_cachestate.txt
netsh http show iplisten > C:\MsLogs\netsh_http_show_iplisten.txt
netsh http show servicestate > C:\MsLogs\netsh_http_show_servicestate.txt
netsh http show setting > C:\MsLogs\netsh_http_show_setting.txt
netsh http show sslcert > C:\MsLogs\netsh_http_show_sslcert.txt
netsh http show timeout > C:\MsLogs\netsh_http_show_timeout.txt
netsh http show urlacl > C:\MsLogs\netsh_http_show_urlacl.txt
Default location is:
C:\Windows\System32\inetsrv\config\
Note: It's better if you can send the whole folder C:\Windows\System32\inetsrv\config\.
Example:
XCOPY %systemroot%\System32\inetsrv\config\*.* C:\MsLogs\ /E
Note: If IIS is using the Shared Configuration feature, then applicationHost.config should be collected from the network location where the file is shared.
Only send logs of the site containing the problematic application. Default location:
C:\inetpub\logs\LogFiles\W3SVC[siteID]\
Determine the Site ID from IIS Manager console, selecting the Sites node.
Only include latest files, if too many logs are there; we only need the investigated timeframe. For instance, logs in the last 10 days.
Example:
MKDIR C:\MsLogs\IIS-logs
ROBOCOPY C:\inetpub\logs\LogFiles\W3SVC1\ C:\MsLogs\IIS-logs\ /MAXAGE:10
…if any were collected at all, related to the issue being reported.
Only send traces for the site containing the problematic application. Default location:
C:\inetpub\logs\FailedReqLogFiles\W3SVC[siteID]\
Determine the Site ID from IIS Manager console, selecting the Sites node.
Example:
MKDIR C:\MsLogs\FREBs
COPY C:\inetpub\logs\FailedReqLogFiles\W3SVC1\*.* C:\MsLogs\FREBs\
Events and errors logged by the HTTP.SYS driver, which IIS relies on. The default location:
C:\Windows\System32\LogFiles\HTTPERR\
Only include latest files, if too many logs are there; we only need the investigated timeframe. For instance, logs in the last 10 days.
Example:
MKDIR C:\MsLogs\HTTPERR
ROBOCOPY %systemroot%\System32\LogFiles\HTTPERR\ C:\MsLogs\HTTPERR\ /MAXAGE:10
Before executing an app, IIS is building its configuration by merging trees with settings - read "config files": .NET FX config, then Asp.NET root Web.config, applicationHost.config of IIS, application's local Web.config cascade (root site Web.config, then sub-application's Web.config etc).
The .NET Framework (FX) configuration:
machine.config
The root ASP.NET configuration:
Web.config
Depending on application bitness, these can be found at:
C:\Windows\Microsoft.NET\Framework(64)\[version]\Config
Example:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config
It's better if you can send the whole folder.
Example:
MKDIR C:\MsLogs\ASP.NET-Config
XCOPY %systemroot%\Microsoft.NET\Framework64\v4.0.30319\Config\*.* C:\MsLogs\ASP.NET-Config\ /E
The Web.config file(s) of the root site - and sub-application(s), if that's the case - being diagnosed.
Or at least send the application's effective configuration, compiled by IIS from the above config files:
C:\inetpub\temp\appPools\[appPoolName]\[appPoolName].config
Example:
COPY C:\inetpub\temp\appPools\DefaultAppPool\DefaultAppPool.config C:\MsLogs\
We'll take the following 3 logs from Windows Events Viewer
Select each of them and then…
To collect entries in last 10 days, you can export them by running the following command lines:
WEVTUTIL export-log System C:\MsLogs\WinEvents-System.evtx /query:"*[System[TimeCreated[timediff(@SystemTime) <= 864000000]]]"
WEVTUTIL export-log Application C:\MsLogs\WinEvents-Application.evtx /query:"*[System[TimeCreated[timediff(@SystemTime) <= 864000000]]]"
WEVTUTIL export-log Security C:\MsLogs\WinEvents-Security.evtx /query:"*[System[TimeCreated[timediff(@SystemTime) <= 864000000]]]"
WEVTUTIL export-log Setup C:\MsLogs\WinEvents-Setup.evtx /query:"*[System[TimeCreated[timediff(@SystemTime) <= 864000000]]]"
Note that timediff function returns milliseconds from now. One day means 24 hours x 60 minutes x 60 seconds x 1.000 milliseconds = 86.400.000.
Collect Component-Based Setup log file - the packages that Windows installed.
Then IIS setup logs - how the IIS instance installation went.
COPY C:\Windows\Logs\CBS\cbs.log C:\MsLogs\
COPY C:\Windows\iis.log C:\MsLogs\
Export the output of MsInfo32, or simply run the command:
MsInfo32 /nfo C:\MsLogs\System-Info.nfo
MsInfo32 /report C:\MsLogs\System-Info.txt
Export the Registry keys telling about .NET Framework version(s) installed on machine:
Reg.exe export "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" C:\MsLogs\NET-Frameworks-versions.reg.txt
Archive the resulting data collection folder C:\MsLogs\ in a ZIP file, then upload the archive in the file transfer space for the case.
You'll need to send the collected data and/or share it with the engineer helping you do the troubleshooting.
You have to provide as much descriptive information as you can around what happens.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.