Can ISAPI Filter remove entries from the IIS log file?

  • Article

I recently got this question about how to not log certain requests to the IIS log file.

Question:

As a hosting provider on several high traffic IIS6 based sites, we see TONS of disk space chewed up by the log entries that reflect our remote monitoring tools and load balancers doing QA checks on the sites. These are all known IP addresses, but I have yet to find a commercial solution to filtering these things out before they hit the log files.

Can an ISAPI filter be put in place that would toss out (not invoke an entry in the log files) any hits from our QA devices, but would still allow normal logging for any other hits that come?

For instance, we would want to filter out any hits from 10.x.x.x or 192.x.x.x right out of the gate. This will reduce log file size by 20% on busy sites, and 90% on less trafficed sites...

Thanks for the greate blog. One of the best I've seen.

Answer:

No, an ISAPI Filter cannot remove/discard entries from the IIS log file. ISAPI Filter can only modify the data that goes into the log entry, but it cannot remove its existence.

IIS does have built-in ability to not log anything for particular URL(s). However, the decision to log for a URL is a static decision - you cannot change your mind in the middle of the request in progress to either log/not-log.

Thus, it is possible for you to configure the URLs which your monitors ping on the "do not log" list and they will not show up in the log file. Note that this will also remove evidence that non 10.x.x.x or 192.x.x.x address requested those URLs.

For example, suppose your QA devices make periodic requests to /cgi-bin/ServerTest.asp and you want to remove it from being logged. You can do this with:

 CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs CREATE W3SVC/1/ROOT/cgi-bin/ServerTest/Test.asp IIsWebFile
CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/ROOT/cgi-bin/ServerTest/Test.asp/DontLog 1

This should remove /cgi-bin/ServerTest/Test.asp from ever being logged.

Note that this even works if your devices are making requests to default document URLs - for example, given the above configuration, requests to /cgi-bin/ServerTest/ (where Test.asp is the defined default document) will NOT be logged.

However, requests to /cgi-bin/ServerTest (note the missing trailing backslash) WILL be logged since IIS first sends a courtesy 302 redirection that gets logged, and when the client follows the courtesy redirect to /cgi-bin/ServerTest/ , that will NOT be logged as shown earlier.

Now, if you are paranoid about non 10.x.x.x or 192.x.x.x addresses requesting these URLs, you can write an ISAPI Filter to examine the REMOTE_ADDR and URL of a given request and do some filtering/logging of your own. You can probably use this filter sample from my blog with some tiny modifications to do what you need - just change the ServerVariable which triggers the logging and take advantage of the thread-safe logging code.

//David