The following section provides answers to frequently asked questions about URLScan.
Q: Where are my URLScan log files?
A: By default, the log files are in %windir%\System32\Inetsrv\Urlscan\Logs for both x86 and x64 installations. Your Urlscan.ini file contains the LoggingDirectory key under the [Options] section, which points to either an absolute path to your log file directory or a path relative to the location of your Urlscan.ini file. If you have a custom folder and are not seeing any logs, it is likely that your IIS worker process does not have write access to the logs folder. For IIS 6.0, grant the IIS_WPG group write access to this folder; for IIS 7.0, grant the IIS_IUSRS group write access to this folder. If this is a pre-existing folder, make sure it does not contain any sensitive information that could be tampered with. Also, if you are on x64, file system redirection may affect the custom path you are writing your logs to.
Q: I have URLScan v3.0 Beta or RTM right now. What will happen if I install v3.1?
A: The URLScan v3.1 MSI will upgrade the URLScan v3.0 Beta or RTM filters in the inetsrv directory. It will leave your .ini configuration and log files intact, and the RTW version will work against your previous configuration. Since new sections have been added in URLScan v3.1, you can download the new default .ini file from here to see what more it has to offer and add those sections to your existing configuration.
Q: I have URLScan v2.5 right now. What will happen if I install v3.1?
A: URLScan v3.1 will overwrite the pre-existing URLScan v2.5 filter in the inetsrv directory. It will leave your old Urlscan.ini file intact, though, and no changes to this .ini file are needed to make it work with URLScan v3.1. If you need to restore URLScan v2.5, you will need to re-install it from the Microsoft Download Center.
Q: Has the log format for URLScan v3.1 changed?
A: URLScan v3.1 has W3C formatted logs just like URLScan v3.0. You can use tools like Log Parser to query information in these log files.
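As an added example (not part of the original FAQ and not URLScan's or Log Parser's own code), the Python below reads a W3C-formatted log by following its #Fields directive and counts rejected requests per client and reason. The sample log lines are constructed, and the field names c-ip, x-action and x-reason are assumptions; the parser takes whatever column names the #Fields line declares.

```python
from collections import Counter

# Constructed sample in W3C extended log format. The field names are an
# assumption for illustration; the parser takes them from each "#Fields:" line.
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2008-09-08 22:31:02
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason
2008-09-08 22:31:02 192.0.2.10 1 GET /app/page.asp?id=1 Rejected query+string+rule
2008-09-08 22:31:09 192.0.2.10 1 GET /scripts/tool.exe Rejected extension+not+allowed
2008-09-08 22:32:40 198.51.100.7 1 GET /app/page.asp?id=2 Rejected query+string+rule
#Fields: Date Time c-ip cs-uri x-reason
2008-09-09 01:02:03 198.51.100.7 /a/b.asp?x=1 query+string+rule
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives can reappear mid-file (e.g. after a restart) and
            # may change the column layout, so re-read them every time.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a truncated/malformed entry
        yield dict(zip(fields, values))


def summarize(text, group_by=("c-ip", "x-reason")):
    """Count entries per (client, reason) pair to surface repeat offenders."""
    counts = Counter()
    for entry in parse_w3c(text):
        counts[tuple(entry.get(f, "-") for f in group_by)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```
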
Q: How come I don’t see any 500 errors in my W3SVC logs from URLScan blocking requests?
A: URLScan v3.1 failures result in 404 errors and not 500 errors. Searching for 404 errors in your W3SVC log will include failures due to URLScan blocking.
Q: How is this version different from the request filtering module in IIS 7.0?
A: The request filtering module that shipped with Windows Server 2008 RTM does not have the ability to filter based on query strings like URLScan v3.1 does. The request filtering module also does not allow you to specify rules that apply to multiple parts of an HTTP request in one entity. However, all the changes in URLScan v3.x will be incorporated into the request filtering module for an update release in the near future.