620 lines
15 KiB
C
620 lines
15 KiB
C
/*++
|
|
|
|
Copyright (c) 2000-2001 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
ullog.c (UL IIS+ HIT Logging)
|
|
|
|
Abstract:
|
|
|
|
This module implements the logging facilities
|
|
for IIS+ including the NCSA, IIS and W3CE types
|
|
of logging.
|
|
|
|
Author:
|
|
|
|
Ali E. Turkoglu (aliTu) 10-May-2000
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
#ifndef _ULLOG_H_
|
|
#define _ULLOG_H_
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
//
|
|
// Forwarders.
|
|
//
|
|
|
|
typedef struct _UL_FULL_TRACKER *PUL_FULL_TRACKER;
|
|
typedef struct _UL_INTERNAL_REQUEST *PUL_INTERNAL_REQUEST;
|
|
typedef struct _UL_CONFIG_GROUP_OBJECT *PUL_CONFIG_GROUP_OBJECT;
|
|
|
|
//
|
|
// Brief information about how logging locks works; Whole link list is controlled
|
|
// by a global EResource g_pUlNonpagedData->LogListResource. Functions that require
|
|
// read access to this list are Hit(),CacheHit() & BufferFlush() and the ReCycle().
|
|
// Whereas functions that requires write access are Create(),Remove() and ReConfig().
|
|
// Also the log entry eresource (EntryResource) controls the per entry buffer.
|
|
// This eresource is acquired shared for the log hits.
|
|
//
|
|
|
|
//
|
|
// Structure to hold a log file buffer
|
|
//
|
|
|
|
typedef struct _UL_LOG_FILE_BUFFER
|
|
{
|
|
//
|
|
// PagedPool
|
|
//
|
|
|
|
//
|
|
// This MUST be the first field in the structure. This is the linkage
|
|
// used by the lookaside package for storing entries in the lookaside
|
|
// list.
|
|
//
|
|
|
|
SINGLE_LIST_ENTRY LookasideEntry;
|
|
|
|
//
|
|
// Signature is UL_LOG_FILE_BUFFER_POOL_TAG.
|
|
//
|
|
|
|
ULONG Signature;
|
|
|
|
//
|
|
// I/O status block for UlpBufferFlushAPC.
|
|
//
|
|
|
|
IO_STATUS_BLOCK IoStatusBlock;
|
|
|
|
//
|
|
// Bytes used in the allocated buffered space.
|
|
//
|
|
|
|
LONG BufferUsed;
|
|
|
|
//
|
|
// The real buffered space for log records.
|
|
//
|
|
|
|
PUCHAR Buffer;
|
|
|
|
} UL_LOG_FILE_BUFFER, *PUL_LOG_FILE_BUFFER;
|
|
|
|
#define IS_VALID_LOG_FILE_BUFFER( entry ) \
|
|
( (entry != NULL) && ((entry)->Signature == UL_LOG_FILE_BUFFER_POOL_TAG) )
|
|
|
|
//
|
|
// Structure to hold info for a log file
|
|
//
|
|
|
|
typedef struct _UL_LOG_FILE_ENTRY
|
|
{
|
|
//
|
|
// Signature is UL_LOG_FILE_ENTRY_POOL_TAG.
|
|
//
|
|
|
|
ULONG Signature;
|
|
|
|
//
|
|
// This lock protects the whole entry. The ZwWrite operation
|
|
// that's called after the lock acquired cannot run at APC_LEVEL
|
|
// therefore we have to go back to eresource to prevent a bugcheck
|
|
//
|
|
|
|
UL_ERESOURCE EntryResource;
|
|
|
|
//
|
|
// The name of the file. Full path including the directory.
|
|
//
|
|
|
|
UNICODE_STRING FileName;
|
|
PWSTR pShortName;
|
|
|
|
//
|
|
// The open file handle. Note that this handle is only valid
|
|
// in the context of the system process.
|
|
//
|
|
|
|
HANDLE hFile;
|
|
|
|
//
|
|
// File-specific information gleaned from the file system.
|
|
//
|
|
|
|
FILE_STANDARD_INFORMATION FileInfo;
|
|
|
|
//
|
|
// links all log file entries
|
|
//
|
|
|
|
LIST_ENTRY LogFileListEntry;
|
|
|
|
HTTP_LOGGING_TYPE Format;
|
|
HTTP_LOGGING_PERIOD Period;
|
|
ULONG TruncateSize;
|
|
ULONG LogExtFileFlags;
|
|
|
|
//
|
|
// Time to expire field in terms of Hours.
|
|
// This could be at most 24 * 31, that's for monthly
|
|
// log cycling. Basically we keep a single periodic hourly
|
|
// timer and every time it expires we traverse the
|
|
// log list to figure out which log files are expired
|
|
// at that time by looking at this fields. And then we
|
|
// recylcle the log if necessary.
|
|
//
|
|
|
|
ULONG TimeToExpire;
|
|
|
|
//
|
|
// If this entry has MAX_SIZE or UNLIMITED
|
|
// log period
|
|
//
|
|
|
|
ULONG SequenceNumber;
|
|
ULARGE_INTEGER TotalWritten;
|
|
|
|
//
|
|
// To be able to close the file handle on threadpool.
|
|
//
|
|
|
|
UL_WORK_ITEM WorkItem;
|
|
KEVENT CloseEvent;
|
|
|
|
// TODO: Usage for RecyclePending Flag
|
|
// TODO: If disk was full during the last recycle of this entry.
|
|
// TODO: This value get set. And later (every 1 minute) it might be
|
|
// TODO: (if there's any space then) reset by DISKFULL_TIMER
|
|
// TODO: if none of the entries in the list is pending anymore
|
|
// TODO: then timer get destroyed until when we hit to disk full
|
|
// TODO: again.
|
|
|
|
union
|
|
{
|
|
// Flags to show the field states mostly. Used by
|
|
// recycling.
|
|
|
|
LONG Value;
|
|
struct
|
|
{
|
|
ULONG StaleSequenceNumber:1;
|
|
ULONG StaleTimeToExpire:1;
|
|
ULONG RecyclePending:1;
|
|
ULONG LogTitleWritten:1;
|
|
};
|
|
|
|
} Flags;
|
|
|
|
//
|
|
// Each log file entry keeps a fixed amount of log buffer.
|
|
// The buffer size is g_AllocationGranularity comes from
|
|
// the system's allocation granularity.
|
|
//
|
|
|
|
PUL_LOG_FILE_BUFFER LogBuffer;
|
|
|
|
} UL_LOG_FILE_ENTRY, *PUL_LOG_FILE_ENTRY;
|
|
|
|
#define IS_VALID_LOG_FILE_ENTRY( pEntry ) \
|
|
( (pEntry != NULL) && ((pEntry)->Signature == UL_LOG_FILE_ENTRY_POOL_TAG) )
|
|
|
|
#define SET_SEQUNCE_NUMBER_STALE(pEntry) do{ \
|
|
pEntry->Flags.StaleSequenceNumber = 1; \
|
|
}while(FALSE)
|
|
#define RESET_SEQUNCE_NUMBER_STALE(pEntry) do{ \
|
|
pEntry->Flags.StaleSequenceNumber = 0; \
|
|
}while(FALSE)
|
|
|
|
#define SET_TIME_TO_EXPIRE_STALE(pEntry) do{ \
|
|
pEntry->Flags.StaleTimeToExpire = 1; \
|
|
}while(FALSE)
|
|
#define RESET_TIME_TO_EXPIRE_STALE(pEntry) do{ \
|
|
pEntry->Flags.StaleTimeToExpire = 0; \
|
|
}while(FALSE)
|
|
|
|
//
|
|
// Some directory name related Macros
|
|
//
|
|
|
|
// Device Prefix
|
|
#define UL_LOCAL_PATH_PREFIX (L"\\??\\")
|
|
#define UL_LOCAL_PATH_PREFIX_LENGTH (4)
|
|
#define UL_UNC_PATH_PREFIX (L"\\dosdevices\\UNC")
|
|
#define UL_UNC_PATH_PREFIX_LENGTH (15)
|
|
|
|
#define UL_MAX_PATH_PREFIX_LENGTH (15)
|
|
|
|
// Put some Limit to the length of the Log Directory name will
|
|
// be passed down by WAS. In Bytes.
|
|
#define UL_MAX_FULL_PATH_DIR_NAME_SIZE (10*1024)
|
|
|
|
#define IS_VALID_DIR_NAME(s) \
|
|
(((s)!=NULL) && \
|
|
((s)->MaximumLength > (s)->Length) && \
|
|
((s)->Length != 0) && \
|
|
((s)->Buffer != NULL) && \
|
|
((s)->Buffer[(s)->Length/sizeof(WCHAR)] == UNICODE_NULL) && \
|
|
((s)->MaximumLength <= UL_MAX_FULL_PATH_DIR_NAME_SIZE) \
|
|
)
|
|
|
|
//
|
|
// Followings are all parts of our internal buffer to hold
|
|
// the Logging information. We copy over this info from WP
|
|
// buffer upon SendResponse request. Yet few of this fields
|
|
// are calculated directly by us and filled.
|
|
//
|
|
|
|
typedef enum _UL_LOG_FIELD_TYPE
|
|
{
|
|
UlLogFieldDate = 0, // 0
|
|
UlLogFieldTime,
|
|
UlLogFieldSiteName,
|
|
UlLogFieldServerName,
|
|
UlLogFieldServerIp,
|
|
UlLogFieldMethod, // 5
|
|
UlLogFieldUriStem,
|
|
UlLogFieldUriQuery,
|
|
UlLogFieldProtocolStatus,
|
|
UlLogFieldWin32Status,
|
|
UlLogFieldServerPort, // 10
|
|
UlLogFieldUserName,
|
|
UlLogFieldClientIp,
|
|
UlLogFieldProtocolVersion,
|
|
UlLogFieldUserAgent,
|
|
UlLogFieldCookie, // 15
|
|
UlLogFieldReferrer,
|
|
UlLogFieldHost,
|
|
UlLogFieldBytesSent,
|
|
UlLogFieldBytesReceived,
|
|
UlLogFieldTimeTaken, // 20
|
|
|
|
UlLogFieldMaximum
|
|
|
|
} UL_LOG_FIELD_TYPE, *PUL_LOG_FIELD_TYPE;
|
|
|
|
//
|
|
// Size of the pre-allocated log line buffer inside the request structure.
|
|
//
|
|
|
|
#define UL_LOG_LINE_BUFFER_SIZE (4*1024)
|
|
|
|
#define UL_MAX_LOG_LINE_BUFFER_SIZE (10*1024)
|
|
|
|
#define UL_MAX_TITLE_BUFFER_SIZE (512)
|
|
|
|
//
|
|
// To avoid the infinite loop situation we have to set the minimum
|
|
// allowable log file size to something bigger than maximum allowable
|
|
// log record line;
|
|
//
|
|
|
|
#define UL_MIN_ALLOWED_TRUNCATESIZE (16*1024)
|
|
|
|
C_ASSERT(UL_MIN_ALLOWED_TRUNCATESIZE >
|
|
(UL_MAX_TITLE_BUFFER_SIZE + UL_MAX_LOG_LINE_BUFFER_SIZE));
|
|
|
|
//
|
|
// If somebody overwrites the default log buffering size which
|
|
// is system granularity size of 64K. We have to make sure the
|
|
// buffer size is not smaller then miminum allowed. Which is
|
|
// MaximumAlowed Logrecord size of 10K. Also it should be 4k
|
|
// aligned therefore makes it 12k at least.
|
|
//
|
|
|
|
#define MINIMUM_ALLOWED_LOG_BUFFER_SIZE (12*1024)
|
|
|
|
C_ASSERT(MINIMUM_ALLOWED_LOG_BUFFER_SIZE >
|
|
(UL_MAX_TITLE_BUFFER_SIZE + UL_MAX_LOG_LINE_BUFFER_SIZE));
|
|
|
|
#define MAXIMUM_ALLOWED_LOG_BUFFER_SIZE (64*1024)
|
|
|
|
//
|
|
// Following is the definition of the Internal Log Data Buffer.
|
|
// It also holds the required pointer to pRequest.
|
|
//
|
|
|
|
typedef struct _UL_LOG_DATA_BUFFER
|
|
{
|
|
//
|
|
// A work item, used for queuing to a worker thread.
|
|
//
|
|
|
|
UL_WORK_ITEM WorkItem;
|
|
|
|
//
|
|
// Our private pointer to the Internal Request structure
|
|
// to be ensure to have the request around until we are done
|
|
// with logging. Even if connection get reset by client, before
|
|
// we get a chance to log. See the definition of UlLogHttpHit
|
|
// for further complicated comments.
|
|
//
|
|
|
|
PUL_INTERNAL_REQUEST pRequest;
|
|
|
|
//
|
|
// For Cache&Send Responses we won't be copying and allocating
|
|
// a new internal buffer again and again but instead will keep
|
|
// the original we have allocated during the capturing the res-
|
|
// ponse. This flag shows that the buffer is ready as it is and
|
|
// no need to copy over log data from cache again.
|
|
//
|
|
|
|
BOOLEAN CacheAndSendResponse;
|
|
|
|
//
|
|
// The total amount of send_response bytes
|
|
//
|
|
|
|
ULONGLONG BytesTransferred;
|
|
|
|
//
|
|
// For cache hits we can get the corresponding cgroup frm uri_cache
|
|
// entry to avoid the costly cgroup lookup.
|
|
//
|
|
|
|
PUL_CONFIG_GROUP_OBJECT pConfigGroup;
|
|
|
|
//
|
|
// Capture the log format/flags when the sendresponse happens. And
|
|
// discard the changes to it during the hit processing.
|
|
//
|
|
|
|
HTTP_LOGGING_TYPE Format;
|
|
|
|
ULONG Flags;
|
|
|
|
//
|
|
// Total length of the required fields in the final output buffer
|
|
// according to the Log Type & Syntax and included fields.
|
|
// It's in WideChars
|
|
//
|
|
|
|
ULONG Length;
|
|
|
|
ULONG Used;
|
|
|
|
//
|
|
// Individual log fields are captured in the following
|
|
// line. For NCSA and IIS formats two additional ushort
|
|
// fields keep private offsets that represents either
|
|
// the beginning of a certain field ( date for NCSA )
|
|
// or the used amount from the each fragment ( for IIS )
|
|
// Refer to UlpBuildCacheEntry for their usage.
|
|
//
|
|
|
|
USHORT UsedOffset1;
|
|
USHORT UsedOffset2;
|
|
|
|
//
|
|
// The actual log line for W3C & NCSA formats. IIS reformat and allocate
|
|
// a new buffer.
|
|
//
|
|
|
|
PCHAR Line;
|
|
CHAR Buffer[UL_LOG_LINE_BUFFER_SIZE];
|
|
|
|
} UL_LOG_DATA_BUFFER, *PUL_LOG_DATA_BUFFER;
|
|
|
|
|
|
#define NCSA_FIX_DATE_AND_TIME_FIELD_SIZE (29)
|
|
|
|
//
|
|
// IIS Log line is fragmented at the capture time the offsets
|
|
// are as follows and never get changed even if buffer get re
|
|
// allocated.
|
|
//
|
|
|
|
#define IIS_LOG_LINE_FIRST_FRAGMENT_OFFSET (0)
|
|
|
|
#define IIS_LOG_LINE_SECOND_FRAGMENT_OFFSET (512)
|
|
|
|
#define IIS_LOG_LINE_THIRD_FRAGMENT_OFFSET (1024)
|
|
|
|
|
|
//
|
|
// The HTTP Hit Logging functions which we expose in this module.
|
|
//
|
|
|
|
NTSTATUS
|
|
UlInitializeLogs(
|
|
VOID
|
|
);
|
|
|
|
VOID
|
|
UlTerminateLogs(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
UlSetUTF8Logging (
|
|
IN BOOLEAN UTF8Logging
|
|
);
|
|
|
|
NTSTATUS
|
|
UlCreateLog(
|
|
IN OUT PUL_CONFIG_GROUP_OBJECT pConfigGroup
|
|
);
|
|
|
|
VOID
|
|
UlRemoveLogFileEntry(
|
|
PUL_LOG_FILE_ENTRY pEntry
|
|
);
|
|
|
|
VOID
|
|
UlLogTimerHandler(
|
|
IN PUL_WORK_ITEM pWorkItem
|
|
);
|
|
|
|
VOID
|
|
UlLogTimerDpcRoutine(
|
|
PKDPC Dpc,
|
|
PVOID DeferredContext,
|
|
PVOID SystemArgument1,
|
|
PVOID SystemArgument2
|
|
);
|
|
|
|
VOID
|
|
UlBufferTimerHandler(
|
|
IN PUL_WORK_ITEM pWorkItem
|
|
);
|
|
|
|
VOID
|
|
UlBufferTimerDpcRoutine(
|
|
PKDPC Dpc,
|
|
PVOID DeferredContext,
|
|
PVOID SystemArgument1,
|
|
PVOID SystemArgument2
|
|
);
|
|
|
|
NTSTATUS
|
|
UlReConfigureLogEntry(
|
|
IN PUL_CONFIG_GROUP_OBJECT pConfigGroup,
|
|
IN PHTTP_CONFIG_GROUP_LOGGING pCfgOld,
|
|
IN PHTTP_CONFIG_GROUP_LOGGING pCfgNew
|
|
);
|
|
|
|
NTSTATUS
|
|
UlProbeLogData(
|
|
IN PHTTP_LOG_FIELDS_DATA pLogData
|
|
);
|
|
|
|
NTSTATUS
|
|
UlCaptureLogFieldsW3C(
|
|
IN PHTTP_LOG_FIELDS_DATA pLogData,
|
|
IN HTTP_VERSION Version,
|
|
OUT PUL_LOG_DATA_BUFFER pLogBuffer
|
|
);
|
|
|
|
NTSTATUS
|
|
UlCaptureLogFieldsNCSA(
|
|
IN PHTTP_LOG_FIELDS_DATA pLogData,
|
|
IN HTTP_VERSION Version,
|
|
OUT PUL_LOG_DATA_BUFFER pLogBuffer
|
|
);
|
|
|
|
NTSTATUS
|
|
UlCaptureLogFieldsIIS(
|
|
IN PHTTP_LOG_FIELDS_DATA pLogData,
|
|
IN HTTP_VERSION Version,
|
|
OUT PUL_LOG_DATA_BUFFER pLogBuffer
|
|
);
|
|
|
|
__inline
|
|
NTSTATUS
|
|
FASTCALL
|
|
UlCaptureLogFields(
|
|
IN PHTTP_LOG_FIELDS_DATA pLogData,
|
|
IN HTTP_VERSION Version,
|
|
OUT PUL_LOG_DATA_BUFFER pLogBuffer
|
|
)
|
|
{
|
|
switch( pLogBuffer->Format )
|
|
{
|
|
case HttpLoggingTypeW3C:
|
|
return UlCaptureLogFieldsW3C( pLogData, Version, pLogBuffer );
|
|
break;
|
|
|
|
case HttpLoggingTypeNCSA:
|
|
return UlCaptureLogFieldsNCSA( pLogData, Version, pLogBuffer );
|
|
break;
|
|
|
|
case HttpLoggingTypeIIS:
|
|
return UlCaptureLogFieldsIIS( pLogData, Version, pLogBuffer );
|
|
break;
|
|
|
|
default:
|
|
ASSERT(!"Unknown Log Format.\n");
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
}
|
|
|
|
NTSTATUS
|
|
UlAllocateLogDataBuffer(
|
|
OUT PUL_LOG_DATA_BUFFER pLogData,
|
|
IN PUL_INTERNAL_REQUEST pRequest,
|
|
IN PUL_CONFIG_GROUP_OBJECT pConfigGroup
|
|
);
|
|
|
|
VOID
|
|
UlDestroyLogDataBufferWorker(
|
|
IN PUL_WORK_ITEM pWorkItem
|
|
);
|
|
|
|
/***************************************************************************++
|
|
|
|
Routine Description:
|
|
|
|
Wrapper function to ensure we are not touching to paged-pool allocated
|
|
large log buffer on elevated IRQL. It's important that this function has
|
|
been written with the assumption of Request doesn't go away until we
|
|
properly execute the possible passive worker. This is indeed the case
|
|
because request(with the embedded logdata) has been refcounted up by the
|
|
logdata.
|
|
|
|
Arguments:
|
|
|
|
pLogData - The buffer to be destroyed
|
|
|
|
--***************************************************************************/
|
|
|
|
__inline
|
|
VOID
|
|
FASTCALL
|
|
UlDestroyLogDataBuffer(
|
|
IN PUL_LOG_DATA_BUFFER pLogData
|
|
)
|
|
{
|
|
//
|
|
// Sanity check
|
|
//
|
|
|
|
ASSERT(pLogData);
|
|
|
|
//
|
|
// If we are running on elevated IRQL and large log line allocated
|
|
// then queue a passive worker otherwise complete inline.
|
|
//
|
|
|
|
if (pLogData->Length > UL_LOG_LINE_BUFFER_SIZE)
|
|
{
|
|
UL_CALL_PASSIVE( &pLogData->WorkItem,
|
|
&UlDestroyLogDataBufferWorker );
|
|
}
|
|
else
|
|
{
|
|
UlDestroyLogDataBufferWorker( &pLogData->WorkItem );
|
|
}
|
|
|
|
}
|
|
|
|
NTSTATUS
|
|
UlLogHttpHit(
|
|
IN PUL_LOG_DATA_BUFFER pLogBuffer
|
|
);
|
|
|
|
NTSTATUS
|
|
UlLogHttpCacheHit(
|
|
IN PUL_FULL_TRACKER pTracker
|
|
);
|
|
|
|
NTSTATUS
|
|
UlCheckLogDirectory(
|
|
IN PUNICODE_STRING pDirName
|
|
);
|
|
|
|
|
|
#ifdef __cplusplus
|
|
}; // extern "C"
|
|
#endif
|
|
|
|
#endif // _ULLOG_H_
|