Add IIS logging

[Mrod1598]

Add access logging for IIS based off of the W3C format.

Example log

[Mrod1598]

      "userAgent": "Mozilla/5.0+(Windows+NT;+Windows+NT+10.0;+en-US)+WindowsPowerShell/5.1.17763.2268",

Is this information available somewhere in the logs for kokoro? It still seems to be failing and not showing whether or not any logs were detected at all.

[jefferbrecht]

Is this information available somewhere in the logs for kokoro? It still seems to be failing and not showing whether or not any logs were detected at all.

Sort of. main_log.txt at least shows the query it's using to detect logs:

2022/04/13 08:49:21 logName=~"projects/stackdriver-test-143416/logs/iis_access" AND resource.labels.instance_id="1562314732415439244" AND timestamp > "2022-04-13T07:49:21-07:00" AND httpRequest.serverIp=~"::1:80" AND httpRequest.remoteIp=~"::1" AND httpRequest.requestUrl=~"/forbidden\\?something=something" AND httpRequest.requestMethod=~"GET" AND httpRequest.userAgent=~"Mozilla\\/5\\.0\\+\\(Windows\\+NT;\\+Windows\\+NT\\+\\d+\\.\\d+;\\+en\\-US\\)\\+WindowsPowerShell\\/\\d+\\.\\d+\\.\\d+\\.\\d+"
2022/04/13 08:49:21 Query returned found=false, err=<nil>, attempt=1

build_and_test.txt also provides a link for Logs Explorer which you can use to check the actual ingested logs:

=== CONT  TestThirdPartyApps/windows-2019/iis
    third_party_apps_test.go:577: Instance Log: https://console.cloud.google.com/logs/viewer?resource=gce_instance%2Finstance_id%2F1562314732415439244&project=stackdriver-test-143416

I'm skeptical of all of the backslashes being double-escaped -- Cloud Logging queries accept regex strings as-is and let the underlying regex engine handle unescaping, so those queries are looking for literal backslashes which wasn't the intention. metadata.yaml looks fine to me.

I think it's this. The %q is inserting escape sequences where we don't want them. Can you try changing that to:

parts = append(parts, fmt.Sprintf(`%s=~"%s"`, field.Name, field.ValueRegex))

(this change might affect previously-passing tests so there's a chance we'll have to update non-IIS metadata.yaml too -- we'll see what happens with the next Kokoro run after that change)

[Mrod1598]

    third_party_apps_test.go:577: Instance Log: https://console.cloud.google.com/logs/viewer?resource=gce_instance%2Finstance_id%2F1562314732415439244&project=stackdriver-test-143416

I don't seem to access to that. Any chance we can get access?

[jefferbrecht]

I don't think we grant access to that project outside of Google.

An alternative would be to run the integration test manually on a GCP project that you do have access to. This describes how to run it (you'll have to pass your GCP project in PROJECT). Be aware that you'll also have to pass AGENT_PACKAGES_IN_GCS as described here or else it'll run against the last released Ops Agent without any changes from your branch.

(but if there are any logs you'd like me to fetch for you from a stackdriver-test-143416 test run I'd be happy to do that)

[jefferbrecht]

Looks great overall, glad the tests are passing now. Just a few minor threads still open. Mainly the Lua code needs to be updated to delete those three fields, the rest are nits.

[jefferbrecht]

LGTM modulo the last small change in the doc 👍