Wednesday, April 14, 2010

Sharepoint 2010 ULS Problems - Logs are Empty!

I've been noticing since my install that SharePoint 2010 seems to not be logging much. It was logging some, but most of the logs were very small. Contrast this with SharePoint 2007 where you could easily generated several hundred kilobytes of logging within a few minute span and you can tell something is wrong.

I tried a lot of things to get to the root of my problem. The question I was trying to answer was why sometimes I'd get logs, and other times not. And why were none of my Correlation IDs found? I tried a lot of different things, including:
  • Disabling the Windows Firewall
  • Stopping and restarting the Windows SharePoint Services Tracing V4 service.
  • Running commands from stsadm or Powershell to see if they could log.
While doing this, I started reading the log entries I was receiving and noticed something. Each of the entries listed the process that was adding the entry. I saw entries from the following processes:
  • STSADM.EXE
  • PowerShell.exe
  • wsstracing.exe
  • vssphost4.exe
  • psconfigui.exe
Surprisingly, I didn't see a single entry for w3wp.exe. I decided to check permissions for the LOGS folder. The user who runs my AppPool, sp_Farm looks like he has almost every permission there is, and should be able to do almost anything to the log files. It didn't make sense.

In frustration I put all my AppPool accounts in the Administrators group and rebooted the machine. Suddenly my logs are going wild.

I'm not entirely sure why my AppPool accounts couldn't write to the logs when they are already in WSS_ADMIN_WPG, but there is clearly some missing permission somewhere. I'll have to break out procmon when I have some free time to figure out what the permission was missing.

2 comments:

  1. I have scoured the internet for a solution to this problem and FINALLY found this article, thanks for posting.

    ReplyDelete
  2. he solution was, to add the account for application pools to the “Performance Log Users” group. So far the accounts where just a member of the “Performance Monitor Users”.

    ReplyDelete