.NET Health MonitoringJonathan Franco

ITD

Application Services

What is .NET?

ASP.NET is a web application framework developed by Microsoft to allow programmers to build dynamic web sites, web application and web services.

It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft’s Active Server Pages (ASP) technology.

ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language.

What is .NET Health Monitoring?

The ASP.NET Health Monitoring system is designed to monitor the health of a running ASP.NET application in a production environment.

The Health Monitoring system works by recording event information to a specified log source.

Log Sources• Email• Event Log• SQL• WMI• Trace

System.Web.Management.

WebBaseEvent“All Events”

WebApplicationLifetimeEvent

“Application Lifetime Events”

WebRequestErrorEvent“Request Processing Errors”

WebErrorEvent“Infrastructure Errors”

WebRequestEvent“Request Processing Events”

WebHeartbeatEvent“Heartbeats”

WebBaseErrorEvent“All Errors”

WebAuditEvent“All Audits”

WebFailureAuditEvent“Failure Audits”

WebViewStateFailureAuditEvent

WebAutheticationFailureAuditEvent

WebSuccessAuditEvent“Success Audits”

WebAuthenticationSuccessAuditEvent

RequestTransactionAbort = 2002RequestTransactionComplete = 2003

DiskOutputCacheInformation = 5003DiskOutputCacheQuotaExceedeed = 5001RuntimeErrorPostTooLarge = 3004RuntimeErrorRequestAbort = 3001RuntimeErrorUnhandledException = 3005RuntimeErrorValidationFailure = 3003RuntimeErrorViewStateFailure = 3002

WebErrorCompilationError = 3007WebErrorConfigurationError = 3008WebErrorObjectFormatterDeserializationError = 3011WebErrorOtherError = 3009WebErrorParserError = 3006WebErrorPropertyDeserializationError =3010

AuditFileAuthorizationSuccess = 4004AuditUrlAuthorizationSuccess = 4003

AuditFormsAuthenticationSuccess = 4001AuditMembershipAuthenticationSuccess = 4002

ApplicationCompilationEnd = 1004ApplicationCompilationStart = 1003ApplicationShutdown = 1002ApplicationStart = 1001

AuditFileAuthorizationFailure = 4008AuditUnhandledAccessException = 4011AuditUnhandledSecurityException = 4010AuditUrlAuthorizationFailure = 4007

AuditFormsAuthenicationFailure = 4005AuditMembershipAuthenicationFailure = 4006

AuditInvalidViewStateFailure = 4009

Event Class Hierarchy

WebHeartbeatEvent = 1005

Event Occurrence The chart below shows Event occurrences for an

outside facing server.

Sample Application

Error Handling When an error occurs for the web application the

error page should not give away any details. An error handler redirects to this error page.

Improper Error Handling Lack of error handling can lead to an attacker

gaining additional information about the web server or application.

There are ways to force the web application to reveal information without proper error handling.

Best Practices Error Page

• Add an error page to avoid giving information away to attackers.

Publish web sites to server• Don’t copy code to the servers. Copying code to the

servers will cause a fair amount of Health Monitoring Events to occur and is insecure.

Don’t debug on the server• Debugging on the server will cause various Health

Monitoring Events. Generating the wrong kinds of events can cause your IP to be blocked if done on the server.

Email Layout

Provider that sent the Event.

Application Name, Event Code and Event Detail Code for the Event.

Stack trace for the Event.

Email Layout

Event Message, time and ID. Event ID can be traced back to the Event Log if additional information is desired.

IP Address, regardless of proxy, that caused the Event.

Custom Configuration

Developer Override for Email• Subject Prefix• Email List• Header and Footer for Body• Reply To• AppendEmail

Sample Subject line• HM [servername] Event Code: 3003 Event Message: A validation

error has occurred. Event type: WebRequestErrorEvent

Settings

Buffer modes configured whether events are buffered or not.

Providers lists the providers that are configured along with information of where to send the event.

Profiles state any limits on sending the events. Rules link the Event Mapping to the Provider. Event Mappings tell what events to report.

Migration/Deployment Notes Review settings of any existing web applications

that use Health Monitoring. Make sure there are no conflicts.

Deploy during working hours where everyone is available.

Periodically check occurrence of events and determine which providers should report these events.

Non-ITD Provider Use

The Health Monitoring assemblies can be configured/used on your server.

Develop Provider• Develop HTTP Handler to get the Request information.• Sum up the compilation Events when web sites are

Published.• Obfuscate the offending content from a Validation Error,

shown in the Custom Event Details section.

Future Enhancements

Heartbeat, make a web service to receive heartbeats from various applications and only send an email if there is trouble.

Detect and report HTTP POST with SQL Injection. Send an email for multiple start and stops of an

application based on a configured threshold.

Any Questions/Comments?