Decoding IIS Logs

Everyone (just about) knows that there is a table of status codes that HTTP/1.1 defines. However, IIS gives you two more status codes in the log files. The HTTP/1.1 status is stored in sc_status (and it is automagically decoded for you in Splunk 6). There is also an extended code called sc_substatus and a Win32 error code. How can you really decode these, especially since the sc_win32_status seems to have really large numbers?

Let’s start with the sc_status and sc_substatus codes. These are normally written together as a decimal number. So, for instance, 401.1 means an sc_status of 401 and an sc_substatus of 1. The sc_status codes follow a pattern: 1xx are informational, 2xx indicate success, 3xx indicate redirection, and higher ones are for errors. Here is the big table:

Status Code

Meaning

100

Continue

101

Switching Protocols

200

Client Request Succeeeded

201

Created

202

Accepted

203

Non-authoritative information

204

No content

205

Reset content

206

Partial content

301

Moved Permanently

302

Moved Temporarily

303

See Other

304

Not modified

305

Temporary redirect

400

Bad Request

401.1

Access Denied (Logon Failed)

401.2

Access Denied (Logon Failed due to server configuration)

401.3

Access Denied (Unauthorized due to ACL on resource)

401.4

Access Denied (Authorization failed by filter)

401.5

Access Denied (Authorization failed by ISAPI/CGI application)

401.7

Access Denied (By IIS6 URL authorization policy on web server)

403.1

Forbidden (Execute Access)

403.2

Forbidden (Read Access)

403.3

Forbidden (Write Access)

403.4

Forbidden (SSL Required)

403.5

Forbidden (128-bit SSL Required)

403.6

Forbidden (IP Address Rejected)

403.7

Forbidden (Client Certificate Required)

403.8

Forbidden (Site access denied)

403.9

Forbidden (Too many users)

403.10

Forbidden (Invalid configuration)

403.11

Forbidden (Password change)

403.12

Forbidden (Mapper Denied Access)

403.13

Forbidden (Client certificate revoked)

403.14

Forbidden (Directory listing denied)

403.15

Forbidden (Client Access Licenses exceeded)

403.16

Forbidden (Client certificate is untrusted)

403.17

Forbidden (Client certificate is expired)

403.18

Forbidden (Cannot execute URL in current application pool)

403.19

Forbidden (Cannot execute CGIs in current application pool)

403.20

Forbidden (Passport logon failed)

404.1

Not Found (Website not accessible on the requested port)

404.2

Not Found (Web service extension lockdown policy)

404.3

Not Found (MIME map policy)

404.4

Not Found (No Handler in IIS7)

404.5

Request Filtering (URL Sequence)

404.6

Request Filtering (Verb)

404.7

Request Filtering (File extension)

404.8

Request Filtering (Hidden namespace)

404.9

Request Filtering (Hidden File Attribute)

404.10

Request Filtering (Header is too long)

404.11

Request Filtering (URL double escaped)

404.12

Request Filtering (High-bit characters)

404.13

Request Filtering (Content length is too long)

404.14

Request Filtering (URL is too long)

404.15

Request Filtering (Query string is too long)

405

Method not allowed

406

Browser does not accept the media type

407

Proxy authentication required

412

Precondition failed

413

Request entity too large

414

Request-URI too long

415

Unsupported media type

416

Requested range not satisfiable

417

Execution failed

500.12

Web Server is restarting

500.13

Web server is too busy

500.15

You can’t have Global.asa

500.16

UNC authorization credentials are incorrect

500.18

URL authorization store cannot be opened

500.100

Internal ASP error

501

Header values specify a configuration that is not implemented

502.1

CGI application timeout

502.2

Error in CGI application

503

Service unavailable

504

Gateway timeout

505

HTTP version not supported

There are a lot of codes there. The majority of failures are in 401 (which deals with Authentication and Authorization) and 404 (which deals with server-side failures, as opposed to the content generators and filters). You can get really granular about why a particular request failed. This aids in debugging when things go wrong.

For the sc_win32_status, fortunately, there are only a few you need to know:

Win32 Code

Meaning

2148074252

The logon attempt failed

2148074254

No credentials are available in the security package

You will normally see sc_status=401 sc_win32_status=2148074254 on the first access during an integrated authentication to an IIS Web site. This will prompt the browser to pop up a window saying “Enter your credentials”. Once you submit those credentials, you will get another sc_status=401 but with sc_win32_status=2148074252 instead when those credentials cannot be verified. You can look up any other sc_win32_status codes at MSDN.

Which brings us to the question that caused me to write this blog post. Can I provide a report that shows the top failed logons into IIS with integrated authentication? Since the integrated authentication does something like this:

Client sends “GET /” command
Server returns sc_status=401 Authorization Required
Client sends “GET /” with Authorization head
Server returns sc_status=200 with the page details

One cannot just use sc_status=401 for failed logons. You have to use:

sourcetype=iis sc_status=401 sc_win32_status=2148074252

Style

two-column

No results

/en_us/blog/fragments/about-splunk

/en_us/blog/fragments/subscribe-footer