Decoding IIS Logs

Everyone (just about) knows that there is a table of status codes that HTTP/1.1 defines. However, IIS writes two more status fields into its log files. The HTTP/1.1 status is stored in sc_status (and it is automagically decoded for you in Splunk 6). There is also an extended code called sc_substatus, and a Win32 error code called sc_win32_status. How can you really decode these, especially since sc_win32_status seems to have really large numbers?

Let’s start with the sc_status and sc_substatus codes. In the documentation (and in the table below) these are written together with a dot, so 401.1 means an sc_status of 401 and an sc_substatus of 1; in the log file itself they are two separate fields. The sc_status codes follow the usual HTTP pattern: 1xx are informational, 2xx indicate success, 3xx indicate redirection, 4xx are client errors and 5xx are server errors. Here is the big table:

Status Code   Meaning
100 Continue
101 Switching Protocols
200 Client Request Succeeded
201 Created
202 Accepted
203 Non-authoritative information
204 No content
205 Reset content
206 Partial content
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not modified
307 Temporary redirect
400 Bad Request
401.1 Access Denied (Logon Failed)
401.2 Access Denied (Logon Failed due to server configuration)
401.3 Access Denied (Unauthorized due to ACL on resource)
401.4 Access Denied (Authorization failed by filter)
401.5 Access Denied (Authorization failed by ISAPI/CGI application)
401.7 Access Denied (By IIS6 URL authorization policy on web server)
403.1 Forbidden (Execute Access)
403.2 Forbidden (Read Access)
403.3 Forbidden (Write Access)
403.4 Forbidden (SSL Required)
403.5 Forbidden (128-bit SSL Required)
403.6 Forbidden (IP Address Rejected)
403.7 Forbidden (Client Certificate Required)
403.8 Forbidden (Site access denied)
403.9 Forbidden (Too many users)
403.10 Forbidden (Invalid configuration)
403.11 Forbidden (Password change)
403.12 Forbidden (Mapper Denied Access)
403.13 Forbidden (Client certificate revoked)
403.14 Forbidden (Directory listing denied)
403.15 Forbidden (Client Access Licenses exceeded)
403.16 Forbidden (Client certificate is untrusted)
403.17 Forbidden (Client certificate is expired)
403.18 Forbidden (Cannot execute URL in current application pool)
403.19 Forbidden (Cannot execute CGIs in current application pool)
403.20 Forbidden (Passport logon failed)
404.1 Not Found (Website not accessible on the requested port)
404.2 Not Found (Web service extension lockdown policy)
404.3 Not Found (MIME map policy)
404.4 Not Found (No Handler in IIS7)
404.5 Request Filtering (URL Sequence)
404.6 Request Filtering (Verb)
404.7 Request Filtering (File extension)
404.8 Request Filtering (Hidden namespace)
404.9 Request Filtering (Hidden File Attribute)
404.10 Request Filtering (Header is too long)
404.11 Request Filtering (URL double escaped)
404.12 Request Filtering (High-bit characters)
404.13 Request Filtering (Content length is too long)
404.14 Request Filtering (URL is too long)
404.15 Request Filtering (Query string is too long)
405 Method not allowed
406 Browser does not accept the media type
407 Proxy authentication required
412 Precondition failed
413 Request entity too large
414 Request-URI too long
415 Unsupported media type
416 Requested range not satisfiable
417 Expectation failed
500.12 Web Server is restarting
500.13 Web server is too busy
500.15 You can’t have Global.asa
500.16 UNC authorization credentials are incorrect
500.18 URL authorization store cannot be opened
500.100 Internal ASP error
501 Header values specify a configuration that is not implemented
502.1 CGI application timeout
502.2 Error in CGI application
503 Service unavailable
504 Gateway timeout
505 HTTP version not supported

There are a lot of codes there. Most of the failures you will care about are in 401 (authentication and authorization), 403 and 404 (access denied and Request Filtering rejections, which is where a blocked probe for a hidden file or a double-escaped URL shows up) and 500 (failures in the web server itself, as opposed to the 502 errors that come from CGI content generators and filters). The substatus lets you get really granular about why a particular request failed, which aids in debugging when things go wrong.

For the sc_win32_status, fortunately, there are only a few you need to know. The really large numbers are 32-bit Windows HRESULT values written out as unsigned decimals, so convert them to hex before looking them up (2148074252 is 0x8009030C):

Win32 Code (decimal)  Hex         Meaning
2148074252            0x8009030C  The logon attempt failed (SEC_E_LOGON_DENIED)
2148074254            0x8009030E  No credentials are available in the security package (SEC_E_NO_CREDENTIALS)

You will normally see sc_status=401 sc_win32_status=2148074254 on the first access during integrated authentication to an IIS web site: the anonymous request is refused and the server advertises Negotiate/NTLM. The browser then authenticates, silently with the logged-on user’s credentials where it can, otherwise by popping up a window saying “Enter your credentials”. If those credentials cannot be verified, you get another sc_status=401, this time with sc_win32_status=2148074252. You can look up any other sc_win32_status codes at MSDN (convert the decimal to hex first).

Which brings us to the question that caused me to write this blog post. Can I provide a report that shows the top failed logons into IIS with integrated authentication? Since the integrated authentication does something like this:

  1. Client sends “GET /”
  2. Server returns sc_status=401 with a WWW-Authenticate header (logged with sc_win32_status=2148074254)
  3. Client resends “GET /” with an Authorization header (NTLM adds one more 401/Authorization round trip for the challenge)
  4. Server returns sc_status=200 with the page details

One cannot just use sc_status=401 for failed logons. You have to use:

sourcetype=iis sc_status=401 sc_win32_status=2148074252
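To show the same decoding and the same failed-logon report outside Splunk, here is an added example (not code from the original post) that parses a W3C-format IIS log, decodes sc-status.sc-substatus and sc-win32-status using the tables above, and counts 401 responses whose Win32 status is SEC_E_LOGON_DENIED. The log lines are constructed, not captured from a real server, and the substatus table is only a subset of the one above. Failed attempts are keyed by client IP as well as cs-username because cs-username is often “-” when the logon never completed.

```python
"""Decode IIS W3C log entries and report top failed integrated-auth logons.

Added example, not from the original post. SAMPLE_LOG is constructed; the
decode tables are a subset of the post's table plus the two Win32 codes.
"""
from collections import Counter

# sc-status.sc-substatus pairs (subset of the post's table).
SUBSTATUS = {
    (200, 0): "Client Request Succeeded",
    (401, 1): "Access Denied (Logon Failed)",
    (401, 2): "Access Denied (Logon Failed due to server configuration)",
    (403, 14): "Forbidden (Directory listing denied)",
    (404, 8): "Request Filtering (Hidden namespace)",
    (404, 11): "Request Filtering (URL double escaped)",
}

# sc-win32-status is a 32-bit HRESULT written as an unsigned decimal, which
# is why the logged numbers look so large.
SEC_E_LOGON_DENIED = 0x8009030C    # logged as 2148074252
SEC_E_NO_CREDENTIALS = 0x8009030E  # logged as 2148074254
WIN32 = {
    SEC_E_LOGON_DENIED: "The logon attempt failed (SEC_E_LOGON_DENIED)",
    SEC_E_NO_CREDENTIALS: "No credentials are available in the security package (SEC_E_NO_CREDENTIALS)",
}

# Constructed W3C extended log. Values never contain spaces: IIS writes "+"
# for spaces (see the User-Agent) and "-" for an empty field.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2014-03-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-01 08:00:01 10.0.0.5 GET / - 80 - 10.0.0.20 Mozilla/5.0+(Windows+NT+6.1) 401 2 2148074254 3
2014-03-01 08:00:01 10.0.0.5 GET / - 80 CORP\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2014-03-01 08:00:05 10.0.0.5 GET / - 80 - 10.0.0.30 Mozilla/5.0+(Windows+NT+6.1) 401 2 2148074254 2
2014-03-01 08:00:05 10.0.0.5 GET / - 80 - 10.0.0.30 Mozilla/5.0+(Windows+NT+6.1) 401 1 2148074252 4
2014-03-01 08:00:09 10.0.0.5 GET / - 80 - 10.0.0.30 Mozilla/5.0+(Windows+NT+6.1) 401 1 2148074252 4
2014-03-01 08:00:12 10.0.0.5 GET / - 80 - 10.0.0.30 Mozilla/5.0+(Windows+NT+6.1) 401 1 2148074252 3
2014-03-01 08:01:00 10.0.0.5 GET /secret/ - 80 - 10.0.0.40 Mozilla/5.0+(Windows+NT+6.1) 401 1 2148074252 5
2014-03-01 08:01:30 10.0.0.5 GET /uploads/ - 80 CORP\bob 10.0.0.40 Mozilla/5.0+(Windows+NT+6.1) 403 14 0 1
2014-03-01 08:02:00 10.0.0.5 GET /web.config - 80 - 10.0.0.50 curl/7.35.0 404 8 0 1
"""


def parse_iis_log(text):
    """Yield one dict per entry, keyed by the column names in #Fields.

    IIS emits a fresh #Fields directive whenever the logged columns change,
    so the header is tracked as state instead of being hard-coded."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def hresult_hex(win32_status):
    """Render the unsigned decimal sc-win32-status the way MSDN lists it."""
    return "0x%08X" % int(win32_status)


def decode(entry):
    """Attach human-readable meanings to one parsed entry."""
    status, sub = int(entry["sc-status"]), int(entry["sc-substatus"])
    win32 = int(entry["sc-win32-status"])
    if win32 == 0:
        win32_meaning = "no Win32 error"
    else:
        win32_meaning = WIN32.get(win32, "unknown: look up %s on MSDN" % hresult_hex(win32))
    return {
        "code": "%d.%d" % (status, sub),
        "meaning": SUBSTATUS.get((status, sub), "HTTP %d (substatus %d not in table)" % (status, sub)),
        "win32_hex": hresult_hex(win32),
        "win32_meaning": win32_meaning,
    }


def status_breakdown(entries):
    """Count entries by status.substatus; the overview to look at first."""
    return Counter(decode(e)["code"] for e in entries)


def failed_logons(entries):
    """Top failed integrated-auth logons, most frequent first.

    Only a 401 whose sc-win32-status is SEC_E_LOGON_DENIED counts: the 401
    with SEC_E_NO_CREDENTIALS is the normal first leg of the handshake."""
    hits = Counter()
    for e in entries:
        if int(e["sc-status"]) == 401 and int(e["sc-win32-status"]) == SEC_E_LOGON_DENIED:
            hits[(e["c-ip"], e["cs-username"])] += 1
    return hits.most_common()


if __name__ == "__main__":
    entries = list(parse_iis_log(SAMPLE_LOG))
    for e in entries:
        d = decode(e)
        print(e["time"], e["c-ip"], d["code"], d["meaning"], "|", d["win32_hex"], d["win32_meaning"])
    print("status breakdown:", dict(status_breakdown(entries)))
    print("top failed logons:", failed_logons(entries))
```

On the sample, the two 401.2 entries with 0x8009030E are the normal first leg of the handshake and are not counted, while the four 401.1 entries with 0x8009030C are, so 10.0.0.30 tops the report with three failed attempts. The Splunk equivalent of failed_logons is the search above followed by `| stats count by c_ip, cs_username | sort - count` (Splunk renders the hyphenated IIS field names with underscores).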