Everyone (just about) knows that there is a table of status codes that HTTP/1.1 defines. However, IIS gives you two more status codes in the log files. The HTTP/1.1 status is stored in sc_status (and it is automagically decoded for you in Splunk 6). There is also an extended code called sc_substatus and a Win32 error code. How can you really decode these, especially since the sc_win32_status seems to have really large numbers?
Let’s start with the sc_status and sc_substatus codes. These are normally written together as a decimal number, so 401.1 means an sc_status of 401 and an sc_substatus of 1. The sc_status codes follow a pattern: 1xx are informational, 2xx indicate success, 3xx indicate redirection, and 4xx and 5xx indicate errors. Here is the big table:
Status Code | Meaning
---|---
100 | Continue
101 | Switching Protocols
200 | Client Request Succeeded
201 | Created
202 | Accepted
203 | Non-authoritative information
204 | No content
205 | Reset content
206 | Partial content
301 | Moved Permanently
302 | Moved Temporarily
303 | See Other
304 | Not modified
305 | Temporary redirect
400 | Bad Request
401.1 | Access Denied (Logon Failed)
401.2 | Access Denied (Logon Failed due to server configuration)
401.3 | Access Denied (Unauthorized due to ACL on resource)
401.4 | Access Denied (Authorization failed by filter)
401.5 | Access Denied (Authorization failed by ISAPI/CGI application)
401.7 | Access Denied (By IIS6 URL authorization policy on web server)
403.1 | Forbidden (Execute Access)
403.2 | Forbidden (Read Access)
403.3 | Forbidden (Write Access)
403.4 | Forbidden (SSL Required)
403.5 | Forbidden (128-bit SSL Required)
403.6 | Forbidden (IP Address Rejected)
403.7 | Forbidden (Client Certificate Required)
403.8 | Forbidden (Site access denied)
403.9 | Forbidden (Too many users)
403.10 | Forbidden (Invalid configuration)
403.11 | Forbidden (Password change)
403.12 | Forbidden (Mapper Denied Access)
403.13 | Forbidden (Client certificate revoked)
403.14 | Forbidden (Directory listing denied)
403.15 | Forbidden (Client Access Licenses exceeded)
403.16 | Forbidden (Client certificate is untrusted)
403.17 | Forbidden (Client certificate is expired)
403.18 | Forbidden (Cannot execute URL in current application pool)
403.19 | Forbidden (Cannot execute CGIs in current application pool)
403.20 | Forbidden (Passport logon failed)
404.1 | Not Found (Website not accessible on the requested port)
404.2 | Not Found (Web service extension lockdown policy)
404.3 | Not Found (MIME map policy)
404.4 | Not Found (No Handler in IIS7)
404.5 | Request Filtering (URL Sequence)
404.6 | Request Filtering (Verb)
404.7 | Request Filtering (File extension)
404.8 | Request Filtering (Hidden namespace)
404.9 | Request Filtering (Hidden File Attribute)
404.10 | Request Filtering (Header is too long)
404.11 | Request Filtering (URL double escaped)
404.12 | Request Filtering (High-bit characters)
404.13 | Request Filtering (Content length is too long)
404.14 | Request Filtering (URL is too long)
404.15 | Request Filtering (Query string is too long)
405 | Method not allowed
406 | Browser does not accept the media type
407 | Proxy authentication required
412 | Precondition failed
413 | Request entity too large
414 | Request-URI too long
415 | Unsupported media type
416 | Requested range not satisfiable
417 | Execution failed
500.12 | Web Server is restarting
500.13 | Web server is too busy
500.15 | You can’t have Global.asa
500.16 | UNC authorization credentials are incorrect
500.18 | URL authorization store cannot be opened
500.100 | Internal ASP error
501 | Header values specify a configuration that is not implemented
502.1 | CGI application timeout
502.2 | Error in CGI application
503 | Service unavailable
504 | Gateway timeout
505 | HTTP version not supported
There are a lot of codes there. The majority of the failure codes are in 401 (which deals with authentication and authorization) and 404 (which deals with server-side failures, as opposed to the content generators and filters). The substatus lets you get really granular about why a particular request failed, which aids in debugging when things go wrong.
For the sc_win32_status, fortunately, there are only a few you need to know:
Win32 Code | Meaning
---|---
2148074252 | The logon attempt failed
2148074254 | No credentials are available in the security package
You will normally see sc_status=401 sc_win32_status=2148074254 on the first access during integrated authentication to an IIS web site. This is the challenge that prompts the browser to pop up a window saying “Enter your credentials”. Once you submit those credentials, you will get another sc_status=401, but with sc_win32_status=2148074252 instead, when those credentials cannot be verified. You can look up any other sc_win32_status codes at MSDN.
Which brings us to the question that caused me to write this blog post. Can I provide a report that shows the top failed logons into IIS with integrated authentication? Since the integrated authentication does something like this:
One cannot just use sc_status=401 for failed logons. You have to use:
sourcetype=iis sc_status=401 sc_win32_status=2148074252
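The two-step exchange above and the failed-logon search, as an added example (not code from the original post). The large sc_win32_status numbers are Win32 HRESULT values written as unsigned 32-bit decimals, so 2148074252 is 0x8009030C and 2148074254 is 0x8009030E; the symbolic names in the code are assumed from winerror.h, the log lines are constructed, and the raw W3C field names are hyphenated (sc-status) where Splunk shows underscores (sc_status).

```python
# Added example: decode IIS sc-win32-status values and count real failed
# integrated-auth logons, skipping the 401 challenge that starts every exchange.
from collections import Counter

# Values from the post; symbolic names assumed from winerror.h (SSPI HRESULTs).
LOGON_FAILED = 2148074252      # 0x8009030C
NO_CREDENTIALS = 2148074254    # 0x8009030E
WIN32_NAMES = {
    LOGON_FAILED: "SEC_E_LOGON_DENIED (the logon attempt failed)",
    NO_CREDENTIALS: "SEC_E_NO_CREDENTIALS (no credentials in the security package)",
}

def decode_win32_status(value):
    """IIS logs the HRESULT as an unsigned 32-bit decimal; show it as hex too."""
    code = int(value)
    return "0x%08X %s" % (code, WIN32_NAMES.get(code, "unknown; look up on MSDN"))

def parse_w3c(lines):
    """Yield one dict per request from a W3C extended log, using its #Fields: line."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def failed_logons(lines):
    """Count 401 + LOGON_FAILED per (client IP, user). The 401 + NO_CREDENTIALS
    challenge that precedes every integrated-auth logon is not a failure."""
    counts = Counter()
    for row in parse_w3c(lines):
        if row["sc-status"] == "401" and int(row["sc-win32-status"]) == LOGON_FAILED:
            counts[(row["c-ip"], row["cs-username"])] += 1
    return counts

# Constructed sample log: challenge (401.2), two bad passwords (401.1), then success.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2014-01-07 10:00:01 10.0.0.5 - GET /app/ 401 2 2148074254
2014-01-07 10:00:02 10.0.0.5 CORP\\alice GET /app/ 401 1 2148074252
2014-01-07 10:00:03 10.0.0.5 CORP\\alice GET /app/ 401 1 2148074252
2014-01-07 10:00:05 10.0.0.5 CORP\\alice GET /app/ 200 0 0
2014-01-07 10:00:09 10.0.0.9 - GET /app/ 401 2 2148074254
2014-01-07 10:00:10 10.0.0.9 CORP\\bob GET /app/ 401 1 2148074252
""".splitlines()

if __name__ == "__main__":
    for (ip, user), n in failed_logons(SAMPLE_LOG).most_common():
        print(ip, user, n)
    print(decode_win32_status(LOGON_FAILED))
```

The same filter is what the Splunk search expresses: a plain sc_status=401 count would report five failures for this log, while the report of real failed logons is three.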