Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Decoding IIS Logs
By
Splunk
Everyone (just about) knows that there is a table of status codes that HTTP/1.1 defines. However, IIS gives you two more status codes in the log files. The HTTP/1.1 status is stored in sc_status (and it is automagically decoded for you in Splunk 6). There is also an extended code called sc_substatus and a Win32 error code. How can you really decode these, especially since the sc_win32_status seems to have really large numbers?
Let’s start with the sc_status and sc_substatus codes. These are normally written together as a decimal number. So, for instance, 401.1 means an sc_status of 401 and an sc_substatus of 1. The sc_status codes follow a pattern: 1xx are informational, 2xx indicate success, 3xx indicate redirection, and higher ones are for errors. Here is the big table:
| Status Code | Meaning | |
|---|---|---|
| 100 | Continue | |
| 101 | Switching Protocols | |
| 200 | Client Request Succeeeded | |
| 201 | Created | |
| 202 | Accepted | |
| 203 | Non-authoritative information | |
| 204 | No content | |
| 205 | Reset content | |
| 206 | Partial content | |
| 301 | Moved Permanently | |
| 302 | Moved Temporarily | |
| 303 | See Other | |
| 304 | Not modified | |
| 305 | Temporary redirect | |
| 400 | Bad Request | |
| 401.1 | Access Denied (Logon Failed) | |
| 401.2 | Access Denied (Logon Failed due to server configuration) | |
| 401.3 | Access Denied (Unauthorized due to ACL on resource) | |
| 401.4 | Access Denied (Authorization failed by filter) | |
| 401.5 | Access Denied (Authorization failed by ISAPI/CGI application) | |
| 401.7 | Access Denied (By IIS6 URL authorization policy on web server) | |
| 403.1 | Forbidden (Execute Access) | |
| 403.2 | Forbidden (Read Access) | |
| 403.3 | Forbidden (Write Access) | |
| 403.4 | Forbidden (SSL Required) | |
| 403.5 | Forbidden (128-bit SSL Required) | |
| 403.6 | Forbidden (IP Address Rejected) | |
| 403.7 | Forbidden (Client Certificate Required) | |
| 403.8 | Forbidden (Site access denied) | |
| 403.9 | Forbidden (Too many users) | |
| 403.10 | Forbidden (Invalid configuration) | |
| 403.11 | Forbidden (Password change) | |
| 403.12 | Forbidden (Mapper Denied Access) | |
| 403.13 | Forbidden (Client certificate revoked) | |
| 403.14 | Forbidden (Directory listing denied) | |
| 403.15 | Forbidden (Client Access Licenses exceeded) | |
| 403.16 | Forbidden (Client certificate is untrusted) | |
| 403.17 | Forbidden (Client certificate is expired) | |
| 403.18 | Forbidden (Cannot execute URL in current application pool) | |
| 403.19 | Forbidden (Cannot execute CGIs in current application pool) | |
| 403.20 | Forbidden (Passport logon failed) | |
| 404.1 | Not Found (Website not accessible on the requested port) | |
| 404.2 | Not Found (Web service extension lockdown policy) | |
| 404.3 | Not Found (MIME map policy) | |
| 404.4 | Not Found (No Handler in IIS7) | |
| 404.5 | Request Filtering (URL Sequence) | |
| 404.6 | Request Filtering (Verb) | |
| 404.7 | Request Filtering (File extension) | |
| 404.8 | Request Filtering (Hidden namespace) | |
| 404.9 | Request Filtering (Hidden File Attribute) | |
| 404.10 | Request Filtering (Header is too long) | |
| 404.11 | Request Filtering (URL double escaped) | |
| 404.12 | Request Filtering (High-bit characters) | |
| 404.13 | Request Filtering (Content length is too long) | |
| 404.14 | Request Filtering (URL is too long) | |
| 404.15 | Request Filtering (Query string is too long) | |
| 405 | Method not allowed | |
| 406 | Browser does not accept the media type | |
| 407 | Proxy authentication required | |
| 412 | Precondition failed | |
| 413 | Request entity too large | |
| 414 | Request-URI too long | |
| 415 | Unsupported media type | |
| 416 | Requested range not satisfiable | |
| 417 | Execution failed | |
| 500.12 | Web Server is restarting | |
| 500.13 | Web server is too busy | |
| 500.15 | You can’t have Global.asa | |
| 500.16 | UNC authorization credentials are incorrect | |
| 500.18 | URL authorization store cannot be opened | |
| 500.100 | Internal ASP error | |
| 501 | Header values specify a configuration that is not implemented | |
| 502.1 | CGI application timeout | |
| 502.2 | Error in CGI application | |
| 503 | Service unavailable | |
| 504 | Gateway timeout | |
| 505 | HTTP version not supported |
There are a lot of codes there. The majority of failures are in 401 (which deals with Authentication and Authorization) and 404 (which deals with server-side failures, as opposed to the content generators and filters). You can get really granular about why a particular request failed. This aids in debugging when things go wrong.
For the sc_win32_status, fortunately, there are only a few you need to know:
| Win32 Code | Meaning |
|---|---|
| 2148074252 | The logon attempt failed |
| 2148074254 | No credentials are available in the security package |
You will normally see sc_status=401 sc_win32_status=2148074254 on the first access during an integrated authentication to an IIS Web site. This will prompt the browser to pop up a window saying “Enter your credentials”. Once you submit those credentials, you will get another sc_status=401 but with sc_win32_status=2148074252 instead when those credentials cannot be verified. You can look up any other sc_win32_status codes at MSDN.
Which brings us to the question that caused me to write this blog post. Can I provide a report that shows the top failed logons into IIS with integrated authentication? Since the integrated authentication does something like this:
- Client sends “GET /” command
- Server returns sc_status=401 Authorization Required
- Client sends “GET /” with Authorization head
- Server returns sc_status=200 with the page details
One cannot just use sc_status=401 for failed logons. You have to use:
sourcetype=iis sc_status=401 sc_win32_status=2148074252
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
