IIS 408 Logging

iis

We have some web systems that in the past have experienced HTTP 408 response codes when making a request. They can happen at any time, there doesn't seem to be any pattern to them.

The problem we have is that the client request goes through a TMG gateway, and IIS never logs the 408. The last request I see is a 200, and subsequently a client received a 408.

Do 408's make it to IIS logs, or are 408's higher up in the stack meaning the request never makes it to IIS?

Best Answer

All http responses are at the same level. They are all at the application level since http is an application level protocol.

Most likely it's TMG returning the 408 and the request is not getting to IIS. Look in the TMG logs, you should see them. IIS logs everything so if you don't see it in the IIS logs then the requests are either not making it there or you're looking in the wrong place for the log data.

Related Solutions

Iis – Recommended LogParser queries for IIS monitoring

A good indicator for hacking activies or other attacks is the number of errors per hour. The following script returns the dates and hours that had more than 25 error codes returned. Adjust the value depending on the amount of traffic on the site (and the quality of your web application ;-) ).

SELECT date as Date, QUANTIZE(time, 3600) AS Hour, 
       sc-status as Status, count(*) AS ErrorCount
FROM   {filename} 
WHERE  sc-status >= 400 
GROUP BY date, hour, sc-status 
HAVING ErrorCount > 25
ORDER BY ErrorCount DESC

The result could something like this:

Date       Hour     Status ErrorCount
---------- -------- ------ ------
2009-07-24 18:00:00 404    187
2009-07-17 13:00:00 500    99
2009-07-21 21:00:00 404    80
2009-07-03 04:00:00 404    45
...

The next query detects an unusually high number of hits on a single URL from one IP address. In this example I chose 500, but you may have to change the query for edge cases (excluding the IP address of Google London for example ;-) .)

SELECT DISTINCT date AS Date, cs-uri-stem AS URL,
      c-ip AS IPAddress, Count(*) AS Hits
FROM  {filename}
GROUP BY date, c-ip, cs-uri-stem
HAVING Hits > 500
ORDER BY Hits Desc

Date       URL                                 IPAddress       Hits
---------- ----------------------------------- --------------- ----
2009-07-24 /Login.aspx                         111.222.111.222 1889
2009-07-12 /AccountUpdate.aspx                 11.22.33.44     973
2009-07-19 /Login.aspx                         123.231.132.123 821
2009-07-21 /Admin.aspx                         44.55.66.77     571
...

SSL Negotiation Logging – How to Log SSL Negotiation in IIS

SSL negotiation happens before any HTTP headers are processed so you won't see this in the IIS logs. Have you looked through your event logs to see if there is anything there?

EDIT:
You can also have a go with SSL Diagnostics from Microsoft, specifically SSLMon. Looks like it might have something that will be of benefit to you, although I admittedly have not played with it yet.

Best Answer

Related Solutions

Iis – Recommended LogParser queries for IIS monitoring

SSL Negotiation Logging – How to Log SSL Negotiation in IIS

Related Topic