IIS 7 and Above
Negative values in sc-bytes?
Last post Mar 07, 2012 04:32 AM by qbernard
Mar 02, 2012 12:17 AM|studlyed1|LINK
Hey everyone, I've had my advanced logging going for a while and I've just recently noticed that I have some really weird log entries, the sc-bytes field is -2147024894, has anybody ever seen this? And does anybody have any idea as to why? I've also noticed
that it only appears on 404 error's...
Mar 02, 2012 12:53 AM|qbernard|LINK
Should not be sc-bytes, but instead sc-win32-status ?
and it is normal for 404.x status code.
Mar 02, 2012 03:26 PM|studlyed1|LINK
No, it's in the sc-bytes field.
#Fields: date time cs-uri-stem cs-uri-query s-contentpath sc-status s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes X-Forwarded-For W3WP-PrivateBytes cs-username cs(User-Agent) TimeTakenMS sc-substatus s-sitename s-ip RequestsPerSecond s-proxy
cs-version c-protocol cs-method cs(Host) CPU-Utilization cs(Cookie) c-ip
2012-02-13 21:15:54.312 /fifiles/static/images/slider/destination retirement.jpg - \"c:\\inetpub\\wwwroot\\fifiles\\static\\images\\slider\\destination retirement.jpg\" 404 \"hag-macu-web6\" \"http://www.domain.com/\"
-2147024894 4198 556 \"188.8.131.52\" - - \"mozilla/5.0 (compatible; msie 9.0; windows nt 6.1; wow64; trident/5.0)\" 0 0 \"default web site\" 10.100.8.21 80 - - \"http/1.1\" \"http\" get \"www.domain.com\"
- \"bigipservercustomer_macu_2_http=352871434.20480.0000; ts4b98d3=e0f5060e9486566559ed62335b6db944db2232b6c44bae394f397da2; asp.net_sessionid=h5pfr0rry3a0yqwfhnl241pi\" 10.100.8.18
I've bolded the parts that are busted in this log entry, the URI has spaces and is not quoted, and the sc-bytes is -2147024894. Weird right?
Mar 04, 2012 09:46 AM|qbernard|LINK
Errr let's split it one by one:
cs-uri-stem /fifiles/static/images/slider/destination retirement.jpg
s-contentpath \"c:\\inetpub\\wwwroot\\fifiles\\static\\images\\slider\\destination retirement.jpg\"
It is sc-win32-status :) correct ?
Mar 05, 2012 09:14 PM|studlyed1|LINK
woowwww. I really botched that one. I even looked at it a few times to make sure. Sometimes it just takes a second pair of eyes. Thanks. Do you have any ideas as to the missing quotes on the cs-uri-stem?
Mar 06, 2012 03:06 AM|qbernard|LINK
@@ it happened to me many times as well.
Where you are too 'in' into something, probably the fact is you are no way near to finding the answer.
Anyway, cs-uri-stem - no quotes? mm... I just noticed the same, I won't say it is missing, maybe it was design that way as " can be a valid URI ?
Mar 06, 2012 04:21 PM|studlyed1|LINK
I also noticed it on cs-uri-query does the same thing. Sad. Do you know if advanced logger is a .net plugin? or a native c++ module?
Mar 06, 2012 04:38 PM|studlyed1|LINK
Better yet, where do you file a bug for this? According to their readme file it specifically states, and I quote:
This is from:
Mar 06, 2012 11:17 PM|qbernard|LINK
Native module - %ProgramFiles%\IIS\Advanced Logging\AdvancedLoggingModule.dll
Mar 06, 2012 11:30 PM|studlyed1|LINK
Well, bummer. I'll just have to leave my hacky code in my log parser until it gets fixed (hopefully) by the people that originally wrote it.
Mar 07, 2012 04:32 AM|qbernard|LINK