IIS 7 and Above
Negative values in sc-bytes?
Last post Dec 09, 2016 05:33 PM by mahamr
Mar 01, 2012 08:17 PM|studlyed1
Hey everyone, I've had my advanced logging going for a while and I've just recently noticed that I have some really weird log entries: the sc-bytes field is -2147024894. Has anybody ever seen this? And does anybody have any idea as to why? I've also noticed that it only appears on 404 errors...
Mar 01, 2012 08:53 PM|qbernard
Should not be sc-bytes, but instead sc-win32-status?
And it is normal for 404.x status codes.
Mar 02, 2012 11:26 AM|studlyed1
No, it's in the sc-bytes field.
#Fields: date time cs-uri-stem cs-uri-query s-contentpath sc-status s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes X-Forwarded-For W3WP-PrivateBytes cs-username cs(User-Agent) TimeTakenMS sc-substatus s-sitename s-ip RequestsPerSecond s-proxy cs-version c-protocol cs-method cs(Host) CPU-Utilization cs(Cookie) c-ip
2012-02-13 21:15:54.312 /fifiles/static/images/slider/destination retirement.jpg - "c:\inetpub\wwwroot\fifiles\static\images\slider\destination retirement.jpg" 404 "hag-macu-web6" "http://www.domain.com/" -2147024894 4198 556 "126.96.36.199" - - "mozilla/5.0 (compatible; msie 9.0; windows nt 6.1; wow64; trident/5.0)" 0 0 "default web site" 10.100.8.21 80 - - "http/1.1" "http" get "www.domain.com" - "bigipservercustomer_macu_2_http=352871434.20480.0000; ts4b98d3=e0f5060e9486566559ed62335b6db944db2232b6c44bae394f397da2; asp.net_sessionid=h5pfr0rry3a0yqwfhnl241pi" 10.100.8.18
I've bolded the parts that are busted in this log entry: the URI has spaces and is not quoted, and the sc-bytes is -2147024894. Weird, right?
Mar 04, 2012 05:46 AM|qbernard
Errr, let's split it one by one:
cs-uri-stem /fifiles/static/images/slider/destination retirement.jpg
s-contentpath "c:\inetpub\wwwroot\fifiles\static\images\slider\destination retirement.jpg"
It is sc-win32-status :) correct?
Mar 05, 2012 05:14 PM|studlyed1
Woowwww. I really botched that one. I even looked at it a few times to make sure. Sometimes it just takes a second pair of eyes. Thanks. Do you have any ideas as to the missing quotes on the cs-uri-stem?
Mar 05, 2012 11:06 PM|qbernard
@@ It has happened to me many times as well.
When you are too 'in' to something, the fact is you are probably nowhere near finding the answer.
Anyway, cs-uri-stem - no quotes? Mm... I just noticed the same. I won't say it is missing; maybe it was designed that way, as " can be a valid URI?
Mar 06, 2012 12:21 PM|studlyed1
I also noticed that cs-uri-query does the same thing. Sad. Do you know if advanced logger is a .NET plugin or a native C++ module?
Mar 06, 2012 12:38 PM|studlyed1
Better yet, where do you file a bug for this? According to their readme file it specifically states, and I quote:
This is from:
Mar 06, 2012 07:17 PM|qbernard
Native module - %ProgramFiles%\IIS\Advanced Logging\AdvancedLoggingModule.dll
Mar 06, 2012 07:30 PM|studlyed1
Well, bummer. I'll just have to leave my hacky code in my log parser until it gets fixed (hopefully) by the people that originally wrote it.
Mar 07, 2012 12:32 AM|qbernard
Dec 09, 2016 05:21 PM|CarphuntinGod
Reviving the long dead... but I've got the same issue. So it would be apparent this never got fixed.
I have to start using Advanced Logging because I'm behind an F5 and need to get the forwarded IPs.
From what I can see, the log files must have a format issue because I'm seeing incorrect values show up across most of the columns... so likely off by one or more vals per line.
Dec 09, 2016 05:33 PM|mahamr
The problem on this thread ended up being user-error and there was no actual problem.
Please post one of your logs with the headers so we can see the possible issue.
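Added example, not part of the thread and not code from the Advanced Logging module: a small Python parser that lines an entry up against its #Fields header, folds the unquoted space in cs-uri-stem back into one column, and shows the logged -2147024894 in sc-win32-status as an unsigned HRESULT. The sample is constructed from the first 11 columns of the header and entry posted above; the function names and the rule that surplus tokens belong to cs-uri-stem are assumptions of this example.

```python
import re

# Constructed sample: the first 11 columns of the header and entry posted above.
FIELDS_LINE = ("#Fields: date time cs-uri-stem cs-uri-query s-contentpath sc-status "
               "s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes")
ENTRY = ('2012-02-13 21:15:54.312 '
         '/fifiles/static/images/slider/destination retirement.jpg - '
         '"c:\\inetpub\\wwwroot\\fifiles\\static\\images\\slider\\destination retirement.jpg" '
         '404 "hag-macu-web6" "http://www.domain.com/" -2147024894 4198 556')

# A token is either a double-quoted value (which may contain spaces) or a bare word.
TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_entry(fields_line, entry, absorb="cs-uri-stem"):
    """Map one entry onto its #Fields header.

    Assumption: any surplus tokens come from unquoted spaces in the `absorb`
    column, so they are folded back into it instead of shifting later columns.
    """
    names = fields_line.split()[1:]          # drop the "#Fields:" marker
    tokens = TOKEN.findall(entry)
    extra = len(tokens) - len(names)
    if extra < 0:
        raise ValueError("entry has fewer values than the header has columns")
    if extra:
        i = names.index(absorb)              # ValueError if the column is absent
        tokens[i:i + extra + 1] = [" ".join(tokens[i:i + extra + 1])]
    return {name: tok.strip('"') for name, tok in zip(names, tokens)}


def decode_win32_status(value):
    """Return (hex form, Win32 error code) for a logged sc-win32-status value."""
    n = int(value) & 0xFFFFFFFF              # signed 32-bit -> unsigned
    failure = bool(n & 0x80000000)           # HRESULT severity bit
    facility = (n >> 16) & 0x7FF             # 7 == FACILITY_WIN32
    code = n & 0xFFFF if failure and facility == 7 else n
    return f"0x{n:08X}", code


if __name__ == "__main__":
    row = parse_entry(FIELDS_LINE, ENTRY)
    print(row["cs-uri-stem"], row["sc-bytes"], decode_win32_status(row["sc-win32-status"]))
```

Win32 error code 2 is ERROR_FILE_NOT_FOUND, which is consistent with the 404 in sc-status.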