
IIS Logs - Unknown value in sc-substatus

1 reply

Last post Aug 16, 2019 01:41 PM by lextm

  • IIS Logs - Unknown value in sc-substatus

    Aug 16, 2019 07:16 AM | MartinBlack

    Our company synchronizes IIS logs with other intrusion control systems.

    I am trying to figure out how to recognize all bad login attempts from IIS logs. I tried to parse them out manually with grep and regular expressions, but I found many values I do not understand.

    I tried to google the meaning of the values in the fields cs-status and cs-substatus. A bad login attempt should be marked with cs-status code 401 and a different cs-substatus. But I found cs-substatus values that aren't described on the Microsoft pages, like cs-substatus values 111 or 0. (There is no description of what the codes 401.0 and 401.111 mean.)

    Here are 2 examples of log inputs (with header with field order description):

    #Software: Microsoft Internet Information Services 10.0
    #Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

    127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 5

    10.10.10.10 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=2f43ba86-1f69-4116-82ca-e909e4e3edf7; 443 - 172.172.172.172 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 401 0 0 15
    I found some pages on microsoft.com but these substatus codes are not explained there.

    https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0

    Can someone explain these substatus codes? Any ideas?

    Thank you for any suggestions
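As an added example (not code from the question or the reply), a small Python parser that reads the #Fields header of the W3C log shown above, pulls out the 401 responses and flags substatus values that IIS itself does not define, which is the distinction the thread turns on. The IIS_401_SUBSTATUS table is taken from the IIS status-code documentation rather than from this thread, and the third sample log line (a 200) is constructed for contrast.

```python
from collections import Counter

# Constructed sample in the W3C extended format IIS writes; the first two
# entries mirror the ones quoted in the question, the third is a 200 for contrast.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 5
10.10.10.10 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=2f43ba86-1f69-4116-82ca-e909e4e3edf7; 443 - 172.172.172.172 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 401 0 0 15
10.10.10.10 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
"""

# 401 substatus values IIS itself defines (from the IIS status-code docs, not
# from the question); anything else was set by an application module.
IIS_401_SUBSTATUS = {1: "logon failed", 2: "logon failed due to server configuration",
                     3: "unauthorized due to ACL on resource", 4: "authorization failed by filter",
                     5: "authorization failed by ISAPI/CGI application"}
NOT_IIS = "not an IIS-defined substatus (set by an application module)"


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    The most recent #Fields directive wins, so a file whose logging
    configuration changed part-way through is still read correctly."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives (#Software, #Date), blank lines, no header yet
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated records rather than misalign
                entries.append(dict(zip(fields, values)))
    return entries


def failed_logins(entries):
    """Return every 401 response, labelled with what its substatus means."""
    result = []
    for e in entries:
        if e.get("sc-status") == "401":
            sub = int(e["sc-substatus"])
            result.append({"c-ip": e["c-ip"], "user": e["cs-username"], "uri": e["cs-uri-stem"],
                           "substatus": sub, "meaning": IIS_401_SUBSTATUS.get(sub, NOT_IIS)})
    return result


def count_failures_by_ip(entries):
    """Count 401s per client IP, the usual pivot when looking for brute forcing."""
    return Counter(f["c-ip"] for f in failed_logins(entries))
```

Both 401s in the sample end up labelled as application-defined, which is the point of the reply: the 111 and 0 substatus values are Exchange's, not IIS's, so the Exchange documentation is where their meaning lives.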

  • Re: IIS Logs - Unknown value in sc-substatus

    Aug 16, 2019 01:41 PM | lextm

    Such codes usually indicate that they were not generated by IIS, but by custom ISAPI/modules.

    As the second line indicates that you are using EWS from Exchange, it is clear that you should dig into the Exchange documentation.

    Lex Li