IIS Logs - Unknown value in sc-substatus
Last post Aug 16, 2019 01:41 PM by lextm
Aug 16, 2019 07:16 AM | MartinBlack
Our company synchronizes IIS logs with other intrusion control systems.
I am trying to figure out how to recognize all bad login attempts from IIS logs. I tried to parse them out manually with grep through regular expressions, but I found many values I do not understand.
I tried to google the meaning of the values in the fields cs-status and cs-substatus. A bad login attempt should be marked with cs-status code 401 and a different cs-substatus. But I found cs-substatus values that aren't described on Microsoft pages, like cs-substatus values 111 or 0. (There is no description of what codes 401.0 and 401.111 mean.)
Here are 2 examples of log entries (with a header describing the field order):
#Software: Microsoft Internet Information Services 10.0
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 5
10.10.10.10 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=2f43ba86-1f69-4116-82ca-e909e4e3edf7; 443 - 22.214.171.124 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 401 0 0 15
I found some pages on microsoft.com but these substatus codes are not explained there.
Can someone explain these substatus codes? Any ideas?
Thank you for any suggestions.
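The question above is really a log-parsing and triage problem: the field order is declared in the #Fields header, and a 401 by itself is not proof of a bad login, because the first request of an HTTP authentication exchange is normally answered with a 401 challenge before the client retries with credentials. The following script is an added example (not code from the poster or from Microsoft) that reads the W3C header to find the columns, pulls out every 401 with its dotted substatus, marks whether the substatus is one IIS itself documents for 401 (the set used here is an assumption based on the IIS status-code reference: 401.1 through 401.5), and flags clients that never got a success afterwards. The sample log embeds the two lines from the post plus two constructed lines (a client retrying successfully, and a 401.1 with win32 status 1326, logon failure, from a made-up user and documentation-range IP).

```python
"""Parse IIS W3C extended logs and summarize HTTP 401 responses by substatus.

Added example for this thread; not the poster's code and not Microsoft's.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Substatus values that IIS's own status-code reference lists under 401.
# Assumption: this set reflects the IIS documentation as the author of this
# example knows it. Values such as 0 or 111 are not in it, which is the
# poster's observation: they are emitted by a module (Exchange here), not IIS.
IIS_DOCUMENTED_401_SUBSTATUS = {1, 2, 3, 4, 5}

# Constructed sample: the two lines quoted in the post, followed by two lines
# made up for this example (a 200 from the same EWS client, and a 401.1 for a
# fictional user CONTOSO\jdoe from the documentation address 198.51.100.7).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 5
10.10.10.10 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=2f43ba86-1f69-4116-82ca-e909e4e3edf7; 443 - 22.214.171.124 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 401 0 0 15
10.10.10.10 POST /EWS/Exchange.asmx - 443 - 22.214.171.124 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 200 0 0 40
10.10.10.10 GET /owa/ - 443 CONTOSO\\jdoe 198.51.100.7 Mozilla/5.0 - 401 1 1326 12
"""


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the names in #Fields.

    The column layout is taken from the most recent #Fields directive rather
    than hard-coded, because IIS lets administrators pick and reorder fields.
    Other directives (#Software, #Date, ...) and blank lines are skipped.
    Lines whose column count does not match the header are dropped instead
    of being mis-aligned; a shifted sc-status column would silently corrupt
    every downstream count. W3C logs encode spaces inside values as '+', so a
    plain split on single spaces is the correct tokenizer.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        cols = line.split(" ")
        if not fields or len(cols) != len(fields):
            continue
        records.append(dict(zip(fields, cols)))
    return records


def failed_auth_candidates(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every 401 record with a dotted 'status' (e.g. '401.111') and an
    'iis_documented' flag saying whether the substatus is one IIS defines."""
    out = []
    for rec in records:
        if rec.get("sc-status") != "401":
            continue
        sub = int(rec.get("sc-substatus", "0"))
        out.append({
            **rec,
            "status": f"401.{sub}",
            "iis_documented": sub in IIS_DOCUMENTED_401_SUBSTATUS,
        })
    return out


def summarize_401s(records: List[Dict[str, str]]) -> Counter:
    """Count 401 responses per (client IP, dotted status) pair."""
    return Counter((r["c-ip"], r["status"]) for r in failed_auth_candidates(records))


def clients_without_success(records: List[Dict[str, str]]) -> Set[str]:
    """Triage heuristic: client IPs that received at least one 401 and never a
    2xx/3xx anywhere in the log. A client that got 401 and then 2xx most
    likely completed a normal challenge/response; a client that only ever got
    401s is the one worth looking at for failed logins."""
    challenged: Set[str] = set()
    succeeded: Set[str] = set()
    for rec in records:
        status = rec.get("sc-status", "")
        if status == "401":
            challenged.add(rec["c-ip"])
        elif status.startswith(("2", "3")):
            succeeded.add(rec["c-ip"])
    return challenged - succeeded


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    for (ip, status), n in sorted(summarize_401s(recs).items()):
        print(f"{ip:16} {status:8} x{n}")
    print("401-only clients:", sorted(clients_without_success(recs)))
```

Run on the sample, the summary shows one 401.111 (the local AMProbe health check), one 401.0 from the EWS client that later got a 200, and one 401.1 from the constructed client that never succeeded; only the last two IPs end up in the 401-only set. On a real log the same script takes the file contents in place of SAMPLE_LOG, and the `iis_documented` flag separates the substatus values the IIS reference explains from the module-specific ones the post asks about.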
Aug 16, 2019 01:41 PM | lextm
Such codes usually indicate that they were not generated by IIS, but by custom ISAPI extensions/modules.
As the second line indicates you are using EWS from Exchange, it is clear that you should dig into the Exchange documentation.