Jeremy Smith
2004-04-30 19:56:05 UTC
I'm trying to determine if a trend is happening and would like to know if it is possible to locate it in the IIS log file.
Setup
IIS 6.0 website with Integrated Windows Authentication only; it uses Negotiate and NTLM for the 2 Auth headers, and extended logging. Most clients use Kerberos, based on the IE client setting.
Scenario
When the user "IE Client" connects to my website, they are prompted to put in their login info. If they hit cancel at the prompt, they get a 401.2; if they type bad user info, they get a 401.1. I know from Microsoft's webcast that you always get one 401.2 for the anonymous request to determine Auth header types. I also know that the local security event log tracks when users put in bad login info. But how can I get both the hitting cancel and the bad info from the IIS log file?
Also, logging definitions:
What are the status codes 2148074254 and 2148074252 for the field sc-win32-status?
Thanks
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2004-04-30 19:15:56 W3SVC1333628378 TXAUST1SADEV 150.179.22.35 GET / - 80 - 10.12.97.22 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+SBC) CFID=614364;+CFMAGIC=614364%3A84575031;+CFTOKEN=84575031;+SBC_PROPOSAL_CENTERS_SALESONE_S1LOGINID=2621;+SBCCS=Aa1D5000log0000Eg7R59u4084 - saord.tx.sbc.com 401 1 2148074252 358 617 12
2004-04-30 19:16:05 W3SVC1333628378 TXAUST1SADEV 150.179.22.35 GET / - 80 - 10.12.97.22 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+SBC) CFID=614364;+CFMAGIC=614364%3A84575031;+CFTOKEN=84575031;+SBC_PROPOSAL_CENTERS_SALESONE_S1LOGINID=2621;+SBCCS=Aa1D5000log0000Eg7R59u4084 - saord.tx.sbc.com 401 2 2148074254 1872 515 0
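As an added example that is not part of the original post: a short Python parser that reads a W3C extended log by its `#Fields:` directive, picks out the 401.1 and 401.2 entries, and counts them per client. The sample log is constructed (fewer fields than the post's log, placeholder user name), the substatus labels follow the post's description, and the code assumes `time`, `c-ip`, `sc-status`, `sc-substatus` and `sc-win32-status` are logged. The two sc-win32-status values are the SSPI HRESULTs 0x8009030C (SEC_E_LOGON_DENIED) and 0x8009030E (SEC_E_NO_CREDENTIALS).

```python
from collections import Counter

# SSPI HRESULTs as defined in winerror.h
SSPI = {0x8009030C: "SEC_E_LOGON_DENIED", 0x8009030E: "SEC_E_NO_CREDENTIALS"}
# Meaning of each 401 substatus, as described in the post above
SUBSTATUS = {"1": "bad login info", "2": "cancel / anonymous first request"}

# Constructed sample: fewer fields than the post's log, placeholder user name
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2004-04-30 19:15:56 GET / - 10.12.97.22 401 1 2148074252
2004-04-30 19:16:05 GET / - 10.12.97.22 401 2 2148074254
2004-04-30 19:16:09 GET / EXAMPLE\\user 10.12.97.22 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def auth_failures(text):
    """Return (time, client IP, substatus label, HRESULT name) per 401.1/401.2."""
    found = []
    for e in parse_w3c(text):
        sub = e.get("sc-substatus")
        if e.get("sc-status") != "401" or sub not in SUBSTATUS:
            continue
        raw = e.get("sc-win32-status", "")
        code = int(raw) if raw.isdigit() else 0  # "-" or empty becomes 0
        found.append((e["time"], e["c-ip"], SUBSTATUS[sub], SSPI.get(code, hex(code))))
    return found

def trend(text):
    """Count failures per (client IP, substatus label) to expose a pattern."""
    return Counter((ip, label) for _, ip, label, _ in auth_failures(text))

if __name__ == "__main__":
    for row in auth_failures(SAMPLE_LOG):
        print(*row)
```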