Posts Tagged ‘IIS’

Recently had a customer on Small Business Server who thought someone might be logging into the server as him. To check the IIS logs for a user:

1) Download and install Log Parser 2.2

2) Copy the logs from the default location

C:\inetpub\logs\LogFiles\W3SVC1 

to C:\Temp\Logs\

3) Save the following as query.sql in C:\Temp\Logs\

SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\Temp\Logs\*.log
WHERE cs-method LIKE '%get%' AND cs-uri-stem LIKE '%owa%'

Run:

Logparser.exe file:C:\Temp\Logs\query.sql -i:IISW3C -o:CSV
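
The same OWA filter can be applied to the W3C files directly, grouped by account and client IP so that an address the user does not recognise stands out. This is an added example, not part of the original post; the sample log lines, the CONTOSO account names and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C format (not real log data). The #Fields line
# names the columns; IIS writes "-" for an empty value and "+" for spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2015-03-02 08:01:10 GET /owa/ CONTOSO\\jsmith 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200
2015-03-02 08:01:12 GET /owa/auth/logon.aspx - 198.51.100.7 Mozilla/5.0+(X11;+Linux) 200
2015-03-02 23:47:31 GET /owa/ CONTOSO\\jsmith 203.0.113.55 Mozilla/5.0+(X11;+Linux) 200
2015-03-03 08:03:44 GET /owa/ CONTOSO\\jsmith 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200
2015-03-03 09:15:00 GET /Rpc/rpcproxy.dll CONTOSO\\jsmith 192.0.2.10 MSRPC 200
2015-03-03 09:20:02 POST /owa/ev.owa CONTOSO\\mjones 192.0.2.22 Mozilla/5.0+(Windows+NT+6.1) 200
"""

def parse_w3c(lines):
    """Yield one dict per request, following every #Fields directive seen."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def owa_access_by_user(lines):
    """Map username -> client IP -> summary of authenticated OWA GET requests."""
    report = defaultdict(dict)
    for row in parse_w3c(lines):
        user = row.get("cs-username", "-")
        if user == "-" or row.get("cs-method", "").upper() != "GET":
            continue
        if "owa" not in row.get("cs-uri-stem", "").lower():
            continue
        stamp = row.get("date", "") + " " + row.get("time", "")
        entry = report[user.lower()].setdefault(
            row.get("c-ip", "-"), {"hits": 0, "first": stamp, "last": stamp, "agents": set()})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
        entry["agents"].add(row.get("cs(User-Agent)", "-").replace("+", " "))
    return report

if __name__ == "__main__":
    for user, ips in owa_access_by_user(SAMPLE_LOG.splitlines()).items():
        for ip, e in sorted(ips.items(), key=lambda kv: kv[1]["first"]):
            print(user, ip, e["hits"], e["first"], e["last"], sorted(e["agents"]))
```

For real logs, pass an open file object for each copied .log file instead of SAMPLE_LOG.splitlines().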


Create a CSR. I find the Digicert Util is the easiest way to do this:

https://www.digicert.com/util/

Save the CSR somewhere on the network that is available to the SBS server.

Run this on the SBS server:

certreq.exe -submit -attrib "CertificateTemplate:WebServer" %locationofcsrfiles%\csr.txt

Save the result to a .cer file somewhere, then import it into the server via the Digicert Util.

Change the IIS bindings to this newly imported certificate.


Shout out to Bennis at Bayswater Electrical for this!

Log Parser is a seriously good tool for filtering through the mess of IIS logs!

https://www.microsoft.com/en-au/download/details.aspx?id=24659

Grab all your IIS log files for the dates you need.

Chuck them in a directory.

The first command merges all the .log files into a single CSV:

logparser.exe -i:iis "select * into c:\temp\merge.log from c:\temp\logs\*" -o:csv

The "-i" option selects the input log format. Be sure to select the format that matches your IIS settings, e.g. Exchange is generally IISW3C.

The second command filters out the details you really need, similar to a SQL query. The field names used here are the ones the IIS format produces; with IISW3C the equivalents are cs-username, cs-uri-stem and cs-method.

logparser.exe -i:csv "SELECT username, date, time, target INTO c:\temp\output.csv FROM c:\temp\merge.log WHERE RequestType LIKE '%get%' AND username IS NOT NULL"

Use Excel or Notepad++ to join the results together.


We had some alerts coming up for an IIS site in SolarWinds, which read the value of this counter:


Win32_PerfFormattedData_W3SVC_WebService(SITECODE)\TotalLockedErrors

and alerted us when it was above 0. This is a Custom Performance Counter Monitor which uses WMI to get the counter by reading the IIS log files.

Per Microsoft's description of the alert:

Number of requests that could not be satisfied by the server because the requested document was locked (since service startup). Generally reported as HTTP error 423.

There is no way to find out which files were locked other than parsing the IIS log files.

How to do this?

Download and install both of these:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=24659

https://blogs.msdn.microsoft.com/friis/2014/02/06/how-to-analyse-iis-logs-using-logparser-logparser-studio/

Once done, open up Log Parser Studio and add the IIS log files.

Make sure the log type is set to IISW3CLOG.

Use the query below to list all the 423 errors.

The resulting list shows all the files that have been locked. Inspect them, and raise the alert threshold if needed.

 

/* All 423 errors to any IIS/.NET Web Service */
SELECT cs-uri-stem AS Uri,
       sc-status AS HttpStatus,
       sc-substatus AS SubStatus,
       sc-win32-status AS Win32Status,
       COUNT(*) AS Total
FROM '[LOGFILEPATH]'
WHERE (sc-status = 423)
GROUP BY Uri, HttpStatus, SubStatus, Win32Status
ORDER BY Total DESC

 


When trying to open a virtual directory in IIS, we are greeted with the following error:

 

Server Error in ‘/’ Application.
——————————————————————————–

Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: An error occurred loading a configuration file: Failed to start monitoring changes to ‘\\’ because access is denied.

Source Error:


[No relevant source lines]

Source File: \web.config Line: 0


——————————————————————————–
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446

 

This is caused by the way the website runs under its application pool. Changing the virtual directories to applications should fix this; if not, try running the site on another application pool.
