Posts Tagged ‘IIS’

Unlike WAF v2, the v1 product does not have custom rules for blocking IPs, so you will still need to do this at the IIS level.

When the WAF forwards the request it adds an “x-forwarded-for” header to the HTTP request and leaves the c-ip (client IP) the same.

By default, IIS will check the IP Address and Domain Restrictions list on the site and block the c-ip (client IP) using this list.

Enabling Proxy Mode (in IIS 8 and up) means it will also adhere to x-forwarded-for, but you will need to add the subnet of the WAF (as it picks a different IP each time) to the allow list as well, or the health probe won’t be able to make sure the site is up.


Recently had a customer on Small Business Server who thought someone might be logging into the server as him. To check the IIS logs for a user:

1) Download and install Log Parser 2.2

2) Copy the logs from the default location


to C:\Temp\Logs\

3) Save the following as query.sql in C:\Temp\Logs\

SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\Temp\Logs\*
WHERE cs-method LIKE '%get%' and cs-uri-stem LIKE '%owa%'

Run:

Logparser.exe file:C:\Temp\Logs\query.sql -i:IISW3C -o:CSV
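
The same OWA filter applied in Python and grouped by client IP, so an unfamiliar source address for the account stands out. This is an added example, not part of the original post; the log lines, the CONTOSO\jsmith account and the function names are constructed for illustration.

```python
# Constructed sample in IIS W3C format (not real log data).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2014-03-01 08:15:02 GET /owa/ CONTOSO\jsmith 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200
2014-03-01 08:15:09 POST /owa/auth.owa - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 302
2014-03-02 23:41:55 GET /owa/ CONTOSO\jsmith 203.0.113.77 Mozilla/5.0+(X11;+Linux) 200
2014-03-02 23:42:10 GET /owa/ev.owa CONTOSO\jsmith 203.0.113.77 Mozilla/5.0+(X11;+Linux) 200
2014-03-03 09:00:00 GET /Remote/ CONTOSO\jsmith 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200
2014-03-03 09:05:00 GET /owa/ CONTOSO\adoe 198.51.100.4 Mozilla/5.0+(Windows+NT+6.1) 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the field list can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def owa_sources(text, username):
    """Map client IP -> hits, first/last seen and user agents for one user."""
    summary = {}
    wanted = username.lower()
    for row in parse_w3c(text):
        # Same filter as the query: method LIKE '%get%', uri LIKE '%owa%'.
        if "get" not in row.get("cs-method", "").lower():
            continue
        if "owa" not in row.get("cs-uri-stem", "").lower():
            continue
        if row.get("cs-username", "").lower() != wanted:
            continue
        stamp = row["date"] + " " + row["time"]
        entry = summary.setdefault(
            row["c-ip"], {"hits": 0, "first": stamp, "last": stamp, "agents": set()})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
        entry["agents"].add(row.get("cs(User-Agent)", "-"))
    return summary


if __name__ == "__main__":
    for ip, e in sorted(owa_sources(SAMPLE_LOG, r"CONTOSO\jsmith").items()):
        print(ip, e["hits"], e["first"], e["last"], sorted(e["agents"]))
```

If the site sits behind a proxy or WAF, c-ip will be the proxy's address, so the grouping is only meaningful when c-ip is the real client.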


Create a CSR; I find the DigiCert Util is the easiest way to do this.

Save the CSR somewhere on the network that is available to the SBS server.

Run this on the SBS server

certreq.exe -submit -attrib "CertificateTemplate:WebServer" %locationofcsrfiles%\csr.txt

Save the result to a .cer file somewhere, then import this into the server via the DigiCert Util.

Change the IIS bindings to this newly imported cert.


Shout out to Bennis at Bayswater Electrical for this!

Log Parser is a seriously good tool for filtering through the mess of IIS logs!

Grab all your IIS log files for the dates you need.

Chuck them in a directory.

The first command merges all the .log files into a single CSV:

logparser.exe -i:iis "select * into c:\temp\merge.log from c:\temp\logs\*" -o:csv

The "-i" option selects the log format; be sure to select the correct format to match your IIS settings, e.g. Exchange is generally IISW3C.


The second command filters out the details you really need, similar to a SQL query:

logparser.exe -i:csv "Select username, date, time, target INTO c:\temp\output.csv FROM c:\temp\merge.log WHERE RequestType LIKE '%get%' and username is not null"

Use Excel or Notepad++ to join the results together.


We had some alerts coming up for an IIS site in SolarWinds which read the value for this


And alerted us when above 0. This is a Custom Performance Counter Monitor which uses WMI to get the counter by reading the IIS Log Files.

Per Microsoft's description of the alert:

Number of requests that could not be satisfied by the server because the requested document was locked (since service startup). Generally reported as HTTP error 423.

There is no other way to find out which files were locked apart from parsing the IIS log files.

How to do this?

Download and install these both

Once done, open up Studio and insert the IIS log files.

Make sure the log type is set to IISW3CLOG.

Use the query below to find all the 423 errors.

The list you are presented with should show all the files that have been locked, which you can inspect, and you can raise the alert threshold if needed.


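/* All 423 errors to any IIS/.NET Web Service */
SELECT cs-uri-stem AS Uri,
       sc-status AS HttpStatus,
       sc-substatus AS SubStatus,
       sc-win32-status AS Win32Status,
       COUNT(*) AS Total
/* '[LOGFILEPATH]' is Log Parser Studio's placeholder for the loaded log files
   (assumes "Studio" above is Log Parser Studio) */
FROM '[LOGFILEPATH]'
WHERE (sc-status = 423)
GROUP BY Uri, HttpStatus, SubStatus, Win32Status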



When trying to open a Virtual Directory in IIS we are greeted with the following error:


Server Error in ‘/’ Application.

Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: An error occurred loading a configuration file: Failed to start monitoring changes to ‘\\’ because access is denied.

Source Error:

[No relevant source lines]

Source File: \web.config Line: 0

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446


This is down to the way the website is running under its Application Pool. You can change the virtual directories to Applications, which should fix this; if not, try running it under another application pool.
