© 2011 LogLogic, Inc. Proprietary Information
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.
Trademarks
LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.
Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.
Contents
Preface
About This Guide
Technical Support
Documentation Support
Conventions
Chapter 1 – Configuring LogLogic’s Microsoft IIS Log Collection
Introduction to Microsoft IIS
Prerequisites
Configuring Microsoft IIS
Enabling the LogLogic Appliance to Capture Log Data
Configuring the LogLogic Appliance for File Collection
Adding a Microsoft IIS Device
Creating File Transfer Rules
Verifying the Configuration
Chapter 2 – How LogLogic Supports Microsoft IIS
How LogLogic Captures Microsoft IIS Log Data
Supported Microsoft IIS Log Data
LogLogic Real-Time Reports
LogLogic Search Filters
Chapter 3 – Troubleshooting and FAQ
Troubleshooting
Problems Retrieving Log Files Using Configured File Transfer Rules
Frequently Asked Questions
Preface
About This Guide
The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft® Internet Information Services (IIS) enables LogLogic Appliances to capture logs from machines running Microsoft IIS.
Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft IIS’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
Technical Support
LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.
To reach LogLogic Customer Support:
Telephone: Toll Free—1-800-957-LOGS
Local—1-408-834-7480
EMEA or APAC: + 44 (0) 207 1170075 or +44 (0) 8000 669970
Email: [email protected]
You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.
When contacting Customer Support, be prepared to provide:
Your name, email address, phone number, and fax number
Your company name and company address
Your machine type and release version
Conventions
LogLogic documentation uses the following conventions to highlight code and command-line elements:
A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
username: system
home directory: home\app
A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
LogLogic_home_directory\upgrade\
Straight brackets signal options in command-line syntax. For example:
Chapter 1 – Configuring LogLogic’s Microsoft IIS Log Collection
This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Microsoft IIS web server logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft IIS web server log data.
Introduction to Microsoft IIS
The Microsoft IIS logs provide information about the activity of a Web application. Microsoft IIS logs give details of the main HTTP status code, Win32 error code, and the HTTP substatus code (if logging is configured to provide this data). The Win32 error codes and the HTTP substatus codes often contain information that is critical when troubleshooting device issues.
Microsoft IIS gives you a choice of log file formats and lets you log to a file or directly to a database. The available formats are:
W3C Extended Log File Format
Microsoft IIS Log File Format
National Center for Supercomputing Applications (NCSA) Common Log File Format
ODBC Logging Format
The W3C Extended Log File Format is the default format for Microsoft IIS. You can use Microsoft IIS Manager to select the fields to include in the log file to help keep log files as small as possible. The LogLogic Appliance captures log data, in the W3C Extended format, from Microsoft IIS by file pull using a file transfer rule. The configuration procedures for Microsoft IIS and the LogLogic
Appliance depend upon your environment. For more information, see How LogLogic Captures
Prerequisites
Prior to configuring Microsoft IIS and the LogLogic Appliance, ensure that you meet the following prerequisites:
Microsoft IIS 5.0 or 6.0 running on Windows 2000 Server or Windows 2003 Server respectively
Proper access permissions to make configuration changes
Microsoft IIS with FTP Service enabled, or 3rd-party FTP, FTP(S), HTTP(S), CIFS, SCP, and/or SFTP server software installed for any platform that does not have these capabilities by default. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.
LogLogic Appliance running Release 5.1 or later installed with the Microsoft IIS Log Source Package
Administrative access on the LogLogic Appliance
Note: The user who installs Microsoft IIS only needs to have permission to edit the configuration files. The user does not need to be the root user.
Configuring Microsoft IIS
This section describes how to configure Microsoft IIS in order to enable the W3C logging format and rotation of logs. You can configure how regularly the log files are rotated, that is, how long it takes before a new log file is created. In Microsoft IIS, you can configure a new log to be created during any time period (i.e., daily, weekly, monthly) or when a log file has reached a particular size.
To enable the W3C logging format, configure W3C logging attributes, and set up log file rotation:
1. Log in to the web server as Administrator.
2. From the Windows Start menu, select Settings > Control Panel.
3. Double-click Administrative Tools, and then double-click Internet Services Manager.
4. In the left pane, right-click on the website in the list of served sites and select Properties.
5. On the Properties tab, select the Web Site tab.
6. On the Web Site tab, select the Enable logging checkbox.
Figure 1 Properties Tab with Enable Logging Selected
8. Next to the Active log format drop-down menu click Properties.
9. On the Extended Properties tab, select the properties you want to log from the options listed.
10. Select the General Properties tab.
11. Select the New Log Time Period setting for the web server log. This setting defines how frequently new logs are created.
Figure 3 General Properties Tab
12. Click OK.
Enabling the LogLogic Appliance to Capture Log Data
The following sections describe how to enable the LogLogic Appliance to capture Microsoft IIS log data.
Configuring the LogLogic Appliance for File Collection
The LogLogic Appliance captures Microsoft IIS logs using file pull functionality via a file transfer rule. If the host machine where Microsoft IIS is installed does not have file transfer functionality by default, you can use one of the following deployment options for log file collection:
Install 3rd-party file transfer software (or create a script to handle file transfers) on the host
Note: Microsoft IIS with the FTP Service enabled can be used for file-based log collection. Keep in mind that using IIS’s FTP Service is not a strict software requirement and you can use other 3rd-party software applications and other transfer protocols to provide the same functionality.
Configure a remote Host Server with file transfer capability to capture log files from the Microsoft IIS host machine
Once the file transfer capability on the host machine or the remote Host Server is properly configured, you can create file transfer rules on the LogLogic Appliance for each log file you want to capture. The LogLogic Appliance pulls the log files via a supported file transfer protocol such as SFTP, SCP, FTP(S), HTTP(S), etc. For more information, see the LogLogic Administration Guide.
To enable the LogLogic Appliance to capture log data using Microsoft IIS with FTP Service enabled:
Note: The FTP Service might not be enabled by default. Make sure that the FTP Service is enabled on IIS prior to configuring the server.
1. Make sure that a destination directory (i.e., log directory) exists and is accessible on the host machine where Microsoft IIS is installed.
The destination directory should contain the original log files that Microsoft IIS generates.
2. Transfer the Microsoft IIS log files to a separate publishing directory on the host machine.
Note: In Microsoft IIS, you can set a specific FTP site log file location or you can set the default FTP site location that applies to all FTP sites.
You can use a script that makes a copy of or moves the log files from the destination directory (i.e., log directory) to the publishing directory. In addition, you can use a Microsoft Scheduled Task to specify a time schedule when the script runs (for example, hourly, daily or weekly). You can access the Scheduled Task Wizard from the Windows Start menu, in Accessories > System Tools > Scheduled Tasks.
Note: If you want to schedule the task to run during a specified time period (e.g., hourly), you must first create the task and then define the rules. Once you create the task, double-click the task and then select the Schedule tab, then click Advanced. Select the Repeat task checkbox and then define the rules.
- SCP and SFTP have limitations in their ability to pull a large number of files (100 or more). LogLogic recommends that you compress the files into a single file (such as .tar or .tar.gz) before the files are pulled by the LogLogic Appliance.
- File transfer rules using SCP or SFTP as the protocol require a Public Key Copy from the LogLogic Appliance. You need to copy the Appliance’s public key to the host machine containing the publishing directory for the log files. For more information on public key copy, see the LogLogic Administration Guide.
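One way to script the copy step described above, as an added example that is not LogLogic's or Microsoft's code: it bundles closed ex*.log files from the IIS log directory into a single .tar.gz in the publishing directory and remembers what it has already published. The function name, archive name, state file and one-hour age threshold are assumptions chosen for illustration.

```python
"""Stage closed IIS log files into a publishing directory as one .tar.gz."""
import fnmatch
import os
import sys
import tarfile
import time


def _already_published(state_file):
    """Names archived by earlier runs, so a scheduled task does not re-send them."""
    if not os.path.exists(state_file):
        return set()
    with open(state_file, encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


def stage_logs(log_dir, publish_dir, state_file, now=None, min_age=3600):
    """Bundle closed ex*.log files from log_dir into one archive in publish_dir.

    state_file (hypothetical) lives outside publish_dir so it is never pulled.
    Returns (archive_path, member_names), or (None, []) when nothing is ready.
    """
    now = time.time() if now is None else now
    os.makedirs(publish_dir, exist_ok=True)
    done = _already_published(state_file)

    ready = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not fnmatch.fnmatch(name.lower(), "ex*.log"):
            continue                      # only IIS W3C log files
        if os.path.islink(path) or not os.path.isfile(path):
            continue                      # never follow links out of the log directory
        if now - os.path.getmtime(path) < min_age:
            continue                      # IIS may still be writing this file
        if name in done:
            continue                      # sent by a previous run
        ready.append(name)
    if not ready:
        return None, []

    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
    final = os.path.join(publish_dir, "iis-logs-%s.tar.gz" % stamp)
    partial = final + ".part"             # match only *.tar.gz in the transfer rule
    with tarfile.open(partial, "w:gz") as tar:
        for name in ready:
            tar.add(os.path.join(log_dir, name), arcname=name)
    # Rename only when complete, so a pull never sees a half-written archive.
    os.replace(partial, final)

    with open(state_file, "a", encoding="utf-8") as fh:
        fh.writelines(name + "\n" for name in ready)
    return final, ready


if __name__ == "__main__":
    # Usage: python stage_logs.py <log_dir> <publish_dir> <state_file>
    archive, members = stage_logs(sys.argv[1], sys.argv[2], sys.argv[3])
    print(archive or "nothing to publish", members)
```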
Adding a Microsoft IIS Device
LogLogic captures Microsoft IIS log files using file pull functionality via file transfer rule. You must add the server as a new device so LogLogic can properly handle the log file data and make it available through reports and searching. Once you have successfully added a Microsoft IIS device, you must configure file transfer rules for file collection. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.
To add Microsoft IIS as a new device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices.
The Devices tab appears.
3. Click Add New.
The Add Device tab appears.
4. Type in the following information for the device:
Name—Name for the Microsoft IIS device
Description (optional)—Description of the Microsoft IIS device
Device Type—Select Microsoft IIS from the drop-down menu
Host IP—IP address of the Microsoft IIS appliance
Enable Data Collection—Select the Yes radio button
Refresh Device Name through DNS Lookups (optional)—Select this checkbox to
Figure 4 Adding a Device to the LogLogic Appliance
5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. After you add the new device, you can configure the LogLogic Appliance by setting up file transfer rules. For information on configuring the LogLogic Appliance to capture Microsoft IIS log messages, see Configuring the LogLogic Appliance for File Collection on page 10.
Creating File Transfer Rules
After you add your Microsoft IIS device, you can create a file transfer rule for the log files. File transfer rules enable the LogLogic Appliance to pull files from the host machine or remote Host Server publishing the Microsoft IIS log files.
LogLogic supports the following wildcards: * (asterisk), ? (question mark), and [...] (open and close brackets) using directory queries. If you use wildcards, you must enable directory listing on your host machine or remote Host Server.
Examples: file
3. Select the File Transfer Rules tab.
4. Add a rule for the Microsoft IIS log files you want to capture by completing the following steps:
a. From the Device Type drop-down menu, select the machine where Microsoft IIS is installed.
b. From the Device drop-down menu, select the appropriate Microsoft IIS device.
Note: If you have added only one Microsoft IIS device, the device name is automatically added.
c. Click Add Rule then enter the appropriate information for the following required fields:
Rule Name—Name of the transfer rule (e.g., Microsoft IIS files)
Protocol—Specify the appropriate protocol (e.g., SFTP, SCP, FTP(S), etc.)
Note: LogLogic recommends using a secure file transfer protocol, such as SFTP for Windows-based devices or SCP for UNIX-based devices. If you are using SFTP or SCP, you must copy the Appliance’s public key to the machine where the logs are located. For more information, see Configuring the LogLogic Appliance for File Collection on page 10 and the LogLogic Administration Guide.
User ID—Specify only if the protocol requires a User ID
Password/Verify Password—Specify only if required for the User ID
Files—Full path (after the IP address) to the Host Server where the Microsoft IIS log files are located. For example: /log/file_name.log
Note: FTP currently supports path wildcards only (for example, /logs/*). SFTP allows for wildcard file names (for example, *.log).
To capture all logs in a specific directory specify the asterisk (*) wildcard. For example:
/log/*.log
The server can be the host machine where the device is installed or a remote Host Server with file transfer functionality. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.
File Format—Select W3C from the drop-down menu
Collection Time—Specify the time you want to retrieve the log file
Use Advanced Duplication Detection—Select the Yes radio button if you want the LogLogic Appliance to check for duplicate data while capturing the Microsoft IIS logs.
Figure 5 Add File Transfer Rule Tab
d. Click Add.
If the device name (Microsoft IIS) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Microsoft IIS logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft IIS configuration and the LogLogic Appliance configuration.
Note: If you are using Microsoft IIS with the FTP Service enabled to transfer log files to the LogLogic Appliance, make sure that IIS is properly configured. For more information, see To enable the LogLogic Appliance to capture log data using Microsoft IIS with FTP Service enabled: on page 11.
Chapter 2 – How LogLogic Supports Microsoft IIS
This chapter describes LogLogic’s support for Microsoft IIS. LogLogic enables you to capture Microsoft IIS web server log data to monitor IIS events.
How LogLogic Captures Microsoft IIS Log Data
Microsoft IIS logs are located in the following directory:
systemroot\System32\LogFiles\W3SVCnumber
Where number is the site ID for the website. The log file name (i.e., ex*.log) is based on log time period. LogLogic enables you to capture the log data in text format from a remote file system using FTP(S), HTTP(S), SCP, etc.
The LogLogic Appliance uses file pulling to capture Microsoft IIS log messages in the W3C Extended Log File format. Log files unchanged since the last pull are filtered out from collecting to eliminate duplication. File pulling maintains a record of log files identified on the database to allow conversion. All log messages are pulled from the specified path where the converted log files are stored.
Note: LogLogic enables you to collect Microsoft IIS log messages at a configurable time (e.g., every x minutes, at an hourly interval, daily at a specified time, or weekly at a specified date and time).
Figure 6 provides a deployment example for capturing Microsoft IIS log messages. IIS Server (with FTP Service enabled) is used in the example. Using IIS’s FTP Service and the FTP protocol to capture file-based log data is not a requirement. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.
Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft IIS. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
Note: When a log file is transferred, each file contains a timestamp which consists of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of LogLogic supported date and time formats, see the LogLogic Administration Guide.
Supported Microsoft IIS Log Data
LogLogic enables you to capture Microsoft IIS W3C formatted log data. There are five event categories that can be generated:
Informational
Successful
Redirection
Server Error
Client Error
Table 1 on page 24 lists the Microsoft IIS events that are supported by the LogLogic Appliance. Each event is represented by HTTP status codes and substatus codes.
Note: The LogLogic Appliance captures all messages from the Microsoft IIS logs, but parses only specific messages for report/alert generation.
For more information, see Appendix A – Event Reference on page 23 for sample log messages for each event and event to category mapping.
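The Event ID and category scheme described above can be reproduced outside the Appliance when checking what a log file contains. The following is an added example, not LogLogic's parser: it reads W3C Extended text, builds the Event ID from sc-status and sc-substatus, and buckets records into the five categories. The `#Fields` header in the constructed sample and all function names are assumptions.

```python
"""Parse IIS W3C Extended log text and bucket records by Event ID and category."""
from collections import Counter

# Constructed sample. The "#" directive lines are assumed (the guide prints only
# data lines); the data lines are modelled on the Table 1 samples, and the last
# one is deliberately truncated to show malformed-line handling.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 200 0
2005-06-24 00:15:46 10.1.1.145 GET /foo.jsp param=<SCRIPT>foo</SCRIPT> 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 301 0
2005-06-24 00:15:46 10.1.1.145 GET /3/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 1
2005-06-24 00:15:46 10.1.1.145 GET /AdminWeb/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 0
2005-06-24 00:15:46 10.1.1.145 GET /News/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 0
2005-06-24 00:15:46 10.1.1.145 GET /broken line
"""

# The five event categories named in the guide, keyed by first status digit.
CATEGORIES = {1: "Informational", 2: "Successful", 3: "Redirection",
              4: "Client Error", 5: "Server Error"}


def parse_w3c(text):
    """Return (records, malformed_count) for W3C Extended log text.

    A #Fields directive may reappear mid-file (for example after a service
    restart), so the column list is replaced each time one is seen.
    """
    fields, records, malformed = [], [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()            # IIS writes spaces inside values as '+'
        if not fields or len(values) != len(fields):
            malformed += 1               # truncated line or data before #Fields
            continue
        records.append(dict(zip(fields, values)))
    return records, malformed


def event_id(rec):
    """Status and substatus separated by a space, as in the Event ID column."""
    status = rec.get("sc-status", "-")
    sub = rec.get("sc-substatus")        # absent when substatus logging is off
    return status if sub is None else "%s %s" % (status, sub)


def category(rec):
    """Map a record to one of the five categories, or 'Unknown'."""
    status = rec.get("sc-status", "")
    if len(status) == 3 and status.isdigit():
        return CATEGORIES.get(int(status[0]), "Unknown")
    return "Unknown"


def with_status(records, status):
    """Records with the given HTTP status, like the 401/403/404 search filters."""
    return [r for r in records if r.get("sc-status") == str(status)]


def summarize(text):
    """Counts per category and per Event ID, plus the malformed line count."""
    records, malformed = parse_w3c(text)
    return {
        "categories": Counter(category(r) for r in records),
        "event_ids": Counter(event_id(r) for r in records),
        "malformed": malformed,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key in ("categories", "event_ids", "malformed"):
        print(key, summary[key])
```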
LogLogic Real-Time Reports
LogLogic provides pre-configured Real-Time Reports for Microsoft IIS log data. The following Real-Time Reports are available:
All Unparsed Events – Displays data for all events retrieved from the Microsoft IIS log for a specified time interval
Web Cache Activity – Displays locally-stored web information served during a specified time interval
Web Surfing Activity – Displays web information served during a specified time interval
To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click Reports.
2. Click Network Activity.
3. Click Operational.
The following Real-Time Reports are available:
All Unparsed Events
You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.
LogLogic Search Filters
LogLogic provides pre-configured Search Filters for Microsoft IIS log data. Search Filters are used to filter report data and create alerts.
To access Search Filters:
1. From the navigation menu, select Search.
2. Select Search Filters.
The following Search Filters are available:
Microsoft IIS: 401 Page Retrieve Errors – Displays information about Microsoft IIS: HTTP Error 401 Page Retrieving errors
Microsoft IIS: 403 Forbidden – Displays information about Microsoft IIS: HTTP Error 403 Access Denied/Forbidden errors
Microsoft IIS: 404 Not Found – Displays information about Microsoft IIS: HTTP Error 404 Not Found errors
Chapter 3 – Troubleshooting and FAQ
This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft IIS. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.
Troubleshooting
Is your version of Microsoft IIS supported?
For more information, see Prerequisites on page 8.
Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.
Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft IIS. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.
If Microsoft IIS events are not appearing on the LogLogic Appliance...
You need to verify if the LogLogic Appliance is receiving the logs correctly. For more information, see Problems Retrieving Log Files Using Configured File Transfer Rules on page 20. Also, make sure that you have properly enabled and configured W3C logging and log rotation on Microsoft IIS. For more information, see Configuring Microsoft IIS on page 8.
Problems Retrieving Log Files Using Configured File Transfer Rules
If you are having general problems retrieving log files using your configured file transfer rules, you might need to verify that your LogLogic Appliance is receiving Microsoft IIS logs as scheduled.
To verify that the LogLogic Appliance is receiving logs correctly:
1. Log in to the LogLogic Appliance managing the Microsoft IIS log data.
3. Select the File Transfer Rules tab.
The File Transfer Rules tab appears with a table displaying all of your file transfer rules.
4. Find the file-based log data entries.
5. Under the Last Successful Retrieval column, watch for a successful transfer as defined by the Collection Interval mark.
6. Under the Last Attempted Retrieval column, verify that there are no failures.
7. If the Last Attempted Retrieval value is incrementing but the Last Successful Retrieval value is not changing, then the LogLogic Appliance is not receiving logs correctly. If this problem occurs, then complete the following steps:
a. Verify the path to your log files. If necessary, make appropriate changes.
b. Verify your username and password. If necessary, make appropriate changes.
Alternatively, you can run an Index Search against Microsoft IIS as follows to check log collection:
1. In the navigation menu, select Search > Index Search.
2. Specify the LogLogic Appliance as the Device Type and choose the appropriate Source Device.
3. Enter your Boolean Search query. For example:
To return file collector-related logs, type engine_filecollector
To return only Microsoft IIS entries, type engine_filecollector and Microsoft IIS
Entries can be found in the /loglogic/status/filecollector_status file.
Frequently Asked Questions
How does the LogLogic Appliance obtain log data from Microsoft IIS?
The LogLogic Appliance captures web server log data, in W3C Extended Log File format, from Microsoft IIS by file pull using a file transfer rule. For more information, see How LogLogic Captures Microsoft IIS Log Data on page 17.
What access permissions are required?
A user on Microsoft IIS with administrator privileges is required.
Appendix A – Event Reference
This appendix lists the LogLogic-supported Microsoft IIS events. The Microsoft IIS event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic’s file pull functionality.
LogLogic Support for Microsoft IIS Events
The following list describes the contents of each of the columns in the table below.
Event ID – Microsoft IIS status and substatus codes (there is a space between the status and substatus code)
Agile Reports/Search – Defines if the Microsoft IIS event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
Title/Comments – Event name
Event Category – Category of events such as Informational, Client Error, etc.
Event Type – Type of event such as Success or Failure
Sample Log Message – Sample Microsoft IIS log messages in W3C format containing the
Table 1 Microsoft IIS Events Event ID Agile Reports/ Search Title Event Category Event Type
Sample Log Message
1 100 0 Agile HTTP_CONTINUE Informational Info 2005-06-24 00:15:14 10.1.1.145 GET / iisstart.htm - 80 - 10.1.1.147 - 100 0 2 101 0 Agile HTTP_SWITCHING_PROTOCOLS Informational Info 2005-06-24 00:15:14 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 - 101 0 3 200 0 Agile HTTP_OK Successful Success 2005-06-24 00:15:08 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 - 200 0 4 201 0 Agile HTTP_CREATED Successful Success 2005-06-24 00:15:08 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 - 201 0 5 202 0 Agile HTTP_ACCEPTED Successful Success 2005-06-24 00:15:08 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 - 202 0 6 203 0 Agile HTTP_NON_AUTHORITATIVE Successful Success 2005-06-24 00:15:08 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 - 203 0 7 204 0 Agile HTTP_NO_CONTENT Successful Success 2005-06-24 00:15:08 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 204 0 8 205 0 Agile HTTP_RESET_CONTENT Successful Success 2005-06-24 00:15:08 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 205 0 9 206 0 Agile HTTP_PARTIAL_CONTENT Successful Success 2005-06-24 00:15:11 10.1.1.145 GET /
iisstart.htm - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 206 0
10 301 0 Agile HTTP_MOVED_PERMANENTLY Redirection Info 2005-06-24 00:15:46 10.1.1.145 GET /foo.jsp param=<SCRIPT>foo</SCRIPT> 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 301 0 11 302 0 Agile HTTP_MOVED_TEMPORARILY Redirection Info 2005-06-24 00:15:46 10.1.1.145 GET /foo.thtml
param=<SCRIPT>foo</SCRIPT> 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 302 0 12 304 0 Agile HTTP_NOT_MODIFIED Redirection Info 2005-06-24 00:15:46 10.1.1.145 GET /.cobalt/ -
80 - 10.1.1.147 Mozilla/
4.75+[en]+(X11,+U;+Nessus) 304 0
13 307 0 Agile HTTP_TEMPORARY_REDIRECT Redirection Info 2005-06-24 00:15:46 10.1.1.145 GET /1/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 307 0
14 400 0 Agile HTTP_BAD_REQUEST Client Error Info 2005-06-24 00:15:46 10.1.1.145 GET /8/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 400 0
16 401 1 Agile LOGON FAILED Client Error Info 2005-06-24 00:15:46 10.1.1.145 GET /3/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 1
17 401 2 Agile LOGON FAILED DUE TO SERVER CONFIGURATION
Client Error Info 2005-06-24 00:15:46 10.1.1.145 GET /4/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 2
18 401 3 Agile UNAUTHORIZE DUE TO ACL ON RESOURCE
Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /foo.php param=<SCRIPT>foo</SCRIPT> 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 3 19 401 4 Agile AUTHORIZATION FAILED BY FILTER Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /5/ - 80 -
10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 4
20 401 5 Agile AUTHORIZATION FAILED BY ISAPI/ CGI APPLICATION
Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /6/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 5
21 401 7 Agile ACCESS DENIED BY URL AUTHORIZATION POLICY ON WEB SERVER
Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /7/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 7
22 402 0 Agile HTTP_PAYMENT_REQUIRED Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /9/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 402 0
23 403 0 Agile HTTP_FORBIDDEN Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET / AdminWeb/ - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 403 0 24 403 1 Agile EXECUTE ACCESS_FORBIDDEN. Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /
Admin_files/ - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 403 1 Event ID Agile Reports/ Search Title Event Category Event Type
25 403 2 Agile READ ACCESS_FORBIDDEN Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET / Administration/ - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 403 2 26 403 3 Agile WRITE ACCESS_FORBIDDEN Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /
AdvWebAdmin/ - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 403 3
27 403 4 Agile SSL REQUIRED Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /Agent/ - 80 - 10.1.1.147 Mozilla/
4.75+[en]+(X11,+U;+Nessus) 403 4
28 403 5 Agile SSL 128 REQUIRED Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /Agents/ - 80 - 10.1.1.147 Mozilla/
4.75+[en]+(X11,+U;+Nessus) 403 5
29 403 6 Agile IP ADDRESS REJECTED Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /Album/ - 80 - 10.1.1.147 Mozilla/
4.75+[en]+(X11,+U;+Nessus) 403 6
30 403 7 Agile CLIENT CERTIFICATE REQUIRED. Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /CS/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 7
31 403 8 Agile SITE ACCESS DENIED Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /CVS/ - 80 - 10.1.1.147 Mozilla/
4.75+[en]+(X11,+U;+Nessus) 403 8
32 403 9 Agile TOO MANY USERS Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /DMR/ - 80 - 10.1.1.147 Mozilla/
4.75+[en]+(X11,+U;+Nessus) 403 9 33 403 10 Agile INVALID CONFIGURATION Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /
DocuColor/ - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 403 10
34 403 11 Agile PASSWORD CHANGE Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /GXApp/ - 80 - 10.1.1.147 Mozilla/
4.75+[en]+(X11,+U;+Nessus) 403 11
35 403 12 Agile MAPPER DENIED ACCESS. Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /HB/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 12
36 403 13 Agile CLIENT CERTIFICATE REVOKED Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET / HBTemplates/ - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 403 13 37 403 14 Agile DIRECTORY LISTING DENIED Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /
IBMWebAS/ - 80 - 10.1.1.147 Mozilla/ 4.75+[en]+(X11,+U;+Nessus) 403 14
38 403 15 Agile CLIENT ACCESS LICENSES Client Error Error 2005-06-24 00:15:46 10.1.1.145 GET /Install/ - Event ID Agile Reports/ Search Title Event Category Event Type
39 | 403 16 | Agile | CLIENT CERTIFICATE UNTRUSTED OR INVALID | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /JBookIt/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 16
40 | 403 17 | Agile | CLIENT CERTIFICATE EXPIRED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Log/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 17
41 | 403 18 | Agile | CANT EXECUTE REQUESTED URL IN CURRENT APPLICATION POOL | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Mail/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 18
42 | 403 19 | Agile | CANT EXECUTE CGIs FOR CLIENT IN APPLICATION POOL. | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Msword/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 19
43 | 403 20 | Agile | PASSPORT LOGON FAILED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /NSearch/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 20
44 | 404 0 | Agile | HTTP_NOT_FOUND | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /News/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 0
45 | 404 1 | Agile | WEB SITE NOT ACCESSIBLE ON REQUESTED PORT | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /PDG_Cart/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 1
46 | 404 2 | Agile | WEB SERVICE EXTENSION LOCKDOWN POLICY PREVENT THIS REQUEST | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /README/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 2
47 | 404 3 | Agile | MIME MAP POLICY PREVENTS THIS REQUEST | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Readme/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 3
48 | 405 0 | Agile | HTTP_METHOD_NOT_ALLOWED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /SilverStream/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 405 0
49 | 406 0 | Agile | HTTP_NOT_ACCEPTABLE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Stats/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 406 0
50 | 407 0 | Agile | HTTP_PROXY_AUTHENTICATION_REQUIRED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /StoreDB/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 407 0
51 | 412 0 | Agile | HTTP_PRECONDITION_FAILED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.jsp param=<SCRIPT>foo</SCRIPT>.jsp 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 412 0
52 | 413 0 | Agile | HTTP_REQUEST_ENTITY_TOO_LARGE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /robots.txt - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 413 0
53 | 414 0 | Agile | HTTP_REQUEST_URI_TOO_LARGE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /CVS/Entries - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 414 0
54 | 415 0 | Agile | HTTP_UNSUPPORTED_MEDIA_TYPE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.shtml param=<SCRIPT>foo</SCRIPT>.shtml 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 415 0
55 | 416 0 | Agile | HTTP_RANGE_NOT_SATISFIABLE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /NonExistant1555037972/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 416 0
56 | 417 0 | Agile | HTTP_EXPECTATION_FAILED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.thtml param=<SCRIPT>foo</SCRIPT>.thtml 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 417 0
57 | 423 0 | Agile | HTTP_LOCKED ERROR | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.cfm param=<SCRIPT>foo</SCRIPT>.cfm 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 423 0
58 | 500 0 | Agile | HTTP_INTERNAL_SERVER_ERROR | Server Error | Error | 2005-06-24 00:15:53 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 500 0
59 | 500 12 | Agile | APPLICATION BUSY RESTARTING ON WEB SERVER | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 12
60 | 500 13 | Agile | WEB SERVER BUSY | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/
61 | 500 15 | Agile | DIRECT REQUEST FOR GLOBAL.ASA NOT ALLOWED | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 15
62 | 500 16 | Agile | UNC AUTHORIZATION CREDENTIALS INCORRECT | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 16
63 | 500 18 | Agile | URL AUTHORIZATION STORE CANNOT BE OPENED | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 18
64 | 500 100 | Agile | INTERNAL ASP ERROR | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 100
65 | 501 0 | Agile | HTTP_NOT_IMPLEMENTED | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 NESSUS / - 80 - 10.1.1.147 - 501 0
66 | 502 0 | Agile | HTTP_BAD_GATEWAY | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /modules/forum/index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 502 0
67 | 502 1 | Agile | CGI APPLICATION TIMEOUT | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /ttforum/index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 502 1
68 | 502 2 | Agile | ERROR IN CGI APPLICATION | Server Error | Error | 2005-06-24 00:16:23 10.1.1.145 GET /_vti_bin/fpcount.exe - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 502 2
69 | 503 0 | Agile | HTTP_SERVICE_UNAVAILABLE | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /cgi-bin/index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 503 0
70 | 504 0 | Agile | HTTP_GATEWAY_TIME_OUT | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 504 0
71 | 505 0 | Agile | HTTP_VERSION_NOT_SUPPORTED | Server Error | Error | 2005-06-24 00:16:14 10.1.1.145 GET /bizmail.cgi - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 505 0