locked
Negative values in sc-bytes? RRS feed

  • Question

  • User-1291324404 posted

    Hey everyone, I've had my advanced logging going for a while and I've just recently noticed that I have some really weird log entries, the sc-bytes field is -2147024894, has anybody ever seen this? And does anybody have any idea as to why? I've also noticed that it only appears on 404 error's...

    Thursday, March 1, 2012 8:17 PM

All replies

  • User989702501 posted

    Should not be sc-bytes, but instead sc-win32-status ?
    and it is normal for 404.x status code.

    Thursday, March 1, 2012 8:53 PM
  • User-1291324404 posted

    No, it's in the sc-bytes field.

    #Fields:  date time cs-uri-stem cs-uri-query s-contentpath sc-status s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes X-Forwarded-For W3WP-PrivateBytes cs-username cs(User-Agent) TimeTakenMS sc-substatus s-sitename s-ip RequestsPerSecond s-proxy cs-version c-protocol cs-method cs(Host) CPU-Utilization cs(Cookie) c-ip

    2012-02-13 21:15:54.312 /fifiles/static/images/slider/destination retirement.jpg - \"c:\\inetpub\\wwwroot\\fifiles\\static\\images\\slider\\destination retirement.jpg\" 404 \"hag-macu-web6\" \"http://www.domain.com/\" -2147024894 4198 556 \"50.135.250.211\" - - \"mozilla/5.0 (compatible; msie 9.0; windows nt 6.1; wow64; trident/5.0)\" 0 0 \"default web site\" 10.100.8.21 80 - - \"http/1.1\" \"http\" get \"www.domain.com\" - \"bigipservercustomer_macu_2_http=352871434.20480.0000; ts4b98d3=e0f5060e9486566559ed62335b6db944db2232b6c44bae394f397da2; asp.net_sessionid=h5pfr0rry3a0yqwfhnl241pi\" 10.100.8.18

    I've bolded the parts that are busted in this log entry, the URI has spaces and is not quoted, and the sc-bytes is -2147024894. Weird right?

    Friday, March 2, 2012 11:26 AM
  • User989702501 posted

    Errr let's split it one by one:

    date 2012-02-13
    time 21:15:54.312
    cs-uri-stem /fifiles/static/images/slider/destination retirement.jpg
    cs-uri-query -
    s-contentpath \"c:\\inetpub\\wwwroot\\fifiles\\static\\images\\slider\\destination retirement.jpg\"
    sc-status 404
    s-computername \"hag-macu-web6\"
    cs(Referer) \"http://www.domain.com/\"
    sc-win32-status -2147024894
    sc-bytes 4198
    cs-bytes 556
    X-Forwarded-For \"50.135.250.211\"
    W3WP-PrivateBytes -
    cs-username -

     It is sc-win32-status :) correct ? 

    Sunday, March 4, 2012 5:46 AM
  • User-1291324404 posted

    woowwww. I really botched that one. I even looked at it a few times to make sure. Sometimes it just takes a second pair of eyes. Thanks. Do you have any ideas as to the missing quotes on the cs-uri-stem?

    Monday, March 5, 2012 5:14 PM
  • User989702501 posted

    @@ it happened to me many times as well.

    Where you are too 'in' into something, probably the fact is you are no way near to finding the answer.

    Anyway, cs-uri-stem - no quotes? mm... I just noticed the same, I won't say it is missing, maybe it was design that way as " can be a valid URI ?

    Monday, March 5, 2012 11:06 PM
  • User-1291324404 posted

    I also noticed it on cs-uri-query does the same thing. Sad. Do you know if advanced logger is a .net plugin? or a native c++ module?

    Tuesday, March 6, 2012 12:21 PM
  • User-1291324404 posted

    Better yet, where do you file a bug for this? According to their readme file it specifically states, and I quote:

  • Logging string values with quotation marks. You can specify the maximum size for logging fields that record string values. Strings that are larger than this value will be truncated to the maximum size that you specify, which allows applications that have string size limits consume the data. Advanced Logging follows the <?XML:NAMESPACE PREFIX = [default] http://ddue.schemas.microsoft.com/authoring/2003/5 NS = "http://ddue.schemas.microsoft.com/authoring/2003/5" /><linkText xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">W3C Extended Log File Format</linkText> and surrounds string values with quotation marks, which causes further truncation of the strings that are consumed by these applications, reducing the amount of usable data.

    This is from: http://learn.iis.net/page.aspx/1035/advanced-logging-readme/

Tuesday, March 6, 2012 12:38 PM
  • User989702501 posted

    Native module - %ProgramFiles%\IIS\Advanced Logging\AdvancedLoggingModule.dll

    Tuesday, March 6, 2012 7:17 PM
  • User-1291324404 posted

    Well, bummer. I'll just have to leave my hacky code in my log parser until it gets fixed (hopefully) by the people that originally wrote it.

    Tuesday, March 6, 2012 7:30 PM
  • User989702501 posted
    Interesting... I didn't recall that W3C format got quotation marks.
    Anyway, you can try post it to feedback section.
    Wednesday, March 7, 2012 12:32 AM
  • User210535102 posted

    Reviving the long dead... but I've got the same issue.  So it would be apparent this never got fixed.

    I have to start using Advanced Logging because I'm behind an F5 and need to get the forwarded ips.

    from what I can see, the log files must have a format issue because I'm seeing incorrect values show up across most of the columns... so likely off by one or more vals per line

    Friday, December 9, 2016 5:21 PM
  • User1896514328 posted

    Hi Carphuntin,

    The problem on this thread ended up being user-error and there was no actual problem.

    Please post one of your logs with the headers so we can see the possible issue.

    Friday, December 9, 2016 5:33 PM