LOGPARSER #9: Check your Win32 error trends


This script returns every Win32 error recorded in your IIS logs, with its description and a count of how often it occurred.

SELECT
    sc-win32-status as ErrorNumber,
    WIN32_ERROR_DESCRIPTION(sc-win32-status) as ErrorDesc,
    Count(*) AS Total
    INTO Win32ErrorNumbers.txt
FROM
    logs\iis\ex*.log
WHERE
    sc-win32-status>0
GROUP BY
    ErrorNumber
ORDER BY
    Total
DESC


You can also check these errors by day to see any trends, which is useful after site updates etc. The only problem I've found is that you need to manually update this second script with any new error numbers found in the first script.

SELECT
  TO_STRING(To_timestamp(date, time), 'MMdd') AS Day,
  SUM(c200) AS Credentials,
  SUM(c206) AS InvalidToken,
  SUM(c207) AS NetworkConnAborted,
  SUM(c208) AS BadCommand,
  SUM(c301) AS NetworkName,
  SUM(c302) AS ExpiredPassword,
  SUM(c304) AS Path,
  SUM(c307) AS AccessDenied,
  SUM(c309) AS CannotFindFile,
  SUM(c400) AS LogonFailed
USING
  CASE sc-win32-status WHEN 2148074254 THEN 1 ELSE 0 END AS c200,
  CASE sc-win32-status WHEN 2148074248 THEN 1 ELSE 0 END AS c206,
  CASE sc-win32-status WHEN 1236 THEN 1 ELSE 0 END AS c207,
  CASE sc-win32-status WHEN 22 THEN 1 ELSE 0 END AS c208,
  CASE sc-win32-status WHEN 64 THEN 1 ELSE 0 END AS c301,
  CASE sc-win32-status WHEN 1330 THEN 1 ELSE 0 END AS c302,
  CASE sc-win32-status WHEN 3 THEN 1 ELSE 0 END AS c304,
  CASE sc-win32-status WHEN 5 THEN 1 ELSE 0 END AS c307,
  CASE sc-win32-status WHEN 2 THEN 1 ELSE 0 END AS c309,
  CASE sc-win32-status WHEN 2148074252 THEN 1 ELSE 0 END AS c400
INTO
  win32errorsperday.csv
FROM
    logs\iis\ex*.log
GROUP BY
  Day
ORDER BY
  Day

Note: The generated CSV file is a comma-separated file. Open a new Excel window and import the data. Give it conditional formatting and it looks something like this.

image
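
An added example, not part of the original post: a Python script that builds the same per-day table straight from the raw logs and discovers every non-zero sc-win32-status by itself, so the list of codes never has to be maintained by hand. The sample log lines are constructed, and the function names are hypothetical.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format (not from the original post).
# The second #Fields line mimics a logging-configuration change mid-file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-uri-stem sc-status sc-win32-status
2009-03-01 10:00:01 /default.aspx 200 0
2009-03-01 10:00:02 /admin/ 401 2148074252
2009-03-01 10:00:05 /admin/ 401 2148074252
2009-03-01 10:01:00 /missing.gif 404 2
#Fields: date time c-ip cs-uri-stem sc-status sc-win32-status
2009-03-02 09:00:00 192.0.2.10 /big.zip 200 64
2009-03-02 09:00:03 192.0.2.10 /admin/ 401 5
2009-03-02 09:00:04 192.0.2.10 /admin/ 401 2148074252
"""

def win32_errors_per_day(lines):
    """Return {'MMdd': Counter({win32_code: hits})} for every non-zero code."""
    fields, per_day = [], defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split(" ")))
            code = row.get("sc-win32-status", "0")
            date = row.get("date", "")     # W3C date is yyyy-MM-dd
            if code.isdigit() and int(code) > 0 and len(date) == 10:
                per_day[date[5:7] + date[8:10]][int(code)] += 1
    return dict(per_day)

def to_csv(per_day):
    """Pivot to one row per day and one column per code seen in the logs."""
    codes = sorted({c for counts in per_day.values() for c in counts})
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Day"] + [str(c) for c in codes])
    for day in sorted(per_day):
        # A Counter returns 0 for codes that did not occur on that day.
        writer.writerow([day] + [per_day[day][c] for c in codes])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(win32_errors_per_day(SAMPLE_LOG.splitlines())), end="")
```

To use it on real data, feed it the lines of the ex*.log files in place of SAMPLE_LOG; the resulting CSV imports into Excel the same way as the Log Parser output.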

//Anders
