LOGPARSER #9: Check your Win32 error trends

This script lists every Win32 error recorded in your IIS logs, with its description and total count.

SELECT
sc-win32-status as ErrorNumber,
WIN32_ERROR_DESCRIPTION(sc-win32-status) as ErrorDesc,
Count(*) AS Total
INTO Win32ErrorNumbers.txt
FROM
logs\iis\ex*.log
WHERE
sc-win32-status>0
GROUP BY
ErrorNumber
ORDER BY
Total
DESC

You can also check these errors by day to see any trends. This is useful after site updates, etc. The only problem I’ve found is that you need to manually update this second script with any new error numbers found in the first script.

SELECT
TO_STRING(To_timestamp(date, time), 'MMdd') AS Day,
SUM(c200) AS Credentials,
SUM(c206) AS InvalidToken,
SUM(c207) AS NetworkConnAborted,
SUM(c208) AS BadCommand,
SUM(c301) AS NetworkName,
SUM(c302) AS ExpiredPassword,
SUM(c304) AS Path,
SUM(c307) AS AccessDenied,
SUM(c309) AS CannotFindFile,
SUM(c400) AS LogonFailed
USING
CASE sc-win32-status WHEN 2148074254 THEN 1 ELSE 0 END AS c200,
CASE sc-win32-status WHEN 2148074248 THEN 1 ELSE 0 END AS c206,
CASE sc-win32-status WHEN 1236 THEN 1 ELSE 0 END AS c207,
CASE sc-win32-status WHEN 22 THEN 1 ELSE 0 END AS c208,
CASE sc-win32-status WHEN 64 THEN 1 ELSE 0 END AS c301,
CASE sc-win32-status WHEN 1330 THEN 1 ELSE 0 END AS c302,
CASE sc-win32-status WHEN 3 THEN 1 ELSE 0 END AS c304,
CASE sc-win32-status WHEN 5 THEN 1 ELSE 0 END AS c307,
CASE sc-win32-status WHEN 2 THEN 1 ELSE 0 END AS c309,
CASE sc-win32-status WHEN 2148074252 THEN 1 ELSE 0 END AS c400
INTO
win32errorsperday.csv
FROM
logs\iis\ex*.log
GROUP BY
Day
ORDER BY
Day

Note: The generated CSV file is a comma-separated file. Open a new Excel window and import the data, then apply conditional formatting to it.

//Anders