Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
|Source: ASP.NET 4.0.30319.0|
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 1/28/2012 2:40:53 AM
Event time (UTC): 1/28/2012 7:40:53 AM
Event ID: 9ab93ebd11c049ff8b0daed494d31000
Event sequence: 816
Event occurrence: 1
Event detail code: 0
Application domain: /LM/W3SVC/96341253/Root-2-129721774566969617
Trust level: Full
Application Virtual Path: /
Application Path: C:\var\v3.cobra.com\
Machine name: VARTOR01
Process ID: 388
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception type: HttpException
Exception message: A potentially dangerous Request.Path value was detected from the client (:). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.ValidateRequestExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Request URL: http://cobra.com/(https:
Request path: /(https:
User host address: 188.8.131.52
Is authenticated: False
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread ID: 62
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.ValidateRequestExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
|English: Request a translation of the event description in plain English.|
- HttpException / Request timed out. - According to EV100639 (How to troubleshoot HttpException Request timed out), this kind of issue is typically occurs when the ASP.NET request executes for a period of time longer than the maximum timeout period allowed for server-side code execution. This maximum timeout period can be set by executionTimeout attribute of httpRuntime element in config file. (The default value is 110 seconds in .Net 4.0). See the article for detailed information on how to debug this type of error.
Error: "The OwinStartup attribute discovered in assembly 'MvcMovie' referencing startup type 'MvcMovie.Startup' conflicts with the attribute in assembly 'WroxMvcCh4' referencing startup type 'WroxMvcCh4.Startup' because they have the same FriendlyName ''. Remove or rename one of the attributes, or reference the desired type directly" - This error was recorded after a new ASP.Net MVC5 website was published on top of an old one. The web.config file contained references to the old website. Once the references were removed (for the MvcMovie), the problem disappeared.
According to ME2249852, this issue may occur when the IIS website that hosts an Exchange Web Services (EWS) virtual directory contains a site binding that binds to an IPv6 address. Hotfix ME981667 is supposed to fix this.
Various types of "Exception type/message" combinations recorded with this event:
- HttpException / A potentially dangerous Request.Path value was detected from the client - This is usually the result of a malformed request from a client, in many cases they are attempts of hacking (just scripts scanning the website for vulnerabilities).
- ThreadAbortException / Thread was being aborted.
- SqlException / Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding. - This indicates a communication problem between the website and the SQL database that it is used by it. It may also indicate a problem with the rights of the user used to connect to the database (may not have enough permissions).
- ArgumentException / An entry with the same key already exists. - Most probably a bug in the application running on the web server
- HttpException / Request timed out. - As the message says, one of the HTTP requests have not been answered by the server in a timely fashion so it failed with a timeout error. May indicate a network communication problem, lack of resources, faulty app and so on.
The main reason for this type of error is recorded in the "Exception message" part of the description. That part, combined with the "Request URL" should pinpoint the source of the problem.
For example, a common exception message is "A potentially dangerous Request.Path value was detected from the client". See EV100374 (Server Error in Application) for details about this common problem.
A potentially dangerous Request.Path value was detected from the client - This event is recorded by ASP.NET when it encounters an error that cannot be handled properly. ASP.NET will record as many details as possible, including the application that was affected, the application path, the actual code where the error was encountered and so on. By analyzing the information recorded in the description, the administrator may be able to determine the cause of the error and take the appropriate step in fixing it. In most cases there is nothing wrong with the application and the admin cannot this type of anonymous requests being sent against the webserver. All he/she has to do is to make sure that the application is not vulnerable to this type of attacks (malformed HTTP requests, SQL injection and so on).
In the example above, the error was caused by a web request:
The "(https:" argument is obviously an error in the HTTP request (most probably a script with programming mistakes in it).
|Private comment: Subscribers only. See example of private comment|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (0) - More links...|
Send comments or solutions
- Notify me when updated