    The 15 Most Common Web Server Tags and Real-Time Alerts

    Log data is becoming an increasingly important indicator of companies’ application, IT and overall business health. It is the go-to data when things go wrong.

    More than ever before, companies are turning to logs to proactively troubleshoot in development, support real-time performance-monitoring efforts, analyze user behavior and assure security compliance. Based on Logentries' 25,000 global users who are actively analyzing and tagging critical log events in real time, the top tags fall into three critical categories: organization-wide exceptions (e.g., general browser and server issues); security-related tags (e.g., tracking SQL injection attempts to block breaches); and specific, application-level server exceptions.

    In this slide show, Logentries Chief Scientist Dr. Trevor Parsons shares perspective on the 15 most common Web server tags and real-time alerts so any company can quickly start classifying log data and proactively identify common issues.

    500 Server Errors

    When the Web server is not able to perform a task, it generates 500 server errors. The most common is the 500 internal server error, where something has gone wrong in the server itself. The most common cause of a 500 error is the programming of the underlying application; it is not typically a user-generated issue.

    "/HTTP\/1.[01]"\s+5[0-9]{2}/"

    400 Server Errors

    Similar to 500 server errors, 400 server errors are generated when a server is unable to perform the task as requested by the browser. This is most often due to the browser/client either asking for something to be done that can’t be done or asking for something that it does not have access to. Other common issues include bad request, request timeout, etc.

    "/HTTP\/1.[01]"\s+4[0-9]{2}/"

    204 Server Errors

    The 204 server error occurs when the server performs a request but is not sending back any data. This is a common response for delete commands on RESTful systems. If a system does not use delete commands, then this happens when a server is responding with no content and can often be linked to another issue within a Web application.

    "/HTTP\/1.[01]"\s+204/"

    Exceptions and Errors

    When a Web server sits on top of a Web application or similar, there is always a possibility that the system might send back “Error” or “Exception” in the results. By monitoring for these keywords in outgoing logs, you can quickly catch issues in the underlying system and react proactively instead of waiting for customers to contact you.

    "" ERROR " OR /Exception/i"

    Unauthorized Access of Directories

    Security is always important and there are lots of script kiddies out there who will attempt to gain access to resources on your system that they shouldn’t. One of the common tactics is to test if they can get directory listings for possible directories on a site. Often directories are left unprotected and so if they get a listing, which includes sensitive files, they can gain access to your system. Monitor to see if your site is being asked to list directories and, if so, get notified immediately.

    "/directory index of .* is forbidden/"

    SQL Injection

    Hackers can try to gain access to your database and its contents by attempting to inject SQL commands into the queries that are being sent to your server. By monitoring incoming requests, it is simple to watch for certain SQL keywords and catch any of these types of attempts in real time so you can react accordingly.

    "/^\s*(SELECT|DELETE)/"
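
Reading the slide's pattern as `^\s*(SELECT|DELETE)`, the `^` anchor means it cannot match a whole access-log line, which begins with the client address. The added example below (not Logentries' code) applies it to each URL-decoded query parameter instead; the combined-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The slide's pattern, kept case-sensitive exactly as given.
SQL_START = re.compile(r"^\s*(SELECT|DELETE)")

# Request portion of a combined-format access-log line (assumed layout).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def sql_keyword_params(log_line):
    """Return (name, value) pairs whose decoded value starts with SELECT or DELETE."""
    m = REQUEST.search(log_line)
    if not m:
        return []  # not an access-log line, nothing to inspect
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes names and values and turns "+" into a space.
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if SQL_START.search(value)]

# Constructed sample lines (documentation-range addresses).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /items?id=42 HTTP/1.1" 200 17',
    '203.0.113.7 - - [10/Oct/2014:13:55:37 +0000] '
    '"GET /report?filter=SELECT%20name%20FROM%20users HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2014:13:55:38 +0000] '
    '"GET /report?filter=+DELETE+FROM+orders HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE:
        # The raw line never matches the anchored pattern; the decoded field can.
        print(bool(SQL_START.search(line)), sql_keyword_params(line))
```

Access logs record only the request line, so parameters sent in a request body are not visible to this check.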

    Null Pointer Exception

    This is probably the most common error that a Java/Tomcat developer will get. It is caused when the code being run behind the Web server tries to do something with data that does not exist. This can be generated by either poor programming or by data that was expected to exist that doesn’t. Keep an eye on outgoing responses to your user to make sure that this common issue is minimized.

    "/NullPointerException/"

    Server Stats

    A best practice is to make sure that servers are not being overloaded. This helps to maintain a quality level of service for your users, and customer happiness comes first. By setting up your application to log its CPU load and its disk usage, you can then set up alerts and thresholds in your log management system to let you know when it hits a certain level. This will help you keep your system available and aid in maintaining a good level of service.

    "load>80" AND "disk>=80"

    JDBC Connection Error

    The most common way of having Tomcat or some other Java-based system communicate with a data store is through the use of a JDBC driver and a SQL or similar database. A common Tomcat error to watch for is a Non Transient Connection Exception. With Tomcat and MySQL being a common pairing, it is not uncommon to get this exception. Usually, this happens due to connection pooling where the driver has issues gaining a new connection.

    "MySQLNonTransientConnectionException"

    Java Out of Memory

    Just like any other program, Tomcat and Java need memory to run. But often a program that works perfectly at startup can end up running into this problem. This often occurs because over time a program ends up needing more and more memory either due to increased load or by mismanaged resources. But due to the nature of this type of error, it is good practice to monitor for it. If it does arise, you can quickly resolve the issue and put in a long-term fix.

    "java.lang.OutOfMemoryError"

    Deploy Error

    With a lot of systems deploying regularly to production, errors in the deploy process can lead to major issues for the application. The most common way to deliver a new or updated application to a Tomcat server is in the form of a WAR file. This is just a zipped-up version of all the required files for the application. The problem occurs if the file has been poorly created or has been corrupted in transit, thus creating an error when the file is unzipped. In order to avoid unexpected failures during extraction of the WAR file, the logs generated by the Tomcat server should be monitored for this ZipException and a notification set up to alert those involved.

    "java.util.zip.ZipException"

    Jet Database Error

    With most IIS-based Web applications using some sort of data store, one of the most common methods of accessing the Datastore/DB is through the use of the Microsoft Jet ADO or ODBC drivers. Unfortunately, several issues can appear around this connection and cause an error. These include: The DB is already opened by another source; the data source is marked as exclusive; linked tables; and, the most common, Authorization. Monitoring the logs for the error number helps to quickly and easily identify the real issues.

    "80004005"

    Setup Issues

    When you start to run a new application on a new or existing install of IIS and ASP.net, you often run into the following error: Handler “ScriptHandlerFactory” has a bad module “ManagedPipelineHandler” in its module list. One reason for this error may be that ASP.net was not completely installed during the IIS setup. Another reason this error may appear in your logs is due to a configuration issue when your application requires that it be run in integrated mode. By monitoring your logs for the specific error code 500.21, you can easily catch this error and correct it before it causes a real issue.

    "Error 500.21"

    32-bit VS 64-bit

    With Microsoft supporting two variants of its operating systems – 32-bit and 64-bit – issues around compatibility can leak into a deployment. There can often be issues if you try to launch a 32-bit application in a newer 64-bit version of IIS 7. Changing a setting within the IIS server offers a quick fix, but first you need to make sure you catch the error or you might not know you need to resolve this issue.

    "0x8007000B"

    Stack Overflow

    Occasionally the IIS service W3wp.exe can crash, causing your application to fail. Keep an eye out for this with the pattern below.

    There are many reasons why an application can cause a stack overflow, but basically it is due to the stack thread being damaged. This is one of those generic errors that can be caused by a different issue in every application, so resolving it most often comes down to the developer(s) of the application.

    "0xc00000fd"

    Executing the Top Tags

    These popular tagging and alerting categories support the most common log management use cases including: troubleshooting in development, real-time performance monitoring and alerting of production systems, user behavior analytics, and assuring security compliance.

    Three separate tag files – one for all Web servers, one specific to Tomcat and one specific to Microsoft IIS – are available for easy download at https://logentries.com/doc/community-insights/.
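
How several of the tags above behave on real-looking input, as an added example (not Logentries' code or its downloadable tag files): the slide patterns are transcribed into Python regex syntax and run over constructed Apache-style, nginx and Tomcat log lines. The sample lines, function names and alert thresholds are assumptions.

```python
import re
from collections import Counter

# Tag name -> pattern, transcribed from the slides into Python regex syntax.
# Keyword tags (no slashes on the slide) are escaped so "." matches literally.
TAGS = {
    "500 Server Errors": re.compile(r'HTTP/1.[01]"\s+5[0-9]{2}'),
    "400 Server Errors": re.compile(r'HTTP/1.[01]"\s+4[0-9]{2}'),
    "204 Server Errors": re.compile(r'HTTP/1.[01]"\s+204'),
    "Exceptions and Errors": re.compile(r" ERROR |(?i:Exception)"),
    "Unauthorized Access of Directories": re.compile(r"directory index of .* is forbidden"),
    "Null Pointer Exception": re.compile(r"NullPointerException"),
    "Java Out of Memory": re.compile(re.escape("java.lang.OutOfMemoryError")),
}

def tag_line(line):
    """Return every tag whose pattern matches the line (a line can carry several)."""
    return [name for name, rx in TAGS.items() if rx.search(line)]

def tag_counts(lines):
    """Count tag hits over a batch of lines."""
    return Counter(tag for line in lines for tag in tag_line(line))

def alerts(counts, thresholds):
    """Tags whose hit count reached its alert threshold (threshold values are assumptions)."""
    return sorted(t for t, limit in thresholds.items() if counts[t] >= limit)

# Constructed sample lines: Apache-style access log, nginx error log, Tomcat log.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2014:13:55:37 +0000] "GET /report HTTP/1.1" 500 512',
    # "500" in the path is not a status: the HTTP/1.x" prefix keeps this untagged.
    '203.0.113.7 - - [10/Oct/2014:13:55:38 +0000] "GET /status/500 HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Oct/2014:13:55:39 +0000] "GET /admin/ HTTP/1.1" 403 199',
    '198.51.100.4 - - [10/Oct/2014:13:55:40 +0000] "DELETE /api/items/9 HTTP/1.1" 204 -',
    # HTTP/2 request: the pattern only covers HTTP/1.0 and 1.1, so this 500 is missed.
    '198.51.100.4 - - [10/Oct/2014:13:55:41 +0000] "GET /report HTTP/2.0" 500 512',
    '2014/10/10 13:55:42 [error] 1234#0: *5 directory index of "/var/www/admin/" is forbidden, '
    'client: 198.51.100.4, request: "GET /admin/ HTTP/1.1"',
    'SEVERE: Servlet.service() for servlet [app] threw exception java.lang.NullPointerException',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(tag_line(line), "<-", line[:60])
    print(alerts(tag_counts(SAMPLE), {"500 Server Errors": 1, "400 Server Errors": 5}))
```

If the servers also log HTTP/2 requests, the protocol part of the three status patterns needs widening before the tags are relied on for alerting.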
