Message

Request received (request ID %1) on connection (connection ID %2) from remote address %4.

Fields

Message

Parsed request (request pointer %1, method %2) with URI %3.

Fields

Message

Delivered request to server application (request pointer %1, request ID %2, site ID %3) from request queue %4 for URI %5 with status %6.

Fields

Message

Server application passed response (request ID %1, connection ID %2, method %4, header length %5, number of entity chunks %6, cache policy %7) with status code %3.

Fields

Message

Server application passed the last response (corresponding to request ID %1).

Fields

Message

Server application passed entity body for request ID %1 (connection ID %2).

Fields

Message

Server application passed the last entity body for request ID %1.

Fields

Message

Server application passed response (request ID %1, connection ID %2, method %4, header length %5, number of entity chunks %6, cache policy %7) with status code %3.

Fields

Message

Server application passed the last response (corresponding to request ID %1).

Fields

Message

Response ready for send (corresponding to request ID %1) with status code %2.

Fields

Message

Cached the response (corresponding to request ID %1) with status code %2. Response to be sent.

Fields

Message

Queued last response (corresponding to request ID %1) for sending. Status code is %2.

Fields

Message

Response sent (corresponding to request ID %1) with status code %2. If disconnect is required, a TCP FIN has been sent.

Fields

Message

Error occurred while sending the last response (corresponding to request ID %1) with status code %2. A TCP Reset has been sent.

Fields

Message

Error %3 occurred while sending (corresponding to request ID %1). A TCP Reset will be sent.

Fields

Message

Response (request pointer %1, site ID %2, number of bytes %3) queued for sending from the cache.

Fields

Message

Response (request pointer %1, site ID %2, number of bytes %3) queued for sending with status code 304 (cache not modified).

Fields

Message

Attempted to reserve URL (%1). Status %2.

Fields

Message

Successfully read the IP listen list for IP address %1.

Fields

Message

SSL credentials for IP address and port %3 successfully created.

Fields

Message

New connection created (local IP address %3 and remote address %5).

Fields

Message

Connection ID (%2) assigned to connection and request (request ID %1) will be parsed.

Fields

Message

Client closed the connection (connection pointer %1). Status of whether closed by TCP Reset: %2.

Fields

Message

Connection (connection pointer %1) cleanup started due to either the sending of a TCP Reset, receiving of a TCP Reset, or after the mutual exchange of TCP Fins.

Fields

Message

Successfully added entry (URI %1) to cache.

Fields

Message

Failed to add an entry (URI %1) to the cache. Status: %2.

Fields

Message

Flushed entry (URI %1) from the cache.

Fields

Message

Attempted to set URL group property: %1. Status: %2.

Fields

Message

Attempted to set server session property: %1. Status: %2.

Fields

Message

Attempted to set request queue property: %1. Status: %2.

Fields

Message

Attempted to add URL (%2) to URL group (%1). Status: %3.

Fields

Message

Removed URL (%2) from URL group (%1).

Fields

Message

Removed all URLs from URL group %1.

Fields

Message

Initiating SSL connection.

Fields

Message

Initiating SSL handshake.

Fields

Message

SSL handshake completed with status: %1.

Fields

Message

Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.

Fields

Message

Attempt by server application to receive client certificate failed with status: %1.

Fields

Message

Raw SSL data is available for processing.

Fields

Message

Decrypted SSL data is available for processing.

Fields

Message

Passed plaintext data for encryption.

Fields

Message

Attempt (on connection ID %1) to authenticate client completed. Authentication type %2. Security status: %3.

Fields

Message

Attempted to add entry to the %2 authentication cache. Status: %4.

Fields

Message

Entry successfully removed from the authentication cache.

Fields

Message

Successfully associated QoS flow with connection (connection ID %1). Bandwidth throttled to: %2 Bytes per second.

Fields

Message

Failed to configure the %2 logging (directory %4), Status: %1.

Fields

Message

Successfully configured %2 logging (directory %5).

Fields

Message

Failed to create %2 log file %5. Status: %1.

Fields

Message

Successfully created new %2 log file %5.

Fields

Message

Entry has been written to %3 log file.

Fields

Message

Parsing of request (request ID %2) failed due to reason: %3. Request may not be compliant with HTTP/1.1.

Fields

Message

HTTP timer %3 expired. The connection will be reset.

Fields

Message

Failed to acquire handle for SSL credentials. Failure will be event logged. Security status: %2.

Fields

Message

SSL connection will be disconnected as initiated by the client.

Fields

Message

SSL connection will be disconnected as initiated by the server application. Status: %2.

Fields

Message

Attempt to decrypt SSL data failed. Security status: %2.

Fields

Message

Query for SSL connection parameters failed. Security status: %2. Connection will be reset.

Fields

Message

Cannot find SSL endpoint for inbound connection for local IP address and port %3.

Fields

Message

Attempt to perform SSL handshake failed. Security status: %2.

Fields

Message

Attempt to encrypt SSL data failed. Security status: %2.

Fields

Message

Request (request ID %1) rejected due to reason: %2.

Fields

Message

Server application canceled the processing of its request (request ID %1).

Fields

Message

Http.sys failed to process CPU hot-add. Processor number: %1, reason: %2, status: %3.

Fields

Message

Hot-add information: Current UxNumberOfProcessors: %1, comment: %2.

Fields

Message

Initialized QoS flow: FlowHandle %1, bandwidth %2, peak bandwidth %3, burst size %4

Fields

Message

Initialized QoS flow: FlowHandle %1, bandwidth %2, peak bandwidth %3, burst size %4

Fields

Message

QoS flow initialization failed: bandwidth %1, peak bandwidth %2, burst size %3, status %4

Fields

Message

Setting flow: Connection %1, FlowHandle %2

Fields

Message

Assign to Configuration QoS Flow: FlowHandle %1

Fields

Message

[re]Setting QoS Flow failed: Connection %1, FlowHandle %2, status %3

Fields

Message

Response range processing done. Req. %1, response content size %2, ranges %3 (%4-%5, %6-%7,...)

Fields

Message

Begin building slices. Req. %1, slices %2 (%3,%4,...), ranges %5 (%6-%7, %8-%9,...)

Fields

Message

Send cached slices. Req. %1, CacheEntry %2, slices %3 (%4,%5,...), ranges %6 (%7-%8, %9-%10,...)

Fields

Message

Cached slices match content. Req. %1, CacheEntry %2, slices %3 (%4,%5,...), ranges %6 (%7-%8, %9-%10,...)

Fields

Message

Merge slices to cache. CacheEntry %1, slices to merge %2, slices to cache %3

Fields

Message

Sending range from flat cache entry. CacheEntry %1, range %2-%3

Fields

Message

Channel bind ASC parameters: connection %1, buffers %2, flags %3

Fields

Message

Service bind check done. Connection %1, Context %2-%3, status %4, target %5

Fields

Message

Captured channel bind config. Hardening %1, flags %2, service count %3

Fields

Message

Channel bind response config overwrites %1

Fields

Message

Policy-Based QoS: Connection %1, FlowHandle %2

Fields

Message

Thread pool extension. Pool type: %1, active pools: %2.

Fields

Message

Thread ready. Pool type: %1, active pools: %2, thread count: %3

Fields

Message

Thread pool trim. Pool type: %1, active pools: %2.

Fields

Message

Thread gone. Pool type: %1, active pools: %2, thread count: %3

Fields

Message

SNI parsed for connection: %1 with status: %2

Fields

Message

Request %1 has initated opaque mode

Fields

Message

Endpoint auto-generated for %2

Fields

Message

Deleted auto-generated endpoint for %2

Fields

Message

Inbound connection for IP: %3, SNI: %4. SSL endpoint found: %5

Fields

Message

SSL connection with local IP address and port %2 rejected due to configuration policy.

Fields

Message

Parsing of response (response ID %2) failed due to reason: %3. Request may not be compliant with HTTP/1.1.

Fields

Message

SSL handshake failed. Local IP: %2, Remote IP: %4, SNI: %5, Thumbprint: %7, Client Initiated Disconnect: %8, Abortive Disconnect: %9, Connection Status: %10

Fields

Message

HTTP error response sent. Url: %1, Verb: %2, Status Code: %3, Cache Send: %4, Request Queue: %5, PID: %6, TID: %7, Image Name: %8, Working Set(Bytes): %9, Send Status: %10, Thread Count: %11, Reason Phrase: %12, Error Cause: %13, Verbosity: %14

Fields

Message

SSL renegotiate timed out. Local IP: %2, Remote IP: %4, SNI: %5, Thumbprint: %7, Connection Buffer Full: %8

Fields

Message

HTTP 11 Required. Verb: %1, Fault Code: %2

Fields

Message

Version: %1 Counts: %2

Fields

Message

Version: %1 Counts: %2

Fields

Message

QUIC Connection. QuicConnectionId: %1, Connection: %2, Local IP: %4, Remote IP: %6, SNI: %8, ErrorCode: %9, Status: %10

Fields

Message

QUIC Connection Callback. Connection: %1, Event: %2, EventParam: %3

Fields

Message

QUIC Stream. QuicStreamId: %1, Connection: %2, Stream: %3

Fields

Message

QUIC Stream Callback. Stream: %1, Connection: %2, StreamType: %3, Event: %4, EventParam: %5

Fields

Message

QUIC Registration Failed. Status: %1

Fields

Message

Correlation ID for request %1: %2

Fields

Message

Create URL group %1. Status %2. Process Id %3 Executable path %4, User %5

Fields

Message

Attempted to reserve URL %1. Status %2. Process Id %3 Executable path %4, User %5

Fields

Example Event

system:
  provider: Microsoft-Windows-HttpService
  guid: DD5EF90A-6398-47A4-AD34-4DCECDEF795F
  event_source_name: ''
  event_id: 112
  version: 0
  level: 4
  task: 3
  opcode: 121
  keywords: 4611686018427387905
  time_created: '2023-11-06T06:25:42.192778+00:00'
  event_record_id: 1703
  correlation: {}
  execution:
    process_id: 4
    thread_id: 228
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Url: http://+:10243/WMPNSSv4/
  ReserveStatus: 0
  ProcessId: 4
  ExecutablePath: ''
  UserSid: S-1-5-18
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Attempted to add URL (%2) to URL group (%1). Status: %3. Process Id %4 Executable path %5, User %6

Fields

Message

Removed URL (%2) from URL group (%1). Process Id %3 Executable path %4, User %5

Fields

Example Event

system:
  provider: Microsoft-Windows-HttpService
  guid: DD5EF90A-6398-47A4-AD34-4DCECDEF795F
  event_source_name: ''
  event_id: 114
  version: 0
  level: 4
  task: 5
  opcode: 123
  keywords: 4611686018427387968
  time_created: '2023-10-25T22:56:15.387118+00:00'
  event_record_id: 1477
  correlation: {}
  execution:
    process_id: 3840
    thread_id: 3904
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  UrlGroupId: 18302628886170566657
  Url: http://*:5357/31383106-803d-411b-9763-a28cdc0f0c3f/
  ProcessId: 3840
  ExecutablePath: \Device\HarddiskVolume4\Windows\System32\svchost.exe
  UserSid: S-1-5-19
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Removed all URLs from URL group %1. Process Id %2 Executable path %3, User %4

Fields

Message

Attempted to set URL group %1 property %2. Status: %3. Process Id %4 Executable path %5, User %6

Fields

Message

Delete URL group %1. Status %2. Process Id %3 Executable path %4, User %5

Fields

Example Event

system:
  provider: Microsoft-Windows-HttpService
  guid: DD5EF90A-6398-47A4-AD34-4DCECDEF795F
  event_source_name: ''
  event_id: 117
  version: 0
  level: 4
  task: 5
  opcode: 126
  keywords: 4611686018427387968
  time_created: '2023-10-25T22:56:15.387403+00:00'
  event_record_id: 1478
  correlation: {}
  execution:
    process_id: 3840
    thread_id: 3904
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  UrlGroupId: 18302628886170566657
  Status: 0
  ProcessId: 3840
  ExecutablePath: \Device\HarddiskVolume4\Windows\System32\svchost.exe
  UserSid: S-1-5-19
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Status %1. Process Id %2 Executable path %3, User %4

Fields

Message

SSL Certificate Settings deleted for endpoint : %1. Status %2. Process Id %3 Executable path %4, User %5

Fields

Message

SSL Certificate Settings created by an admin process for endpoint : %1. Status %2. Process Id %3 Executable path %4, User %5

Fields

Message

SSL Certificate Settings updated by an admin process for endpoint : %1, Extended Param Type %2. Status %3. Process Id %4 Executable path %5, User %6

Fields

Message

Set the IP address to the listen only list %1. Status %2. Process Id %3 Executable path %4, User %5

Fields

Message

QUIC certificate load failed with status %1 and was ignored due to disabled TLS 1.3 (status %2).

Fields

Message

Request (request ID %1) rejected due to request queue overflow

Fields

Message

Connection %1, Connection Id %2: Stream Created, StreamId %3

Fields

Message

Connection %1, Connection Id %2: Stream Aborted, StreamId %3, HRESULT error %4, Reset Code %5

Fields

Message

Connection %1, Connection Id %2: Send StreamId %3, Length %4

Fields

Message

Connection %1, Connection Id %2: Data Indincation, StreamId %3, BytesIndicated %4, BytesAccepted %5, Status %6

Fields

Message

Connection %1, Connection Id %2: Header Indincation, StreamId %3, Headers indicated %4, Status %5

Fields

Message

Connection %1, Connection Id %2: Go Away, StreamId %3, ErrorCode %4, FaultCode %5

Fields

Message

Http2 fault. Connection %1, Connection Id %2:, StreamId %3, Code %4, Status %5

Fields

Message

Connection %1, Connection Id %2: Create

Fields

Message

Connection %1, Connection Id %2: Detach

Fields

Fields

Fields

Fields

Fields

Message

Query for SSL connection cipher info failed. Security status: %2. Connection will be reset.

Fields