
over %60 of log entries from MWG have status_code=0

We've been trying to get to the bottom of this for over a month now. Affects both HTTP and HTTPS traffic. Over 60% of all logs have a status code of 0. We received an explanation from McAfee, but the explanation made absolutely no sense. Even after asking for clarification, the explanation doesn't make sense (I think it could be a language barrier).

I wanted to check here before escalating the issue with McAfee. 

Can anyone explain why the logs have this status code of 0?

3 Replies
AaronT

Re: over %60 of log entries from MWG have status_code=0

Can you provide more information on which logs?

I'm assuming you're referring to the access logs? Typically in the access log that means the traffic wasn't blocked (block.id 0 means the request was successful).

Re: over %60 of log entries from MWG have status_code=0

Yes, sorry. This is the HTTP status code; other codes we see are 200, 403, 500, etc. Here are some log entry examples with all sensitive information removed:

Jun 10 07:36:01 x.x.x.x mwg: NAME|time_stamp=[10/Jun/2019:12:36:01 +0000]|auth_user=|src_ip=|server_ip=|host=certificates.godaddy.com|url_port=80|status_code=0|bytes_from_client=0|bytes_to_client=0|categories=Business|rep_level=Minimal Risk|method=GET|url=http://certificates.godaddy.com/repository/gdig2.crt|media_type=application/x-empty|application_name...

 

Jun 10 07:36:26 x.x.x.x mwg: NAME|time_stamp=[10/Jun/2019:12:36:26 +0000]|auth_user=|src_ip=|server_ip=|host=fonts.gstatic.com|url_port=443|status_code=0|bytes_from_client=0|bytes_to_client=0|categories=Content Server, Internet Services|rep_level=Minimal Risk|method=CERTVERIFY|url=https://fonts.gstatic.com|media_type=application/x-empty|application_name=|user_agent=|block_res=0|b...

 

As you can see, the above examples include HTTP and HTTPS traffic, but the status code is 0 for both. This status code is the HTTP status code field.

Re: over %60 of log entries from MWG have status_code=0

Being curious, I quickly checked some of my own access.log files and indeed found many of those myself. They all have a common pattern: they are all HTTP/2.0 and 0 bytes to client. Therefore I think they were all canceled.
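One way to test the patterns raised in the replies above is to break the status_code=0 entries down by method and bytes_to_client. This is an added example, not part of the thread: the sample lines are constructed to follow the field layout of the quoted entries, and `parse_line` and `summarize_zero_status` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines following the layout quoted in the thread
# (syslog prefix, then pipe-delimited key=value pairs). All values are invented.
SAMPLE = """\
Jun 10 07:36:01 x.x.x.x mwg: NAME|time_stamp=[10/Jun/2019:12:36:01 +0000]|auth_user=|host=a.example|url_port=80|status_code=0|bytes_from_client=0|bytes_to_client=0|method=GET|url=http://a.example/x.crt|media_type=application/x-empty|application_name...
Jun 10 07:36:26 x.x.x.x mwg: NAME|time_stamp=[10/Jun/2019:12:36:26 +0000]|auth_user=|host=b.example|url_port=443|status_code=0|bytes_from_client=0|bytes_to_client=0|method=CERTVERIFY|url=https://b.example|block_res=0|b...
Jun 10 07:36:27 x.x.x.x mwg: NAME|time_stamp=[10/Jun/2019:12:36:27 +0000]|auth_user=|host=b.example|url_port=443|status_code=200|bytes_from_client=512|bytes_to_client=20480|method=GET|url=https://b.example/css?family=A|B|block_res=0
Jun 10 07:36:30 x.x.x.x mwg: NAME|time_stamp=[10/Jun/2019:12:36:30 +0000]|auth_user=|host=c.example|url_port=80|status_code=403|bytes_from_client=300|bytes_to_client=1500|method=GET|url=http://c.example/|block_res=10
"""

def parse_line(line):
    """Return the key=value fields of one MWG syslog line as a dict, or None."""
    _, sep, body = line.partition(" mwg: ")
    if not sep:
        return None
    # Drop a trailing fragment cut off with "..." as in the pasted examples.
    body = re.sub(r"\|[^|=]*\.\.\.$", "", body.strip())
    # Split only on a '|' that starts a new key=, so a '|' inside a value survives.
    parts = re.split(r"\|(?=[a-z_]+=)", body)
    fields = {}
    for part in parts[1:]:  # parts[0] is the log name token
        key, _, value = part.partition("=")  # first '=' only; URLs may contain more
        fields[key] = value
    return fields

def summarize_zero_status(lines):
    """Count status_code=0 entries and break them down by method and byte count."""
    total = zero = no_bytes = 0
    by_method = Counter()
    for line in lines:
        f = parse_line(line)
        if not f or "status_code" not in f:
            continue
        total += 1
        if f["status_code"] == "0":
            zero += 1
            by_method[f.get("method", "?")] += 1
            no_bytes += f.get("bytes_to_client") == "0"
    return {"total": total, "zero": zero, "by_method": dict(by_method),
            "zero_with_no_bytes_to_client": no_bytes}

if __name__ == "__main__":
    print(summarize_zero_status(SAMPLE.splitlines()))
```

Run against a real access log export, the `by_method` and `zero_with_no_bytes_to_client` counts show whether the zero-status entries cluster on CERTVERIFY or on requests with no response bytes.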
