Do not log < 500 on web sockets as errors

For example if someone spams a web socket without authentication we
should not log "forbidden".  Forbidden is normal/expected operation, not
an error.