Microsoft IIS
The Microsoft IIS application normalizes Microsoft IIS events and lets you analyze the data using pre-set dashboard views.
Package Details
Microsoft IIS components:
- Dashboard Package
  - LP_MS IIS
- Normalization Packages
  - LP_Microsoft Exchange IIS
  - LP_Microsoft IIS
  - LP_Microsoft IIS FTP
- Compiled Normalizer
  - MicrosoftIISCompiledNormalizer
Enhancement
Description | Issue ID | Reference ID
---|---|---
Added a Syslog Collector based IIS log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. | KB-22757 | -
Installation
To install Microsoft IIS:
- Download the .pak file from the Download link above.
- Go to Settings >> System Settings from the navigation bar and click Applications.
- Click Import.
- Browse to the downloaded .pak file.
- Click Upload.
Past Releases
Microsoft IIS v5.1.0
Supported On: Logpoint v6.7.0 and later
Download: MicrosoftIIS_5.1.0.pak
SHA256: 39df0c0eae511f5f8597f38111b6c76afd1a574789107d5de93c06c64f1d06ce
Enhancement
The compiled normalizer MicrosoftIISCompiledNormalizer has been updated to correctly handle the truncated JSON logs from Microsoft IIS.
Supported Versions
- Microsoft IIS Server 6.0
- Microsoft IIS Server 7.0
- Microsoft IIS Server 7.5
- Microsoft IIS Server 8.0
- Microsoft IIS Server 8.5
- Microsoft IIS Server 10
NxLog Sample Configuration File
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

# Column layout of the IIS W3C log; must match the #Fields header of the log file
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs-User-Agent, $cs-Cookie, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken
    FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, string, string, string, integer, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

# Convert the IIS logs to JSON and use the original event time
<Input IIS_Logs>
    Module im_file
    File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    ReadFromLast FALSE
    Recursive TRUE
    PollInterval 1
    Exec $FileName = file_name();
    # Lines starting with '#' are W3C directives (#Software, #Fields, ...), not hits
    Exec if $raw_event =~ /^#/ drop();\
         else\
         {\
             w3c->parse_csv();\
             $EventTime = parsedate($date + " " + $time);\
             $SourceName = "IIS";\
         }
</Input>

<Input in>
    Module im_msvistalog
</Input>

# Send each event as JSON inside a BSD syslog message to the Logpoint Syslog collector
<Output out>
    Module om_tcp
    Host 192.168.2.1
    Port 514
    Exec to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path IIS_Logs, in => out
</Route>
Note: Create the parsing rules according to the headers of the IIS log file, because the Fields and FieldTypes lists must line up with the columns IIS actually writes. For the header #Software: Microsoft Internet Information Services 10.0, the sample rule looks like:
Fields date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs-User-Agent, cs-Cookie, cs-Referer, cs-host, sc-status, sc-substatus, sc-win32-status, time-taken
FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, string, string, integer
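The following is an added example, not part of the Logpoint package or of NxLog, showing what the NxLog configuration above does in plain Python: drop W3C directive lines, parse each hit according to the column layout, convert the date and time into an event timestamp, and wrap the JSON in a BSD syslog message. Unlike the static Fields list in the xm_csv extension, it reads the column layout from the log file's own #Fields directive, so a changed IIS logging configuration cannot silently shift values into the wrong fields. The log content, the hostname IISSRV01 and the function names are constructed for this example; the integer field list and the underscore form of the JSON keys follow the sample configuration and the JSON log sample on this page.

```python
"""Parse IIS W3C extended log lines using the file's own #Fields directive.

Added example (not Logpoint or NxLog code). Mirrors the behaviour of the NxLog
sample configuration: directive lines are dropped, date + time become
EventTime, and the event is emitted as JSON inside a BSD syslog message.
"""
import json
from datetime import datetime
from typing import Any, Dict, List

# Fields that IIS writes as integers (same set the sample config types as integer).
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "sc-bytes", "cs-bytes", "time-taken"}

# Constructed sample of an IIS 10 W3C log: directives, two complete hits and one
# truncated line (as a log file cut off mid-write would contain).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-01-21 05:09:41
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-01-21 05:09:41 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 46
2020-01-21 05:09:42 10.0.0.5 GET /admin/login.aspx user=x 80 - 192.0.2.10 curl/7.68.0 - 401 2 5 31
2020-01-21 05:09:43 10.0.0.5 GET /index.html - 80
"""


def normalize_field_name(raw: str) -> str:
    """Turn W3C header names such as 'cs(User-Agent)' into the 'cs-User-Agent'
    form used by the NxLog Fields list above."""
    if raw.endswith(")") and "(" in raw:
        prefix, inner = raw[:-1].split("(", 1)
        return f"{prefix}-{inner}"
    return raw


def parse_w3c(text: str) -> List[Dict[str, Any]]:
    """Parse a W3C extended log. Returns one dict per complete hit line."""
    fields: List[str] = []
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines are metadata, not hits (the config drops them too);
            # #Fields defines the column layout for every following line.
            if line.startswith("#Fields:"):
                fields = [normalize_field_name(f) for f in line[len("#Fields:"):].split()]
            continue
        if not fields:
            raise ValueError("data line before #Fields directive")
        # IIS replaces spaces inside values with '+', so a plain split is safe.
        values = line.split(" ")
        if len(values) != len(fields):
            # Truncated line or a layout change without a new #Fields directive.
            # Do not guess the alignment; skip it rather than mis-assign columns.
            continue
        record: Dict[str, Any] = {}
        for name, value in zip(fields, values):
            if value == "-":                      # W3C "no value" marker (UndefValue)
                record[name] = None
            elif name in INTEGER_FIELDS:
                try:
                    record[name] = int(value)
                except ValueError:
                    record[name] = value          # keep the raw token if not numeric
            else:
                record[name] = value
        if record.get("date") and record.get("time"):
            ts = datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
            record["EventTime"] = ts.strftime("%Y-%m-%d %H:%M:%S")
        record["SourceName"] = "IIS"
        events.append(record)
    return events


def to_logpoint_dict(event: Dict[str, Any]) -> Dict[str, Any]:
    """Rename keys to the underscore form seen in the JSON log sample (s_sitename, ...)."""
    return {key.replace("-", "_"): value for key, value in event.items()}


def to_syslog_bsd(event: Dict[str, Any], hostname: str, pri: int = 13) -> str:
    """Wrap the JSON event in a BSD syslog line, as to_syslog_bsd() does in the config.
    PRI 13 is user.notice, the value seen in the FTP log samples."""
    ts = datetime.strptime(event["EventTime"], "%Y-%m-%d %H:%M:%S")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {json.dumps(to_logpoint_dict(event))}"


if __name__ == "__main__":
    for evt in parse_w3c(SAMPLE_LOG):
        print(to_syslog_bsd(evt, "IISSRV01"))
```

Running the block prints two syslog lines; the truncated third line is skipped instead of producing a record whose sc-status holds the port number, which is the failure mode a static field list cannot detect.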
Log Formats
Expected Log Format
Microsoft IIS W3C
Log Sample
2020-1-21 05:09:41 W3SVC1194433281 EBOKSWEB204D 1.1.1.1 GET /images/graphics/gx_logo_e-boks_dk_152x30.gif - 80 - 1.1.1.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/1.1.1.1+Safari/537.36+Edge/12.10240https://logpoint.np /default.aspxlogpoint 200 0 0 2577 1287 46 N/A
Expected Log Format
Microsoft IIS SMTP
Log Samples
2020-1-20 08:31:59 192.168.2.38 logpoint.com SMTPSVC1 GRSPS0192.168.2.38.2 0 MAIL - FROM:<logpoint@lp.com> 250 0 45 32 0 SMTP - - - -
2020-1-20 08:31:59 192.168.8.177 logpoint.com SMTPSVC1 GRSPS0192.168.2.38.4 0 MAIL - +FROM:<logpoint@lp.com> 250 0 45 32 0 SMTP - - - -
2020-1-20 08:29:26 192.168.7.66 DRSGOLD01 SMTPSVC1 GRSPS0192.168.2.38.5 0 RCPT - +TO:<> 501 0 27 10 0 SMTP - - - -
2020-1-20 08:29:26 192.168.3.182 DRSGOLD01 SMTPSVC1 GRSPS0192.168.2.38.7 0 HELO - +DRSGOLD01 250 0 33 14 0 SMTP - - - -
2020-1-20 08:31:59 192.168.1.59 OutboundConnectionResponse SMTPSVC1 GRSPS01 - 25 - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 0 44 0 125 SMTP - - - -
Expected Log Format
Microsoft IIS FTP
Log Samples
<13>Jan 3 10:20:01 IISSRV01 2020-01-03 10:20:00 192.168.1.212 MDN\ftpadmin xxx.xxx.x.xx 21 LIST - 226 0 0 081f18be-afdf-481a-b345-e7046a9f3d8b /test01/VendorFiles/logpoint_22941/Items
<13>Jan 3 10:20:01 IISSRV01 2020-01-03 10:20:00 192.168.1.212 MDN\ftpadmin xxx.xxx.x.xx 65250 DataChannelClosed - - 0 0 8e7cc68c-d83a-43f4-a6fe-2e227d7e5ffb -
Expected Log Format
JSON
Log Sample
{"EventReceivedTime":"2020-01-23 11:28:31","SourceModuleName":"iis_log_in","SourceModuleType":"im_file","date":"2020-01-23","time":"09:28:05","s_sitename":"W3SVC2","s_computername":"logpoint","s_ip":"1.1.1.1", "cs_method":"GET","cs_uri_stem":"/gtautostart.aspx","cs_uri_query": "wm_actvty=\"clnt_space\"&wm_object=\"1894131\"","s_port":80,"cs-username":"-","c_ip":"1.1.1.1","cs_version":"HTTP/1.1","cs_User_Agent":"Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko","cs_Referer":"-","cs_host":"logpoint.bob","sc_status":401,"sc_substatus":2,"sc_win32_status":5, "sc_bytes":1600,"cs_bytes":372,"time_taken":31,"SourceName":"IIS_LOG", "Environnement":"EXP","EventTime":"2020-01-23 11:28:05"}
To forward the data to LogPoint, send it to the Syslog collector on port 514 of the LogPoint server.
Microsoft IIS v5.0.2
Enhancement
A minor update to the Microsoft IIS normalizer for better signature handling.
Microsoft IIS v5.0.1
Bug Fix
Updated the compiled normalizer to normalize the values of the following fields correctly:
Field name | LogPoint Taxonomy
---|---
EventTime | log_ts
EventReceiveTime | event_ts
Microsoft IIS v3.5.0
Release Date: May 14, 2020
Supported On: Logpoint v6.0.0 to v6.6.6
Download: MicrosoftIIS_3.5.0.pak
SHA256: 2c2af811a2f97e41c1d1523f7df5e301da1eb4bec2b05ad908f18003768ae64f
Enhancement
A minor update to the Microsoft IIS normalizer for better signature handling.
Support
If you have any questions or require assistance, create a support ticket.
Hi, the zip contains old versions of normalizers. Could you please update the zip file, as it is confusing.