Microsoft IIS

The Microsoft IIS application normalizes Microsoft IIS events and lets you analyze the data using pre-set dashboard views.

Release Details
Version: 5.2.0
Release date: May 08, 2024
Supported On: Logpoint v7.4.0 or later for log source template
SHA256: a5cfbd67cbf21fec32ddbbfe62f58eafb475148cf8e36f8401146ebab361ec0b
Download

Package Details

Microsoft IIS components:

  1. Dashboard Package
    • LP_MS IIS
  2. Normalization Packages
    • LP_Microsoft Exchange IIS 
    • LP_Microsoft IIS 
    • LP_Microsoft IIS FTP 
  3. Compiled Normalizer
    • MicrosoftIISCompiledNormalizer


Enhancement

Description: Added Syslog Collector based IIS log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template.
Issue ID: KB-22757
Reference ID: -

Installation

To install Microsoft IIS:

  1. Download the .pak file from the Download link above.
  2. Go to Settings >> System Settings from the navigation bar and click Applications.
  3. Click Import.
  4. Browse to the downloaded .pak file.
  5. Click Upload.

Past Releases

Microsoft IIS v5.1.0

Release Date: March 10, 2021

Supported On: Logpoint v6.7.0 and later

Download: MicrosoftIIS_5.1.0.pak

SHA256: 39df0c0eae511f5f8597f38111b6c76afd1a574789107d5de93c06c64f1d06ce

Enhancement

The compiled normalizer MicrosoftIISCompiledNormalizer has been updated to correctly handle the truncated JSON logs from Microsoft IIS.

Supported Versions

  • Microsoft IIS Server 6.0
  • Microsoft IIS Server 7.0
  • Microsoft IIS Server 7.5
  • Microsoft IIS Server 8.0
  • Microsoft IIS Server 8.5
  • Microsoft IIS Server 10

Screenshot


NxLog Sample Configuration file 

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
<Extension _syslog>
    Module      xm_syslog
</Extension>
 
<Extension _json>
    Module      xm_json
</Extension>
 
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs-User-Agent, $cs-Cookie, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken
    FieldTypes        string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, string, string, string, integer, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>
 
# Convert the IIS logs to JSON and use the original event time
<Input IIS_Logs>
    Module   im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    ReadFromLast FALSE
    Recursive TRUE
    PollInterval  1
    Exec     $FileName = file_name();
    Exec if $raw_event =~ /^#/ drop();\
       else\
       {\
        w3c->parse_csv();\
        $EventTime = parsedate($date + " " + $time);\
        $SourceName = "IIS";\
       }
</Input>
 
<Input in>
    Module      im_msvistalog
</Input>
 
<Output out>
    Module      om_tcp
    Host        192.168.2.1
    Port        514
    Exec       to_json(); $Message=$raw_event; to_syslog_bsd();
</Output>
 
<Route 1>
    Path IIS_Logs, in => out
</Route>

Note: Define the xm_csv Fields and FieldTypes to match the #Fields header of your own IIS log file; the field list in the sample configuration above will not match every server.

For Header:

#Software: Microsoft Internet Information Services 10.0 
#Version: 1.0 
#Date: 2018-08-05 08:02:35 
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken

the corresponding rule looks like:

Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs-User-Agent, $cs-Cookie, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken

FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, string, string, integer
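The note above says the parsing rule must follow the #Fields header, and the sample rule shows what that looks like for one header. The following Python script is an added example for this article, not code from the Logpoint package or from NXLog: it derives the Fields/FieldTypes lists from a "#Fields:" directive the same way the sample rule does (W3C names such as cs(User-Agent) become cs-User-Agent, and the set of integer-typed fields, INTEGER_FIELDS, is taken from the sample rule on this page), then parses the request lines into records and maps the event time to log_ts as the taxonomy table in this article does. The header block and the two request lines in SAMPLE_LOG are constructed for the demo.

```python
"""Parse Microsoft IIS W3C extended logs driven by the #Fields header.

Added example for this article; not part of the Logpoint Microsoft IIS
package or of NXLog. SAMPLE_LOG is constructed for the demo.
"""
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# Fields typed as integer by the sample xm_csv rule on this page.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-bytes", "cs-bytes", "time-taken"}

# Constructed sample: W3C directive block followed by two request lines.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2018-08-05 08:02:35
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2018-08-05 08:02:36 W3SVC1 WEB01 10.0.0.5 GET /default.aspx - 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - - example.test 200 0 0 46
2018-08-05 08:02:37 W3SVC1 WEB01 10.0.0.5 GET /admin/login.aspx id=1 443 - 10.0.0.9 HTTP/1.1 curl/8.0 - - example.test 401 2 5 12
"""


def nxlog_field_name(w3c_name: str) -> str:
    """Map a W3C field name to the name used in the sample rule,
    e.g. 'cs(User-Agent)' -> 'cs-User-Agent'; plain names pass through."""
    m = re.fullmatch(r"(\w+)\((.+)\)", w3c_name)
    return f"{m.group(1)}-{m.group(2)}" if m else w3c_name


def build_rule(fields_directive: str) -> Tuple[List[str], List[str]]:
    """Derive the xm_csv Fields and FieldTypes lists from a '#Fields:' line."""
    names = [nxlog_field_name(f) for f in fields_directive.split(":", 1)[1].split()]
    types = ["integer" if n in INTEGER_FIELDS else "string" for n in names]
    return names, types


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one record per request line, keyed by field name.

    Directive lines ('#...') are consumed, not emitted; every '#Fields:'
    directive resets the column layout, so a file whose logging options
    changed mid-way is still parsed correctly. IIS writes '+' instead of
    spaces inside field values, so a single-space split is safe. A '-'
    value becomes None; integer-typed fields are converted to int.
    """
    names: List[str] = []
    types: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names, types = build_rule(line)
            continue
        if not names:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(names):
            raise ValueError(f"expected {len(names)} columns, got {len(values)}: {line!r}")
        record: Dict[str, object] = {}
        for name, ftype, value in zip(names, types, values):
            if value == "-":
                record[name] = None
            elif ftype == "integer":
                record[name] = int(value)
            else:
                record[name] = value
        # Same mapping as the taxonomy table in this article: EventTime -> log_ts.
        record["log_ts"] = f"{record.get('date')} {record.get('time')}"
        yield record


def parse_sample() -> List[Dict[str, object]]:
    """Parse the constructed SAMPLE_LOG and return its records."""
    return list(parse_iis_w3c(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    names, types = build_rule(SAMPLE_LOG.splitlines()[3])
    print("Fields " + ", ".join("$" + n for n in names))
    print("FieldTypes " + ", ".join(types))
    for rec in parse_sample():
        print(rec["log_ts"], rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"])
```

Running the script prints the Fields and FieldTypes lines for the sample header, which can be pasted into the xm_csv extension, followed by one summary line per request. The same approach works for the other W3C-style IIS logs on this page (SMTP, FTP), since those services write the same "#Fields:" directive.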


Log Formats

Expected Log Format

Microsoft IIS W3C

Log Sample


2020-1-21 05:09:41 W3SVC1194433281 EBOKSWEB204D 1.1.1.1 GET /images/graphics/gx_logo_e-boks_dk_152x30.gif - 80 - 1.1.1.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/1.1.1.1+Safari/537.36+Edge/12.10240 https://logpoint.np /default.aspxlogpoint 200 0 0 2577 1287 46 N/A

Expected Log Format

Microsoft IIS SMTP

Log Samples

2020-1-20 08:31:59 192.168.2.38 logpoint.com SMTPSVC1 GRSPS0192.168.2.38.2 0 MAIL - FROM:<logpoint@lp.com> 250 0 45 32 0 SMTP - - - -

2020-1-20 08:31:59 192.168.8.177 logpoint.com SMTPSVC1 GRSPS0192.168.2.38.4 0 MAIL - +FROM:<logpoint@lp.com> 250 0 45 32 0 SMTP - - - -

2020-1-20 08:29:26 192.168.7.66 DRSGOLD01 SMTPSVC1 GRSPS0192.168.2.38.5 0 RCPT - +TO:<> 501 0 27 10 0 SMTP - - - -

2020-1-20 08:29:26 192.168.3.182 DRSGOLD01 SMTPSVC1 GRSPS0192.168.2.38.7 0 HELO - +DRSGOLD01 250 0 33 14 0 SMTP - - - -

2020-1-20 08:31:59 192.168.1.59 OutboundConnectionResponse SMTPSVC1 GRSPS01 - 25 - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 0 44 0 125 SMTP - - - -

Expected Log Format

Microsoft IIS FTP

Log Samples

<13>Jan 3 10:20:01 IISSRV01 2020-01-03 10:20:00 192.168.1.212 MDN\ftpadmin xxx.xxx.x.xx 21 LIST - 226 0 0 081f18be-afdf-481a-b345-e7046a9f3d8b /test01/VendorFiles/logpoint_22941/Items

<13>Jan 3 10:20:01 IISSRV01 2020-01-03 10:20:00 192.168.1.212 MDN\ftpadmin xxx.xxx.x.xx 65250 DataChannelClosed - - 0 0 8e7cc68c-d83a-43f4-a6fe-2e227d7e5ffb -

Expected Log Format

JSON

Log Sample

{"EventReceivedTime":"2020-01-23 11:28:31","SourceModuleName":"iis_log_in","SourceModuleType":"im_file","date":"2020-01-23","time":"09:28:05","s_sitename":"W3SVC2","s_computername":"logpoint","s_ip":"1.1.1.1", "cs_method":"GET","cs_uri_stem":"/gtautostart.aspx","cs_uri_query": "wm_actvty=\"clnt_space\"&wm_object=\"1894131\"","s_port":80,"cs-username":"-","c_ip":"1.1.1.1","cs_version":"HTTP/1.1","cs_User_Agent":"Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko","cs_Referer":"-","cs_host":"logpoint.bob","sc_status":401,"sc_substatus":2,"sc_win32_status":5, "sc_bytes":1600,"cs_bytes":372,"time_taken":31,"SourceName":"IIS_LOG", "Environnement":"EXP","EventTime":"2020-01-23 11:28:05"}

To forward the data to Logpoint, point the NXLog output (the Host and Port of the om_tcp block in the sample configuration) at the Syslog collector on port 514 of the Logpoint server.

Microsoft IIS v5.0.2

Enhancement

A minor update in the Microsoft IIS's normalizer for better signature handling.

Microsoft IIS v5.0.1

Bug Fix

Updated the compiled normalizer to normalize the values for the following fields correctly:

Field name          LogPoint Taxonomy
EventTime           log_ts
EventReceiveTime    event_ts

Microsoft IIS v3.5.0

Release Date: May 14, 2020

Supported On: Logpoint v6.0.0 to v6.6.6

Download: MicrosoftIIS_3.5.0.pak

SHA256: 2c2af811a2f97e41c1d1523f7df5e301da1eb4bec2b05ad908f18003768ae64f

Enhancement

A minor update in the Microsoft IIS's normalizer for better signature handling.

Support

If you have any questions or require assistance, create a support ticket.

Comments

  • Faizal Dagia
    July 31, 2018 11:14

    Hi, the zip contains old versions of normalizers. Please could you update the zip file, as it is confusing.
