Microsoft IIS

Microsoft IIS normalizes Microsoft IIS events and enables you to analyze the data using pre-set dashboard views.

Release Details

Version: 5.2.0

Release date: May 08, 2024

Supported On: Logpoint v7.4.0 or later for log source template

SHA 256: a5cfbd67cbf21fec32ddbbfe62f58eafb475148cf8e36f8401146ebab361ec0b

Download

Package Details

Microsoft IIS components:

Dashboard Package
- LP_MS IIS
Normalization Packages
- LP_Microsoft Exchange IIS
- LP_Microsoft IIS
- LP_Microsoft IIS FTP
Compiled Normalizer
- MicrosoftIISCompiledNormalizer

Enhancement

Description	Issue ID	Reference ID
Added Syslog Collector based IIS log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template.	KB-22757	-

Installation

To install Microsoft IIS:

Download the .pak file from the Download link above.
Go to Settings >> System Settings from the navigation bar and click Applications.
Click Import.
Browse to the downloaded .pak file.
Click Upload.

Past Releases

Microsoft IIS v5.1.0

Release Date: March 10, 2021

Supported On: Logpoint v6.7.0 and later

Download: MicrosoftIIS_5.1.0.pak

SHA256: 39df0c0eae511f5f8597f38111b6c76afd1a574789107d5de93c06c64f1d06ce

Enhancement

The compiled normalizer MicrosoftIISCompiledNormalizer has been updated to correctly handle the truncated JSON logs from Microsoft IIS.

Supported Versions

Microsoft IIS Server 6.0
Microsoft IIS Server 7.0
Microsoft IIS Server 7.5
Microsoft IIS Server 8.0
Microsoft IIS Server 8.5
Microsoft IIS Server 10

Screenshot

NxLog Sample Configuration file

## This is a sample configuration file. See the nxlog reference manual about the

## configuration options. It should be installed locally and is also available

## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,

## otherwise it will not start.

#define ROOT C:\Program Files\nxlog

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules

CacheDir %ROOT%\data

Pidfile %ROOT%\data\nxlog.pid

SpoolDir %ROOT%\data

LogFile %ROOT%\data\nxlog.log

<Extension _syslog>

    Module      xm_syslog

</Extension>

<Extension _json>

                  Module xm_json

</Extension>

<Extension w3c>

    Module xm_csv

    Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs-User-Agent, $cs-Cookie, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken

    FieldTypes        string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, string, string, string, integer, integer, integer

    Delimiter ' '

    QuoteChar '"'

    EscapeControl FALSE

    UndefValue -

</Extension>

# Convert the IIS logs to JSON and use the original event time

<Input IIS_Logs>

    Module   im_file

    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"

    ReadFromLast FALSE

    Recursive TRUE

    PollInterval  1

    Exec     $FileName = file_name();

    Exec if $raw_event =~ /^#/ drop();\

       else\

{\

        w3c->parse_csv();\

        $EventTime = parsedate($date + " " + $time);\

        $SourceName = "IIS";\

</Input>

<Input in>

    Module      im_msvistalog

</Input>

<Output out>

    Module      om_tcp

    Host        192.168.2.1

    Port        514

    Exec       to_json(); $Message=$raw_event; to_syslog_bsd();

</Output>

<Route 1>

    Path IIS_Logs, in => out

</Route>

Note: Create parsing rules according to the headers of the IIS log file.

For Header:

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2018-08-05 08:02:35
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken

Your sample rule looks like:

Fields $d a t e,$ time, $s - s i t e n a m e,$ s-computername, $s - i p,$ cs-method, $c s - u r i - s t e m,$ cs-uri-query, $s - p o r t,$ cs-username, $c - i p,$ cs-version, $c s - U s e r - A g e n t,$ cs-Cookie, $c s - R e f e r e r,$ cs-host, $s c - s t a t u s,$ sc-substatus, $s c - w i n 32 - s t a t u s,$ time-taken

FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, string, string, integer

Log Formats

Expected Log Format

Microsoft IIS W3C

Log Sample

2020-1-21 05:09:41 W3SVC1194433281 EBOKSWEB204D 1.1.1.1 GET /images/graphics/gx_logo_e-boks_dk_152x30.gif - 80 - 1.1.1.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/1.1.1.1+Safari/537.36+Edge/12.10240

https://logpoint.np /default.aspxlogpoint 200 0 0 2577 1287 46 N/A

Expected Log Format

Microsoft IIS SMTP

Log Samples

2020-1-20 08:31:59 192.168.2.38 logpoint.com SMTPSVC1 GRSPS0192.168.2.38.2 0 MAIL - FROM:<logpoint@lp.com> 250 0 45 32 0 SMTP - - - -

2020-1-20 08:31:59 192.168.8.177 logpoint.com SMTPSVC1 GRSPS0192.168.2.38.4 0 MAIL - +FROM:<logpoint@lp.com> 250 0 45 32 0 SMTP - - - -

2020-1-20 08:29:26 192.168.7.66 DRSGOLD01 SMTPSVC1 GRSPS0192.168.2.38.5 0 RCPT - +TO:<> 501 0 27 10 0 SMTP - - - -

2020-1-20 08:29:26 192.168.3.182 DRSGOLD01 SMTPSVC1 GRSPS0192.168.2.38.7 0 HELO - +DRSGOLD01 250 0 33 14 0 SMTP - - - -

2020-1-20 08:31:59 192.168.1.59 OutboundConnectionResponse SMTPSVC1 GRSPS01 - 25 - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 0 44 0 125 SMTP - - - -

Expected Log Format

Microsoft IIS FTP

Log Samples

<13>Jan 3 10:20:01 IISSRV01 2020-01-03 10:20:00 192.168.1.212 MDN\ftpadmin xxx.xxx.x.xx 21 LIST - 226 0 0 081f18be-afdf-481a-b345-e7046a9f3d8b /test01/VendorFiles/logpoint_22941/Items

<13>Jan 3 10:20:01 IISSRV01 2020-01-03 10:20:00 192.168.1.212 MDN\ftpadmin xxx.xxx.x.xx 65250 DataChannelClosed - - 0 0 8e7cc68c-d83a-43f4-a6fe-2e227d7e5ffb -

Expected Log Format

JSON

Log Sample

{"EventReceivedTime":"2020-01-23 11:28:31","SourceModuleName":"iis_log_in","SourceModuleType":"im_file","date":"2020-01-23","time":"09:28:05","s_sitename":"W3SVC2","s_computername":"logpoint","s_ip":"1.1.1.1", "cs_method":"GET","cs_uri_stem":"/gtautostart.aspx","cs_uri_query": "wm_actvty=\"clnt_space\"&wm_object=\"1894131\"","s_port":80,"cs-username":"-","c_ip":"1.1.1.1","cs_version":"HTTP/1.1","cs_User_Agent":"Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko","cs_Referer":"-","cs_host":"logpoint.bob","sc_status":401,"sc_substatus":2,"sc_win32_status":5, "sc_bytes":1600,"cs_bytes":372,"time_taken":31,"SourceName":"IIS_LOG", "Environnement":"EXP","EventTime":"2020-01-23 11:28:05"}

To export data to LogPoint, use the Syslog collector on port 514 of the LogPoint server.

Microsoft IIS v5.0.2

Enhancement

A minor update in the Microsoft IIS's normalizer for better signature handling.

Microsoft IIS v5.0.1

Bug Fix

Updated the compiled normalizer to normalize the values for the following fields correctly:

Field name	LogPoint Taxonomy
EventTime	log_ts
EventReceiveTime	event_ts

Microsoft IIS v3.5.0

Release Date: May 14, 2020

Supported On: Logpoint v6.0.0 to v6.6.6

Download: MicrosoftIIS_3.5.0.pak

SHA256: 2c2af811a2f97e41c1d1523f7df5e301da1eb4bec2b05ad908f18003768ae64f

Enhancement

A minor update in the Microsoft IIS's normalizer for better signature handling.

Support

If you have any questions or require assistance, create a support ticket.

Microsoft IIS

Package Details

Enhancement

Installation

Past Releases

Microsoft IIS v5.1.0

Enhancement

Supported Versions

Screenshot

NxLog Sample Configuration file

Log Formats

Microsoft IIS v5.0.2

Enhancement

Microsoft IIS v5.0.1

Bug Fix

Microsoft IIS v3.5.0

Enhancement

Support

Comments

Related articles