Log Types: IISWebLog (WebLog)
Overview
Internet Information Services (IIS) is Microsoft's extensible web server for Windows.
Collection
The Snare Epilog agent can collect logs directly from IIS servers.
IIS web server logs can also be transferred in batch to the directory /data/SnareCollect/IISWebLog via FTP, using the user 'snarexfer'. Transferred logs are processed daily, at around midnight. Batch-transferred log files must keep their header (directive) lines intact, in particular the '#Fields:' line that IIS writes at the top of each W3C extended format log file: the Snare collection subsystem uses it to work out which column of each record belongs in which field.
Sample Events
2005-06-17 04:27:32 10.226.2.162 GET /controlmanager - 80 - 10.15.5.44 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 301 0 0
2006-06-22 02:14:23 W3SVC1 2.150.10.55 GET /6161 - 80 - 2.150.10.56 Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.7.12)+Gecko/20051010+Firefox/1.0.7+(Ubuntu+package+1.0.7) 404 0 2
2006-06-14 22:48:10 W3SVC1 WINCLIENT 192.168.0.20 GET /config-ie/configure-ie.html - 80 - 192.168.0.20 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) - http://192.168.0.20/config-ie/configure-ie.html 192.168.0.20 304 0 0 189 439 187
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | WebLog |
| HOSTNAME | |
| USERNAME | If available, the authenticated username requesting access to the data. |
| URL | Uniform resource locator: the web address of the resource being accessed. |
| RETURNCODE | The status code returned for the request |
| BYTES | The number of bytes transferred |
| REFERRER | The referrer page |
| AGENT | The browser information (User-Agent) provided by the client |
| PROTOCOL | HTTP, HTTPS, FTP, GOPHER, and so on |
| LOGTYPE | IIS, Apache, Squid, ISA and other web server and proxy logs are all pushed to a consolidated 'WebLog' table. This field records the source log format, so that web server logs can be separated from proxy logs. |
| CATEGORY | |
| STRINGS | All other data in the event is pushed to this field. |
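The mapping in the table above, worked through in code. This is an added example, not Snare's own collector: it reads the '#Fields:' directive that IIS writes in W3C extended format to locate each column, fills the WebLog fields named on this page, and pushes every remaining column into STRINGS. The sample log fragment is constructed for the example (its first record follows the shape of the third sample event above), and the PROTOCOL derivation (scheme from cs-version, HTTPS when the server port is 443) is an assumption, since the page does not say how that field is populated.

```python
"""Map IIS W3C extended log records onto the Snare WebLog field set.

Added example, not Snare's own code. Column positions come from the
'#Fields:' directive in the log file itself, so the same code handles
any IIS column selection.
"""
from typing import Dict, List, Optional

# Constructed sample input, in the shape IIS 6 writes for W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-06-14 22:48:10
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2006-06-14 22:48:10 W3SVC1 WINCLIENT 192.168.0.20 GET /config-ie/configure-ie.html - 80 - 192.168.0.20 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2) - http://192.168.0.20/config-ie/configure-ie.html 192.168.0.20 304 0 0 189 439 187
2006-06-14 22:48:11 W3SVC1 WINCLIENT 192.168.0.20 POST /controlmanager/login.asp action=save 80 CORP\\jsmith 10.15.5.44 HTTP/1.1 Mozilla/5.0+(X11;+U;+Linux+i686) - - 192.168.0.20 200 0 0 512 310 45
"""

# W3C columns that have a WebLog field of their own; everything else goes to STRINGS.
CONSUMED = {"date", "time", "cs-username", "cs-uri-stem", "cs-uri-query",
            "sc-status", "sc-bytes", "cs(Referer)", "cs(User-Agent)", "cs-version"}


def _text(raw: str) -> str:
    # W3C format writes '-' for an empty field and '+' for a space inside a field.
    return "" if raw == "-" else raw.replace("+", " ")


def _int(raw: str) -> Optional[int]:
    return None if raw in ("", "-") else int(raw)


def to_weblog(columns: List[str], values: List[str]) -> Dict[str, object]:
    """Build one WebLog event from a W3C column list and one record's values."""
    row = dict(zip(columns, values))
    event: Dict[str, object] = {"TABLE": "WebLog", "LOGTYPE": "IIS"}
    event["DATE"] = row.get("date", "")
    event["TIME"] = row.get("time", "")
    event["USERNAME"] = _text(row.get("cs-username", "-"))
    # URL is the path plus the query string, when IIS logged one.
    query = row.get("cs-uri-query", "-")
    event["URL"] = row.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
    event["RETURNCODE"] = _int(row.get("sc-status", "-"))
    event["BYTES"] = _int(row.get("sc-bytes", "-"))
    event["REFERRER"] = _text(row.get("cs(Referer)", "-"))
    event["AGENT"] = _text(row.get("cs(User-Agent)", "-"))
    # Assumption: PROTOCOL is the scheme from cs-version ("HTTP/1.1" -> "HTTP"),
    # reported as HTTPS when the request arrived on server port 443.
    version = row.get("cs-version", "-")
    proto = "HTTP" if version == "-" else version.split("/", 1)[0]
    if proto == "HTTP" and row.get("s-port") == "443":
        proto = "HTTPS"
    event["PROTOCOL"] = proto
    # All other columns are kept as name=value pairs, as the page describes for STRINGS.
    event["STRINGS"] = " ".join(f"{k}={v}" for k, v in row.items() if k not in CONSUMED)
    return event


def parse_w3c(text: str) -> List[Dict[str, object]]:
    """Parse a W3C extended log file into WebLog events, driven by its #Fields: line."""
    columns: Optional[List[str]] = None
    events: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()          # IIS pads files with trailing spaces (see Notes)
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # IIS writes a fresh #Fields: line when the logged columns change,
                # so the layout is re-read every time one appears.
                columns = line[len("#Fields:"):].split()
            continue                  # other directives (#Software, #Date, ...) carry no record
        if columns is None:
            raise ValueError(f"line {lineno}: record before any #Fields: directive")
        values = line.split(" ")     # fields never contain spaces; IIS encodes them as '+'
        if len(values) != len(columns):
            raise ValueError(f"line {lineno}: expected {len(columns)} fields, got {len(values)}")
        events.append(to_weblog(columns, values))
    return events


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_LOG):
        print(ev)
```

A record that does not match the column count is rejected rather than guessed at: a silently mis-aligned record would put, say, the status code into BYTES, which is worse for correlation than a dropped line with an error you can see.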
Notes
IIS log data is sent to the 'WebLog' table to make correlation with other web server and proxy log sources straightforward.
To give a reasonable level of confidence that the most recent requests reach the log file even if the server is compromised or fails, IIS pre-allocates large 'chunks' of whitespace in the target log file and then overwrites that whitespace with log records as they are produced. The file therefore grows ahead of its real content, which makes IIS logs generally incompatible with traditional 'tail' style log monitoring: a tail that treats every new byte as log data will emit runs of padding, or pick up a record part-way through. The Snare Epilog agent has a special exception mode for IIS log data that accounts for this.
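The failure mode described above, shown on constructed data. This is an added example and not the Epilog agent's implementation: it simulates a log file that IIS has padded to a block boundary (a 64 byte block stands in for IIS's much larger allocation, and the three records are made up), runs a naive byte-offset tail against it to show what goes wrong, and then a reader that only advances past complete, newline-terminated records, which is the property any IIS-aware tail needs.

```python
"""Tailing an IIS log file that is pre-padded with whitespace.

Added example, not Snare's own code. IIS extends the file in blocks and
fills the unused tail with spaces, then overwrites those spaces with
records. A naive tail that treats "bytes beyond my last offset" as new
log data emits the padding and, worse, skips the start of the next record.
"""
from typing import List

BLOCK = 64  # stand-in for IIS's allocation size; the real block is far larger

# Constructed records, each terminated with CRLF as IIS writes them.
R1 = b"2006-06-14 22:48:10 W3SVC1 GET /a.html 200\r\n"
R2 = b"2006-06-14 22:48:11 W3SVC1 GET /b.html 404\r\n"
R3 = b"2006-06-14 22:48:12 W3SVC1 GET /c.html 200\r\n"


def pad(content: bytes, block: int = BLOCK) -> bytes:
    """Model the on-disk file: real content followed by space padding up to a block boundary."""
    return content + b" " * (-len(content) % block)


# Four snapshots of the same file over time: one record, two records, a
# half-written third record, then the completed third record.
SNAPSHOTS = [pad(R1), pad(R1 + R2), pad(R1 + R2 + R3[:20]), pad(R1 + R2 + R3)]


class NaiveTail:
    """Classic tail: everything past the last seen size is 'new data'."""

    def __init__(self) -> None:
        self.offset = 0

    def poll(self, data: bytes) -> str:
        chunk = data[self.offset:]
        self.offset = len(data)       # jumps to the padded end, not the end of real content
        return chunk.decode("ascii")


class PaddedLogTail:
    """Tail that only advances past complete records, so padding is never consumed."""

    def __init__(self) -> None:
        self.offset = 0               # byte offset just after the last complete record

    def poll(self, data: bytes) -> List[str]:
        """Return complete, non-blank records written since the previous poll.

        `data` is the whole current file; a real agent would seek to
        self.offset and read to EOF instead of being handed the file.
        """
        chunk = data[self.offset:]
        out: List[str] = []
        consumed = 0
        for raw in chunk.splitlines(keepends=True):
            if not raw.endswith(b"\n"):
                # Either padding or a record IIS has not finished writing.
                # Leave the offset here: IIS will overwrite these bytes next.
                break
            consumed += len(raw)
            text = raw.rstrip(b" \r\n")   # a padding-only "line" strips to nothing
            if text:
                out.append(text.decode("ascii"))
        self.offset += consumed
        return out


def naive_simulate() -> List[str]:
    tail = NaiveTail()
    return [tail.poll(snap) for snap in SNAPSHOTS]


def aware_simulate() -> List[List[str]]:
    tail = PaddedLogTail()
    return [tail.poll(snap) for snap in SNAPSHOTS]


if __name__ == "__main__":
    print("naive:", naive_simulate())
    print("aware:", aware_simulate())
```

On the second snapshot the naive tail has already moved its offset to the padded end of the first block, so it emits the second record with its date and time missing; the record-aware tail returns exactly one clean record per snapshot and nothing for the half-written one.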