How to Collect IIS Logs

Configuring Microsoft IIS6 

  1. Click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.

  2. To determine your log file encoding type, right-click your server and select Properties. If UTF-8 encoding is enabled, the “UTF-8 Logging” check box will be checked. The default is unchecked, which is ANSI encoding. Snare supports either UTF-8 or ANSI encoding.

  3. Now navigate to the Web Sites folder. Expand the Web Sites folder and select the site to monitor. Right-click the site and select Properties. Validate that logging is enabled for the site; if not, select Enable logging.

  4. Now that you have verified and/or enabled logging for the site, make sure the “Active log format” is W3C Extended Log File Format. (See the screenshot above for an example.)

  5. While still on the same screen, click the Properties button for the “Active log format” to view the log directory, log schedule and rollover settings.

  6. Here you will find your log file directory settings. Notice the numerical value in the “Log file name”: this is the site ID number for the site, which is added as a suffix to the log directory. Note: your log schedule, rollover and log file directory may differ from the screenshot below, which shows our suggested default configuration.

  7. Now that you have defined and/or verified your log schedule, rollover and log file directory, select the Advanced tab at the top. Here we need to verify that the proper log flags are defined. Not having the required log flags defined could result in missed security events. Either select all of the log flags or, at a minimum, the following log flags MUST be selected.

    Date, Time, ClientIP, UserName, ServerIP, ServerPort, Method, UriStem, HttpStatus (Protocol Status), UserAgent

    The following are the flags set by default:
    Date, Time, ClientIP, UserName, ServiceName, ServerIP, ServerPort, Method, URIStem, URIQuery, HttpStatus (Protocol Status), Protocol Substatus, Win32 Status, User Agent

  8. Now that you have configured and/or verified logging for your monitored sites, you may want to view the logs in their directory. Here are some examples of what the logs will look like.

Note: if you do not see any log files in the log directory/directories, it could be because no traffic/users are accessing the site(s). You may want to browse the site(s) to generate traffic so logs are produced. Also note that it can sometimes take a minute before IIS updates the log file.

Now that log output has been configured, follow the steps in the “Configuring Windows Agent” section.


Configuring Microsoft IIS7/IIS8

  1. Click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.

  2. To determine your global logging settings and log file encoding type, select your server and, in the middle pane, double-click Logging.

  3. Verify and/or enable logging globally for the server. Our examples here assume you are using one log file per site. If logging is enabled globally, the fields in the middle pane will not be greyed out and the “Disable” action should be blue. If logging is disabled, the fields will be greyed out and the “Enable” action should be blue.

    Logging enabled globally example. If you make a configuration change, make sure to Apply the change!

    Logging disabled globally example. If you make a configuration change, make sure to Apply the change!


  4. Now that you have verified and/or enabled logging globally, let's verify and/or configure your log format and encoding globally. The default log file format for IIS7/IIS8 is W3C and the default encoding is UTF-8. Your current global settings may differ, and that is fine. The format can be changed at the site level if other sites need to log in a different format.

    If you make a configuration change, make sure to Apply the change!

  5. Now navigate to the Sites folder. Expand the Sites folder and select your site for monitoring. Then, in the middle pane, double-click Logging.

  6. Now that you have the logging settings open for the site, verify and/or enable logging for the site as you did for the global settings.

  7. Make note of the configured “Directory”, as this is where you will find your site’s log directory and access logs.

  8. Verify and/or configure the “Log File” format as W3C. The “Encoding” should be UTF-8 or ANSI. In the example below you can see that the encoding was inherited from the global settings and is defined as UTF-8. Note: your options for “Log File Rollover” may differ from the example below, which shows our suggested default configuration.

    If you make a configuration change, make sure to Apply the change!


  9. Now that you have defined and/or verified your log schedule, rollover and log file directory, click the Select Fields button next to the Log File “Format” drop-down.

10. Here we need to verify that the proper log flags are defined. Not having the required log flags defined could result in missed security events. Either select all of the log flags or, at a minimum, the following log flags MUST be selected.

    Date, Time, ClientIP, UserName, ServerIP, ServerPort, Method, UriStem, HttpStatus (Protocol Status), UserAgent

    The following are the flags set by default:
    Date, Time, ClientIP, UserName, ServerIP, ServerPort, Method, URIStem, URIQuery, HttpStatus (Protocol Status), Protocol Substatus, Win32 Status, Time Taken, User Agent

    If you make a configuration change, make sure to Apply the change!

11. Now that you have configured and/or verified logging for your monitored sites, you may want to view the logs in their directory. Here are some examples of what the logs will look like. Note: if you do not see any log files in the log directory/directories, it could be because no traffic/users are accessing the site(s). You may want to browse the site(s) to generate traffic so logs are produced. Also note that it can sometimes take a minute before IIS updates the log file.

    First collect your site IDs so you know which log directory belongs to which site. You can do this by selecting the Sites folder in the left pane; the IDs will be listed in the middle pane.

12. Now, using the log path(s) you gathered for your site(s), append W3SVC<ID#> to the log path; that will be the full path to the site’s access logs.
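The flag lists in step 7 (IIS6) and step 10 (IIS7/IIS8) matter because a W3C log whose “#Fields:” header lacks a required column cannot be used to attribute a request to a client or user. The following added example (not part of this guide or the Snare agent) parses a constructed W3C Extended log sample and reports which of the required fields are missing; the field names are the standard IIS W3C column names for the flags listed above.

```python
from typing import Dict, List, Tuple

# IIS W3C Extended column names for the flags this guide calls mandatory:
# Date, Time, ClientIP, UserName, ServerIP, ServerPort, Method, UriStem,
# HttpStatus (Protocol Status) and UserAgent.
REQUIRED_FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-ip", "s-port",
    "cs-method", "cs-uri-stem", "sc-status", "cs(User-Agent)",
]

# Constructed sample in W3C Extended format (not captured from a real server);
# its #Fields line deliberately omits cs-username and cs(User-Agent).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-04-18 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus sc-win32-status time-taken
2013-04-18 10:15:02 10.0.0.5 GET /login.aspx - 80 192.0.2.10 200 0 0 31
2013-04-18 10:15:07 10.0.0.5 POST /login.aspx - 80 192.0.2.10 401 2 5 15
"""


def parse_w3c_log(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (column names, records). '#Fields:' names the columns; every
    later non-directive line is split on single spaces into those columns.
    IIS writes '-' for an empty value."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):          # directive lines: keep only #Fields
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):    # a truncated or foreign line
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return fields, records


def missing_required_fields(fields: List[str]) -> List[str]:
    """Required column names (in REQUIRED_FIELDS order) absent from '#Fields:'."""
    present = set(fields)
    return [name for name in REQUIRED_FIELDS if name not in present]
```

Run `missing_required_fields` against the header of each site's current log file; a non-empty result means the Select Fields dialog still needs the corresponding flags enabled.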

Configuring Windows Agent

  1. Navigate to the Enterprise Agent for Windows web interface, available at http://<ip-address>:6161

  2. From the left-hand menu, select Log Configuration

  3. Click the Add button at the bottom of the Log Configuration screen.

    1. Select the Log Type: select Microsoft IIS web server logs from the drop-down list.

    2. In Log File or Directory, enter the directory where the IIS logs are stored. If you are unsure of your log path, see section 4 above for assistance in determining the log directory.

      1. Typically for IIS6: C:\WINDOWS\system32\LogFiles\W3SVC<site_ID#>\

      2. Typically for IIS7 and IIS8: C:\inetpub\logs\LogFiles\W3C\W3SVC<site_ID#>\

    3. In Log Name Format, enter the filename where your access logs are being written.
      For ANSI encoding the filename will typically be ex%.log (the percent sign automatically adds the date in YYMMDD format; example result: ex130418.log).
      For UTF-8 encoding the filename will typically be u_ex%.log (the percent sign automatically adds the date in YYMMDD format; example result: u_ex130418.log).
      If you are unsure of your encoding type, see the section “Configuring Microsoft IIS” for assistance in determining your log encoding.

    4. Leave all other settings at their defaults.

  4. Once you have filled in the appropriate fields, click the Change Configuration button.

  5. Continue to add your log configurations until all running sites that will be monitored are defined.

  6. In the left-hand menu, click Apply Configuration & Restart Service.

  7. You will be redirected to the Status screen once the changes are applied.

  8. Navigate again to the Log Configuration page in the Agent web interface.

  9. Verify Log Configuration: review your log configuration and make sure the "Matching File" is shown in black and not red. A filename in black indicates that the Snare Agent has found the current file for processing. A filename in red indicates that the Snare Agent cannot find the file for processing. The Log Error(s) column will show errors, if any.

Proper Matching File:

Improper Matching File:

Verifying Log Events

Events collected by the Windows Agent are displayed on the Latest Events page of the web interface. This page displays the 20 latest events sent to the configured network destination(s). The status of the current network connection(s) is also displayed on this screen. The window automatically refreshes every 30 seconds.

Select the Log Audit filter to view events collected from the log files, as configured under Log Configuration.

Once you are sure you have a proper matching file(s), review your Log Events to ensure the contents of the file are being processed and sent to the destination.

Note: you may see events with or without a bell icon. Events with a bell indicate that they are the most recently processed entries.