Microsoft IIS Server

 

The Microsoft Internet Information Services (IIS) Server DSM for JSA accepts FTP, HTTP, NNTP, and SMTP events using syslog.

You can integrate a Microsoft IIS Server with JSA using one of the following methods:

For more information, see the JSA WinCollect User Guide.

Table 1: Microsoft IIS Supported Log Types

| Version | Supported Log Type | Method of Import |
| --- | --- | --- |
| Microsoft IIS 6.0 | HTTP | IIS Protocol |
| Microsoft IIS 6.0 | SMTP, NNTP, FTP, HTTP | WinCollect or Snare |
| Microsoft IIS 10.0 | HTTP | IIS Protocol |
| Microsoft IIS 10.0 | SMTP, NNTP, FTP, HTTP | WinCollect or Snare |

Configuring Microsoft IIS by Using the IIS Protocol

You can configure Microsoft IIS to communicate with JSA by using the IIS Protocol.

Before you configure JSA with the Microsoft IIS protocol, you must configure your Microsoft IIS Server to generate the proper log format.

The Microsoft IIS Protocol supports only the W3C Extended log file format. The Microsoft authentication protocol NTLMv2 Session is not supported by the Microsoft IIS protocol.

To configure the W3C event log format in Microsoft IIS:

  1. Log in to your Microsoft Internet Information Services (IIS) Manager.
  2. In the IIS Manager menu tree, expand Local Computer.
  3. Select Web Sites.
  4. Right-click on Default Web Sites and select Properties.

    The Default Web Site Properties window is displayed.

  5. Select the Web Site tab.
  6. Select the Enable logging check box.
  7. From the Active Log Format list, select W3C Extended Log File Format.
  8. From the Enable Logging pane, click Properties.

    The Logging Properties window is displayed.

  9. Click the Advanced tab.
  10. From the list of properties, select check boxes for the following W3C properties:

    Table 2: Required Properties for IIS Event Logs

    | IIS 6.0 Required Properties | IIS 7.0/7.5 Required Properties | IIS 8.0/8.5 Required Properties | IIS 10 Required Properties |
    | --- | --- | --- | --- |
    | Date (date) | Date (date) | Date (date) | Date (date) |
    | Time (time) | Time (time) | Time (time) | Time (time) |
    | Client IP Address (c-ip) | Client IP Address (c-ip) | Client IP Address (c-ip) | Client IP Address (c-ip) |
    | User Name (cs-username) | User Name (cs-username) | User Name (cs-username) | User Name (cs-username) |
    | Server IP Address (s-ip) | Server IP Address (s-ip) | Server IP Address (s-ip) | Server IP Address (s-ip) |
    | Server Port (s-port) | Server Port (s-port) | Server Port (s-port) | Server Port (s-port) |
    | Method (cs-method) | Method (cs-method) | Method (cs-method) | Method (cs-method) |
    | URI Stem (cs-uri-stem) | URI Stem (cs-uri-stem) | URI Stem (cs-uri-stem) | URI Stem (cs-uri-stem) |
    | URI Query (cs-uri-query) | URI Query (cs-uri-query) | URI Query (cs-uri-query) | URI Query (cs-uri-query) |
    | Protocol Status (sc-status) | Protocol Status (sc-status) | Protocol Status (sc-status) | Protocol Status (sc-status) |
    | Protocol Version (cs-version) | | | |
    | User Agent (cs(User-Agent)) | User Agent (cs(User-Agent)) | User Agent (cs(User-Agent)) | User Agent (cs(User-Agent)) |

       
  11. Click OK.

You are now ready to configure the log source in JSA.
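
The following added example (not part of the JSA documentation) reads the #Fields: directive that IIS writes into a W3C Extended log and reports which required properties from Table 2 are missing for a given IIS version. The sample log, the function names, and the version keys are constructed for illustration.

```python
# Added example: check a W3C Extended log's "#Fields:" directive against the
# required properties in Table 2. Names and sample data are constructed.

# Required W3C field names from Table 2; cs-version is listed for IIS 6.0 only.
COMMON = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port", "cs-method",
          "cs-uri-stem", "cs-uri-query", "sc-status", "cs(User-Agent)"]
REQUIRED = {
    "6.0": COMMON + ["cs-version"],
    "7.0/7.5": COMMON,
    "8.0/8.5": COMMON,
    "10": COMMON,
}

def fields_directives(lines):
    """Return the field list of every #Fields: directive, in file order."""
    prefix = "#Fields:"
    return [ln[len(prefix):].split() for ln in lines if ln.startswith(prefix)]

def missing_fields(lines, iis_version):
    """Return the required fields absent from any #Fields: directive.

    IIS writes a new header block when logging restarts or the selected
    fields change, so one file can carry several directives; every one of
    them is checked. Raises ValueError when the log has no directive at all,
    which means it is not in W3C Extended format.
    """
    directives = fields_directives(lines)
    if not directives:
        raise ValueError("no #Fields: directive; not a W3C Extended log")
    return [name for name in REQUIRED[iis_version]
            if any(name not in d for d in directives)]

# Constructed sample: User Name and User Agent were not selected in step 10.
SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-01 00:00:01 192.0.2.10 GET /index.html - 80 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    print(missing_fields(SAMPLE, "10"))
```

Run the check against the newest file in the log folder after you change the selected properties, because older files keep the header they were written with.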

Configuring the Microsoft IIS Protocol in JSA

You can configure the log source for Microsoft IIS in JSA.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.

    The Add a log source window is displayed.

  6. From the Log Source Type list, select Microsoft IIS Server.
  7. From the Protocol Configuration list, select Microsoft IIS.
  8. Configure the following values:

    Table 3: Microsoft IIS Protocol Parameters

    - Log Source Identifier: Type the IP address or host name for the log source.
    - Server Address: Type the IP address of the Microsoft IIS server.
    - Username: Type the user name that is required to access the Microsoft IIS server.
    - Password: Type the password that is required to access the Microsoft IIS server.
    - Confirm Password: Confirm the password that is required to access the Microsoft IIS server.
    - Domain: Type the domain that is required to access the Microsoft IIS server.
    - Folder Path: Type the directory path to access the IIS log files. The default is \WINDOWS\system32\LogFiles\W3SVC1\

      Parameters that support file paths give you the option to define a drive letter with the path information. For example, you can use c$/LogFiles/ for an administrative share or LogFiles/ for a public share folder path, but not c:/LogFiles.

      If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the proper access that is needed to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.
    - File Pattern: Type the regular expression (regex) that is needed to filter the file names. All matching files are included in the processing. The default is (?:u_)?ex.*\.(?:log|LOG)

      For example, to list all files that start with the word log, followed by one or more digits and ending with tar.gz, use the following entry: log[0-9]+\.tar\.gz. Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/
    - Recursive: Select this check box if you want the file pattern to search subfolders. By default, the check box is selected.
    - Polling Interval (s): Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.

  9. Click Save.
  10. The Microsoft IIS protocol configuration is complete.
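
The following added example (not part of the JSA documentation) previews which file names a File Pattern value selects and classifies a Folder Path value by the forms described in Table 3. It assumes the pattern must match the whole file name, which the page does not state; the directory listing, function names, and result labels are constructed.

```python
# Added example: preview the File Pattern and Folder Path values from Table 3
# before saving the log source. Function names and labels are constructed.
import re

DEFAULT_PATTERN = r"(?:u_)?ex.*\.(?:log|LOG)"  # default File Pattern in Table 3

def select_files(names, pattern=DEFAULT_PATTERN):
    """Return the file names the pattern selects.

    Assumption: the whole name must match (as Java's Matcher.matches() does);
    the page does not say which matching mode JSA applies.
    """
    rx = re.compile(pattern)
    return [n for n in names if rx.fullmatch(n)]

def classify_folder_path(path):
    """Classify a Folder Path value by its first path component."""
    first = path.replace("\\", "/").lstrip("/").split("/", 1)[0]
    if re.fullmatch(r"[A-Za-z]:", first):
        return "drive-letter"          # c:/LogFiles is not accepted
    if re.fullmatch(r"[A-Za-z]\$", first):
        return "administrative-share"  # c$/LogFiles/ needs administrator access
    return "no-drive-prefix"           # for example LogFiles/ on a public share

# Constructed directory listing. IIS names W3C Extended files ex*.log
# (u_ex*.log with UTF-8 encoding); the in*/nc* files are other log formats.
LISTING = [
    "u_ex240101.log", "ex240101.log", "u_ex240102.LOG",
    "u_in240101.log", "u_nc240101.log",
    "u_ex240101.log.zip", "exported-users.log", "httperr1.log",
]

if __name__ == "__main__":
    # exported-users.log is selected too: ".*" accepts anything after "ex".
    print(select_files(LISTING))
    for p in ("c$/LogFiles/", "LogFiles/", "c:/LogFiles"):
        print(p, "->", classify_folder_path(p))
```

Because the default pattern accepts any name that begins with ex, keep unrelated files out of the log folder (and its subfolders when Recursive is selected) or tighten the pattern.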

Configuring Microsoft IIS Using a Snare Agent

If you want to use a Snare Agent to integrate the Microsoft IIS server with JSA, you must configure the Snare Agent to forward events.

Configuring Your Microsoft IIS Server for Snare

You can configure a Snare Agent to integrate a Microsoft IIS server with JSA:

  1. Log in to your Microsoft Internet Information Services (IIS) Manager.
  2. In the IIS Manager menu tree, expand Local Computer.
  3. Select Web Sites.
  4. Right-click on Default Web Sites and select Properties.

    The Default Web Site Properties window is displayed.

  5. Select the Web Site tab.
  6. Select the Enable logging check box.
  7. From the Active Log Format list, select W3C Extended Log File Format.
  8. From the Enable Logging pane, click Properties.

    The Logging Properties window is displayed.

  9. Click the Advanced tab.
  10. From the list of properties, select check boxes for the following W3C properties:

    Table 4: Required Properties for IIS Event Logs

    | IIS 6.0 Required Properties | IIS 7.0 Required Properties |
    | --- | --- |
    | Date (date) | Date (date) |
    | Time (time) | Time (time) |
    | Client IP Address (c-ip) | Client IP Address (c-ip) |
    | User Name (cs-username) | User Name (cs-username) |
    | Server IP Address (s-ip) | Server IP Address (s-ip) |
    | Server Port (s-port) | Server Port (s-port) |
    | Method (cs-method) | Method (cs-method) |
    | URI Stem (cs-uri-stem) | URI Stem (cs-uri-stem) |
    | URI Query (cs-uri-query) | URI Query (cs-uri-query) |
    | Protocol Status (sc-status) | Protocol Status (sc-status) |
    | Protocol Version (cs-version) | |
    | User Agent (cs(User-Agent)) | User Agent (cs(User-Agent)) |

     
  11. Click OK.
  12. You are now ready to configure the Snare Agent.

Configure the Snare Agent

You can configure your Snare Agent.

  1. Access the InterSect Alliance website:

    http://www.intersectalliance.com/

  2. Download the open source Snare Agent for IIS, version 1.2:

    SnareIISSetup-1.2.exe

  3. Install the open source Snare Agent for IIS.
  4. In the Snare Agent, select Audit Configuration.

    The Audit Service Configuration window is displayed.

  5. In the Target Host field, type the IP address of your JSA.
  6. In the Log Directory field, type the IIS file location:

    \%SystemRoot%\System32\LogFiles/

    By default, Snare for IIS is configured to look for logs in C:\WINNT\System32\LogFiles/.

  7. For Destination, select Syslog.
  8. For Delimiter, select TAB.
  9. Select the Display IIS Header Information check box.
  10. Click OK.

Configuring a Microsoft IIS Log Source

JSA automatically discovers and creates a log source for syslog events from Microsoft IIS forwarded from a Snare agent. These configuration steps are optional.

To manually create a Microsoft IIS log source in JSA:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.

    The Add a log source window is displayed.

  6. From the Log Source Type list, select Microsoft IIS Server.
  7. From the Protocol Configuration list, select Syslog.
  8. Configure the following values:

    Table 5: Microsoft IIS Syslog Configuration

    - Log Source Identifier: Type the IP address or host name for the log source.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.

    The configuration is complete.

Configuring Microsoft IIS by Using Adaptive Log Exporter

WinCollect is a stand-alone application that gives the option to integrate device logs or application event data with JSA or Log Manager.

To integrate the Adaptive Log Exporter with Microsoft IIS:

  1. Log in to your Microsoft Internet Information Services (IIS) Manager.
  2. In the IIS Manager menu tree, expand Local Computer.
  3. Select Web Sites.
  4. Right-click on Default Web Site and select Properties.

    The Web Sites Properties window is displayed.

  5. From the Active Log Format list, select one of the following options:
  6. Click Properties.

    The Properties window is displayed.

  7. Click the Advanced tab.
  8. From the list of properties, select all event properties that you want to apply to the Microsoft IIS event log. The selected properties must include the following selections:
    1. Select the Method (cs-method) check box.

    2. Select the Protocol Version (cs-version) check box.

  9. Click OK.

You are now ready to configure the Adaptive Log Exporter. For more information on installing and configuring Microsoft IIS for the Adaptive Log Exporter, see the Adaptive Log Exporter User Guide.