Microsoft IIS Server

 

The Microsoft Internet Information Services (IIS) Server DSM for JSA accepts FTP, HTTP, NNTP, and SMTP events using syslog.

You can integrate a Microsoft IIS Server with JSA using one of the following methods:

For more information, see the Juniper Secure Analytics WinCollect User Guide.

Table 1: Microsoft IIS Supported Log Types

Version             Supported Log Type     Method of Import
------------------  ---------------------  -------------------
Microsoft IIS 6.0   HTTP                   IIS Protocol
Microsoft IIS 6.0   SMTP, NNTP, FTP, HTTP  WinCollect or Snare
Microsoft IIS 10.0  HTTP                   IIS Protocol
Microsoft IIS 10.0  SMTP, NNTP, FTP, HTTP  WinCollect or Snare

Configuring Microsoft IIS by Using the IIS Protocol

You can configure Microsoft IIS to communicate with JSA by using the IIS Protocol.

Before you configure JSA with the Microsoft IIS protocol, you must configure your Microsoft IIS Server to generate the proper log format.

The Microsoft IIS Protocol supports only the W3C Extended log file format. The Microsoft authentication protocol NTLMv2 Session is not supported by the Microsoft IIS protocol.

To configure the W3C event log format in Microsoft IIS:

  1. Log in to your Microsoft Internet Information Services (IIS) Manager.
  2. In the IIS Manager menu tree, expand Local Computer.
  3. Select Web Sites.
  4. Right-click on Default Web Sites and select Properties.

    The Default Web Site Properties window is displayed.

  5. Select the Web Site tab.
  6. Select the Enable logging check box.
  7. From the Active Log Format list, select W3C Extended Log File Format.
  8. From the Enable Logging pane, click Properties.

    The Logging Properties window is displayed.

  9. Click the Advanced tab.
  10. From the list of properties, select check boxes for the following W3C properties:

    Table 2: Required Properties for IIS Event Logs

    IIS 6.0 Required Properties    IIS 7.0/7.5 Required Properties  IIS 8.0/8.5 Required Properties  IIS 10 Required Properties
    -----------------------------  -------------------------------  -------------------------------  ---------------------------
    Date (date)                    Date (date)                      Date (date)                      Date (date)
    Time (time)                    Time (time)                      Time (time)                      Time (time)
    Client IP Address (c-ip)       Client IP Address (c-ip)         Client IP Address (c-ip)         Client IP Address (c-ip)
    User Name (cs-username)        User Name (cs-username)          User Name (cs-username)          User Name (cs-username)
    Server IP Address (s-ip)       Server IP Address (s-ip)         Server IP Address (s-ip)         Server IP Address (s-ip)
    Server Port (s-port)           Server Port (s-port)             Server Port (s-port)             Server Port (s-port)
    Method (cs-method)             Method (cs-method)               Method (cs-method)               Method (cs-method)
    URI Stem (cs-uri-stem)         URI Stem (cs-uri-stem)           URI Stem (cs-uri-stem)           URI Stem (cs-uri-stem)
    URI Query (cs-uri-query)       URI Query (cs-uri-query)         URI Query (cs-uri-query)         URI Query (cs-uri-query)
    Protocol Status (sc-status)    Protocol Status (sc-status)      Protocol Status (sc-status)      Protocol Status (sc-status)
    Protocol Version (cs-version)
    User Agent (cs(User-Agent))    User Agent (cs(User-Agent))      User Agent (cs(User-Agent))      User Agent (cs(User-Agent))

  11. Click OK.

You are now ready to configure the log source in JSA.

Microsoft IIS Log Source Parameters for Microsoft IIS Server

If JSA does not automatically detect the log source, add a Microsoft IIS Server log source on the JSA Console by using the Microsoft IIS protocol.

When using the Microsoft IIS protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Microsoft IIS events from a Microsoft IIS Server:

Table 3: Microsoft IIS log source parameters for the Microsoft IIS Server DSM

Parameter               Value
----------------------  ----------------------------------------------------
Log Source type         Microsoft IIS Server
Protocol Configuration  Microsoft IIS
Log Source Identifier   Type the IP address or host name for the log source.
File Pattern            Type the regular expression (regex) that is needed to filter the file names. All matching files are included in the processing. The default is (?:u_)?ex.*\.(?:log|LOG)
                        For example, to list all files that start with the word log, followed by one or more digits and ending with tar.gz, use the following entry: log[0-9]+\.tar\.gz. Use of this parameter requires knowledge of regular expressions (regex).
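
The following check is an added example, not part of the Juniper documentation: it tests an IIS log file name against the default File Pattern above and compares the log's #Fields: directive with the required properties in Table 2. It assumes the pattern must match the whole file name; the function names, version keys and sample log are constructed for illustration.

```python
import re

# Default File Pattern from Table 3. Assumption: the pattern is applied to
# the whole file name, so fullmatch() is used below.
DEFAULT_FILE_PATTERN = re.compile(r"(?:u_)?ex.*\.(?:log|LOG)")

# Required W3C properties from Table 2, keyed by IIS major version
# (the keys "6", "7", "8", "10" are this example's own convention).
_COMMON = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port", "cs-method",
           "cs-uri-stem", "cs-uri-query", "sc-status", "cs(User-Agent)"]
REQUIRED = {"6": _COMMON + ["cs-version"], "7": _COMMON, "8": _COMMON, "10": _COMMON}


def logged_fields(lines):
    """Return the field names of the last #Fields: directive in a W3C log.

    IIS writes a new directive block whenever logging restarts, so the last
    one reflects the configuration currently in effect.
    """
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
    return fields


def audit_log(file_name, lines, iis_version):
    """Report whether the file name passes the default filter and which
    required properties are absent from the log's #Fields: directive."""
    fields = logged_fields(lines)
    return {
        "name_matches": DEFAULT_FILE_PATTERN.fullmatch(file_name) is not None,
        "w3c_header_found": bool(fields),
        "missing": [f for f in REQUIRED[iis_version] if f not in fields],
    }


# Constructed sample: an IIS 10 log where User Name and User Agent were not selected.
SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-15 08:00:01 192.0.2.10 GET /index.html - 443 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    print(audit_log("u_ex240115.log", SAMPLE, "10"))
    print(audit_log("httperr1.log", SAMPLE, "10"))
```
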

Syslog Log Source Parameters for Microsoft IIS Server

If JSA does not automatically detect the log source, add a Microsoft IIS Server log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Microsoft IIS Server:

Table 4: Syslog Log Source Parameters for the Microsoft IIS Server DSM

Parameter               Value
----------------------  ----------------------------------------------------
Log Source type         Microsoft IIS Server
Protocol Configuration  Syslog
Log Source Identifier   Type the IP address or host name for the log source.