Microsoft IIS Server
The Microsoft Internet Information Services (IIS) Server DSM for JSA accepts FTP, HTTP, NNTP, and SMTP events using syslog.
You can integrate a Microsoft IIS Server with JSA using one of the following methods:
- Configure JSA to connect to your Microsoft IIS Server using the IIS Protocol. The IIS Protocol collects HTTP events from Microsoft IIS servers. For more information, see Configuring Microsoft IIS by Using the IIS Protocol.
- Configure WinCollect to forward IIS events to JSA. For more information, see the Juniper Secure Analytics WinCollect User Guide.
| Version | Supported Log Type | Method of Import |
|---|---|---|
| Microsoft IIS 6.0 | HTTP | IIS Protocol |
| Microsoft IIS 6.0 | SMTP, NNTP, FTP, HTTP | WinCollect or Snare |
| Microsoft IIS 10.0 | HTTP | IIS Protocol |
| Microsoft IIS 10.0 | SMTP, NNTP, FTP, HTTP | WinCollect or Snare |
Configuring Microsoft IIS by Using the IIS Protocol
You can configure Microsoft IIS to communicate with JSA by using the IIS Protocol.
Before you configure JSA with the Microsoft IIS protocol, you must configure your Microsoft IIS Server to generate the proper log format.
The Microsoft IIS Protocol supports only the W3C Extended log file format.
To configure the W3C event log format in Microsoft IIS:
1. Log in to your Microsoft Internet Information Services (IIS) Manager.
2. Expand IIS Manager > Local Computer > Sites.
3. Select Web Site.
4. Double-click the Logging icon.
5. Select W3C as the log file format from the Log File window.
6. Click Select Fields. From the list of properties, select check boxes for the following W3C properties:

Table 2: Required Properties for IIS Event Logs

| IIS 6.0 Required Properties | IIS 7.0/7.5 Required Properties | IIS 8.0/8.5 Required Properties | IIS 10 Required Properties |
|---|---|---|---|
| Date (date) | Date (date) | Date (date) | Date (date) |
| Time (time) | Time (time) | Time (time) | Time (time) |
| Client IP Address (c-ip) | Client IP Address (c-ip) | Client IP Address (c-ip) | Client IP Address (c-ip) |
| User Name (cs-username) | User Name (cs-username) | User Name (cs-username) | User Name (cs-username) |
| Server IP Address (s-ip) | Server IP Address (s-ip) | Server IP Address (s-ip) | Server IP Address (s-ip) |
| Server Port (s-port) | Server Port (s-port) | Server Port (s-port) | Server Port (s-port) |
| Method (cs-method) | Method (cs-method) | Method (cs-method) | Method (cs-method) |
| URI Stem (cs-uri-stem) | URI Stem (cs-uri-stem) | URI Stem (cs-uri-stem) | URI Stem (cs-uri-stem) |
| URI Query (cs-uri-query) | URI Query (cs-uri-query) | URI Query (cs-uri-query) | URI Query (cs-uri-query) |
| Protocol Status (sc-status) | Protocol Status (sc-status) | Protocol Status (sc-status) | Protocol Status (sc-status) |
| Protocol Version (cs-version) | | | |
| User Agent (cs(User-Agent)) | User Agent (cs(User-Agent)) | User Agent (cs(User-Agent)) | User Agent (cs(User-Agent)) |

7. Click OK, and then click Apply.
You are now ready to configure the log source in JSA.
Microsoft IIS Log Source Parameters for Microsoft IIS Server
If JSA does not automatically detect the log source, add a Microsoft IIS Server log source on the JSA Console by using the Microsoft IIS protocol.
When using the Microsoft IIS protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Microsoft IIS events from a Microsoft IIS Server:
| Parameter | Value |
|---|---|
| Log Source type | Microsoft IIS Server |
| Protocol Configuration | Microsoft IIS |
| Log Source Identifier | Type the IP address or host name for the log source. |
| File Pattern | Type the regular expression (regex) that is needed to filter the file names. All matching files are included in the processing. The default is For example, to list all files that start with the word log, followed by one or more digits and ending with tar.gz, use the following entry: |
Syslog Log Source Parameters for Microsoft IIS Server
If JSA does not automatically detect the log source, add a Microsoft IIS Server log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Microsoft IIS Server:
| Parameter | Value |
|---|---|
| Log Source type | Microsoft IIS Server |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source. |
Microsoft IIS Server Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
- Microsoft IIS Server sample message when you use the Microsoft IIS protocol
- Microsoft IIS Server sample messages when you use the Syslog protocol
Microsoft IIS Server sample message when you use the Microsoft IIS protocol
The following sample event message shows that an HTTP 500 internal server error occurred.
```text
SourceIp=10.232.192.155 AgentDevice=MSIIS AgentLogFile=u_extend1220_x.log AgentLogFormat=W3C date=2018-06-19 time=06:27:41 s-sitename=W3SVC2 s-computername=TESTTESTTEST012 s-ip=10.232.192.155 cs-method=GET cs-uri-stem=/login.asp cs-uri-query=- s-port=444 cs-username=- c-ip=10.142.129.147 cs-version=HTTP/1.0 cs(User-Agent)=- cs(Cookie)== cs(Referer)=- cs-host= sc-status=500 sc-substatus=0 sc-win32-status=0 sc-bytes=3733 cs-bytes=90 time-taken=171 X-Forwarded-For=-
```

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | 500 |
| Source IP | 10.142.129.147 |
| Destination IP | 10.232.192.155 |
| Destination Port | 444 |
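As an added example (not code from the Juniper documentation or from JSA), the following Python parses a W3C Extended log file by its `#Fields` directive, reports which of the Table 2 required properties the file does not provide, and projects each record onto the JSA fields listed in the mapping table above. The sample log contents are constructed; the first record carries the values of the HTTP 500 sample message.

```python
from typing import Dict, List

# Required W3C properties from Table 2 (IIS 7.0 and later columns; IIS 6.0 also lists cs-version).
REQUIRED_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port", "cs-method",
                   "cs-uri-stem", "cs-uri-query", "sc-status", "cs(User-Agent)"]
# W3C field -> JSA field, as in the mapping table for the sample message above.
JSA_MAPPING = {"sc-status": "Event ID", "c-ip": "Source IP",
               "s-ip": "Destination IP", "s-port": "Destination Port"}

# Constructed sample log file (not captured from a real server); the first record
# carries the values of this page's HTTP 500 sample message.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2018-06-19 06:27:41
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-06-19 06:27:41 10.232.192.155 GET /login.asp - 444 - 10.142.129.147 - 500 0 0 171
2018-06-19 06:27:42 10.232.192.155 POST /login.asp user=admin 444 - 10.142.129.148 Mozilla/5.0+(Windows) 401 2 5 12
"""

def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C Extended records, taking the column names from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):                # column layout; may change mid-file
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):  # blank line or another directive
            continue
        if not fields:
            raise ValueError("data record before any #Fields directive")
        values = line.split(" ")                       # W3C values never contain spaces ('+' instead)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records

def missing_required_fields(text: str) -> List[str]:
    """Table 2 properties that no #Fields directive in the file provides."""
    present = set()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            present.update(line[len("#Fields:"):].split())
    return [f for f in REQUIRED_FIELDS if f not in present]

def to_jsa_fields(record: Dict[str, str]) -> Dict[str, str]:
    """Project one parsed record onto the JSA fields it would populate."""
    return {jsa: record[w3c] for w3c, jsa in JSA_MAPPING.items() if w3c in record}
```

Running `missing_required_fields` against a site's current log file before adding the log source shows which check boxes in Table 2 are still unselected.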
Microsoft IIS Server sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows a configuration error.
```text
<13> Apr 17 08:55:56 microsoft.iis.test AgentDevice=WindowsLog AgentLogFile=Microsoft-IISConfiguration/Administrative PluginVersion=7.2.9.105 Source=Microsoft-Windows-IISConfiguration Computer=microsoft.iis.test OriginatingComputer=10.18.224.7 User=user Domain=domain EventID=12 EventIDCode=12 EventType=2 EventCategory=0 RecordNumber=380 TimeGenerated=1587124522 TimeWritten=1587124522 Level=Warning Keywords=0x8000000000000000 Task=None Opcode=Info Message=Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
```

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | 12 |
| Username | user |
| Source IP | 10.18.224.7 |
| Device Time | Apr 17 08:55:56 is extracted from Date and Time fields in JSA. |
Sample 2: The following sample event message shows that an HTTP 401 access denied error occurred.
```text
<13> Oct 02 09:54:19 microsoft.iis.test IISWebLog 0 2020-10-02 14:53:31 10.0.10.51 CCM_POST /ccm_system_windowsauth/request - 80 - 10.0.0.23 ccmhttp - 401 2 5 1509 1
```

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | 401 |
| Source IP | 10.0.0.23 |
| Destination IP | 10.0.10.51 |
| Destination Port | 80 |
| Device Time | Oct 02 09:54:19 is extracted from Date and Time fields in JSA. |