Microsoft IIS

Microsoft IIS provides valuable data about how users interact with your website or application. You can search Microsoft IIS logs to detect and report web server access activity. These logs are ingested in the W3C-compliant format.

You can configure a directory watcher on a collector to monitor the logs of the asset that is running the Microsoft IIS software. Read more about Microsoft IIS at: https://learn.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-the-iis-manager-in-iis-7-and-iis-8

To set up Microsoft IIS, you’ll need to:

  1. Configure Microsoft IIS to send data to InsightIDR.
  2. Configure InsightIDR to collect logs from Microsoft IIS.
  3. Test the configuration.
  4. Optionally, perform any required troubleshooting tasks.

Configure Microsoft IIS to send data to InsightIDR

Before you configure the Microsoft IIS event source in InsightIDR, you need to configure logging in IIS so that InsightIDR can collect the logs.

To allow the Collector to ingest logs from Microsoft IIS, perform these steps on the Microsoft IIS server(s):

  1. Configure logging in Microsoft IIS.
    • Note: InsightIDR cannot retrieve logs from folders or subfolders other than the folder you specify during the configuration process. If you need to store IIS logs in an additional folder, you must configure a new event source for that destination.
  2. Create a hidden network share for the destination folder.
  3. Grant your service account Read permissions to the share.
  4. Note the Network Path to the share as you will need it when you configure InsightIDR to receive data from the event source.

Load balancers can affect the source IP address logged by Microsoft IIS

If you notice that the source IP address for all users is the IP address associated with your load balancer instead of the true IP address, you must configure an X-Forwarded-For header for the Microsoft IIS logs. For more information, see the Troubleshooting section.

Configure logging in Microsoft IIS

Complete the instructions in the Configuring Per-site Logging at the Server Level topic of the Microsoft IIS documentation at: https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis#configure-per-site-logging-at-the-server-level.

To configure logging in Microsoft IIS, you must:

  1. Ensure that you select the W3C log file format.
  2. On the Logging page, click Select Fields.
  3. Specify the fields in the W3C Logging Fields screen. You must also select sc-bytes (which represents the number of bytes sent by the server) from the list of unchecked fields. Fields must be specified in this exact order to be parsed (note that this is the default Microsoft IIS 10 format):
    • date
    • time
    • s-ip
    • cs-method
    • cs-uri-stem
    • cs-uri-query
    • s-port
    • cs-username
    • c-ip
    • cs(User-Agent)
    • cs(Referer)
    • sc-status
    • sc-substatus
    • sc-win32-status
    • sc-bytes
    • time-taken

Configuration steps for a load balancer

If you use a load balancer, you must configure an X-Forwarded-For header by following the instructions at: https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/enhanced-logging-for-iis85#configure-enhanced-logging-for-iis-85-and-later

This option displays as an optional field at the end of the list of fields on the W3C Logging Fields screen.
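The steps above (W3C format, the exact field set including sc-bytes, the hidden share, the share and NTFS read rights, and the optional X-Forwarded-For field for load-balanced deployments) can be applied from one elevated PowerShell session on the IIS host. The script below is an added example, not Rapid7's or Microsoft's own code; the service account name, share name and site id are placeholders, and it uses the standard WebAdministration, SmbShare and icacls tooling.

```powershell
# Added example (not Rapid7's or Microsoft's own code): apply the IIS logging
# settings InsightIDR expects and publish the site's log folder as a hidden share.
# Assumptions: the account name, share name and site id below are placeholders;
# run elevated on the IIS host.
param(
    [string]$ServiceAccount = 'CORP\svc_insightidr',  # placeholder: the collector's service account
    [string]$ShareName      = 'IISLogs$',             # trailing $ hides the share from browsing
    [string]$LogRoot        = 'C:\inetpub\logs\LogFiles',
    [int]$SiteId            = 1,                      # IIS writes each site's logs to W3SVC<SiteId>
    [switch]$BehindLoadBalancer                       # adds the X-Forwarded-For custom field
)
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$logFile = 'system.applicationHost/sites/siteDefaults/logFile'

# 1. W3C format, log directory and the exact field set. IIS writes W3C fields in a fixed
#    order that matches the documented list; BytesSent adds the required sc-bytes column.
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFile -Name 'logFormat' -Value 'W3C'
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFile -Name 'directory' -Value $LogRoot
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFile -Name 'logExtFileFlags' -Value (
    'Date,Time,ServerIP,Method,UriStem,UriQuery,ServerPort,UserName,ClientIP,' +
    'UserAgent,Referer,HttpStatus,HttpSubStatus,Win32Status,BytesSent,TimeTaken')

if ($BehindLoadBalancer) {
    # Custom field (IIS 8.5+ enhanced logging); it is appended after time-taken in the file
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$logFile/customFields" -Name '.' -Value @{
        logFieldName = 'X-Forwarded-For'; sourceName = 'X-Forwarded-For'; sourceType = 'RequestHeader' }
}

# 2. Hidden share on the site's own folder: InsightIDR only reads the folder you specify,
#    not its subfolders, so share W3SVC<SiteId> rather than the LogFiles root.
$siteLogDir = Join-Path $LogRoot "W3SVC$SiteId"
if (-not (Test-Path $siteLogDir)) { New-Item -ItemType Directory -Path $siteLogDir | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $siteLogDir -ReadAccess $ServiceAccount | Out-Null
}

# 3. Read-only NTFS rights for the service account (share AND NTFS read are both required)
icacls $siteLogDir /grant "$($ServiceAccount):(OI)(CI)RX" | Out-Null

# 4. The UNC path to enter in the InsightIDR event source
"\\$env:COMPUTERNAME\$ShareName"
```

The script changes the server-level site defaults, which is what the linked "per-site logging at the server level" topic configures; a site that already has its own explicit logFile settings keeps them, so check such sites individually in IIS Manager. The account is granted read rights only, at both the share and the NTFS layer, which is the least privilege the Collector needs.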

Configure InsightIDR to receive data from the event source

After you complete the prerequisite steps and configure Microsoft IIS server logging, you must add the event source in InsightIDR. You will need a credential that has both Read Share permissions and Read NTFS permissions to access the IIS logs.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Microsoft IIS in the event sources search bar.
    • In the Product Type filter, select Web Server Access Logs.
  3. Select the Microsoft IIS event source tile.
  4. Name the event source. This name will be used to name the log that contains the event data in Log Search.
  5. Select a collector.
  6. Optionally, select the option to send unparsed data.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select Watch Directory as your collection method.
  9. In the UNC path field, enter the network path you noted when configuring Microsoft IIS to send data to InsightIDR.
  10. If the directory contains any files other than IIS logs, optionally specify *.log in the File Pattern field.
  11. Click Save.

Test the configuration

To test that event data is flowing into InsightIDR through the Collector:

  1. From the Data Collection Management page, click the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. After approximately 7 minutes, log entries start to appear in Log Search. From the left menu, go to Log Search.
  4. In the Log Sources panel, filter for the Web Server Access log set.
  5. Select the Microsoft IIS log.
  6. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log set Web Server Access.

Here is an example of a log entry that is created by the event source:

2023-03-07 07:41:46 11.11.11.11 POST /rapid7/moose - 80 - ::1 - - 200 0 0 0 3

Sample file header

The file header should appear at the top of the file exactly as listed here:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
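Because parsing depends on the header matching this field list exactly, it is worth checking a log file from the share before (and while) troubleshooting. The following function is an added example, not Rapid7's code: it compares a file's #Fields header against the expected order (tolerating the optional trailing X-Forwarded-For field), parses the entries into objects, and flags the load-balancer symptom described in the troubleshooting section (every entry carrying the same c-ip with no X-Forwarded-For field). The sample lines are constructed; the first entry is the page's own example.

```powershell
# Added example (not Rapid7's code): validate an IIS W3C log's #Fields header
# against the order InsightIDR expects, then parse the entries.
$Expected = @('date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port',
              'cs-username','c-ip','cs(User-Agent)','cs(Referer)','sc-status',
              'sc-substatus','sc-win32-status','sc-bytes','time-taken')
$OptionalTrailing = 'X-Forwarded-For'   # present only when the load-balancer custom field is configured

function Test-IisLogFile {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null; $entries = @(); $problems = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            $core = $fields
            if ($fields[-1] -eq $OptionalTrailing) { $core = $fields[0..($fields.Count - 2)] }
            # -SyncWindow 0 makes the comparison positional, so a reordered field is reported
            if (Compare-Object $core $Expected -SyncWindow 0) {
                $problems += "Field order differs from the expected InsightIDR order: $($fields -join ' ')"
            }
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }  # other directives
        if (-not $fields) { $problems += 'Entry found before any #Fields header'; continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) {
            $problems += "Field count mismatch ($($values.Count) values, $($fields.Count) fields): $line"
            continue
        }
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        $entries += [pscustomobject]$entry
    }
    # Troubleshooting symptom: all client IPs identical (likely the load balancer) and no XFF field
    $clientIps = $entries | Select-Object -ExpandProperty 'c-ip' -Unique
    if ($entries.Count -gt 1 -and $clientIps.Count -eq 1 -and $fields -notcontains $OptionalTrailing) {
        $problems += "All $($entries.Count) entries share c-ip $clientIps; if a load balancer fronts IIS, configure the X-Forwarded-For field"
    }
    [pscustomobject]@{ Fields = $fields; Entries = $entries; Problems = $problems }
}

# Constructed sample; the first entry is the page's example log line.
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Version: 1.0',
    '#Date: 2023-03-07 07:41:46',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken',
    '2023-03-07 07:41:46 11.11.11.11 POST /rapid7/moose - 80 - ::1 - - 200 0 0 0 3',
    '2023-03-07 07:41:47 11.11.11.11 GET /rapid7/moose - 80 - ::1 Mozilla/5.0+(constructed) - 200 0 0 512 8'
)
$result = Test-IisLogFile -Lines $sample
$result.Entries | Format-Table date, time, 'c-ip', 'cs-method', 'cs-uri-stem', 'sc-status', 'sc-bytes'
$result.Problems
# Against a real file on the share (placeholder host and file name):
#   Test-IisLogFile -Lines (Get-Content '\\IISHOST\IISLogs$\u_ex230307.log')
```

Run against a file from the share, a non-empty Problems list points at the cause before you change anything on the IIS servers: a header mismatch means the W3C Logging Fields selection is wrong, a field count mismatch usually means an extra custom field was added without updating the header, and the shared c-ip warning is the load-balancer case.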

Troubleshoot common issues

If the data is not parsing, you can review the logs to identify the cause of the issue. The most common issues are described below.

Once you identify the issue, you can make the necessary changes on the Microsoft IIS servers to remedy it.

The fields are not correctly configured

A common reason why a parsing issue may occur is that the fields are not correctly configured. Ensure that the fields you select for the log file exactly match those listed in the Configure Microsoft IIS to send data to InsightIDR section.

Load balancer IP is used instead of the true source IP

If you have a load balancer, such as Netscaler, in front of your servers, you may notice that the source IP for all users is the IP address associated with your load balancer instead of the true IP address.

To fix this, you must add an x-forwarded-for header to the IIS logs. Learn more about how to add this header at: