Flat File - Microsoft IIS NCSA Common Format File

NCSA Common formats record logging data in four-digit year format. The IIS format uses a two-digit year format for years 1999 and earlier, and a four-digit format thereafter. The data logged for each request is fixed for NCSA and IIS log file formats.

Prerequisites

• Ensure the IIS Active log format = NCSA Common Log File Format.
• Identify the following prior to configuration:
  • The Microsoft IIS default log directory.
  • The LogRhythm System Monitor Agent used to collect the logs from Microsoft IIS Manager.

Configure Default Log Directory and Active Log NCSA Common Format in Microsoft IIS Manager

1. Start Internet Information Services (IIS) Manager.
2. Access ServerName, then Web Sites or FTP Sites.
3. Right-click the web site or FTP site where you want to enable logging and select Properties from the context menu.
4. Click the Web Site or FTP Site tab.
5. Select the Engage logging check box.
6. In the Active log format box, select Microsoft IIS Log File Format.
7. Next to the Active log format, click Properties.
8. Specify the log file directory, for example: C:\Windows\System32\LogFiles\IISNCSA_logs\.

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is Flat File - Microsoft IIS NCSA Common Format File. In addition, when configuring this log source:

• For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
• On the Flat File Settings tab, enter the following:
  • File Path.C:\Windows\System32\LogFiles\IISNCSA_logs\*.log
  • Date Parsing Format. Select existing IIS NCSA Log type: “<d>/<MM>/<yy>, <h>:<m>:<s>,”
  • Log Message Start Regex. ^\d