OBSOLETE Flat File - Microsoft IIS W3C File
The W3C Extended log file format is the Microsoft IIS default. It is a customizable ASCII text-based format. You can use IIS Manager to select which fields (check boxes) to include in the log file, which lets you keep log files as small as possible. To collect and process logs using the default LogRhythm MPE Rule sets, you must leave the format in its default state: adding any additional fields to the output format will cause processing to fail. Because HTTP.sys handles the W3C Extended log file format, this format also records HTTP.sys kernel-mode cache hits.
The following are the default format fields:
<date> <time> <s-sitename> <server-ip> <cs-method> <cs-uri-stem> <cs-uri-query> <s-port> <cs-username> <c-ip> <cs(User-Agent)> <sc-status> <sc-substatus> <sc-win32-status>
Prerequisites
- Ensure the IIS Active log format = W3C Extended Log Format.
- Identify the following prior to configuration:
  - The Microsoft IIS default log directory
  - The LogRhythm System Monitor Agent used to collect the logs from Microsoft IIS Manager
Configure Default Log Directory and Active Log W3C in Microsoft IIS Manager
- Start Internet Information Services (IIS) Manager.
- Expand ServerName, then Web Sites (or ServerName, then FTP Sites).
- Right-click the web site or FTP site where you want to enable logging and select Properties from the context menu.
- Click the Web Site or FTP Site tab.
- Select the Enable logging check box.
- In the Active log format box, select W3C Extended Log Format.
- Next to the Active log format, click Properties.
- Specify the log file directory, for example: C:\Windows\System32\LogFiles\IISW3C_logs\
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. LogRhythm requires that a LogRhythm System Monitor Agent be used to collect the logs. The files being collected must be viewable on the host running the Agent using a standard file name path such as /var/log/logfile.txt or C:\logs\logfile.txt.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is Flat File - Microsoft IIS W3C File. In addition, when configuring this log source:
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
  - File Path: C:\Windows\System32\LogFiles\IISW3C_logs\*.log
  - Date Parsing Format: select the existing IIS W3C Log type: "<UTC><yy>-<M>-<d> <h>:<m>:<s>"
  - Log Message Start Regex: ^\d
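The following is an added example, not part of this guide or of LogRhythm's code, showing how the default W3C layout above is consumed: the `#Fields:` directive is checked against the default field list, only lines matching the `^\d` start regex are treated as messages, the `date`/`time` pair is read as UTC, and the `+`-encoded User-Agent is decoded. The sample log is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample IIS W3C log in the default field layout (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-01-15 10:00:01 W3SVC1 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0
2024-01-15 10:00:02 W3SVC1 10.0.0.5 GET /missing.aspx id=1 80 - 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0) 404 0 2
2024-01-15 10:00:03 W3SVC1 10.0.0.5 POST /login.aspx - 443 CONTOSO\\alice 192.0.2.12 curl/8.0 200 0 0
"""

# The IIS default field order that the LogRhythm Default MPE policy expects.
DEFAULT_FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
                  "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

# Same rule as the log source's Log Message Start Regex: a message line begins with a digit.
MESSAGE_START = re.compile(r"^\d")


def parse_iis_w3c(text):
    """Parse W3C lines into dicts keyed by W3C field name; reject non-default layouts."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            if fields != DEFAULT_FIELDS:  # extra or missing columns break the default rules
                raise ValueError("non-default W3C field layout: " + " ".join(fields))
            continue
        if not MESSAGE_START.match(line):  # '#' directives and blank lines are not messages
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % line)
        rec = dict(zip(fields, values))
        # IIS writes W3C timestamps in UTC, matching the "<UTC>..." date parsing format.
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                             "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")  # IIS encodes spaces as '+'
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def client_errors(records):
    """Return (client IP, URI stem, status) for 4xx responses, e.g. the 404 Error Messages type."""
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in records if 400 <= r["sc-status"] < 500]
```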
Supported Log Messages
(List of LR tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
---|---|---|
404 Error Messages 1 | N/A | <dport>, <sip>, <sport>, <protname>, <command>, <object>, <responsecode>, <reason>, <sinterface> |
Catch All : Level 1 | N/A | <severity>, <subject> |
Catch All : Level 3 3 | N/A | <command>, <url>, <subject>, <dport>, <domain>, <login>, <sip>, <version>, <useragent>, <object>, <vmid>, <responsecode>, <tag2>, <tag1>, <bytesout>, <bytesin>, <milliseconds>, <dip> |
Comment Line 1 | N/A | <vmid>, <tag5> |
Email Attachment Enumeration Messages | N/A | <object>, <dport>, <dip>, <session>, <objectname> |
Fan Status Information | N/A | <severity>, <object>, <subject>, <objectname> |
Propfind Messages Request 1 | N/A | <sip>, <command>, <tag1>, <objectname>, <dport>, <login>, <dip>, <useragent>, <object>, <url>, <tag2>, <vmid>, <responsecode> |
Http Get Requests | N/A | <vmid>, <sip>, <dip>, <dport>, <snatip>, <object>, <objectname>, <useragent>, <url>, <command>, <responsecode>, <duration>, <tag1>, <tag2> |
Http Post Request | N/A | <vmid>, <sip>, <dip>, <dport>, <snatip>, <login>, <object>, <objectname>, <useragent>, <command>, <responsecode>, <duration>, <tag1>, <tag2> |
HTTP Requests 2 | N/A | <vmid>, <sip>, <dip>, <dport>, <snatip>, <login>, <domainorigin>, <object>, <objectname>, <subject>, <useragent>, <url>, <command>, <responsecode>, <duration>, <tag1>, <tag2> |
HTTP Request Status Messages 1 | N/A | <command>, <tag1>, <objectname>, <dport>, <domain>, <login>, <sip>, <useragent>, <tag2>, <vmid>, <responsecode>, <dip> |
TCP Request Denied 1 | N/A | <process>, <subject>, <object>, <objectname> |
Timer_Connection Messages | N/A | <dip>, <sport>, <dport>, <sinterface>, <process>, <tag1> |
User Logon | N/A | <severity>, <object>, <login>, <objectname> |
VERSION And BASELINE Control Information | N/A | <object>, <dport>, <dip>, <objectname>, <useragent>, <session>, <dname>, <responsecode> |
Web Server Access | N/A | <dip>, <tag1>, <command>, <url>, <dport>, <domain>, <login>, <snatip>, <useragent>, <object>, <sender>, <responsecode>, <vmid>, <milliseconds>, <bytesin>, <bytesout>, <sinterface>, <sip> |
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.598.0 | N/A | Documentation | Created documentation |