Microsoft IIS Integration Guide
This guide provides configuration instructions for Microsoft Internet Information Services (IIS) logging so that the logs can be forwarded by a supported agent for security monitoring. Supported agents are listed under Connect Microsoft Windows Event Log.
The Secureworks® Taegis™ XDR On-Premises Data Collector accepts logs in the Snare over Syslog format.
Connectivity Requirements

Source | Destination | Port/Protocol
---|---|---
Windows Server | Taegis™ XDR Collector (mgmt IP) | UDP/514
Data Provided from Integration

 | Auth | DHCP | DNS | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty
---|---|---|---|---|---|---|---|---|---|---
Microsoft IIS | | | | | D | | | | |

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Logging Configuration Instructions
Logging configuration depends on the version of Microsoft IIS you are running.
Important
The data source must be configured to report timestamps as UTC to ensure that XDR reports the correct time zone.
Note
NXLog CE does not support converting timestamps to UTC. If that is required, a different product such as NXLog Enterprise Edition must be used.
Configuring Microsoft IIS Logging
Note
These steps support Microsoft IIS 8.5 and later.
- From your Windows machine, open Administrative Tools > Internet Information Services (IIS) Manager.
- Within the IIS management console, select the IIS Web Site you are configuring.
- Select Logging.
- Select the following fields:
- Date
- Time
- Client IP Address
- User Name
- Service Name
- Server Name
- Server IP Address
- Server Port
- Method
- URI Stem
- URI Query
- Protocol Status
- Protocol Substatus
- Win32 Status
- Bytes Sent
- Bytes Received
- Time Taken
- Host
- User Agent
- Referrer
- Select Add field to configure the X-Forwarded-For custom field:
- Field Name — X-Forwarded-For
- Source Type — Request Header
- Source — X-Forwarded-For
- Select OK.
- Apply changes by selecting Apply from Actions.
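The same logging settings can be applied from an elevated PowerShell prompt with the IIS WebAdministration module. This is an added example and not part of the Secureworks guide; it assumes the site is named Default Web Site (change $SiteName as needed) and that the field checked in IIS Manager as Referrer corresponds to the logExtFileFlags value Referer.

```powershell
# Added example (not from the Secureworks page): apply the IIS logging steps above
# without the GUI. Assumption: the site to configure is 'Default Web Site'.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$LogFilter = "system.applicationHost/sites/site[@name='$SiteName']/logFile"

# logExtFileFlags names for the fields listed in the guide (IIS Manager's "Referrer" is Referer here).
# W3C format records the date and time fields in UTC, which is what XDR requires.
$Fields = @(
    'Date','Time','ClientIP','UserName','SiteName','ComputerName',
    'ServerIP','ServerPort','Method','UriStem','UriQuery','HttpStatus',
    'HttpSubStatus','Win32Status','BytesSent','BytesRecv','TimeTaken',
    'Host','UserAgent','Referer'
) -join ','

Set-WebConfigurationProperty -PSPath $AppHost -Filter $LogFilter -Name logFormat -Value 'W3C'
Set-WebConfigurationProperty -PSPath $AppHost -Filter $LogFilter -Name logExtFileFlags -Value $Fields

# Add the X-Forwarded-For custom field (IIS 8.5+), skipping it if it already exists
$Existing = Get-WebConfigurationProperty -PSPath $AppHost -Filter "$LogFilter/customFields" -Name Collection |
    Where-Object { $_.logFieldName -eq 'X-Forwarded-For' }
if (-not $Existing) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$LogFilter/customFields" -Name '.' -Value @{
        logFieldName = 'X-Forwarded-For'
        sourceType   = 'RequestHeader'
        sourceName   = 'X-Forwarded-For'
    }
}

# Print the resulting settings so they can be compared against the field list in the guide
Get-WebConfigurationProperty -PSPath $AppHost -Filter $LogFilter -Name logExtFileFlags
Get-WebConfigurationProperty -PSPath $AppHost -Filter "$LogFilter/customFields" -Name Collection |
    Select-Object logFieldName, sourceType, sourceName
```

Changes made this way take effect without a restart, but a new log file is started, so check the #Fields header of the newest u_ex*.log to confirm the custom field is present.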
Configuring Syslog Forwarding
Note
Sending IIS logs to XDR requires a third-party agent that can send those logs via Snare over Syslog format.
Configuring Snare
- Navigate to the Enterprise Agent for Windows web interface, available at http://<ip-address>:6161.
- From the left-hand menu, select Log Configuration.
- Select Add to add a Snare Log Configuration monitor:
- Log Type — MS IIS Logs
- Multi-Line Format — Single line only
- Log File or Directory — C:\inetpub\logs\LogFiles\W3C\W3SVC<siteIDnumber>\
Note
A Log Configuration monitor is required for each W3SVC site ID due to Snare lacking support for wildcards in directory names; if you run three websites, you’ll need three configurations for the W3SVC1, W3SVC2, and W3SVC3 directories, respectively. If your logs are located elsewhere, make sure to use the proper path for your IIS log configuration.
- Log Name Format — u_ex%_x.log
- All matching files
- Select Change Configuration.
- Add as many more monitors as necessary, based on how many site IDs you have.
- On the left-hand menu, select Apply Configuration & Restart Service.
Configuring NXLog
- Modify the following configuration to reflect the proper file path for your environment, if not default, and your XDR Collector FQDN or IP.
- Under the Input stanza, change the File path if your IIS logs are not stored in the default location.
- Under the Output stanza, modify the Host value to be the FQDN or IP of your XDR Collector. If you prefer to use UDP, change Module to om_udp and Port to 514.
```
## Please set ROOT to the folder NXLog is installed in.
## - if 64-bit NXLog is used, keep the "C:\Program Files\nxlog" lines active and leave the x86 lines commented out (#)
define ROOT C:\Program Files\nxlog
define ROOT_STRING C:\Program Files\nxlog
## - if 32-bit NXLog is used, comment out (#) the "C:\Program Files\nxlog" lines and uncomment the x86 lines
#define ROOT C:\Program Files (x86)\nxlog
#define ROOT_STRING C:\Program Files (x86)\nxlog
## NXLog's own log file, useful when troubleshooting the input or output below
define LOGFILE %ROOT%\data\nxlog.log
## Collector connection details: replace the placeholders with your XDR Collector FQDN or IP,
## the port it listens on, and the directory holding the TLS certificate files
define XDR <collector-fqdn-or-ip>
define PORT <port>
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %LOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input W3SVCIN>
    Module im_file
    ## With Recursive TRUE, every directory under LogFiles (W3SVC1, W3SVC2, ...) is monitored for u_ex*.log
    File 'C:\inetpub\logs\LogFiles\u_ex*.log'
    SavePos TRUE
    Recursive TRUE
    ReadFromLast TRUE
    PollInterval 1
    ## Drop the W3C header lines (#Software, #Version, #Date, #Fields); every other line is a request record
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             $Hostname = hostname_fqdn(); \
             $SourceName = "IISWebLog"; \
             $Message = $raw_event; \
         }
</Input>

<Output W3SVCOUT>
    ## Only one Module line may be active. om_ssl (TLS) is used here; for plain TCP use om_tcp,
    ## or for UDP use om_udp with Port 514 and remove the CAFile/CertFile/CertKeyFile/AllowUntrusted lines.
    #Module om_udp
    #Module om_tcp
    ## Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
    Module om_ssl
    Host %XDR%
    Port %PORT%
    CAFile %CERTDIR%\CA.cer
    CertFile %CERTDIR%\winhost.cer
    CertKeyFile %CERTDIR%\winhost.key
    AllowUntrusted FALSE
    ## Build an RFC 3164 (BSD) syslog line and transmit it as local5.info (facility 21, severity INFO)
    Exec $SyslogFacilityValue = 21; $Hostname = hostname_fqdn(); $Severity = 'INFO'; to_syslog_bsd();
</Output>

<Route 1>
    Path W3SVCIN => W3SVCOUT
</Route>
```
- Place the config contents in a file on the desktop called nxlog.conf.
- Make a backup of your existing C:\Program Files (x86)\NXLog\conf\nxlog.conf file.
- Replace the C:\Program Files (x86)\NXLog\conf\nxlog.conf file with the new one on the desktop.
- Restart the NXLog service.
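The rollout steps above can be scripted so that the new configuration is checked before it replaces the live one and the service state is confirmed afterwards. This is an added example, not part of the Secureworks guide; it assumes NXLog is installed under C:\Program Files (x86)\nxlog, that the Windows service is named nxlog, and that nxlog.exe accepts -v to verify a configuration file.

```powershell
# Added example (not from the Secureworks page): back up, verify, install and activate
# the NXLog configuration from an elevated PowerShell prompt.
# Assumptions: install root below, service name 'nxlog', and 'nxlog.exe -v -c <file>' verifies a config.
$NxlogRoot = 'C:\Program Files (x86)\nxlog'
$ConfPath  = Join-Path $NxlogRoot 'conf\nxlog.conf'
$NewConf   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'nxlog.conf'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

# Keep a dated copy of the current configuration so the change can be reverted
Copy-Item -Path $ConfPath -Destination "$ConfPath.$Stamp.bak" -ErrorAction Stop

# Verify the new file first; a non-zero exit code means NXLog found a syntax or directive error
& (Join-Path $NxlogRoot 'nxlog.exe') -v -c $NewConf
if ($LASTEXITCODE -ne 0) {
    throw "nxlog.exe rejected $NewConf; the live configuration was left unchanged"
}

# Install the verified configuration and restart the service so it takes effect
Copy-Item -Path $NewConf -Destination $ConfPath -Force
Restart-Service -Name nxlog -ErrorAction Stop

# Confirm the service is running and surface any errors NXLog wrote to its own log file
Get-Service -Name nxlog | Select-Object Name, Status
Start-Sleep -Seconds 5
Get-Content (Join-Path $NxlogRoot 'data\nxlog.log') -Tail 20 | Where-Object { $_ -match 'ERROR|WARNING' }
```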