IIS 7 or 8 Log Parsing Issue

Jump to solution

Hello,

I have a problem parsing logs from IIS 7/8.x. As you know, we were able to parse the log files from IIS 5-6 without any problem. We were able to change the log field order there; however, we can't change it on IIS 7-8. McAfee's recommended format is the following:

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

Since we can't make this change on IIS 7-8, how can I solve this problem? Please let me know if you have any possible solution other than creating a custom parser.

Best Regards,

1 Solution

Accepted Solutions

Re: IIS 7 or 8 Log Parsing Issue

Jump to solution

Thanks for your effort, btkarp. However, you know that, as always, we have to solve our own problems. I wrote a new parser with a regexp for our IIS 8 log format, as below:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken ClientIP

RegEx:

(?<datetime>\d+-\d+-\d+\s\d+:\d+:\d+)\s(?<dstip>(?:\d{1,3}\x2e){3}\d{1,3})\s(?<method>\w+)\s(?<uri>[^\s]*)\s(?<parameter>\-|[^\s]*)\s(?<dstPort>\d+)\s(?<dummy2>[^\s]+)\s(?<sIP>(?:\d{1,3}\x2e){3}\d{1,3})\s(?<Agent>\-|[^\s]*)\s(?<Referrer>\-|[^\s]*)\s(?<Response>\d{3})\s(?<substatus>\d+)\s(?<win32status>\d+)\s(?<dummybytes>\d+\s\d+)\s(?<timetaken>\d+)\s(?<realSrcIP>\-|(?:\d{1,3}\x2e){3}\d{1,3})


I know the Advanced Logging plugin and I am already using it on our IIS 6-7; however, I have to create a parser for it as well. Let's face it, the ESM supported products list is poor!
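A positional regex like the one above breaks whenever the column set changes. An alternative, added here as an example and not taken from the thread or from McAfee, is a small parser that reads the `#Fields:` directive of the W3C log itself, so any column order IIS 7/8 emits is handled, and then re-emits each record in the McAfee-recommended order so the stock ESM parser can consume it. The sample log is constructed; the field lists are the two quoted in this thread.

```python
from typing import Dict, List, Optional

# Field order McAfee recommends for the ESM parser (quoted in the original post).
MCAFEE_ORDER = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
    "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken"
).split()

# Constructed sample: an IIS 8 log in the field order the thread says cannot be changed.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2015-03-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken ClientIP
2015-03-10 08:15:01 10.0.0.5 GET /index.html - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 1420 350 12 198.51.100.7
2015-03-10 08:15:02 10.0.0.5 POST /login.aspx ReturnUrl=/admin 443 jdoe 192.0.2.11 curl/7.64.1 - 401 2 5 512 88 4 -
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text, taking the column order from its #Fields directive."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # One file may carry several #Fields directives (e.g. after an IIS restart).
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")  # W3C encodes spaces inside a value as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def to_mcafee_line(record: Dict[str, str], order: List[str] = MCAFEE_ORDER) -> str:
    """Re-emit one record in the recommended order; fields IIS did not log become '-'."""
    return " ".join(record.get(name, "-") for name in order)


def convert(text: str) -> str:
    """Rewrite a whole IIS log into the fixed-order format the stock parser expects."""
    header = "#Fields: " + " ".join(MCAFEE_ORDER)
    return "\n".join([header] + [to_mcafee_line(r) for r in parse_w3c(text)]) + "\n"
```

Fields such as ClientIP that are not in the recommended list are dropped on output; keep the original file if you need them for investigation.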

4 Replies

Re: IIS 7 or 8 Log Parsing Issue

Jump to solution

As far as I understand, no one has had problems with the new IIS version's log format? Then could you please share your tricks with us.

btkarp
Level 9

Re: IIS 7 or 8 Log Parsing Issue

Jump to solution

After digging all day, I may have found what we need.

Advanced Logging : The Official Microsoft IIS Site

Advanced Logging generates completely customizable W3C-standard log files. Site administrators can generate real-time client and server logs and tailor logs to track as many or as few metrics as necessary across multiple log files. Filter out information relevant to a specific purpose. Advanced Logging can create multiple logs per request, with each log containing data relevant to the purpose of the log. Capture quality of service data and audience engagement in separate logs to simplify analysis.


My guess is this will allow us to select not only what fields are used but also their order.


I hope this helps!


btkarp
Level 9

Re: IIS 7 or 8 Log Parsing Issue

Jump to solution

streamer, you are not the only one.

I am getting 'unknown events' for IIS 8.0 Version 1.0 from my IIS server logs as well.

The current format we have looks as follows:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

I have a ticket open now, waiting to hear back some good news...
