I have a problem parsing logs from IIS 7 and 8.x. As you know, we were able to parse the log files from IIS 5-6 without any problem. There we were able to change the log field order; however, we can't change it on IIS 7-8. The McAfee recommended format is the following:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
Since we can't make this change on IIS 7-8, how can I solve this problem? Please let me know if you have any possible solution other than creating a custom parser.
Thanks for your effort, btkarp. However, you know that, as always, we have to solve our own problems. I wrote a new parser with a regexp for our IIS 8 log format, as below:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken ClientIP
I know the Advanced Logging plugin and I am already using it on our IIS 6-7; however, I have to create a parser for it as well. Let's face it, the ESM supported products list is poor!
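Editor's note: the thread does not include the regexp parser streamer wrote, so the following is an added example, not code from the original post or from McAfee ESM. It is the alternative to a custom ESM parser that the question asks about: a small pre-processor that reads the #Fields: directive IIS writes at the top of each W3C log, parses records in whatever order IIS 7/8 emitted them, and re-emits them in the field order ESM expects (the McAfee-recommended list quoted above), filling fields IIS did not log with "-". It is driven by the directive rather than a fixed regexp, so it also handles the shorter field list another poster quotes later in this thread. The sample log fragment, IP addresses and timestamps are constructed for the example.

```python
"""Re-order IIS 7/8 W3C extended log records into the field order ESM expects.

Added example for this thread; not McAfee ESM code or a real ESM parser.
Assumptions: IIS writes one space between fields, encodes spaces inside a
value as '+', and writes '-' for an empty field (that is how IIS 7/8 behave
for W3C logging, so a single-space split is safe).
"""
from typing import Dict, List, Optional, Tuple

# Field order McAfee recommended in the question (what the ESM IIS parser expects).
ESM_FIELDS: List[str] = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
    "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken"
).split()

# Fields whose values are integers in W3C/IIS logs; converted when well-formed.
NUMERIC_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "sc-bytes", "cs-bytes", "time-taken"}

# Constructed sample in the IIS 8 order streamer posted (with the extra ClientIP
# field). The last line is deliberately truncated to show the error path.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-03-10 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken ClientIP
2014-03-10 00:00:01 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 1243 322 15 192.0.2.10
2014-03-10 00:00:02 10.0.0.5 GET /admin/login.aspx ReturnUrl=%2fadmin 443 - 198.51.100.7 curl/7.35.0 - 404 0 2 1832 271 3 198.51.100.7
2014-03-10 00:00:03 10.0.0.5 GET /truncated
"""

Record = Dict[str, object]


def parse_w3c(text: str) -> Tuple[List[Record], List[str]]:
    """Parse a W3C extended log into dicts keyed by the names in #Fields:.

    Returns (records, errors). A '-' becomes None; numeric fields become int.
    Lines whose token count does not match the directive are reported, not
    guessed at: with IIS's single-space, '+'-encoded format a mismatch means a
    truncated or garbled line rather than a legitimately different record.
    """
    fields: Optional[List[str]] = None
    records: List[Record] = []
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # IIS may write a new #Fields: directive mid-file (e.g. after a
                # config change); later records follow the most recent one.
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no record data
        if fields is None:
            errors.append(f"line {lineno}: data before any #Fields: directive")
            continue
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            errors.append(f"line {lineno}: expected {len(fields)} fields, got {len(tokens)}")
            continue
        rec: Record = {}
        for name, tok in zip(fields, tokens):
            if tok == "-":
                rec[name] = None
            elif name in NUMERIC_FIELDS and tok.isdigit():
                rec[name] = int(tok)
            else:
                rec[name] = tok
        records.append(rec)
    return records, errors


def to_esm_line(rec: Record, target: List[str] = ESM_FIELDS) -> str:
    """Serialise one record in the target order; fields IIS did not log become '-'.

    Fields outside the target list (such as the custom ClientIP column) are
    dropped, because the downstream parser has no slot for them.
    """
    return " ".join("-" if rec.get(name) is None else str(rec[name]) for name in target)


def convert_log(text: str, target: List[str] = ESM_FIELDS) -> Tuple[str, List[str]]:
    """Rewrite a whole IIS log in the target field order, with a matching #Fields: line."""
    records, errors = parse_w3c(text)
    out = ["#Fields: " + " ".join(target)] + [to_esm_line(r, target) for r in records]
    return "\n".join(out) + "\n", errors


if __name__ == "__main__":
    converted, problems = convert_log(SAMPLE_LOG)
    print(converted)
    for p in problems:
        print("skipped:", p)
```

Run it over a copy of a real IIS 8 log and feed the output to ESM in place of the original file. The one thing to keep an eye on is the error list: a non-empty list means lines were dropped, which for a security log source should be alerted on rather than silently tolerated, since a gap in the converted log is invisible to the SIEM.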
Advanced Logging generates completely customizable W3C-standard log files. Site administrators can generate real-time client and server logs and tailor logs to track as many or as few metrics as necessary across multiple log files. Filter out information relevant to a specific purpose. Advanced Logging can create multiple logs per request, with each log containing data relevant to the purpose of the log. Capture quality of service data and audience engagement in separate logs to simplify analysis.
My guess is this will allow us to select not only what fields are used but also what order.
I hope this helps!
streamer, you are not the only one.
I am getting 'unknown events' for IIS 8.0 Version 1.0 from my IIS server logs as well.
The current format we have looks as follows:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
I have a ticket open now, waiting to hear back some good news...