
IIS 7 or 8 Log Parsing Issue


Hello,

I have a problem parsing logs from IIS 7 and 8.x. As you know, we were able to parse the log files from IIS 5-6 without any problem. We were able to change the log field order there; however, we can't change it on IIS 7-8. The McAfee-recommended format is the following:

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

Since we can't make this change on IIS 7-8, how can I solve this problem? Please let me know if you have any possible solution other than creating a custom parser.

Best Regards,

1 Solution

Accepted Solutions

Re: IIS 7 or 8 Log Parsing Issue


Thanks for your effort, btkarp. However, you know that, as always, we have to solve our own problems. I wrote a new parser with a regexp for our IIS 8 log format, as below:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken ClientIP

RegEx (the original hard-coded the status as 301 and only allowed "-" for cs-username, so it only matched anonymous 301 responses; those two groups are generalised here):

(?<datetime>\d+-\d+-\d+\s\d+:\d+:\d+)\s(?<dstip>(?:\d{1,3}\x2e){3}\d{1,3})\s(?<method>\w+)\s(?<uri>[^\s]*)\s(?<parameter>\-|[^\s]*)\s(?<dstPort>\d+)\s(?<username>\-|[^\s]*)\s(?<sIP>(?:\d{1,3}\x2e){3}\d{1,3})\s(?<Agent>\-|[^\s]*)\s(?<Referrer>\-|[^\s]*)\s(?<Response>\d{3})\s(?<substatus>\d+)\s(?<win32status>\d+)\s(?<dummybytes>\d+\s\d+)\s(?<timetaken>\d+)\s(?<realSrcIP>\-|(?:\d{1,3}\x2e){3}\d{1,3})


I know the Advanced Logging plugin and have already been using it on our IIS 6-7; however, I have to create a parser for it as well. Let's face it, the ESM supported products list is poor!
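As an added example (not code from the thread or from McAfee), here is a Python parser that reads the W3C `#Fields:` directive and keys every entry by field name, so the column order IIS 7/8 produces no longer matters, plus a helper that re-emits an entry in the McAfee-recommended order for a downstream parser that insists on it. The sample log is constructed; the field list and values are made up.

```python
# Constructed sample: an IIS 8 W3C log in the field order from the thread,
# which differs from the McAfee-recommended order. Values are invented.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2015-03-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken ClientIP
2015-03-10 08:15:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 1234 456 15 -
2015-03-10 08:15:02 10.0.0.5 POST /login.aspx user=admin 443 CORP\\jdoe 192.0.2.20 Mozilla/5.0 https://example.test/ 302 0 0 512 789 120 203.0.113.7
"""

# The field order the original post quotes as McAfee's recommendation.
MCAFEE_FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
                 "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
                 "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
                 "sc-win32-status sc-bytes cs-bytes time-taken").split()


def parse_w3c(lines):
    """Yield one dict per log entry. Field names come from the most recent
    #Fields directive, so any column order (or a mid-file order change) works."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no entries
        if fields is None:
            raise ValueError("log entry before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            # IIS replaces spaces inside values with '+', so a count mismatch
            # means a truncated or foreign line; skip it rather than misalign.
            continue
        # W3C uses '-' for "not logged"; map it to None so callers can tell.
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def reorder(entry, target=MCAFEE_FIELDS):
    """Re-emit an entry in the target column order; fields IIS did not log become '-'."""
    return " ".join(entry.get(f) or "-" for f in target)


if __name__ == "__main__":
    for e in parse_w3c(SAMPLE_LOG.splitlines()):
        print(e["sc-status"], e["cs-uri-stem"], e["ClientIP"], "|", reorder(e))
```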

4 Replies

Re: IIS 7 or 8 Log Parsing Issue


As far as I understand, no one else has had problems with the new IIS version's log format? Then could you please share your tricks with us.

btkarp
Level 9
Message 3 of 5

Re: IIS 7 or 8 Log Parsing Issue


After digging all day, I may have found what we need.

Advanced Logging : The Official Microsoft IIS Site

Advanced Logging generates completely customizable W3C-standard log files. Site administrators can generate real-time client and server logs and tailor logs to track as many or as few metrics as necessary across multiple log files. Filter out information relevant to a specific purpose. Advanced Logging can create multiple logs per request, with each log containing data relevant to the purpose of the log. Capture quality of service data and audience engagement in separate logs to simplify analysis.


My guess is this will allow us to select not only what fields are used but also their order.


I hope this helps!


btkarp
Level 9
Message 5 of 5

Re: IIS 7 or 8 Log Parsing Issue


streamer, you are not the only one.

I am getting 'unknown events' for IIS 8.0 Version 1.0 from my IIS server logs as well.

The current format we have looks as follows:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

I have a ticket open now, waiting to hear back some good news...