IIS Logging Issue - Not Sending Properly

This is an example of a line from my raw log file:

2016-06-10 18:37:04 W3SVC7 <snip> <snip> GET /v1/Carrier/EL/Skins/Producer/Forms/Top/Footer_L.gif - 443 - 66.222.193.37 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.84+Safari/537.36 ASP.NET_SessionId=vxikp1x1edzphnzpgdhbh3kc;+XYZ=1;+XYZ_Legacy=1;+__utmt=1;+<snip>=E46EFC511E84EC3CD3F5F5EC2D857300A5A9E584CE714D03C1C5CA50D9BC0B32DCCD0B4DA415F33E58DE03D6A73226FF4B9EEFCD496B34C796A51E233E9EF2E646D27EB580553CC402C0F7C910F23CAFC7B02D37E7F0D29C44CB2A5948BADB6173B2F1CCA73DD10D8C65674CEDCD4EA2EFE4C114659C08B71AD60B901B5ADEFB662022F24EBEF5B<snip>1CC536A4B1BA35277699EA1F71DEA2276455EBFFFE257C9B6D91C1FE228CB2F3B83FA354E93C59B333780961C255685445E0C;+__utma=36809652.120754785.1424726715.1465531765.1465582847.160;+__utmb=36809652.35.10.1465582847;+__utmc=36809652;+__utmz=36809652.1465582847.160.120.utmcsr=*.ca|utmccn=(referral)|utmcmd=referral|utmcct=/;+Language=en https://www.**.ca/v1/Modules/PlanAdmin/Pages/Division.aspx www.e<snip> 304 0 0 325 2181 124

(I snipped the sensitive stuff)

and this is what the SIEM Collector Utility ships off to the SIEM [different request, but from the same log file and site]:

2016-06-03 17:12:57 <snip> GET /cms/media/8703/lifeworks.jpg - 443 - 24.157.67.103 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 200 0 0 140

- These two sites are on the same server with the same logging configuration, and the raw log files have the proper fields, but for some reason the SIEM Collector does not send the top log properly.

For example, here is an entry for the site that DOES work:

2016-06-10 18:11:08 W3SVC2 E**********6 10.*.*.*POST /Novus.asmx - 8443 - 67.21.241.11 HTTP/1.1 SOAP::Lite/Perl/0.710.08 - - <snip>:8443 200 0 0 3093 835 140

This one includes the proper fields and gets parsed properly; the top one does not.

I do see these events in the streaming events view, so it's not an issue with communication. Does anyone know why the SIEM Collector Utility is stripping out some data from the original log file?

3 Replies
btkarp

Re: IIS Logging Issue - Not Sending Properly

Check your IIS log configuration and ensure that all the boxes are checked off. The parser will only work properly if you have all the boxes in the logging options checked. Also, are you running any Advanced IIS log collection? That may have an effect on what the IIS Parser is expecting to see.
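The field check suggested in the reply above, as an added example that is not part of the thread and not McAfee code: a Python audit of the `#Fields:` directives in an IIS W3C log, reporting which standard fields each header lacks and which rows do not match their header. The function name `audit_fields`, the assumption that "all boxes checked" means the 22 standard W3C fields, and the sample log are all constructed for illustration.

```python
# Added example, not from the thread: audit "#Fields:" directives in an IIS
# W3C log. IIS rewrites the header when logging restarts, so layouts can vary.

# Standard W3C fields offered in IIS Manager's "Select Fields" dialog.
# Assumption: "all boxes checked" means every one of these is present.
FULL_W3C_FIELDS = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem "
    "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
    "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status "
    "sc-bytes cs-bytes time-taken"
).split()

def audit_fields(log_text):
    """Return one report per #Fields: directive: missing fields, bad rows."""
    reports, current = [], None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            current = {
                "header_line": lineno,
                "missing": [f for f in FULL_W3C_FIELDS if f not in fields],
                "field_count": len(fields),
                "rows": 0,
                "bad_rows": [],  # rows whose column count differs from header
            }
            reports.append(current)
        elif line.startswith("#") or not line.strip() or current is None:
            continue  # other directives, blank lines, rows before any header
        else:
            current["rows"] += 1
            # IIS encodes spaces inside values as "+", so whitespace splits cleanly
            if len(line.split()) != current["field_count"]:
                current["bad_rows"].append(lineno)
    return reports

# Constructed sample: a 14-field layout, then the full layout after a logging
# change. Hosts and addresses are documentation values, not real systems.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-06-03 17:12:57 192.0.2.10 GET /a.jpg - 443 - 198.51.100.7 Mozilla/5.0+(X) 200 0 0 140
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-06-10 18:11:08 W3SVC2 WEB01 192.0.2.10 POST /x.asmx - 8443 - 198.51.100.7 HTTP/1.1 Test/1.0 - - example.test:8443 200 0 0 3093 835 140
2016-06-10 18:11:09 192.0.2.10 GET /a.jpg - 443 - 198.51.100.7 Mozilla/5.0+(X) 200 0 0 140
"""

if __name__ == "__main__":
    for report in audit_fields(SAMPLE_LOG):
        print(report)
```

Running it against each site's current log file shows whether the two sites really write the same field layout, and whether an older header earlier in the same file still describes a shorter one.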

Re: IIS Logging Issue - Not Sending Properly

Yep, all the fields were enabled - it was one server with two sites, both sites had all fields enabled, but only 1 of the sites was working properly. The issue seemed to have corrected itself, although the parser ignores the session token. Maybe this is by design. I wish I knew what the issue was, but I'm just happy it's working. I'd be happy to provide some screenshots if anyone is running into the same issues. The SIEM collector utility is not my favourite.

Re: IIS Logging Issue - Not Sending Properly

Solution 1: If you are not using the SIEM log collector, telnet between both systems (IIS to receiver and receiver to IIS) on the log sending and receiving port, and check the WMI logs as well. If the WMI logs are properly received on the Receiver, there is a problem with the IIS log forwarder. If the WMI logs are also not received on the ERC, remove the existing data source from the ESM, add a Windows data source, and check it on the receiver.

In my experience, I have faced some issues without the log collector, so I recommend the SIEM log collector to you.

Solution 2: SIEM log collector verification:

>> Go to the IIS machine >> open the McAfee SIEM Collector Management Utility

>> Check whether your Receiver IP address is properly connected or not (see screenshot: epo.JPG)

If the receiver is not connected, the ESM cannot display IIS logs on the SIEM Dashboard.
