This is an example of a line from my raw log file:
2016-06-10 18:37:04 W3SVC7 <snip> <snip> GET /v1/Carrier/EL/Skins/Producer/Forms/Top/Footer_L.gif - 443 - 18.104.22.168 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.84+Safari/537.36 ASP.NET_SessionId=vxikp1x1edzphnzpgdhbh3kc;+XYZ=1;+XYZ_Legacy=1;+__utmt=1;+<snip>=E46EFC511E84EC3CD3F5F5EC2D857300A5A9E584CE714D03C1C5CA50D9BC0B32DCCD0B4DA415F33E58DE03D6A73226FF4B9EEFCD496B34C796A51E233E9EF2E646D27EB580553CC402C0F7C910F23CAFC7B02D37E7F0D29C44CB2A5948BADB6173B2F1CCA73DD10D8C65674CEDCD4EA2EFE4C114659C08B71AD60B901B5ADEFB662022F24EBEF5B<snip>1CC536A4B1BA35277699EA1F71DEA2276455EBFFFE257C9B6D91C1FE228CB2F3B83FA354E93C59B333780961C255685445E0C;+__utma=36809652.120754785.1424726715.1465531765.1465582847.160;+__utmb=36809622.214.171.1245582847;+__utmc=36809652;+__utmz=36809652.1465582847.160.120.utmcsr=*.ca|utmccn=(referral)|utmcmd=referral|utmcct=/;+Language=en https://www.**.ca/v1/Modules/PlanAdmin/Pages/Division.aspx www.e<snip> 304 0 0 325 2181 124
(I snipped the sensitive stuff)
and this is what the SIEM Collector Utility ships off to the SIEM [different request, but from the same log file and site]:
2016-06-03 17:12:57 <snip> GET /cms/media/8703/lifeworks.jpg - 443 - 126.96.36.199 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 200 0 0 140
- These two sites are on the same server with the same logging configuration, the raw log files have the proper fields, but for some reason the SIEM Collector does not send the top log properly
For example, here is an entry for the site that DOES work:
2016-06-10 18:11:08 W3SVC2 E**********6 10.*.*.*POST /Novus.asmx - 8443 - 188.8.131.52 HTTP/1.1 SOAP::Lite/Perl/0.710.08 - - <snip>:8443 200 0 0 3093 835 140
This one includes the proper fields and gets parsed properly - the top one does not
I do see these events in the streaming events view so it's not an issue with communication, does anyone know why the SIEM Collector Utility is stripping out some data from the original log file?
Check your IIS log configuration and ensure that all the boxes are checked off. The parser will only work properly if you have all the boxes in the logging options checked. Also, are you running any Advanced IIS log collecton, that may have an affect on what the IIS Parser is expecting to see.
Yep all the fields were enabled - it was one server with two sites, both sites had all fields enabled but only 1 of the sites were working properly. The issue seemed to have corrected itself, although the parser ignores the session token. Maybe this is by design. I wish I knew what the issue was but I'm just happy it's working. I'd be happy to provide some screenshots if anyone is running into the same issues. The SIEM collector utility is not my favourite
Solution 1. If you are not using SIEM log collector telnet between both system IIS to recerver and receiver to IIS for log sending and receiving port and see WMI logs as well, if WMI logs are properly received on Receiver there are a problem on IIS log forwarder. If WMI logs too not received on ERC remove existing data source from ESM and add windows data source and check it to receiver.
In my experinece i had faced some issue without log collector so i m recommended you to SIEM log collector.
Solution2: SIEM log collector verification:
>> go to IIS Machine >> open McAfee SIEM Collector Management Utility
>> check your Receiver IP address it is properly connected or not ? see on screenhots:
If receiver are not connected ESM cannot displayed IIS log on SIEM Dashboard.