btkarp
Level 9
Message 1 of 10

Multiple IIS Log Collection Using Collector


Hello all,

Just wanted to see if anyone has any experience with collecting IIS logs from multiple paths on one data source and having each of those log source paths listed as an individual data source on the SIEM.

For example, have 3 websites being run with 3 different log paths. I have tried the below configuration with no success:

On the IIS Server:

The Agent Collector has 3 different 'Generic Log Tail' configurations. Each is configured to a unique path where logs are stored for Website A, B and C.

On the SIEM:

Microsoft IIS MEF Parent Data Source - Configured with IP of Server

Client Data Source 1 - configured using Host ID WebsiteA

Client Data Source 2 - configured using Host ID WebsiteB

Client Data Source 3 - configured using Host ID WebsiteC

With this current setup, ALL the IIS logs for all 3 configurations go directly to the Parent Data Source and do not get sent to their respective Client Data Source (which is what I was expecting by setting the Host ID on each configuration in the Agent Utility).

Does anyone have any ideas on how I can get these IIS logs to show up under their own client data source I created? Additionally, the logs are reporting as Unknown Events even though IIS is supposed to be supported. What gives?

Kind Regards

Accepted Solutions

Re: Multiple IIS Log Collection Using Collector


Hi btkarp,

I have 5 IIS logs on the same host and I created 5 data sources on ESM. I'm going to share some samples from our environment; I hope it might help.

IISLogs.JPG

This image shows my parent data source for getting all events from the SIEM Collector.

Parent Data Source.JPG

And I have created a child data source for each Host ID.

Child Data Source.JPG

log view.JPG

9 Replies
exbrit
Level 21
Message 2 of 10

Re: Multiple IIS Log Collection Using Collector


For faster support I moved this to SIEM which I assume it's about.

---

Peter

Moderator

Re: Multiple IIS Log Collection Using Collector


Instead of creating client data sources, have you tried just creating three separate parent data sources and setting the respective host ID for each?

What parser are you using? Try Microsoft as vendor, IIS (ASP) and retrieval set to MEF.

btkarp
Level 9
Message 4 of 10

Re: Multiple IIS Log Collection Using Collector


Thanks for the reply.

Unfortunately, you cannot have multiple data sources using the same IP address for the same log type. Since I have 3 IIS logs on the same data source, I am unable to create 3 Parent Data Sources.

The Parent / Child layout will not work either due to the same duplicate IP / log type issue. Which leaves the only option (that I can think of) the Parent / Client route. This allows me to set the IP / Hostname on the Parent and only set the Host ID for each "client" which is really just a different path to a different log file on the same server.

As it stands right now, I have no trouble getting all the logs to the SIEM - the problem is that I cannot get the logs to show under their respective "Client" data sources I have created. Below is how it looks right now.

IIS Server Parent Data Source - All IIS logs for Website A, B, C showing when I click this data source - No way to determine log source!
    - Website A Client Data Source - No logs showing here
    - Website B Client Data Source - No logs showing here
    - Website C Client Data Source - No logs showing here


Any and all ideas are welcome! Thanks.

btkarp
Level 9
Message 6 of 10

Re: Multiple IIS Log Collection Using Collector


@streamer Thank you! I have been racking my brain about the Agent Configuration for 2 days straight!

This helps me out VERY much!

Life saver!

poezie
Level 9
Message 7 of 10

Re: Multiple IIS Log Collection Using Collector


If you use IIS 8.5 and above, you could also enable your IIS server to write the IIS logs to the Event Log and pick them up from there with the SIEM Collector Event Log collector.

This works well for us.

Thanks
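An added example, not from this thread or from any poster: a PowerShell check of where each IIS site writes its W3C log (the per-site paths the Generic Log Tail configurations point at) and the IIS 8.5+ switch that additionally sends those entries to the Event Log, which is the route described in the reply above. It assumes the WebAdministration module that ships with IIS, an elevated session, and that the Microsoft-Windows-IIS-Logging/Logs channel is the one the collector is pointed at.

```powershell
# Requires IIS 8.5 or later for the logTargetW3C setting; run elevated.
Import-Module WebAdministration

function Get-IisLogTargets {
    # One row per site: the folder the W3C file lands in (IIS appends W3SVC<siteId>)
    # and whether the site also emits log entries via ETW.
    Get-Website | ForEach-Object {
        $lf  = $_.logFile
        $dir = [Environment]::ExpandEnvironmentVariables($lf.directory)
        [pscustomobject]@{
            Site      = $_.name
            LogPath   = Join-Path $dir ("W3SVC{0}" -f $_.id)
            Format    = $lf.logFormat
            Target    = $lf.logTargetW3C   # File, ETW, or "File,ETW"
        }
    }
}

function Enable-IisEtwLogging {
    param([string[]]$SiteName = (Get-Website).name)
    foreach ($name in $SiteName) {
        # Keep the file log (so existing tail configurations keep working) and add ETW.
        Set-ItemProperty "IIS:\Sites\$name" -Name logFile.logTargetW3C -Value 'File,ETW'
    }
    # The IIS-Logging channel is disabled by default; nothing can be collected
    # from it until it is enabled.
    wevtutil sl 'Microsoft-Windows-IIS-Logging/Logs' /e:true
}

# Audit first; only then opt sites in, e.g. Enable-IisEtwLogging -SiteName 'WebsiteA'
Get-IisLogTargets | Format-Table -AutoSize
```

After enabling, confirm new entries appear under Applications and Services Logs > Microsoft > Windows > IIS-Logging > Logs before pointing the collector at that channel.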

dan2
Level 7
Message 8 of 10

Re: Multiple IIS Log Collection Using Collector


Do you use an IP address in the parent data source configuration? The picture is blurred out. Thank you.

asadz
Level 9
Message 9 of 10

Re: Multiple IIS Log Collection Using Collector


Hello Streamer,

I have more or less the same case, but the thing is I'm using a remote system to fetch IIS logs. When I do, I get the error that is displayed in the attached screenshot.

Also, do I need to add it as a separate data source? For the McAfee Collector utility installed on the system I'm also getting Windows events from it, but the same collector is also used to fetch logs from the remote system, which is the IIS web server.

Capture (6).PNG

btkarp
Level 9
Message 10 of 10

Re: Multiple IIS Log Collection Using Collector


@asadz instead of trying to pull from a remote directory, why are you not just simply installing the Collector Agent on the 10.25.1.74 machine? Then you can just make a data source for 10.25.1.74 on the Event Receiver...

I have never seen log collection configured in the manner in which you are attempting, so I cannot really comment on if that will even work or not.