
SIEM and logs from IIS

After spending a while configuring a SIEM log collector on IIS servers and hooking the feed to the SIEM box, I stumbled upon a question of why these logs are even needed...

For example, these logs are not being flagged if there's an SQL injection in the URL field; an auto rule is created for the 308-200 event ID that just says 200 OK. It populates and parses data nicely etc., shows the URL that was in the GET request etc., but that's about it, nothing is being flagged. I understand I can create alerts, but those are based on a certain pattern, which wouldn't be feasible for getting one for SQL injections, for example..

Just wondering, am I wrong on this one and maybe there's some method to actually make use of these logs? Guys, what use are you making out of these logs? Any examples, case studies etc.?

I was very surprised to see that McAfee SIEM doesn't really do that...

2 Replies
Reliable Contributor akerr

Re: SIEM and logs from IIS

SIEMs don't do things like match SQL injection attempts or detect malware.  They collect logs from sources that do and give you a central location to view, alarm, and report on them.  What you want is an IPS/IDS to detect those types of events, which then feeds the SIEM, which can then alarm you, or take automated action when it detects these types of events.


Re: SIEM and logs from IIS

Sure, makes sense. IPS is the thing. However, wouldn't it be vital/good/useful if a log analyser would parse through the logs that are getting fed into it? Coz SIEM could fill in the right fields so the parser is good, however it can't see SQL injections or anything suspicious in the URL field (if we are talking about IIS).

It can, however, show high severity on the events that are coming from WMI logs, so how does that coincide?

Deep down I still believe that there must be some way of making more use out of IIS logs...
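As an added illustration of the kind of content-level check the thread is asking about (not code from the thread, McAfee, or any SIEM product): a small parser for IIS W3C extended log lines that decodes the cs-uri-query field and flags requests matching a few SQL-injection indicators. The log lines, field list and rule names are constructed for the example; a SIEM correlation rule or IDS signature would do the same matching on the decoded query field.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-03-01 10:00:01 10.0.0.5 GET /products.aspx id=42 203.0.113.7 200
2019-03-01 10:00:02 10.0.0.5 GET /products.aspx id=42'+OR+1%3D1-- 203.0.113.7 200
2019-03-01 10:00:03 10.0.0.5 GET /search.aspx q=blue+shoes 198.51.100.9 200
2019-03-01 10:00:04 10.0.0.5 GET /products.aspx id=1+UNION+SELECT+name,password+FROM+users 203.0.113.7 500
"""

# Illustrative indicators evaluated on the URL-decoded query string; tune per application.
RULES = {
    "sqli_tautology": re.compile(r"'\s*or\s+['\d]", re.I),
    "sqli_union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "sqli_comment": re.compile(r"(--|/\*|;\s*$)"),
}


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def flag_requests(text):
    """Return (client_ip, uri_stem, matched_rule_names) for each request hitting a rule."""
    hits = []
    for rec in parse_w3c(text):
        # IIS writes "-" for an empty query; decoding reverses %xx and '+' encoding
        query = unquote_plus(rec.get("cs-uri-query", "-"))
        matched = [name for name, rx in RULES.items() if rx.search(query)]
        if matched:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], matched))
    return hits


if __name__ == "__main__":
    for ip, stem, rules in flag_requests(SAMPLE_LOG):
        print(f"{ip} {stem}: {', '.join(rules)}")
```

Matching on the decoded field matters: the second sample line only reveals `' OR 1=1--` after `%3D` and `+` are decoded, which is also why a 200 status alone says nothing about whether the request was malicious.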
