5 Replies Latest reply on Sep 25, 2013 11:53 AM by Scott Taschler

    IIS Collector

    pfabrizi

      I have been asked to start collecting our IIS logs from our Webzone IIS servers and looking through the data sources I found an IIS collector, but I am not sure how to configure it. I spoke with our IIS person and he gave me a sample log (file based); he indicated that it is a standard IIS log for the most part. It resides on a file share.


      If I use the Information Services data model would this work?


      I tried setting up the data source as follows, but received an error when trying to test the connection.


      data source: Microsoft

      data source model: Internet Information Services

      data format: default

      data retrieval: Not sure, so I tried CIFS File


      I gave a share name to a testing location since the firewall rules are not in place to allow me to connect yet.


      I get this error:

      NotOk retrying with upper case share name(ntlm), retrying with upper case share name(ntlmv2), mount error(95): Operation not supported(ntlmi), mount error(95): Operation not supported(ntlmv2i)

        • 1. Re: IIS Collector
          haroot

          Hi pfabrizi,


          I would suggest you use the McAfee Windows agent for testing purposes (if you can). Below is the URL link on how to configure IIS as a data source using the Windows Agent.


          It's not necessary to install the agent on the IIS Server, as you can install it on your PC as well.


          http://kc.mcafee.com/corporate/index?page=content&id=KB74849&actp=search&viewlocale=en_US&searchid=1377163705967


          Haroot

          • 2. Re: IIS Collector
            pfabrizi

            The IIS logs come from 16 different servers and are dropped to a share where the data source is configured to use CIFS file and look in a share for the files. The files all have the same name, just from different servers, so for example all 16 files are named ex0018.log and I have to rename them to something like servername_ex0018.log. The collector only seems to do 1 file at a time and only files named ex*.log; it doesn't ever seem to read the files named server_ex*.log.


            How would tailing these logs help me?

            Is it even possible for the collector\parser to read more than 1 file at a collection interval?

            • 3. Re: IIS Collector
              pfabrizi

              I have configured my local device as an agent and I can see in the logs that the agent is tailing the logs; however the data is not getting retrieved from ESM. Is there any log file that I can look at to see where the failure might be?

              • 4. Re: IIS Collector
                pfabrizi

                I have found the debug logs and I see the agent getting the data.

                But the data is not getting to the ESM as far as I can tell.


                I have my data source set up as:

                Vendor Microsoft

                Data source Model: Internet Information Services

                Data Format: Default

                Data Retrieval: MEF

                Host ID: Match Host ID of the configuration I created in the Windows Agent.


                Need some assistance.


                Thank You!


                • 5. Re: IIS Collector
                  Scott Taschler

                  Have you verified that IIS is logging in the format expected by the IIS parser?


                  Here are a couple of KB articles that describe the expected format:


                  What format must the Microsoft IIS logs be in to be parsed with the SIEM Receiver?

                  http://kc.mcafee.com/corporate/index?page=content&id=KB77344


                  How to configure IIS WebServer as a data source

                  http://kc.mcafee.com/corporate/index?page=content&id=KB74270


                  The latter article discusses sending the logs via syslog, which you can ignore, since it looks like you're using the SIEM collector via MEF. However, the instructions for configuring the log format are valid for your use case.


                  Scott
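
Added example (not posted by anyone in this thread and not McAfee code): a small checker for the format question Scott raises. It parses IIS W3C extended logs using the `#Fields:` directive, drops records whose column count does not match that directive (the kind of line a SIEM parser would misalign on), and reports which columns are missing. The sample log and the `REQUIRED_FIELDS` list are constructed for illustration; the columns the SIEM parser actually expects are in KB77344, not on this page.

```python
"""Parse IIS W3C extended logs and check the #Fields directive against
the columns a downstream log parser needs."""
from typing import Dict, Iterable, List

# Constructed sample in IIS W3C extended format (not a real capture).
# The last data line deliberately has too few columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-09-25 11:53:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-09-25 11:53:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2013-09-25 11:53:02 10.0.0.5 POST /login.aspx - 443 - 192.0.2.11 Mozilla/5.0 401 2 5 30
2013-09-25 11:53:03 10.0.0.5 GET /short.html 200
"""

# Assumed minimum column set for illustration; the vendor KB defines the real one.
REQUIRED_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status"]


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields directive.
    #Software/#Version/#Date lines carry no record data and are skipped;
    a later #Fields line (IIS emits one on rollover) replaces the column map."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()  # IIS writes '+' for spaces inside a value
        if not fields or len(values) != len(fields):
            continue  # column count mismatch: a parser would misalign this
        records.append(dict(zip(fields, values)))
    return records


def missing_fields(lines: Iterable[str], required: List[str] = REQUIRED_FIELDS) -> List[str]:
    """List required columns absent from the first #Fields directive found."""
    for line in lines:
        if line.startswith("#Fields:"):
            present = set(line[len("#Fields:"):].split())
            return [f for f in required if f not in present]
    return list(required)  # no directive at all: nothing can be mapped


if __name__ == "__main__":
    print(len(parse_w3c(SAMPLE_LOG.splitlines())), "records;",
          "missing:", missing_fields(SAMPLE_LOG.splitlines()))
```

Run it against a real ex*.log copied off the share to see whether the `#Fields` line lists every column the parser wants and whether any records are being dropped for column-count mismatches.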