4 Replies Latest reply on Jun 9, 2014 2:52 AM by wilson.wang

    duplicated IIS logs

    wilson.wang

      Hi Nitro Team:

       

          I am facing a problem that is very hard to explain. I set up a data source to pull logs from the IIS server. It works and events can be processed properly, but the weird thing is, I have a total of 2 x (HTTP 200 OK) and 4 x (HTTP 404) records in my raw log files, but on NitroView I can see the records have been doubled, which means the SIEM shows there are a total of 4 x HTTP-200 and 8 x HTTP-404.

         Has the SIEM fetched the log file twice? How do I fix this issue?

       

      Cheers

       

      wilson

        • 1. Re: duplicated IIS logs
          psj

          Do you have receivers in HA mode? If yes, then please try to put the secondary receiver in standby mode and then check again after some time. We had a lot of duplicates on AD logs. Putting the secondary receiver in standby mode helps - I know this is not a perfect solution, but it temporarily solves our problem.

          1 of 1 people found this helpful
          • 2. Re: duplicated IIS logs
            wilson.wang

            Hi PSJ:

             

                Thanks for pointing out the possibility, but unfortunately we have only one receiver working in production (standalone deployment).

                 Your idea is definitely valuable to me because we are having another receiver on board later on. In the meantime, I am still looking for other solutions to fix this issue (or at least explain it to the client).

             

            Regards

             

            Wilson

            • 3. Re: duplicated IIS logs
              psj

              Ning, one more thing - how is IIS configured? WMI or flat files?

              1 of 1 people found this helpful
              • 4. Re: duplicated IIS logs
                wilson.wang

                They are configured to log with the w3svc format (flat file), as below:

                 

                #Software: Microsoft Internet Information Services 6.0
                #Version: 1.0
                #Date: 2002-05-02 17:42:15
                #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
                2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
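An added example, not from this thread or from the Nitro product, to separate the two possibilities raised above (duplicate lines already in the file versus the same file collected twice): a small Python parser for the W3C flat-file format shown in the last reply that counts records per sc-status and flags exact duplicate records. The log lines are constructed to match the counts in the question (2 x 200, 4 x 404); the double-ingest simulation and all function names are assumptions made for the example.

```python
from collections import Counter

# Constructed sample in the W3C extended format IIS writes, sized to match
# the question: 2 x HTTP 200 and 4 x HTTP 404 in the raw file.
RAW_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2002-05-02 17:42:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
2002-05-02 17:42:16 172.22.255.255 - 172.30.255.255 80 GET /default.htm - 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
2002-05-02 17:42:17 172.22.255.255 - 172.30.255.255 80 GET /missing1.gif - 404 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
2002-05-02 17:42:18 172.22.255.255 - 172.30.255.255 80 GET /missing2.gif - 404 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
2002-05-02 17:42:19 172.22.255.255 - 172.30.255.255 80 GET /missing3.gif - 404 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
2002-05-02 17:42:20 172.22.255.255 - 172.30.255.255 80 GET /missing4.gif - 404 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
"""


def parse_w3c(text):
    """Yield one dict per data record.

    The #Fields directive names the columns and can be re-issued later in
    the same file (IIS writes a fresh header block on rollover), so it is
    tracked as state instead of being read once at the top.  Values never
    contain spaces (W3C encodes them as '+'), so a plain split is safe.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))


def status_counts(records):
    """Count records per sc-status, the figure compared against the SIEM."""
    return Counter(r["sc-status"] for r in records)


def find_duplicates(records):
    """Return (record, count) for records seen more than once, keyed on every
    field.  A real client retry differs at least in date/time, so an exact
    match across all fields points at the same line being ingested twice."""
    seen = Counter(tuple(sorted(r.items())) for r in records)
    return [(dict(key), n) for key, n in seen.items() if n > 1]


def duplication_ratio(raw_counts, siem_counts):
    """Per status code, how many times the SIEM count exceeds the raw count."""
    return {s: siem_counts[s] / raw_counts[s] for s in raw_counts}


def simulate_double_ingest(text):
    """Model the suspected fault (assumption): the same file collected twice."""
    return list(parse_w3c(text)) + list(parse_w3c(text))


if __name__ == "__main__":
    raw = list(parse_w3c(RAW_LOG))
    siem = simulate_double_ingest(RAW_LOG)
    print("raw file :", dict(status_counts(raw)))
    print("SIEM view:", dict(status_counts(siem)))
    print("ratio    :", duplication_ratio(status_counts(raw), status_counts(siem)))
    for rec, n in find_duplicates(siem):
        print(f"{n}x {rec['date']} {rec['time']} {rec['cs-uri-stem']} {rec['sc-status']}")
```

Run it against a real log file by replacing RAW_LOG with the file's contents: if find_duplicates on the raw records comes back empty while the SIEM counts are exactly double, the file itself is clean and the duplication happens at collection, which is the receiver-side explanation discussed above.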