4 Replies Latest reply on Oct 16, 2015 1:19 AM by streamer

    IIS 7 or 8 Log Parsing Issue

    streamer

      Hello,


      I have a problem parsing logs from IIS 7/8.x. As you know, we were able to parse the log files from IIS 5-6 without any problem. We were able to change the log field order there; however, we can't change it on IIS 7-8. The McAfee recommended format is the following:

      #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

      Since we can't make this change on IIS 7-8, how can I solve this problem? Please let me know if you have any possible solution other than creating a custom parser.


      Best Regards,

        • 1. Re: IIS 7 or 8 Log Parsing Issue
          streamer

          As far as I understand, no one has had problems with the new IIS version log format? Then could you please share your tricks with us.

          • 2. Re: IIS 7 or 8 Log Parsing Issue
            btkarp

            streamer, you are not the only one.

            I am getting 'unknown events' for IIS 8.0 Version 1.0 from my IIS server logs as well.

            The current format we have looks as follows:

            #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken


            I have a ticket open now, waiting to hear back some good news...

            • 3. Re: IIS 7 or 8 Log Parsing Issue
              btkarp

              streamer, after digging all day, I may have found what we need.

              Advanced Logging : The Official Microsoft IIS Site

              Advanced Logging generates completely customizable W3C-standard log files. Site administrators can generate real-time client and server logs and tailor logs to track as many or as few metrics as necessary across multiple log files. Filter out information relevant to a specific purpose. Advanced Logging can create multiple logs per request, with each log containing data relevant to the purpose of the log. Capture quality of service data and audience engagement in separate logs to simplify analysis.


              My guess is this will allow us to select not only which fields are used but also their order.


              I hope this helps!

              • 4. Re: IIS 7 or 8 Log Parsing Issue
                streamer

                Thanks for your effort, btkarp. However, you know that, as always, we have to solve our own problems. I wrote a new parser with a regexp for our IIS 8 log format, as below:

                #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken ClientIP

                RegEx:

                (?<datetime>\d+-\d+-\d+\s\d+:\d+:\d+)\s(?<dstip>(?:\d{1,3}\x2e){3}\d{1,3})\s(?<method>\w+)\s(?<uri>[^\s]*)\s(?<parameter>\-|[^\s]*)\s(?<dstPort>\d+)\s(?<dummy2>\-)\s(?<sIP>(?:\d{1,3}\x2e){3}\d{1,3})\s(?<Agent>\-|[^\s]*)\s(?<Referrer>\-|[^\s]*)\s(?<Response>\d+)\s(?<substatus>\d+)\s(?<win32status>\d+)\s(?<dummybytes>\d+\s\d+)\s(?<timetaken>\d+)\s(?<realSrcIP>\-|(?:\d{1,3}\x2e){3}\d{1,3})

                 

                I know the Advanced Logging plugin and I am already using it on our IIS 6-7; however, I have to create a parser for it as well. Let's face it, the ESM supported products list is poor!
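Added example, not from the thread and not McAfee or Microsoft code: a Python parser that takes the column order from the log's own #Fields directive instead of hard-coding it, which is what makes the IIS 7/8 "can't change the field order" problem go away. It also generates a named-group regex of the kind streamer wrote by hand, again from the header, so the pattern cannot drift out of sync with the log. The #Fields line in the sample is the one btkarp posted; the two request lines beneath it are constructed for this example.

```python
"""Header-driven parser for IIS 7/8 W3C extended log files (added example)."""
import re
from typing import Dict, Iterator, List, Optional, Pattern

# Constructed sample log: the #Fields order is btkarp's; the two request
# lines are made up for this example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2015-10-15 13:45:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-10-15 13:45:10 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) http://intranet.example/ 200 0 0 31
2015-10-15 13:45:12 10.0.0.5 POST /login.aspx user=bob 443 - 192.0.2.11 curl/7.43.0 - 301 0 0 7
"""

# Fields IIS writes as integers whenever they are present.
NUMERIC_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "sc-bytes", "cs-bytes", "time-taken"}


def parse_w3c_log(text: str) -> Iterator[Dict[str, Optional[object]]]:
    """Yield one dict per request line, keyed by the names in #Fields.

    The column order comes from the most recent #Fields directive, so the
    same code handles any field selection or order IIS 7/8 writes.
    A '-' value (IIS's placeholder for "no value") becomes None.
    """
    fields: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive line. IIS re-emits the directives on log rollover,
            # so #Fields may appear more than once; the latest one wins.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError(f"line {lineno}: data line before #Fields directive")
        # W3C values never contain spaces (IIS encodes them as '+'),
        # so a plain split on single spaces is exact.
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        record: Dict[str, Optional[object]] = {}
        for name, raw in zip(fields, values):
            if raw == "-":
                record[name] = None
            elif name in NUMERIC_FIELDS:
                record[name] = int(raw)
            else:
                record[name] = raw
        yield record


def build_regex(fields: List[str]) -> Pattern[str]:
    """Generate a named-group regex for a given #Fields order.

    Group names must be identifiers, so every non-word character in a
    field name is replaced by '_' ('cs(User-Agent)' -> 'cs_User_Agent_').
    """
    parts = []
    for name in fields:
        group = re.sub(r"\W", "_", name)
        parts.append(r"(?P<%s>\S+)" % group)
    return re.compile("^" + " ".join(parts) + "$")


if __name__ == "__main__":
    for rec in parse_w3c_log(SAMPLE_LOG):
        print(rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"],
              rec["sc-status"], rec["time-taken"])
    header = [l for l in SAMPLE_LOG.splitlines() if l.startswith("#Fields:")][0]
    pattern = build_regex(header.split()[1:])
    first_request = SAMPLE_LOG.splitlines()[4]
    print(pattern.pattern)
    print(pattern.match(first_request).group("sc_status"))
```

Because the parser re-reads #Fields whenever it appears, a log whose field list changes mid-file (after an IIS configuration change and rollover) is handled without code changes; a hand-written pattern would silently fail or, worse, shift values into the wrong columns. For the same reason, avoid hard-coding a single value such as one status code into the generated pattern: filter on the parsed record instead.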