3 Replies Latest reply on Jun 15, 2016 11:50 AM by sriniraula

    IIS Logging Issue - Not Sending Properly

    anton2016

      This is an example of a line from my raw log file:

      2016-06-10 18:37:04 W3SVC7 <snip> <snip> GET /v1/Carrier/EL/Skins/Producer/Forms/Top/Footer_L.gif - 443 - 66.222.193.37 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.84+Safari/537.36 ASP.NET_SessionId=vxikp1x1edzphnzpgdhbh3kc;+XYZ=1;+XYZ_Legacy=1;+__utmt=1;+<snip>=E46EFC511E84EC3CD3F5F5EC2D857300A5A9E584CE714D03C1C5CA50D9BC0B32DCCD0B4DA415F33E58DE03D6A73226FF4B9EEFCD496B34C796A51E233E9EF2E646D27EB580553CC402C0F7C910F23CAFC7B02D37E7F0D29C44CB2A5948BADB6173B2F1CCA73DD10D8C65674CEDCD4EA2EFE4C114659C08B71AD60B901B5ADEFB662022F24EBEF5B<snip>1CC536A4B1BA35277699EA1F71DEA2276455EBFFFE257C9B6D91C1FE228CB2F3B83FA354E93C59B333780961C255685445E0C;+__utma=36809652.120754785.1424726715.1465531765.1465582847.160;+__utmb=36809652.35.10.1465582847;+__utmc=36809652;+__utmz=36809652.1465582847.160.120.utmcsr=*.ca|utmccn=(referral)|utmcmd=referral|utmcct=/;+Language=en https://www.**.ca/v1/Modules/PlanAdmin/Pages/Division.aspx www.e<snip> 304 0 0 325 2181 124

      (I snipped the sensitive stuff)

      and this is what the SIEM Collector Utility ships off to the SIEM [different request, but from the same log file and site]:

      2016-06-03 17:12:57 <snip> GET /cms/media/8703/lifeworks.jpg - 443 - 24.157.67.103 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 200 0 0 140

      - These two sites are on the same server with the same logging configuration; the raw log files have the proper fields, but for some reason the SIEM Collector does not send the top log properly.

      For example, here is an entry for the site that DOES work:

      2016-06-10 18:11:08 W3SVC2 E**********6 10.*.*.*POST /Novus.asmx - 8443 - 67.21.241.11 HTTP/1.1 SOAP::Lite/Perl/0.710.08 - - <snip>:8443 200 0 0 3093 835 140

      This one includes the proper fields and gets parsed properly - the top one does not.

      I do see these events in the streaming events view, so it's not an issue with communication. Does anyone know why the SIEM Collector Utility is stripping out some data from the original log file?

        • 1. Re: IIS Logging Issue - Not Sending Properly
          btkarp

          Check your IIS log configuration and ensure that all the boxes are checked. The parser will only work properly if you have all the boxes in the logging options checked. Also, are you running any Advanced IIS log collection? That may have an effect on what the IIS Parser is expecting to see.
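The two raw lines in the question and the "all the boxes checked" advice in the reply above come down to one property of the IIS W3C log format: it is self-describing. The column layout is declared by the `#Fields:` directive at the top of each log file and differs from site to site depending on which fields are enabled, so a parser that assumes a fixed layout silently misreads or drops columns when a site logs a different set. The following Python script is an added example, not code from this thread or from McAfee; it parses entries by the `#Fields:` directive rather than by position and reports which fields a downstream parser would find missing. The two log excerpts, host names, IP addresses and cookie values are constructed placeholders, and `EXPECTED_FIELDS` is an assumed list standing in for whatever the collector's IIS parser actually requires.

```python
"""Parse IIS W3C extended log text by its #Fields directive and report
which fields an expected layout is missing.  All sample data below is
constructed for this example; EXPECTED_FIELDS is an assumption, not the
documented requirement of any particular SIEM parser."""

# Constructed sample: site A has every IIS logging field enabled.
SITE_A_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2016-06-10 18:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-06-10 18:37:04 W3SVC7 WEBSRV01 192.0.2.10 GET /v1/Forms/Top/Footer_L.gif - 443 - 198.51.100.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) ASP.NET_SessionId=EXAMPLE;+Language=en https://www.example.ca/v1/Pages/Division.aspx www.example.ca 304 0 0 325 2181 124
"""

# Constructed sample: site B on the same server logs a reduced field set,
# which is what a line with "missing" columns looks like at the source.
SITE_B_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2016-06-03 17:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-06-03 17:12:57 192.0.2.10 GET /cms/media/8703/lifeworks.jpg - 443 - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 140
"""

# Assumed: the full set of IIS W3C fields a strict parser might expect when
# "all the boxes" are checked in the IIS logging dialog.
EXPECTED_FIELDS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken",
]


def parse_w3c(text):
    """Return (fields, entries): the field names declared by the last
    #Fields directive seen, and one dict per data line keyed by them.

    IIS separates columns with a single space and replaces spaces inside a
    value with '+', so splitting on whitespace is safe.  A data line whose
    column count disagrees with the directive is a parse error, not
    something to guess at."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only #Fields carries layout; #Software/#Version/#Date are informational.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"expected {len(fields)} columns per #Fields, got {len(values)}: {line!r}"
            )
        entries.append(dict(zip(fields, values)))
    return fields, entries


def missing_fields(fields, expected=EXPECTED_FIELDS):
    """List the expected field names absent from a log's #Fields directive,
    in expected order.  An empty list means the layout is complete."""
    present = set(fields or [])
    return [name for name in expected if name not in present]


if __name__ == "__main__":
    for label, text in (("site A", SITE_A_LOG), ("site B", SITE_B_LOG)):
        fields, entries = parse_w3c(text)
        print(f"{label}: {len(fields)} fields, {len(entries)} entries")
        for entry in entries:
            print("  ", entry["c-ip"], entry["cs-method"], entry["cs-uri-stem"], entry["sc-status"])
        gap = missing_fields(fields)
        print("   missing:", ", ".join(gap) if gap else "none")
```

Run against a real `u_ex*.log`, the `missing_fields` output is the concrete version of "check that all the boxes are checked": it names exactly which columns a site is not writing, and a difference between two sites on the same server shows up as two different `#Fields` lines rather than as a collector fault. The column-count check in `parse_w3c` is deliberate; the alternative, padding or truncating to a fixed layout, is how status codes and client IPs end up in the wrong column downstream.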

          • 2. Re: IIS Logging Issue - Not Sending Properly
            anton2016

            Yep, all the fields were enabled - it was one server with two sites, both sites had all fields enabled, but only one of the sites was working properly. The issue seemed to have corrected itself, although the parser ignores the session token. Maybe this is by design. I wish I knew what the issue was, but I'm just happy it's working. I'd be happy to provide some screenshots if anyone is running into the same issues. The SIEM collector utility is not my favourite.

            • 3. Re: IIS Logging Issue - Not Sending Properly
              sriniraula

              Solution 1. If you are not using the SIEM log collector, telnet between both systems (IIS to receiver and receiver to IIS) on the log sending and receiving port, and check the WMI logs as well. If WMI logs are properly received on the Receiver, there is a problem with the IIS log forwarder. If WMI logs are also not received on the ERC, remove the existing data source from ESM, add a Windows data source, and check it on the receiver.

              In my experience I have faced some issues without the log collector, so I recommend the SIEM log collector to you.

              Solution 2: SIEM log collector verification:

              >> Go to the IIS machine >> open the McAfee SIEM Collector Management Utility

              >> Check whether your Receiver IP address is properly connected or not; see the screenshot: epo.JPG

              If the receiver is not connected, ESM cannot display IIS logs on the SIEM Dashboard.