IIS Event Source Parsing

mmur_gt4e · August 22, 2023, 9:00am

Hi there!

I´ve been testing the “new” IIS Event Source integration, and I´ve realised that the order indicated by Rapid7 for the fields of the logs, doesn´t match the default of IIS in W3C Format.

w3c
insightidrorder

This means that the parsing is being performed incorrectly.
I attach some evidences.
II3

I´d appreciate any help!

Thank you all in advance.

Best Regards!

cyberpunk · May 14, 2024, 7:08pm

@mmur_gt4e Did you get this issue resolved? I have also set up an IIS Event source and is not getting parsed. Let me know if you ended up creating a ticket to have it resolved or anything. Thanks!

randy_s · May 14, 2024, 7:48pm

I had a similar issue with my IIS event sources, opened a case with support and it was resolved shortly after.

cyberpunk · May 14, 2024, 8:03pm

Do you mind sharing what was done to resolve the issue? @randy_s

randy_s · May 15, 2024, 12:55pm

My case was sent over to the engineering team, so to be honest I have no idea what was done, If its still an issue I would open a case to have them take a look.

cyberpunk · May 15, 2024, 1:17pm

Thank you. I will put in a ticket now. What sort of parsing applies to the IIS logs?

randy_s · May 15, 2024, 3:35pm

Webserver Access stuffs, here are the keys you can expect to see.

cyberpunk · May 16, 2024, 2:48pm

I have the keys but I was thinking they will get parsed as stated in the documentation. I set up this IIS not long ago and I have the keys you have above but they are not getting parsed.

IIS

hannah_coakley · May 16, 2024, 2:56pm

@cyberpunk can you send over what you’re getting in log search? If nothing is showing up you can select the “Send any data that is not currently processed by InsightIDR to log search as raw logs.” checkbox. That ensures that logs make it to log search even if they’re not getting parsed. If you start getting logs then, you know that they are in the wrong format and can compare to what the expected is. You can post back here and I can take a look

cyberpunk · May 16, 2024, 4:16pm

@hannah_coakley I have logs in raw logs and log search. I will put in a ticket and attached log sample

mmur_gt4e · May 17, 2024, 6:27am

Hey, not at all, finally I parsed it as I wanted and have them as raw logs… sadly.

cyberpunk · June 18, 2024, 6:47pm

Is there a way to send the logs to a shared folder instead of the local directory which is the inetpub?
I have many IIS servers and I want to push the logs to one shared directory and set up one event source to watch that directory. I created the share and everything but the IIS is unable to write the logs to it. I manually added a file to the share and was able to read and write so its not like a permission issue.