
Microsoft IIS Integration Guide

This guide provides configuration instructions for Microsoft Internet Information Services (IIS) logging so that the logs can be transmitted for security monitoring by a supported agent. Supported agents are listed under Connect Microsoft Windows Event Log.

The Secureworks® Taegis™ XDR On-Premises Data Collector accepts logs in the Snare over Syslog format.

Connectivity Requirements

Source            Destination                        Port/Protocol
Windows Server    Taegis™ XDR Collector (mgmt IP)    UDP/514

Data Provided from Integration

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
Microsoft IIS HTTP

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Logging Configuration Instructions

Logging configuration depends on the version of Microsoft IIS you are running.

Important

The data source must be configured to report timestamps as UTC to ensure that XDR reports the correct time zone.

Note

NXLog Community Edition (CE) does not support converting the timestamp to UTC. If that is required, a different product such as NXLog Enterprise Edition is required.

Configuring Microsoft IIS Logging

Note

These steps support Microsoft IIS 8.5 and later.

  1. From your Windows machine, open Administrative Tools > Internet Information Services (IIS) Manager.
  2. Within the IIS management console, select the IIS Web Site you are configuring.
  3. Select Logging.

    Select Logging from IIS Server Properties

  4. Select the following fields:

    • Date
    • Time
    • Client IP Address
    • User Name
    • Service Name
    • Server Name
    • Server IP Address
    • Server Port
    • Method
    • URI Stem
    • URI Query
    • Protocol Status
    • Protocol Substatus
    • Win32 Status
    • Bytes Sent
    • Bytes Received
    • Time Taken
    • Host
    • User Agent
    • Referrer

    Required Fields

  5. Select Add Field to configure the X-Forwarded-For custom field:

    • Field Name — X-Forwarded-For
    • Source Type — Request Header
    • Source — X-Forwarded-For

    Custom Field

  6. Select OK.

  7. Apply changes by selecting Apply from Actions.

    Apply Changes

Configuring Syslog Forwarding

Note

Sending IIS logs to XDR requires a third-party agent that can send those logs via Snare over Syslog format.

Configuring Snare

  1. Navigate to the Enterprise Agent for Windows web interface, available at http://<ip-address>:6161.
  2. From the left-hand menu, select Log Configuration.

    Add Snare Log Configuration

  3. Select Add to add a Snare Log Configuration monitor:

    • Log Type — MS IIS Logs
    • Multi-Line Format — Single line only
    • Log File or Directory — C:\inetpub\logs\LogFiles\W3C\W3SVC<siteIDnumber>\

    Note

    A Log Configuration monitor is required for each W3SVC site ID because Snare does not support wildcards in directory names; if you run three websites, you need three configurations, for the W3SVC1, W3SVC2, and W3SVC3 directories respectively. If your logs are located elsewhere, use the proper path in your IIS log configuration.

    • Log Name Format — u_ex%_x.log
    • All matching files

    Snare Log Configuration

  4. Select Change Configuration.

  5. Add as many more monitors as necessary, based on how many site IDs you have.
  6. On the left-hand menu, select Apply Configuration & Restart Service.

    Apply Configuration.

Configuring NXLog

  1. Modify the following configuration to reflect the log file path for your environment, if it is not the default, and the FQDN or IP address of your XDR Collector.
  2. Under the Input stanza, change the File path if your IIS logs are not stored in the default location.
  3. Under the Output stanza, modify the Host value to the FQDN or IP address of your XDR Collector. If you prefer to use UDP, change Module to om_udp and Port to 514.

    ## Please set ROOT to the folder NXLog is installed in.
    ## - if 64-bit NXLog is used, keep the "C:\Program Files\nxlog" lines active and leave the x86 lines commented out (#)
    define ROOT C:\Program Files\nxlog
    define ROOT_STRING C:\Program Files\nxlog
    ## - if 32-bit NXLog is used, comment out (#) the "C:\Program Files\nxlog" lines and uncomment the x86 lines
    #define ROOT C:\Program Files (x86)\nxlog
    #define ROOT_STRING C:\Program Files (x86)\nxlog
    define LOGFILE %ROOT%\data\nxlog.log

    ## Placeholders used by the Output stanza: replace with your XDR Collector's FQDN or IP address,
    ## the port it listens on, and the directory that holds your certificate files.
    define XDR <xdr-collector-fqdn-or-ip>
    define PORT <xdr-collector-port>
    define CERTDIR %ROOT%\cert

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %LOGFILE%

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input W3SVCIN>
        Module im_file
        ## With Recursive TRUE, every directory under LogFiles (W3SVC1, W3SVC2, ...) is monitored for u_ex*.log
        File 'C:\inetpub\logs\LogFiles\u_ex*.log'
        SavePos TRUE
        Recursive TRUE
        ReadFromLast TRUE
        PollInterval 1
        ## Drop the W3C directive lines (#Software, #Fields, ...) and tag the real log entries
        Exec if $raw_event =~ /^#/ drop();           \
             else                                    \
             {                                       \
                 $Hostname = hostname_fqdn();        \
                 $SourceName = "IISWebLog";          \
                 $Message = $raw_event;              \
             }
    </Input>

    <Output W3SVCOUT>
        ## Exactly one Module line may be active. TLS (om_ssl) is enabled below; for plain TCP use om_tcp,
        ## or for UDP use om_udp with Port 514, and remove the certificate directives in either case.
        #Module      om_udp
        #Module      om_tcp
        ## Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
        Module       om_ssl
        Host         %XDR%
        Port         %PORT%
        CAFile       %CERTDIR%\CA.cer
        CertFile     %CERTDIR%\winhost.cer
        CertKeyFile  %CERTDIR%\winhost.key
        AllowUntrusted FALSE

        ## Create our RFC 3164 compliant syslog line and transmit on local5.info
        Exec $SyslogFacilityValue = 21; $Hostname = hostname_fqdn(); $Severity = 'INFO'; to_syslog_bsd();
    </Output>

    <Route 1>
        Path W3SVCIN => W3SVCOUT
    </Route>
    
  4. Place the config contents in a file on the desktop called nxlog.conf.

  5. Make a backup of your existing C:\Program Files (x86)\NXLog\conf\nxlog.conf file.
  6. Replace the C:\Program Files (x86)\NXLog\conf\nxlog.conf file with the new one on the desktop.
  7. Restart the NXLog service.
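As an added example (not part of this guide, and not NXLog's or Snare's own code), the following Python reads an IIS W3C log, checks its #Fields header against the fields required in steps 4 and 5 of the IIS logging section, and renders each data row the way the NXLog configuration above does: directive lines dropped, RFC 3164 line on local5.info with the IISWebLog tag and the FQDN as hostname. The mapping from IIS Manager field labels to W3C column names is mine, and the sample log is constructed.

```python
from datetime import datetime

# W3C column names for the IIS Manager labels listed in step 4, plus the
# X-Forwarded-For custom field from step 5 (logged under its Field Name).
REQUIRED_FIELDS = {
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken", "cs-host", "cs(User-Agent)", "cs(Referer)", "X-Forwarded-For",
}
FACILITY_LOCAL5, SEVERITY_INFO = 21, 6   # values set in the NXLog Output Exec

def split_w3c(lines):
    """Return (field names, data rows); '#' directive lines are dropped,
    mirroring the `if $raw_event =~ /^#/ drop()` rule in the Input stanza."""
    fields, rows = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(line)
    return fields, rows

def missing_fields(lines):
    """Required fields that the log's #Fields header does not carry."""
    fields, _ = split_w3c(lines)
    return sorted(REQUIRED_FIELDS - set(fields))

def to_syslog_bsd(lines, hostname, tag="IISWebLog"):
    """Wrap each data row as NXLog's to_syslog_bsd() does: PRI, timestamp,
    FQDN, SourceName tag, then the untouched W3C row as the message."""
    fields, rows = split_w3c(lines)
    pri = FACILITY_LOCAL5 * 8 + SEVERITY_INFO          # <174> = local5.info
    out = []
    for row in rows:
        rec = dict(zip(fields, row.split(" ")))
        # IIS W3C logs record date/time in UTC, which the guide's timestamp note requires.
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # BSD day-of-month is space-padded
        out.append(f"<{pri}>{stamp} {hostname} {tag}: {row}")
    return out

# Constructed sample log (not real traffic): directive lines plus one request.
SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-Forwarded-For
2024-05-01 12:00:01 W3SVC1 WEB01 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 - www.example.test 200 0 0 1532 611 15 198.51.100.9
""".splitlines()
```

Run missing_fields() against a log from each W3SVC directory after applying the IIS settings; a non-empty result means a field the detections expect is not being written.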