WINDOWS IIS LOGS

If you are running an IIS server, hopefully you are operating over HTTPS; otherwise all of these requests could simply be captured with your typical Snort sensor. The IIS logs store every request made to the hosted website, so you will want to monitor these entries for signs of cross-site scripting and SQL injection attempts.

IIS logs are stored in a flat file, so we must configure NXlog to check that file for new entries and forward them to our log server. The default location for the IIS logs is "C:\inetpub\logs\LogFiles\W3SVC1\", and each log file has a name like u_ex431323.log. At the top of every log file there is a header that identifies the software that generated the log, its version, and the date on which the file was created. If you have not installed NXlog yet, please refer to this page. Before we go over the NXlog configuration, we must turn on logging on the IIS server.

Here are the steps to enable IIS logging:

  1. Start IIS manager on the server hosting the website.
  2. In the navigation pane, select the server that is hosting the website, which should be the name of the server.
  3. After the server has been selected, an option that looks like a journal and is labeled "Logging" will appear. Double-click the Logging option.
  4. If logging is currently disabled, there will be an option in the Actions pane on the right-hand side of IIS Manager labeled "Enable Logging"; otherwise the option will be labeled "Disable Logging".
  5. Logging has now been enabled, but there are a few additional settings we will want to make sure are configured:
    1. We will want to make sure that "One log file per:" is currently set to Site.
    2. Verify that the Format is set to "W3C"
    3. The default location of the logs should work, unless you want to store them elsewhere, but the default location should be "%SystemDrive%\inetpub\logs\LogFiles".
    4. Set the Encoding to UTF-8.
    5. Make sure the schedule for "Log File Rollover" is set to Daily.
    6. Depending on whether any of your web servers are hosted in different time zones, you may or may not want to check "Use local time for file naming and rollover".

After logging has been enabled, replace the NXlog configuration file with the one below. Again, a lot of the legwork was already provided at https://gist.github.com/Eagle6705/3d91b2270bf60b7cff12, but a few changes have been made. To go into a bit more detail on the configuration, here are a few points to note (the #1 through #8 comments in the file mark the section each point describes):

  1. Defines the variable ROOT (referenced as %ROOT%) and sets it to the default installation path of NXlog, "C:\Program Files (x86)\nxlog".
  2. Declares the paths for Moduledir, CacheDir, Pidfile, SpoolDir, and LogFile, all referencing %ROOT%.
  3. Enables the GELF (Graylog Extended Log Format) module.
  4. Enables the JSON module.
  5. Defines the extension w3c1, which loads the xm_csv module so NXlog can parse delimited (CSV-style) lines. The extension also declares a field for each column; the field names follow the default column names listed in the header at the top of the IIS logs. A delimiter (a single space) is defined as well, telling the parser how to split each line into columns.
  6. An input module named IIS_In is created, loading the im_file module, which lets NXlog read a file on the local system. The IIS logs are specified as "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\*.*", where the wildcard selects every file in that directory. As noted in the DHCP logs configuration, SavePos and InputType are both at their default values, but we specify them to make clear how NXlog works. The Exec block then does the main work of the input: header lines beginning with # are dropped, every other line is parsed by the w3c1 extension, additional fields such as host name, event time, time, source name, and site name are assigned, and the whole record is converted to JSON.
  7. The output module is instantiated as IIS_Out, and the host name and port number of the remote log server are specified. The om_udp module tells NXlog to send the logs over UDP, and OutputType is set so the logs are sent in GELF format.
  8. Finally, the route is declared with the path IIS_In => IIS_Out so NXlog understands the flow of processing for the logs.

define ROOT C:\Program Files (x86)\nxlog #1

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log #2

<Extension gelf>
    Module  xm_gelf
</Extension> #3

<Extension json>
    Module  xm_json
</Extension> #4

<Extension w3c1>
    Module      xm_csv
    # One field per column, in the order of the #Fields: header of the IIS log.
    # Parentheses are not valid in NXlog field names, so the cs(User-Agent) and
    # cs(Referer) columns are named $cs-User-Agent and $cs-Referer, as in the
    # NXlog documentation's IIS example.
    Fields      $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-User-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    Delimiter   ' '
</Extension> #5

<Input IIS_In>
    Module      im_file
    File        "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\*.*"
    SavePos     True
    InputType   LineBased
    <Exec>
        # IIS writes header lines beginning with '#'; drop them instead of parsing them
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c1->parse_csv();
            $host       = hostname_fqdn();
            # IIS W3C logs are written in UTC, hence the trailing "Z"
            $EventTime  = parsedate($date + " " + $time + "Z");
            $Time       = $time + "Z";
            $SourceName = "IIS";
            $SiteName   = "Default Web Site";
            $Message    = to_json();
        }
    </Exec>
</Input> #6

<Output IIS_Out>
    Module      om_udp
    Host        LOG_SERVER_IP    # replace with the address of your log server
    Port        LOG_SERVER_PORT  # replace with the port your log server listens on
    OutputType  GELF
</Output> #7

<Route 1>
    Path    IIS_In => IIS_Out
</Route> #8

Once the configuration file above has been put in place, restart the NXlog service so it loads the new configuration. You will also want to make sure the log server is listening on whatever port you specified in the configuration, and verify that you are actually receiving logs on the log server.
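To make the Exec block's logic concrete, and to show the kind of monitoring the introduction calls for, here is an added Python example (not part of the original page or of NXlog) that processes a constructed IIS W3C log the same way: it drops the "#" header lines, takes the column names from the "#Fields:" header, stamps each record with a UTC EventTime, and tags requests whose decoded URL matches simple SQL injection or cross-site scripting signatures. The sample log, the signatures, and the function names are all constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Constructed sample of an IIS W3C log (not a real capture); the "#Fields:" header
# names the columns in the order the xm_csv extension in the config expects.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-03-01 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2015-03-01 00:00:02 10.0.0.5 GET /search.aspx q=%27+OR+1%3D1-- 443 - 203.0.113.9 curl/7.40 - 200 0 0 31
2015-03-01 00:00:03 10.0.0.5 GET /comment.aspx text=%3Cscript%3Ealert(1)%3C/script%3E 443 - 203.0.113.9 Mozilla/5.0 - 500 0 0 8
"""

# Minimal signatures for the two request classes the text says to watch for.
SUSPICIOUS = {
    "sqli": re.compile(r"'\s*(or|and)\b|union\s+select|--\s*$", re.I),
    "xss": re.compile(r"<script|javascript:|\bon\w+\s*=", re.I),
}

def parse_iis_w3c(text):
    """Yield one dict per request, mirroring the Exec block: '#' lines are dropped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # column names parse_csv() relies on
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # header not seen yet, or a malformed line
        rec = dict(zip(fields, values))
        # IIS W3C timestamps are UTC, which is why the config appends "Z"
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["EventTime"] = stamp.replace(tzinfo=timezone.utc).isoformat()
        rec["SourceName"] = "IIS"
        yield rec

def flag_suspicious(rec):
    """Decode path and query once and return the names of the matching signatures."""
    target = unquote_plus(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])
    return [name for name, rx in SUSPICIOUS.items() if rx.search(target)]

def analyze(text):
    """Parsed records, each with 'tags' and the JSON body to_json() would produce."""
    out = []
    for rec in parse_iis_w3c(text):
        rec["tags"] = flag_suspicious(rec)
        rec["Message"] = json.dumps(rec, sort_keys=True)
        out.append(rec)
    return out
```

Running analyze(SAMPLE_LOG) tags the second request as sqli and the third as xss; the same decoded-URL matching can be expressed as a Graylog search or alert once the GELF messages arrive.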