Add IIS logs
- In Threat Monitor, navigate to Admin > Manage Collectors.
- In the sensors list, select a collector, and then click Edit.
- Click the OSSEC tab.
- Click the Remote Logs tab, and then click Add.
- From the Log Format drop-down list, select iis.
- Change Log Location to D:\inetpub\logs\LogFiles\W3SVC2\u_ex%y%m%d_x.log.
  Update the drive letter and any folder locations to match where the IIS logs are stored on that machine.
- From the Type drop-down list, select Host.
- From the next drop-down list, select the appropriate host, and then click Create.
- To push the changes out to the OSSEC agents, click Restart Required.
- Click the Syslog tab.
- Click the Log Destinations tab, and then click Add.
- In the Destination Setup window, select Both File and Elastic SOC.
- Enter a unique name based on the data source (iis).
  Do not use spaces in the name.
- Enter a file storage location on the collector, select the appropriate plugin (iis), and then click Save.
  The file is typically located in /var/log/<filename>.log, for example /var/log/iis.log. You must specify a log destination for each plugin.
- Click the Filters tab, and then click Add.
- Enter a unique filter name based on the data source (iis).
  The purpose of this filter is to give Threat Monitor a unique string it can match in incoming logs, so it knows which data source each log came from. The best way to choose a filter is to look at the logs that are being sent to the collector and find a string that is unique and specific to that source.
- To set your filter conditions, click Add Row.
- From the Condition drop-down list, select n/a.
- From the Filter drop-down list, select message.
- In the Value field, enter W.SVC.
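To confirm that a filter value actually separates the IIS stream from everything else before you save it, it helps to run it against a few of the messages the collector receives. The script below is an added example and not part of the Threat Monitor documentation or product. It assumes that the filter value is treated as a regular expression (so the "." in W.SVC matches the digit in W3SVC2), that OSSEC forwards each line prefixed with the agent name, IP and the log file location, and that the IIS site uses the default W3C field set; the message lines and the field list are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Filter value from the procedure above, assumed to be matched as a regex.
IIS_FILTER_PATTERN = re.compile(r"W.SVC")

# Assumed OSSEC forwarding layout: "<timestamp> (<agent>) <ip>-><location> <log line>".
OSSEC_LINE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$"
)

# Constructed: the default IIS W3C field list (assumption; check the #Fields:
# header of your own u_ex*.log files and adjust if the site logs differently).
IIS_W3C_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed sample messages: two IIS records (the location path contains
# "W3SVC2") and one unrelated Windows event that the filter must not match.
SAMPLE_MESSAGES = [
    r"2024 Jan 15 10:01:02 (webserver) 10.0.0.5->D:\inetpub\logs\LogFiles\W3SVC2\u_ex240115_x.log "
    "2024-01-15 10:01:02 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 12",
    r"2024 Jan 15 10:01:03 (webserver) 10.0.0.5->D:\inetpub\logs\LogFiles\W3SVC2\u_ex240115_x.log "
    "2024-01-15 10:01:03 10.0.0.5 POST /login.aspx - 443 - 198.51.100.9 Mozilla/5.0 401 0 0 34",
    "2024 Jan 15 10:01:04 (webserver) 10.0.0.5->WinEvtLog "
    "Security: AUDIT_SUCCESS(4624): An account was successfully logged on.",
]


def filter_matches(message: str) -> bool:
    """True if the message would be routed by the 'iis' filter."""
    return IIS_FILTER_PATTERN.search(message) is not None


def split_ossec_message(message: str) -> Optional[Dict[str, str]]:
    """Separate the OSSEC envelope (agent, ip, location) from the raw log line."""
    match = OSSEC_LINE.match(message)
    return match.groupdict() if match else None


def parse_iis_record(raw_log: str, fields: List[str] = IIS_W3C_FIELDS) -> Optional[Dict[str, str]]:
    """Map a space-separated W3C record onto the field names; None if the shape is wrong."""
    tokens = raw_log.split(" ")
    if len(tokens) != len(fields):
        return None
    return dict(zip(fields, tokens))


def route_and_parse(messages: List[str]) -> List[Dict[str, str]]:
    """Apply the filter, then parse only the messages that pass it."""
    records = []
    for message in messages:
        if not filter_matches(message):
            continue
        envelope = split_ossec_message(message)
        if envelope is None:
            continue
        record = parse_iis_record(envelope["log"])
        if record is None:
            continue
        record["location"] = envelope["location"]
        records.append(record)
    return records


def count_status(records: List[Dict[str, str]], status: str) -> int:
    """Count parsed IIS records with the given HTTP status (e.g. failed logins as 401)."""
    return sum(1 for r in records if r.get("sc-status") == status)


if __name__ == "__main__":
    parsed = route_and_parse(SAMPLE_MESSAGES)
    for r in parsed:
        print(r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    print("401 responses:", count_status(parsed, "401"))
```

If the filter matches zero sample messages, or also matches messages from other sources, the value is not specific enough for this collector and should be revised before moving on to the Actions tab.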
- Click the Actions tab, and then click Add.
- Add four rows, and then make the following selections from the Type and Value drop-down lists:
  - Source: ossec
  - Filter: iis
  - Destination: iis (Elastic SOC)
  - Destination: iis (file)
- To save your settings, click Apply changes.
- Click the Data Sources tab.
- Click New Plugin.
- From the Active Plugin list, select iis.
- Click the gear icon next to each Play button under Parser Workers, Storage Workers, and Error Workers, and then click Save.
  This step is required: it creates the queues that process your incoming logs.
- For each queue, click Play.
- Set Parser Workers to 5 and Storage Workers to 10.
- Click Save.