Skip to main content
Skip table of contents

Create an Agent Based Log Source - IIS

Topics Discussed

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays


You can use this document to send IIS logs to Armor's Security Information & Event Management (SIEM).

Configure Your IIS Service

Configuring IIS services uses the Command Line Interface (CLI) feature. For more information, see Security Service CLI Commands.

The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.

Command

Arguments

Result

  • iis-enable


Enables filebeat IIS/apache/nginx. When run, module yml file will change from disabled state to enable state.

  • iis- disable


Disables Filebeat IIS/apache/nginx. When run the module yml file will change from enable state to disable mode.

  • iis-add-access-paths

path1, path2, path3

Includes the argument paths in module yml file under the 'access_paths' section.

  • iis-remove-access-paths

path1, path2, path3

Removes the argument paths in module yml file under the 'access_paths' section.

  • iis-add-error-paths

path1, path2, path3

Includes the argument paths in module yml file under the 'error_paths' section.

  • iis-remove-error-paths

path1, path2, path3

Removes the argument paths in module yml file under the 'error_paths' section. Removes the argument paths in module yml file under the 'error_paths' section.

  • iis-sync-config


The command sync the module yml file on vm with latest changes which are required.

  • iis-describe-config


The command displays current access & error paths which are configured in module yml file.

Command Usage:

CODE 
armor logging iis-enable

armor logging iis-disable

armor logging iis-add-access-paths <required paths needs to add here>

armor logging iis-remove-access-paths <required paths needs to add here>

armor logging iis-add-error-paths <required paths needs to add here>

armor logging iis-remove-error-paths <required paths needs to add here>

armor logging iis-sync-config

armor logging iis-describe-config

Troubleshooting

Verify that logs are formatted correctly, similar to the following example:

CODE 
2020-04-09 08:09:10 203.0.113.80 2094 192.0.2.5 80 HTTP/1.1 GET /qos/file.txt 503 - ConnLimit -
CODE 
2020-04-09 17:45:25 198.51.100.80 58467 192.0.2.5 80 HTTP/1.1 GET / - 1 Client_Reset DefaultAppPool
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close