Microsoft Internet Information Services (IIS)


McAfee Enterprise Security Manager
Data Source Configuration Guide
Data Source: Microsoft Internet Information Services (IIS)
September 30, 2014
Microsoft IIS Page 1 of 11

Important Note: The information contained in this document is confidential and proprietary. Please do not redistribute without permission.

Table of Contents

1 Introduction
2 Prerequisites
3 Specific Data Source Configuration Details
  3.1 Microsoft IIS Configuration
  3.2 McAfee Receiver Configuration
4 Data Source Event to McAfee Field Mappings
  4.1 Log Format
  4.2 Log Sample
  4.3 Mappings
5 Appendix A - Generic Syslog Configuration Details
6 Appendix B - Troubleshooting

1 Introduction

This guide details how to configure Microsoft IIS logging, and the McAfee SIEM Collector that forwards it, so that IIS log data reaches the ESM in the proper format. IIS has no syslog service of its own: the log files are written to disk and the collector tails them and sends the events to the Receiver.

2 Prerequisites

McAfee Enterprise Security Manager version 9.2.0 or later. Administrative access to the IIS server and to the ESM console is required to perform the changes documented below.

3 Specific Data Source Configuration Details

3.1 Microsoft IIS Configuration

1. Open the Internet Information Services (IIS) Manager (found in Administrative Tools within the Control Panel).
2. Select the Logging feature for the server or the site to be monitored.
3. Select the desired log format. W3C is the default; the IIS and NCSA formats are also supported. If you use the W3C format, every field must be checked: the ESM parser expects the full field list given in section 4.1, and a log written with the IIS default subset will not map correctly. Note that IIS writes W3C timestamps in UTC, whereas the IIS and NCSA formats use the server's local time; this matters for the Time Zone setting in section 3.2.
4. Take note of the directory the logs are saved to (or change the location if desired); the collector will need read access to it.
5. Finish the logging setup by configuring the MFE SIEM Collector to tail the IIS log files in that directory and send them to the Receiver.
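A way to verify steps 3 and 4 without clicking through IIS Manager on every site, as an added example that is not part of the McAfee guide: the script below reads the IIS configuration store (applicationHost.config), resolves each site's effective logFile settings (site-level attributes override siteDefaults), and reports any site whose logging is disabled, whose format is not one of the three the ESM parses, or whose W3C field set is missing any of the 22 fields listed in section 4.1. The element layout (system.applicationHost/sites/site/logFile with siteDefaults/logFile) and the logExtFileFlags names are the IIS 7+ schema as the author knows it, and the schema default field set used when the attribute is absent is likewise an assumption; check both against your own file. The embedded configuration is a constructed sample.

```python
"""Audit IIS site logging settings against what the ESM IIS parser expects.

Added example, not from the McAfee guide. Assumptions: IIS 7+ applicationHost.config
schema (system.applicationHost/sites/site/logFile, siteDefaults/logFile supplying
inherited attributes) and the IIS spelling of logExtFileFlags. The real file lives at
%SystemRoot%\\System32\\inetsrv\\config\\applicationHost.config.
"""
import sys
import xml.etree.ElementTree as ET

# The 22 W3C fields of section 4.1 in logExtFileFlags spelling (assumed IIS names).
REQUIRED_FLAGS = {
    "Date", "Time", "SiteName", "ComputerName", "ServerIP", "Method", "UriStem",
    "UriQuery", "ServerPort", "UserName", "ClientIP", "ProtocolVersion",
    "UserAgent", "Cookie", "Referer", "Host", "HttpStatus", "HttpSubStatus",
    "Win32Status", "BytesSent", "BytesRecv", "TimeTaken",
}
# Field set IIS uses when logExtFileFlags is absent (assumed schema default).
DEFAULT_FLAGS = ("Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, "
                 "HttpStatus, Win32Status, ServerPort, UserAgent, HttpSubStatus, Referer")
SUPPORTED_FORMATS = {"W3C", "IIS", "NCSA"}  # the three formats the guide parses


def parse_flags(value):
    """'Date, Time, ClientIP' -> {'Date', 'Time', 'ClientIP'}."""
    return {f.strip() for f in value.split(",") if f.strip()}


def audit_logging(config_xml):
    """Return {site name: {enabled, format, directory, missing_fields, ok}}."""
    root = ET.fromstring(config_xml)
    sites = next(root.iter("sites"))
    defaults = {}
    site_defaults = sites.find("siteDefaults/logFile")
    if site_defaults is not None:
        defaults = dict(site_defaults.attrib)
    report = {}
    for site in sites.findall("site"):
        effective = dict(defaults)                 # siteDefaults first ...
        log_file = site.find("logFile")
        if log_file is not None:
            effective.update(log_file.attrib)      # ... overridden per site
        enabled = effective.get("enabled", "true").lower() == "true"
        fmt = effective.get("logFormat", "W3C")
        flags = parse_flags(effective.get("logExtFileFlags", DEFAULT_FLAGS))
        # Only W3C has a selectable field set; IIS and NCSA are fixed layouts.
        missing = sorted(REQUIRED_FLAGS - flags) if fmt == "W3C" else []
        report[site.get("name")] = {
            "enabled": enabled,
            "format": fmt,
            "directory": effective.get("directory"),
            "missing_fields": missing,
            "ok": enabled and fmt in SUPPORTED_FORMATS and not missing,
        }
    return report


# Constructed sample: one site left on the IIS default field subset, one with
# logging switched off, one inheriting the fully enabled siteDefaults.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <logFile logFormat="W3C" logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, ServerPort, UserAgent, HttpSubStatus, Referer" />
      </site>
      <site name="Intranet" id="2">
        <logFile enabled="false" />
      </site>
      <site name="Extranet" id="3" />
      <siteDefaults>
        <logFile logFormat="W3C" directory="%SystemDrive%\\inetpub\\logs\\LogFiles"
                 logExtFileFlags="Date, Time, SiteName, ComputerName, ServerIP, Method, UriStem, UriQuery, ServerPort, UserName, ClientIP, ProtocolVersion, UserAgent, Cookie, Referer, Host, HttpStatus, HttpSubStatus, Win32Status, BytesSent, BytesRecv, TimeTaken" />
      </siteDefaults>
    </sites>
  </system.applicationHost>
</configuration>
"""

if __name__ == "__main__":
    # Pass the path to applicationHost.config to audit a real server; the
    # embedded sample is used when no path is given.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8-sig").read() if path else SAMPLE_CONFIG
    for name, r in audit_logging(xml_text).items():
        state = "OK " if r["ok"] else "FIX"
        print(f"{state} {name}: enabled={r['enabled']} format={r['format']} "
              f"dir={r['directory']} missing={r['missing_fields']}")
```

Run it with the path to applicationHost.config on the web server (the file is readable only by administrators, which matches the prerequisite in section 2). A site reported as FIX with missing fields is the case the guide warns about in step 3: the W3C log will be written with fewer columns than the parser expects.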

3.2 McAfee Receiver Configuration

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select Data Sources.
4. Select Add Data Source.

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the Add Data Source icon.

Data Source Screen Settings

1. Data Source Vendor: Microsoft
2. Data Source Model: Internet Information Services (ASP)
3. Data Format: Default
4. Data Retrieval: MEF
5. Enabled: Parsing/Logging/SNMP Trap: <Defaults>
6. Name: Name of data source
7. IP Address/Hostname: The IP address and host name associated with the data source device.
8. Support Generic Syslogs: Do nothing
9. Time Zone: Time zone of the data being sent.

Note: Refer to Appendix A for details on the Data Source Screen options.

4 Data Source Event to McAfee Field Mappings

4.1 Log Format

The expected formats for this device are as follows:

W3C (space separated, all fields enabled):
date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(user-agent) cs(cookie) cs(referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

NCSA (Common Log Format):
Remote_host_address Remote_log_name User_name [Date/time Greenwich mean time (GMT) offset] "Request and protocol version" Service_status_code Bytes_sent

IIS (comma separated, with a trailing comma):
Client_IP_address, User_name, Date, Time, Service_and_instance, Server_name, Server_IP, Time_taken, Client_bytes_sent, Server_bytes_sent, Service_status_code, Windows_status_code, Request_type, Target_of_operation, Parameters,

4.2 Log Sample

The following are samples of possible logs from the Microsoft IIS device:

W3C:
2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) - - 127.0.0.1 404 4 2 109 398 2

NCSA:
172.21.13.45 - Microsoft\fred [08/Apr/2001:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401

IIS:
172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,

4.3 Mappings

The tables below show the mappings between the data source and McAfee ESM fields.

W3C Log Fields                        McAfee ESM Fields
Date, Time (two fields)               FirstTime, LastTime
s-ip                                  Destination IP
cs-method                             Command
cs-uri-stem                           Object
s-port                                Destination Port
cs-username (domain section)          Domain
cs-username                           Source User
c-ip                                  Source IP
cs(user-agent)                        Application
cs-host                               Hostname
sc-status                             sid
sc-status (first number)              Action

IIS Log Fields                        McAfee ESM Fields
Client IP                             Source IP
User name                             Source User
Date, Time (two fields)               FirstTime, LastTime
Server Name                           Hostname
Server IP                             Destination IP
Client bytes sent                     Bytes_from_Client
Server bytes sent                     Bytes_from_Server
Service Status Code                   sid
Service Status Code (first number)    action
Request Type                          Command
Target of Operation                   Object

NCSA Log Fields                                   McAfee ESM Fields
Remote Host Address                               Source IP
User name                                         Source User
Date, Time (two fields)                           FirstTime, LastTime
Request and protocol version (first part)         Command
Request and protocol version (second part)        Object
Request and protocol version (third part)         Protocol
Service Status Code                               sid
Service Status Code (first number)                action
Bytes Sent                                        Bytes_Sent
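The three formats of section 4.1, their samples in 4.2 and the mappings in 4.3 are easiest to check with a parser that produces the ESM field names directly, so here is one as an added example (not the McAfee guide's code, and not the ESM parser itself). It handles the W3C format by reading the #Fields header rather than assuming column positions, and rejects a log that was written with fewer than the 22 fields the guide requires; the NCSA line is parsed with its embedded UTC offset; the native IIS format has no offset, so the caller supplies the server's time zone, which is exactly the Appendix B failure mode. The three sample lines are the guide's (reconstructed), the #Fields header and the second W3C line are constructed, and the time-zone conventions (W3C in UTC, IIS native in local time) are the author's assumption about IIS, not a statement from the guide.

```python
"""Map IIS W3C, NCSA and native IIS log lines to the McAfee ESM fields of section 4.3.

Added example, not from the McAfee guide. Assumptions: IIS writes W3C timestamps
in UTC, the native IIS format in local server time; NCSA carries its own offset.
"""
import re
from datetime import datetime, timezone, timedelta

# The 22 W3C fields the guide lists (section 4.1), lower-cased for comparison.
REQUIRED_W3C = set(("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
                    "cs-uri-query s-port cs-username c-ip cs-version cs(user-agent) "
                    "cs(cookie) cs(referer) cs-host sc-status sc-substatus "
                    "sc-win32-status sc-bytes cs-bytes time-taken").split())


def fixed_offset(hours):
    """Time zone for the native IIS format, e.g. fixed_offset(-5) for US Eastern (winter)."""
    return timezone(timedelta(hours=hours))


def split_user(value):
    """'CORP\\alice' -> ('CORP', 'CORP\\alice'); '-' (anonymous) -> (None, None)."""
    if value == "-":
        return None, None
    return (value.split("\\", 1)[0] if "\\" in value else None), value


def action_class(status):
    """ESM 'Action' is the first digit of the status code (2xx, 3xx, 4xx, 5xx)."""
    return status[0]


def parse_w3c(text):
    """Yield one ESM-field dict per W3C entry, locating columns via the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.lower() for f in line.split()[1:]]
            missing = REQUIRED_W3C - set(fields)
            if missing:                      # log written with fields unchecked
                raise ValueError("W3C log is missing fields: %s" % sorted(missing))
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        tokens = line.split()                # IIS encodes spaces inside values as '+'
        if len(tokens) != len(fields):
            raise ValueError("expected %d fields, got %d" % (len(fields), len(tokens)))
        rec = dict(zip(fields, tokens))
        when = datetime.strptime(rec["date"] + " " + rec["time"],
                                 "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        domain, user = split_user(rec["cs-username"])
        yield {"FirstTime": when, "LastTime": when,
               "Destination IP": rec["s-ip"], "Command": rec["cs-method"],
               "Object": rec["cs-uri-stem"], "Destination Port": int(rec["s-port"]),
               "Domain": domain, "Source User": user, "Source IP": rec["c-ip"],
               "Application": rec["cs(user-agent)"], "Hostname": rec["cs-host"],
               "sid": int(rec["sc-status"]), "Action": action_class(rec["sc-status"])}


NCSA_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_ncsa(line):
    """NCSA Common Log Format: the request string splits into Command, Object, Protocol."""
    m = NCSA_RE.match(line)
    if not m:
        raise ValueError("not an NCSA log line: %r" % line)
    host, _ident, user, stamp, request, status, sent = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")   # offset is in the line
    command, obj, proto = (request.split(" ") + [None, None])[:3]
    return {"FirstTime": when, "LastTime": when, "Source IP": host,
            "Source User": None if user == "-" else user,
            "Command": command, "Object": obj, "Protocol": proto,
            "sid": int(status), "Action": action_class(status),
            "Bytes_Sent": 0 if sent == "-" else int(sent)}


def parse_iis(line, local_tz):
    """Native IIS format: 15 comma-separated fields, local time, trailing comma.
    local_tz must match the data source Time Zone setting or events land hours
    in the future (Appendix B)."""
    tokens = [t.strip() for t in line.split(",")]
    if tokens and tokens[-1] == "":
        tokens.pop()
    if len(tokens) != 15:
        raise ValueError("expected 15 IIS fields, got %d" % len(tokens))
    (client_ip, user, date, time_, _service, server, server_ip, _taken, c_bytes,
     s_bytes, status, _win32, request, target, _params) = tokens
    when = datetime.strptime(date + " " + time_, "%m/%d/%y %H:%M:%S").replace(tzinfo=local_tz)
    return {"FirstTime": when, "LastTime": when, "Source IP": client_ip,
            "Source User": None if user == "-" else user, "Hostname": server,
            "Destination IP": server_ip, "Bytes_from_Client": int(c_bytes),
            "Bytes_from_Server": int(s_bytes), "sid": int(status),
            "Action": action_class(status), "Command": request, "Object": target}


# Samples: the guide's lines from section 4.2; the #Fields header and the
# second W3C line (an authenticated POST) are constructed.
W3C_SAMPLE = """#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) - - 127.0.0.1 404 4 2 109 398 2
2011-04-14 14:59:01 MS_ISS_1 name 127.0.0.1 POST /login.aspx - 443 CORP\\alice 10.0.0.7 HTTP/1.1 curl/7.29.0 - - www.example.com 200 0 0 512 1024 15
"""
NCSA_SAMPLE = ('172.21.13.45 - Microsoft\\fred [08/Apr/2001:17:39:04 -0800] '
               '"GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401')
IIS_SAMPLE = ("172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, "
              "172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,")

if __name__ == "__main__":
    for event in parse_w3c(W3C_SAMPLE):
        print(event)
    print(parse_ncsa(NCSA_SAMPLE))
    print(parse_iis(IIS_SAMPLE, fixed_offset(-5)))   # assumed server time zone
```

The W3C sample resolves to sid 404 with Action "4" and no Source User (the "-" means anonymous), which is what the mapping table predicts. Feeding a W3C file whose #Fields header lacks any of the 22 fields raises immediately instead of silently shifting columns, which is the practical reason behind the "all fields must be checked" instruction in section 3.1.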

5 Appendix A - Generic Syslog Configuration Details

Once you select the option to add a data source, you are taken to the Add Data Source menu. The general options for adding a data source are shown. As you select different options, additional parameters may show. Each of these parameters is examined in more detail below.

1. Use System Profiles: System Profiles are a way to reuse settings that are repetitive in nature without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor: List of all supported vendors.
3. Data Source Model: List of supported products for a vendor.
4. Data Format: The format the data is in. Options are Default, CEF, and MEF. Note: if you choose CEF it will enable the generic rule for CEF and may not parse data source-specific details.
5. Data Retrieval: Selects how the Receiver is going to collect the data. Default is over syslog.
6. Enabled: Parsing/Logging/SNMP Trap: Enables parsing of the data source, logging of the data source, and reception of SNMP traps from the data source. If no option is checked, the settings are saved to the ESM but not written to the Receiver or utilized. Default is to select Parsing.
7. Name: The name that will appear in the Logical Device Groupings tree and the filter lists.
8. IP Address/Hostname: The IP address and host name associated with the data source device.
9. Syslog Relay: Allows data to be collected via relays and bucketed to the correct data source. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask: Enables you to apply a mask to an IP address so that a range of IP addresses can be accepted.
11. Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
12. Support Generic Syslog: Allows users to select "Parse generic syslog" or "Log unknown syslog event". Both of these options will create an alert for an auto-learned syslog event if there is no parsing rule.
13. Time Zone: If events are sent in a time zone other than GMT, set the time zone of the data source so that the date on the events can be set accordingly.
14. Interface: Opens the Receiver interface settings to associate ports with streams of information.
15. Advanced: Opens advanced settings for the data source.

6 Appendix B - Troubleshooting

If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.

If you see errors saying events are being discarded because the Last Time value is more than one hour in the future, or the event times are otherwise incorrect, the Time Zone setting most likely does not match the timestamps in the log. IIS writes W3C logs in UTC, so a W3C data source should be left at GMT; the IIS and NCSA formats use the server's local time, so for those the Time Zone must be set to the web server's zone. Compare a fresh line in the log file with the server clock to confirm which case applies before changing the setting.