LogLogic Microsoft Internet Information Services (IIS) Log Configuration Guide




LogLogic Microsoft Internet Information Services (IIS) Log Configuration Guide

Document Release: September 2011
Part Number: LL60001-00ELS090000

This manual supports LogLogic Microsoft IIS Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

© 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
http://www.loglogic.com

Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions

Chapter 1 Configuring LogLogic's Microsoft IIS Log Collection
  Introduction to Microsoft IIS
  Prerequisites
  Configuring Microsoft IIS
  Enabling the LogLogic Appliance to Capture Log Data
    Configuring the LogLogic Appliance for File Collection
    Adding a Microsoft IIS Device
    Creating File Transfer Rules
  Verifying the Configuration

Chapter 2 How LogLogic Supports Microsoft IIS
  How LogLogic Captures Microsoft IIS Log Data
  Supported Microsoft IIS Log Data
  LogLogic Real-Time Reports
  LogLogic Search Filters

Chapter 3 Troubleshooting and FAQ
  Troubleshooting
    Problems Retrieving Log Files Using Configured File Transfer Rules
  Frequently Asked Questions

Appendix A Event Reference
  LogLogic Support for Microsoft IIS Events


Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Internet Information Services (IIS) enables LogLogic Appliances to capture logs from machines running Microsoft IIS. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft IIS's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

- Telephone: Toll Free 1-800-957-LOGS, Local 1-408-834-7480
- EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
- Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:

- Your name, email address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

  username: system
  home directory: home\app

- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

  LogLogic_home_directory\upgrade\

- Straight brackets signal options in command-line syntax. For example:

  ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring LogLogic's Microsoft IIS Log Collection

This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Microsoft IIS web server logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft IIS web server log data.

- Introduction to Microsoft IIS
- Prerequisites
- Configuring Microsoft IIS
- Enabling the LogLogic Appliance to Capture Log Data
- Verifying the Configuration

Introduction to Microsoft IIS

The Microsoft IIS logs provide information about the activity of a Web application. Microsoft IIS logs give details of the main HTTP status code, Win32 error code, and the HTTP substatus code (if logging is configured to provide this data). The Win32 error codes and the HTTP substatus codes often contain information that is critical when troubleshooting device issues.

Microsoft IIS gives you a choice of log file formats and lets you log to a file or directly to a database. The various formats are:

- W3C Extended Log File Format
- Microsoft IIS Log File Format
- National Center for Supercomputing Applications (NCSA) Common Log File Format
- ODBC Logging Format

The W3C Extended Log File Format is the default format for Microsoft IIS. You can use Microsoft IIS Manager to select the fields to include in the log file to help keep log files as small as possible.

The LogLogic Appliance captures log data, in the W3C Extended format, from Microsoft IIS by file pull using a file transfer rule. The configuration procedures for Microsoft IIS and the LogLogic Appliance depend upon your environment. For more information, see How LogLogic Captures Microsoft IIS Log Data on page 17.

Prerequisites

Prior to configuring Microsoft IIS and the LogLogic Appliance, ensure that you meet the following prerequisites:

- Microsoft IIS 5.0 or 6.0 running on Windows 2000 Server or Windows 2003 Server respectively
- Proper access permissions to make configuration changes
- Microsoft IIS with FTP Service enabled, or 3rd-party FTP, FTP(S), HTTP(S), CIFS, SCP, and/or SFTP server software installed for any platform that does not have these capabilities by default. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.
- LogLogic Appliance running Release 5.1 or later installed with the Microsoft IIS Log Source Package
- Administrative access on the LogLogic Appliance

Note: The user who installs Microsoft IIS only needs to have permission to edit the configuration files. The user does not need to be the root user.

Configuring Microsoft IIS

This section describes how to configure Microsoft IIS in order to enable the W3C logging format and rotation of logs. You can configure how regularly the log files are rotated, that is, how long it takes before a new log file is created. In Microsoft IIS, you can configure a new log to be created during any time period (i.e., daily, weekly, monthly) or when a log file has reached a particular size.

To enable the W3C logging format, configure W3C logging attributes, and set up log file rotation:

1. Log in to the web server as Administrator.
2. From the Windows Start menu, select Settings > Control Panel.
3. Double-click Administrative Tools, and then double-click Internet Services Manager.
4. In the left pane, right-click on the website in the list of served sites and select Properties.
5. On the Properties tab, select the Web Site tab.
6. On the Web Site tab, select the Enable logging checkbox.
7. In the Active log format drop-down menu, select a format. By default, the format is W3C Extended Log File Format.

Figure 1 Properties Tab with Enable Logging Selected

8. Next to the Active log format drop-down menu click Properties.
9. On the Extended Properties tab, select the properties you want to log from the options listed.

Figure 2 Extended Properties Tab

10. Select the General Properties tab.
11. Select the New Log Time Period setting for the web server log. This setting defines how frequently new logs are created.

Figure 3 General Properties Tab

12. Click OK.

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft IIS log data.

Configuring the LogLogic Appliance for File Collection

The LogLogic Appliance captures Microsoft IIS logs using file pull functionality via a file transfer rule. If the host machine where Microsoft IIS is installed does not have file transfer functionality by default, you can use one of the following deployment options for log file collection:

- Install 3rd-party file transfer software (or create a script to handle file transfers) on the host machine where Microsoft IIS is installed

  Note: Microsoft IIS with the FTP Service enabled can be used for file-based log collection. Keep in mind that using IIS's FTP Service is not a strict software requirement and you can use other 3rd-party software applications and other transfer protocols to provide the same functionality.

- Configure a remote Host Server with file transfer capability to capture log files from the Microsoft IIS host machine

Once the file transfer capability on the host machine or the remote Host Server is properly configured, you can create file transfer rules on the LogLogic Appliance for each log file you want to capture. The LogLogic Appliance pulls the log files via a supported file transfer protocol such as SFTP, SCP, FTP(S), HTTP(S), etc. For more information, see the LogLogic Administration Guide.

To enable the LogLogic Appliance to capture log data using Microsoft IIS with FTP Service enabled:

Note: The FTP Service might not be enabled by default. Make sure that the FTP Service is enabled on IIS prior to configuring the server.

1. Make sure that a destination directory (i.e., log directory) exists and is accessible on the host machine where Microsoft IIS is installed. The destination directory should contain the original log files that Microsoft IIS generates.

2. Transfer the Microsoft IIS log files to a separate publishing directory on the host machine.

   Note: In Microsoft IIS, you can set a specific FTP site log file location or you can set the default FTP site location that applies to all FTP sites.

   You can use a script that makes a copy of or moves the log files from the destination directory (i.e., log directory) to the publishing directory. In addition, you can use a Microsoft Scheduled Task to specify a time schedule when the script runs (for example, hourly, daily or weekly). You can access the Scheduled Task Wizard from the Windows Start menu, in Accessories > System Tools > Scheduled Tasks.

   Note: If you want to schedule the task to run during a specified time period (e.g., hourly), you must first create the task and then define the rules. Once you create the task, double-click the task and then select the Schedule tab, then click Advanced. Select the Repeat task checkbox and then define the rules.

   IMPORTANT! Log messages on a Microsoft IIS can grow to consume a large portion of disk space which affects performance. Microsoft recommends that you remove log files periodically. LogLogic recommends that you define a clean-up process to handle log files on the FTP server.

3. On the LogLogic Appliance, add the Microsoft IIS to the Appliance as a new device. For more information, see Adding a Microsoft IIS Device on page 12.

4. Create a file transfer rule and specify FTP as the Protocol. For more information, see Creating File Transfer Rules on page 13.

   IMPORTANT! If you are planning to use a more secure method of file transfer than FTP, the following caveats will apply for the SCP and SFTP protocols:

   - SCP and SFTP have limitations in their ability to pull a large number of files (100 or more). LogLogic recommends that you compress the files into a single file (such as .tar or .tar.gz) before the files are pulled by the LogLogic Appliance.
   - File transfer rules using SCP or SFTP as the protocol require a Public Key Copy from the LogLogic Appliance. You need to copy the Appliance's public key to the host machine containing the publishing directory for the log files. For more information on public key copy, see the LogLogic Administration Guide.

Adding a Microsoft IIS Device

LogLogic captures Microsoft IIS log files using file pull functionality via file transfer rule. You must add the server as a new device so LogLogic can properly handle the log file data and make it available through reports and searching. Once you have successfully added a Microsoft IIS device, you must configure file transfer rules for file collection. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.

To add Microsoft IIS as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   - Name: Name for the Microsoft IIS device
   - Description (optional): Description of the Microsoft IIS device
   - Device Type: Select Microsoft IIS from the drop-down menu
   - Host IP: IP address of the Microsoft IIS appliance
   - Enable Data Collection: Select the Yes radio button
   - Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 4 Adding a Device to the LogLogic Appliance

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

After you add the new device, you can configure the LogLogic Appliance by setting up file transfer rules. For information on configuring the LogLogic Appliance to capture Microsoft IIS log messages, see Configuring the LogLogic Appliance for File Collection on page 10.

Creating File Transfer Rules

After you add your Microsoft IIS device, you can create a file transfer rule for the log files. File transfer rules enable the LogLogic Appliance to pull files from the host machine or remote Host Server publishing the Microsoft IIS log files.

LogLogic supports the following wildcards: * (asterisk), ? (question mark), and [...] (open and close brackets) using directory queries. If you use wildcards, you must enable directory listing on your host machine or remote Host Server.

Examples: file /foo/file, /bar/*.log /foo?/bar*/*.aud, /foo1/file1.tar.gz, /foo1/file2.z /foo[2-8]/bar*/net*.log

LogLogic can pull and decompress archive files, extract individual files from the archive files, and then process the individual files. The following file types are supported: .tar.bz2, .tar.gz, .tar.z, .tgz, .taz, .tar, .gz, .z, .z, .zip, .zip. For more information, see the LogLogic Administration Guide.

To create file transfer rules:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices.

3. Select the File Transfer Rules tab.
4. Add a rule for the Microsoft IIS log files you want to capture by completing the following steps:

   a. From the Device Type drop-down menu, select the machine where Microsoft IIS is installed.

   b. From the Device drop-down menu, select the appropriate Microsoft IIS device.

      Note: If you have added only one Microsoft IIS device, the device name is automatically added.

   c. Click Add Rule then enter the appropriate information for the following required fields:

      - Rule Name: Name of the transfer rule (e.g., Microsoft IIS files)
      - Protocol: Specify the appropriate protocol (e.g., SFTP, SCP, FTP(S), etc.)

        Note: LogLogic recommends using a secure file transfer protocol, such as SFTP for Windows-based devices or SCP for UNIX-based devices. If you are using SFTP or SCP, you must copy the Appliance's public key to the machine where the logs are located. For more information, see Configuring the LogLogic Appliance for File Collection on page 10 and the LogLogic Administration Guide.

      - User ID: Specify only if the protocol requires a User ID
      - Password/Verify Password: Specify only if required for the User ID
      - Files: Full path (after the IP address) to the Host Server where the Microsoft IIS log files are located. For example: /log/file_name.log

        Note: FTP currently supports path wildcards only (for example, /logs/*). SFTP allows for wildcard file names (for example, *.log).

        To capture all logs in a specific directory specify the asterisk (*) wildcard. For example: /log/*.log

        The server can be the host machine where the device is installed or a remote Host Server with file transfer functionality. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.

      - File Format: Select W3C from the drop-down menu
      - Collection Time: Specify the time you want to retrieve the log file
      - Use Advanced Duplication Detection: Select the Yes radio button if you want the LogLogic Appliance to check for duplicate data while capturing the Microsoft IIS logs.
      - Enable: Select the Yes radio button to enable the File Transfer Rule

Figure 5 Add File Transfer Rule Tab

   d. Click Add.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft IIS and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft IIS device.

If the device name (Microsoft IIS) appears in the list of devices, then the configuration is correct.

If the device does not appear in the Log Source Status tab, check the Microsoft IIS logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft IIS configuration and the LogLogic Appliance configuration.

Note: If you are using Microsoft IIS with the FTP Service enabled to transfer log files to the LogLogic Appliance, make sure that IIS is properly configured. For more information, see To enable the LogLogic Appliance to capture log data using Microsoft IIS with FTP Service enabled: on page 11.

You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft IIS by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 18.

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 20 for more information.

Chapter 2 How LogLogic Supports Microsoft IIS

This chapter describes LogLogic's support for Microsoft IIS. LogLogic enables you to capture Microsoft IIS web server log data to monitor IIS events.

- How LogLogic Captures Microsoft IIS Log Data
- Supported Microsoft IIS Log Data
- LogLogic Real-Time Reports
- LogLogic Search Filters

How LogLogic Captures Microsoft IIS Log Data

Microsoft IIS logs are located in the following directory:

  systemroot\system32\logfiles\w3svcnumber

Where number is the site ID for the website. The log file name (i.e., ex*.log) is based on log time period.

LogLogic enables you to capture the log data in text format from a remote file system using FTP(S), HTTP(S), SCP, etc. The LogLogic Appliance uses file pulling to capture Microsoft IIS log messages in the W3C Extended Log File format. Log files unchanged since the last pull are filtered out from collecting to eliminate duplication. File pulling maintains a record of log files identified on the database to allow conversion. All log messages are pulled from the specified path where the converted log files are stored.

Note: LogLogic enables you to collect Microsoft IIS log messages at a configurable time (e.g., every x minutes, at an hourly interval, daily at a specified time, or weekly at a specified date and time).

Figure 6 provides a deployment example for capturing Microsoft IIS log messages. IIS Server (with FTP Service enabled) is used in the example. Using IIS's FTP Service and the FTP protocol to capture file-based log data is not a requirement. For more information, see Configuring the LogLogic Appliance for File Collection on page 10.

Figure 6 Microsoft IIS with LogLogic Components and Processes for File-Based Log Collection
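The copy-to-publishing-directory script that the file collection procedure in Chapter 1 calls for, as an added example (not LogLogic's or Microsoft's code). It bundles rotated ex*.log files into a single .tar.gz, as the guide recommends for SCP and SFTP pulls, and prunes old archives. The work directory, state file name, archive naming, and the "untouched for an hour means rotated" rule are assumptions, and the work and publishing directories are assumed to be on the same volume.

```python
"""Stage rotated IIS W3C logs into a publishing directory as one .tar.gz."""
import json
import os
import sys
import tarfile
import time
from pathlib import Path

STATE_NAME = "published.json"  # hypothetical state file, kept in the work dir


def rotated_logs(log_dir, min_age_s, now=None):
    """Return ex*.log files that IIS has finished writing, oldest first.

    Assumption: a file not modified for min_age_s seconds has been rotated.
    The log IIS is still appending to is left alone.
    """
    now = time.time() if now is None else now
    logs = [p for p in Path(log_dir).glob("ex*.log")
            if now - p.stat().st_mtime >= min_age_s]
    return sorted(logs)


def publish(log_dir, work_dir, publish_dir, min_age_s=3600, now=None):
    """Bundle rotated logs that were not published before into one archive.

    The archive is built in work_dir and renamed into publish_dir, so a
    pull rule such as /logs/* never sees a half-written file or the state
    file. Returns the archive path, or None when there is nothing new.
    """
    now = time.time() if now is None else now
    work_dir, publish_dir = Path(work_dir), Path(publish_dir)
    work_dir.mkdir(parents=True, exist_ok=True)
    publish_dir.mkdir(parents=True, exist_ok=True)

    state_file = work_dir / STATE_NAME
    done = set(json.loads(state_file.read_text())) if state_file.exists() else set()
    todo = [p for p in rotated_logs(log_dir, min_age_s, now) if p.name not in done]
    if not todo:
        return None

    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
    partial = work_dir / f"iis-{stamp}.partial"
    final = publish_dir / f"iis-{stamp}.tar.gz"
    with tarfile.open(str(partial), "w:gz") as tar:
        for p in todo:
            tar.add(str(p), arcname=p.name)  # flat names, no host paths
    os.replace(partial, final)  # atomic on the same volume

    # Record what was shipped only after the archive is in place.
    state_file.write_text(json.dumps(sorted(done | {p.name for p in todo})))
    return final


def cleanup(publish_dir, keep_days, now=None):
    """Delete published archives older than keep_days; return their names."""
    now = time.time() if now is None else now
    removed = []
    for p in Path(publish_dir).glob("iis-*.tar.gz"):
        if now - p.stat().st_mtime > keep_days * 86400:
            p.unlink()
            removed.append(p.name)
    return sorted(removed)


if __name__ == "__main__":
    # Usage: stage_iis_logs.py LOG_DIR WORK_DIR PUBLISH_DIR
    # LOG_DIR is the systemroot\system32\logfiles\w3svcnumber directory.
    src, work, dest = sys.argv[1:4]
    print(publish(src, work, dest) or "nothing new to publish")
    print("removed:", cleanup(dest, keep_days=14))
```

Run it from a Scheduled Task at the interval you chose for the file transfer rule, and grant the transfer account read access to the publishing directory only.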

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft IIS. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Note: When a log file is transferred, each file contains a timestamp which consists of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of LogLogic supported date and time formats, see the LogLogic Administration Guide.

Supported Microsoft IIS Log Data

LogLogic enables you to capture Microsoft IIS W3C formatted log data. There are five event categories that can be generated:

- Informational
- Successful
- Redirection
- Server Error
- Client Error

Table 1 on page 24 lists the Microsoft IIS events that are supported by the LogLogic Appliance. Each event is represented by HTTP status codes and substatus codes.

Note: The LogLogic Appliance captures all messages from the Microsoft IIS logs, but parses only specific messages for report/alert generation. For more information, see Appendix A Event Reference on page 23 for sample log messages for each event and event to category mapping.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft IIS log data. The following Real-Time Reports are available:

- All Unparsed Events: Displays data for all events retrieved from the Microsoft IIS log for a specified time interval
- Web Cache Activity: Displays locally-stored web information served during a specified time interval
- Web Surfing Activity: Displays web information served during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.
2. Click Network Activity. The following Real-Time Reports are available:
   - Web Cache Activity
   - Web Surfing Activity

3. Click Operational. The following Real-Time Reports are available:
   - All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Search Filters

LogLogic provides pre-configured Search Filters for Microsoft IIS log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:

1. From the navigation menu, select Search.
2. Select Search Filters. The following Search Filters are available:
   - Microsoft IIS: 401 Page Retrieve Errors
     Displays information about Microsoft IIS: HTTP Error 401 Page Retrieving errors
   - Microsoft IIS: 403 Forbidden
     Displays information about Microsoft IIS: HTTP Error 403 Access Denied/Forbidden errors
   - Microsoft IIS: 404 Not Found
     Displays information about Microsoft IIS: HTTP Error 404 Not Found errors

For more information on Search Filters, reports, and alerts see the LogLogic User Guide and LogLogic Online Help.
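To check what the appliance should be reporting before it pulls a file, the following added example (not LogLogic's parser or code from the guide) reads a W3C Extended log, follows the #Fields directive wherever it changes, groups requests into the five event categories, and tallies the 401, 403 and 404 responses the Search Filters cover. The mapping of status class to category name is an assumption, since Table 1 is not reproduced here, and the sample log lines are constructed.

```python
"""Parse IIS W3C Extended logs and summarize status codes."""
from collections import Counter

# Assumed mapping from HTTP status class to the guide's category names.
CATEGORIES = {1: "Informational", 2: "Successful", 3: "Redirection",
              4: "Client Error", 5: "Server Error"}
WATCHED = (401, 403, 404)  # the codes the pre-configured Search Filters cover

# Constructed sample. The field list changes mid-file, as it does when an
# administrator selects different Extended Properties, and the last line
# is cut short.
SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-09-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-09-01 00:00:01 192.0.2.10 GET /default.htm 200
2011-09-01 00:00:02 192.0.2.10 GET /missing.htm 404
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2011-09-01 00:05:00 198.51.100.7 - GET /admin/ 401 2 2148074254
2011-09-01 00:05:01 198.51.100.7 - GET /admin/ 401 2 2148074254
2011-09-01 00:05:02 198.51.100.7 - GET /admin/ 403 6 5
2011-09-01 00:05:03 192.0.2.10 - GET /old.htm 302 0 0
2011-09-01 00:05:04 192.0.2.10 - POST /app.asp 500 0
"""


def parse_w3c(lines):
    """Return (records, skipped).

    Each record is a dict keyed by the field names of the most recent
    #Fields directive; "-" (no value) becomes None. Lines whose value
    count does not match the active field list are counted as skipped
    instead of being mis-assigned to the wrong columns.
    """
    fields, records, skipped = None, [], 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            skipped += 1
            continue
        records.append({k: (None if v == "-" else v)
                        for k, v in zip(fields, values)})
    return records, skipped


def summarize(records):
    """Return (requests per category, watched errors per code and client)."""
    by_category, watched = Counter(), Counter()
    for rec in records:
        status = rec.get("sc-status")
        if not status or not status.isdigit():
            continue
        code = int(status)
        by_category[CATEGORIES.get(code // 100, "Unknown")] += 1
        if code in WATCHED:
            sub = rec.get("sc-substatus")  # absent unless selected for logging
            label = f"{code}.{sub}" if sub is not None else str(code)
            watched[(label, rec.get("c-ip"))] += 1
    return by_category, watched


if __name__ == "__main__":
    recs, bad = parse_w3c(SAMPLE.splitlines())
    cats, errs = summarize(recs)
    print(f"{len(recs)} parsed, {bad} skipped")
    for name, count in cats.most_common():
        print(f"{name}: {count}")
    for (label, ip), count in errs.most_common():
        print(f"{label} from {ip}: {count}")
```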

Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft IIS. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

- Troubleshooting
- Frequently Asked Questions

Troubleshooting

Is your version of Microsoft IIS supported?
For more information, see Prerequisites on page 8.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft IIS. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft IIS events are not appearing on the LogLogic Appliance...
You need to verify if the LogLogic Appliance is receiving the logs correctly. For more information, see Problems Retrieving Log Files Using Configured File Transfer Rules on page 20. Also, make sure that you have properly enabled and configured W3C logging and log rotation on Microsoft IIS. For more information, see Configuring Microsoft IIS on page 8.

Problems Retrieving Log Files Using Configured File Transfer Rules

If you are having general problems retrieving log files using your configured file transfer rules, you might need to verify that your LogLogic Appliance is receiving Microsoft IIS logs as scheduled.

To verify that the LogLogic Appliance is receiving logs correctly:

1. Log in to the LogLogic Appliance managing the Microsoft IIS log data.
2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Select the File Transfer Rules tab. The File Transfer Rules tab appears with a table displaying all of your file transfer rules.
4. Find the file-based log data entries.
5. Under the Last Successful Retrieval column, watch for a successful transfer as defined by the Collection Interval mark.
6. Under the Last Attempted Retrieval column, verify that there are no failures.
7. If the Last Attempted Retrieval value is incrementing but the Last Successful Retrieval value is not changing, then the LogLogic Appliance is not receiving logs correctly. If this problem occurs, then complete the following steps:
   a. Verify the path to your log files. If necessary, make appropriate changes.
   b. Verify your username and password. If necessary, make appropriate changes.

Alternatively, you can run an Index Search against Microsoft IIS as follows to check log collection:

1. In the navigation menu, select Search > Index Search.
2. Specify the LogLogic Appliance as the Device Type and choose the appropriate Source Device.
3. Enter your Boolean Search query. For example:
   - To return file collector-related logs, type engine_filecollector
   - To return only Microsoft IIS entries, type engine_filecollector and Microsoft IIS

Entries can be found in the /loglogic/status/filecollector_status file.

Frequently Asked Questions

How does the LogLogic Appliance obtain log data from Microsoft IIS?
The LogLogic Appliance captures web server log data, in W3C Extended Log File format, from Microsoft IIS by file pull using a file transfer rule. For more information, see How LogLogic Captures Microsoft IIS Log Data on page 17.

What access permissions are required?
A user on Microsoft IIS with administrator privileges is required.

Do I need to transfer logs via FTP to the LogLogic Appliance using the FTP Service on Microsoft IIS?
No, FTP as the file transfer protocol is used as an example in this document. It is possible to set up a remote Host Server using other 3rd-party file transfer applications. It is also possible to use a more secure file transfer protocol (i.e., SFTP, SCP) to send log files to the Appliance.


Appendix A Event Reference

This appendix lists the LogLogic-supported Microsoft IIS events. The Microsoft IIS event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's file pull functionality.

LogLogic Support for Microsoft IIS Events

The following list describes the contents of each of the columns in the table below.

- Event ID: Microsoft IIS status and substatus codes (there is a space between the status and substatus code)
- Agile Reports/Search: Defines if the Microsoft IIS event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- Title/Comments: Event name
- Event Category: Category of events such as Informational, Client Error, etc.
- Event Type: Type of event such as Success or Failure
- Sample Log Message: Sample Microsoft IIS log messages in W3C format containing the following default fields: Time, Date, c-ip, cs-username, s-ip, s-port, cs-method, cs-uri-stem, cs-uri-query, sc-status, cs(user-agent), sc-substatus

Table 1 Microsoft IIS Events

No. | Event ID | Agile Reports/Search | Title | Event Category | Event Type | Sample Log Message
1 | 100 0 | Agile | HTTP_CONTINUE | Informational | Info | 2005-06-24 00:15:14 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 100 0
2 | 101 0 | Agile | HTTP_SWITCHING_PROTOCOLS | Informational | Info | 2005-06-24 00:15:14 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 101 0
3 | 200 0 | Agile | HTTP_OK | Successful | Success | 2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 200 0
4 | 201 0 | Agile | HTTP_CREATED | Successful | Success | 2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 201 0
5 | 202 0 | Agile | HTTP_ACCEPTED | Successful | Success | 2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 202 0
6 | 203 0 | Agile | HTTP_NON_AUTHORITATIVE | Successful | Success | 2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 203 0
7 | 204 0 | Agile | HTTP_NO_CONTENT | Successful | Success | 2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 204 0
8 | 205 0 | Agile | HTTP_RESET_CONTENT | Successful | Success | 2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 205 0
9 | 206 0 | Agile | HTTP_PARTIAL_CONTENT | Successful | Success | 2005-06-24 00:15:11 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 206 0
10 | 301 0 | Agile | HTTP_MOVED_PERMANENTLY | Redirection | Info | 2005-06-24 00:15:46 10.1.1.145 GET /foo.jsp param=<script>foo</script> 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 301 0
11 | 302 0 | Agile | HTTP_MOVED_TEMPORARILY | Redirection | Info | 2005-06-24 00:15:46 10.1.1.145 GET /foo.thtml param=<script>foo</script> 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 302 0
12 | 304 0 | Agile | HTTP_NOT_MODIFIED | Redirection | Info | 2005-06-24 00:15:46 10.1.1.145 GET /.cobalt/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 304 0
13 | 307 0 | Agile | HTTP_TEMPORARY_REDIRECT | Redirection | Info | 2005-06-24 00:15:46 10.1.1.145 GET /1/ - 80 - 307 0
14 | 400 0 | Agile | HTTP_BAD_REQUEST | Client Error | Info | 2005-06-24 00:15:46 10.1.1.145 GET /8/ - 80 - 400 0
15 | 401 0 | Agile | HTTP_UNAUTHORIZED | Client Error | Info | 2005-06-24 00:15:46 10.1.1.145 GET /2/ - 80 - 401 0

16 | 401 1 | Agile | LOGON FAILED | Client Error | Info | 2005-06-24 00:15:46 10.1.1.145 GET /3/ - 80 - 401 1
17 | 401 2 | Agile | LOGON FAILED DUE TO SERVER CONFIGURATION | Client Error | Info | 2005-06-24 00:15:46 10.1.1.145 GET /4/ - 80 - 401 2
18 | 401 3 | Agile | UNAUTHORIZE DUE TO ACL ON RESOURCE | Client Error | error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.php param=<script>foo</script> 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 401 3
19 | 401 4 | Agile | AUTHORIZATION FAILED BY FILTER | Client Error | error | 2005-06-24 00:15:46 10.1.1.145 GET /5/ - 80 - 401 4
20 | 401 5 | Agile | AUTHORIZATION FAILED BY ISAPI/CGI APPLICATION | Client Error | error | 2005-06-24 00:15:46 10.1.1.145 GET /6/ - 80 - 401 5
21 | 401 7 | Agile | ACCESS DENIED BY URL AUTHORIZATION POLICY ON WEB SERVER | Client Error | error | 2005-06-24 00:15:46 10.1.1.145 GET /7/ - 80 - 401 7
22 | 402 0 | Agile | HTTP_PAYMENT_REQUIRED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /9/ - 80 - 402 0
23 | 403 0 | Agile | HTTP_FORBIDDEN | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /AdminWeb/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 0
24 | 403 1 | Agile | EXECUTE ACCESS_FORBIDDEN. | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Admin_files/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 1

25 | 403 2 | Agile | READ ACCESS_FORBIDDEN | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Administration/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 2
26 | 403 3 | Agile | WRITE ACCESS_FORBIDDEN | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /AdvWebAdmin/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 3
27 | 403 4 | Agile | SSL REQUIRED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Agent/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 4
28 | 403 5 | Agile | SSL 128 REQUIRED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Agents/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 5
29 | 403 6 | Agile | IP ADDRESS REJECTED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Album/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 6
30 | 403 7 | Agile | CLIENT CERTIFICATE REQUIRED. | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /CS/ - 80 - 403 7
31 | 403 8 | Agile | SITE ACCESS DENIED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /CVS/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 8
32 | 403 9 | Agile | TOO MANY USERS | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /DMR/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 9
33 | 403 10 | Agile | INVALID CONFIGURATION | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /DocuColor/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 10
34 | 403 11 | Agile | PASSWORD CHANGE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /GXApp/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 11
35 | 403 12 | Agile | MAPPER DENIED ACCESS. | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /HB/ - 80 - 403 12
36 | 403 13 | Agile | CLIENT CERTIFICATE REVOKED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /HBTemplates/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 13
37 | 403 14 | Agile | DIRECTORY LISTING DENIED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /IBMWebAS/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 14
38 | 403 15 | Agile | CLIENT ACCESS LICENSES EXCEEDED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Install/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 15

39 | 403 16 | Agile | CLIENT CERTIFICATE UNTRUSTED OR INVALID | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /JBookIt/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 16
40 | 403 17 | Agile | CLIENT CERTIFICATE EXPIRED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Log/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 17
41 | 403 18 | Agile | CANT EXECUTE REQUESTED URL IN CURRENT APPLICATION POOL | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Mail/ - 80 - 403 18
42 | 403 19 | Agile | CANT EXECUTE CGIs FOR CLIENT IN APPLICATION POOL. | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Msword/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 19
43 | 403 20 | Agile | PASSPORT LOGON FAILED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /NSearch/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 20
44 | 404 0 | Agile | HTTP_NOT_FOUND | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /News/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 0
45 | 404 1 | Agile | WEB SITE NOT ACCESSIBLE ON REQUESTED PORT | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /PDG_Cart/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 1
46 | 404 2 | Agile | WEB SERVICE EXTENSION LOCKDOWN POLICY PREVENT THIS REQUEST | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /README/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 2
47 | 404 3 | Agile | MIME MAP POLICY PREVENTS THIS REQUEST | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Readme/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 3

48 | 405 0 | Agile | HTTP_METHOD_NOT_ALLOWED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /SilverStream/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 405 0
49 | 406 0 | Agile | HTTP_NOT_ACCEPTABLE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /Stats/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 406 0
50 | 407 0 | Agile | HTTP_PROXY_AUTHENTICATION_REQUIRED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /StoreDB/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 407 0
51 | 412 0 | Agile | HTTP_PRECONDITION_FAILED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.jsp param=<script>foo</script>.jsp 80 - 412 0
52 | 413 0 | Agile | HTTP_REQUEST_ENTITY_TOO_LARGE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /robots.txt - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 413 0
53 | 414 0 | Agile | HTTP_REQUEST_URI_TOO_LARGE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /CVS/Entries - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 414 0
54 | 415 0 | Agile | HTTP_UNSUPPORTED_MEDIA_TYPE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.shtml param=<script>foo</script>.shtml 80 - 415 0
55 | 416 0 | Agile | HTTP_RANGE_NOT_SATISFIABLE | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /NonExistant1555037972/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 416 0
56 | 417 0 | Agile | HTTP_EXPECTATION_FAILED | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.thtml param=<script>foo</script>.thtml 80 - 417 0
57 | 423 0 | Agile | HTTP_LOCKED ERROR | Client Error | Error | 2005-06-24 00:15:46 10.1.1.145 GET /foo.cfm param=<script>foo</script>.cfm 80 - 423 0
58 | 500 0 | Agile | HTTP_INTERNAL_SERVER_ERROR | Server Error | Error | 2005-06-24 00:15:53 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 500 0
59 | 500 12 | Agile | APPLICATION BUSY RESTARTING ON WEB SERVER | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 12
60 | 500 13 | Agile | WEB SERVER BUSY | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 13

61 | 500 15 | Agile | DIRECT REQUEST FOR GLOBAL.ASA NOT ALLOWED | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 15
62 | 500 16 | Agile | UNC AUTHORIZATION CREDENTIALS INCORRECT | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 16
63 | 500 18 | Agile | URL AUTHORIZATION STORE CANNOT BE OPENED | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 18
64 | 500 100 | Agile | INTERNAL ASP ERROR | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 500 100
65 | 501 0 | Agile | HTTP_NOT_IMPLEMENTED | Server Error | Error | 2005-06-24 00:15:54 10.1.1.145 NESSUS / - 80 - 10.1.1.147 - 501 0
66 | 502 0 | Agile | HTTP_BAD_GATEWAY | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /modules/forum/index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 502 0
67 | 502 1 | Agile | CGI APPLICATION TIMEOUT | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /ttforum/index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 502 1
68 | 502 2 | Agile | ERROR IN CGI APPLICATION | Server Error | Error | 2005-06-24 00:16:23 10.1.1.145 GET /_vti_bin/fpcount.exe - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 502 2
69 | 503 0 | Agile | HTTP_SERVICE_UNAVAILABLE | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /cgi-bin/index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 503 0

70 | 504 0 | Agile | HTTP_GATEWAY_TIME_OUT | Server Error | Error | 2005-06-24 00:16:16 10.1.1.145 GET /index.php board=10;action=news;ext=help;template=http://xxxxxxxxxxxx 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 504 0
71 | 505 0 | Agile | HTTP_VERSION_NOT_SUPPORTED | Server Error | Error | 2005-06-24 00:16:14 10.1.1.145 GET /bizmail.cgi - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 505 0
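
The following Python sketch is an added example, not part of the LogLogic guide or product. It parses W3C-format IIS entries, derives the "status substatus" Event ID and event category used in Table 1, and counts the 401/403/404 events that the pre-configured Search Filters cover. The log lines are constructed in the style of the sample messages, the `#Fields:` order is an assumption, and the function names are hypothetical.

```python
from collections import Counter

# Status class -> event category, following the categories named in the guide.
CATEGORIES = {1: "Informational", 2: "Successful", 3: "Redirection",
              4: "Client Error", 5: "Server Error"}

# A few (status, substatus) titles copied from Table 1; not the full table.
TITLES = {(401, 1): "LOGON FAILED", (403, 14): "DIRECTORY LISTING DENIED",
          (404, 0): "HTTP_NOT_FOUND", (500, 100): "INTERNAL ASP ERROR"}

# Constructed sample data modelled on the guide's sample messages.
# The #Fields order is an assumption; real logs declare their own.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2005-06-24 00:15:08 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 200 0
2005-06-24 00:15:46 10.1.1.145 GET /3/ - 80 - 10.1.1.147 - 401 1
2005-06-24 00:15:46 10.1.1.145 GET /IBMWebAS/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 403 14
2005-06-24 00:15:46 10.1.1.145 GET /News/ - 80 - 10.1.1.147 Mozilla/4.75+[en]+(X11,+U;+Nessus) 404 0
2005-06-24 00:15:54 10.1.1.145 GET /iisstart.htm - 80 - 10.1.1.147 - 500 100
2005-06-24 00:15:55 truncated line
"""


def parse_w3c(text):
    """Return (events, skipped) for W3C extended log text."""
    fields, events, skipped = [], [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS writes the directives again when logging restarts, so the
            # field list can change in the middle of a file.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            skipped += 1  # truncated or malformed entry
            continue
        rec = dict(zip(fields, values))
        try:
            status = int(rec["sc-status"])
            sub = int(rec.get("sc-substatus", 0))
        except (KeyError, ValueError):
            skipped += 1
            continue
        rec["event_id"] = f"{status} {sub}"  # "status substatus", as in Table 1
        rec["category"] = CATEGORIES.get(status // 100, "Unknown")
        rec["title"] = TITLES.get((status, sub), "")
        events.append(rec)
    return events, skipped


def access_errors_by_client(events, statuses=(401, 403, 404)):
    """Count 401/403/404 events per (client IP, Event ID)."""
    counts = Counter()
    for e in events:
        if int(e["sc-status"]) in statuses:
            counts[(e.get("c-ip", "-"), e["event_id"])] += 1
    return counts


if __name__ == "__main__":
    events, skipped = parse_w3c(SAMPLE_LOG)
    for e in events:
        print(e["event_id"], e["category"], e["title"], e["cs-uri-stem"])
    print("skipped:", skipped)
    print(access_errors_by_client(events))
```

Entries that do not match the declared field count are counted as skipped rather than guessed at, which makes truncated transfers visible before the data reaches a report.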