Microsoft IIS protocol configuration options
You can configure a log source to use the Microsoft IIS protocol. This protocol supports a single point of collection for W3C format log files that are located on a Microsoft IIS web server.
The Microsoft IIS protocol is an outbound/active protocol.
To read the log files, folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$). Local or domain administrators have sufficient privileges to access log files on administrative shares.
Fields for the Microsoft IIS protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path, but cannot contain the c:/LogFiles directory.
Parameter | Description |
---|---|
Protocol Configuration | Microsoft IIS |
Log Source Identifier | Type the IP address, host name, or a unique name to identify your log source. |
Server Address | The IP address or host name of your Microsoft IIS server. |
Domain | Type the domain for your Microsoft IIS server. This parameter is optional if your server is not in a domain. |
Username | Type the user name that is required to access your server. |
Password | Type the password that is required to access your server. |
Confirm Password | Type the password that is required to access the server. |
Log Folder Path | The directory path to access the log files. For example, administrators can use the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path. However, the c:/LogFiles directory is not a supported log folder path. If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges that are required to read the log files. Local system or domain administrator privileges are also sufficient to access log files that are on an administrative share. |
File Pattern | The regular expression (regex) that identifies the event logs. |
Recursive | If you want the file pattern to search subfolders, use this option. By default, the check box is selected. |
SMB Version | Select the version of SMB that you want to use. Note: Before you create a log source with a specific SMB version (for example: SMBv1, SMBv2, and SMBv3), ensure that the specified SMB version is supported by the Windows OS that is running on your server. You also need to verify that the SMB version is enabled on the specified Windows Server. For more information about which Windows version supports which SMB versions, go to the Microsoft TechNet website (https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/). For more information about how to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server, go to the Microsoft support website (https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server). |
Polling Interval (in seconds) | Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds. |
Throttle Events/Sec | The maximum number of events the IIS protocol can forward per second. |
File Encoding | The character encoding that is used by the events in your log file. |
- Date-UTC
- Time-UTC
- URI-Stem
- URI-Querystring
- ContentPath
- Status
- Server Name
- Referer
- Win32 Status
- Bytes Sent
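
A pre-flight check for the Log Folder Path, File Pattern and Recursive parameters from the table above, as an added example that is not part of the product or its documentation. It assumes the File Pattern must match the whole file name and that share paths compare case-insensitively; the function names, the sample listing and the sample pattern are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

DRIVE_LETTER = re.compile(r"^[A-Za-z]:")       # c:/LogFiles  (not supported)
ADMIN_SHARE = re.compile(r"^[A-Za-z]\$(/|$)")  # c$/LogFiles/ (administrative share)

# Constructed sample: share-relative paths as a directory walk might return them.
SAMPLE_LISTING = [
    "c$/LogFiles/W3SVC1/u_ex240101.log",
    "c$/LogFiles/W3SVC1/u_ex240102.log",
    "c$/LogFiles/W3SVC2/u_ex240101.log",
    "c$/LogFiles/u_ex240103.log",
    "c$/LogFiles/HTTPERR/httperr1.log",
    "c$/Windows/debug.log",
]

def norm(path):
    """Trim and use forward slashes, the form the parameter table shows."""
    return path.strip().replace("\\", "/")

def classify_log_folder_path(path):
    """Return 'admin-share', 'public-share' or 'unsupported' (drive letter or empty)."""
    p = norm(path)
    if not p or DRIVE_LETTER.match(p):
        return "unsupported"
    return "admin-share" if ADMIN_SHARE.match(p) else "public-share"

def select_files(folder, file_pattern, recursive, listing):
    """Listing entries under folder whose file name matches file_pattern (assumed whole-name match)."""
    if classify_log_folder_path(folder) == "unsupported":
        raise ValueError(f"unsupported Log Folder Path: {folder!r}")
    regex = re.compile(file_pattern)  # re.error here means a bad File Pattern
    root = PurePosixPath(norm(folder).lower())
    picked = []
    for entry in listing:
        f = PurePosixPath(norm(entry))
        try:
            rel = PurePosixPath(str(f).lower()).relative_to(root)
        except ValueError:
            continue  # outside the Log Folder Path
        if not recursive and len(rel.parts) != 1:
            continue  # in a subfolder while Recursive is off
        if regex.fullmatch(f.name):
            picked.append(entry)
    return picked

if __name__ == "__main__":
    print(select_files("c$/LogFiles/", r"u_ex\d{6}\.log", True, SAMPLE_LISTING))
```

Running the check with Recursive off shows how many files a too-narrow folder path would miss before the log source is saved.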