Microsoft IIS Server sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Microsoft IIS Server sample message when you use the Microsoft IIS protocol
The following sample event message shows that an HTTP 500 internal server error occurred.
SourceIp=10.232.192.155 AgentDevice=MSIIS AgentLogFile=u_extend1220_x.log AgentLogFormat=W3C date=2018-06-19 time=06:27:41 s-sitename=W3SVC2 s-computername=TESTTESTTEST012 s-ip=10.232.192.155 cs-method=GET cs-uri-stem=/login.asp cs-uri-query=- s-port=444 cs-username=- c-ip=10.142.129.147 cs-version=HTTP/1.0 cs(User-Agent)=- cs(Cookie)== cs(Referer)=- cs-host= sc-status=500 sc-substatus=0 sc-win32-status=0 sc-bytes=3733 cs-bytes=90 time-taken=171 X-Forwarded-For=-
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | 500 |
| Source IP | 10.142.129.147 |
| Destination IP | 10.232.192.155 |
| Destination Port | 444 |
Microsoft IIS Server sample messages when you use the Syslog protocol
Sample 1: The following sample event message shows a configuration error.
<13>Apr 17 08:55:56 microsoft.iis.test AgentDevice=WindowsLog AgentLogFile=Microsoft-IIS-Configuration/Administrative PluginVersion=7.2.9.105 Source=Microsoft-Windows-IIS-Configuration Computer=microsoft.iis.test OriginatingComputer=10.18.224.7 User=user Domain=domain EventID=12 EventIDCode=12 EventType=2 EventCategory=0 RecordNumber=380 TimeGenerated=1587124522 TimeWritten=1587124522 Level=Warning Keywords=0x8000000000000000 Task=None Opcode=Info Message=Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | 12 |
| Username | user |
| Source IP | 10.18.224.7 |
| Device Time | Apr 17 08:55:56 is extracted from the Date and Time fields in QRadar. |
Sample 2: The following sample event message shows that an HTTP 401 access denied error occurred.
<13>Oct 02 09:54:19 microsoft.iis.test IISWebLog 0 2020-10-02 14:53:31 10.0.10.51 CCM_POST /ccm_system_windowsauth/request - 80 - 10.0.0.23 ccmhttp - 401 2 5 1509 1
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | 401 |
| Source IP | 10.0.0.23 |
| Destination IP | 10.0.10.51 |
| Destination Port | 80 |
| Device Time | Oct 02 09:54:19 is extracted from the Date and Time fields in QRadar. |
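To check that a collector or a custom parser extracts the same values the tables above list, the following added example (not IBM's or QRadar's own code) parses both payload shapes from this page: the key=value form of the Microsoft IIS protocol sample, including its awkward tokens `cs(Cookie)==` and `cs-host=`, and the positional W3C line carried inside syslog sample 2. The field order assumed for the positional form is the IIS default W3C field set, which is an assumption because the page does not show the log's `#Fields` header.

```python
import re

# Microsoft IIS protocol payload, copied from the sample above (key=value form).
IIS_PROTOCOL_EVENT = (
    "SourceIp=10.232.192.155 AgentDevice=MSIIS AgentLogFile=u_extend1220_x.log "
    "AgentLogFormat=W3C date=2018-06-19 time=06:27:41 s-sitename=W3SVC2 "
    "s-computername=TESTTESTTEST012 s-ip=10.232.192.155 cs-method=GET "
    "cs-uri-stem=/login.asp cs-uri-query=- s-port=444 cs-username=- "
    "c-ip=10.142.129.147 cs-version=HTTP/1.0 cs(User-Agent)=- cs(Cookie)== "
    "cs(Referer)=- cs-host= sc-status=500 sc-substatus=0 sc-win32-status=0 "
    "sc-bytes=3733 cs-bytes=90 time-taken=171 X-Forwarded-For=-"
)
# Syslog sample 2, copied from above (positional W3C fields after "IISWebLog 0").
SYSLOG_EVENT = (
    "<13>Oct 02 09:54:19 microsoft.iis.test IISWebLog 0 2020-10-02 14:53:31 "
    "10.0.10.51 CCM_POST /ccm_system_windowsauth/request - 80 - 10.0.0.23 "
    "ccmhttp - 401 2 5 1509 1"
)
# ASSUMPTION: the positional sample uses the IIS default W3C field order; the page
# does not show the log's #Fields header, so verify this against your own logs.
W3C_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
              "sc-status", "sc-substatus", "sc-win32-status"]


def parse_kv_payload(payload):
    """Split on whitespace, then on the FIRST '=' only: 'cs(Cookie)==' -> '=', 'cs-host=' -> ''."""
    fields = {}
    for token in payload.split():
        key, sep, value = token.partition("=")
        if sep:  # a token without '=' is not a field; skip it
            fields[key] = value
    return fields


def parse_syslog_w3c(line):
    """Strip the syslog header (keeping its timestamp as device time) and name tokens by position."""
    m = re.match(r"^<\d+>(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) IISWebLog \d+ (.*)$", line)
    if not m:
        raise ValueError("not an IISWebLog syslog line")
    tokens = m.group(3).split()
    fields = dict(zip(W3C_FIELDS, tokens))
    fields["device_time"], fields["host"] = m.group(1), m.group(2)
    fields["extra"] = tokens[len(W3C_FIELDS):]  # trailing tokens the assumed header does not name
    return fields


def to_qradar(fields):
    """Map W3C names onto the QRadar field names used in the tables above."""
    return {"Event ID": int(fields["sc-status"]), "Source IP": fields["c-ip"],
            "Destination IP": fields["s-ip"], "Destination Port": int(fields["s-port"])}
```

Running `to_qradar` over each parsed sample should reproduce the Event ID, Source IP, Destination IP and Destination Port rows of the corresponding table; a mismatch points at a field-order or tokenising difference in your own log format.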