diff --git a/Content/Content Packs/Microsoft IIS Content Pack.html b/Content/Content Packs/Microsoft IIS Content Pack.html new file mode 100644 index 0000000..81b0342 --- /dev/null +++ b/Content/Content Packs/Microsoft IIS Content Pack.html @@ -0,0 +1,428 @@ + + + + Microsoft IIS Content Pack + + + + +

Microsoft IIS (Internet Information Services) is a flexible, secure, and manageable web server developed by Microsoft for hosting websites, web applications, and services on Windows. It supports HTTP, HTTPS, FTP, FTPS, and more, and integrates tightly with ASP.NET, Windows authentication, and the broader Windows Server ecosystem.

+

Supported/Tested Versions

+ +

+

+
Hint: This pack supports two formats for access logs. The Default W3C fields and all W3C fields in the default order. +
+
+

+

+

+
Warning: Custom formats are not supported. +
+
+

+

Requirements

+ +

Stream Configuration

+

This technology pack includes 1 stream:

+ +

+

+
Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream. +
+
+

+

Index Set Configuration

+

This technology pack includes 1 index set definition:

+ +

+

+
Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation. +
+
+

+

Log Collection

+

This pack parses logs from the following sources:

+ +

Filebeat Configuration

+
    +
  1. +

    Please refer to the official documentation to set up Graylog Sidecar for Filebeat.

    +
  2. +
  3. +

    Create a matching Beats input in Graylog.

    +
  4. +
  5. +

    Ensure that the option Do not add Beats type as prefix is disabled.

    +
  6. +
  7. +

    Create an API access token and custom Windows Filebeat collector.

    +
  8. +
  9. +

    Configure the collector to ship messages to Graylog (select the right path). The Filebeat input must add the field event_source_product: microsoft_iis for the parser to identify the log source as Microsoft IIS.

    +
  10. +
  11. +

    In addition, the option fields_under_root must be set to true for message identification to work. See the following example:

    + + + filebeat.inputs: +- type: log +enabled: true +paths: +- C:\inetpub\logs\LogFiles\W3SVC1\*.log +fields: +event_source_product: microsoft_iis +fields_under_root: true + +
  12. +
  13. +

    Adjust the file path in the config file if needed.

    +
  14. +
  15. +

    Install Graylog Sidecar on the client host.

    +
  16. +
  17. +

    Edit the Graylog Sidecar client configuration with your Graylog server API URL and API access token.

    +
  18. +
+

Log Format Example

+

These are example logs for Microsoft IIS in W3C log format.

+

W3C default Logs

+

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken + 2025-07-22 16:04:35 ::1 GET / - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 - 200 0 0 1127 + 2025-07-22 16:04:35 ::1 GET /iisstart.png - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 http://localhost/ 200 0 0 14 + 2025-07-22 16:04:35 ::1 GET /favicon.ico - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 http://localhost/ 404 0 2 7 +

+

W3C all fields selected

+

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken + 2025-07-22 17:08:10 W3SVC1 WIN-I4KO2719DL6 ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 - - localhost 304 0 0 166 780 86 +

+

What is Provided

+ +

Events Processed by This Technology Pack

+

The content pack supports the following log types. Generic processing will be provided for log types not listed.

+ +

GIM Categorization

+

GIM categorization is provided for the following messages:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Message Typegim_event_type_codegim_event_categorygim_event_classgim_event_subcategorygim_event_type
Access Logs180200httpprotocolhttp.communicationhttp communication
+

Message Fields Included in This Pack

+

General Parsing for Default W3C Format

+ + + Common Fields List + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Field_NameExample_ValueField_TypeDescription
event_created2025-07-22 17:08:10dateDate and Time of the event created
source_ip::1stringSource IP address
http_request_methodGETstringHTTP method used
http_request_path/stringRequested URI path
http_uri_query-stringQuery string parameters
destination_port80longPort on destination
user_name-stringAuthenticated user name
destination_ip::1stringDestination IP address
http_user_agentMozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0stringClient user agent
http_referrer-stringHTTP referrer header
http_response_code200longHTTP status code
http_sub_status10longHTTP substatus code
http_win32_status20longWin32 status code
http_response_time1127longTime taken to serve request
+
+
+

Extended W3C Field Format

+ + + Fields List + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Field_NameExample_ValueField_TypeDescription
event_created2025-07-22 17:08:10dateDate and Time of the event created
destination_sitenameW3SVC1stringWeb server site name
destination_hostnameWIN-I4KO2719DL6stringWeb server hostname
source_ip::1stringSource IP address
http_request_methodGETstringHTTP method used
http_request_path/stringRequested path
http_uri_query-stringQuery string parameters
destination_port80longPort on destination host
user_name-stringAuthenticated user name
destination_ip::1stringIP of destination
http_versionHTTP/1.1stringHTTP protocol version
http_user_agentMozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0stringClient user agent
http_cookie-stringHTTP cookie header
http_referrer-stringReferrer URL
http_hostlocalhoststringTarget host
http_response_code304longHTTP status code
http_sub_status0longHTTP substatus code
http_win32_status0longWin32 status code
destination_bytes_sent166longBytes sent to client
source_bytes_sent780longBytes received from client
http_response_time86longRequest duration in ms
+
+
+

Microsoft IIS Content Pack

+

This spotlight offers a dashboard with 1 tab:

+

Overview

+

+ +

+ + diff --git a/Content/Resources/Images/Microsoft IIS/microsoft_iis_dashboard.png b/Content/Resources/Images/Microsoft IIS/microsoft_iis_dashboard.png new file mode 100644 index 0000000..86c7146 Binary files /dev/null and b/Content/Resources/Images/Microsoft IIS/microsoft_iis_dashboard.png differ
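Review bot: the Filebeat snippet in step 11 of the Filebeat Configuration section has lost its YAML nesting: as committed, `enabled: true`, `paths:`, `fields:` and `event_source_product: microsoft_iis` all start in column 0 instead of being indented under `- type: log` (with the path indented under `paths:` and the product field under `fields:`), so the block is not the list-of-inputs structure Filebeat expects and `fields_under_root: true` would not attach to that input; wrap the example in a `<pre>` block, or verify the leading whitespace actually survived the commit, so readers can copy it verbatim. Smaller points in the same file: the ordered list in that section carries an empty list item after every step, so the nine steps render as 1, 3, 5 ... 17 with blank 2, 4, 6 ... 18 between them; the Common Fields table describes `http_response_time` as "Time taken to serve request" while the Extended W3C table says "Request duration in ms", so state the unit in both; and the example values 10 for `http_sub_status` and 20 for `http_win32_status` do not occur in any of the sample log lines (which show 0/0 and 0/2), so take the examples from the samples so the mapping can be cross-checked.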