IIS Auditing Overview
InTrust with the Knowledge Pack for Microsoft IIS allows you to gather and monitor for events generated by Microsoft Internet Information Services (IIS). This information allows you to stay informed about who has been using the server and how many times your online information was accessed.
You can collect, report, and monitor for events generated by Microsoft IIS versions 7.0 and later. Gathering (but not monitoring) of events generated by Microsoft FTP Service is also supported.
IMPORTANT: Make sure IIS is configured as follows:
- For real-time monitoring to work, on 64-bit Windows, IIS must be running in 32-bit mode.
- For gathering to work, IIS logging must be done on a per-site basis, meaning that the "One log per" option must be set to Site (instead of Server) in IIS Manager.
InTrust can process the event data written by IIS to the following logs:
- Microsoft IIS WWW Log
- Microsoft IIS FTP Log
- Windows Security Log (events generated by IIS)
Installing the Knowledge Pack for Microsoft IIS
Support for IIS auditing and real-time monitoring is provided by the Knowledge Pack for Microsoft IIS. The Knowledge Pack must be installed on top of an existing InTrust installation.
Configuring Service Logging for IIS and FTP Service
- In Internet Information Services Manager, in the left pane, click the necessary site or server.
- In the right pane, click Logging.
- On the screen that opens, set the Format option to W3C.
- Configure other logging options as necessary.
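The following PowerShell sketch is an added example, not part of the InTrust product or its documentation. It checks every site on a server against the two logging prerequisites named on this page (per-site logging and the W3C format). It assumes the WebAdministration module that ships with the IIS management tools and an elevated session; the function name is hypothetical, and FTP-specific logging settings are not inspected.

```powershell
# Added example: audit IIS logging settings against the prerequisites on this page.
# Assumes an elevated session on the IIS server with the WebAdministration module.
Import-Module WebAdministration

function Test-IisLoggingPrerequisites {   # hypothetical helper name
    $findings = @()

    # "One log per" in IIS Manager is stored as centralLogFileMode
    # (Site, CentralW3C or CentralBinary) in applicationHost.config.
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.applicationHost/log' -Name 'centralLogFileMode'
    # The cmdlet returns either a plain value or an object with a Value property.
    $mode = if ($null -ne $raw.Value) { [string]$raw.Value } else { [string]$raw }
    if ($mode -ne 'Site') {
        $findings += [pscustomobject]@{
            Scope = 'Server'; Setting = 'One log per'
            Actual = $mode;   Required = 'Site'
        }
    }

    foreach ($site in Get-ChildItem 'IIS:\Sites') {
        $log = $site.logFile
        # Not stated on the page, but with logging off there is nothing to gather.
        if (-not $log.enabled) {
            $findings += [pscustomobject]@{
                Scope = $site.Name; Setting = 'Logging enabled'
                Actual = $false;    Required = $true
            }
        }
        # The Format option must be W3C (other values: IIS, NCSA, Custom).
        if ([string]$log.logFormat -ne 'W3C') {
            $findings += [pscustomobject]@{
                Scope = $site.Name;        Setting = 'Format'
                Actual = $log.logFormat;   Required = 'W3C'
            }
        }
    }
    return $findings
}

$result = Test-IisLoggingPrerequisites
if ($result) { $result | Format-Table -AutoSize }
else { 'All sites use per-site W3C logging.' }
```

Each row in the output names a site (or the server) and the setting to correct in IIS Manager before gathering is configured.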
Known Issues with IIS 7.0 and FTP Service 7.5
The following issues exist with gathering and real-time monitoring of IIS 7.0 and FTP Service 7.5 logs:
- The "Oversized request" real-time monitoring rule does not work for these logs.
- When gathering uses agent-side log backup, filtering by the sc-bytes, cs-bytes and time-taken fields does not work in the following audit data filters:
  - MS IIS: Web Site: Failed Access
  - MS IIS: Web Site: Restricted Access
  - MS IIS FTP Site Log
  - MS IIS: Web Site: Warning-code Access
  - MS IIS: FTP Site: Successful Logons
  - MS IIS: Web Site: Successful Access
  - MS IIS: FTP Site: Failed Logons
  - MS IIS: FTP Site: Upload
  - MS IIS: FTP Site: All Logons
  - MS IIS Web Site Log
  - MS IIS: Web Site: Not Found Errors
  - MS IIS: FTP Site: Download
- If gathering uses agent-side log backup, the "Web site total statistics" and "WEB site daily traffic [chart]" reports cannot be generated from the resulting events.
- Real-time monitoring and gathering of FTP logs do not work when agent-side audit log backup is enabled.
- Gathering of the WWW log in UTF-8 format does not work if the "Do not create new log files" logging option is selected.