Internet Information Services (IIS) is Microsoft’s extensible web server software for the Windows NT operating system. It provides a modular and extensible platform for hosting websites, services and applications.
Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for IIS. Blumira supports the following Microsoft Windows server operating systems:
Blumira provides broad coverage for Windows Server including collecting logs using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.
You will need to first install and configure NXLog on the windows host using these instructions: https://www.blumira.com/integration/windows-server/
With the configuration file change on 2019/10/16, updates to the configuration file are no longer required to support IIS. If you currently use IIS, you should run the following commands in an Administrative command prompt to enable logging:
wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true wevtutil sl Microsoft-IIS-Configuration/Operational /e:true wevtutil sl Microsoft-IIS-Logging/Logs /e:true
If IIS is not installed you will get an error. That’s OK, it’s non-harmful if being used across a broad deployment.
Lastly, each IIS server will need its logging configuration changed in Log Event Destination to support the Event Log.
net stop nxlog && net start nxlog
NOTE: This is an option INSTEAD of the recommended collection option above, if you have an older nxlog.conf that you’d like to use.
If you are leveraging IIS on a server and would like to collect the access logs associated with it, a few small modifications are required to the aforementioned nxlog.conf file that you downloaded from above. In most cases, just enabling logging for your IIS Site and uncommenting the section in nxlog.conf will be all that is required from the below steps.
NOTE: If you have more than one Site on your host, you will need to ensure that each Site is configured appropriately for Logging. Then, you will need to copy and paste the entire Windows IIS Event Logs START to END block and change the File parameters appropriately for those log files.