Setting Up NXLog for Windows

You will need to first install and configure NXLog on the windows host using these instructions: https://www.blumira.com/integration/windows-server/

Setting Up IIS Logging

Event Viewer Collection for IIS – Recommended

With the configuration file change on 2019/10/16, updates to the configuration file are no longer required to support IIS.  If you currently use IIS, you should run the following commands in an Administrative command prompt to enable logging:

wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true
wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
wevtutil sl Microsoft-IIS-Logging/Logs /e:true

If IIS is not installed you will get an error.  That’s OK, it’s non-harmful if being used across a broad deployment.

Lastly, each IIS server will need its logging configuration changed in Log Event Destination to support the Event Log.

• Go to your IIS Manager>Server Configuration>Logging
• Select “Both log file and ETW event”
• Restart nxlog from the services console or with the following command

net stop nxlog && net start nxlog

• Data from IIS will start flowing

Direct Log File Collection

NOTE: This is an option INSTEAD of the recommended collection option above, if you have an older nxlog.conf that you’d like to use.

If you are leveraging IIS on a server and would like to collect the access logs associated with it, a few small modifications are required to the aforementioned nxlog.conf file that you downloaded from above. In most cases, just enabling logging for your IIS Site and uncommenting the section in nxlog.conf will be all that is required from the below steps.

• Check that you have Logging enabled on your IIS instance.
• Go to your IIS Manager>Server Configuration>Logging
• Ensure that your main Logging configuration matches the below configurations.  The locations of the log file(s) can be in a different place than the default, but, the actual field selection seen in the below image must match or the data will fail to parse appropriately.
• When you click on Select Fields… next to W3C format, the fields seen below should be selected in this order.  Your Standard Fields output should look exactly like the following image.
• 
• Once you have validated that the logging is set up correctly and the logs are either in the default path or you are aware as to where they are located, you can proceed to the next step.
• Open up nxlog.conf downloaded from the previous section and navigate to Windows IIS Event Logs START.  If your logs are in the default location, C:\inetpub\logs\LogFiles\, then you likely do not need to make any changes.  Otherwise, change the File path at line 201 to be where your logfiles are located and named, e.g., C:\logfiles\site* if all files are rotating at C:\logfiles\site_log1.log.
• Uncomment the section, this means that you will remove all # from the beginning of the lines.  Starting at #<Extension w3c> until #</Route> above the Windows IIS Event Logs END block.
• You can now restart your nxlog instance, net stop nxlog && nx start nxlog and IIS logs will now show up as http_access on your Sensor Details page.

NOTE: If you have more than one Site on your host, you will need to ensure that each Site is configured appropriately for Logging. Then, you will need to copy and paste the entire Windows IIS Event Logs START to END block and change the File parameters appropriately for those log files.

Get a Free Cloud SIEM Trial

Try out Blumira’s automated detection & response platform for free and deploy a cloud SIEM in hours.