Request: modernize setup-iis.exe to utilize IIS 6 WMI or compatible IIS7+ features to detect IIS logs.

[nbent...@gmail.com]

I noticed in 3.2 none of my iis logs were being detected by ossec agent. I'm using this janky script to detect and add iis logs to the ossec.conf:

Option Explicit

WScript.Timeout = 82800

' This script is locates all IIS websites and their log paths and 

' appends it to the ossec.conf file.

'

' The locations of the IIS log files are found automatically (for this

' to also work on IIS 7.x on Windows Vista, Windows Server 2008 or

' Windows 7, please enable "IIS 6 Metabase Compatibility" aka

' "IIS Metabase and IIS 6 configuration compatibility").

Dim objIIS, objWeb, objIISOuter, objWebOuter

Const ForReading = 1

Const ForWriting = 2

Dim MODOUT 

MODOUT = "<!-- One entry for each file/Event log to monitor. -->"

Dim objFSO, objFile, strText, strNewText

'Get Operating System's OS level (x86/64). For Program Files Directory layout

Dim OSbits

OSbits = GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'").AddressWidth

Set objIISOuter = GetObject("IIS://LOCALHOST")

For Each objWebOuter in objIISOuter

  If LCase(objWebOuter.Class) = "iiswebservice" Then

    Set objIIS = GetObject("IIS://LOCALHOST/W3SVC")

    For Each objWeb in objIIS

      If LCase(objWeb.Class) = "iiswebserver" Then

MODOUT = MODOUT & VBCrLf & "  " & "<localfile>" & VBCrLf & "    " & "<location>" & objWeb.LogFileDirectory & "\W3SVC" & objWeb.Name _

& "\u_ex%y%m%d.log</location>" & VBCrLf & "    " & "<log_format>iis</log_format>" & VBCrLf & "  " & "</localfile>" & VBCrLf

End If

    Next

  ElseIf LCase(objWebOuter.Class) = "iissmtpservice" Then

    Set objIIS = GetObject("IIS://LOCALHOST/SMTPSVC")

    For Each objWeb in objIIS

      If LCase(objWeb.Class) = "iissmtpserver" Then

MODOUT = MODOUT & VBCrLf & "  " & "<localfile>" & VBCrLf & "    " & "<location>" & objWeb.LogFileDirectory & "\SMTPSVC" & objWeb.Name _

& "\u_ex%y%m%d.log</location>" & VBCrLf & "    " & "<log_format>iis</log_format>" & VBCrLf & "  " & "</localfile>" & VBCrLf

      End If

    Next

  End If

Next

'Read in the ossec.conf from the correct path (x86/64bit)

If OSbits = "64" Then

Set objFSO = CreateObject("Scripting.FileSystemObject")

Set objFile = objFSO.OpenTextFile("C:\Program Files (x86)\ossec-agent\ossec.conf", ForReading)

strText = objFile.ReadAll

objFile.Close

Else

Set objFSO = CreateObject("Scripting.FileSystemObject")

Set objFile = objFSO.OpenTextFile("C:\Program Files\ossec-agent\ossec.conf", ForReading)

strText = objFile.ReadAll

objFile.Close

End If

' Write out the discovered IIS website log file locations to the ossec.conf 

strNewText = Replace(strText, "<!-- One entry for each file/Event log to monitor. -->", MODOUT)

If OSbits = "64" Then

Set objFile = objFSO.OpenTextFile("C:\Program Files (x86)\ossec-agent\ossec.conf", ForWriting)

objFile.WriteLine strNewText

objFile.Close

Else

Set objFile = objFSO.OpenTextFile("C:\Program Files\ossec-agent\ossec.conf", ForWriting)

objFile.WriteLine strNewText

objFile.Close

End If

Set objIIS = nothing

Set objIISOuter = nothing

However it doesn't detect existing iis logs so it can't run in a nightly schedule to recheck if more sites were added (our environment constantly updated websites about weekly in certain environments). I would think updating setup-iis.exe to use a built in wmi service to scan for potential logs would be great, also if it did detection for existing logs in the ossec.conf so it doesn't create duplicates that would be awesome as well.