Collecting IIS logs from multiple W3SVC directories

[Daniel Garczek]

Hi Wazuh Community,

I'm looking to collect IIS log files from multiple W3SVCx directories (multiple IIS profiles). My current configuration only grabs logs from W3SVC1 and looks like this:

  <localfile>

    <location>F:\logfiles\W3SVC1\u_ex%y%m%d.log</location>

    <log_format>iis</log_format>

  </localfile>

I would like to also collect logs from W3SVC2, W3SVC3, and so on. I understand that a wildcard W3SVC* will not work in Windows. Is there any other way to specify a recursive directory search OR will I have to manually define all W3SVC folder locations, like in the example below?

  <localfile>

    <location>F:\logfiles\W3SVC1\u_ex%y%m%d.log</location>

    <location>F:\logfiles\W3SVC2\u_ex%y%m%d.log</location>

    <location>F:\logfiles\W3SVC3\u_ex%y%m%d.log</location>

    ...

    <location>F:\logfiles\W3SVC254\u_ex%y%m%d.log</location>

    <log_format>iis</log_format>

  </localfile>

Thanks,

Dan

[jesus.g...@wazuh.com]

Hi Dan,

From our documentation, I can see localfile#location, it says that we can’t use wildcards on Windows systems so for now, you should achieve that as you said.

We’ll take this feedback, it’s a good point and the team will discuss this.

Best regards,
Jesús

​

[Dan G]

Thanks, Jesus.

I did some more testing and found that placing all folders inside a single element will not work - they have to be separated like so:

 <localfile>

   <location>F:\logfiles\W3SVC1\u_ex%y%m%d.log</location>

   <log_format>iis</log_format>

 </localfile>

 <localfile>

  <location>F:\logfiles\W3SVC2\u_ex%y%m%d.log</location>

  <log_format>iis</log_format>

</localfile>

  

 <localfile>

   <location>F:\logfiles\W3SVC3\u_ex%y%m%d.log</location>

   <log_format>iis</log_format>

</localfile>

[jesus.g...@wazuh.com]

Hi Dan,

Thanks for your feedback, we note down this thread for future releases. Really appreciated.

Regards!