IIS7 access log not shown on dashboard


Renee Lin

Jun 20, 2023, 10:21:50 PM
to Wazuh mailing list
I have a 2008 R2 server with a configured IIS log path, but I'm unable to import it into Wazuh. I checked the archive.log file, and there are no errors generated. However, the archive.json file shows a blank field in the decode section. The agent also doesn't display any other errors. Is there any configuration issue that could be causing this problem?

archives.json
{"timestamp":"2023-06-20T13:12:49.799+0800","agent":{"id":"018","name":"Agentname","ip":"10.1.0.41"},"manager":{"name":"wazuh-server"},"id":"1687237969.374367404","full_log":"\\WEB_log\\W3SVC1\\u_ex230620.log:2023-06-20 05:12:08 10.1.0.41 GET / - 80 - 10.1.5.132 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 401 3 0 94","decoder":{},"location":"D|"}

Decoders Test
**Phase 1: Completed pre-decoding.
full event: '2023-06-20 00:00:55 10.1.0.41 GET /MForm/Content/SemanticUI/Fonts/H2DMvhDLycM56KNuAtbJYA.woff2 - 443 - 60.249.95.11 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 50 15'

**Phase 2: Completed decoding.
name: 'web-accesslog-iis-default'
parent: 'windows-date-format'
action: 'GET'
id: '404'
srcip: '60.249.95.11'
srcport: '443'
url: '/MForm/Content/SemanticUI/Fonts/H2DMvhDLycM56KNuAtbJYA.woff2 -'
user_agent: 'Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0'

**Phase 3: Completed filtering (rules).
id: '31101'
level: '5'
description: 'Web server 400 error code.'
groups: '["web","accesslog","attack"]'
firedtimes: '2'
gdpr: '["IV_35.7.d"]'
mail: 'false'
nist_800_53: '["SA.11","SI.4"]'
pci_dss: '["6.5","11.4"]'
tsc: '["CC6.6","CC7.1","CC8.1","CC6.1","CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

Renee Lin

Jun 20, 2023, 10:29:16 PM
to Wazuh mailing list
archives.log
2023 Jun 21 09:11:36 ( Agentname  ) any->D| \WEB_log\W3SVC1\u_ex230621.log:2023-06-21 01:10:48 10.1.0.41 GET / - 80 - 104.244.77.92 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:76.0)+Gecko/20100101+Firefox/76.0 401 3 0 203

These are related messages from archive.log; currently none of the messages can be imported, so I have randomly selected some logs and their contents may vary. Please understand.

On Wednesday, June 21, 2023 at 10:21:50 AM [UTC+8], Renee Lin wrote:

Devender Rao

Jun 21, 2023, 6:40:24 AM
to Wazuh mailing list
Hi Renee,

I hope you are doing well!
Thanks for using Wazuh! 

To assist with your request, we're going to need some additional information: which Wazuh version are you currently using, and which agent version?

As the log is received at the Wazuh manager but not shown on the dashboard, it might be a connection issue. Can you confirm whether only specific logs are not shown, or whether no logs are reaching the dashboard at all?

{"timestamp": "2023-06-20T13:12:49.799+0800","agent":{"id":"018","name":"Agentname","ip":"10.1.0.41"},"manager":{"name":"wazuh-server"},"id":"1687237969.374367404","full_log":"\\WEB_log\\W3SVC1\\u_ex230620.log:2023-06-20 05:12:08 10.1.0.41 GET / - 80 - 10.1.5.132 Mozilla/5.0+(Windows+NT+10.0;+Win64;+64;+rv:109.0)+Gecko/20100101+Firefox/114.0 401 3 0 94","decoder":{},"location":"D|"}
The first log is successfully decoded, but as there is no default rule available, it will not generate any alerts. You need to create a custom rule based on the logs.
Here is the blog post that helps with creating custom rules:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/


For the second, you can see that the rule with id '31101' is generated.

For the last log you shared, there are no default decoders and rules available; to generate alerts you need to create custom decoders and rules.


archives.log
2023 Jun 21 09:11:36 ( Agentname  ) any->D| \WEB_log\W3SVC1\u_ex230621.log:2023-06-21 01:10:48 10.1.0.41 GET / - 80 - 104.244.77.92 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:76.0)+Gecko/20100101+Firefox/76.0 401 3 0 203

Renee Lin

Jun 25, 2023, 9:42:51 PM
to Wazuh mailing list
Sorry, I sent some incorrect logs.
Only the ones related to the Decoders Test should generate an alert.

However, the issue is that all the logs that should have generated alerts, including this one, did not appear on my dashboard.
My Wazuh version is v4.3.10, and the agent version is 4.4.3.

Also, here are some logs from yesterday that are not showing any IIS logs on my dashboard.

2023-06-25 00:01:31 10.1.0.41 GET /WEBAP/Form/Content/SemanticUI/Fonts/H2DMvhDLycM56KNuAtbJYA.woff2 - 80 - 10.30.7.201 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 50 46
2023-06-25 00:01:31 10.1.0.41 GET /WEBAP/Form/Content/SemanticUI/themes/default/assets/fonts/icons.woff2 - 80 - 10.30.7.201 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 50 49
2023-06-25 00:01:31 10.1.0.41 GET /WEBAP/Form/Content/SemanticUI/themes/default/assets/fonts/icons.woff - 80 - 10.30.7.201 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 50 38
2023-06-25 00:01:40 10.1.0.41 GET /WEBAP/Common/Style/font-awesome/fonts/fontawesome-webfont.woff2 v=4.5.0 80 - 10.30.7.201 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 50 46
2023-06-25 00:01:40 10.1.0.41 GET /WEBAP/Common/Style/font-awesome/fonts/fontawesome-webfont.woff v=4.5.0 80 - 10.30.7.201 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 64 39

On Wednesday, June 21, 2023 at 6:40:24 PM [UTC+8], Devender Rao wrote:

Renee Lin

Jun 27, 2023, 2:54:43 AM
to Wazuh mailing list
Hi Devender Rao,
Thank you for your previous assistance. After conducting several tests, I found that my other agent is able to successfully receive IIS logs. Apart from the difference in IIS versions, the agent versions are also different. Therefore, I reinstalled the agent and downgraded it to Wazuh v4.3.10, and now the logs can be successfully collected.

There are some differences in the "archive.log" entries between the two agent versions.
-----------------------------------------------
config:
  <localfile>
    <location>D:\WEBWEP_log\W3SVC1\*.log</location>
    <log_format>iis</log_format>
  </localfile>
-----------------------------------------------
Version v4.3.10:
2023 Jun 27 14:16:14 (WEBAPP) any->\WEBWEP_log\W3SVC1\u_ex230627.log 2023-06-27 06:16:04 10.1.0.41 GET /WebAAA/common/images/icon/icon_m19.gif - 80 - 10.1.0.102 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 0 2 3
2023 Jun 27 14:16:14 (WEBAPP) any->\WEBWEP_log\W3SVC1\u_ex230627.log 2023-06-27 06:16:04 10.1.0.41 GET /WebAAA/common/images/icon/icon_m97.gif - 80 - 10.1.0.102 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 200 0 0 9
2023 Jun 27 14:16:14 (WEBAPP) any->\WEBWEP_log\W3SVC1\u_ex230627.log 2023-06-27 06:16:04 10.1.0.41 GET /WebAAA/common/images/icon/icon_m19.gif - 80 - 10.1.0.102 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 0 2 1
2023 Jun 27 14:16:14 (WEBAPP) any->\WEBWEP_log\W3SVC1\u_ex230627.log 2023-06-27 06:16:04 10.1.0.41 GET /WebAAA/common/images/icon/icon_m66.gif - 80 - 10.1.0.102 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 200 0 0 203
-----------------------------------------------
Version v4.4.3
2023 Jun 27 13:37:17 (WEBAPP) any->D| \WEBWEP_log\W3SVC1\u_ex230627.log:2023-06-27 05:36:47 10.1.0.41 GET /WebAAA/Common/Style/font-awesome/fonts/fontawesome-webfont.woff2 v=4.5.0 443 - 60.249.95.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 50 6
2023 Jun 27 13:37:17 (WEBAPP) any->D| \WEBWEP_log\W3SVC1\u_ex230627.log:2023-06-27 05:36:47 10.1.0.41 POST /WebAAA/Login.aspx ReturnUrl=%2fgvceip%2f 443 - 60.249.95.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 200 0 64 56
2023 Jun 27 13:37:17 (WEBAPP) any->D| \WEBWEP_log\W3SVC1\u_ex230627.log:2023-06-27 05:36:47 10.1.0.41 GET /WebAAA/Common/Style/font-awesome/fonts/fontawesome-webfont.woff v=4.5.0 443 - 60.249.95.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 404 3 50 6
2023 Jun 27 13:37:17 (WEBAPP) any->D| \WEBWEP_log\W3SVC1\u_ex230627.log:2023-06-27 05:36:48 10.1.0.41 POST /WebAAA/Login.aspx ReturnUrl=%2fgvceip%2f 443 - 60.249.95.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 200 0 0 561
2023 Jun 27 13:37:17 (WEBAPP) any->D| \WEBWEP_log\W3SVC1\u_ex230627.log:2023-06-27 05:36:48 10.1.0.41 GET /WebAAA/App_Themes/ThirdTheme/images/icon/icon_m17.gif - 443 - 10.1.5.107 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36 404 0 2 0
-----------------------------------------------

I'm not sure why the new version includes "D |" in the path, and it's unclear if this is the cause of the issue. However, I wanted to inform you that my issue has already been resolved. I'm providing these records for your reference. If there is a need for further testing or any other assistance, I would be happy to help.
On Monday, June 26, 2023 at 9:42:51 AM [UTC+8], Renee Lin wrote:
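As an added illustration (not code from this thread or from Wazuh), the Python below reproduces why the 4.4.3 agent's records end up with an empty "decoder":{}: the IIS decoder's parent expects the line to begin with the W3C date, but the 4.4.3 records in the thread begin with the path to the u_ex*.log file and a colon, so the parent prematch never matches. The date prematch pattern and the 14-field IIS layout are assumptions taken from the log lines quoted above, not the decoder's exact regex.

```python
import re

# Assumption: Wazuh's windows-date-format parent decoder prematches an
# anchored "YYYY-MM-DD HH:MM:SS " prefix; this pattern approximates it.
DATE_PREMATCH = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# The prefix the 4.4.3 agent put in front of each IIS line in this thread:
# a Windows path to the rotated u_ex*.log file followed by a colon.
FILE_PREFIX = re.compile(r"^(?P<path>\\[^:]*?\.log):(?P<rest>.*)$")

# IIS W3C field order as seen in the thread's u_ex*.log lines (assumption:
# the site uses IIS's default field selection, 14 space-separated fields).
IIS_FIELDS = [
    "date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query",
    "s_port", "cs_username", "c_ip", "cs_user_agent", "sc_status",
    "sc_substatus", "sc_win32_status", "time_taken",
]

def strip_file_prefix(full_log):
    """Return (path, line); path is None when there is no 'path:' prefix."""
    m = FILE_PREFIX.match(full_log)
    if not m:
        return None, full_log
    return m.group("path"), m.group("rest")

def decode_iis(full_log):
    """Mimic the decoder chain: parent prematch, then field split.
    Returns {} when the prematch fails, i.e. "decoder":{} in archives.json."""
    if not DATE_PREMATCH.match(full_log):
        return {}
    parts = full_log.split(" ")
    if len(parts) != len(IIS_FIELDS):
        return {}
    rec = dict(zip(IIS_FIELDS, parts))
    # Mirror the fields the thread's "Decoders Test" output reported.
    return {
        "action": rec["cs_method"], "id": rec["sc_status"],
        "srcip": rec["c_ip"], "srcport": rec["s_port"],
        "url": rec["cs_uri_stem"] + " " + rec["cs_uri_query"],
        "user_agent": rec["cs_user_agent"],
    }

def decode_with_fallback(full_log):
    """Decode as received; if nothing decodes, drop the path prefix, retry."""
    decoded = decode_iis(full_log)
    if decoded:
        return decoded, None
    path, line = strip_file_prefix(full_log)
    return decode_iis(line), path
```

Feeding the two full_log strings quoted earlier in the thread (the 4.4.3 one starting with the path, the plain one from the Decoders Test) shows the first decoding only after the prefix is stripped; Windows paths must be raw strings in Python, since "\u_ex" would otherwise be read as a unicode escape.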