IIS logs


George Paun

Nov 12, 2025, 1:43:37 AM
to Wazuh | Mailing List
Hi guys,


I have 2 questions:
1. For IIS, if the logs are in more folders, how do I write the ossec logfile entry? Where it says W3SVC3, I have more folders.

<localfile>
  <log_format>syslog</log_format>
  <location>C:\inetpub\logs\LogFiles\W3SVC3\*.log</location>
</localfile>

2. Do I need a new decoder for IIS?

Thanks,
George

hasitha.u...@wazuh.com

Nov 12, 2025, 1:50:22 AM
to Wazuh | Mailing List
Hi George,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Nov 12, 2025, 3:51:35 AM
to Wazuh | Mailing List
Hi George,

You can monitor multiple log files that end with .log in the path C:\inetpub\logs\LogFiles\W3SVC3 by adding a wildcard for the file name, for example *.log:

<localfile>
  <log_format>syslog</log_format>
  <location>C:\inetpub\logs\LogFiles\W3SVC3\*.log</location>
</localfile>

If you have multiple folders in the path C:\inetpub\logs\LogFiles\W3SVC3, for example C:\inetpub\logs\LogFiles\W3SVC3\Test2\abc.log and C:\inetpub\logs\LogFiles\W3SVC3\Test2\efg.log:

<localfile>
  <log_format>syslog</log_format>
  <location>C:\inetpub\logs\LogFiles\W3SVC3\*\*.log</location>
</localfile>

You can configure the additional localfile config like this if you have multiple folders in the W3SVC3 directory.
Could you please share sample logs from the IIS logs so I can replicate on my end and share the decoder and rules if needed?

It would be great if you could share the full sample log instead of part of the log. To capture the sample log, I recommend that you use the archives.json log file.
By default, archives.json logs are disabled due to high resource utilization.

To capture the logs from archives.json, please follow these steps:
1. Enable logall_json on the Wazuh manager
Update the ossec.conf file on the Wazuh manager to enable logall_json.
2. Reproduce the Event
Trigger the event again to capture the relevant logs.
3. Extract Relevant Logs
Run the following command on the Wazuh manager:
       grep -iE "<related string>" /var/ossec/logs/archives/archives.json
Replace <related string> with a relevant value from the log to filter the specific entries.
4. Disable logall_json
After capturing the logs, disable logall_json in the ossec.conf file to prevent excessive storage usage.
Share the sample log that you have taken from archives.json with us.
Ref: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

Warning
Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager:
systemctl restart wazuh-manager


We recommend creating custom rules and decoders based on archives.json because in these logs we can see the field full_log, which is the one being parsed by analysis. One of the archives.json events should look like this (the field of interest is full_log):
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
Ref: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Let me know the update on this.

Ref: 
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

George Paun

Nov 12, 2025, 8:18:28 AM
to Wazuh | Mailing List
Hi Hasitha,

I have multiple folders in the path C:\inetpub\logs\LogFiles.

hasitha.u...@wazuh.com

Nov 16, 2025, 6:37:45 AM
to Wazuh | Mailing List
Hi George,

You can monitor files in any xxxxx directory under this path, C:\inetpub\logs\LogFiles\xxxxx, like below.

<localfile>
  <log_format>syslog</log_format>
  <location>C:\inetpub\logs\LogFiles\*\*.log</location>
</localfile>

The above configuration can monitor any file like this as expected.
For example:
C:\inetpub\logs\LogFiles\test\test.log
C:\inetpub\logs\LogFiles\test2\test_second.log

If you have multiple folders in the specific location, you can use * to match any name instead of each folder name, as I mentioned above.
Ref: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
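
Editor's note, added example (not code from the thread or from the Wazuh project): the `LogFiles\*\*.log` wildcard above feeds every site's log through the same `<localfile>`, so George's second question (does IIS need a new decoder?) hinges on whether every W3SVC folder writes the same W3C field layout. IIS lets each site pick its own logging fields, and the `#Fields:` directive at the top of each file is the only record of the order. The script below parses constructed IIS W3C sample lines from two hypothetical site folders, checks whether their layouts agree, and emits a Wazuh decoder skeleton (decoder name `iis-w3c` and all paths are assumptions) whose `<regex>` groups and `<order>` fields follow that header, so the decoder you build from an archives.json `full_log` sample matches the real column order.

```python
"""Inspect IIS W3C logs from several site folders before writing a Wazuh decoder.

Added example; not code from the thread or from the Wazuh project. The log
content below is constructed, the folder names are hypothetical, and the
decoder name "iis-w3c" is an assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: two IIS site folders under C:\inetpub\logs\LogFiles.
# W3SVC1 uses the IIS 10 default W3C field selection; W3SVC3 logs a trimmed
# custom selection, which is exactly the case that breaks a single decoder.
SAMPLE_LOGS: Dict[str, str] = {
    r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex251112.log": """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-11-12 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-11-12 09:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2025-11-12 09:00:02 10.0.0.5 GET /admin/web.config - 443 - 198.51.100.9 curl/8.4.0 - 404 0 2 3
""",
    r"C:\inetpub\logs\LogFiles\W3SVC3\u_ex251112.log": """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-11-12 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2025-11-12 09:00:03 198.51.100.9 POST /login.aspx 401 7
""",
}

Record = Dict[str, Optional[str]]


def header_fields(text: str) -> List[str]:
    """Return the field names from the first #Fields: directive (empty if none)."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return line[len("#Fields:"):].split()
    return []


def parse_w3c(text: str) -> List[Record]:
    """Turn W3C data lines into dicts keyed by the most recent #Fields: header.

    IIS writes '-' for an empty value (returned as None) and encodes spaces
    inside a value as '+' (decoded here). A line whose token count does not
    match the header is skipped rather than mis-assigned to the wrong columns.
    """
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # header may repeat
            continue
        tokens = line.split(" ")
        if not fields or len(tokens) != len(fields):
            continue
        records.append(
            {name: (None if tok == "-" else tok.replace("+", " "))
             for name, tok in zip(fields, tokens)}
        )
    return records


def same_layout(logs: Dict[str, str]) -> bool:
    """True when every site folder logs the same field order. Only then can one
    positional decoder serve a single LogFiles wildcard <localfile> entry."""
    layouts = {tuple(header_fields(text)) for text in logs.values()}
    return len(layouts) == 1


def order_name(field: str) -> str:
    """Map a W3C field name to an identifier usable in a Wazuh <order>:
    cs(User-Agent) -> cs_user_agent."""
    return re.sub(r"[^a-z0-9]+", "_", field.lower()).strip("_")


def decoder_skeleton(fields: List[str], name: str = "iis-w3c") -> str:
    """Emit a Wazuh decoder skeleton aligned with one #Fields layout.

    Wazuh's own regex dialect is used: one (\\S+) group per space-separated
    token, so the group count always equals the number of <order> entries.
    The name is hypothetical; validate the result with wazuh-logtest.
    """
    lines = [f'<decoder name="{name}">']
    if fields[:2] == ["date", "time"]:
        # IIS dates are ISO; anchoring on them rejects unrelated lines early.
        lines.append(r"  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>")
    lines.append("  <regex>^" + " ".join(r"(\S+)" for _ in fields) + "</regex>")
    lines.append("  <order>" + ",".join(order_name(f) for f in fields) + "</order>")
    lines.append("</decoder>")
    return "\n".join(lines)


if __name__ == "__main__":
    for path, text in SAMPLE_LOGS.items():
        print(path, "->", len(parse_w3c(text)), "records, fields:", header_fields(text))
    print("single decoder possible:", same_layout(SAMPLE_LOGS))
    print(decoder_skeleton(header_fields(SAMPLE_LOGS[r"C:\inetpub\logs\LogFiles\W3SVC3\u_ex251112.log"])))
```

If `same_layout` reports False, either make the IIS logging field selection identical for every site in IIS Manager, or keep one `<localfile>` and one decoder per folder layout instead of the single `*\*.log` wildcard. Either way, confirm the generated skeleton against a real `full_log` line captured from archives.json with `/var/ossec/bin/wazuh-logtest` before putting it in `/var/ossec/etc/decoders/`.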