IIS log in wazuh

[Wahyu Kurniawan]

Hi,

I'm installing wazuh using AIO deployement. I need to get IIS log from the agent. by editing ossec.conf in the agent

<localfile>
    <location>%SystemDrive%\inetpub\logs\LogFiles\W3SVC2\*.log</location>
    <log_format>iis</log_format>
</localfile>

my question is how do I monitor the IIS log in wazuh? where to view this logs in wazuh dashboard?

[Maximiliano Ibarra]

Hi. First of all, thanks for contacting us.
I leave you an official article that shows how to monitor the IIS:https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/log-data-configuration.html#using-environment-variables

If the configuration is correct, we can look at the agent logs, you should see something like this when the new file is detected:

wazuh-agent[5668] logcollector.c:966 at update_fname(): INFO: (1952): Monitoring variable log file: 'C:\$YOUR_FILE_PATH'.

Also, I leave another related user thread about the same topic.
https://groups.google.com/g/wazuh/c/cEClu-XeJd8

I hope this could help you.
Best regards

[Wahyu Kurniawan]

hi Max,

yes I followed that link. in my agent I got the IIS logs

2022/08/24 11:53:23 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC2\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC2\u_ex190502.log'.
2022/08/24 11:53:23 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC2\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC2\u_ex190503.log'.
2022/08/24 11:53:23 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC2\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC2\u_ex190504.log'.

also in agent configuration the log is there as shown by below image

as you can see above I get all log under c:\inetpub\logs\LogFiles\W3SVC2\*.*

Where can I see this log in discovery or security event because I can't find them. I hope you can assist me with this, I'm being task with this to monitor our server but I'm having roadblock in here.

[Wahyu Kurniawan]

I forgot to provide you with my ossec.conf
hope you can guide me through. I need to khow how to display iis logs in kibana > discover section. 

[Maximiliano Ibarra]

Thank you for your feedback.
Please, give me some time to try to reproduce your use case. I'll answer you soon.  

[Maximiliano Ibarra]

Hi, again.
I was researching more about and I found some information that could be helpful.
In this case, you must do some steps to monitor your IIS logs:

1. Collecting: Review if your agent is reading the log that you are configuring. You can read the ossec.log file and search for "localfile" entries. 
   
2. Reception: You can review the events that the manager receives by enabling the logall_json setting. Enable it and verify that you see the events in the /var/ossec/logs/archives/archives.json file.
3. Rule matching: Once you know that you are receiving the events, you should review if the event is properly decoded and matches a rule. To do this, you can paste the raw events (from the archives.json file) to the tool logtest under /var/ossec/bin. 
   If any rule is triggered, you should review the decoders/rules in order to fix them or create new ones.
   https://documentation.wazuh.com/current/learning-wazuh/replace-stock-rule.html?highlight=custom%20rules
   
4. Indexing: Finally, if the alert generated has a level equal to or higher than 3, you should be able to see it in Kibana > Discover section. If you can't find them, review the filebeat/logstash/elasticsearch logs, it could be an issue with the index template.

You have done the first step, you must continue with the following steps. I hope this could help you.
Best regards

[Wahyu Kurniawan]

Hi Max,

Thank you for this guidance . Sorry for late response, I will try this tomorrow

Best Regards,
Wahyu Kurniawan