Enable Windows IIS Logs
Overview
IIS uses a flexible and efficient logging architecture. When a loggable event—usually an HTTP transaction—occurs, IIS calls the selected logging module.
Configuration
IIS logs
- Open IIS Manager.
- In the Connections tree view, select your website.
- In Features View, double-click Logging.
- On the Logging page, in the Log file section under Format, select W3C log file format (with default fields).
- Under Directory, specify the path where the log file should be stored. The default is %SystemDrive%\inetpub\logs\LogFiles.
- Click Apply in the Actions pane.
Configuration sample:
Endpoint Agent Manager
Using ansible roles (recommended)
- Search for the options.yaml file in the Devo EA Manager installer (usually in playbooks/roles/deam-packs/files/devo-packs/options.yaml).
- Open it with your preferred text editor, search for the Windows section and add a custom configuration for fetchfiles with your previously configured log file path and a custom tag.
The following screenshot shows a configuration sample:
If you are running a new deployment, continue with the normal deployment process; the change will not be applied until devo-endpoint-agent is run.
If you have an existing deployment, run the deam-packs playbook from your deployer folder to apply the configuration: ansible-playbook -i inventories/<your_inventory_name>.yaml playbooks/deam-packs.yaml.
config_refresh parameter. If the configuration is not refreshed automatically after the period has passed, you might need to restart the endpoints so that the configuration takes effect.
Use admin page in EA Manager Web UI
options.yaml file in the ansible playbook. This means that the configuration changes made in the Web UI need to be consolidated into the options.yaml file in the ansible playbooks before performing any new deployment with ansible, or else the applied changes will be overwritten.
- Log into your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080).
- Once logged in, go to the osquery configuration page by adding /settings/osquery to the URL (example: https://<devo_ea_manager_ip>:8080/settings/osquery). For EA versions prior to 1.2.0 the URL is https://<devo_ea_manager_ip>:8080/admin/osquery.
- You see a text editor with the loaded DEA Manager options.yaml file as in the following screenshot:
Search for the windows -> devo_extensions -> fetchfiles section and add your previously configured log file path with a custom tag as in the following sample:
Sending to Devo
These events use the fetchfiles query added by default in the DevoFetchFilesPack pack, so if the DevoFetchFilesPack pack is enabled, you do not need to change anything else.
Data access
By default, content files will be ingested line-by-line into Devo under box.devo_ea.files.iis. They can also be seen in the parent table, box.devo_ea.files.
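Because the file is ingested line by line, each row in box.devo_ea.files.iis is a raw W3C line, including the #-prefixed directive lines IIS writes at the top of every log file; the #Fields directive is what tells a consumer which column is which. The following Python is an added illustration of that handling and is not part of this page or of the Devo agent; the log lines are constructed sample data using the IIS default W3C field selection, and the per-client error count is one assumed triage view.

```python
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample in the IIS W3C default-fields layout (not a real capture).
# The '#Fields:' directive defines column order and opens every new log file.
SAMPLE_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Date: 2024-01-15 10:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    "sc-win32-status time-taken",
    "2024-01-15 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12",
    "2024-01-15 10:00:02 10.0.0.5 GET /old-page.html - 443 - 203.0.113.7 curl/8.0 - 404 0 2 3",
    "2024-01-15 10:00:03 10.0.0.5 POST /login id=1 443 - 198.51.100.9 Mozilla/5.0 https://example.test/ 500 0 0 250",
    # A new file with a narrower field selection: the parser must re-map columns.
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2024-01-15 11:00:00 198.51.100.9 GET /health 200",
]


class W3CLogParser:
    """Stateful line parser that remembers the most recent #Fields directive."""

    def __init__(self) -> None:
        self.fields: List[str] = []

    def parse_line(self, line: str) -> Optional[Dict[str, str]]:
        """Return a field->value dict for an entry line, or None for directives."""
        line = line.strip()
        if line.startswith("#Fields:"):
            self.fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            return None
        if not self.fields:
            raise ValueError("entry line seen before any #Fields directive")
        values = line.split()  # IIS replaces spaces inside a value with '+'
        if len(values) != len(self.fields):
            raise ValueError(f"expected {len(self.fields)} columns, got {len(values)}")
        # W3C writes '-' for an absent value; normalise it to an empty string.
        return {k: ("" if v == "-" else v) for k, v in zip(self.fields, values)}

    def parse(self, lines: Iterable[str]) -> Iterator[Dict[str, str]]:
        return (e for e in map(self.parse_line, lines) if e is not None)


def error_counts_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Count 4xx/5xx responses per client IP, a common first triage view."""
    counts: Dict[str, int] = {}
    for entry in W3CLogParser().parse(lines):
        if entry["sc-status"][:1] in ("4", "5"):
            counts[entry["c-ip"]] = counts.get(entry["c-ip"], 0) + 1
    return counts
```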