Enable Windows IIS Logs
Overview
IIS uses a flexible and efficient logging architecture. When a loggable event—usually an HTTP transaction—occurs, IIS calls the selected logging module.
Configuration
IIS logs
Open IIS Manager.
In the Connections tree view, select your website.
In Features View, double-click Logging.
On the Logging page, in the Log file section under Format, select W3C log file format (with default fields).
Under Directory, specify the path where the log file should be stored. The default is %SystemDrive%\inetpub\logs\LogFiles.
Click Apply in the Actions pane.
Configuration sample:
Endpoint Agent Manager
Using ansible roles (recommended)
Locate the inventory file used in your Devo EA Manager deployment.
Open it with your preferred text editor, search for deam_fleet_config_devoext_fetchfiles_paths_win (or add it under vars if you have not previously configured fetchfiles) and add a new pattern with the previously configured log file path and a custom tag. The following screenshot shows a configuration sample:
If you are running a new deployment, continue with the normal deployment process; the change will not be applied until the devo-endpoint-agent playbook is run.
If you have an existing deployment:
Enable the virtual environment by running:
source "/opt/ansible-2.9/venv/bin/activate"
Run the deam-packs playbook from your deployer folder to apply the configuration:
ansible-playbook -i inventories/<your_inventory_name>.yaml playbooks/deam-packs.yaml
Endpoints refresh their configuration every X seconds, as set by the config_refresh parameter. If the configuration has not been refreshed automatically once that period has passed, you may need to restart the endpoints so the new configuration takes effect.
Use admin page in EA Manager Web UI
Please be aware that modifying the osquery configuration via the Web UI only applies to the currently running EA Manager configuration instance and does not replicate the change to the inventory file used by the ansible playbook. Any configuration change made in the Web UI therefore needs to be consolidated into the inventory file of the ansible playbooks before performing any new deployment with ansible; otherwise the applied changes will be overwritten.
Log in to your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080). Once logged in, access the osquery configuration at https://<DEAM_IP:8080>/ -> settings -> Global agent options. Here you will see a text editor with the default configuration values and the ones loaded from the DEA Manager inventory file, as in the following screenshot:
Search for the windows -> devo_extensions -> fetchfiles section and add the previously configured log file path with a custom tag, as in the following sample:
Remember to follow these steps if you have previously deployed the pattern in fetchfiles.
Sending to Devo
These events use the fetchfiles query that the DevoFetchFilesPack pack adds by default, so if the DevoFetchFilesPack pack is enabled, nothing else needs to be changed.
Data access
By default, the content of the files is ingested line by line into Devo under box.devo_ea.files.iis.
The events can also be seen in the parent table, box.devo_ea.files.
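The W3C format selected in the "IIS logs" steps above writes directive lines (#Software, #Version, #Date, #Fields) ahead of the entries, and the #Fields directive defines the column order of every entry that follows it; empty values are written as "-", spaces inside a value are replaced with "+", and time-taken is in milliseconds. Since the "Data access" section notes that the files are ingested line by line, whatever consumes the events has to carry the most recent #Fields header forward to interpret each entry. The following parser is an added example, not code from the Devo documentation or the Devo Endpoint Agent; the log sample is constructed, the field list is the default W3C set of a current IIS, and the mid-file #Fields change stands in for an administrator changing the selected fields, which IIS records by emitting a fresh directive block.

```python
"""Stateful line-by-line parser for IIS W3C extended log files.

Added example for the Devo "Enable Windows IIS Logs" page; not part of the
page or of the Devo Endpoint Agent. The sample log below is constructed.
"""
from typing import Dict, List, Optional

# Constructed sample: default W3C field set, then a second #Fields directive
# with a reduced field set (IIS re-emits the directive block when the selected
# fields change or the file rolls over).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 12
2024-01-15 00:00:02 10.0.0.5 GET /admin/ - 443 - 203.0.113.10 Mozilla/5.0 - 401 2 5 3
2024-01-15 00:00:03 10.0.0.5 POST /login.aspx - 443 alice 198.51.100.7 curl/8.0 https://example.test/ 302 0 0 45
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2024-01-15 00:00:04 203.0.113.10 GET /admin/ 403 2
2024-01-15 00:00:05 198.51.100.7 GET /api/items 500 812
"""

# Fields that are always numeric in the W3C format; everything else stays text.
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


class W3CLogParser:
    """Feed one line at a time; remembers the latest #Fields header."""

    def __init__(self) -> None:
        self.fields: Optional[List[str]] = None
        # Entries that arrived before any #Fields directive, or whose column
        # count does not match the current header, are counted rather than
        # silently mis-mapped to the wrong field names.
        self.skipped = 0

    def feed(self, line: str) -> Optional[Dict[str, object]]:
        line = line.rstrip("\r\n")
        if not line:
            return None
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                self.fields = line[len("#Fields:"):].split()
            return None  # #Software, #Version, #Date carry no entry data
        if self.fields is None:
            self.skipped += 1
            return None
        # IIS replaces spaces inside values with "+", so a plain split is safe.
        values = line.split(" ")
        if len(values) != len(self.fields):
            self.skipped += 1
            return None
        entry: Dict[str, object] = {}
        for name, raw in zip(self.fields, values):
            if raw == "-":
                entry[name] = None  # W3C marker for "no value"
            elif name in INT_FIELDS:
                entry[name] = int(raw)
            else:
                entry[name] = raw
        return entry


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse a whole file (or any run of lines) with one parser instance."""
    parser = W3CLogParser()
    parsed = (parser.feed(line) for line in text.splitlines())
    return [entry for entry in parsed if entry is not None]


def error_counts_by_client(entries: List[Dict[str, object]]) -> Dict[str, int]:
    """Count 4xx/5xx responses per client IP, a simple triage view of the log."""
    counts: Dict[str, int] = {}
    for entry in entries:
        status = entry.get("sc-status")
        if isinstance(status, int) and status >= 400:
            client = str(entry.get("c-ip") or "unknown")
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(events)} entries parsed")
    for client, count in sorted(error_counts_by_client(events).items()):
        print(f"{client}: {count} error responses")
```

Because the parser keeps the header as state, it can be applied to lines arriving one at a time, which matches line-by-line ingestion; the skipped counter makes it visible when entries were received without a header, for example when a collector starts in the middle of a file.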