iis-logs Log Parser

Installation

cscli parsers install crowdsecurity/iis-logs

Description

Parser for IIS default W3C logs.

Log file and event log are both supported.

YAML Configuration

1filter: "evt.Parsed.program == 'iis'"
2onsuccess: next_stage
3name: crowdsecurity/iis-logs
4description: "Parse IIS access logs"
5nodes:
6  #W3C logs can come from the event log
7  - filter: "evt.Meta.datasource_type == 'wineventlog' and evt.Parsed.EventID == '6200'"
8    statics:
9        - meta: source_ip
10          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='c-ip']") 
11        - meta: http_status
12          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='sc-status']")
13        - parsed: http_path
14          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='cs-uri-stem']")
15        - meta: http_path
16          expression: evt.Parsed.http_path
17        - target: evt.Parsed.http_args
18          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='cs-uri-query']")
19        - parsed: verb
20          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='cs-method']")
21        - meta: http_verb
22          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='cs-method']")
23        - meta: http_user_agent
24          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='csUser-Agent']")
25        - meta: target_fqdn
26          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='s-sitename']") #not a FQDN, but close enough ?
27        - target: evt.StrTime
28          expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='date']") + " " + XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='time']")
29        - target: evt.Parsed.request
30          expression: evt.Meta.http_path + '?' + evt.Parsed.http_args
31  - filter: "evt.Parsed.datasource_type != 'wineventlog'"
32    grok:
33      pattern: "%{TIMESTAMP_ISO8601:date} %{IP:server_ip} %{WORD:http_method} %{DATA:http_path} %{DATA:http_args} %{INT} %{DATA:remote_user} %{IP:client_ip} %{DATA:user_agent} %{DATA:referer} %{INT:status} %{INT:substatus} %{INT:win32_status} %{INT:duration}"
34      apply_on: message
35    statics:
36      - target: evt.StrTime
37        expression: evt.Parsed.date
38      - meta: source_ip
39        expression: evt.Parsed.client_ip
40      - meta: http_status
41        expression: evt.Parsed.status
42      - meta: http_path
43        expression: evt.Parsed.http_path
44      - meta: http_user_agent
45        expression: evt.Parsed.user_agent
46      - meta: http_verb
47        expression: evt.Parsed.method
48      - parsed: verb
49        expression: evt.Parsed.method
50      - target: evt.Parsed.request
51        expression: evt.Meta.http_path + '?' + evt.Parsed.http_args
52
53statics:
54  - meta: service
55    value: http
56  - meta: log_type
57    value: http_access-log

Hub configuration

« iis-logs »
v0.4 by crowdsecurity
Log parser

Hub configuration

« iis-logs »v0.4 by crowdsecurityLog parser

« iis-logs »
v0.4 by crowdsecurity
Log parser