Core Infrastructure and Security Blog
Collect IIS logs from multiple locations into Sentinel Log Analytics Workspace.

SantoshPargi
Dec 09, 2024

Internet Information Services (IIS) stores user activity in log files (“IIS logs”). These logs can be useful for many purposes, from simple retention, statistical analysis and site mapping through to security-focused use cases and detections like brute force attacks, detection of code injection, Web shell attacks and more.

The Azure Monitor Agent can collect IIS log files when configured with a data collection rule (DCR), with IIS logs supported as a key input log type. You can find out how to collect log data in the article Collect data with Azure Monitor Agent.

IIS numbers its websites internally and, by default, stores the logs for each site in a folder named after that number. If you’re just using the Default Web Site, that’s ID 1, and the log file folder defaults to C:\InetPub\logs\LogFiles\W3SVC1. The Azure Monitor Agent (AMA) with a default DCR collects from this location without any extra configuration.

But what if you’re hosting more than just 1 website, and need to collect logs from more than one location, as shown in the picture below?
The default configuration for the DCR won’t cover those logs, so to configure our Azure Monitor Agent to pick up more locations, we can edit the DCR to add more.

We’re going to use the existing rule as our template to add more folders. Here’s how:

  • In the Azure Portal, find and open the DCR object for the IIS logs.
      o   You can type its name directly into the Search box at the top, if you know it (or a portion of it).
      o   Or type ‘Data Collection Rules’ and open that page to see a full list.
  • Click on Export template.
  • Uncheck the Include parameters box.
      o   Note: Timing can be tricky - you should be left with a page which lists Parameters (0).
  • Click on Deploy.
  • Click on Edit Template.
  • Add the additional IIS log folder locations under the iisLogs logDirectories section, as shown below.
      o   Remember we’re using JSON array syntax, so each entry except the last needs to be followed by a comma, e.g.

            "logDirectories": [
                "c:\\one",
                "c:\\two",
                "c:\\three"
            ]

      o   And each backslash in the path needs to be doubled.
  • Click Save when you’ve added your desired folders.
  • Click on Review + create.
  • Click Create.
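As an added example (not the post's own code), the following Python script performs the template edit from the steps above programmatically: it takes an exported DCR template, appends new folders to the iisLogs logDirectories array, rejects paths that are not absolute Windows paths, skips case-insensitive duplicates, and serializes the result so that every backslash comes out doubled as the portal expects. The sample template is constructed to resemble the portal export; the stream name Microsoft-W3CIISLog, the resource type and the default log root are assumptions.

```python
import json
import re

# Constructed sample: a minimal exported DCR template listing only the Default Web Site.
# Only dataSources.iisLogs[].logDirectories is what the post edits; the rest is assumed.
EXPORTED_TEMPLATE = {
    "parameters": {},  # "Parameters (0)" after unchecking Include parameters
    "resources": [{
        "type": "Microsoft.Insights/dataCollectionRules",
        "name": "dcr-iis-logs",
        "properties": {"dataSources": {"iisLogs": [{
            "name": "iisLogsDataSource",
            "streams": ["Microsoft-W3CIISLog"],
            "logDirectories": ["C:\\inetpub\\logs\\LogFiles\\W3SVC1"],
        }]}},
    }],
}

# Drive letter, colon, backslash, then no characters NTFS forbids in a path.
_WIN_ABS = re.compile(r'^[A-Za-z]:\\[^<>"|?*\n]*$')


def w3svc_log_dir(site_id, root="C:\\inetpub\\logs\\LogFiles"):
    """Default IIS log folder for a site ID: <root>\\W3SVC<id> (root is an assumption)."""
    return f"{root}\\W3SVC{int(site_id)}"


def add_iis_log_directories(template, directories):
    """Return a copy of the template whose iisLogs data source also lists `directories`.
    Duplicates are skipped case-insensitively because Windows paths are case-insensitive."""
    tpl = json.loads(json.dumps(template))  # deep copy; caller's dict is left untouched
    for res in tpl["resources"]:
        if res.get("type", "").lower() != "microsoft.insights/datacollectionrules":
            continue
        for source in res["properties"]["dataSources"]["iisLogs"]:
            existing = source.setdefault("logDirectories", [])
            seen = {p.lower() for p in existing}
            for path in directories:
                if not _WIN_ABS.match(path):
                    raise ValueError(f"not an absolute Windows path: {path!r}")
                if path.lower() not in seen:
                    existing.append(path)
                    seen.add(path.lower())
    return tpl


def render(template):
    """Serialize for pasting into Edit Template; json.dumps doubles each backslash."""
    return json.dumps(template, indent=2)
```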


Finally, when you open the JSON view of the DCR you will see multiple directories added in the IIS logs section.


With this DCR configuration, the Azure Monitor Agent collects logs from multiple IIS directories into the Log Analytics workspace.
