Microsoft IIS

Use this document to install and configure the Filebeat agent to send Microsoft IIS logs to Samurai using the Samurai Local Collector deployed in your network.

To complete this Integration you will need to:

  1. Ensure correct network connectivity
  2. Download & Install Filebeat
  3. Configure & Enable Microsoft IIS Logging
  4. Configure & Start Filebeat

Note: This guide assumes a single Samurai Local Collector installation and a single Windows host with Microsoft IIS service(s) enabled and configured.

Ensure correct network connectivity

You must ensure the following connectivity requirements are fulfilled:

| Source | Destination | Ports | Description |
|---|---|---|---|
| Microsoft IIS Host | Samurai Local Collector | TCP/5044 | For log transmission |

Download & Install Filebeat

Perform the steps outlined in Step 1: Install Filebeat as per the vendor documentation.

Note: Make sure to click the Windows tab for OS selection.

Configure & Enable Microsoft IIS Logging

  1. Follow the steps in the vendor documentation for either per-site or per-server configuration, whichever is best suited to your setup:

    1. Configure Logging at the Site Level.
    2. Configure Per-site Logging at the Server Level.
  2. During step 4 in the vendor documentation, select W3C logging format.

  3. Under “Select Fields…”, select all available fields.

  4. Configure a suitable log file path for the logging files according to your system requirements.

  5. During step 6 in the vendor documentation, configure Log File Rollover settings and **Maximum file size (in bytes)** according to your system needs and requirements.

  6. Note down the file path that has been configured; it will be used later in the section Configure & Start Filebeat.

Configure & Start Filebeat

  1. Access the Filebeat installation folder and open and edit the file filebeat.yml.
  2. Modify the template below by replacing the placeholder IP_OF_LOCAL_COLLECTOR with the IP address of the Samurai Local Collector.
  3. Modify the paths section of the template to use the path that was configured for the IIS Web Server log file location in Configure & Enable Microsoft IIS Logging.
    Note: Follow the vendor documentation when configuring the paths section.
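
```yaml
# ============================== Filebeat inputs ===============================
filebeat.inputs:
  - type: filestream
    id: microsoft_iis
    enabled: true
    # Log file location configured in Configure & Enable Microsoft IIS Logging
    paths:
      - 'c:\inetpub\logs\LogFiles\*\*.log'
    # Ship only lines that do not start with '#' (skips W3C directive lines such as #Fields)
    include_lines: ['^[^#].*?$']
    tags: [microsoft_iis]

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # Samurai Local Collector, reached on TCP/5044
  hosts: ["IP_OF_LOCAL_COLLECTOR:5044"]
```
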
  4. Replace the default configuration of filebeat.yml with the modified template and save the file.

  5. Perform the steps outlined in Step 5: Start Filebeat as per the vendor documentation to start the service.

    Note: Make sure to click the Windows tab for OS selection.
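
The following PowerShell pre-flight check is an added example, not part of the original guide or the vendor documentation. It verifies each step above from the IIS host: TCP/5044 reachability, the paths glob, the W3C `#Fields` directive, the effect of the `include_lines` filter, and Filebeat's own config and output tests. The install folder `C:\Program Files\Filebeat` and the service name `filebeat` are assumptions; adjust them to your installation.

```powershell
# Added example: pre-flight checks for the setup above. All values are assumptions to adjust.
$Collector   = 'IP_OF_LOCAL_COLLECTOR'               # same placeholder as in filebeat.yml
$FilebeatDir = 'C:\Program Files\Filebeat'           # assumed Filebeat installation folder
$LogGlob     = 'C:\inetpub\logs\LogFiles\*\*.log'    # value of the template's paths section

# 1. Connectivity requirement: IIS host -> Samurai Local Collector on TCP/5044.
$tcp = Test-NetConnection -ComputerName $Collector -Port 5044 -WarningAction SilentlyContinue
"TCP/5044 reachable: $($tcp.TcpTestSucceeded)"

# 2. The paths glob must match at least one IIS log file.
$logs = @(Get-ChildItem -Path $LogGlob -ErrorAction SilentlyContinue | Sort-Object LastWriteTime)
"Log files matched: $($logs.Count)"

if ($logs.Count -gt 0) {
    $newest = $logs[-1].FullName
    # Read only the head of the newest file; W3C directives are written at the top.
    $head = @(Get-Content -Path $newest -TotalCount 500)

    # 3. W3C format check: the #Fields directive lists the fields selected in IIS Manager.
    $fields = $head | Where-Object { $_ -match '^#Fields:' } | Select-Object -Last 1
    if ($fields) { $fields } else { "No #Fields directive in $newest (is W3C format selected?)" }

    # 4. Same regex as include_lines: lines starting with '#' are not shipped.
    $shipped = @($head | Where-Object { $_ -match '^[^#].*?$' }).Count
    "Of the first $($head.Count) lines: $shipped shipped, $($head.Count - $shipped) not shipped"
}

# 5. Filebeat's own checks: parse filebeat.yml, then connect to the configured Logstash output.
& "$FilebeatDir\filebeat.exe" test config -c "$FilebeatDir\filebeat.yml"
& "$FilebeatDir\filebeat.exe" test output -c "$FilebeatDir\filebeat.yml"

# 6. Service state after Step 5: Start Filebeat (service name is an assumption).
Get-Service -Name filebeat | Select-Object Name, Status
```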

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.