Skip to main content

Integrating with Microsoft Windows Internet Information Services

  • Updated

Overview

Internet Information Services (IIS) is Microsoft’s extensible web server software for the Windows NT operating system. It provides a modular and extensible platform for hosting websites, services and applications.

Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for IIS. Blumira supports the following Microsoft Windows server operating systems:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012

Blumira provides broad coverage for Windows Server including collecting logs using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Setting Up NXLog for Windows

You will need to first install and configure NXLog on the windows host using these instructions: Integrating with Microsoft Windows Server.

Setting Up IIS Logging

If you are on Windows Server 2012 R2 or newer, you can leverage Poshim to enable log forwarding from the IIS Event Channels. By default, if Poshim sees available IIS event channels, those channels will automatically be added to your configuration.

In addition to using Poshim, you must also configure IIS to stream events to the Windows Event service. Each IIS server will need its logging configuration modified to forward logs to the Windows Event service.

To configure IIS:

  1. Go to your IIS Manager > Server Configuration > Logging.
  2. Ensure Both log file and ETW event is selected.
    Screen_Shot_2022-04-12_at_1.54.25_PM.png
  3. Click Save in the right sidebar menu when you are done.
    Note: This process must be done for each site. You can also change this at the IIS server level which will update each site setting and ensure each new site forwards logs appropriately. 
  4. Restart NXLog from the services console or with the following command:
    net stop nxlog && net start nxlog

Viewing your IIS log data in Report Builder

To view the IIS data that Blumira has received, you can use the Report Builder to run a global report (Load Saved Report) or create your own custom report with these data sources:

  • HTTP Access (Apache/IIS/NginX)
  • HTTP Error (Apache/IIS/NginX)
  • IIS Configuration Events
Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles