Internet Information Services (IIS) is Microsoft’s web server for the Windows NT family of operating systems. It provides a modular, extensible platform for hosting websites, services and applications.
Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for IIS. Blumira supports the following Microsoft Windows server operating systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
Blumira provides broad coverage for Windows Server including collecting logs using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Setting Up NXLog for Windows
You will need to first install and configure NXLog on the Windows host using these instructions: Integrating with Microsoft Windows Server.
Setting Up IIS Logging
If you are on Windows Server 2012 R2 or newer, you can leverage Poshim to enable log forwarding from the IIS Event Channels. By default, if Poshim sees available IIS event channels, those channels will automatically be added to your configuration.
In addition to using Poshim, you must also configure IIS to write its W3C log entries to Event Tracing for Windows (ETW) as well as to the log file, so that they appear in the IIS event channels that Poshim forwards. Each IIS server will need its logging configuration modified.
To configure IIS:
- Open IIS Manager, select the server node in the Connections pane and open Logging.
- Under Log Event Destination, select Both log file and ETW event.
Click Apply in the Actions pane on the right when you are done.
Note: This process must be done for each site. You can also change this at the IIS server level, which sets the default for every site, including sites created later; sites that already have their own explicit logging setting keep it and must be updated individually.
Restart NXLog from the services console or with the following command:
net stop nxlog && net start nxlog
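The same configuration can be applied and verified from PowerShell, which is easier to repeat across many servers than clicking through IIS Manager on each one. The script below is an added example, not Blumira's or Microsoft's documentation. It assumes IIS 8.5 or newer (Windows Server 2012 R2+), the WebAdministration module, an elevated prompt, that the ETW channel IIS writes to is Microsoft-IIS-Logging/Logs, and that the server answers on http://localhost/ for the test request.

```powershell
# Added example (not from the original page): set "Both log file and ETW event"
# for IIS from PowerShell, verify the setting, enable the IIS ETW channel and
# restart NXLog. Assumes IIS 8.5+ and an elevated prompt.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'

# 1. Server level: siteDefaults applies to every site that has no explicit
#    logTargetW3C of its own, including sites created later.
Set-WebConfigurationProperty -PSPath $appHost `
    -Filter 'system.applicationHost/sites/siteDefaults/logFile' `
    -Name 'logTargetW3C' -Value 'File,ETW'

# 2. Per site: a site-level logTargetW3C overrides the default, so set each
#    existing site explicitly as well.
foreach ($site in Get-Website) {
    Set-WebConfigurationProperty -PSPath $appHost `
        -Filter "system.applicationHost/sites/site[@name='$($site.Name)']/logFile" `
        -Name 'logTargetW3C' -Value 'File,ETW'
}

# 3. Verify: every site should now report File,ETW.
Get-Website | ForEach-Object {
    $logFile = Get-WebConfiguration -PSPath $appHost `
        -Filter "system.applicationHost/sites/site[@name='$($_.Name)']/logFile"
    [pscustomobject]@{ Site = $_.Name; LogTargetW3C = $logFile.logTargetW3C }
} | Format-Table -AutoSize

# 4. The channel IIS writes ETW log events to is disabled on a fresh install;
#    enable it so the entries land in an event channel that Poshim/NXLog can read.
#    (Channel name assumed: Microsoft-IIS-Logging/Logs.)
wevtutil sl Microsoft-IIS-Logging/Logs /e:true

# 5. Generate one request and confirm an event arrived (assumes a site on
#    http://localhost/; a 4xx response still produces a log entry).
Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null
Get-WinEvent -LogName 'Microsoft-IIS-Logging/Logs' -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 6. Restart NXLog so it picks up the now-available IIS channel.
Restart-Service -Name nxlog
```

If step 5 prints nothing, check that the channel is enabled in Event Viewer under Applications and Services Logs > Microsoft > IIS-Logging, and that the site you requested really has logTargetW3C set to File,ETW in the table from step 3.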
Viewing your IIS log data in Report Builder
To view the IIS data that Blumira has received, you can use the Report Builder to run a global report (Load Saved Report) or create your own custom report with these data sources:
- HTTP Access (Apache/IIS/NginX)
- HTTP Error (Apache/IIS/NginX)
- IIS Configuration Events