
IIS parser will not parse all IIS information

Question asked by RSA Admin Employee on Dec 14, 2014
Latest reply on Dec 17, 2014 by Sean Koniarz

Hi,

I'm working with SA 10.3 and I have multiple IIS sites whose logs I'm transferring to SA using the SFTP agent.

The problem I'm facing is that most of the logs are not parsing in SA.

For example, the following log:

%IIS-4-: date="2014-12-14",time="06:17:09",s-ip="192.168.121.30",cs-method="GET",cs-uri-stem="/",cs-uri-query="-",s-port="444",cs-username="-",c-ip="192.168.121.252",cs(User-Agent)="-",sc-status="200",sc-substatus="0",sc-win32-status="0",time-taken="31",

SA will not parse the web page and only shows me the information inside the msg container:

sessionid=11000751318
time=2014-12-14T08:19:35.0
size=322
lc.cid="hostname***"
forward.ip=127.0.0.1
device.ip=192.168.121.30
medium=32
device.type="microsoftiis"
device.class="Web Logs"
header.id="0001"
ip.dst=192.168.121.30
ip.dstport=444
ip.src=192.168.121.252
result.code="200"
result="0"
event.time=2014-12-14 06:17:09.000
msg="date="2014-12-14",time="06:17:09",s-ip="192.168.121.30",cs-method="GET",cs-uri-stem="/",cs-uri-query="-",s-port="444",cs-username="-",c-ip="192.168.121.252",cs(User-Agent)="-",sc-status="200",sc-substatus="0",sc-win32-status="0",time-taken="31","
level=6
msg.id="GET"
event.cat.name="Content.Web Traffic"

I followed the documentation here: http://sadocs.emc.com/@api/deki/files/40485/Microsoft_IIS.pdf

Does anyone know how I can fix this?
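The event quoted in the question is a key="value" rendering of the IIS W3C fields. As an added example (not RSA's parser and not code from the post), the Python below splits such a line into its fields, maps the ones SA did populate to the meta keys visible in the output, and lists which fields would otherwise stay buried inside msg; the meta names url, query, user.dst, user.agent and duration are assumptions, not SA's real keys.

```python
import re
from datetime import datetime

# Constructed sample: the event from the question, as delivered by the SFTP agent.
SAMPLE_EVENT = ('%IIS-4-: date="2014-12-14",time="06:17:09",s-ip="192.168.121.30",'
                'cs-method="GET",cs-uri-stem="/",cs-uri-query="-",s-port="444",'
                'cs-username="-",c-ip="192.168.121.252",cs(User-Agent)="-",'
                'sc-status="200",sc-substatus="0",sc-win32-status="0",time-taken="31",')

# key="value" pairs; the key may contain parentheses, as in cs(User-Agent).
_PAIR_RE = re.compile(r'([A-Za-z0-9_()\-]+)="([^"]*)"')

FIELD_MAP = {
    # Mappings observed in the question's meta output.
    's-ip': 'ip.dst', 'c-ip': 'ip.src', 's-port': 'ip.dstport',
    'sc-status': 'result.code', 'cs-method': 'msg.id',
    # Assumed meta names (not in the post) for the fields SA left inside msg.
    'cs-uri-stem': 'url', 'cs-uri-query': 'query', 'cs-username': 'user.dst',
    'cs(User-Agent)': 'user.agent', 'time-taken': 'duration',
}

def split_header(event):
    """Separate the '%IIS-4-' prefix the agent prepends from the field body."""
    header, sep, body = event.partition(': ')
    if not sep or not header.startswith('%IIS-'):
        raise ValueError('not an IIS event from the SFTP agent')
    return header, body

def parse_iis_event(event):
    """Return a dict of meta keys for one event; '-' means 'no value' in W3C logs."""
    header, body = split_header(event)
    raw = dict(_PAIR_RE.findall(body))
    meta = {'header': header}
    for field, value in raw.items():
        key = FIELD_MAP.get(field)
        if key is not None and value != '-':
            meta[key] = value
    if 'ip.dstport' in meta:
        meta['ip.dstport'] = int(meta['ip.dstport'])
    if 'date' in raw and 'time' in raw:   # SA combined these into event.time
        meta['event.time'] = datetime.strptime(
            raw['date'] + ' ' + raw['time'], '%Y-%m-%d %H:%M:%S')
    return meta

def unparsed_fields(event):
    """Fields present in the log line that no mapping covers (they stay in msg)."""
    _, body = split_header(event)
    return [k for k, _ in _PAIR_RE.findall(body)
            if k not in FIELD_MAP and k not in ('date', 'time')]
```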
