I am looking for a method that would allow us to forward the IIS Advanced Logging logs to a centralized log source via syslog or something similar. We are able to perform this currently for the regular IIS logs with Snare; however it does not work the same for IIS Advanced Logging.
The default file path is different for IIS Advanced Logging (%SystemDrive%\inetpub\logs\AdvancedLogs) and it appears that the file names are based upon the UTC time, see here, and not the local date and time that you can specify with regular logging. This also creates an issue for developing some type of wildcard rule if we wanted to test this with Snare. Any ideas are welcome.
logparser has the ability to insert into syslog
Type `logparser -h -o:SYSLOG` for the output-format help.
Wrap it in a batch file or PowerShell script. That is one option.
Examples:
Send error entries in the IIS log to a SYSLOG server:
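One way to wrap that up for the Advanced Logging directory, as an added example that is not part of the answer above. It assumes Log Parser 2.2's logparser.exe is on the PATH, that the Advanced Logging files are W3C extended format (so the generic -i:W3C parser reads whatever field set was configured), and that the syslog collector name, port and checkpoint path below are placeholders. Because the run is driven by a checkpoint file rather than by a date wildcard in the file name, the UTC-based naming the question mentions stops mattering: every file under the directory is scanned, but only lines added since the previous run are forwarded.

```powershell
# Added example (not from the original answer): ship new IIS Advanced Logging
# lines to a syslog server with Log Parser 2.2, suitable for a scheduled task.
# Assumptions: logparser.exe on PATH; logs are W3C extended format; the syslog
# host:port below is a placeholder; field names in any WHERE clause must match
# the fields configured in Advanced Logging (they are site-configurable).
param(
    [string]$LogDir     = (Join-Path $env:SystemDrive 'inetpub\logs\AdvancedLogs'),
    [string]$SyslogHost = 'syslog.example.internal:514',                  # assumed collector
    [string]$Checkpoint = (Join-Path $env:ProgramData 'advlog-syslog.lpc'), # assumed path
    [string]$Where      = ''   # e.g. 'WHERE sc-status >= 400' if that field is logged
)

if (-not (Test-Path $LogDir)) {
    Write-Error "Advanced Logging directory not found: $LogDir"
    exit 1
}

# Log Parser refuses to run if the checkpoint's parent directory does not exist.
$ckDir = Split-Path $Checkpoint -Parent
if (-not (Test-Path $ckDir)) { New-Item -ItemType Directory -Path $ckDir | Out-Null }

# Scan every .log file under the directory (Advanced Logging creates one
# sub-folder per site); the UTC-based file names never need to be matched.
$pattern = Join-Path $LogDir '*.log'
$query   = "SELECT * INTO @$SyslogHost FROM $pattern $Where"

# -iCheckpoint stores the byte offset already read for each file, so repeated
# runs forward only the lines appended since the last run; a brand-new file
# (new UTC day) is picked up automatically because it has no recorded offset.
# -recurse:-1 walks all sub-folders; facility/severity tag the syslog header.
& logparser.exe $query `
    -i:W3C -recurse:-1 -iCheckpoint:"$Checkpoint" `
    -o:SYSLOG -protocol:UDP -facility:LOCAL0 -severity:INFO -hostName:$env:COMPUTERNAME

if ($LASTEXITCODE -ne 0) {
    Write-Error "logparser.exe exited with code $LASTEXITCODE"
    exit $LASTEXITCODE
}
```

Run it once by hand to confirm the collector receives records, then schedule it every few minutes; the first run ships the full history of every file, so if that is unwanted, run it once with the collector address pointed at a sink, or pre-create the checkpoint by running with `-o:NULL` first. Delete the checkpoint file to force a full resend. Switch `-protocol:UDP` to TCP if the collector supports it, since UDP syslog drops silently under load.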
Have you looked at Snare for collecting and forwarding logs to syslog? I haven't looked for a while but, at one time, they had support for file-based logs (i.e. polling the IIS log files), as well as direct support for IIS and even Windows Event Logs.