One of the building blocks of system and network monitoring is watching the logs. IIS logs are one of the best places to keep track of access and availability of your web apps, but by default don’t really give you any actionable information for security.
Let’s walk through how to enable some of this helpful info to be logged, first open the IIS manger and go into logging for the server.
note: this is on Server 2016, but any OS with at least IIS 8.0 should be able to handle the changes below.
Next, we’ll be going into the Select Fields windows; this is a good time to note the actual log locations and rollover schedule.
Now you’ll see a window with only the default fields selected. Here’s a screenshot of a standard config I run and you’ll notice the highlighted fields that aren’t captured by default and the custom fields below which give us SSL/TLS information.
Service Name: this is the name of the site and the name of the log file
Server Name: the actual hostname of the server
Bytes Sent: Bytes sent to the client for the full request
Bytes Received: Bytes received from the client for the full request
Protocol Version: HTTP/1.1 or HTTP/2
Host: The actual web address used (from the headers)
crypt-protocol: Hex value of the SSL/TLS Version (MS Reference)
crypt-cipher: Cipher Algorithm (128/256-bit AES, etc.) (MS Reference)
crypt-hash: Hash Algorithm (MD5, SHA-1, etc.) (MS Reference)
crypt-keyexchange: Key Exchange (Diffie-Hellman, etc.) (MS Reference)
Once these fields are standard on your servers (anything serving IIS really) you can pull them into ELK, Graylog, Splunk, etc. and visualize, trend, and alert from there.