
Microsoft IIS Integration

Overview

This integration collects IIS web server logs and HTTP error logs for web attack detection and application monitoring. IIS is commonly used in Korean government agencies and organizations running .NET/ASP.NET applications on Windows Server.

Supported versions: IIS 10 (Windows Server 2016/2019/2022)


Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • Administrator access on the Windows Server
  • NXLog installed on the server (NXLog Community Edition)
  • Network connectivity from the server to the collector on port 514

Configuration

Install NXLog and configure it to forward IIS log files to the KYRA MDR Collector:

<Input iis>
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC*\\*.log"
InputType LineBased
</Input>
<Output syslog>
Module om_udp
Host KYRA_COLLECTOR_IP
Port 514
</Output>
<Route iis_to_syslog>
Path iis => syslog
</Route>

IIS Log Format

IIS uses W3C Extended Log Format by default. Ensure the following fields are enabled in IIS Manager under Logging > Select Fields:

date time s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip cs(User-Agent) cs(Referer) sc-status
sc-substatus sc-win32-status time-taken

HTTP Error Logs

HTTP error logs at C:\Windows\System32\LogFiles\HTTPERR\ are also collected by NXLog for detecting connection-level failures.


Collected Log Types

Log Type                | Security Use                                   | Priority
Access logs (W3C)       | SQL injection, web shell, attack detection     | Critical
HTTP error logs         | Connection failures, malformed requests        | High
Authentication events   | Brute force via Windows Auth (Event 4625)      | High
ASP.NET errors          | Deserialization attacks, ViewState tampering   | Critical
Application pool events | Abnormal app pool recycling                    | Medium
Admin access attempts   | /iisadmin, remote management access            | High
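The following Python script is an added example, not part of the KYRA MDR documentation or the NXLog project. It parses W3C Extended log lines the way a collector has to (reading the #Fields directive to map columns, since IIS rewrites that header whenever the selected field set changes) and then applies a few illustrative checks matching the "Security Use" column above: SQL injection indicators in cs-uri-query, script handlers executed under upload directories, /iisadmin access, and repeated 401 responses from one client. The sample log lines, the indicator patterns and the 401 threshold are constructed for the example and are not KYRA detection rules.

```python
"""Parse IIS W3C Extended log lines and run a few illustrative detection checks.

Added example; not part of the KYRA MDR documentation or NXLog. The sample
log lines below are constructed, not captured from a real server.
"""
import re
from collections import Counter

# Constructed sample. The #Fields directive lists exactly the fields the page
# asks you to enable in IIS Manager (Logging > Select Fields).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 00:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2024-01-01 00:00:02 10.0.0.5 GET /products.aspx id=1'+OR+1=1-- 443 - 203.0.113.10 sqlmap/1.7 - 500 0 0 120
2024-01-01 00:00:03 10.0.0.5 POST /uploads/cmd.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 44
2024-01-01 00:00:04 10.0.0.5 GET /secure/ - 443 - 198.51.100.7 curl/8.0 - 401 2 5 3
2024-01-01 00:00:05 10.0.0.5 GET /secure/ - 443 - 198.51.100.7 curl/8.0 - 401 2 5 3
2024-01-01 00:00:06 10.0.0.5 GET /secure/ - 443 - 198.51.100.7 curl/8.0 - 401 2 5 3
2024-01-01 00:00:07 10.0.0.5 GET /iisadmin/ - 443 - 198.51.100.7 curl/8.0 - 404 0 2 2
"""

# Fields that the W3C format writes as integers ("-" means not available).
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the most recent
    #Fields directive. Lines whose column count does not match are skipped
    rather than mis-assigned."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        for f in INT_FIELDS:
            if f in rec and rec[f] != "-":
                rec[f] = int(rec[f])
        yield rec


# Illustrative indicators (constructed for this example, not vendor rules).
# IIS writes spaces in cs-uri-query as '+', so the patterns use '+' as separator.
SQLI_PATTERNS = re.compile(r"('\+or\+|'\+and\+|union\+select|--|;\+?drop\+)", re.IGNORECASE)
# A script handler served from a content/upload directory: classic web shell location.
WEBSHELL_PATH = re.compile(r"^/(uploads?|images|files|content)/[^/]+\.(aspx?|ashx|asmx)$", re.I)
ADMIN_PATHS = ("/iisadmin",)
AUTH_FAIL_THRESHOLD = 3  # hypothetical: 401s from one client before alerting


def detect(records):
    """Return (rule, client ip, detail) findings in log order, with the
    per-client 401 aggregation appended at the end."""
    findings = []
    auth_failures = Counter()
    for r in records:
        ip = r["c-ip"]
        query = r.get("cs-uri-query", "-")
        if query != "-" and SQLI_PATTERNS.search(query):
            findings.append(("sqli", ip, f"{r['cs-uri-stem']}?{query}"))
        if WEBSHELL_PATH.match(r["cs-uri-stem"]) and r["sc-status"] == 200:
            findings.append(("webshell", ip, f"{r['cs-method']} {r['cs-uri-stem']}"))
        if r["cs-uri-stem"].lower().startswith(ADMIN_PATHS):
            findings.append(("admin_access", ip, r["cs-uri-stem"]))
        if r["sc-status"] == 401:
            auth_failures[ip] += 1
    for ip, n in auth_failures.items():
        if n >= AUTH_FAIL_THRESHOLD:
            findings.append(("auth_bruteforce", ip, f"{n} x 401"))
    return findings


def analyse(text):
    """Parse a W3C log body and return the detection findings."""
    return detect(parse_w3c(text))


if __name__ == "__main__":
    for rule, ip, detail in analyse(SAMPLE_LOG):
        print(f"{rule:16} {ip:15} {detail}")
```

The column-count check matters in practice: if a site's field selection is changed mid-file without the header being rewritten, or a line is truncated during rotation, naive splitting silently shifts values into the wrong fields (for example, a User-Agent landing in sc-status), which breaks every rule downstream.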

Troubleshooting

No Logs Received

  1. Verify IIS logging is enabled in IIS Manager for each site
  2. Check that NXLog service is running: Get-Service nxlog
  3. Confirm the log file path matches your IIS site configuration
  4. Ensure port 514 is open between the server and the collector

Logs Not Parsing

  • Confirm IIS is using W3C Extended format (not IIS or NCSA format)
  • Ensure all recommended fields are selected in the IIS logging configuration

For additional help, contact kyra@seekerslab.com.