Accenture MDR Quick Start Guide for Microsoft Internet Information Services (Generic TCP)

This quick start guide will help Accenture Security customers configure Microsoft IIS TCP to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

  • Supported Versions

  • Port Requirements

  • Configuring Microsoft IIS

  • LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source          Destination   Port                        Description
Microsoft IIS   LCP           10014 (TCP with TLS) or     Default port
                              10013 (TCP with Non-TLS)

Configuring Microsoft IIS

Microsoft IIS stores its events in log files. Accenture Security MDR provides the three log collection options below, depending on which syslog agent is installed: NxLog, Epilog, or Syslog-ng.

Configure Microsoft IIS on Windows Server 2012 and 2016

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

  2. In the Internet Information Services (IIS) Manager window, right-click Sites, then click the web site you want to monitor.

  3. In the Home pane, click Logging.

  4. In the Log File area of the Logging pane, select W3C from the Format drop-down list.

  5. In the Log File area of the Logging pane, click Select Fields.

  6. In the W3C Logging Fields dialog, select all fields, then click OK.

  7. (Optional) To record the real client IP in the IIS hit logs for servers behind a load balancer, create a new custom field with Field Name = Source-IP, Source Type = Request Header, and Source = X-FORWARDED-FOR.

  8. Perform an IIS reset. The IIS logs will now show the IP address of the client PCs rather than the IP address of the load balancer.
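
Steps 4 to 8 above as a PowerShell script, an example added here rather than taken from the guide. It assumes the WebAdministration module that ships with IIS and a site named in $SiteName (both the variable names and the site name are mine); custom logging fields exist only on IIS 8.5 and later.

```powershell
# Added example, not part of the Accenture guide: applies steps 4 to 8 with the
# WebAdministration module instead of clicking through IIS Manager.
# Assumptions: the site is named in $SiteName; custom logging fields need IIS 8.5 or later.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: replace with the web site you want to monitor
$PsPath   = 'MACHINE/WEBROOT/APPHOST'
$LogFile  = "system.applicationHost/sites/site[@name='$SiteName']/logFile"

# Step 4: W3C log format (per-site setting, stored in applicationHost.config)
Set-WebConfigurationProperty -PSPath $PsPath -Filter $LogFile -Name logFormat -Value 'W3C'

# Step 6: select every standard W3C field (equivalent to "select all" in the dialog)
$AllFields = 'Date,Time,ClientIP,UserName,SiteName,ComputerName,ServerIP,Method,UriStem,' +
             'UriQuery,HttpStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,' +
             'UserAgent,Cookie,Referer,ProtocolVersion,Host,HttpSubStatus'
Set-WebConfigurationProperty -PSPath $PsPath -Filter $LogFile -Name logExtFileFlags -Value $AllFields

# Step 7 (optional): log the X-FORWARDED-FOR request header as a custom field named Source-IP
$Custom = Get-WebConfiguration -PSPath $PsPath -Filter "$LogFile/customFields/add" |
          Where-Object { $_.logFieldName -eq 'Source-IP' }
if (-not $Custom) {
    Add-WebConfigurationProperty -PSPath $PsPath -Filter "$LogFile/customFields" -Name '.' `
        -Value @{ logFieldName = 'Source-IP'; sourceType = 'RequestHeader'; sourceName = 'X-FORWARDED-FOR' }
}

# Step 8: restart IIS so the new #Fields header is written to the next log file
iisreset

# Verify what was applied
Get-WebConfigurationProperty -PSPath $PsPath -Filter $LogFile -Name logFormat
Get-WebConfigurationProperty -PSPath $PsPath -Filter $LogFile -Name logExtFileFlags
Get-WebConfiguration -PSPath $PsPath -Filter "$LogFile/customFields/add" |
    Select-Object logFieldName, sourceType, sourceName
```

Treat the Source-IP column as reliable only for requests that arrived through your own load balancer, since X-Forwarded-For is a client-supplied header that anything connecting to the server directly can set; the standard c-ip column stays in the log for comparison.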

Log Configuration via Nxlog Agent

To configure the NxLog agent, select one of the options below.

  • Windows NxLog Agent using TCP with Non-TLS

  • Windows NxLog Agent using TCP with TLS

Steps to configure Windows NxLog Agent for Non-TLS TCP log flow on port 10013

  1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download

  2. Open services.msc and stop the nxlog service.

  3. Navigate to C:\Program Files (x86)\nxlog\data and delete configcache.dat.

  4. For the Windows agent, go to the installed location C:\Program Files (x86)\nxlog\conf.

  5. Copy and paste the attached configuration into the file nxlog.conf and save the file.

  6. In nxlog.conf, replace LCPIP against Host with the actual LCP IP address.

  7. Enter the log file location against File.

Note: For example, the Microsoft IIS log file locations are as follows:

For HTTP - C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log

For FTP - C:\inetpub\logs\LogFiles\FTPSVC*\u_ex*.log

  8. Start the nxlog service from services.msc.

  9. NxLog agent logs are available at C:\Program Files (x86)\nxlog\data\nxlog.log.

Steps to configure Windows NxLog Agent for TLS TCP log flow on port 10014

  1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download

  2. Open services.msc and stop the nxlog service.

Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.

  3. Place the certificate obtained from the MDR onboarding team at your desired location on the DNS server.

  4. Navigate to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.

  5. For the Windows agent, go to the installed location C:\Program Files (x86)\nxlog\conf.

  6. Copy and paste the attached configuration into the file nxlog.conf and save the file.

  7. In nxlog.conf, replace LCP_IP_Address against Host with the actual LCP IP address.

  8. Enter the log file location against File.

Note: For example, the Microsoft IIS log file locations are as follows:

For HTTP - C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log

For FTP - C:\inetpub\logs\LogFiles\FTPSVC*\u_ex*.log

  9. Provide the file location of the CA certificate on the DNS server.

  10. Start the nxlog service from services.msc.

  11. NxLog agent logs are available at C:\Program Files (x86)\nxlog\data\nxlog.log.
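
The two NxLog procedures above (Non-TLS on port 10013 and TLS on port 10014) as one PowerShell script, added here as an example; it is not the configuration attached to the guide. It assumes the default NxLog Community Edition install path used in the guide, takes the LCP address as -LcpIp and, for the TLS flow, the path to the CA certificate from the MDR onboarding team as -CaFile (both parameter names are mine).

```powershell
# Added example, not the configuration attached to the guide: automates the NxLog steps
# (stop service, delete configcache.dat, write nxlog.conf, start service) for either flow.
# Assumptions: default NxLog CE install path; -LcpIp is the LCP address; pass -CaFile
# (the CA certificate from the MDR onboarding team) to use the TLS flow on port 10014.
param(
    [Parameter(Mandatory)][string]$LcpIp,
    [string]$CaFile
)
$NxRoot = 'C:\Program Files (x86)\nxlog'
if ($CaFile) {
    # TLS flow: om_ssl on 10014, LCP certificate verified against the provided CA file
    $Output = "    Module  om_ssl`n    Host    LCPIP`n    Port    10014`n" +
              "    CAFile  $CaFile`n    AllowUntrusted FALSE"
} else {
    # Non-TLS flow: plain om_tcp on 10013
    $Output = "    Module  om_tcp`n    Host    LCPIP`n    Port    10013"
}
# Single-quoted here-string so %ROOT% and backslashes are written literally.
# For FTP logs add a second im_file input on C:\inetpub\logs\LogFiles\FTPSVC*\u_ex*.log.
$Conf = @'
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Input iis_http>
    Module  im_file
    File    'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log'
    SavePos TRUE
</Input>

<Output lcp>
OUTPUT_BLOCK
</Output>

<Route iis_to_lcp>
    Path    iis_http => lcp
</Route>
'@
Stop-Service -Name nxlog -Force
Remove-Item -Path "$NxRoot\data\configcache.dat" -ErrorAction SilentlyContinue
$Conf.Replace('OUTPUT_BLOCK', $Output).Replace('LCPIP', $LcpIp) |
    Set-Content -Path "$NxRoot\conf\nxlog.conf" -Encoding ASCII
Start-Service -Name nxlog
# Steps 9/11: the agent's own log shows whether it connected to the LCP
Get-Content -Path "$NxRoot\data\nxlog.log" -Tail 20
```

With AllowUntrusted FALSE the agent refuses to send if the LCP certificate does not chain to the CA file, so a TLS handshake failure in nxlog.log points at the certificate rather than at the log path.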

Log Configuration via Epilog Agent (Version 5.4.1 Onwards)

To collect logs from the Epilog agent, follow the steps below.

To collect HTTP and FTP logs

  1. Log in to the Epilog agent web interface.

  2. Go to Log Configuration > Add.

  3. Do the following:

  • From the Select the Log Type drop-down list, select Custom Event Log and type Epilog-IISWebLog in the next text box.

  • In the Multi-Line Format section, select the Single line only option.

  • Select the Send Comments check box.

  • In the Log File or Directory text box, type the FTP log file directory where Microsoft IIS stores the logs.

  • In the Log Name Format text box, type the exact log file format.

Note: Use u_ex%.log if the log file name starts with u_ex. Use ex%.log if the log file name starts with ex.

  4. Click Change Configuration.

Destination Configuration

  1. Navigate to the Network Configuration section.

  2. In Network Destination, enter the LCP details in the Domain/IP fields.

  3. Enter 10013 as the Port.

  4. Select TCP as the Protocol.

  5. Select SYSLOG (RFC3164) as the Format.

  6. Select Space [ ] as the Delimiter Character.

  7. To save your configuration, click Update Destinations.

  8. In the left-menu pane, select the Apply Configuration and Restart Service section.

Log Configuration via Syslog-ng Agent (Version 5.4.1 Onwards)

Collect FTP logging

  1. Go to Syslog-ng Agent Settings > Eventlog Sources.

  2. In Settings, select the Disable check box. This prevents syslog-ng from forwarding Windows event logs (recommended).

  3. In File Sources, go to Sources and select the Enable check box.

  • Go to Add.

  • In File Source Property, in the Base Directory text box, browse to the directory where MS-IIS stores its FTP log files.

  • From the File Name Filter drop-down list, select the file that must be monitored.

  • In the Application Name text box, type MSIISFTP and click OK to save the configuration.

Configure HTTP logging:

  1. Go to Syslog-ng Agent Settings > Eventlog Sources.

  2. In Settings, select the Disable check box. This prevents syslog-ng from forwarding Windows event logs (recommended).

  3. In File Sources, go to Sources and select the Enable check box.

  4. Go to Add.

  • In File Source Property, in the Base Directory text box, browse to the directory where MS-IIS stores its HTTP log files.

  • From the File Name Filter drop-down list, select the file that must be monitored.

  5. In the Application Name text box, type MSIISHTTP and click OK to save the configuration.

Add Destination Configuration

  1. Right-click Destinations and click Add New Server.

  2. In the Server tab, click Enable Flow Control.

  3. Enter the IP address of the LCP in Server Name or Address (IPv4).

  4. Enter 10013 as the Server Port.

  5. Click OK to save the configuration.

  6. Navigate to the Messages tab.

  7. Under the Protocol section, select Legacy BSD Syslog Protocol.

In the Template field, add the text below:

NXLOG|${HOST}|OFFBOX-MSFTWEBIIS-TO-LCP|${FILE_NAME}|::::${MSG}

  8. Click OK to save the configuration.

  9. Start the syslog-ng service.

LCP Configuration Parameters

Table 1-2: The Microsoft IIS TCP event collector (Syslog -3938) properties to be configured by MDR are shown in the table.

Property      Default Value                        Description
Protocol      TCP                                  The default protocol for syslog.
IP Address    Microsoft IIS interface IP address   Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
                                                   Note: If the device sends logs using multiple interfaces, contact the MDR onboarding team.
Port Number   TCP/10013 or TCP/10014               The default port for TCP.
                                                   Note: The LCP can be configured to listen on a non-standard port; advise the Accenture MDR onboarding team if this is a requirement.

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.