Accenture MDR Quick Start Guide for Amazon Web Services (AWS) Microsoft Internet Information Services (IIS)

This quick start guide will help Accenture MDR customers configure AWS MS IIS to collect logs to the Log collection Platform (LCP).

This document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

             Source

     Destination

      Port

    Description

LCP

CloudWatch

443 (TCP)

Default port

Configuring AWS MS IIS

Pre-requisites:

An AWS account that you can sign in to.

A user who's a Global Administrator or AWS EC2, System Manager, CloudWatch, IAM Administrator.

 

Device Configuration Steps:

Configure Microsoft IIS on Windows Server 2012 and 2016.

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. In the Internet Information Services (IIS) Manager window, right-click on Sites, then select Web Site you want to monitor.

3. In the Home pane, click Logging.

4. In the Log File area in the Logging pane, select W3C in the Format drop-down list.

5. In the Log File area in the Logging pane, click Select Fields.

6. In the W3C Logging Fields dialog, click to select all fields, then click OK.

7. Perform an IIS reset after this.

 

Configure CloudWatch Agent to collect logs from the EC2 Windows instances.

  1. Setup IAM instance profile roles for system Manager.

    1. Create IAM Role.

b. Attach all the policies displayed in below image and save the Role.

c. Attach the Role created to IIS Windows EC2 server.

 

2. To install Cloud Watch Agent on Windows server

a. Navigate to AWS Systems Manager > Run Command 

b. Select AWS-ConfigureAWSPackage

c. Add AmazonCloudWatchAgent as a Name in Command Parameter.

d. Select target Windows machine(s) where you want to install AWS CloudWatch Agent.

e. Scroll down and click on Run.

f. Once the command get executed. Select the instance id and view the output. There should not be any error in output.

3. Creating Configurations file and saving it to AWS Systems Parameter Store

a. Go to IIS EC2 windows machine and there should be "C:\Program Files\Amazon\AmazonCloudWatchAgent" directory present on machine.

b. Open command prompt, run amazon-cloudwatch-agent-config-wizard.exe file and provide parameters as shown in below snapshots.

c. Provide the response to every query asked on the config_wizard as shown in below screenshots.

d. In case of IIS, MxDR supports u_ex*log file so provide Log file path and provide appropriate Log group name as well.

4. Once Done , the Systems Manager Parameter store can be checked for the newly created configuration file with the parameters provided as an input.

a. Navigate to AWS Systems Manager > Parameter Store

b. Copy the newly created Parameter Store name.

5. Start the Agent while pointing to the configuration file using AWS Systems Manager

a. In order to start the newly configured Cloud Watch Agents on the instances ,we need to use Run Command.

b. Navigate to AWS Systems Manager > Run Command

c. Navigate to next Page and Search for the specific Command using the search Box.

d. Search for  "AmazonCloudWatch-ManageAgent"

e. Specify the name of newly created Parameter Store Configuration file.

f. Select target (EC2 IIS Windows Machine) where you want run the command. Scroll down and click on Run

g. Used by default Values i.e timeout time is kept 600 Seconds

h. Keep Rate Control as default

i. We are not sending any events to S3 bucket for now. Keep it unchecked.

j. SNS Notifications are not enabled and once enabled can be configured with the details of the SNS. Keep it unchecked.

k. AWS command line interface command has not been altered and default value is utilized.

l. Once complete with all the above configurations > Click on RUN > Systems manager will Start the CloudWatch Agent on the instance and the log Flow will start.

6. Navigate to CloudWatch > Logs to see the logs getting collected. The newly created Log Groups will automatically be created once the logs are getting shipped through the instance by the agents.

7. Please refer below page to check required IAM user policies.

Accenture MDR Quick Start Guide in Configuring IAM User and KMS Key Policies

8. Below are the URL details which we need to allow for connectivity (Please identify URLs by referring AWS document according to your services and regions):

IAM: For any logging source IAM URL should be allowed

https://docs.aws.amazon.com/general/latest/gr/iam-service.html

Cloudwatch: For cloudwatch logging source, cloudwatch URL should be allowed.

https://docs.aws.amazon.com/general/latest/gr/cwl_region.html

LCP Configuration Parameters

MxDR supports log collection using role based access control (RBAC) or access key ID and secret method.

Table 1-2: AWS MS IIS event collector (API - 3900) properties to be configured by MDR are given in the table.

Property

Access Key and Secret

RBAC

Property

Access Key and Secret

RBAC

Region

Enter region (Eg: us-west-2)

Enter region (Eg: us-west-2)

AWS Access Key ID Or Role ARN

Enter Access Key

Provide Role ARN

AWS Secret Access Key Or External ID

Enter Secret

Enter external ID

Logging Source

Cloudwatch

Cloudwatch

S3 Bucket/Log Group(s)/SQS Queue URL

Provide cloudwatch log group

Provide cloudwatch log group

Bucket Prefix Path(s)

Leave Empty

Leave Empty

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.