The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Microsoft IIS (Internet Information Services) is a flexible, secure, and manageable web server developed by Microsoft for hosting websites, web applications, and services on Windows. It supports HTTP, HTTPS, FTP, FTPS, and more, and integrates tightly with ASP.NET, Windows authentication, and the broader Windows Server ecosystem.

Supported Versions

  • Microsoft IIS 10, W3C Log format

  • Microsoft IIS 8, W3C Log format

Hint: This pack supports two formats for access logs. The Default W3C fields and all W3C fields in the default order.

Warning: Custom formats are not supported.

Requirements

  • Graylog 6.1.0+

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Microsoft IIS Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Microsoft IIS Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

This pack parses logs from the following sources:

  • Filebeat

Filebeat Configuration

  1. Refer to the official documentation to set up Graylog Sidecar for Filebeat.

  2. Create a matching Beats input in Graylog.

  3. Ensure that the option Do not add Beats type as prefix is disabled.

  4. Create an API access token and custom Windows Filebeat collector.

  5. Configure the collector to ship messages to Graylog (select the right path). The Filebeat input must add the field event_source_product: microsoft_iis for the parser to identify the log source as Microsoft IIS.

  6. The option fields_under_root must be set to true for message identification to work. See the following example:

    Copy 
    filebeat.inputs:
    - type: log
    enabled: true
    paths:
    - C:\inetpub\logs\LogFiles\W3SVC1\*.log
    fields:
    event_source_product: microsoft_iis
    fields_under_root: true

  7. Adjust the file path in the configuration file if needed.

  8. Install Graylog Sidecar on the client host.

  9. Edit the Graylog Sidecar client configuration with your Graylog server API URL and API access token.

Log Format Example

These are example logs for Microsoft IIS in W3C log format.

W3C default Logs

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken 2025-07-22 16:04:35 ::1 GET / - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 - 200 0 0 1127 2025-07-22 16:04:35 ::1 GET /iisstart.png - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 http://localhost/ 200 0 0 14 2025-07-22 16:04:35 ::1 GET /favicon.ico - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 http://localhost/ 404 0 2 7

W3C all fields selected

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken 2025-07-22 17:08:10 W3SVC1 WIN-I4KO2719DL6 ::1 GET / - 80 - ::1 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 - - localhost 304 0 0 166 780 86

What is Provided

  • Rules to parse, normalize, and enrich Microsoft IIS messages.

Events Processed by This Technology Pack

The content pack supports the following log types. Generic processing will be provided for log types not listed.

  • Access logs

GIM Categorization

GIM categorization is provided for the following messages:

Message Type gim_event_type_code gim_event_category gim_event_class gim_event_subcategory gim_event_type
Access Logs 180200 http protocol http.communication http communication

Message Fields Included in This Pack

General Parsing for Default W3C Format

Field_Name Example_Value Field_Type Description
event_created 2025-07-22 17:08:10 date Date and Time of the event created
source_ip ::1 string Source IP address
http_request_method GET string HTTP method used
http_request_path / string Requested URI path
http_uri_query - string Query string parameters
destination_port 80 long Port on destination
user_name - string Authenticated user name
destination_ip ::1 string Destination IP address
http_user_agent Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 string Client user agent
http_referrer - string HTTP referrer header
http_response_code 200 long HTTP status code
http_sub_status 10 long HTTP substatus code
http_win32_status 20 long Win32 status code
http_response_time 1127 long Time taken to serve request

Extended W3C Field Format

Field_Name Example_Value Field_Type Description
event_created 2025-07-22 17:08:10 date Date and Time of the event created
destination_sitename W3SVC1 string Web server site name
destination_hostname WIN-I4KO2719DL6 string Web server hostname
source_ip ::1 string Source IP address
http_request_method GET string HTTP method used
http_request_path / string Requested path
http_uri_query - string Query string parameters
destination_port 80 long Port on destination host
user_name - string Authenticated user name
destination_ip ::1 string IP of destination
http_version HTTP/1.1 string HTTP protocol version
http_user_agent Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/122.0.0.0+Safari/537.36+Edg/122.0.0.0 string Client user agent
http_cookie - string HTTP cookie header
http_referrer - string Referrer URL
http_host localhost string Target host
http_response_code 304 long HTTP status code
http_sub_status 0 long HTTP substatus code
http_win32_status 0 long Win32 status code
destination_bytes_sent 166 long Bytes sent to client
source_bytes_sent 780 long Bytes received from client
http_response_time 86 long Request duration in ms

Microsoft IIS Content Pack

This spotlight offers a dashboard with 1 tab:

Overview