IIS Configuration

I followed the same steps (pipeline rules, adapter, lookup table… reference doc: [How to Set Up Graylog GeoIP Configuration - Graylog]), but why is my IP address private? Can you help?

My UFW log comes in with my private IP. I want the public IP, because the widget doesn't show the red mark.
@mhammady


Hi @er213

  1. You must configure IIS to show you the PUBLIC/REAL IP. This depends on your network configuration, but in most cases, if IIS is behind a firewall or load balancer, it will show you the local IP as the client IP (which you don't need). To resolve this, please follow the instructions in the following document:
    How to use X-Forwarded-For header to log actual client IP address?

  2. You should have the last field in the log showing the public IP of the traffic. You need to add this to your input extractor. In my case, I created a GROK pattern called IIS_w3c and used it inside the extractor as follows:

Grok pattern: IIS_w3c

%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{DATA:serverName} %{IP:local_serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port;int} %{NOTSPACE:username} %{IPORHOST:local_clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response;int} %{NUMBER:subresponse;int} %{NUMBER:win32response;int} %{NUMBER:bytesSent;int} %{NUMBER:bytesReceived;int} %{NUMBER:timetaken;int} %{IP:source_ip}

And now every log entry that has W3SVC1 (from the IIS log) will be segmented into fields. I named the last field source_ip, but you are free to name it as you like and use it later.


Hi @er213

Can you share one line/entry from your most recent IIS log?

Also, I just found that the message you used for testing the GROK pattern is not an IIS log. You need to test your pattern against IIS logs only. You can use this button to load the appropriate message:

[image: screenshot of the button]

Hi @mhammady

It's, e.g., 30 days of logs,

but I don't have new logs, so I can't see whether the grok pattern worked.

Let's forget about Graylog for a second. I think you have a problem with creating the correct IIS log files or sending them. Can you please check the C:\inetpub\logs\LogFiles\W3SVC1 dir (default) and see if you have logs, then share one line of these logs?

@mhammady
This folder is empty.

So, you don't have logs to parse. You need to troubleshoot IIS and make sure that this folder is full of logs; then we can resume how to integrate with Graylog.


@mhammady I've looked into it, but I couldn't do it. Are IIS settings required to show the location on the map? I'm stuck at an impasse. :frowning: I just wanted to show the location on the widget, but I couldn't. :frowning:

Hey @er213

Sorry to hear about your issue. I have a couple of ideas about why your IIS server doesn't have a public address, and perhaps some documentation on setting up logs in IIS.

Since I don't know how you set up this environment, I'm going to assume you created a Windows IIS server. I'm also going to assume you have a DNS server.

Commenting on your first post.

On the IIS server run the command ipconfig. If it shows your private address (192.168.x.x), then I know it's private. Hence you're receiving a private address, not a public one.
An IIS server is a general-purpose [web server] from Microsoft. With some configuration you can collect activity from users logging into your web site and collect IP addresses from there. But this is not a Windows forum :smiley:

NOTE: the next demo is not for an FQDN; I'm just using IP addresses to simplify this.

So that means within your environment you have a private address; THEN, using your firewall, you need to map a routable address to the IIS server.

Firewall routing Example: 172.168.66.11:80 --> 192.168.1.100:80.

If your IIS server is collecting logs from users logging into 172.168.66.11 and then logging them in a log file, you may need to look into this.

A public IP address is a “normal” IP address which has not been assigned for a special purpose.
Those addresses are routable on the public Internet.

A private IP address is defined by RFC 1918. These are the following:

 10.0.0.0        -   10.255.255.255  (10/8 prefix)
 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

Depending on your “end goal” here, what are you trying to achieve? Just a widget with red dots, or monitoring users on a web site?
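The two replies above describe the pieces the original poster needs to check: whether the IIS_w3c GROK pattern from the earlier reply actually splits a W3C line (and that the trailing X-Forwarded-For field is present), and whether the address that ends up in the GeoIP lookup is RFC 1918 private, in which case no red mark can ever appear on the map. The following Python script is an added example, not code from the thread or from Graylog. It translates the posted grok pattern into a Python regex using a hand-written subset of grok's atoms (TIMESTAMP_ISO8601 and IP are simplified to "YYYY-MM-DD HH:MM:SS" and IPv4), parses a constructed sample line, and classifies the extracted addresses against the three RFC 1918 blocks quoted above. The sample line, the server names and the address 203.0.113.45 (a documentation-range address standing in for the X-Forwarded-For value) are all constructed for the example.

```python
import ipaddress
import re

# Subset of grok's built-in atoms, translated to Python regex. Only the atoms
# the IIS_w3c pattern uses are here, and TIMESTAMP_ISO8601 / IP are simplified
# ("YYYY-MM-DD HH:MM:SS" and IPv4 only) compared with grok's own definitions.
GROK_ATOMS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}",
    "WORD": r"\w+",
    "DATA": r".*?",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "IPORHOST": r"[\w.:-]+",
    "URIPATH": r"/[^\s?#]*",
    "NOTSPACE": r"\S+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}

# The IIS_w3c pattern exactly as posted in the thread.
IIS_W3C_GROK = (
    "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{DATA:serverName} "
    "%{IP:local_serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} "
    "%{NUMBER:port;int} %{NOTSPACE:username} %{IPORHOST:local_clientIP} "
    "%{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} "
    "%{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response;int} "
    "%{NUMBER:subresponse;int} %{NUMBER:win32response;int} %{NUMBER:bytesSent;int} "
    "%{NUMBER:bytesReceived;int} %{NUMBER:timetaken;int} %{IP:source_ip}"
)

# The three RFC 1918 blocks quoted in the reply above.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample line (not from a real server): the firewall's inside
# address 192.168.1.5 shows up as c-ip, and the X-Forwarded-For value that IIS
# was configured to log (203.0.113.45, a documentation-range address) is last.
SAMPLE_LINE = (
    "2024-01-15 10:23:45 W3SVC1 WEBSRV01 192.168.1.100 GET /index.html - 80 - "
    "192.168.1.5 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - - example.com "
    "200 0 0 1234 456 15 203.0.113.45"
)


def compile_grok(pattern):
    """Turn %{ATOM:name} / %{ATOM:name;int} into a compiled regex.

    Returns the regex (anchored to the whole line) and the set of field names
    flagged with ';int' so the caller can convert them."""
    int_fields = set()

    def to_group(m):
        atom, name, conv = m.groups()
        if conv == "int":
            int_fields.add(name)
        return f"(?P<{name}>{GROK_ATOMS[atom]})"

    regex = re.sub(r"%\{(\w+):(\w+)(?:;(\w+))?\}", to_group, pattern)
    return re.compile("^" + regex + "$"), int_fields


IIS_W3C_RE, IIS_W3C_INTS = compile_grok(IIS_W3C_GROK)


def parse_iis_line(line):
    """Split one W3C line into named fields, or return None if it does not
    match (a non-IIS message, or a line written before the X-Forwarded-For
    field was added to the log format and so lacking the trailing IP)."""
    m = IIS_W3C_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    for name in IIS_W3C_INTS:
        fields[name] = int(fields[name])
    return fields


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in block for block in RFC1918_BLOCKS)


def choose_geoip_field(fields):
    """Name of the first candidate field holding a routable IPv4 address that a
    GeoIP lookup could place on the map, or None if every candidate is private."""
    for name in ("source_ip", "local_clientIP"):
        try:
            ip = ipaddress.ip_address(fields.get(name))
        except ValueError:
            continue  # missing field or hostname: cannot be geolocated directly
        if ip.version == 4 and not is_rfc1918(str(ip)):
            return name
    return None


if __name__ == "__main__":
    parsed = parse_iis_line(SAMPLE_LINE)
    for name in ("local_serverIP", "local_clientIP", "source_ip"):
        print(f"{name:15} {parsed[name]:15} rfc1918={is_rfc1918(parsed[name])}")
    print("field to feed the GeoIP lookup:", choose_geoip_field(parsed))
```

Run stand-alone, the script shows that local_serverIP and local_clientIP are both RFC 1918 addresses and only source_ip (the X-Forwarded-For value) is usable for the map. Dropping the last token from the sample line makes parse_iis_line return None, which is the same failure the Graylog extractor shows when the pattern is tested against a log written before the custom field was enabled.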


@gsmith My goal is to indicate my location with a red mark on the map.

https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/

I read this link and did the same, but I didn't get what I wanted regarding the public IP.

Hi @er213

Your problem, AFAIK, is primarily that your IIS doesn't create logs at all, or maybe is creating them in a different directory. Can you share your IIS site log configuration?