You must configure the IIS to show you the PUBLIC/REAL IP. This depends on your network configuration, but in most cases, if the IIS is behind a firewall or load balancer, it will show you the local IP as the client IP (which you don’t need). To resolve this, please follow the instructions in the following document: How to use X-Forwarded-For header to log actual client IP address?
You should have the last field in the log showing the public IP of the traffic. You need to add this to your input extractor. In my case, I created a GROK pattern called IIS_w3c and used it inside the extractor as follows:
And now every log entry that has W3SVC1 (from the IIS log) will be segmented into fields. I named the last field source_ip, but you are free to name it as you like and use it later.
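As an added illustration (my own code, not the GROK pattern from the post above): a small Python parser that reads an IIS W3C log by its #Fields directive and picks source_ip from the X-Forwarded-For field the way the extractor does, falling back to c-ip when the header was not logged. The sample log and its field list are constructed, and the code assumes a single trusted proxy appends the header.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample IIS W3C log (not taken from the thread). X-Forwarded-For has
# been added as the LAST logged field, which is the setup the post describes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For
2024-01-15 08:00:01 10.0.0.5 GET /index.html - 443 - 10.0.0.2 Mozilla/5.0 200 0 0 15 203.0.113.7
2024-01-15 08:00:02 10.0.0.5 GET /admin - 443 - 10.0.0.2 curl/8.0 404 0 0 3 -
2024-01-15 08:00:03 10.0.0.5 POST /login - 443 - 10.0.0.2 Mozilla/5.0 200 0 0 22 198.51.100.9,+203.0.113.7
2024-01-15 08:00:04 10.0.0.5 GET / - 443 - 10.0.0.2 Mozilla/5.0 200 0 0 5 not-an-ip
"""

def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Split IIS W3C log text into one dict per entry, keyed by the #Fields names."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # field order is declared here
        elif not line or line.startswith("#"):
            continue                                  # blank line or other directive
        else:
            values = line.split(" ")
            if fields and len(values) == len(fields):  # skip lines that would misalign
                entries.append(dict(zip(fields, values)))
    return entries

def _valid_ip(value: str) -> Optional[str]:
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def source_ip(entry: Dict[str, str]) -> Optional[str]:
    """Client address to report as source_ip: X-Forwarded-For if logged, else c-ip.
    Only syntactically valid addresses are accepted; the header is client-supplied text."""
    xff = entry.get("X-Forwarded-For", "-")
    if xff != "-":
        # IIS logs spaces as '+'. In a comma-separated chain the rightmost entry is the
        # one appended by the proxy nearest IIS; entries to its left may be client-set.
        hops = [h.strip().lstrip("+") for h in xff.split(",") if h.strip()]
        for hop in reversed(hops):
            ip = _valid_ip(hop)
            if ip:
                return ip
    return _valid_ip(entry.get("c-ip", ""))
```

Entries whose X-Forwarded-For is "-" or not a valid address resolve to c-ip, so a dashboard built on source_ip still gets a value for every hit.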
Can you share one line/entry from your most recent IIS log?
Also, I just found that the message you used for testing the GROK pattern is not an IIS log. You need to test your pattern against IIS logs only. You can use this button to load the appropriate message.
Let’s forget about Graylog for a second. I think you have a problem with creating the correct IIS log files or sending them. Can you please check the C:\inetpub\logs\LogFiles\W3SVC1 dir (default) and see if you have logs, then share one line of these logs?
So, you don’t have logs to parse. You need to troubleshoot IIS and make sure that this folder is full of logs, and then we can resume integrating it with Graylog.
@mhammady I’ve looked into it, but I couldn’t do it. Are IIS settings required to show the location on the map? I stayed at an impasse. I just wanted to show the location on the widget, but I couldn’t.
Sorry to hear about your issue. I have a couple of ideas pertaining to why your IIS server doesn’t have a public address, and perhaps some documentation on setting up logs in IIS.
Since I don’t know how you set up this environment, I’m going to assume you created a Windows IIS server. I’m also going to assume you have a DNS server.
Commenting on your first post.
On the IIS server, run the command ipconfig. If it shows a private address (192.168.x.x) then I know it’s private. Hence you’re receiving a private address, not a public one.
An IIS server is a general-purpose web server from Microsoft. With some configuration you can collect activity from users logging into your web site and collect IP addresses from there. But this is not a Windows forum.
NOTE: the next demo is not for an FQDN; I’m just using IP addresses to simplify this.
So that means within your environment you have a private address; THEN, using your firewall, you need to place a routable address to the IIS server.
Your problem AFAIK is primarily that your IIS doesn’t create logs at all, or maybe creates them in a different directory. Can you share your IIS site log configuration?