Collect Microsoft IIS logs

Supported in:

Google secops SIEM

This guide explains how you can ingest Microsoft Internet Information Services (IIS) logs to Google Security Operations using Bindplane.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
A Windows Server 2016 or later with IIS installed
Administrative access to the IIS server
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Configure IIS W3C extended logging

Open IIS Manager

Click Start.
Type inetmgr and press Enter.
The Internet Information Services (IIS) Managerwindow opens.

Alternative method:

Press Windows Key + R.
Type inetmgr and press Enter.

Navigate to logging configuration

In the Connectionspane, expand your server name.
To configure server-wide logging (recommended):
- Click the server nameat the root level.
To configure site-specific logging:
- Expand Sitesand then click the specific site (for example, Default Web Site).
In the Features View, double-click Logging.

Select W3C extended log format

On the Loggingpage, under Log Filesection:
- In the Formatdropdown, select W3C.
Click Select Fieldsbutton.

Configure W3C logging fields

In the W3C Logging Fieldsdialog, enable the following fields by checking the boxes:

Fields required for parsers

Date(date) - Event timestamp (date component).
Time(time) - Event timestamp (time component in UTC).
Client IP Address(c-ip) - Source IP address.
Method(cs-method) - HTTP method (GET, POST, PUT, DELETE).
URI Stem(cs-uri-stem) - Requested resource path.
Protocol Status(sc-status) - HTTP response code (200, 404, 500).

Fields required for detections

These fields are essential for Google SecOps built-in security detections:

Service Name(s-sitename) - Site or service identifier
Server Name(s-computername) - Server hostname
Server IP Address(s-ip) - Target server IP address
Server Port(s-port) - Target port number
User Name(cs-username) - Authenticated username (critical for authentication attack detection)
User Agent(cs(User-Agent)) - Client browser or application identifier (critical for bot and malware detection)

Fields for enhanced visibility

These fields provide additional context for security analysis:

URI Query(cs-uri-query) - Query string parameters
Referer(cs(Referer)) - Referrer URL
Protocol Substatus(sc-substatus) - Detailed HTTP substatus code
Win32 Status(sc-win32-status) - Windows error code
Bytes Sent(sc-bytes) - Response size in bytes
Bytes Received(cs-bytes) - Request size in bytes
Time Taken(time-taken) - Request duration in milliseconds

Optional fields (use-case specific)

Enable these fields if needed for your specific requirements:

Host(cs-host) - Virtual host header (enable if using virtual hosts)
Protocol Version(cs-version) - HTTP protocol version (HTTP/1.1, HTTP/2)
Cookie(cs(Cookie)) - Cookie values (enable if tracking sessions)

Apply configuration

Click OKto close the W3C Logging Fieldsdialog.
Verify the Directorypath where logs will be written.
- Default: %SystemDrive%\inetpub\logs\LogFiles
Under Log File Rollover, select Daily(recommended for Google SecOps ingestion).
Click Applyin the Actionspane.

Verify IIS logging

Generate test traffic to your IIS site by opening a web page in a browser.
Navigate to the log directory: C:\inetpub\logs\LogFiles\W3SVC1\
Open the most recent log file (for example, u_ex251020.log ) in Notepad.
Verify the #Fields: line contains all the fields you enabled.

Example #Fields: line:

 #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

Example log entry:

  2025 
 - 
 10 
 - 
 20 
  
 14 
 : 
 23 
 : 
 15 
  
 Def 
 ault_Web_Site 
  
 SERVER01 
  
 192.168.1.10 
  
 GET 
  
 / 
 index 
 . 
 html 
  
 - 
  
 80 
  
 - 
  
 203.0.113.45 
  
 Mozilla 
 / 
 5.0 
 + 
 ( 
 Windows 
 + 
 NT 
 + 
 10.0 
 ) 
  
 - 
  
 200 
  
 0 
  
 0 
  
 1234 
  
 567 
  
 125

Install Bindplane agent

Install the Bindplane agent on your Windows server according to the following instructions.

Windows installation

Open Command Promptor PowerShellas an administrator.
Run the following command:

  msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

Additional installation resources

For additional installation options, consult this installation guide .

Configure Bindplane agent to ingest IIS logs and send to Google SecOps

Stop the Bindplane service

Before editing the configuration file, stop the service:

  Stop-Service 
 "observIQ OpenTelemetry Collector"

Edit the configuration file

Locate the config.yaml file.
- Default path: C:\Program Files\observIQ OpenTelemetry Collector\config.yaml
Open the file using a text editor (for example, Notepad, VS Code, or Notepad++) as Administrator.

Replace the entire contents with the following configuration:

  receivers 
 : 
  
 iis 
 : 
  
 collection_interval 
 : 
  
 60s 
 processors 
 : 
  
 resourcedetection 
 : 
  
 detectors 
 : 
  
 [ 
 "system" 
 ] 
  
 system 
 : 
  
 hostname_sources 
 : 
  
 [ 
 "os" 
 ] 
  
 normalizesums 
 : 
  
 batch 
 : 
 exporters 
 : 
  
 chronicle/iis 
 : 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 creds 
 : 
  
 'C:\SecOps\ingestion-auth.json' 
  
 log_type 
 : 
  
 'IIS' 
  
 override_log_type 
 : 
  
 false 
  
 raw_log_field 
 : 
  
 body 
  
 customer_id 
 : 
  
 '<CUSTOMER_ID>' 
  
 compression 
 : 
  
 gzip 
 service 
 : 
  
 pipelines 
 : 
  
 logs/iis 
 : 
  
 receivers 
 : 
  
 - 
  
 iis 
  
 processors 
 : 
  
 - 
  
 resourcedetection 
  
 - 
  
 normalizesums 
  
 - 
  
 batch 
  
 exporters 
 : 
  
 - 
  
 chronicle/iis

Update configuration values

Replace the following placeholders:

creds: - Path to your ingestion authentication file (for example, C:\SecOps\ingestion-auth.json ).
customer_id: - Your actual Google SecOps customer ID from the Get Google SecOps customer ID section.

Restart Bindplane agent to apply the changes

After saving the config.yaml file, restart the Bindplane service:

  Start-Service 
 "observIQ OpenTelemetry Collector"

Verify the service is running:

  Get-Service 
 "observIQ OpenTelemetry Collector"

Expected output:

 Status   Name                               DisplayName
  ------   ----                               -----------
  Running  observiq-otel-collector            observIQ OpenTelemetry Collector

UDM Mapping Table

Log field	UDM mapping	Logic
@timestamp	metadata.event_timestamp	The timestamp of the event as recorded in the raw log.
@version	metadata.product_version	The version of the IIS server.
AgentDevice	additional.fields.AgentDevice.value.string_value	The device that generated the log.
AgentLogFile	additional.fields.AgentLogFile.value.string_value	The name of the log file.
ASP.NET_SessionId	network.session_id	The session ID of the user.
c-ip	principal.ip	The IP address of the client.
Channel	security_result.about.resource.attribute.labels.Channel.value	The channel where the event was logged.
ChannelID	security_result.about.resource.attribute.labels.ChannelID.value	The ID of the channel where the event was logged.
Computer	target.hostname	The hostname of the target machine.
cs-bytes	network.received_bytes	The number of bytes received from the client.
cs-host	principal.hostname, principal.asset.hostname	The hostname of the client.
cs-method	network.http.method	The HTTP method used by the client.
cs-uri-query	target.url	The query string of the URL requested by the client.
cs-uri-stem	target.url	The path of the URL requested by the client.
cs-username	principal.user.user_display_name	The username of the client.
cs-version	network.tls.version_protocol	The HTTP version used by the client.
cs(Cookie)		Used to extract cookie information.
cs(Referer)	network.http.referral_url	The URL that referred the client to the current page.
cs(User-Agent)	network.http.user_agent	The user agent of the client.
csbyte	network.received_bytes	The number of bytes received from the client.
cshost	principal.hostname, principal.asset.hostname	The hostname of the client.
csip	principal.ip, principal.asset.ip	The IP address of the client.
csmethod	network.http.method	The HTTP method used by the client.
csreferer	network.http.referral_url	The URL that referred the client to the current page.
csuseragent	network.http.user_agent	The user agent of the client.
csusername	principal.user.user_display_name	The username of the client.
csversion	network.tls.version_protocol	The HTTP version used by the client.
date		Used to construct the event timestamp if the raw log timestamp is invalid.
description	security_result.description	A description of the event.
devicename	target.hostname	The hostname of the target machine.
dst_ip	target.ip, target.asset.ip	The IP address of the target machine.
dst_port	target.port	The port number of the target machine.
duration		The duration of the request in milliseconds.
EventEnqueuedUtcTime	additional.fields.EventEnqueuedUtcTime.value.string_value	The time when the event was enqueued in UTC.
EventID	metadata.product_log_id	The ID of the event.
EventProcessedUtcTime	additional.fields.EventProcessedUtcTime.value.string_value	The time when the event was processed in UTC.
EventTime	metadata.event_timestamp	The timestamp of the event.
EventType	metadata.product_event_type	The type of the event.
file_path	target.file.full_path	The full path of the file involved in the event.
FilterId	security_result.about.resource.attribute.labels.FilterId.value	The ID of the filter.
FilterKey	security_result.about.resource.attribute.labels.FilterKey.value	The key of the filter.
FilterName	security_result.about.resource.attribute.labels.FilterName.value	The name of the filter.
FilterType	security_result.about.resource.attribute.labels.FilterType.value	The type of the filter.
host	target.hostname	The hostname of the target machine.
host.architecture	principal.asset.hardware.cpu_platform	The architecture of the host machine.
host.geo.name	additional.fields.geo_name.value.string_value	The geographical location of the host machine.
host.hostname	target.hostname, target.asset.hostname	The hostname of the host machine.
host.id	observer.asset_id	The ID of the host machine.
host.ip	principal.ip, principal.asset.ip	The IP address of the host machine.
host.mac	principal.mac	The MAC address of the host machine.
host.os.build	additional.fields.os_build.value.string_value	The build number of the operating system on the host machine.
host.os.kernel	principal.platform_patch_level	The kernel version of the operating system on the host machine.
host.os.name	additional.fields.os_name.value.string_value	The name of the operating system on the host machine.
host.os.platform	principal.platform	The platform of the operating system on the host machine.
host.os.version	principal.platform_version	The version of the operating system on the host machine.
http_method	network.http.method	The HTTP method used by the client.
http_response	network.http.response_code	The HTTP response code.
http_status_code	network.http.response_code	The HTTP status code of the response.
http_substatus	additional.fields.sc_substatus.value.string_value	The HTTP substatus code of the response.
instance	additional.fields.instance.value.string_value	The instance ID of the task.
intermediary_devicename	intermediary.hostname, intermediary.asset.hostname	The hostname of the intermediary device.
json_message		The raw log message in JSON format.
kv_fields		Used to extract key-value pairs from the raw log message.
LayerKey	security_result.about.resource.attribute.labels.LayerKey.value	The key of the layer.
LayerName	security_result.about.resource.attribute.labels.LayerName.value	The name of the layer.
LayerId	security_result.about.resource.attribute.labels.LayerId.value	The ID of the layer.
log.file.path	target.file.full_path	The full path of the log file.
log.offset	metadata.product_log_id	The offset of the event in the log file.
logstash.collect.host	observer.hostname	The hostname of the machine that collected the log.
logstash.process.host	intermediary.hostname	The hostname of the machine that processed the log.
logstash_json_message		The raw log message in JSON format.
message	security_result.description	The raw log message.
ministry	additional.fields.ministry.value.string_value	The ministry associated with the event.
name		The name of the entity.
NewValue	additional.fields.NewValue.value.string_value	The new value of the configuration setting.
OldValue	additional.fields.OldValue.value.string_value	The old value of the configuration setting.
port	principal.port	The port number of the client.
priority_code		The priority code of the syslog message.
ProcessID	principal.process.pid	The process ID of the process that generated the event.
ProviderGuid	security_result.about.resource.attribute.labels.ProviderGuid.value	The GUID of the provider.
ProviderKey	security_result.about.resource.attribute.labels.ProviderKey.value	The key of the provider.
ProviderName	security_result.about.resource.attribute.labels.ProviderName.value	The name of the provider.
referrer_url	network.http.referral_url	The URL that referred the client to the current page.
request_url	target.url	The URL requested by the client.
s-computername	target.hostname	The hostname of the target machine.
s-ip	target.ip, target.asset.ip	The IP address of the target machine.
s-port	target.port	The port number of the target machine.
s-sitename	additional.fields.sitename.value.string_value	The name of the site.
sc-bytes	network.sent_bytes	The number of bytes sent to the client.
sc-status	network.http.response_code	The HTTP status code of the response.
sc-substatus	additional.fields.sc_substatus.value.string_value	The HTTP substatus code of the response.
sc-win32-status		The Windows status code of the response.
scbyte	network.sent_bytes	The number of bytes sent to the client.
scstatus	network.http.response_code	The HTTP status code of the response.
severity	security_result.severity	The severity of the event.
service.type	additional.fields.service_type.value.string_value	The type of the service.
sIP	principal.ip, principal.asset.ip	The IP address of the client.
sPort	principal.port	The port number of the client.
sSiteName	additional.fields.sitename.value.string_value	The name of the site.
src_ip	principal.ip, principal.asset.ip, observer.ip	The IP address of the client.
src_port	principal.port	The port number of the client.
sysdate		The date and time of the syslog message.
syslog_facility	security_result.severity_details	The facility of the syslog message.
syslog_pri		The priority of the syslog message.
syslog_severity	security_result.severity_details	The severity of the syslog message.
syslog_severity_code		The severity code of the syslog message.
tags	security_result.rule_name	Tags associated with the event.
task	additional.fields.task.value.string_value	The name of the task.
time		Used to construct the event timestamp if the raw log timestamp is invalid.
time-taken		The duration of the request in milliseconds.
uri_query	target.url	The query string of the URL requested by the client.
user_agent	network.http.user_agent	The user agent of the client.
UserName	target.user.userid	The username of the user.
UserSid	target.user.windows_sid	The Windows SID of the user.
Weight	security_result.about.resource.attribute.labels.Weight.value	The weight of the filter.
win32_status		The Windows status code of the response.
xforwardedfor		The X-Forwarded-For header, containing a comma-separated list of IP addresses.
	metadata.log_type	"IIS"
	network.direction	"INBOUND"
	metadata.vendor_name	"Microsoft"
	metadata.product_name	"Internet Information Server"
	metadata.event_type	"NETWORK_HTTP", "USER_UNCATEGORIZED", "GENERIC_EVENT", "STATUS_UPDATE", "USER_LOGOUT", "USER_LOGIN"
	extensions.auth.type	"MACHINE"

Need more help? Get answers from Community members and Google SecOps professionals.