Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Is IIS 8 supported yet? If not, is there a way to make it work?

cbnathan

I've already tried using the IIS 7 connector, but it doesn't seem to want to start due to an error.

Find more posts tagged with

siem

security_information_and_event_management

hipaa

Accepted answers

All comments

LGarvin

Nathan, can you post the exact error you're getting when attempting to use the IIS7 connector?

cbnathan

I've seen a couple errors. The first occurs when the log file path is configured in these ways:

C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex140118.log
C:\inetpub\logs\LogFiles\W3SVC1\
C:\\inetpub\\logs\\LogFiles\\W3SVC1\\
C:\inetpub\logs\LogFiles\W3SVC1

I get:

Event Field Information

Description Failed to start FAST reader: reader failed to report the error

If I configure it in this way:

C:\\inetpub\\logs\\LogFiles\\W3SVC1

I get:

Event Field Information

Description Corrupt or manually edited file. Skipping this line: 0+(Windows+NT+6.1;+Microsoft+Office+Outlook+12.0.6683;+Pro) - 404 0 2 97

Thanks for any info you're able to give me.

FormerMember

We've confirmed with our QA team that IIS8 DOES in fact work, but there are similar problems with IIS8 as there are commonly with IIS7. You'll need to go into the IIS logging configuration (in Logging, "Select Fields") and add fields that are de-selected by default but LEM uses to get key data like the hostname/source of the message. You definitely need to add the s-computername field which might be enough to resolve your error and get you moving, but you may need to add more fields to get the full range of data to show up.

I'm hoping we have this documented somewhere and if I find it, I'll be sure to have IIS 8 added to it and let you know where to find it.

cbnathan

Thanks for the reply. I've been working on this issue off-and-on, but I'm still having some trouble getting this connector to work. I've enabled the field as suggested (and fiddled around with a few others), but for whatever reason, I'm still getting the same issues as above. Mostly, though, it just says that it failed to start and failed to report an error. Could this be a file locking issue or something? In the instances it does seem to be able to read the file, it seems like it gets partially through the log then at some point decides it doesn't like the middle of one of the lines and says that it's manually edited. Any further suggestions would be greatly appreciated!

cbnathan

For reference, here are the fields I'm currently using directly from the logfile. I've seen other forum posts where these work, but it just doesn't seem to do the trick on our servers:

#Fields: date time s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

cbnathan

A possible commonality I'm finding is for the cs-method field, the lines that it says it can read either have OPTIONS as the method for either that event specifically or the event previous. Is the connector tripping up when it sees that?