IIS Logs & Audit Requirements
Last post Aug 09, 2017 03:52 AM by Yuk Ding
Aug 08, 2017 06:27 PM|YourPublic1dentity
Policy requires that WWW servers log startup and shutdown, system access, and system authentication events. Additionally, I have to prove that logs begin recording events as soon as the web service is up, or get an MS doc stating it does.
I'm on Server 2016 Core/IIS 10.
I've gone in and set the server in system.applicationHost/log to use Central W3C and set the log ExtFileFlags that I need (user name, time, etc). However, when I logged into the IIS console to the server, I don't see anything in the logs to show I had signed in but earlier in logs I see my signings.
Where in IIS config do I need to go to meet my audit policy needs?
Aug 09, 2017 03:24 AM|Ken Schaefer
"I've gone in and set the server in system.applicationHost/log to use Central W3C and set the log ExtFileFlags that I need (user name, time, etc)."
This only logs HTTP requests to your websites, not RDP connections or network logons using Microsoft Management Console tools. You need to look in the Windows Security Event Log for those types of events.
"However, when I logged into the IIS console to the server, I don't see anything in the logs to show I had signed in but earlier in logs I see my signings."
I'm unsure what this even means.
But if you are talking about the IIS logfiles, IIS doesn't write each entry to the file in real time (that would create performance issues with really busy websites, which might be getting hundreds of requests/second). IIS writes the log entries in batches (64KB from memory, or when the website is shut down/stopped).
Aug 09, 2017 03:35 AM|YourPublic1dentity
I'm sorry, all questions around logging and 'connections' are directed at connections to an IIS website or IIS management console/MMC.
Aug 09, 2017 03:52 AM|Yuk Ding
It is not difficult to audit IIS configuration changes or site start/stop. You only need to create a custom event view with the IIS-related sources and WAS selected in the drop-down list. Also, in Event Viewer/Applications and Services Logs/Microsoft/IIS-Configuration/Operational -> right-click -> Enable. However, there is no IIS log event that shows the IIS log has started or stopped. So the only way to check whether IIS logging is running is to go to C:\inetpub\logs\LogFiles and check the last modified time manually.
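
The checks described in the replies above, scripted so they can be run from a console on Server Core. This is an added PowerShell example, not code from the thread; the provider names, the one-day lookback and the `netsh http flush logbuffer` step are assumptions that do not come from the posts.

```powershell
# Added example, not from the thread. Run elevated on the IIS server.
$LogRoot = 'C:\inetpub\logs\LogFiles'                  # path given in the thread
$Channel = 'Microsoft-IIS-Configuration/Operational'   # channel named in the thread
$Since   = (Get-Date).AddDays(-1)                      # assumed lookback window

# 1. Enable the IIS configuration audit channel (the right-click -> Enable step).
wevtutil.exe set-log $Channel /enabled:true

# 2. List WAS and W3SVC events from the System log (provider names assumed
#    to be those registered by a default IIS install).
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WAS', 'Microsoft-Windows-IIS-W3SVC'
    StartTime    = $Since
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, ProviderName, Id, LevelDisplayName -AutoSize

# 3. Approximate when the web service came up: start time of the process
#    hosting W3SVC (a shared svchost, so treat it as an estimate).
$svc = Get-CimInstance Win32_Service -Filter "Name='W3SVC'"
if ($svc.State -ne 'Running') { throw "W3SVC is $($svc.State)" }
$started = (Get-Process -Id $svc.ProcessId).StartTime

# 4. IIS buffers log entries, so flush HTTP.sys buffers before reading timestamps.
netsh.exe http flush logbuffer | Out-Null

# 5. Newest log file per folder, and whether it was written since the service started.
Get-ChildItem -Path $LogRoot -Recurse -Filter *.log |
    Group-Object DirectoryName |
    ForEach-Object {
        $newest = $_.Group | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Folder            = $_.Name
            NewestLog         = $newest.Name
            LastWriteTime     = $newest.LastWriteTime
            WrittenSinceStart = $newest.LastWriteTime -ge $started
        }
    } | Format-Table -AutoSize
```

A folder reporting `WrittenSinceStart = False` may simply belong to a site that has received no requests since the service started, so send a test request before treating it as a logging failure.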