Auditing Access with Internet Information Server Logs

You can use Internet Information Server logs to track use of your IIS services.

Logging is very flexible. You can configure it to suit your site's needs. For example, two or more IIS servers can log to the same network file or network database. This is useful for large sites or for sites that use duplicate servers for load balancing. Conversely, if you also run the FTP or Gopher service, you can specify separate files or databases to track access by each service.

By logging to a database, you can use database reporting tools or the Internet Database Connector to query and analyze the log files to detect suspicious activity.

Suspicious activity can include:

• Multiple failed commands, especially to the /Scripts directory or another directory configured for executable files.
• Attempts to upload files to the /Scripts directory or another directory configured for executable files.
• Attempts to access .bat or .cmd files and subvert their purpose.
• .Bat or .cmd commands maliciously sent to the /Scripts directory or another directory configured for executable files.
• Excessive requests from a single IP address attempting to overload or cause a denial of service to other users.

Logs are generated in CERN (European Laboratory for Particle Physics) format but can be converted to Common Log File (National Center for Supercomputing Applications [NCSA] or European Microsoft Windows NT Academic Center [EMWAC]) formats. Conversion is often necessary to use third-party log analysis tools.

For more information about logging, see the Internet Information Server Installation and Administration Guide.