AD

IIS log analysis methods and tools

The importance of logging has been more and more attention to the programmer, IIS log is self-evident.

Recommend the use of IIS W3C Extended log file format logs, which is already on the IIS 5.0 default format, you can specify a daily record of the client IP address, user name, server port, Method, URI, URI query, protocol status, user agent, each days to review the log. Figure 1.

IIS log analysis methods and tools


The WWW IIS log file default location is% systemroot% \ system32 \ logfiles \ w3svc1 \, (for example: I was in C: \ WINDOWS \ system32 \ LogFiles \ W3SVC1 \), by default a log every day.

Recommended not to use the default directory, replace the path of a log while the log set access permissions, allowing only administrators and SYSTEM to Full Control permissions. Shown in Figure 2.

IIS log analysis methods and tools


If you find the IIS log records no longer the solution:
See if you have enabled logging: Site -> Properties -> "Site "-->" Enable Logging" is checked.

Log file name format is: ex + the last two digits of the year + month + date.
(Eg, August 10, 2002 of the WWW log file is ex020810.log)

IIS log files are text files, you can use any editor or open software, such as Notepad program, AWStats tool.

Four lines are a description of the beginning of the log information

# Software generation software
# Version version
# Date the date the log
# Fields field shows the format of recording information, by the IIS custom.

A log of the subject is a request for information, request information format is defined by the # Fields Each field has a space.

Field interpretation

data date
time time
cs-method request method
cs-uri-stem request file
cs-uri-query request parameter
cs-username client user name
c-ip client IP
cs-version protocol version the client
cs (User-Agent) client browser
cs (Referer) reference page

The following list shows some of the contents of log files (one for each log file has the following first four lines):
# Software: Microsoft Internet Information Services 6.0
# Version: 1.0
# Date: 2007-09-21 02:38:17
# Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs (User-Agent) sc-status sc-substatus sc-win32-status

2007-09-21 01:10:51 10.152.8.17 - 10.152.8.2 80
GET / seek / images / ip.gif - 200 Mozilla/5.0 + (X11; + U; + Linux +2.4.2-2 + i686; + en-US; +0.7)

Were clearly above the line down the remote client:

Connection Time 2007-09-21 01:10:51
IP address 10.152.8.17 - 10.152.8.2
Port 80
Request action GET / seek / images / ip.gif - 200
Return result - 200 (expressed in figures, places such as the page does not exist 404 return)
Browser Type Mozilla/5.0 +
Systems and other related information X11; + U; + Linux +2.4.2-2 + i686; + en-US; +0.7

Attached: IIS's FTP log

IIS FTP log file default location is% systemroot% \ system32 \ logfiles \ MSFTPSVC1 \, for the vast majority of systems (if you install the system defines the system directory is stored according to practical situation) is C: \ winnt \ system32 \ logfiles \ MSFTPSVC1 \, and IIS log the same as the WWW, is a daily log by default. Log file name format is: ex + year + month + last two digits of the date, such as the August 10, 2002 of the WWW log file is ex020810.log. It is also a text file, also can use any editor to open, such as Notepad. Compared to the WWW and IIS log, IIS log files to the FTP much richer. Here are some of the contents of the log file.

# Software: Microsoft Internet Information Services 6.0
# Version: 1.0
# Date: 2002-07-24 01:32:07
# Fields: time cip csmethod csuristem scstatus
03:15:20 210.12.195.3 [1] USER administator 331
(IP address 210.12.195.2 user name administator user attempts to log in)

03:16:12 210.12.195.2 [1] PASS - 530 (Login failed)

03:19:16 210.12.195.2 [1] USER administrator 331
(IP address 210.12.195.2 user name is administrator and the user tries to log in)

03:19:24 210.12.195.2 [1] PASS - 230 (successful logon)
03:19:49 210.12.195.2 [1] MKD brght 550 (new directory failed)
03:25:26 210.12.195.2 [1] QUIT - 550 (out of the FTP program)

Experienced users this can be seen that the content of the FTP log file from a remote IP address 210.12.195.2 customers from at 3:15 on 24 July 2002 began trying to log on to this server, has changed two times a user name and password was successful, and ultimately successful login as administrator account. This time should be vigilant, because the administrator account is likely to leak, and for safety considerations, should change your password to this account or rename this account.

How can I tell if someone has made use of server UNICODE exploits on it? You can see in the log similar to the following records:
If someone has been executed copy, del, echo,. Bat with the intrusion of such an order, there will be similar to the following records:
13:46:07 127.0.0.1 GET / scripts / .. \ ../winnt/system32/cmd ". Exe 401
13:46:07 127.0.0.1 GET / scripts / .. \ ../winnt/system32/cmd ". Exe 200
13:47:37 127.0.0.1 GET / scripts / .. \ ../winnt/system32/cmd ". Exe 401

Related Software:

If the intruder more sophisticated technology, it will delete the IIS log files to erase the traces, then can go to the Event Viewer to see the warning message from W3SVC can often find some clues. Of course, particularly for visits a Web server, manual analysis alone is almost impossible - too much data! Can make use of third-party log analysis tools, such as Faststs Analyzer, Logs2Intrusions v.1.0 and so on. Here only brief Logs2Intrusions log analysis tools. It is a Turkish Security Network has developed free software is a free log analysis tool that can analyze IIS 4 / 5, Apache and other log files. Can go to ****trsecurity**/logs2intrusions download the latest version. The software is easy to use, the following is its main interface, shown in Figure 3.

IIS log analysis methods and tools


Click [Select] button and select the log file to analyze, then click [Next] button in the window that appears, click [Begin Work] button to start the analysis, shown in Figure 4.

IIS log analysis methods and tools


Shown in Figure 4, it has been found that traces of the invasion. If you do not find traces of the pop-up dialog box shown in Figure 5.

IIS log analysis methods and tools


After the discovery of traces click [Next] button to continue, as shown in Figure 6.

IIS log analysis methods and tools


[View Report] button is to view the report, [] button is Save Report to save the report, [New Report] button is to generate a new report. Here is an example of the report, shown in Figure 7.

IIS log analysis methods and tools


In "Intrusion Attempt" column lists the hyperlink, select it can be Trsecurity's expert advice. And the software is the same directory sign.txt intrusion characteristics of keywords, users can find new vulnerabilities and added at any time.

AWStats Description: Apache / IIS log analysis tool
****chedong**/tech/awstats.html


Different log types, their storage location is also different:
Application log, security log, system log, DNS log default location:% systemroot% \ system32 \ config
Web, Ftp log the default location:% systemroot% \ system32 \ logfiles
See the specific article: Win2k log details

Enable and set the IIS log
How in Windows 2000 to enable IIS logging site activity

Log analysis log analysis tools to a lot of tools, AWStats is an excellent cross-platform open source log analysis tools
Awstats Installation instructions

IIS logs record the contents of some of the text is
IIS Log Analysis

How in Windows 2000 to enable IIS logging site activity (MSDN)
**support.microsoft**/default.aspx?scid=kb; zh-cn; 300390

标签: request method, default directory, software microsoft, method request, protocol version, client ip address, default format, notepad program, open software, address user, information format, recording information, ip client, space field, generation software, protocol status, software generation, query protocol, field interpretation, interpretation data
分类: Internet
时间: 2011-09-26

相关文章

  1. {Reserved} on software requirements analysis methods and tools used

    Abstract In this paper, an IT product sales of the company's information systems project development backgroun ...
  2. AWStats Description: Apache / Windows IIS log analysis tools to download, install, configure and use sample

    http://127.0.0.1:8600/awstats/awstats.pl?config=test You do not have the patience to read all the content: a b ...
  3. (Reserved) of software requirements analysis methods and tools used

    Abstract In this paper, an IT product sales of the company's information systems project development backgroun ...
  4. MySQL monitoring tools and log analysis tools to summarize

    Monitoring tools: innotop ( installation and description ), mysqlsniffer ( http://hackmysql.com/mysqlsniffer ) ...
  5. Oracle log analysis tools - LogMiner Detailed

    LogMiner ---- Oracle 8i provided after the self through the form of SQL commands to query and resolve redo (re ...
  6. Understand and use Oracle log analysis tools-LogMiner

    This article is reproduced, the first author is unknown, please contact me. Oracle LogMiner is Oracle 8i from ...
  7. [Switch] with awstats log analysis of some records Nginx

    Original Address: http://www.linuxbyte.org/yong-awstats-fen-xi-nginx-ri-zhi-de-yi-xie-ji-lu.html System enviro ...
  8. Talk about log analysis

    Log Analysis Overview: Log in the computer system is a very broad concept, there may be any program output log ...
  9. AWStats log analysis tool

    The following tutorial is installed under the windows2003 server configuration, as by awstats perl program to ...
  10. Demonstrate a strong command line under linux - command-line log analysis buttoned

    Demonstrate a strong command line under linux - command-line log analysis buttoned Recently, a need to analyze ...
  11. MySQL database under Linux binary log recovery methods

    MySQL database under Linux binary log recovery methods September 21, 2009 04:04 pm Monday, if the MySQL server ...
  12. A log analysis tool splunk

    Splunk is a Unix environment running on log analysis software. With Google Analytics this type of Web log anal ...
  13. apache log analysis software Weg Log Explorer

    apache log analysis software Weg Log Explorer
  14. [Maintenance] mysql log analysis, summary

    mysql> show master logs; shows the number of binary logs mysql> show variables like 'log_bin'; confirm y ...
  15. Oracle archive log analysis - LogMiner (rpm)

    Log Analysis Technical Overview: As the Oracle DBA, we sometimes need to track the malicious user data acciden ...
  16. UML analysis and design tools (EA 4.1)

    <Transfer http://hi.baidu.com/ztf704/blog/item/9c2345a9e6f1bbff1f17a225.html> Enterprise Architect Deskt ...
  17. [Reserved] mysqlsla log analysis tool

    mysqlsla log analysis tool mysqlsla is hackmysql.com introduced a MySQL log analysis tool, very powerful. data ...
  18. oracle log analysis tools to LogMiner use (combat)

    To install the LogMiner tool, you must first run the following two scripts so that the two are in the script m ...
  19. request-log-analyzer log analysis tools

    http://github.com/wvanbergen/request-log-analyzer http://www.letrails.cn/archives/rails-performance-optimizati ...