This article provides the step-by-step instructions on how to audit Internet Information Services (IIS) with Netwrix Auditor.
- Download the Internet Information Services pack and unzip it to the computer where Netwrix Auditor Administrator Console (Netwrix Auditor console in Netwrix Auditor 6.5 and below) is installed.
- Download link for Netwrix Auditor 6.5 and below: https://www.netwrix.com/download/products/elm_iis/Internet_Information_Services.zip
- Download link for Netwrix Auditor 7.0 and 7.1: https://www.netwrix.com/download/internet_information_services.zip
- Locate the Internet Information Services folder.
|Netwrix Auditor version||Folder/File name||Computer where Netwrix Auditor Administrator Console is installed|
|Netwrix Auditor 6.5 and below||<Download_path>Internet Information Services.
||C:Program Files (x86)NetwrixEvent Log ManagerReportsNetWrix Event Log ManagerChange Reports|
|Netwrix Auditor 7.0 and 7.1||<Download_path>Internet_Information_ServicesInternet Information Services.
C:ProgramDataNetwrix AuditorReportsNetwrix Auditor for Event LogChange Reports
Note: when completed, restart the Netwrix Auditor Archive Service.
- In Netwrix Auditor Administrator Console, create a new Managed Object for auditing Event Log:
- On the Audit Archiving Filters step, disable all filters and click Add to create a new filter with the following parameters:
|Description||Internet Information Services events|
- Review the Managed Object settings and click Finish.
- Configure the IIS Operational log size and retention settings:
- On the computer where the Internet Information Services is installed, navigate to Start -> Run and type “eventvwr.msc” to start the Event Viewer.
- In the Event Viewer snap-in, navigate to Event Viewer (Local) -> Applications and Services Logs -> Microsoft -> Windows / IIS-Configuration.
- Right click the Operational log and select Properties.
- Select Enable logging, set Maximum log size to 4 GB and make sure Do not overwrite events (Clear logs manually) is cleared. If this option is selected, change the retention method by selecting another option: Overwrite events as needed (oldest events first).
To access IIS reports in a web browser, do the following:
- Depending on your Netwrix Auditor version, navigate to one of the following locations:
- Netwrix Auditor 6.5 and below: Settings -> Audit Archive
- Netwrix Auditor 7.0: Settings -> Long-Term Archive
- Netwrix Auditor 7.1 and above: Audit Archive -> Audit Database
- Go to your Report Manager URL. In the Home folder, navigate to Netwrix Auditor -> Netwrix Auditor for Event Logs -> Change Reports.
- Review available reports:
- IIS Changes of Application Pools—shows changes in Application Pools, such as adding, deleting, renaming Application Pools, changing their properties, starting, stopping, etc.
- IIS Changes of Web Sites—shows changes in Web Sites, such as creating, deleting, renaming, starting and stopping Web Sites, changing their general properties, changing the Binding options: creation, deletion, modification, etc.
- Netwrix Auditor for Event Log audits event-based changes. If the target servers lose events for some reason or Netwrix Auditor is not able to collect these events, reports will not contain configuration changes.
- The Internet Information Services (IIS) configuration changes made directly in the configuration files and not through the IIS Manager will never be logged in the IIS Operational log and reported by Netwrix Auditor.