Describe the bug

IIS websites W3C format logs are not parsed when one or both of the following fields are selected:
"Service Name (s-sitename)"
"Server Name (s-computername)"

To Reproduce

Microsoft IIS, "Default Web Site" or any web site. IIS feature View, Logging, Log File, Format W3C, select "Service Name (s-sitename)" or "Server Name (s-computername)" or both. OK.
Restart the "crowdsec" service in Windows services.
Access your modified website from your preferred Internet browser and analyse the log.

Example:

PS C:\Users\Administrator> cscli explain --dsn "file://C:\inetpub\Logs\LogFiles\W3SVC2\u_ex241223.log" --type iis
level=warning msg="Line 0/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
level=warning msg="Line 1/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
level=warning msg="Line 2/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
level=warning msg="Line 3/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
level=warning msg="Line 4/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
level=warning msg="Line 5/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
level=warning msg="Line 6/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
level=warning msg="Line 7/8 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode."
line: #Software: Microsoft Internet Information Services 10.0
├ s00-raw
| ├ 🔴 crowdsecurity/windows-eventlog
| └ 🟢 crowdsecurity/windows-non-eventlog (+5 ~8)
├ s01-parse
| ├ 🔴 crowdsecurity/iis-logs
| ├ 🔴 crowdsecurity/mssql-logs
| ├ 🔴 crowdsecurity/mssql-text-logs
| ├ 🔴 crowdsecurity/windows-auth
| └ 🔴 crowdsecurity/windows-firewall-logs
└-------- parser failure 🔴
line: #Date: 2024-12-23 14:13:48
├ s00-raw
| ├ 🔴 crowdsecurity/windows-eventlog
| └ 🟢 crowdsecurity/windows-non-eventlog (+5 ~8)
├ s01-parse
| ├ 🔴 crowdsecurity/iis-logs
| ├ 🔴 crowdsecurity/mssql-logs
| ├ 🔴 crowdsecurity/mssql-text-logs
| ├ 🔴 crowdsecurity/windows-auth
| └ 🔴 crowdsecurity/windows-firewall-logs
└-------- parser failure 🔴
line: #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
├ s00-raw
| ├ 🔴 crowdsecurity/windows-eventlog
| └ 🟢 crowdsecurity/windows-non-eventlog (+5 ~8)
├ s01-parse
| ├ 🔴 crowdsecurity/iis-logs
| ├ 🔴 crowdsecurity/mssql-logs
| ├ 🔴 crowdsecurity/mssql-text-logs
| ├ 🔴 crowdsecurity/windows-auth
| └ 🔴 crowdsecurity/windows-firewall-logs
└-------- parser failure 🔴
line: 2024-12-23 14:13:48 W3SVC2 ip-test-01 212.147.XX.XXX GET /favicon.ico - 80 - 212.147.XX.XXX HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:133.0)+Gecko/20100101+Firefox/133.0 http://ip-test-01.test.net/ ip-test-01.test.net 404 0 2 1406 387 17
├ s00-raw
| ├ 🔴 crowdsecurity/windows-eventlog
| └ 🟢 crowdsecurity/windows-non-eventlog (+5 ~8)
├ s01-parse
| ├ 🔴 crowdsecurity/iis-logs
| ├ 🔴 crowdsecurity/mssql-logs
| ├ 🔴 crowdsecurity/mssql-text-logs
| ├ 🔴 crowdsecurity/windows-auth
| └ 🔴 crowdsecurity/windows-firewall-logs
└-------- parser failure 🔴
PS C:\Users\Administrator>

Expected behavior

IIS websites W3C format logs with "Service Name (s-sitename)" or "Server Name (s-computername)" will be parsed, or indicate in the CrowdSec docs that these W3C format logs must not be used.
The parser provided in crowdsec only supports the default W3C format (which does not include the service name or the server name).
If your logs use those fields, you will need to edit the parser to add support for them.
I can look into it, but I don't think it's something we can easily support out of the box (because users can add and remove any number of fields, it would be very easy to have a configuration that would confuse the parser and have it extract wrong data from the logs).
We can probably make it a bit more obvious, but the description of the parser does mention "Parser for IIS default W3C logs".
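A header-driven W3C parser, added here as an illustration (it is not crowdsec's iis-logs parser or any project code): it reads the #Fields directive, so both the s-sitename/s-computername layout from the report and the IIS default layout resolve to named columns, and positional_parse shows what a parser hard-wired to the default layout does on the same line. The sample log is constructed from the report, with documentation-range IPs in place of the masked ones.

```python
from datetime import datetime, timezone

# Constructed sample (not a real capture): the #Fields line from the report and a
# data line shaped like the one in the report, with documentation-range IPs
# (203.0.113.0/24, 198.51.100.0/24) in place of the masked addresses.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-12-23 14:13:48
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-12-23 14:13:48 W3SVC2 ip-test-01 203.0.113.10 GET /favicon.ico - 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:133.0)+Gecko/20100101+Firefox/133.0 http://ip-test-01.test.net/ ip-test-01.test.net 404 0 2 1406 387 17
"""

# Column order IIS writes when no extra fields are ticked in the Logging UI.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the latest #Fields directive.

    Directive lines (#Software, #Version, #Date, #Fields) carry no event, which is
    why a log parser must skip them rather than treat them as failed lines.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # layout may change mid-file
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rec = dict(zip(fields, values))
        # W3C date/time are written in UTC; this is the timestamp a
        # time-machine/forensic replay needs from every event.
        rec["timestamp"] = datetime.strptime(
            f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield rec


def positional_parse(data_line, layout=DEFAULT_FIELDS):
    """Assign columns by position, as a parser hard-wired to the default layout would.

    With s-sitename and s-computername inserted as columns 3 and 4, every later
    field shifts by two, so c-ip lands on the port and sc-status on the protocol.
    """
    return dict(zip(layout, data_line.split(" ")))
```

A fixed-layout grok will usually refuse to match the shifted line (the "parser failure" in the report) rather than mis-assign it, but either way the client IP is never extracted; keying on #Fields is what makes the optional IIS columns safe.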
Thank you for confirming that crowdsec only supports the default W3C format and that, in case someone really needs them, it is possible to add support for them by editing the parser (for example, iis-logs.yaml).
In our case, it took us some time to find it because we installed crowdsec on a test machine without real traffic, and due to our lack of experience with crowdsec we did not know if it was correctly installed / configured.
About the mention "Parser for IIS default W3C logs":
In our opinion it would be quite helpful for future users if you could add more information in your docs, or maybe better in the "acquis.yaml" or "iis-logs.yaml" files, as you have done with the notification ".yaml" files. As an example, when we did the installation we followed the default Windows Installation Procedure "https://docs.crowdsec.net/u/getting_started/installation/windows" instead of "Windows Security Engine Installation - https://docs.crowdsec.net/docs/next/getting_started/install_windows/#security-engine-installation", where we can find the parser for the IIS W3C log format (with the default fields).