event viewer security event - servers behind a proxy

  • Question

  • Hi,

    Originally asked this question here: https://social.technet.microsoft.com/Forums/security/en-US/861f1c6f-d871-4638-9c69-b9df244d594c/event-viewer-security-event-servers-behind-a-proxy?forum=securityupdateguide
    but was asked to ask it here instead.

    We have some servers (mainly for IIS roles) that sit behind a proxy server.

    Is there a way to set the Windows security event log to listen to x-forwarder headers (when present) and include the real source client IP in the event? I know that IIS does this automatically in its own log; however, when searching for user lockout events we do so in the Windows security event log on the domain controller. Not having the info there makes lockouts very difficult to track (sadly we have no SIEM or log management tool).

    Monday, February 12, 2018 10:50 AM

All replies


  • Hi Stanley,
    If you are using IIS 10, you can promote the IIS log to Event Viewer. You can enable this in IIS Manager -> site level -> Logging -> Both log file and ETW event.

    You could also add the custom request header field to IIS log:

    IIS and X-Forwarded-For Header

    http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Of course, you need to enable the IIS event log by going to Applications and Services Logs/Microsoft/Windows/IIS-Logging, then right-click Logs -> Enable Log.

    Besides, you could post this issue to IIS forum for further help:
    https://forums.iis.net

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 13, 2018 7:03 AM
    Moderator
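
An added example, not part of the reply above: once the custom field is in the IIS W3C log, failed logons can be grouped by user and real client IP and then matched against the lockout time seen on the domain controller. The field name `X-Forwarded-For`, the trusted proxy range `10.0.0.0/24` and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: addresses of your own proxies / load balancers.
TRUSTED_PROXIES = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample of an IIS W3C log with a custom X-Forwarded-For field.
# IIS writes spaces inside a field value as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status X-Forwarded-For
2018-02-12 10:41:07 10.0.0.5 CONTOSO\\jdoe POST /login 401 203.0.113.7
2018-02-12 10:41:09 10.0.0.5 CONTOSO\\jdoe POST /login 401 198.51.100.9,+203.0.113.7
2018-02-12 10:41:12 10.0.0.5 CONTOSO\\jdoe POST /login 401 203.0.113.7,+10.0.0.6
2018-02-12 10:41:30 10.0.0.5 CONTOSO\\asmith GET /app 200 192.0.2.44
2018-02-12 10:42:01 10.0.0.5 - GET /health 200 -
2018-02-12 10:43:00 192.0.2.50 CONTOSO\\svc POST /login 401 -
"""

def real_client(xff, c_ip):
    """Return the rightmost hop that is not one of our proxies.
    Entries further left were supplied by the client and can be forged."""
    hops = [] if xff == "-" else [h.strip() for h in xff.replace("+", " ").split(",")]
    for hop in reversed(hops):
        try:
            if ipaddress.ip_address(hop) not in TRUSTED_PROXIES:
                return hop
        except ValueError:
            break  # malformed entry: stop trusting the header
    return c_ip    # no usable header: fall back to the socket peer

def failed_logons(log_text):
    """Count 401 responses per (username, real client IP)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field list can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("sc-status") == "401" and row.get("cs-username", "-") != "-":
            ip = real_client(row.get("X-Forwarded-For", "-"), row["c-ip"])
            hits[(row["cs-username"], ip)] += 1
    return hits

if __name__ == "__main__":
    for (user, ip), n in failed_logons(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {user:18s} {ip}")
```

IIS W3C log timestamps are in UTC by default, so convert before comparing them with the time of the lockout event on the domain controller.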
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Candy



    Wednesday, February 14, 2018 9:33 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy



    Tuesday, February 20, 2018 9:00 AM
    Moderator