How to audit Internet Information Services (IIS) with Netwrix Auditor

KB1720 | Last review: Jan 27, 2016 | Netwrix Auditor for Windows Server | Netwrix Auditor 7.1 and below

This article provides step-by-step instructions on how to audit Internet Information Services (IIS) with Netwrix Auditor.

  1. Download the Internet Information Services pack and unzip it to the computer where Netwrix Auditor Administrator Console (Netwrix Auditor console in Netwrix Auditor 6.5 and below) is installed.
Note: Exit Netwrix Auditor Administrator Console before you start.
  2. Locate the Internet Information Services folder.
Review the table below and move the files and folders to one of the following locations, depending on your Netwrix Auditor version.

| Netwrix Auditor version | Folder/File name | Computer where Netwrix Auditor Administrator Console is installed |
|---|---|---|
| Netwrix Auditor 6.5 and below | <Download_path>\Internet Information Services: IIS Changes of Application Pools.rdl; IIS Changes of Web Sites.rdl | C:\Program Files (x86)\Netwrix\Event Log Manager\Reports\NetWrix Event Log Manager\Change Reports |
| Netwrix Auditor 7.0 and 7.1 | <Download_path>\Internet_Information_Services\Internet Information Services: Implicit Folder; IIS Changes of Application Pools.rdl; IIS Changes of Web Sites.rdl | C:\ProgramData\Netwrix Auditor\Reports\Netwrix Auditor for Event Log\Change Reports |

When completed, restart the Netwrix Auditor Archive Service.
  3. In Netwrix Auditor Administrator Console, create a new Managed Object for auditing Event Log:
Note: If you use Netwrix Auditor 7.0 or 7.1, do not select the Make audit data available via summary emails only checkbox.
  • On the Audit Archiving Filters step, disable all filters and click Add to create a new filter with the following parameters:
      Name: IIS Events
      Description: Internet Information Services events
      Event Log: Microsoft-IIS-Configuration/Operational
      Write to: Both
  • Review the Managed Object settings and click Finish.
  4. Configure the IIS Operational log size and retention settings:
  • On the computer where Internet Information Services is installed, navigate to Start -> Run and type "eventvwr.msc" to start the Event Viewer.
  • In the Event Viewer snap-in, navigate to Event Viewer (Local) -> Applications and Services Logs -> Microsoft -> Windows -> IIS-Configuration.
  • Right-click the Operational log and select Properties.
  • Select Enable logging, set Maximum log size to 4 GB and make sure Do not overwrite events (Clear logs manually) is cleared. If this option is selected, change the retention method by selecting another option: Overwrite events as needed (oldest events first).
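
The same log settings can be checked and applied from PowerShell, which is useful when several IIS servers need identical settings. This is an added example, not part of the Netwrix article or product; it assumes an elevated session on the IIS server, and the variable and function names are illustrative.

```powershell
# Added example (not Netwrix code): enable the IIS configuration log,
# set its maximum size to 4 GB and make sure it overwrites old events.
$logName    = 'Microsoft-IIS-Configuration/Operational'  # Event Log value used in the filter
$targetSize = 4GB                                        # Maximum log size from the step above

# Hypothetical helper: returns the three settings this step cares about.
function Get-IisLogState {
    $l = Get-WinEvent -ListLog $logName -ErrorAction Stop
    [pscustomobject]@{
        Enabled  = $l.IsEnabled
        MaxBytes = $l.MaximumSizeInBytes
        LogMode  = $l.LogMode   # Retain = "Do not overwrite events (Clear logs manually)"
    }
}

'Before:'
Get-IisLogState | Format-List

# Get-WinEvent -ListLog returns an EventLogConfiguration object that can be edited and saved.
$log     = Get-WinEvent -ListLog $logName -ErrorAction Stop
$changed = $false

if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $changed = $true
}
if ($log.MaximumSizeInBytes -ne $targetSize) {
    $log.MaximumSizeInBytes = $targetSize
    $changed = $true
}
if ($log.LogMode -eq 'Retain') {
    # Circular = "Overwrite events as needed (oldest events first)"
    $log.LogMode = 'Circular'
    $changed = $true
}

if ($changed) {
    $log.SaveChanges()   # requires administrative rights
}

'After:'
Get-IisLogState | Format-List
```

If Get-WinEvent reports that the log does not exist, the Microsoft-IIS-Configuration event channel is not present on that computer and there is nothing for the Managed Object to collect.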

To access IIS reports in a web browser, do the following:
  1. Depending on your Netwrix Auditor version, navigate to one of the following locations:
  • Netwrix Auditor 6.5 and below: Settings -> Audit Archive
  • Netwrix Auditor 7.0: Settings -> Long-Term Archive
  • Netwrix Auditor 7.1 and above: Audit Archive -> Audit Database
  2. Go to your Report Manager URL. In the Home folder, navigate to Netwrix Auditor -> Netwrix Auditor for Event Logs -> Change Reports.
  3. Review available reports:
  • IIS Changes of Application Pools—shows changes in Application Pools, such as adding, deleting, renaming Application Pools, changing their properties, starting, stopping, etc. 
  • IIS Changes of Web Sites—shows changes in Web Sites, such as creating, deleting, renaming, starting and stopping Web Sites, changing their general properties, changing the Binding options: creation, deletion, modification, etc. 
  1. Netwrix Auditor for Event Log audits event-based changes. If the target servers lose events for some reason or Netwrix Auditor is not able to collect these events, reports will not contain configuration changes.
  2. Internet Information Services (IIS) configuration changes made directly in the configuration files, and not through the IIS Manager, will never be logged in the IIS Operational log and will not be reported by Netwrix Auditor.