IIS event sources are unparsed.

  • 7022327
  • 15-Nov-2017
  • 16-Nov-2017

Environment

Microsoft IIS Collector

Situation

All of the events coming into Sentinel from IIS event sources are unparsed

Resolution

To resolve this issue, use the following steps.

1.  Go into the ESM console and remove all of the current collectors/connectors pertaining to IIS.

2.  Download the most current file connector from https://www.netiq.com/support/sentinel/plugins

Note: Consider checking the connectors available under "preview and test" as well as the currently supported connectors.

3.  Delete all of the IIS PersistentData files. You can simply delete the parent folder for IIS. That directory will not exist unless an IIS collector exists.

E.g. /var/opt/novell/sentinel/data/plugindata/collector_PersistentData/Microsoft IIS_007D1A35-63F9-1035-B712-0050569A44CF

4.  Apply and configure the file connector with "is rotating" set to "true".

5.  Complete the remaining configuration as necessary for the IIS collector and event sources. 

Once the new IIS collector is created and receiving events, a corresponding PersistentData file should be created, as long as the incoming raw data contains the proper fields.

E.g. IIS field info

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-06-27 11:06:43
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken OriginalIP


Cause

If for any reason an IIS log file did not contain any fields, the events would not be parsed by Sentinel. If the IIS event source data had previously been processed with fields, Sentinel should have added the fields to the PersistentData files under /var/opt/novell/sentinel/data/plugindata/collector_PersistentData/collector_UUID. However, if the collector_PersistentData files have become corrupt, the events would not be parsed.
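The following is an added example, not Sentinel's or the IIS collector's own code. It shows why the #Fields header (see the IIS field info above) decides whether a log line can be parsed: records are only mapped to named fields when a field list is known, either from a #Fields: line in the file or from a list cached from an earlier file, which stands in for what Sentinel keeps in PersistentData. The cache here is a plain in-memory list (the real PersistentData format is not described on the page and is not modelled), and the sample log lines are constructed.

```python
"""Parse IIS W3C extended log lines, honouring the #Fields: directive.

Added example, not Sentinel or IIS collector code. A file is parseable only
when the field list is known: from its own #Fields: header, or from a cached
list remembered from an earlier file (the role PersistentData plays in
Sentinel). The cache is an in-memory list here; the on-disk format is an
assumption-free stand-in, not the real PersistentData layout.
"""

# Constructed sample: an IIS 8.5 log with its #Fields header present.
# Note: IIS replaces spaces inside values (e.g. User-Agent) with '+',
# so splitting on whitespace is the correct tokenisation.
SAMPLE_WITH_HEADER = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-06-27 11:06:43
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken OriginalIP
2017-06-27 11:06:45 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15 192.0.2.10
2017-06-27 11:06:46 10.0.0.5 POST /login - 80 - 192.0.2.11 Mozilla/5.0 http://example.test/ 401 2 5 30 192.0.2.11
"""

# Constructed sample: a rotated file that carries records but no header.
SAMPLE_WITHOUT_HEADER = """\
2017-06-27 11:07:01 10.0.0.5 GET /admin - 80 - 192.0.2.12 curl/7.0 - 403 0 0 3 192.0.2.12
"""


def parse_w3c_log(text, cached_fields=None):
    """Return (events, unparsed, fields).

    events   - list of dicts keyed by the W3C field names
    unparsed - raw lines that could not be mapped to a known field list
    fields   - the field list in effect at the end of the file (to cache),
               or None if no list was ever seen
    """
    fields = list(cached_fields) if cached_fields else None
    events, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line; only #Fields: changes how records are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            # No field list known, or a list that does not fit the record
            # (a stale or corrupt cache): keep the raw line, do not guess.
            unparsed.append(line)
            continue
        events.append(dict(zip(fields, values)))
    return events, unparsed, fields


if __name__ == "__main__":
    ev, bad, cached = parse_w3c_log(SAMPLE_WITH_HEADER)
    print(len(ev), "parsed,", len(bad), "unparsed from the headed file")
    ev2, bad2, _ = parse_w3c_log(SAMPLE_WITHOUT_HEADER)
    print(len(ev2), "parsed,", len(bad2), "unparsed with no cache")
    ev3, bad3, _ = parse_w3c_log(SAMPLE_WITHOUT_HEADER, cached_fields=cached)
    print(len(ev3), "parsed,", len(bad3), "unparsed with the cached fields")
```

Running the three calls in order reproduces the article's cases: the headed file parses fully, the headerless file is entirely unparsed when nothing is cached, and it parses once the field list from the earlier file is supplied. Passing a truncated or otherwise wrong cached list makes every record land in the unparsed bucket again, which is the symptom a corrupt PersistentData file produces.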