IISW-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 8.5 website must be enabled.

Information

Internet Information Services (IIS) on Windows Server 2012 provides basic logging capabilities. However, because IIS takes some time to flush logs to disk, administrators do not have access to logging information in real time. In addition, text-based log files can be difficult and time-consuming to process.

In IIS 8.5, the administrator has the option of sending logging information to Event Tracing for Windows (ETW). This option gives the administrator the ability to use standard query tools, or create custom tools, for viewing real-time logging information in ETW. This provides a significant advantage over parsing text-based log files that are not updated in real time.

Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166

Solution

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Click the site name.

Click the 'Logging' icon.

Under Log Event Destination, select the 'Both log file and ETW event' radio button.

Select 'Apply' from the 'Actions' pane.
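
The same setting can be checked across every site from PowerShell. The script below is an added example, not part of the STIG text: it reads the `logTargetW3C` attribute that backs the 'Log Event Destination' choice and reports any site not set to both targets. It assumes the WebAdministration module that ships with IIS and an elevated session on the web server; the `-Remediate` switch and the output column names are this example's own.

```powershell
# Audit (and optionally fix) the log event destination for every IIS site.
# Assumption: run elevated on the web server, with the WebAdministration module available.
[CmdletBinding()]
param(
    # Hypothetical switch for this example: apply 'File,ETW' to non-compliant sites.
    [switch]$Remediate
)

Import-Module WebAdministration -ErrorAction Stop

$required = 'File', 'ETW'

$report = foreach ($site in Get-Website) {
    $path    = "IIS:\Sites\$($site.Name)"
    $logFile = Get-ItemProperty -Path $path -Name logFile

    # logTargetW3C is a flags attribute; it reads back as 'File', 'ETW' or 'File,ETW'.
    $targets = ([string]$logFile.logTargetW3C) -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    $missing   = @($required | Where-Object { $targets -notcontains $_ })
    $compliant = ($missing.Count -eq 0)

    if (-not $compliant -and $Remediate) {
        # Equivalent to selecting 'Both log file and ETW event' and clicking Apply.
        Set-ItemProperty -Path $path -Name 'logFile.logTargetW3C' -Value 'File,ETW'
        $logFile   = Get-ItemProperty -Path $path -Name logFile
        $compliant = ([string]$logFile.logTargetW3C) -match 'File' -and
                     ([string]$logFile.logTargetW3C) -match 'ETW'
    }

    [pscustomobject]@{
        Site        = $site.Name
        LogFormat   = [string]$logFile.logFormat   # logTargetW3C applies to W3C-format logging
        LogTarget   = [string]$logFile.logTargetW3C
        Compliant   = $compliant
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled compliance job flag the host.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it without `-Remediate` first to see which sites deviate before changing anything.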

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_8-5_Y22M01_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5a., 800-53|AU-14(1), CAT|II, CCI|CCI-000139, CCI|CCI-001464, Rule-ID|SV-214449r508659_rule, STIG-ID|IISW-SI-000206, STIG-Legacy|SV-91481, STIG-Legacy|V-76785, Vuln-ID|V-214449

Plugin: Windows

Control ID: 3db8ddd95fd20a1e6b8de38ec2e3b55bfc9cdbbde7c86aafdf1f3ce0a2f13128