Microsoft Internet Information Services (IIS) events are not parsed correctly, or are not translated at all.
Symptoms
This is the IIS log file header from a setup that does not work:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-03-05 02:02:55
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
This is the IIS log file header from a working setup. Note that it contains many more fields:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-03-30 09:43:08
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
Microsoft IIS is not set up to log all fields.
In order for the Microsoft IIS Event Collector to parse fields properly, IIS must have all fields enabled for logging.
This is how it looks in IIS; you need to check ALL the boxes.
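To confirm the cause from a log file itself, the following added example (not taken from the collector guide or the product) compares every #Fields directive in a log against the field set of the working header shown above. The function names and the embedded sample are constructed for illustration.

```python
# Full field set, copied from the working header shown in this article.
REQUIRED_FIELDS = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem "
    "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
    "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
    "sc-win32-status sc-bytes cs-bytes time-taken"
).split()


def fields_directives(lines):
    """Yield (line_number, fields) for every #Fields: directive found."""
    for number, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            yield number, line[len("#Fields:"):].split()


def missing_fields(lines):
    """Map each incomplete #Fields line number to the fields it lacks."""
    report = {}
    for number, logged in fields_directives(lines):
        missing = [f for f in REQUIRED_FIELDS if f not in logged]
        if missing:
            report[number] = missing
    return report


# Constructed sample: the non-working header from this article followed by
# a complete header, as one file would look after logging is reconfigured.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Date: 2010-03-05 02:02:55",
    "#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
    "sc-win32-status",
    "#Date: 2010-03-30 09:43:08",
    "#Fields: " + " ".join(REQUIRED_FIELDS),
])

if __name__ == "__main__":
    import sys
    # With a path argument, check that file; otherwise check the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for number, missing in missing_fields(lines).items():
        print(f"line {number}: missing {' '.join(missing)}")
```

An empty result means every #Fields header in the file carries the full field set; any reported line marks a period during which the log was written with fields disabled.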
References
This is covered in the Microsoft IIS event collector Guide (SEC_for_MS-IIS_43.pdf, page 11 - section "Configuring your security product to work with the collector")