In an attempt to monitor the security protocols and ciphers used by clients connecting to an IIS 8.5 server, we have activated four custom logging fields that return the protocol, cipher, hash and key exchange:
These four new fields are appended to the standard IIS log:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken crypt-protocol crypt-cipher crypt-hash crypt-keyexchange
We would like to be able to visualize which protocols and ciphers are being used/not used, so we can harden the web server. From what I understand, this should be possible by adding the fields to import_logs.py, and then extracting the data into custom dimensions.
Would it be possible to update the README.md to include an example of how we might achieve this, or provide some kind of template for extracting the TLS data?
Thank you for opening the issue. We've put it in our backlog for prioritisation. Since the mechanism should already be supported, we'll look into providing an example for this (or better guidance for the existing docs).
Would you be able to provide some anonymised log rows with different values as an example? Thanks!
Many thanks for your response. I've attached a sample IIS log file with 100 rows, containing the four extra custom fields. I've edited this quite a bit manually to remove any traces of our application URLs, etc, so if it fails to import, just let me know and I'll endeavor to provide another working log file.
Many thanks in advance!
(The following forum thread describes the issue: Tracking TLS Version)
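An added example, not part of the original thread and not code from import_logs.py: a stand-alone Python sketch that reads the `#Fields:` header, decodes the four `crypt-*` columns and tallies negotiated suites and the clients still on legacy protocols. It assumes IIS writes these columns as hexadecimal Schannel protocol flags and CryptoAPI ALG_ID values and writes `-` for plain HTTP requests; the function names and the sample rows are constructed for illustration.

```python
import collections

# Assumption: IIS logs Schannel protocol flags and CryptoAPI ALG_IDs as bare hex.
PROTOCOLS = {"10": "SSL 3.0", "40": "TLS 1.0", "100": "TLS 1.1", "400": "TLS 1.2"}
ALG_IDS = {"6603": "3DES", "6801": "RC4", "660e": "AES-128", "6610": "AES-256",
           "8003": "MD5", "8004": "SHA-1", "800c": "SHA-256", "800d": "SHA-384",
           "a400": "RSA", "aa02": "DHE", "ae06": "ECDHE"}
LEGACY = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
TLS_FIELDS = ("crypt-protocol", "crypt-cipher", "crypt-hash", "crypt-keyexchange")

# Constructed sample rows (not taken from the attached log file).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken crypt-protocol crypt-cipher crypt-hash crypt-keyexchange
2017-06-01 10:00:01 192.0.2.10 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15 400 6610 800d ae06
2017-06-01 10:00:02 192.0.2.10 GET /app.js - 443 - 198.51.100.8 Mozilla/5.0+(X11;+Linux) - 200 0 0 9 400 6610 800d ae06
2017-06-01 10:00:03 192.0.2.10 POST /login - 443 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+8.0) - 302 0 0 31 40 6603 8004 a400
2017-06-01 10:00:04 192.0.2.10 GET / - 80 - 203.0.113.9 curl/7.50 - 301 0 0 2 - - - -
"""

def decode(field, raw):
    """Map one logged hex value to a readable name, keeping unknown values visible."""
    table = PROTOCOLS if field == "crypt-protocol" else ALG_IDS
    return table.get(raw.lower(), "unknown(0x%s)" % raw.lower())

def parse(lines):
    """Yield one dict per TLS request with the four crypt-* fields decoded."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS can re-emit this header mid-file
        elif line and not line.startswith("#"):
            # IIS replaces spaces inside values with "+", so a space split is safe.
            row = dict(zip(fields, line.split(" ")))
            if row.get("crypt-protocol", "-") != "-":  # "-" means no TLS session
                row.update({f: decode(f, row[f]) for f in TLS_FIELDS})
                yield row

def summarize(lines):
    """Return (suite -> request count, client IP -> legacy protocols seen)."""
    suites = collections.Counter()
    legacy_clients = collections.defaultdict(set)
    for row in parse(lines):
        suites[tuple(row[f] for f in TLS_FIELDS)] += 1
        if row["crypt-protocol"] in LEGACY:
            legacy_clients[row["c-ip"]].add(row["crypt-protocol"])
    return suites, dict(legacy_clients)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

A suite that never appears in the tally over a representative period is a candidate for disabling; the legacy client list shows who would be affected first.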