How to Enable Logs in "Microsoft-IIS-Configuration/Operational" in IIS

Ali Refahiati 20 Reputation points
2024-08-19T05:21:47.3766667+00:00

Hi everyone,

I'm currently working on enhancing the security monitoring of my IIS server, and I came across the "Microsoft-IIS-Configuration/Operational" section in the logs within the event viewer.

I have a few questions:

  1. How can I enable logging for this specific section?
  2. What exactly is logged in the "Microsoft-IIS-Configuration/Operational" section? I’m particularly interested in understanding the details of the logs stored here and how they can be leveraged for security auditing and monitoring. Are these logs relevant for identifying potential configuration changes or security-related activities?
  3. Where can I find detailed information or documentation about what exactly is logged in this section?

Any guidance or resources on how to activate and effectively use these logs for security auditing and monitoring purposes would be greatly appreciated.

Thanks in advance for your help!


Accepted answer
  1. Jinlei Shuang-MSFT 80 Reputation points Microsoft Vendor
    2024-08-19T09:02:47.9666667+00:00

    Hi @Ali Refahiati ,

    1. Open Command Prompt and enter the following commands.
    • Lists additional logs available for IIS: wevtutil el | findstr -i IIS
    • Configuration for the selected log: wevtutil gl Microsoft-IIS-Configuration/Operational
    • Enable the selected log: wevtutil sl /e:true Microsoft-IIS-Configuration/Operational

    When enabled, the default path for this log is C:\Windows\System32\winevt\Logs\Microsoft-IIS-Configuration%4Operational.evtx.

    2. The Microsoft IIS Configuration Operational log captures the addition and removal of IIS modules. By enabling this logging, you'll be able to detect any backdoor installations and unauthorized modifications to your system in real time. This is a critical security measure that can help you safeguard your data and ensure the smooth operation of your web services. You can learn more about it from this Microsoft official blog.

    Best regards,

    Jinlei Shuang


    1 person found this answer helpful.
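
The steps in the accepted answer, as an added PowerShell example that is not part of the original thread: it enables the channel with the same `wevtutil` command only if it is currently disabled, then lists recent entries that mention modules for audit review. The seven-day window and the `modules` text filter are assumptions chosen for illustration; adjust them to what your own log entries contain.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session.
$LogName = 'Microsoft-IIS-Configuration/Operational'

# Read the channel's current state (same information as: wevtutil gl <log>).
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop

if (-not $log.IsEnabled) {
    # Enable the channel with the command given in the answer.
    wevtutil sl /e:true $LogName
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    $log = Get-WinEvent -ListLog $LogName
}
"{0}: enabled={1}, file={2}" -f $log.LogName, $log.IsEnabled, $log.LogFilePath

# Assumptions: the look-back window and the message pattern are illustrative.
$Since   = (Get-Date).AddDays(-7)
$Pattern = 'modules'

# Get-WinEvent raises an error when nothing matches, so suppress it and
# treat an empty result as "no configuration events in the window".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Show who changed what, oldest first, for entries whose text mentions modules.
$events |
    Where-Object { $_.Message -match $Pattern } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'UserSid'; Expression = { $_.UserId } },
        Message |
    Format-List
```

Only changes made after the channel is enabled are recorded, so an empty result on a freshly enabled log is expected.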