
Critical Bugs in crowdsecurity/iis-logs Parser #1563

@duartenuno2

Description


Environment: Windows Server 2012R2, 2026, 2019, 2022, 2025, IIS (W3C logs + ETW EventID 6200)
CrowdSec Version Tested: 1.6.11

Note: Parser appears unchanged in version 1.7.3, suggesting bugs persist across versions.

Problem

The crowdsecurity/iis-logs parser has 2 critical bugs that prevent detection scenarios from working:

Bug 1: Incorrect HTTP Verb Mapping
Affected field: evt.Parsed.verb
The parser extracts the HTTP method using grok as http_method, but incorrectly maps it as method (which doesn't exist).

Impact:
Scenarios depending on evt.Parsed.verb fail (e.g., http-bf-wordpress_bf, http-bf-wordpress_xmlrpc)

Fix (Node 2 - W3C file logs section):

```yaml
- meta: http_verb
  expression: evt.Parsed.http_method # ✓ (was: evt.Parsed.method)
- parsed: verb
  expression: evt.Parsed.http_method # ✓ (was: evt.Parsed.method)
```

Bug 2: User-Agent Not Available in evt.Parsed
Affected field: evt.Parsed.http_user_agent
The parser extracts User-Agent to evt.Meta.http_user_agent, but scenarios (including crowdsecurity/http-bad-user-agent) look for it in evt.Parsed.http_user_agent.

Impact:
Malicious bot detection doesn't work
crowdsecurity/http-bad-user-agent fails silently

Fix (Node 1 - ETW events section):

```yaml
- meta: http_user_agent
  expression: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@name='csUser-Agent']")
- parsed: http_user_agent # ← ADD THIS
  expression: evt.Meta.http_user_agent # ← ADD THIS
```

Fix (Node 2 - W3C file logs section):

```yaml
- meta: http_user_agent
  expression: evt.Parsed.user_agent
- parsed: http_user_agent # ← ADD THIS
  expression: evt.Parsed.user_agent # ← ADD THIS
```

Validation
Fixes tested and validated with:
✅ Real IIS logs (wp-login.php, xmlrpc.php, multiple user-agents)
✅ Windows Server 2012R2, 2016, 2019, 2022, 2025
✅ CrowdSec 1.6.11
✅ Both W3C file logs + ETW events (EventID 6200)
✅ WordPress brute-force scenarios (http-bf-wordpress_bf) working
✅ Scenario crowdsecurity/http-bad-user-agent working

Complete Fixed File
Attached is the complete iis-logs.yaml file with both fixes applied, tested in production environment.
iis-logs(custom).yaml
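The two mapping failures above, reconstructed as an added Python example (not crowdsec's code and not the author's attached file): a constructed W3C line is reduced to the grok field names the issue reports (http_method, user_agent; the remaining names and the simplified scenario filter are assumptions), then the original and the fixed statics are applied to it the way a statics list copies values into evt.Meta / evt.Parsed.

```python
"""Constructed mimic of the CrowdSec statics step for the two bugs in this issue."""

# Constructed W3C header and line; not taken from a real server.
FIELDS = "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status"
LINE = "2024-01-01 00:00:01 10.0.0.5 POST /wp-login.php - 443 - 203.0.113.7 Mozilla/5.0+(bot) 200"

# Assumed W3C field -> grok capture name; http_method and user_agent are the names the issue cites.
W3C_TO_GROK = {"cs-method": "http_method", "cs-uri-stem": "request",
               "c-ip": "source_ip", "cs(User-Agent)": "user_agent", "sc-status": "status"}

def parse_w3c(header: str, line: str) -> dict:
    """Split a W3C line by its #Fields header; '+' in IIS user-agents stands for a space."""
    raw = dict(zip(header.split(), line.split()))
    return {W3C_TO_GROK[k]: v.replace("+", " ") for k, v in raw.items() if k in W3C_TO_GROK}

def apply_statics(parsed: dict, statics: list) -> dict:
    """Copy each static's source (evt.<scope>.<key>) into its meta: or parsed: target."""
    evt = {"Parsed": dict(parsed), "Meta": {}}
    for s in statics:
        target_kind = "Meta" if "meta" in s else "Parsed"
        target_key = s.get("meta") or s["parsed"]
        scope, key = s["expression"].split(".")[1:3]
        evt[target_kind][target_key] = evt[scope].get(key)  # None when the source key never existed
    return evt

ORIGINAL_STATICS = [
    {"meta": "http_verb", "expression": "evt.Parsed.method"},       # bug 1: 'method' is never set
    {"parsed": "verb", "expression": "evt.Parsed.method"},
    {"meta": "http_user_agent", "expression": "evt.Parsed.user_agent"},  # bug 2: only Meta gets it
]
FIXED_STATICS = [
    {"meta": "http_verb", "expression": "evt.Parsed.http_method"},
    {"parsed": "verb", "expression": "evt.Parsed.http_method"},
    {"meta": "http_user_agent", "expression": "evt.Parsed.user_agent"},
    {"parsed": "http_user_agent", "expression": "evt.Parsed.user_agent"},  # the added static
]

def wp_login_post_seen(evt: dict) -> bool:
    """Assumed, simplified stand-in for what http-bf-wordpress_bf needs from evt.Parsed."""
    p = evt["Parsed"]
    return p.get("verb") == "POST" and "wp-login.php" in p.get("request", "")

def user_agent_visible(evt: dict) -> bool:
    """What a scenario reading evt.Parsed.http_user_agent (e.g. http-bad-user-agent) sees."""
    return bool(evt["Parsed"].get("http_user_agent"))
```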
