IIS logs sourcetype

rcovert
Path Finder

Hi,

I am running the Splunk indexer on a Linux machine and have the universal forwarder installed on a remote Windows machine. I am monitoring IIS logs on the remote server in the Web Intelligence App.

The IIS logs are coming into the indexer fine, but they are coming in as sourcetype "u_ex". How can I set the sourcetype to IIS?

Is there anything else I will have to do to make the Web Intelligence App see these logs?

Thanks in advance.

0 Karma

treinke
Builder

Here is what I have in my inputs.conf file for IIS servers:

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC*\]
disabled = false
followTail = 0
recursive = true
index=iis

You will need to have an index on the indexer named iis or whatever value you put in the index field.

There are no answers without questions
0 Karma

treinke
Builder

Put that on the IIS server sending the logs (on the remote server).

C:\Program Files\Splunk\etc\system\local\inputs.conf

There are no answers without questions
0 Karma

rcovert
Path Finder

Do I put that in the inputs.conf in the Web Intelligence app (/opt/splunk/etc/apps/webintelligence/local/inputs.conf) or /opt/splunk/etc/system/local/inputs.conf?

Will C: work if the C: is on a remote server?

0 Karma
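
The stanza posted above does not set a sourcetype, so the following is an added example (not part of any post in this thread) showing the forwarder input with an explicit sourcetype next to the matching index definition on the indexer. It assumes the sourcetype the app expects is Splunk's pretrained `iis`, and the `indexes.conf` location and bucket paths are assumptions based on the `/opt/splunk` install mentioned in the thread.

```ini
# --- On the Windows IIS server (universal forwarder) ---
# File: etc\system\local\inputs.conf under the forwarder's install directory
[monitor://C:\WINDOWS\system32\LogFiles\W3SVC*\]
disabled = false
recursive = true
# Set the sourcetype at input time; without this line the events
# arrive as "u_ex", as described in the question.
sourcetype = iis
# Must match an index that exists on the indexer (see below).
index = iis

# --- On the Linux indexer ---
# File: /opt/splunk/etc/system/local/indexes.conf (assumed location)
# Defines the index named in the forwarder's inputs.conf.
[iis]
homePath   = $SPLUNK_DB/iis/db
coldPath   = $SPLUNK_DB/iis/colddb
thawedPath = $SPLUNK_DB/iis/thaweddb
```

Restart the forwarder and the indexer after editing these files. The new sourcetype applies only to events indexed after the change; events already indexed as `u_ex` keep that sourcetype.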