Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

IIS Logs and Universal Forwarder?

singhg
Explorer
‎04-19-2012 12:35 PM

Hi,

I am trying to forward IIS logs from one of the server that has forwarder installed. I have below config settings. I don't see any IIS logs on my splunk server.

Inputs.conf
[monitor://c:\inetpub\logs\LogFiles]
ignoreOlderThan = 14d
host =

What Am I missing?

Tags (2)
Reply

mahsaalaeifar
Explorer
‎11-28-2018 09:33 PM

if you have deployment server and want to collect logs from web server through Universal Forwarder, the following may help you

  1. install "Splunk app for web analytics" on SH
  2. Install "splunk add-on for microsioft iis" on SH
  3. Install "splunk add-on for microsioft iis" on IDX
  4. Install UF on the web server
  5. Copy the app “Splunk_TA_microsoft-iis” from $splunk home/etc/apps to “Splunk_TA_microsoft-iis” in $splunk home/etc/deploymentapps
  6. Create inputs.conf in /$splunk home/etc/deploymentapps /Splunk_TA_microsoft-iis/local

monitor://C:\IIS-LOG-Files\W3SVC*.*
disabled = false
sourcetype =iis
index=my-index

  1. Create props.conf in $splunk home/etc/deploymentapps/Splunk_TA_microsoft-iis/local

[iis]
INDEXED_EXTRACTIONS = w3c

make sure you have created output.conf in local directory to send logs to indexer
example of outputs.conf :

[tcpout]
defaultGroup = indexer

[tcpout:indexer]
server = indexer_IP:9997
autoLB = true

  1. Create server class my-serverclass on DS(Deployment server)
  2. Add the Splunk_TA_microsoft-iis to My-serverclass as the app
  3. Create the index My index on IDX
  4. Add the web server as client to My-server-class
  5. Check the web server c:/programfile/splunkuniversalforwarder/ec/app to assure the app Splunk_TA_microsoft-iis is pulled
  6. Restart the splunkuniversalforwarder service on web server
  7. Search for sourcetype iis and index My-index on SH
0 Karma
Reply

paul_1994
Path Finder
‎09-28-2012 03:11 PM

Everything looks correct to me as far as my setup goes.

where are you editing the inputs.conf file? is it in etc\system\local or some app?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-28-2012 10:26 AM

on the forwarder, define an input in a inputs.conf

[monitor://c:\myiisfolder\]
disabled = false
followTail = 0
sourcetype=iis

make sure that the forwarder has outputs.conf configured.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...