Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

IIS Logs and Universal Forwarder?

singhg
Explorer
‎04-19-2012 12:35 PM

Hi,

I am trying to forward IIS logs from one of the server that has forwarder installed. I have below config settings. I don't see any IIS logs on my splunk server.

Inputs.conf
[monitor://c:\inetpub\logs\LogFiles]
ignoreOlderThan = 14d
host =

What Am I missing?

Tags (2)
Reply

mahsaalaeifar
Explorer
‎11-28-2018 09:33 PM

if you have deployment server and want to collect logs from web server through Universal Forwarder, the following may help you

  1. install "Splunk app for web analytics" on SH
  2. Install "splunk add-on for microsioft iis" on SH
  3. Install "splunk add-on for microsioft iis" on IDX
  4. Install UF on the web server
  5. Copy the app “Splunk_TA_microsoft-iis” from $splunk home/etc/apps to “Splunk_TA_microsoft-iis” in $splunk home/etc/deploymentapps
  6. Create inputs.conf in /$splunk home/etc/deploymentapps /Splunk_TA_microsoft-iis/local

monitor://C:\IIS-LOG-Files\W3SVC*.*
disabled = false
sourcetype =iis
index=my-index

  1. Create props.conf in $splunk home/etc/deploymentapps/Splunk_TA_microsoft-iis/local

[iis]
INDEXED_EXTRACTIONS = w3c

make sure you have created output.conf in local directory to send logs to indexer
example of outputs.conf :

[tcpout]
defaultGroup = indexer

[tcpout:indexer]
server = indexer_IP:9997
autoLB = true

  1. Create server class my-serverclass on DS(Deployment server)
  2. Add the Splunk_TA_microsoft-iis to My-serverclass as the app
  3. Create the index My index on IDX
  4. Add the web server as client to My-server-class
  5. Check the web server c:/programfile/splunkuniversalforwarder/ec/app to assure the app Splunk_TA_microsoft-iis is pulled
  6. Restart the splunkuniversalforwarder service on web server
  7. Search for sourcetype iis and index My-index on SH
0 Karma
Reply

paul_1994
Path Finder
‎09-28-2012 03:11 PM

Everything looks correct to me as far as my setup goes.

where are you editing the inputs.conf file? is it in etc\system\local or some app?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-28-2012 10:26 AM

on the forwarder, define an input in a inputs.conf

[monitor://c:\myiisfolder\]
disabled = false
followTail = 0
sourcetype=iis

make sure that the forwarder has outputs.conf configured.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...