IIS 8.0 logfiles

groundLoop · ‎08-16-2013

I can't seem to get Splunk to injest IIS 8.0 logfiles. I've installed a universal forwarder on a Windows Server 2012 server with IIS 8.0. IIS is configured to log in the w3c format. The UF is configured to monitor the IIS logfile folder.

In Splunk, I can see only a few events, parsing the first two lines of the log file, which are comments and should be ignored. The actually IIS events are not present.

The source types on the events I am seeing in Splunk are "u_ex" and "iis-2".

Thanks in advance.

ogdin · ‎02-13-2014

If you are using Splunk 6 on both forwarder and indexer, you should try to take advantage of the headers feature we built that better understands IIS and W3C log formats.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime

If you are seeing this "iis-2" sourcetype, we are attempting to use the CHECK_FOR_HEADER feature which is deprecated as of Splunk 6 and never worked very well for this format.

On your forwarder, you should have in inputs.conf

[monitor:///path-to-directory] sourcetype=iis

Under the covers, we are using props.conf to set INDEXED_EXTRACTIONS=W3C on the IIS sourcetype, ignore the first few lines of the header, and automatically map the fields found in the IIS header.

jgedeon120 · ‎08-17-2013

If you run $SPLUNK_HOME/bin/splunk monitor-list show the files being monitored? You can also check the logs on the UF to see if there are issues reported with reading the files.

IIS 8.0 logfiles

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases