Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

IIS Logs and Universal Forwarder?

singhg
Explorer
‎04-19-2012 12:35 PM

Hi,

I am trying to forward IIS logs from one of the server that has forwarder installed. I have below config settings. I don't see any IIS logs on my splunk server.

Inputs.conf
[monitor://c:\inetpub\logs\LogFiles]
ignoreOlderThan = 14d
host =

What Am I missing?

Tags (2)
Reply

mahsaalaeifar
Explorer
‎11-28-2018 09:33 PM

if you have deployment server and want to collect logs from web server through Universal Forwarder, the following may help you

  1. install "Splunk app for web analytics" on SH
  2. Install "splunk add-on for microsioft iis" on SH
  3. Install "splunk add-on for microsioft iis" on IDX
  4. Install UF on the web server
  5. Copy the app “Splunk_TA_microsoft-iis” from $splunk home/etc/apps to “Splunk_TA_microsoft-iis” in $splunk home/etc/deploymentapps
  6. Create inputs.conf in /$splunk home/etc/deploymentapps /Splunk_TA_microsoft-iis/local

monitor://C:\IIS-LOG-Files\W3SVC*.*
disabled = false
sourcetype =iis
index=my-index

  1. Create props.conf in $splunk home/etc/deploymentapps/Splunk_TA_microsoft-iis/local

[iis]
INDEXED_EXTRACTIONS = w3c

make sure you have created output.conf in local directory to send logs to indexer
example of outputs.conf :

[tcpout]
defaultGroup = indexer

[tcpout:indexer]
server = indexer_IP:9997
autoLB = true

  1. Create server class my-serverclass on DS(Deployment server)
  2. Add the Splunk_TA_microsoft-iis to My-serverclass as the app
  3. Create the index My index on IDX
  4. Add the web server as client to My-server-class
  5. Check the web server c:/programfile/splunkuniversalforwarder/ec/app to assure the app Splunk_TA_microsoft-iis is pulled
  6. Restart the splunkuniversalforwarder service on web server
  7. Search for sourcetype iis and index My-index on SH
0 Karma
Reply

paul_1994
Path Finder
‎09-28-2012 03:11 PM

Everything looks correct to me as far as my setup goes.

where are you editing the inputs.conf file? is it in etc\system\local or some app?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-28-2012 10:26 AM

on the forwarder, define an input in a inputs.conf

[monitor://c:\myiisfolder\]
disabled = false
followTail = 0
sourcetype=iis

make sure that the forwarder has outputs.conf configured.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...