<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Add-On for Microsoft IIS Default Settings in All Apps and Add-ons</title>
    <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322425#M38574</link>
    <description>&lt;P&gt;Typically, IIS logs are ingested directly from the web server using a universal forwarder.  Take a look at the documentation for the Add-on &lt;A href="http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Setupaddon"&gt;here&lt;/A&gt;.  I'm not sure if that gets you around the issue of not logging the host or not.&lt;/P&gt;</description>
    <pubDate>Sat, 09 Sep 2017 15:57:06 GMT</pubDate>
    <dc:creator>kmorris_splunk</dc:creator>
    <dc:date>2017-09-09T15:57:06Z</dc:date>
    <item>
      <title>Splunk Add-On for Microsoft IIS Default Settings</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322424#M38573</link>
      <description>&lt;P&gt;This application includes several FIELDALIAS commands in props.conf for the sourcetypes defined. One of these is "FIELDALIAS-s_computername = s_computername as host" which reassigns the host value at search time from the value of s_computername in the event. We don't log the host name in all of our IIS events so Splunk pulled the port (80 or 443) into this field resulting in the majority of our events showing the port for the host.&lt;/P&gt;

&lt;P&gt;My question is: Is it a standard practice to send IIS logs through a syslog server? This setting seems like it would only be helpful under that scenario. If IIS logs are sent through a syslog server then I would need to have IIS include the hostname so I could pull it from there. Otherwise all events would have the syslog server as the host.&lt;/P&gt;

&lt;P&gt;If it is not a standard practice, and I don't think it is, why is this a default setting in the app?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 15:38:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322424#M38573</guid>
      <dc:creator>timpacl</dc:creator>
      <dc:date>2020-09-29T15:38:40Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-On for Microsoft IIS Default Settings</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322425#M38574</link>
      <description>&lt;P&gt;Typically, IIS logs are ingested directly from the web server using a universal forwarder.  Take a look at the documentation for the Add-on &lt;A href="http://docs.splunk.com/Documentation/AddOns/released/MSIIS/Setupaddon"&gt;here&lt;/A&gt;.  I'm not sure if that gets you around the issue of not logging the host or not.&lt;/P&gt;</description>
      <pubDate>Sat, 09 Sep 2017 15:57:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322425#M38574</guid>
      <dc:creator>kmorris_splunk</dc:creator>
      <dc:date>2017-09-09T15:57:06Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-On for Microsoft IIS Default Settings</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322426#M38575</link>
      <description>&lt;P&gt;Thanks kmorris. The solution was to comment out the offending line. Since this is a search time config, that fixed the issue retroactively. &lt;/P&gt;

&lt;P&gt;The question, however, is why is that setting enabled by default? It seems to support an infrequent use case which means it should not be enabled by default.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Sep 2017 21:42:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322426#M38575</guid>
      <dc:creator>timpacl</dc:creator>
      <dc:date>2017-09-11T21:42:20Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-On for Microsoft IIS Default Settings</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322427#M38576</link>
      <description>&lt;P&gt;Thanks for the follow up with the solution!&lt;/P&gt;</description>
      <pubDate>Wed, 08 Aug 2018 11:01:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322427#M38576</guid>
      <dc:creator>jkat54</dc:creator>
      <dc:date>2018-08-08T11:01:11Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-On for Microsoft IIS Default Settings</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322428#M38577</link>
      <description>&lt;P&gt;I changed the line&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;FIELDALIAS-s_computername = s_computername as host
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;to&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;FIELDALIAS-s_computername = s_computername ASNEW host
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;so it won't overwrite the value with null() since my IIS logs don't have the s_computername field.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Oct 2019 18:32:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322428#M38577</guid>
      <dc:creator>guarisma</dc:creator>
      <dc:date>2019-10-23T18:32:07Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-On for Microsoft IIS Default Settings</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322429#M38578</link>
      <description>&lt;P&gt;A lot has changed in the way you set up parsing add-ons since this was initially made. Back in Splunk 6.x, normally you would see FIELDALIAS rules for all fields that the data provided to normalize it.&lt;/P&gt;

&lt;P&gt;FIELDALIAS frequently causes problems now due to the new way it works, and NULLs overriding actual data is a problem if there is no source field matching the FIELDALIAS definition.  Back in Splunk 6.x, you would not have this issue, as the lack of a source field (s_computername) would result in the FIELDALIAS getting skipped, and the host field you already had would still be there when you search.&lt;/P&gt;

&lt;P&gt;On the other hand, overriding host for Splunk data on a forwarder is unnecessary in most cases, as the host field would already exist. It would make sense for the maintainer of this add-on to remove or disable this one in particular.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2020 17:35:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-On-for-Microsoft-IIS-Default-Settings/m-p/322429#M38578</guid>
      <dc:creator>mhessel</dc:creator>
      <dc:date>2020-01-24T17:35:58Z</dc:date>
    </item>
  </channel>
</rss>

