topic IIS integration with splunk in Getting Data In

IIS integration with splunk

Nawab — Wed, 29 Jan 2025 12:17:04 GMT

I have an IIS server that is sending logs to splunk, and the logs are saved in w3c format. but I found that logs are save in UTC time format. and only IIS format can save logs in local time but there is no parser for IIs.

if someone have integrated IIS do let me know

Re: IIS integration with splunk

SanjayReddy — Wed, 29 Jan 2025 14:18:36 GMT

Hi @Nawab

Have you tried integrated using add on and documention, this documentation helps to setup the iis logs

https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About

https://splunkbase.splunk.com/app/3185

Re: IIS integration with splunk

dural_yyz — Wed, 29 Jan 2025 14:21:02 GMT

Can you tell me which format your are ingesting from these examples.

https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90)

#Software: Internet Information Services 6.0 #Version: 1.0 #Date: 2001-05-02 17:42:15 #Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0

192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SALES1, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -, 172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,

Once you confirm which format someone should be able to provide a recommended props.conf for the ingested sourcetype.

Ofcourse you could opt for the app from Splunk base which looks to be very complete for IIS server logs.

https://splunkbase.splunk.com/app/3185

Re: IIS integration with splunk

Nawab — Thu, 30 Jan 2025 07:56:34 GMT

Hi, I have installed the add on on search head and indexers, but it is not working.

I am using 1st log format which w3c.

The time in w3c is UTC, but we need it in gtm+3.

for second log format which is IIS, it is not pared at any sourcetype available in addon