topic Re: IIS Advance Logs Forwarding in Getting Data In

IIS Advance Logs Forwarding

jgodfrey_kumc — Thu, 18 Apr 2013 17:52:55 GMT

Mt question here is very similar to the question posted here: http://serverfault.com/questions/469383/iis-advanced-logging-forward-to-syslog.

I am looking for a method that would allow us to forward the IIS Advanced Logging logs to Splunk. We are able to forward regular IIS logs; however I am not sure how to make it work the same for IIS Advanced Logging.

The default file path is different for IIS Advanced Logging (%SystemDrive%\inetpub\logs\AdvancedLogs) and it appears that the file names are based upon the UTC time, see here, and not the local date and time that you can specify with regular logging. This also creates and issue for developing some type of wildcard rule.

Any ideas are welcome.

Re: IIS Advance Logs Forwarding

alacercogitatus — Thu, 18 Apr 2013 18:04:10 GMT

I implemented this with a new sourcetype and input. I justified a new sourcetype because it is a different model than iis, and has different fields available.

inputs.conf on the IIS Server

[monitor://%SYSTEM_DRIVE%/inetpublogs/AdvancedLogs/*] sourcetype=iis_advanced

props.conf on the INDERXER
[iis_advanced] TZ = GMT

Re: IIS Advance Logs Forwarding

jgodfrey_kumc — Thu, 18 Apr 2013 18:11:34 GMT

Do you have any problems with it obtaining the current information since the log files are constantly changing names and to which file is being written to?

Re: IIS Advance Logs Forwarding

alacercogitatus — Thu, 18 Apr 2013 18:13:19 GMT

nope, I just index everything in the folder and it displays just fine. Related to Advanced IIS, have you ever gotten the filter to work with a User Agent String?

Re: IIS Advance Logs Forwarding

jgodfrey_kumc — Thu, 18 Apr 2013 18:25:22 GMT

No, I have not gotten it to work with a User Agent string. I would be interested in how to make that work if anyone else has any details.