https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31216#M5483 <P>Everything looks correct to me as far as my setup goes. </P> <P>where are you editing the inputs.conf file? is it in etc\system\local or some app?</P> Fri, 28 Sep 2012 22:11:15 GMT paul_1994 2012-09-28T22:11:15Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31214#M5481 <P>Hi,</P> <P>I am trying to forward IIS logs from one of the server that has forwarder installed. I have below config settings. I don't see any IIS logs on my splunk server.</P> <P>Inputs.conf<BR /> [monitor://c:\inetpub\logs\LogFiles]<BR /> ignoreOlderThan = 14d<BR /> host = <HOSTNAME of="" the="" server="" where="" forwarder="" is="" installed=""></HOSTNAME></P> <P>What Am I missing?</P> Thu, 19 Apr 2012 19:35:06 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31214#M5481 singhg 2012-04-19T19:35:06Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31215#M5482 <P>on the forwarder, define an input in a inputs.conf</P> <PRE> [monitor://c:\myiisfolder\] disabled = false followTail = 0 sourcetype=iis </PRE> <P>make sure that the forwarder has outputs.conf configured.</P> Fri, 28 Sep 2012 17:26:24 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31215#M5482 yannK 2012-09-28T17:26:24Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31216#M5483 <P>Everything looks correct to me as far as my setup goes. </P> <P>where are you editing the inputs.conf file? is it in etc\system\local or some app?</P> Fri, 28 Sep 2012 22:11:15 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31216#M5483 paul_1994 2012-09-28T22:11:15Z https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31217#M5484 <P>if you have deployment server and want to collect logs from web server through Universal Forwarder, the following may help you</P> <OL> <LI> install "Splunk app for web analytics" on SH</LI> <LI> Install "splunk add-on for microsioft iis" on SH</LI> <LI> Install "splunk add-on for microsioft iis" on IDX</LI> <LI> Install UF on the web server</LI> <LI> Copy the app “Splunk_TA_microsoft-iis” from $splunk home/etc/apps to “Splunk_TA_microsoft-iis” in $splunk home/etc/deploymentapps </LI> <LI> Create inputs.conf in /$splunk home/etc/deploymentapps /Splunk_TA_microsoft-iis/local </LI> </OL> <P><A href="https://community.splunk.com/your%20log%20path%20but%20with%20similar%20format" target="_blank">monitor://C:\IIS-LOG-Files\W3SVC*.*</A><BR /> disabled = false<BR /> sourcetype =iis<BR /> index=my-index</P> <OL> <LI> Create props.conf in $splunk home/etc/deploymentapps/Splunk_TA_microsoft-iis/local</LI> </OL> <P>[iis]<BR /> INDEXED_EXTRACTIONS = w3c</P> <P>make sure you have created output.conf in local directory to send logs to indexer <BR /> example of outputs.conf :</P> <P>[tcpout]<BR /> defaultGroup = indexer</P> <P>[tcpout:indexer]<BR /> server = indexer_IP:9997<BR /> autoLB = true</P> <OL> <LI> Create server class my-serverclass on DS(Deployment server)</LI> <LI> Add the Splunk_TA_microsoft-iis to My-serverclass as the app</LI> <LI>Create the index My index on IDX</LI> <LI>Add the web server as client to My-server-class</LI> <LI>Check the web server c:/programfile/splunkuniversalforwarder/ec/app to assure the app Splunk_TA_microsoft-iis is pulled</LI> <LI>Restart the splunkuniversalforwarder service on web server</LI> <LI>Search for sourcetype iis and index My-index on SH</LI> </OL> Tue, 29 Sep 2020 22:12:36 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-Logs-and-Universal-Forwarder/m-p/31217#M5484 mahsaalaeifar 2020-09-29T22:12:36Z